UltraEdit 5.1
A time trial crack
student
Our tools
20 July 1998
by Miguel Neto
Courtesy of Reverser's page of reverse engineering
fra_00xx
980720
MiguelNeto
1100
NA
PC
An interesting essay... Enjoy!
BTW:I find too that Ultraedit is one of the best editors around. Ian Mead may be religiously completely balooney (see his site), but he's a great good programmer nevertheless and many of the functions that Ultraedit incorporates are completely missing in Micro$oft's Wordsaurius. I registered my copy of Ultraedit long ago, notwithstanding the fact that there are HUNDREDS of regged serials and regging patches for this poor shareware on the warez scene, and I invite all readers to do the same: there are very FEW programs that are worth using and even less that are worth registering. Ultraedit is among these without any doubt.
There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

What I hope to be an useful essay for beginners and and intermediate crackers alike, explaining a time trial protection
UltraEdit 5.1
A time trial crack
Written by Miguel Neto


Introduction

Howdy boys, it's me again. This is my second essay, I hope reverser+ has published the other one... This time I will try to explain how to crack UltraEdit 5.1. This target has aleady been explained by Aesculapius; this great cracker, who is also, in my opinion, the funniest of us all (humour requires a great deal of reverse-engineering skills), has, however, only explained the serial fishing approach. Since we don't care as much for the targets as for their protections, I hope reverser+ will allow me to explain the trial cracking approach. I will continue to explain the crack in a way that everybody with a minimum experience of cracking will be able to follow, I don't think this does any harm, quite on the contrary... Enough rabbling, let's crack!

Tools required
Sof-Ice 3.2
Wdasm (any version should do)
An hexeditor (I prefer HIEW because of the built-in disassembler)

Program History
Will actually be useful for once: you better see all the other essays about all previous versions of this target

Essay

For those of you who want to jump straight in the action, we are after the time trial protection. So, our first reflex is to set up a breakpoint on getlocaltime (close Opera before doing this, otherwise the annoying little clock will fire up Soft-Ice every second). Now we open UltraEdit. I don't know about you, but I didn't have much luck with this approach, so I went over to the dead listing method.

After WDASM has finished disassembling, we can have a look at *all* of the references. Go ahead, you should know the drill by now. I know this is boring, it is nevertheless necessary (at least for begginers like me). There are a couple of references which might be of interest to us, and we'll try digging into the following one: UltraEdit 45 day time trial expired!!

Double click on it. Now double clik again. And again. Ok, there are way too many references... Which one is the right one? Well, I hope you didn't put Soft-ice in the drawer just yet, because we are going to need it. Set you clock 2 months forward and open UltraEdit. A dialog box appears. After this, we will get our now beloved "time expired" message box. A 32 bit message box, to be more accurate... Are you thinking what I'm thinking? I hope you are, even Homer could have figured it out by now... Set a breakpoint on messageboxa and click cancel. Bang! Soft-Ice pops up here: (just a moment, let me get my dead listing)

* Reference to String ID=00069: "To... use UltraEdit you must send the registration "
|
:00443DBF 6A45                    push 00000045
:00443DC1 8D4D14                  lea ecx, dword ptr [ebp+14]
:00443DC4 E8A0E30100              call 00462169
:00443DC9 6830200000              push 00002030
:00443DCE FF7510                  push [ebp+10]
:00443DD1 FF7514                  push [ebp+14]
:00443DD4 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:0195h
|
:00443DD5 FF15A4764800            Call dword ptr [004876A4]    ;Soft-ice pops up here
Now, if you would be kind enough to scroll up a bit, you will notice that there is a conditional jmp...
* Referenced by a Jump at Address:00443D82(C)
|
:00443D90 E89C1BFCFF              call 00405931
:00443D95 391D3CAE4A00            cmp dword ptr [004AAE3C], ebx
:00443D9B 758A                    jne 00443D27
:00443D9D 8D4D10                  lea ecx, dword ptr [ebp+10]
:00443DA0 E890DC0100              call 00461A35
:00443DA5 8D4D14                  lea ecx, dword ptr [ebp+14]
:00443DA8 C645FC01                mov [ebp-04], 01
:00443DAC E884DC0100              call 00461A35
... at 443D82, just 3 instructions above... Let's see what happens at 443D82...
            
