


                           How to crack Ulead's PhotoImpact 5.0
                                        by uZzi


   HI pepz! I'm back with another cracking tutorial just for you.
   

   TOOLS YOU NEED : Soft-Ice 3.24

                    Win32Dasm 8.93

                    YOUR FAVOURITE HEXEDITOR

   You can find all of them at www.crackstore.com


   Let's start. Install the proggie and then run it. You will see a nag-screen announcing
  that this version is a trial available only a month. Set the time after the 30 days and run
  it again. You will recive something like this: the 30-day trial period has expired...bla, bla,
  bla. Click OK button and the program say ciao !
  
  There are many ways to crack this.
 
  Here's a solution. We will put a brekpoint at MessageBoxA api function that showed us the
 stupid message. Do CTRL+d to enter in Sice. Put the breakpoint : bpx messageboxa and press F5. 
 Now run it again. Sice stops at the begining of MessageBoxA function. To jump wherever it was
 called, press F11. You will land in u32cfg.dll at this code: 


* Reference To: USER32.GetDesktopWindow, Ord:00FFh
                                  |
:4EB06EDF FF155482B04E            Call dword ptr [4EB08254]
:4EB06EE5 50                      push eax

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:4EB06EE6 FF157C81B04E            Call dword ptr [4EB0817C] << here you are

 
:4EB06EEC 5F                      pop edi
:4EB06EED C3                      ret


  
  As you can see noway to crack at this. Trace two lines(with F10). You will see:


:4EB06E62 68F0550000              push 000055F0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:4EB06D2C(U)
|
:4EB06E67 E814000000              call 4EB06E80
:4EB06E6C 83C40C                  add esp, 0000000C << you are here

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB0601B(C), :4EB06084(C), :4EB06C6F(C), :4EB06CF3(C)
|
:4EB06E6F 5F                      pop edi
:4EB06E70 5E                      pop esi
:4EB06E71 5D                      pop ebp
:4EB06E72 33C0                    xor eax, eax << hmm...nothing good here...
:4EB06E74 5B                      pop ebx
:4EB06E75 81C470060000            add esp, 00000670
:4EB06E7B C3                      ret

   
   This code brings that error message and put in eax 0 value(xor eax, eax). If eax is 0 the
    program won't continue.
   
   Now you have enough information to crack thiz. Dont't forget to get the offsets (6E67, 6E72). 

   You may replace call 4EB06E80 with xor eax, eax ; eax=0

                                       inc eax     ; eax=1
 
                                       inc eax     ; eax=2

                                       dec eax     ; eax=1 what we need ;)
   
                                      
             and    xor eax, eax with  nop ; 

                                       nop ;
 

   
  Load the u32cfg.dll file in your heXeditor, goto first offset and replace E814000000 with 
   33C0404048; goto second offset and replace 33C0 with 9090. 
 
  Save it. Run it. Enjoy! No messagebox, no time limitation just the program working very fine.

  Well, wasn't hard, don't you?

  Now something 'bout the others ways to crack PhotoImpact. You could remove the time protection
   using a brakpoint at GetSystemTime, but this is the long way. I leave you this as a homework.


                     ^----------------------->
      Greetz goto   /---->heXcrasher<---lz0   |
                   /                          |
                  /----->3D iDA<---lz0        |
                 /                            |
                /------->oRIon                |
               /                              |
              /--------->all crackers in #lz0 |
             / tuturor crackerilor Romani :P  v       
            <----------------------------------  


  If you have any questions mail to me at uzziest@yahoo.com or catch me in #lz0 (undernet)


   See you on the next tutor!                         