       _       _          _          _             _           _         _
      / \_____/ \______  / \____    / \___________/ \         / \_______/ \____
      \       \        \ \      \_  \       \        \        \         \      \
 _____/   .    \   .    \/   /\   \ /   .    \   .    \________\   .     \     /_ _____
 |   /    /_   /   /_   /_  /  \   \    /_   /   \_   /_       /  /       \   _/ \_   |
 |  /    /  \_/ \    \_/  \ \__/    \  /  \_/ \    \_/  \     /  /        /        \  |
 |__\    \      /          \ /      /  \      /  .       \___/   \_      /         /__|
     \         /     /     / \     /         /    \      /   \     \____/         /
      \____   /\____/     /___\__  \\____   /\____/\    /     \______/  \_____   /
           \_/      \____/       \_/     \_/        \__/                      \_/

              - t h e   h o m e   o f   p o l i s h   c r a c k e r s -

                                  proudly presents:

 `~*[ a tutorial:.................the.trial.thing.-.ulead.photo.explorer.v4.2 ]*~`
 `~*[ written by:............................................emotion.thirteen ]*~`
 `~*[ date:...................................................22nd.April.1999 ]*~`


   [      ulead  photo  explorer  is a great example of trial software and an exact ]
   [ example  of  how it shouldn't be done... anyways, it's not our problem 'coz if ]
   [ they  want  to  share with us for free or almost for free we can always accept ]
   [ it,  rite  ?  =) okay, let's use our mind now... first of all install software ]
   [ and  see  how  it  works...  nothing unusual here, nag screen which informs us ]
   [ about  trial time and nothing more... well, let's see what's inside... execute ]
   [ your  w32dasm  - I use 8.93 version - load pe42.exe and disassemble it... now, ]
   [ let's   check   out  what's  in  'string  data  references'...  hmmm,  nothing ]
   [ interesting  here,  what's  now ??? well, save listing as project and minimize ]
   [ w32dasm...  now  double  click  on  win  clock  to set date/time properties... ]
   [ let's  move  it  a  month or two ahead... heh, that's like travelling in time, ]
   [ isn't  it  ?!  no,  it's not... =P~~ now once again execute photo explorer and ]
   [ it'll  nicely inform you that your trial period is over...  let's travel  back ]
   [ to  our  time  and  execute it again... this time it should say 'sorry! due to ]
   [ internal checking file damaged or system time had been changed...' yay, that's ]
   [ what  we've been looking for ! now when it's expired there's no way out: crack ]
   [ it  or  walk  away... get back to w32dasm and check out 'imports', scroll down ]
   [ till   you   find   'peabout.'   library   and  functions  we  need  to  check ] 
   [ 'CheckTimeLimit'      and      'IsFullVersion'...      double     click     on ]
   [ peabout.IsFullVersion and it'll take you to such location:                     ]

* Reference To: peabout.IsFullVersion, Ord:0002h
                                  |
:0041B5DE FF15840C4600            Call dword ptr [00460C84] - it checks if it's full or trial ver. here...
:0041B5E4 83C404                  add esp, 00000004	    - the result is returned in eax...
:0041B5E7 85C0                    test eax, eax		    - full or trial ?
:0041B5E9 751B                    jne 0041B606		    - jumps if full, skips if trial...

* Reference To: peabout.CheckTimeLimit, Ord:0000h
                                  |
:0041B5EB FF15800C4600            Call dword ptr [00460C80] - now it checks trial time...
:0041B5F1 85C0                    test eax, eax		    - end of trial ?
:0041B5F3 7511                    jne 0041B606		    - no, there're some days left, run proggy...
:0041B5F5 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF    - apparently, there's no days left, show
:0041B5FC E8CB020000              call 0041B8CC		    - proper message and exit
:0041B601 E928FEFFFF              jmp 0041B42E

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041B5D6(C), :0041B5E9(C), :0041B5F3(C)
|
:0041B606 8B4DF0                  mov ecx, dword ptr [ebp-10] - here is the point where program starts
:0041B609 E8E2130000              call 0041C9F0		      - after check...

   [      looks  pretty  simple,  eh ?  at  first  you'll  probably think: gotta do ]
   [ something  with  that  check at :0041B5E7... well... it's a solution but...  I ]
   [ tell  you that's not the best solution... anyways, after such change your code ]
   [ should look like this:                                                         ]

* Reference To: peabout.IsFullVersion, Ord:0002h
                                  |
:0041B5DE FF15840C4600            Call dword ptr [00460C84] - it checks if it's full or trial ver. here...
:0041B5E4 83C404                  add esp, 00000004	    - the result is returned in eax...
:0041B5E7 33C0                    xor eax, eax		    - make eax = 0 always
:0041B5E9 741B                    je 0041B606		    - if eax=0 then jump...

   [           photo  explorer will run without a nag screen and it looks like full ]
   [ ver  now  but...  what  about  ABOUT menu ? you'll see that it still says it's ]
   [ trial  or  something like that... so your crack is not 101 yet... let's see... ]
   [ it  says:  '*  Reference  To: peabout.IsFullVersion, Ord:0002h'... if you look ]
   [ inside  photo  explorer  dir  you'll  find  here  our  victim 'peabout.dll'... ]
   [ disassemble   it  and  look  into  'exports'...  yay  !  'CheckTimeLimit'  and ]
   [ 'IsFullVersion'  are  there ! double  click on it and you should  see the code ]
   [ below... let's take a look...                                                  ]

Exported fn(): IsFullVersion - Ord:0003h
:100010C0 83EC04                  sub esp, 00000004
:100010C3 833D40B0001000          cmp dword ptr [1000B040], 00000000
:100010CA 750F                    jne 100010DB		- in our case it jumps always here...
* Reference To: peabout.InitAboutDll
                                  |
:100010CC E86FFFFFFF              call 10001040
:100010D1 85C0                    test eax, eax
:100010D3 7506                    jne 100010DB
:100010D5 33C0                    xor eax, eax
:100010D7 83C404                  add esp, 00000004
:100010DA C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:100010CA(C), :100010D3(C)
|
* Reference To: peabout.IsPI3FullVersion
                                  |
:100010DB E8E0030000              call 100014C0
:100010E0 A334C80010              mov dword ptr [1000C834], eax
* Reference To: peabout.IsWEGOFullVersion
                                  |
:100010E5 E8B6010000              call 100012A0
:100010EA 8B4C2408                mov ecx, dword ptr [esp+08]
:100010EE 6A00                    push 00000000
:100010F0 A330C80010              mov dword ptr [1000C830], eax
:100010F5 8D442404                lea eax, dword ptr [esp+04]
:100010F9 50                      push eax
:100010FA 6A01                    push 00000001

* Possible StringData Ref from Data Obj ->"SpecialBuild"
                                  |
:100010FC 6844B00010              push 1000B044
:10001101 51                      push ecx
:10001102 E8C90C0000              call 10001DD0
:10001107 83C414                  add esp, 00000014
:1000110A 85C0                    test eax, eax			- trial / full check...
:1000110C 741D                    je 1000112B			- jump if trial...
:1000110E 817C240014050000        cmp dword ptr [esp], 00000514	- as above...
:10001116 7513                    jne 1000112B
:10001118 B801000000              mov eax, 00000001		- make eax=1 - full ver...
:1000111D 83C404                  add esp, 00000004
:10001120 C70540C8001001000000    mov dword ptr [1000C840], 00000001
:1000112A C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000110C(C), :10001116(C)
|
:1000112B 33C0                    xor eax, eax		- here's our problem, it makes eax=0...
:1000112D 83C404                  add esp, 00000004
:10001130 C3                      ret

   [      wow,  wow,  wait  a  minute ? you'll say...  how did I find out it always ]
   [ jumps at :100010CA ??? well, just load your pe42 project file, from DEBUG menu ]
   [ choose  LOAD  PROCESS,  when it loads click on 'Active DLLs' window and scroll ]
   [ down  till  you find peabout.dll... now double click it and choose 'yes'... go ]
   [ to 'IsFullVersion' start and place there break point pushing F2... now push F9 ]
   [ [run  process]  and wait a moment... it'll stop on our break point... now push ]
   [ F7  a  few  times...  see now ?! so our problem equals those two 'trial / full ]
   [ check' jumps... simple, make such changes:                                     ]

* Possible StringData Ref from Data Obj ->"SpecialBuild"
                                  |
[...]
:1000110A 85C0                    test eax, eax			
:1000110C 7400                    je 1000110E			
:1000110E 817C240014050000        cmp dword ptr [esp], 00000514	
:10001116 7500                    jne 10001118
[...]

   [      trial  check  has  been  removed and now it'll always return as full ver, ]
   [ no need to mess with 'CheckTimeLimit' 'coz it's not used now... let's see that ]
   [ ABOUT  menu  now...  in  the  'exports'  we've  got 'ShowAboutBox' function... ]
   [ double click it and you should see:                                            ] 

Exported fn(): ShowAboutBox - Ord:0006h
:100016C0 833D40C8001000          cmp dword ptr [1000C840], 00000000
:100016C7 7410                    je 100016D9
:100016C9 8B442404                mov eax, dword ptr [esp+04]
:100016CD 6A01                    push 00000001
:100016CF 50                      push eax
:100016D0 E8EB140000              call 10002BC0
:100016D5 83C408                  add esp, 00000008
:100016D8 C3                      ret

   [      doing the previous trick we'll find out that jump at :100016C7 is 'trial' ]
   [ jump... so once again make such a change:                                      ]
 
:100016C7 7400                    je 100016C9

   [      done...  to  sum up... we've changed just three bytes to get full version ]
   [ of  ulead  photo  explorer v4.2... not bad but sometimes it's just a matter of ]
   [ one  byte...  so... till the next crack... ah, by the way, if you enjoyed this ]
   [ tutorial  or you think it just plainly sucks just let us know... we gotta know ]
   [ what to do or what not to do next...                                           ] 
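
Added example (not part of the original tutorial and not vendor code): the three final patches above each turn a short conditional jump into one with displacement 00, a branch that just falls through and that a compiler has no reason to emit. The Python sketch below parses W32Dasm-style listing lines and flags such jumps as a tamper indicator when triaging a suspect binary; the sample lines are copied from the listings above, and the function and variable names are assumptions of this example.

```python
import re

# W32Dasm listing line: ":ADDRESS  HEXBYTES  mnemonic [- note]"
LINE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+\S")

def neutralized_branches(listing):
    """Return (address, hex bytes) of conditional jumps with zero displacement.

    Covers Jcc rel8 (70..7F xx) and Jcc rel32 (0F 80..8F xx xx xx xx).
    Heuristic only: it reports a tamper indicator, not proof of tampering.
    """
    hits = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m or len(m.group(2)) % 2:
            continue  # not an instruction line, or truncated hex
        code = bytes.fromhex(m.group(2))
        short = len(code) == 2 and 0x70 <= code[0] <= 0x7F
        near = len(code) == 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F
        disp = code[1:] if short else code[2:]
        if (short or near) and not any(disp):
            hits.append((m.group(1).upper(), m.group(2).upper()))
    return hits

# Lines copied from the peabout.dll listings in this tutorial.
ORIGINAL = """
:1000110A 85C0                    test eax, eax
:1000110C 741D                    je 1000112B
:1000110E 817C240014050000        cmp dword ptr [esp], 00000514
:10001116 7513                    jne 1000112B
:100016C7 7410                    je 100016D9
"""
PATCHED = """
:1000110A 85C0                    test eax, eax
:1000110C 7400                    je 1000110E
:1000110E 817C240014050000        cmp dword ptr [esp], 00000514
:10001116 7500                    jne 10001118
:100016C7 7400                    je 100016C9
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("patched", PATCHED)):
        print(name, neutralized_branches(text))
```

Working from the disassembly listing rather than raw bytes keeps operands such as the 00 in `6A00` (push 0) from being misread as a jump displacement.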


	signed:
	emotion thirteen

   [ p/s:                                                                           ]
   [      ready  crack  is  available  at  http://crackpl.cjb.net - unfortunately I ]
   [ didn't have a chance to apply it to a non-expired version of photo explorer, so ]
   [ I don't know if it works properly with such a ver... check it yo' self then... ]

                                                    ______   ______   ______   ______
                                                   /      \ /      \ /      \ /      \
 _________________________________________________/   .   //   /   //   /   //   /   /
 |                                                \__/   /_\__    /_\__    /_\__    /|
 |     [CP]: http://realmsofcrack.cjb.net          /    //    /  //    /  //    /  / |
 |________________________________________________/    //    /  //    /  //    /  /__|
                                                  \___/ \_______\\_______\\_______\