:00443D7E 83F82D           cmp eax, 0000002D   ; compare eax with 2Dh, (45 decimal)
:00443D81 59               pop ecx             ; pop ecx from the stack
:00443D82 7F0C             jg 00443D90         ; jmp eax is > 45
:00443D84 399F38010000     cmp dword ptr [edi+00000138], ebx
:00443D8A 0F8576FFFFFF     jne 00443D06
Well, that's it for the time trial. Mr Ian Mead did a good job on the serial routine, but he forgot the time trial... The crack should be almost finished...

If we scroll up a bit, we see that this check is conditional, and the jump occurs at 443CBF and at 443CBB. These locations are not so far awayare they? F12 to 443CBF and you see:


                 :00443CB9 391D64AE4A00            cmp dword ptr [004AAE64], ebx
                 :00443CBF 0F8591000000            jne 00443D56
                 :00443CC5 399F38010000            cmp dword ptr [edi+00000138], ebx
                 :00443CCB 0F8485000000            je 00443D56
                 :00443CD1 FF355CAE4A00            push dword ptr [004AAE5C]
We just have to nop, or better yet, redirect these conditional jumps and we will be able to enjoy this most wonderful tool forever....

Now, Ian, I know what you are thinking: "Stupid cracker! You will still be annoyed by the nag! The hand of God Himself protects Ian Mead! The hand of God Himself! HA HA HA!!!!"

Well, I have just one thing to say to you:"Hold your horses! (and while you're at it, hold His as well), because I'm not done yet...

Now, back with the cracking... The program reaches 443CB9, and bothers to make the time trial check, which takes time, than it either knows whe are unregistered or it does not know we are registeres, depending on which way the protectionist set the flags...

If we scroll up again, we see that the program "decides" wether to check if we expired or not at 443C25 (there are some conditional jmp's before, but even if they turn out to be false, the program will eventually reach 443CB9: ...you can check for yourseld using Soft-Ice). At this very interesting location, we see the following instruction:

                 :00443C25 7478                    je 00443C9F
So, if this jumpequal doesn't occur, we are home free, baby! Now, usually, we should not patch the jump, but the call instead, because there might be other references to the same call (See Rude-Boy's essay about this). In this case there is no need to dwelve into the call, we can just change 7478 to 7400, which has the same effect as nopping the jump, but is more correct and less dangerous.

So, open up UEDIT in Hacker's View or your favourite Hexeditor and patch this target! Close everything, restart Uedit and yahoo!! No more nags! Now, close uedit, set your clock two months forward, and restart... Nada... Ofcourse we still aren't registered... if you want to register you'd better take a look at Aesculpius' essay (or even better: pay for it!).

Final Notes

Before I end the essay, I would like send my thanks to all of those who sent essays to reverser's site, to MIB and the #c4n crew, and my special thanks to reverser+. I hope Ian Mead didn't get offended, he shouldn't have, coz I'm just a punk kid, and I could *never* program like he does; besides, I don't think anyone would bother to listen, let alone read my stupid jokes above just to get a quick'n easy UltraEdit crack, which is available all over the Web anyway, so I don't think I hurt him financially... I'm only explaining an interesting protection scheme; and I love this editor, I have already paid for it -albeit anonymously- so understand me right: it's THE BEST editor around, PAY for it, it's not expensive and worth every penny!!

If you want to mail me, you can do so here I've been having some problems with my email, so if you mail me and don't get a reply within a few days, please send another email mentioning WHEN did you first try to contact me. Thanks.

Ob Duh

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside reverser's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_reverser
redIs reverse engineering legal?