UltraEdit 32 v6.20b
[Reversing essay]

Subject: Cracking
Target: UltraEdit 32 v6.20b
URL: http://www.ultraedit.com
Author: BlackB
Date: 1999-10-03
Tools used: SoftICE, W32DSM, a hexeditor
Difficulty (scale 1-5): 2
Requirements: More experienced cracker

Before starting!
This essay is for knowledge purposes only!!
Software developers spend much time in making their programs. They live from the money we give them!
Please buy good software!!
I. Introduction
Welcome to this how-to-crack-UltraEdit essay! Of all the essays I have written this is the most
difficult one. I don't mean that this essay is the most difficult to understand, just that
UltraEdit isn't easy :)
Hmmm, what else can I say about UltraEdit: "Get it or die". It's a really great text editor
(it also has hex editor features), much better than Notepad or WordPad. Throw away all your
other text editors, download this one and enjoy! Actually you should buy this program instead
of cracking it... but I don't have the right to say that because I didn't buy it myself.
II. About the protection
  • It displays a nag screen at startup
  • 45-day time trial
  • The about box says the copy is unregistered
III. Cracking it
Run the program and note the message the nagscreen displays: 
      "This is an unregistered copy...."
Disassemble a copy of the original UEdit32.exe (in my case the dead listing is UEdit32.dsm) and
look for occurrences of the string "This is an unregistered copy...."... *OUCH* this string
appears A LOT in the dead listing! That is the first difficulty with this program: which of all
those references is the one used by the nag screen? The listing alone won't tell us, so we use
SoftICE to catch the program at the moment the nag is painted. The nag is a window, and a window
gets painted through USER32's UpdateWindow, so that is where we break. How do you know to pick
UpdateWindow? Simple, it's also used A LOT in the program :) Okay, so let's try it -> get into
SoftICE, type "bpx updatewindow", leave SoftICE and fire up UltraEdit. SoftICE will pop up, but
the nag screen won't be drawn yet (you can check this by pressing F4 in SoftICE: it shows you how
the Windows screen looks at that moment, press ESC to get back into SoftICE). Keep pressing
CTRL-D and F4 until the nag screen appears.
Once you have seen the nag screen press F12 in SoftICE (= execute until return) until you are
back in UltraEdit's own code (an address in the 004xxxxx range, not inside USER32) and note that
address. Clear all breakpoints (bc *).
Now go back to W32DSM and go to the address you noted. In the direct surroundings you should
see something like this:

************Start-of-partial-code************

* Possible StringData Ref from Data Obj ->"Days to expire"
                                  |
:0045A68B 689C064D00              push 004D069C
:0045A690 57                      push edi
:0045A691 E8D1030300              call 0048AA67
:0045A696 A14C6D4D00              mov eax, dword ptr [004D6D4C]
:0045A69B A3546D4D00              mov dword ptr [004D6D54], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A724(C)
|
:0045A6A0 391D206D4D00            cmp dword ptr [004D6D20], ebx<-Registered?
:0045A6A6 7519                    jne 0045A6C1             <- Jump if it is

* Possible Reference to String Resource ID=00005: "ULTRAEDT.MAC"
                                  |
:0045A6A8 6A05                    push 00000005
:0045A6AA 8D8E28010000            lea ecx, dword ptr [esi+00000128]
:0045A6B0 E8557C0200              call 0048230A
:0045A6B5 FFB644010000            push dword ptr [esi+00000144]

* Reference To: USER32.UpdateWindow, Ord:0291h            <- Display nag
                                  |
:0045A6BB FF15ECB64A00            Call dword ptr [004AB6EC]

************End-of-partial-code************

The jne right before the nag is the registered check: [004D6D20] is compared against ebx
(presumably zero at this point), and the jump is taken when the flag is non-zero, i.e. when the
copy is registered. So the first thing to do is make that jump unconditional, so the nag block is
skipped whether or not the flag is set:
7519 jne 0045A6C1 becomes:
EB19 jmp 0045A6C1
Both instructions are two bytes (opcode plus an 8-bit displacement), so only the opcode byte
changes and the displacement 19 stays. Run the program again, and you'll see the nag has
disappeared. Note that the time trial is still active, so let's crack that one too :)
You can use the program unregistered for 45 days. The hex value for 45 is 2D, so there is
probably a check like "cmp register, 0000002D". Let's guess and take eax for the register
(a compare of eax against a small immediate assembles to 83 F8 2D, which is what W32DSM shows
as "cmp eax, 0000002D"), so search the listing for "cmp eax, 0000002D"... and BINGO!

************Start-of-partial-code************

* Possible StringData Ref from Data Obj ->"Settings"
                                  |
:0045A6FD 68F0054D00              push 004D05F0
:0045A702 E860030300              call 0048AA67
:0045A707 A14C6D4D00              mov eax, dword ptr [004D6D4C]
:0045A70C 2B05546D4D00            sub eax, dword ptr [004D6D54]
:0045A712 50                      push eax
:0045A713 E8323C0100              call 0046E34A <- Calculate usage
:0045A718 83F82D                  cmp eax, 0000002D <-Compare days
:0045A71B 59                      pop ecx
:0045A71C 7F0C                    jg 0045A72A <- jump if expired
:0045A71E 399E44010000            cmp dword ptr [esi+00000144], ebx
:0045A724 0F8576FFFFFF            jne 0045A6A0
************End-of-partial-code************ 
      

Yes indeed, nop out that jump :) The code subtracts the value at [004D6D54] from the one at
[004D6D4C] (presumably the stored first-run date and today's date; the essay's "calculate usage"),
the call at 0046E34A turns that into a number of days, and the cmp at 0045A718 checks it against
45. The jg at 0045A71C takes the expired path when the count is greater. The pop ecx in between
does not touch the flags, so the jg really does test the result of that cmp. jg rel8 is two
bytes, so it needs two NOPs to keep the following instructions aligned:
7F0C jg 0045A72A becomes:
90 NOP
90 NOP
With the jump gone the program always falls through to the not-expired path, no matter how many
days have passed.
Now the program works the way the registered version should, but there's still one thing left:
the "unregistered" string in the about box. This nasty thing cost me quite some time to find:
there are so many "This is an unregistered copy...." strings that it is impossible to tell from
the strings alone which one the about box uses.
So I started thinking, and this is what I came up with: the program probably checks the
registered flag twice -> once for the nag screen and once for the about box. So I searched for
a second "cmp dword ptr [004D6D20], ebx". I didn't find one, and I was getting quite frustrated,
until I thought: "Maybe it uses another register to compare against that memory location!?". So
I searched again for the same memory operand with every other register until... TADAAAAAAM, I
found:
"cmp dword ptr [004D6D20], edi" :))
The lesson: the flag lives at one fixed address, but the compiler compares it against whatever
register happens to hold zero at that point, so search for the operand "[004D6D20]" rather than
for one exact instruction.

************Start-of-partial-code************

:004061D7 C645FC01                mov [ebp-04], 01
:004061DB C70378D04A00            mov dword ptr [ebx], 004AD078
:004061E1 E8EACA0700              call 00482CD0
:004061E6 393D206D4D00            cmp dword ptr [004D6D20], edi <- Registered?
:004061EC 7462                    je 00406250 <- Jump if not registered

* Possible Reference to String Resource ID=00009: "


This copy of UltraEdit-32 is licensed to :

  "
                                  |
:004061EE 6A09                    push 00000009
:004061F0 8BCE                    mov ecx, esi
:004061F2 E868CF0700              call 0048315F
:004061F7 68FC544D00              push 004D54FC
:004061FC 8BCE                    mov ecx, esi
:004061FE E85CCD0700              call 00482F5F
:00406203 BFA4CF4C00              mov edi, 004CCFA4

************End-of-partial-code************

It's easy now: the je at 004061EC is the "bad boy" jump (taken when the flag equals edi, i.e.
not registered), so nop it out the same way as before, two bytes for two NOPs:
7462 je 00406250 becomes:
90 NOP
90 NOP
The UltraEdit bitch is cracked *g*
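One practical caveat before you open the hex editor: W32DSM shows virtual addresses, while the hex editor works on file offsets (W32DSM prints the file offset of the selected line as "@Offset" in its status bar). A patch written at the wrong offset, or applied to a different build of UEdit32.exe where the bytes have moved, silently corrupts the file. The script below is an added example (mine, not BlackB's, and not part of the original essay or of UltraEdit): it reads the PE section table to translate each VA from the listings above to its file offset, refuses to patch unless the original bytes are exactly there, and also runs the "search for cmp eax, 0000002D" step as a raw byte-pattern scan for 83 F8 2D. The three patches are taken from the listings above; the function names and the minimal PE32 image the script builds for self-testing are my own constructions, not UltraEdit.

```python
"""Verified byte patcher for the UEdit32.exe patches described in the essay.
Added example: not part of the original essay and not UltraEdit code."""
import struct

# (virtual address, original bytes, replacement): all three taken from the W32DSM listings above.
PATCHES = [
    (0x0045A6A6, b"\x75\x19", b"\xEB\x19"),  # jne 0045A6C1 -> jmp 0045A6C1: always skip the nag
    (0x0045A71C, b"\x7F\x0C", b"\x90\x90"),  # jg  0045A72A -> nop nop:   trial never "expires"
    (0x004061EC, b"\x74\x62", b"\x90\x90"),  # je  00406250 -> nop nop:   about box takes licensed path
]

CMP_EAX_2D = b"\x83\xF8\x2D"  # encoding of "cmp eax, 0000002D" (45 days)


def parse_sections(pe: bytes):
    """Return (image_base, [(rva, virtual_size, raw_ptr, raw_size), ...]) of a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40          # IMAGE_SECTION_HEADER is 40 bytes; name is the first 8
        vsize, rva, rsize, rptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((rva, vsize, rptr, rsize))
    return image_base, sections


def va_to_file_offset(image_base, sections, va):
    """Map a virtual address (as W32DSM shows it) to the file offset a hex editor needs."""
    rva = va - image_base
    for sec_rva, vsize, rptr, rsize in sections:
        if sec_rva <= rva < sec_rva + max(vsize, rsize):
            delta = rva - sec_rva
            if delta >= rsize:                 # inside the section's zero-filled tail, nothing on disk
                raise ValueError(f"{va:08X} is not backed by file data")
            return rptr + delta
    raise ValueError(f"{va:08X} lies in no section")


def file_offset_to_va(image_base, sections, off):
    """Inverse mapping; None when the offset is header/overlay data outside every section."""
    for sec_rva, _vsize, rptr, rsize in sections:
        if rptr <= off < rptr + rsize:
            return image_base + sec_rva + (off - rptr)
    return None


def find_pattern(pe: bytes, pattern: bytes):
    """The 'search the listing for cmp eax, 0000002D' step done on raw bytes: VAs of all hits."""
    image_base, sections = parse_sections(pe)
    hits, pos = [], pe.find(pattern)
    while pos != -1:
        va = file_offset_to_va(image_base, sections, pos)
        if va is not None:
            hits.append(va)
        pos = pe.find(pattern, pos + 1)
    return hits


def apply_patches(pe: bytes, patches=PATCHES):
    """Apply every patch, but only if the original bytes sit at the computed offset.
    A mismatch usually means a different build, a wrong offset, or an already patched file."""
    image_base, sections = parse_sections(pe)
    out, applied = bytearray(pe), []
    for va, old, new in patches:
        off = va_to_file_offset(image_base, sections, va)
        have = bytes(out[off:off + len(old)])
        if have != old:
            raise ValueError(f"{va:08X} @ file offset {off:#x}: expected {old.hex()}, found {have.hex()}")
        out[off:off + len(new)] = new
        applied.append((va, off))
    return bytes(out), applied


def build_toy_image():
    """Constructed sample input (not UltraEdit): a minimal PE32 with one .text section that
    carries the listing bytes at the essay's VAs, so the functions above can run offline."""
    image_base, sec_rva, sec_size, raw_ptr = 0x00400000, 0x1000, 0x5A000, 0x400
    img = bytearray(raw_ptr + sec_size)
    e_lfanew = 0x80
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    # COFF: Machine=i386, 1 section, timestamp/symtab/nsyms=0, SizeOfOptionalHeader=224, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 28, image_base)   # ImageBase
    sec = opt + 224
    img[sec:sec + 8] = b".text\x00\x00\x00"
    struct.pack_into("<IIII", img, sec + 8, sec_size, sec_rva, sec_size, raw_ptr)

    def put(va, data):
        off = raw_ptr + (va - image_base - sec_rva)
        img[off:off + len(data)] = data

    put(0x0045A718, CMP_EAX_2D + b"\x59")  # cmp eax,2D / pop ecx, straight from the listing
    for va, old, _new in PATCHES:
        put(va, old)
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_toy_image()
    print("cmp eax,2D candidates:", [f"{v:08X}" for v in find_pattern(data, CMP_EAX_2D)])
    patched, done = apply_patches(data)
    for va, off in done:
        print(f"patched VA {va:08X} at file offset {off:#x}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
```

Run it as "python patch.py UEdit32.exe UEdit32.patched.exe" against your own copy; without arguments it patches the constructed toy image. The refusal on a byte mismatch is the important part: running it a second time on the already patched file fails instead of writing garbage, and a different build fails the same way rather than getting three random bytes flipped.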
IV. In the end

Heh, my favorite part of tutorials :) You can freely use this essay on your page, as long as
you mention you got it from my site http://beam.to/blackb, but I'd prefer it if you linked
your page to mine ;) and as long as you don't change ANYTHING of its contents!
Greetings go to the EVC members R!SC, MMke, Sn00pee, Dead-Mike
General greetings go to [Lazarus] aka Leetsheep, Sandman, Icecream, Neural_Noise, Knotty Dread,
AcID_BuRN

Greetings
BlackB

Endnote:
Essay written by The Blackbird © 1999-2000
This essay can be freely distributed/ published/ printed etc... as long as no modifications are made.