Name      : Silver (Photoshop Plugin)

Version   : generic

Editor    : Sandwater

Target    : Silver-100.8bf

Tools     : W32Dasm
            Hiew
            Brain
            
Cracker   : LW2000

Tutorial  : No.41

http://www.sandwater.com/download.html


---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

1.      Ok, start Photoshop and try the Silver plugin. Ok, all works fine.
        Close Photoshop and set the system date to the next month.
        Ok, start Photoshop again and try the Silver plugin.
        *BOOM* Trial has expired!
        Mhmm, seems that we have found a bug... ;)
        Let's fix it.

        Load Silver-100.8bf with W32Dasm. Click on the Dialog Reference.
        Now you should see this:

NO_THANKS1, CONTROL_ID:0063, "A valid code was not entered."
REG_TIMEOUT, CONTROL_ID:0064, "- Pay by mail to Kagi, 1442-A Walnut Str"
REG_TIMEOUT, CONTROL_ID:0065, "Payment is accepted through Kagi, a fee "
REGISTER1, CONTROL_ID:0003, ""


2.      Ok, let's close this window and go to "REG_TIMEOUT" in the
        String Data Reference!


* Possible StringData Ref from Data Obj ->"REG_TIMEOUT"
                                  |
:1000D0A5 6844D10110              push 1001D144
:1000D0AA E88190FFFF              call 10006130
:1000D0AF 56                      push esi
:1000D0B0 E8ABFBFFFF              call 1000CC60
:1000D0B5 8B0E                    mov ecx, dword ptr [esi]
:1000D0B7 83C418                  add esp, 00000018
:1000D0BA 66C7010100              mov word ptr [ecx], 0001


        Mhmm, let's scroll up!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D054(C)  <<-- we go there!
|

* Possible StringData Ref from Data Obj ->"The price is US$20."
                                  |
:1000D08C 685CD10110              push 1001D15C

* Possible StringData Ref from Data Obj ->"Silver"
                                  |
:1000D091 6818D10110              push 1001D118

* Possible StringData Ref from Data Obj ->"two weeks"
                                  |
:1000D096 6850D10110              push 1001D150

* Possible StringData Ref from Data Obj ->"Silver"
                                  |
:1000D09B 6818D10110              push 1001D118
:1000D0A0 E87B8AFFFF              call 10005B20

* Possible StringData Ref from Data Obj ->"REG_TIMEOUT"


3.      Ok, let's go to 1000D054, because REG_TIMEOUT is called from there.


:1000D054 7D36                    jge 1000D08C  <<-- Bad Boy!
:1000D056 8B54240C                mov edx, dword ptr [esp+0C]
:1000D05A 56                      push esi
:1000D05B 81C2807FF1FF            add edx, FFF17F80
:1000D061 899054010000            mov dword ptr [eax+00000154], edx
:1000D067 8B4604                  mov eax, dword ptr [esi+04]
:1000D06A 8B500C                  mov edx, dword ptr [eax+0C]
:1000D06D 8B02                    mov eax, dword ptr [edx]
:1000D06F 89884C010000            mov dword ptr [eax+0000014C], ecx
:1000D075 E80661FFFF              call 10003180 


4.      Ok, we have found the first check, let's beat this.
        Note the offset (D054), open Hiew and change the
        7D36 to 9090 (2x NOP).
        Save your work and try the plugin.

        *BOOM* A message box appears which tells us that we have a new version,
        and so we get a new trial! One week more!
        If you don't get the msgbox, simply set the date to next month
        (why a month and not a week? It's easier to set back in Win than a
        week.. yeah, sometimes I'm lazy =).
        
        Let's take a look at this present.

        Open the file with W32Dasm and take a close look at the SDR.
        'Version_Alert' sounds very interesting! So let's go there.

5.      

* Possible StringData Ref from Data Obj ->"VERSION_ALERT"
                                  |
:1000D07A 6870D10110         push 1001D170
:1000D07F E8AC90FFFF         call 10006130  <-- set trial and msg inside
:1000D084 83C408             add esp, 00000008
:1000D087 5F                 pop edi
:1000D088 5E                 pop esi
:1000D089 5B                 pop ebx
:1000D08A 59                 pop ecx
:1000D08B C3                 ret



        Mhmm, what have we now? Simply NOP the call! Then every time
        the proggy is called we get one new trial week - so it can't ever expire.
        Let's do so. Open Hiew, load the file, go to the offset (D07F)
        and enter 5x NOP.
        
        E8AC90FFFF -> 9090909090

        Save your work and try it!


Congratulations! You have beaten the restrictions.


FINISH! Easy, or?
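
Seen from the vendor's side, both changes in steps 4 and 5 are plain overwrites of known instruction bytes with 0x90, which a load-time integrity check can catch. The following is an added example (not part of the original tutorial and not Sandwater's code): it parses W32Dasm listing lines copied from above into expected bytes and reports instructions that no longer match in a constructed in-memory image. The function names and the sample image are assumptions made for illustration.

```python
import re

# W32Dasm listing lines copied from the tutorial above (address, opcode bytes, text).
LISTING = """\
:1000D054 7D36                    jge 1000D08C
:1000D056 8B54240C                mov edx, dword ptr [esp+0C]
:1000D07A 6870D10110              push 1001D170
:1000D07F E8AC90FFFF              call 10006130
:1000D084 83C408                  add esp, 00000008
"""

LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*)$")

def parse_listing(text):
    """Return [(address, opcode_bytes, mnemonic)] for each listing line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3).strip()))
    return out

def find_tampering(image, base, expected):
    """Compare the image against the expected bytes and classify each mismatch."""
    findings = []
    for addr, want, text in expected:
        got = image[addr - base: addr - base + len(want)]
        if got == want:
            continue
        kind = "nop-overwrite" if got == b"\x90" * len(want) else "modified"
        findings.append((addr, kind, text))
    return findings

def build_sample_image(base, expected, tampered=()):
    """Constructed test image: zero-filled buffer holding the listed instructions."""
    end = max(a + len(b) for a, b, _ in expected)
    img = bytearray(end - base)
    for addr, b, _ in expected:
        img[addr - base: addr - base + len(b)] = b"\x90" * len(b) if addr in tampered else b
    return bytes(img)

if __name__ == "__main__":
    exp = parse_listing(LISTING)
    img = build_sample_image(0x1000D054, exp, tampered={0x1000D054, 0x1000D07F})
    for addr, kind, text in find_tampering(img, 0x1000D054, exp):
        print(f"{addr:08X} {kind}: {text}")
```

A check like this only raises the bar if its own comparison is not a single conditional jump, since that jump would be exactly the kind of instruction located in step 3.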

cu LW2000
Any comments? Mail me LW2000@gmx.net !!!
----
tKC, thx for your tutors!
I started with tutor 1 and I still read them... they are the best!
