Adobe Photoshop 7.0.1 TryOut - VBOX 4.6.2

Type : Image Editor - Got It From : Digit CD Dec 2002 Issue - India
Protection : VBox 4.6.2
Tech : Dumping + IAT Fix
      
 Crack : 
      
I can't believe it ... Adobe is giving away their program with full features
enabled. Earlier TryOut versions didn't have "Save", which made them useless.
But this version is fully functional [only a 30 day trial limit : VBOX] and
protected by VBOX.
       
      
Thanks Adobe for this ...

Ripping VBOX 4.6.2 :

Photoshop 7.0.1

The real program entry point can be found easily. Just put BPX GetVersion
after VBOX shows its box and run it ... you will break here ..
015F:00C3FCFE 55             PUSH EBP                        <--- Real EP
015F:00C3FCFF 8BEC           MOV EBP,ESP
015F:00C3FD01 6AFF           PUSH FF
015F:00C3FD03 6858A8FC00     PUSH 00FCA858
015F:00C3FD08 6878C6C300     PUSH 00C3C678
015F:00C3FD0D 64A100000000   MOV EAX,FS:[00000000]
015F:00C3FD13 50             PUSH EAX
015F:00C3FD14 64892500000000 MOV FS:[00000000],ESP
015F:00C3FD1B 83EC58         SUB ESP,58
015F:00C3FD1E 53             PUSH EBX
015F:00C3FD1F 56             PUSH ESI
015F:00C3FD20 57             PUSH EDI
015F:00C3FD21 8965E8         MOV [EBP-18],ESP
015F:00C3FD24 FF15CCD5F600   CALL [KERNEL32!GetVersion]
015F:00C3FD2A 33D2           XOR EDX,EDX                     <--- We are here
015F:00C3FD2C 8AD4           MOV DL,AH
015F:00C3FD2E 8915606F2501   MOV [01256F60],EDX
015F:00C3FD34 8BC8           MOV ECX,EAX
015F:00C3FD36 81E1FF000000   AND ECX,000000FF
015F:00C3FD3C 890D5C6F2501   MOV [01256F5C],ECX
Use the JMP EIP [EB FE] trick at address 015F:00C3FD2A and dump it using
PEditor. Now use WinHex to edit the dumped file and change EBFE --> 33D2.

Now our dump file is ok but will not run because sucker VBOX has fucked
its IAT ... So we must first fix it.

Fixing IAT :

Use ImpRec, select "Photoshop" and enter :

OEP = C3FCFE - 400000 = 83FCFE

Now click "IAT Auto Search" ... "GetImports"
You can see that many pointers [200 - 300] are not valid .... this is
because they point into the vbox dll files, which decrypt the real API address
only when it is needed. If you read my tutorial on Flash MX you can see I
gave up the idea of fixing 200 - 300 invalid pointers ...

I need this program [Photoshop] badly ... there should be a way to fix
it ... think .... think .... what if I fool vbox and make it decrypt the
API according to my wish ?

First we must study how vbox does it ....

This is how an API is called ...
015F:00BE82DB FF1514D0F600   CALL [00F6D014]                 <--- Some API
015F:00BE82E1 85C0           TEST EAX,EAX
015F:00BE82E3 740B           JZ 00BE82F0
      In ImpRec it is ptr : 00B6D014
      If we go inside ...
015F:02F50000 E81AE60B04     CALL 0700E61F                   <--- Call Decrypt Routine
015F:02F50005 7D37           JGE 02F5003E
      Go Inside the CALL ...
VBOXTB!PREVIEW
015F:0700E61F 55             PUSH EBP
015F:0700E620 8BEC           MOV EBP,ESP
015F:0700E622 83EC10         SUB ESP,10
015F:0700E625 53             PUSH EBX
015F:0700E626 8945FC         MOV [EBP-04],EAX
015F:0700E629 895DF8         MOV [EBP-08],EBX
015F:0700E62C 894DF4         MOV [EBP-0C],ECX
015F:0700E62F 8955F0         MOV [EBP-10],EDX
015F:0700E632 8D45F0         LEA EAX,[EBP-10]
015F:0700E635 50             PUSH EAX
015F:0700E636 8D45F4         LEA EAX,[EBP-0C]
015F:0700E639 50             PUSH EAX
015F:0700E63A 8D45F8         LEA EAX,[EBP-08]
015F:0700E63D 50             PUSH EAX
015F:0700E63E 8D45FC         LEA EAX,[EBP-04]
015F:0700E641 50             PUSH EAX
015F:0700E642 E812000000     CALL 0700E659                   <--- Decrypt API ..
015F:0700E647 83C410         ADD ESP,10
015F:0700E64A 8B45FC         MOV EAX,[EBP-04]
015F:0700E64D 8B5DF8         MOV EBX,[EBP-08]
015F:0700E650 8B4DF4         MOV ECX,[EBP-0C]
015F:0700E653 8B55F0         MOV EDX,[EBP-10]
015F:0700E656 5B             POP EBX
015F:0700E657 C9             LEAVE
015F:0700E658 C3             RET                             <---- Return real API Address ...
So my point is this ... after reaching 015F:0700E61F, if we press F12
in SICE we land inside the real API ... So in ImpRec we can fill in this API
by double clicking the invalid ptr.

