how to crack 

ADOBE IMAGESTYLER v1 tryout version built 1.0.0.36

  

 
you can download it at http://www.adobe.com
 
What the developer says about ImageStyler:
  

ImageStyleris a powerful new Web graphics product for busy creative business people who want a great looking Web site but don't have a lot of time or design training. With Adobe ImageStyler you can create sophisticated navigational elements, interactive JavaScript rollovers, graphical Web pages quickly and easily without sacrificing reativity. Using ImageStyler's Styles you can get results that you may have thought were out of your reach. And with Batch Graphics Creation, you can automatically give any of your Web pages a graphically consistent look and feel without having to deal with the underlying HTML code...all in just minutes. See the sections on Getting Acquainted with ImageStyler to see how you can instantly add style to your Web site.

 
About the protection 
  

The developers are using the Sales Agent system of protection .But this time with a difference it doesn't give us the possibility to register the program by the BYE button usually existing in the nag screen of the Sales Agent .Here we will see how to bypass the time check ,how to change the TRIAL button into BYE button and how to use the Imagepop.exe (thanks VisualBB) to register


Tools u need :softice , W32Dasm

First turn your clock same years infront

the first way of cracking , bypassing the time check control
 
  

Enter Softice and put a breakpoint at hmemcpy 'bpx hmemcpy' then press
F12 19 times and you will be here 

 

* Reference To: COMCTL32.InitCommonControls, Ord:0011h
                                  |
:00408860 FF15A4934400            Call dword ptr [004493A4]

* Possible StringData Ref from Data Obj ->"RICHED32.DLL"
                                  |
:00408866 6814D44200              push 0042D414

* Reference To: KERNEL32.LoadLibraryA, Ord:0190h
                                  |
:0040886B FF151C944400            Call dword ptr [0044941C]
:00408871 E88AC7FFFF              call 00405000
:00408876 C705405F4300801B4000    mov dword ptr [00435F40], 00401B80
:00408880 C705445F4300F01C4000    mov dword ptr [00435F44], 00401CF0
:0040888A C705485F4300801E4000    mov dword ptr [00435F48], 00401E80
:00408894 C7054C5F430010204000    mov dword ptr [00435F4C], 00402010
:0040889E C705505F4300A0214000    mov dword ptr [00435F50], 004021A0


.....press F10 alot of times ,you are gona enter same loops ,to
,bypass them put breakpoints to any possible jump and press F5 
then disable the breakpoints and continue witn F10 for example :
bypassing the loops


:00408A84 8B542410                mov edx, dword ptr [esp+10]  <--------      
:00408A88 8A12                    mov dl, byte ptr [edx]                |
:00408A8A D2FA                    sar dl, cl                            |First loop
:00408A8C F6C201                  test dl, 01                           |
:00408A8F 7418                    je 00408AA9                           |
:00408A91 8D142E                  lea edx, dword ptr [esi+ebp]          |
:00408A94 83C004                  add eax, 00000004                     |      
:00408A97 47                      inc edi                               |       
:00408A98 3D285F4300              cmp eax, 00435F28                     |       
:00408A9D 8B1495405F4300          mov edx, dword ptr [4*edx+00435F40]   |       
:00408AA4 8950FC                  mov dword ptr [eax-04], edx           |       
:00408AA7 7D1A                    jge 00408AC3         >----------------     <--- 
:00408AA9 46                      inc esi      <---set a breakpoint here         |
:00408AAA 49                      dec ecx                and press 'x'           |
:00408AAB 83FE08                  cmp esi, 00000008                              |
:00408AAE 7CD4                    jl 00408A84                                    |Second loop
:00408AB0 8B442410                mov eax, dword ptr [esp+10                     |
:00408AB4 83C508                  add ebp, 00000008                              |
:00408AB7 40                      inc eax                                        |
:00408AB8 3D47E34300              cmp eax, 0043E347                              |
:00408ABD 89442410                mov dword ptr [esp+10], eax                    |
:00408AC1 7CB3                    jl 00408A76  >---------------------------------
:00408AC3 A1AC3C4300              mov eax, dword ptr [00433CAC] <-do a 'bd *'and set a bpx here
:00408AC8 8B3DBC954400            mov edi, dword ptr [004495BC]                and press 'x'
:00408ACE 33ED                    xor ebp, ebp
:00408AD0 55                      push ebp
:00408AD1 68E8030000              push 000003E8
:00408AD6 6840040000              push 00000440
:00408ADB 50                      push eax           

you can contiue using the same logic
 
continue pressing F10



:00405ED0 A1AC3C4300              mov eax, dword ptr [00433CAC]
:00405ED5 83EC10                  sub esp, 00000010
:00405ED8 56                      push esi
:00405ED9 6864634300              push 00436364
:00405EDE 50                      push eax
:00405EDF E83C130000              call 00407220
:00405EE4 83C408                  add esp, 00000008
:00405EE7 8BF0                    mov esi, eax
:00405EE9 68E8030000              push 000003E8

* Reference To: KERNEL32.Sleep, Ord:023Fh
                                  |
:00405EEE FF1530944400            Call dword ptr [00449430]
:00405EF4 83FEFF                  cmp esi, FFFFFFFF
:00405EF7 7507                    jne 00405F00             <--- this mast not jump
:00405EF9 0BC6                    or eax, esi                   so do a 'r fl z'
:00405EFB 5E                      pop esi
:00405EFC 83C410                  add esp, 00000010
:00405EFF C3                      ret

now press 'x' to leave soft-ice the time-limit is gone.     

