e-Picture - an example of using bdb to revive a quality BeOS app
by PIrgE

Protection: time-out after a certain absolute date

Software required:
  e-Picture 1.0 (release candidate)
  bdb (the BeOS graphical debugger)
  any hex editor

Blurb:
e-Picture is an image editing app, something like Photoshop. I understand that it is no longer under development, and this version now always times out, so this is an example of reversing to revive a dead app.

Method:
Create a shortcut to bdb on your desktop, then drop the e-Picture icon onto it. Make sure bdb has break_on_spawnthread enabled. You should now have four bdb windows:

  1. Running Teams (you can debug something else at the same time if you want!)
  2. Team: e-Picture
  3. e-Picture (with Stack showing _start then main)
  4. Registers (if it is not showing, go to the e-Picture window's menu item Window->Show Registers)

From the e-Picture window we know we are in main, and from the value of the instruction pointer register (eip) in the Registers window we know we are at address 8*******. If the e-Picture window shows no assembler code in its bottom half, go to menu item Window->ShowAssembly to see the code with addresses. Now we can step over the code using the arrows in the e-Picture window and watch eip to check where we are. If you see code in the bottom of the e-Picture window you can also change eip by dragging the blue arrow; this lets you override jumps and calls on the fly, which is a quick way to test a patch before touching the file.
Anyway, you will see this code in the assembly window as you step through main:

  +0*** 8*******: call 0x8******* <_init+0x00003b40>
  +0*** 8*******: movl %eax, %esi
  +0*** 8*******: pushb $0x00
  +0*** 8*******: pushl %esi                      //////////////// this is pretty obvious
  +0*** 8*******: call 0x801f4ec4                 ////////////////
  +0*** 8*******: addl $0x0c, %esp
  +0*** 8*******: jmp 0x8*******
  +0*** 8*******: leal (%esi), %esi
  +0*** 8*******: call 0x******* <_init+0x00001940>
  +0*** 8*******: pushl %eax                      //////////////// this too
  +0*** 8*******: call 0x8*******                 ////////////////
  +0*** 8*******: movl 0x00001208(%ebx), %eax
  +0*** 8*******: addl $0x04, %esp
  +0*** 8*******: cmpl $0x00, (%eax)
  +0*** 8*******: jz 0x8*******

Now the app enters the function, the time-out dialog pops up, and the app then quits from another thread, so the call never returns. Enabling the app is simply a matter of nopping the two TimeLimit function calls. Each one is a five-byte near call (opcode E8 followed by a 32-bit relative displacement), so overwrite those five bytes with 0x90 in the hex editor. The arguments pushed before each call are still cleaned up by the addl $0x0c, %esp and addl $0x04, %esp that follow, so the stack is left exactly as it would be after a call that returned. Remember that the hex editor works on file offsets, not on the 0x8******* addresses bdb shows, so translate the address to a file offset (or search for the call's E8 together with the bytes of the surrounding instructions) before you patch, and confirm the bytes at that offset really are the call. You can also prove the fix in bdb first by dragging the blue arrow past each call and letting the app run.

No protection as such, but an example of the flexibility of bdb.

I do not condone the stealing of software - this is for esoteric purposes only.

PIrgE 11/11/00
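As an added example (not part of PIrgE's tutorial, and not the real bytes of the e-Picture binary), here is the same patch done as a script instead of by hand in a hex editor. It assumes an image base of 0x80000000, uses the listing's 0x801f4ec4 as the first call target, and makes up the second target (0x801f5000) and the bytes around the calls, since the page stars those out. The check it adds is the one you want before writing to the file: decode the E8 call's displacement and confirm it resolves to the address bdb showed, so a mistranslated file offset fails loudly instead of turning some other instruction into NOPs.

```python
# Added example, not from PIrgE's tutorial: NOP out a 5-byte near call
# (E8 rel32) in an x86 binary image, after checking that the bytes really
# are a call and that the call goes where bdb said it does. The image,
# the load address and the second call target are constructed for the demo.
import struct

CALL_OPCODE = 0xE8        # near relative call: 1 opcode byte + 4-byte displacement
CALL_LEN = 5
NOP = 0x90

LOAD_ADDR = 0x80000000    # assumed image base; bdb showed eip as 8*******
TIMELIMIT_1 = 0x801F4EC4  # first call target, as shown in the bdb listing
TIMELIMIT_2 = 0x801F5000  # second target is starred out on the page: made up


def decode_call_target(image, offset, load_addr):
    """Return the absolute target of the E8 call at file offset `offset`.

    `load_addr` is the address the image is mapped at, so that
    load_addr + offset is the call instruction's own address.
    """
    if offset < 0 or offset + CALL_LEN > len(image):
        raise ValueError("offset %#x out of range" % offset)
    if image[offset] != CALL_OPCODE:
        raise ValueError("no E8 call at %#x, found %#04x" % (offset, image[offset]))
    rel = struct.unpack_from("<i", image, offset + 1)[0]
    # The displacement is relative to the address of the next instruction.
    return (load_addr + offset + CALL_LEN + rel) & 0xFFFFFFFF


def is_expected_call(image, offset, load_addr, expected_target):
    """True if the bytes at `offset` are a call to `expected_target`."""
    try:
        return decode_call_target(image, offset, load_addr) == expected_target
    except ValueError:
        return False


def nop_call(image, offset, load_addr, expected_target):
    """Replace the call at `offset` with five NOPs; refuse if it is not the
    call we expect, so a wrong file offset cannot silently corrupt code."""
    if not is_expected_call(image, offset, load_addr, expected_target):
        raise ValueError("bytes at %#x are not a call to %#x"
                         % (offset, expected_target))
    patched = bytearray(image)
    patched[offset:offset + CALL_LEN] = bytes([NOP]) * CALL_LEN
    return bytes(patched)


def patch_calls(image, load_addr, calls):
    """Apply nop_call for each (offset, expected_target) pair."""
    for offset, target in calls:
        image = nop_call(image, offset, load_addr, target)
    return image


def encode_call(at_addr, target):
    """Inverse of decode: the 5 bytes of a call located at `at_addr` to `target`."""
    rel = target - (at_addr + CALL_LEN)
    return bytes([CALL_OPCODE]) + struct.pack("<i", rel)


def build_sample_image():
    """Constructed stand-in for the bytes behind the listing in the tutorial.
    Returns the image and the file offsets of the two TimeLimit calls."""
    img = bytearray()
    img += b"\x89\xc6"                                   # movl %eax, %esi
    img += b"\x6a\x00"                                   # pushb $0x00
    img += b"\x56"                                       # pushl %esi
    call1 = len(img)
    img += encode_call(LOAD_ADDR + call1, TIMELIMIT_1)   # call 0x801f4ec4
    img += b"\x83\xc4\x0c"                               # addl $0x0c, %esp
    img += b"\x50"                                       # pushl %eax
    call2 = len(img)
    img += encode_call(LOAD_ADDR + call2, TIMELIMIT_2)   # second TimeLimit call
    img += b"\x83\xc4\x04"                               # addl $0x04, %esp
    return bytes(img), call1, call2


if __name__ == "__main__":
    image, c1, c2 = build_sample_image()
    patched = patch_calls(image, LOAD_ADDR, [(c1, TIMELIMIT_1), (c2, TIMELIMIT_2)])
    print("before:", image.hex())
    print("after: ", patched.hex())
```

To use it on a real file, read the binary into `image`, pass the file offset that corresponds to each starred address together with the target bdb showed, and write the returned bytes to a copy of the executable; `nop_call` raising means the offset translation is wrong, not that the protection is different.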