Fooling VBOX :

If we are able to trace from where each invalid API is called, we can place
EIP at that CALL and go inside the decryption routine. When we reach
015F:0700E61F and press F12 we land inside the real API. VBox does its
decryption job nicely ... thinking that the API is really being called ...

No need to execute it; just vary EIP and CALL all the invalid pointers ...
and write down all the real API names so that we can fill them in ImpRec.
Crazy 200 --- 300 API calls to make ... I did it anyway, 10 hrs ... but worth it
...

My method is really a tedious one but worth it ... take paper and pen and
write down all the invalid pointers ... for example :

RVA ptr : 00B6D014 ---> 00F6D014
Now use the RAM Editor of WinHex to edit the primary memory of "Photoshop"
and search for the hex value "14D0F600" .... you can see it at :
00BE82DD

By this we can locate the instruction for this API ... Now break
in the Photoshop module ... BPX on some API ... I used GetPropA. When we are
in the Photoshop module, use this command in SICE ...

r EIP = 00BE82DB

Note : FF 15 is for CALL ...

Now go inside this and when we reach 015F:0700E61F press F12; we land
inside the real API. Write it down. Like this, find all the APIs .... first search
for it in memory using WinHex and then CALL it using the EIP trick ....

Now fill in all the APIs and fix the dump .... And don't forget to add exports
in the WinIce.dat file for ole32.dll, version.dll, shell32.dll
and oleaut32.dll, to find API names inside SICE. Otherwise you will
not see anything ...

Note : VBOX manages 2 APIs differently : GetMessageA and PeekMessageA
015F:0700EB9E E95B4CFFFF     JMP 070037FE
015F:0700EBA3 E819000000     CALL 0700EBC1
015F:0700EBA8 FF742410       PUSH DWORD PTR [ESP+10]
015F:0700EBAC FF742410       PUSH DWORD PTR [ESP+10]
015F:0700EBB0 FF742410       PUSH DWORD PTR [ESP+10]
015F:0700EBB4 FF742410       PUSH DWORD PTR [ESP+10]
015F:0700EBB8 FF158CC30407   CALL [USER32!GetMessageA]
015F:0700EBBE C21000         RET 0010
015F:0700EBC1 56             PUSH ESI
015F:0700EBC2 BED0A30507     MOV ESI,0705A3D0
015F:0700EBC7 56             PUSH ESI
015F:0700EBC8 FF150CC20407   CALL [KERNEL32!InterlockedIncrement]
      ----------**--------------**----------------------------***
015F:0700EC12 55             PUSH EBP
015F:0700EC13 8BEC           MOV EBP,ESP
015F:0700EC15 E8A7FFFFFF     CALL 0700EBC1
015F:0700EC1A FF7518         PUSH DWORD PTR [EBP+18]
015F:0700EC1D FF7514         PUSH DWORD PTR [EBP+14]
015F:0700EC20 FF7510         PUSH DWORD PTR [EBP+10]
015F:0700EC23 FF750C         PUSH DWORD PTR [EBP+0C]
015F:0700EC26 FF7508         PUSH DWORD PTR [EBP+08]
015F:0700EC29 FF15D4C30407   CALL [USER32!PeekMessageA]
015F:0700EC2F 5D             POP EBP
015F:0700EC30 C21400         RET 0014
These APIs are not encrypted but are called inside VBOX .... along with other
CALLs ..
It seems that VBOX is doing something when these APIs are called. It is
well known that these two APIs form the backbone of the message loop in win32.

ImageReady 7.0.1

Use the same method .....
015F:00CF567C 55             PUSH EBP                        <--- Real OEP
015F:00CF567D 8BEC           MOV EBP,ESP
015F:00CF567F 6AFF           PUSH FF
015F:00CF5681 6818CEE300     PUSH 00E3CE18
015F:00CF5686 68D453CF00     PUSH 00CF53D4
015F:00CF568B 64A100000000   MOV EAX,FS:[00000000]
015F:00CF5691 50             PUSH EAX
015F:00CF5692 64892500000000 MOV FS:[00000000],ESP
015F:00CF5699 83EC58         SUB ESP,58
015F:00CF569C 53             PUSH EBX
015F:00CF569D 56             PUSH ESI
015F:00CF569E 57             PUSH EDI
015F:00CF569F 8965E8         MOV [EBP-18],ESP
015F:00CF56A2 FF15C894DC00   CALL [00DC94C8]
015F:00CF56A8 33D2           XOR EDX,EDX
Use the same method as we did ...

So all you need is enough time and patience .... It is worth it ...
Both programs are now fully ripped out of VBOX and working fine on my
PC. And you can use them as long as you wish ... Thanks ImpRec

Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com