The second way of cracking 

This is coming as an adition to the VisualBB essay (How to debug with W32Dasm 8.9 II)
Lets see what is in the install directory we see Imagepop.exe file what is this file doing ?
Lets run it it will tell us "Please wait while your software is being prepared" very good 
we thing but after that a warning is appearing "You cannot run this application at this 
time ..."lets go in W32Dasm dissamle Imagepop.exe and look for the text "You cannot run this "


* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:00404D67 8B3D98644300            mov edi, dword ptr [00436498] <---put a bpeakpoint here
:00404D6D 85F6                    test esi, esi               <---make a "r esi=1" in the softice
:00404D6F 752F                    jne 00404DA0

* Possible StringData Ref from Data Obj ->"You cannot run this application "
                                        ->"at this time."
                                  |
:00404D71 6804024200              push 00420204
:00404D76 68408B4200              push 00428B40
:00404D7B E880DA0000              call 00412800
:00404D80 8B8C2458050000          mov ecx, dword ptr [esp+00000558]
:00404D87 83C408                  add esp, 00000008
:00404D8A 6830000100              push 00010030

* Possible StringData Ref from Data Obj ->"WARNING"
                                  |
:00404D8F 68FC014200              push 004201FC
:00404D94 68408B4200              push 00428B40
:00404D99 51                      push ecx
:00404D9A FFD7                    call edi
:00404D9C 6A00                    push 00000000
:00404D9E FFD3                    call ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404D6F(C)
|
:00404DA0 83FE01                  cmp esi, 00000001                <-----esi mast be 1
:00404DA3 0F8575010000            jne 00404F1E
:00404DA9 8B15008B4200            mov edx, dword ptr [00428B00]
:00404DAF 6880C84200              push 0042C880
:00404DB4 83C232                  add edx, 00000032

Now go the Softice and put a breakpoint at ShowWindow so BPX ShowWindow and press F12 till
we see the Imagepop code then bd 0 and bpx 00404D67 press F10 once and reverse esi to be 1 
so do a "r esi=1" ,bd *,and x to go out from softice ok that's it a now file will appear 
rstmpexe.exe this the same with ImageStyler.exe file run one of these files job is done. 








The third way of cracking 

As it seams Adobe Imager doesn't give us so many posibilities for registration but if we take a
look in the dissabled rsagnt32.dll and the ImageStyler we will see in the string referenses 
words like "Please choose the payment method" or more intresting "Click on Buy Now button to
buy %s for $%"    hmm

Here is the nag screen we want to change this 'Trial' into 'Buy Now' button 
before

after  


enter in softice set a breakpoint at hmemcpy and run Adobe ImageStyler press F12 sametimes 
till u are in the ImageStyler code then db0 to disable the breakpoint and bpx 00406AA6 and 
press 'x'
 
softice will break here

:00406AA0 0F8762010000               ja 00406C08
:00406AA6 7463                              je 00406B0B                 (NO JUMP)
:00406AA8 83F80F                         cmp eax, 0000000F
:00406AAB 0F8587020000             jne 00406D38
:00406AB1 8BB42488000000         mov esi, dword ptr [esp+00000088]

press again 'x'

softice will break again here 

:00406AA0 0F8762010000                 ja 00406C08
:00406AA6 7463                                 je 00406B0B                (JUMP)  here do a 'r fl z'
:00406AA8 83F80F                           cmp eax, 0000000F
:00406AAB 0F8587020000               jne 00406D38
:00406AB1 8BB42488000000           mov esi, dword ptr [esp+00000088]


press 'x' and the 'Trial' botton has changed into 'Buy Now' bottond
   if the breakpoint doesn't work for you try to find the sequense of the code above
in a hex editor or using W32dsm and put tha breakpoint there

Now what we have to do after pressing the "Bye now" button is descriped in the essay 
of Goth found in the fravia's site

but let's see what exactly we can do 

Press on the Bye Now botton fill the spaces with what ever names you want .Put a bogus
credit card number like 432407876876876 and select the comunication method by Phone 
then we have to find the unlocking code

Put a bogus code like 1122334455 set a 'bpx hmemcpy' in softice and press
OK press F12 9 times ,press F10 2 times and type 'd edi' there is our code
 HDWAMHXYRT 



 
Adobe ImageStyler it's a very cool program so if you like it and you have the money please buy

it .Please do not use this information to make cracks .
 
tutorial by :

page created :august '99