HOW TO REGISTER ACDSee 2.3 WITHOUT THE SERIAL NUMBER! 

Tutorial by UmE

Introduction: in this tutorial I'll show you how to register ACDSee 2.3 without the serial
number. This is possible by patching the code in the routine where the right S/N is compared
with our S/N.

Necessary tools: SoftIce 3.24 or better, W32Dasm 8.9 or higher.

Program description: ACDSee 2.3, ACDSee32.exe, 966.656 bytes.

PARENTAL ADVISORY: this tutorial is cracking oriented!!!

Step 1: run the program and click on the "Tools" -> "Register..." menu item. You'll see the
registration window where your name and the S/N are required. Fill the form with your information
and then press Ctrl+D to enter SoftIce. Now place a breakpoint on the GetDlgItemTextA function
and then press Ctrl+D again to return to Windows. Now press the OK button in the registration
window and you'll land in SoftIce; press F11 and you'll be here:

:00407AA2 FFD7                    call edi	<- This is the GetDlgItemTextA call
:00407AA4 8D54247C                lea edx, dword ptr [esp+7C]
:00407AA8 68F5010000              push 000001F5
:00407AAD 52                      push edx
:00407AAE 6882000000              push 00000082

Now start to trace the code pressing F10 until a new call to the GetDlgItemTextA function
appears. This is normal, because with the first call the program reads the "Name" field from the
registration window and with the second call it reads the S/N we've entered. After the second call
press F11 to return to the code snippet where the function is called. You'll be here:

:00407AB4 FFD7                    call edi	<- This is the GetDlgItemTextA call
:00407AB6 8D44247C                lea eax, dword ptr [esp+7C]
:00407ABA 8D4C243C                lea ecx, dword ptr [esp+3C]
:00407ABE 50                      push eax
:00407ABF 51                      push ecx
:00407AC0 E82BF8FFFF              call 004072F0
:00407AC5 83C408                  add esp, 00000008
:00407AC8 85C0                    test eax, eax
:00407ACA 7E6B                    jle 00407B37
:00407ACC 8D54247C                lea edx, dword ptr [esp+7C]

From this code snippet I want to focus your attention on the instructions starting at
00407AC0.

:00407AC0 E82BF8FFFF              call 004072F0
:00407AC5 83C408                  add esp, 00000008
:00407AC8 85C0                    test eax, eax
:00407ACA 7E6B                    jle 00407B37
:00407ACC 8D54247C                lea edx, dword ptr [esp+7C]

This is a typical approach found in a lot of serial-number shareware programs. Now I'll try to
explain!

:00407AC0 E82BF8FFFF              call 004072F0

This call computes the right S/N from some parameters passed to it and then compares it
with the S/N we've entered.

:00407AC5 83C408                  add esp, 00000008

This is an instruction to tidy up the stack.

:00407AC8 85C0                    test eax, eax

With this test instruction the program checks whether the return value of the function is zero.

:00407ACA 7E6B                    jle 00407B37

This is the conditional jump that determines if you're a good or a bad boy. In this case the program
jumps to the location 00407B37 if eax=0 (wrong S/N; eax=1 means right S/N). Changing this jump has
no effect on the registration: the program tells you "Thank you for registering!" but
when you run the program again it will show "Unregistered" again in the main window caption.

What we have to do now is to go inside the call 004072F0 and make it always return eax=1.
Ok, now open W32Dasm, disassemble the file ACDSee32.exe and go to the address 004072F0.
You'll be here:

* Referenced by a CALL at Addresses:
|:0040742A   , :00407AC0   
|
:004072F0 56                      push esi
:004072F1 8B742408                mov esi, dword ptr [esp+08]
:004072F5 56                      push esi
:004072F6 C70540E04B0000000000    mov dword ptr [004BE040], 00000000
:00407300 E82B000000              call 00407330
:00407305 83C404                  add esp, 00000004
:00407308 85C0                    test eax, eax
:0040730A 7502                    jne 0040730E
:0040730C 5E                      pop esi
:0040730D C3                      ret

As you can see this routine is called 2 times: the first from the 0040742A address and the
second from the 00407AC0 address (the call we've seen during the registration process). What is
the first call? It's another check on the registration information that the program makes at
startup! It reads from the Windows registry the information you've entered in the
registration window and compares it with the right information. So if you change the conditional jump as
explained before, the program writes the information you've entered into the Windows registry and
says "Thank you for registering!", but when you run the program again it notices that the info is
wrong!! If the above code snippet always returns eax=1 the program looks registered!!
All we have to do now is change the following instructions like this:

:00407308 85C0                    test eax, eax      change to:   push 00000001
:0040730A 7502                    jne 0040730E       change to:   pop eax
:0040730C 5E                      pop esi            keep it!

In hexadecimal we have to change 85C07502 to 6A015890 (push 1 / pop eax / nop). Clear?  :-)
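From the defender's side, the same four bytes are the tamper signature of this routine. The following scanner is an added example, not part of the tutorial: it reports whether a binary's validation site still carries the original test/jne sequence or the replacement push/pop/nop stub, using the surrounding bytes shown in the listing (add esp,4 before, pop esi / ret after) as context. The sample images it checks are constructed buffers, not the real ACDSee32.exe.

```python
import re
import sys

# Byte sequences from the listing at 00407305..0040730D: the original check and the
# tutorial's replacement, each with the surrounding "add esp,4" and "pop esi / ret".
ORIGINAL_SITE = bytes.fromhex("83C404" "85C0" "7502" "5E" "C3")  # add esp,4 / test eax,eax / jne / pop esi / ret
PATCHED_SITE = bytes.fromhex("83C404" "6A01" "58" "90" "5E" "C3")  # add esp,4 / push 1 / pop eax / nop / pop esi / ret


def find_sites(data: bytes):
    """Return a sorted list of (file_offset, state) for every match of either sequence."""
    hits = []
    for pattern, state in ((ORIGINAL_SITE, "intact"), (PATCHED_SITE, "patched")):
        for match in re.finditer(re.escape(pattern), data):
            hits.append((match.start(), state))
    return sorted(hits)


def verify_validation_routine(data: bytes) -> str:
    """'patched' if the push/pop/nop stub is present anywhere, 'intact' if only the
    original test/jne sequence is present, 'unknown' if neither sequence occurs."""
    states = {state for _, state in find_sites(data)}
    if "patched" in states:
        return "patched"
    if states == {"intact"}:
        return "intact"
    return "unknown"


# Constructed sample images (not the real ACDSee32.exe): the routine's tail embedded in
# padding, once untouched and once with the tutorial's four-byte change applied.
CLEAN_IMAGE = b"\x00" * 0x10 + bytes.fromhex("E82B000000") + ORIGINAL_SITE + b"\xCC" * 8
TAMPERED_IMAGE = CLEAN_IMAGE.replace(ORIGINAL_SITE, PATCHED_SITE)


def main(argv):
    # With a path argument the scanner reads that file; otherwise it checks the sample image.
    data = open(argv[1], "rb").read() if len(argv) > 1 else TAMPERED_IMAGE
    for offset, state in find_sites(data):
        print(f"0x{offset:08x}: {state}")
    print("verdict:", verify_validation_routine(data))


if __name__ == "__main__":
    main(sys.argv)
```

The offset reported is a file offset, not the 004073xx virtual address; mapping between the two needs the PE section table, which the listing does not give.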

Ok, that's all for now! I hope you've enjoyed this tutorial!

Contact me at: ume15@hotmail.com

UmE
