This is a very good program to manipulate your image files. With some cool features. Try it!
Well, with this tutorial you will learn how to avoid a Nag Screen in an easy way, and how to remove a time limit. The protection is inside U32cfg.dll.

This tutorial was originally written in Spanish and this translation could be inaccurate.
So, sorry for my English ;o)

Start the program and you'll notice it's a 30 day trial scheme, without any disabled options.
It also has an ugly nag screen "dialogboxparama".

First of all, we are gonna kill that ugly nag screen. So, we set the first breakpoint in our beloved SoftICE. Write "BPX dialogboxparama", press F11 and then press the "Try More!" button.
We'll land here:

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
                                  |
:4EB066CD FF15F4A3B14E    CALL DWORD PTR [4EB1A3F4]
:4EB066D3 898590FDFFFF    MOV DWORD PTR [EBP+FFFFFD90], EAX

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB066A2(C), :4EB066AB(C)
|

* Possible Reference to Dialog: DialogID_0001 
                                  |
:4EB066D9 B801000000      MOV EAX, 00000001
:4EB066DE E935010000      JMP 4EB06818

To avoid the Nag Screen just change:

:4EB066CD FF15F4A3B14E   CALL DWORD PTR [4EB1A3F4]

To :4EB066CD 909090909090   

NOP instruction is 0x90. It means "do nothing".

So set your system clock at least 30 days ahead. Now start PhotoImpact.
It will display another ugly dialog box.
Oh!, what a surprise!!! It's another "dialogboxparama" !!!

Welcome back to SoftICE and we set the second breakpoint (or just enable the first one again) "BPX dialogboxparama". Now look where we are.

* Reference To: USER32.GetActiveWindow, Ord:00D5h
                                  |
:4EB0671F FF15C0A3B14E    CALL DWORD PTR [4EB1A3C0]
:4EB06725 50              PUSH EAX

* Possible Reference to Dialog: DialogID_0066 
                                  |
:4EB06726 6A66            PUSH 00000066
:4EB06728 8B0D0C47B24E    MOV ECX, DWORD PTR [4EB2470C]
:4EB0672E 51              PUSH ECX

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
                                  |
:4EB0672F FF15F4A3B14E    CALL DWORD PTR [4EB1A3F4]
:4EB06735 89858CFDFFFF    MOV DWORD PTR [EBP+FFFFFD8C], EAX
:4EB0673B 83BD8CFDFFFF2A  CMP DWORD PTR [EBP+FFFFFD8C], 0000002A
:4EB06742 751D            JNZ 4EB06761

If you compare this code snippet with the last one, you'll notice that in the first code snippet there were just the following instructions more:

:4EB066D9 B801000000      MOV EAX, 00000001 <-- Interesting!
:4EB066DE E935010000      JMP 4EB06818

In the first code snippet, EAX is assigned the value 1 and then there is a JMP to :4EB06818.
In the second code snippet (trial period expired), [EBP+FFFFFD8C] is compared to 2A and, if they are not equal it will jump to :4EB06761.

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB06716(C), :4EB06742(C)
|
:4EB06761 33C0            XOR EAX, EAX <-- Bad idea!
:4EB06763 E9B0000000      JMP 4EB06818 

So, we have to assign the value 1 to EAX and also it should jump to :4EB06818. Open the file u32cfg.dll with your favourite hex editor (UltraEdit for example) and modify the following bytes:

:4EB0672F FF15F4A3B14E    CALL DWORD PTR [4EB1A3F4]
:4EB06735 89858CFDFFFF    MOV DWORD PTR [EBP+FFFFFD8C], EAX

We search "FF15F4A3B14E89858CFD" and we change it to:
          "B801000000E9B0000000"

So, we'll have this:

:4EB0672F B801000000      MOV EAX, 00000001     
:4EB06735 E9B0000000      JMP 4EB06818

Voilá! It's done.
Do I really have to remind you the purpose of this cracking tutorial?

NOTE FOR THE READER:

This essay could contain mistakes (maybe the author skipped some steps, maybe wrong memory addresses....etc) . The purpose is that you should learn to "think like a cracker".
Good Luck! ;o)

*------------------*
|WHISKEY KON TEKILA|
|Mr.WhiTe [WkT!99] |
|http://wkt.tsx.org|
|http://ecd.tsx.org|
*------------------*