[exelist] Crack ACDSEE3 with TRW2000
How to crack AcdSee 3.0 with TRW2000
Key words:
ACDSee v3.0 Trial Version
Build 1209
http://www.acdsystems.com/products/acdsee/
This software is packed with a special version of ASPACK. Even many senior
crackers cannot crack it. Now we can see how easy it is to crack with
our great TRW2000!
Install it, run it, no problem. Set the time to 2000.12.25, run it again,
and it pops up a dialog telling us it has expired. That's all.
Now, run TRW2000. With the EXPIRE dialog window as the foreground window,
press Ctrl+N. TRW2000 pops up. Run the command
:PMODULE
Now close the window, and we will be back at
0167:00433FF8 CALL Near [USER32!DialogBoxParamA]
0167:00433FFE DEC EAX ;<<-- we are here
0167:00433FFF NEG EAX
0167:00434001 SBB EAX,EAX
0167:00434003 INC EAX
0167:00434004 RET
Now we know this Expire window is displayed by User32!DialogBoxParamA.
Press F8 a few times to get back up a level:
0167:00433AB4 83F8FB CMP EAX,FFFFFFFB
0167:00433AB7 7513 JNZ 00433ACC
0167:00433AB9 6A00 PUSH 00000000
0167:00433ABB E820050000 CALL 00433FE0
0167:00433AC0 83C404 ADD ESP,00000004 ;<-- we are here
0167:00433AC3 5F POP EDI
0167:00433AC4 5E POP ESI
0167:00433AC5 81C4F0000000 ADD ESP,000000F0
0167:00433ACB C3 RET
0167:00433ACC 33C9 XOR ECX,ECX
It's so clear. Let's have a try,
Press F8 ;do you know why ?
;r eip 433acc
;g
Really, it works!
We already know how to crack it, but how can we write it to its EXE
file? In ACDSEE.EXE, we cannot find this code, as it was packed
by ASPACK.
Now, unpack it with TRW2000!
1. Drag the ACDSEE icon to TRW2000
2. Press 'LOAD' button
3. :PNEWSEC
4. Wait 20 seconds. (Why so long?)
5. After TRW2000 pops up, run the command
:MAKEPE
Caution: do not add a parameter! When I test this, I find
we have a bug here. Sure, we will fix it in the next version.
6. Find the file NEWPE.EXE; it may be in
c:\windows
c:\windows\desktop
c:\trw2000 ;this is where you run TRW2000
c:\...\ACDSEE ;this is where you run ACDSEE
This is the unpacked ACDSEE.EXE! You can
TDUMP newpe.exe
and you will find the whole import table rebuilt!
Now, do you know how to crack it next?
Just change
0167:00433AB7 7513 JNZ 00433ACC
to
jmp 433acc
Done!
Is it possible to do all this with SoftIce? No way!
We use so many new functions here:
Ctrl+N
PMODULE
PNEWSEC
MAKEPE
BTW: after PNEWSEC, you can run the command 'suspend' and see whether ProcDump
can rebuild the PE from memory.
LiuTaoTao 99.12.25
liutt@...