UltraEdit 5.1 A time trial crack	Our tools
20 July 1998	by Miguel Neto
	Courtesy of Fravia's page of reverse engineering
fra_00xx 980720 MiguelNeto 1100 NA PC	An interesting essay... Enjoy! BTW:I find too that Ultraedit is one of the best editors around. Ian Mead may be religiously completely balooney (see his site), but he's a great good programmer nevertheless and many of the functions that Ultraedit incorporates are completely missing in Micro$oft's Wordsaurius. I registered my copy of Ultraedit long ago, notwithstanding the fact that there are HUNDREDS of regged serials and regging patches for this poor shareware on the warez scene, and I invite all readers to do the same: there are very FEW programs that are worth using and even less that are worth registering. Ultraedit is among these without any doubt.
	There is a crack, a crack in everything That's how the light gets in
Rating	(x)Beginner ( )Intermediate ( )Advanced ( )Expert

Howdy boys, it's me again. This is my second essay, I hope fravia+ has published the other one... This time I will try to explain how to crack UltraEdit 5.1. This target has aleady been explained by Aesculapius; this great cracker, who is also, in my opinion, the funniest of us all (humour requires a great deal of reverse-engineering skills), has, however, only explained the serial fishing approach. Since we don't care as much for the targets as for their protections, I hope fravia+ will allow me to explain the trial cracking approach. I will continue to explain the crack in a way that everybody with a minimum experience of cracking will be able to follow, I don't think this does any harm, quite on the contrary... Enough rabbling, let's crack!

Tools required

Sof-Ice 3.2
Wdasm (any version should do)
An hexeditor (I prefer HIEW because of the built-in disassembler)

Program History

Will actually be useful for once: you better see all the other essays about all previous versions of this target

Essay

For those of you who want to jump straight in the action, we are after the time trial protection. So, our first reflex is to set up a breakpoint on getlocaltime (close Opera before doing this, otherwise the annoying little clock will fire up Soft-Ice every second). Now we open UltraEdit. I don't know about you, but I didn't have much luck with this approach, so I went over to the dead listing method.

After WDASM has finished disassembling, we can have a look at *all* of the references. Go ahead, you should know the drill by now. I know this is boring, it is nevertheless necessary (at least for begginers like me). There are a couple of references which might be of interest to us, and we'll try digging into the following one: UltraEdit 45 day time trial expired!!

Double click on it. Now double clik again. And again. Ok, there are way too many references... Which one is the right one? Well, I hope you didn't put Soft-ice in the drawer just yet, because we are going to need it. Set you clock 2 months forward and open UltraEdit. A dialog box appears. After this, we will get our now beloved "time expired" message box. A 32 bit message box, to be more accurate... Are you thinking what I'm thinking? I hope you are, even Homer could have figured it out by now... Set a breakpoint on messageboxa and click cancel. Bang! Soft-Ice pops up here: (just a moment, let me get my dead listing)

* Reference to String ID=00069: "To... use UltraEdit you must send the registration "
|
:00443DBF 6A45                    push 00000045
:00443DC1 8D4D14                  lea ecx, dword ptr [ebp+14]
:00443DC4 E8A0E30100              call 00462169
:00443DC9 6830200000              push 00002030
:00443DCE FF7510                  push [ebp+10]
:00443DD1 FF7514                  push [ebp+14]
:00443DD4 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:0195h
|
:00443DD5 FF15A4764800            Call dword ptr [004876A4]    ;Soft-ice pops up here

* Referenced by a Jump at Address:00443D82(C)
|
:00443D90 E89C1BFCFF              call 00405931
:00443D95 391D3CAE4A00            cmp dword ptr [004AAE3C], ebx
:00443D9B 758A                    jne 00443D27
:00443D9D 8D4D10                  lea ecx, dword ptr [ebp+10]
:00443DA0 E890DC0100              call 00461A35
:00443DA5 8D4D14                  lea ecx, dword ptr [ebp+14]
:00443DA8 C645FC01                mov [ebp-04], 01
:00443DAC E884DC0100              call 00461A35

            
:00443D7E 83F82D           cmp eax, 0000002D   ; compare eax with 2Dh, (45 decimal)
:00443D81 59               pop ecx             ; pop ecx from the stack
:00443D82 7F0C             jg 00443D90         ; jmp eax is > 45
:00443D84 399F38010000     cmp dword ptr [edi+00000138], ebx
:00443D8A 0F8576FFFFFF     jne 00443D06

If we scroll up a bit, we see that this check is conditional, and the jump occurs at 443CBF and at 443CBB. These locations are not so far awayare they? F12 to 443CBF and you see:

                 :00443CB9 391D64AE4A00            cmp dword ptr [004AAE64], ebx
                 :00443CBF 0F8591000000            jne 00443D56
                 :00443CC5 399F38010000            cmp dword ptr [edi+00000138], ebx
                 :00443CCB 0F8485000000            je 00443D56
                 :00443CD1 FF355CAE4A00            push dword ptr [004AAE5C]

Now, Ian, I know what you are thinking: "Stupid cracker! You will still be annoyed by the nag! The hand of God Himself protects Ian Mead! The hand of God Himself! HA HA HA!!!!"

Well, I have just one thing to say to you:"Hold your horses! (and while you're at it, hold His as well), because I'm not done yet...

Now, back with the cracking... The program reaches 443CB9, and bothers to make the time trial check, which takes time, than it either knows whe are unregistered or it does not know we are registeres, depending on which way the protectionist set the flags...

If we scroll up again, we see that the program "decides" wether to check if we expired or not at 443C25 (there are some conditional jmp's before, but even if they turn out to be false, the program will eventually reach 443CB9: ...you can check for yourseld using Soft-Ice). At this very interesting location, we see the following instruction:

                 :00443C25 7478                    je 00443C9F

So, open up UEDIT in Hacker's View or your favourite Hexeditor and patch this target! Close everything, restart Uedit and yahoo!! No more nags! Now, close uedit, set your clock two months forward, and restart... Nada... Ofcourse we still aren't registered... if you want to register you'd better take a look at Aesculpius' essay (or even better: pay for it!).

Final Notes

Before I end the essay, I would like send my thanks to all of those who sent essays to fravia's site, to MIB and the #c4n crew, and my special thanks to fravia+. I hope Ian Mead didn't get offended, he shouldn't have, coz I'm just a punk kid, and I could *never* program like he does; besides, I don't think anyone would bother to listen, let alone read my stupid jokes above just to get a quick'n easy UltraEdit crack, which is available all over the Web anyway, so I don't think I hurt him financially... I'm only explaining an interesting protection scheme; and I love this editor, I have already paid for it -albeit anonymously- so understand me right: it's THE BEST editor around, PAY for it, it's not expensive and worth every penny!!

If you want to mail me, you can do so here I've been having some problems with my email, so if you mail me and don't get a reply within a few days, please send another email mentioning WHEN did you first try to contact me. Thanks.

Ob Duh

homepage links search_forms +ORC students' essays academy database
reality cracking how to search javascript wars
tools anonymity academy cocktails antismut CGI-scripts mail_fravia+
Is reverse engineering legal?