A BASIC TIME LIMITED (AND A GOOD HEX EDITOR!) PROGRAM: HEDIT 2.1

Tutorial by UmE

Introduction: in this tutorial I'll show you how to remove the time limitation from a very useful
program: Hedit 2.1. The protection scheme is very simple and for this reason it is very
educational for every newbie. And it's my favourite hex editor......

Tools needed: SoftIce 3.00 or higher.

Program information: Hedit version 2.1.14, HEdit.exe, 352.256 bytes.

PARENTAL ADVISORY: this tutorial is cracking oriented!!!

Step 1: let's start the tutorial by executing our target....run it and the program will start 
with no nag screens. Now let's move our system date 1 month forward with respect to the installation date; 
this time, when you run the program, a messagebox (not really a msgbox!!) will tell us that our 
trial period is over:

                        "Your trial license of Hedit has expired...."

Step 2: press Ctrl+D to enter SoftIce and set a breakpoint on the GetLocalTime function.
Press Ctrl+D again to return to Windows and now run Hedit.....GOAL!! You're in SoftIce, and you 
land here:

* Reference To: KERNEL32.GetLocalTime, Ord:00F5h
                                  |
:0040C2EB FF154CC24300            Call dword ptr [0043C24C]
:0040C2F1 8D4C2400                lea ecx, dword ptr [esp]
:0040C2F5 51                      push ecx

Now start tracing the code until you find some interesting instruction such as JG or JL, or some 
interesting data such as 1Eh (30 in decimal) or 1Fh (31 in decimal).
During your tracing you'll arrive here:

:0040C382 8B542400                mov edx, dword ptr [esp]
:0040C386 8B4C2404                mov ecx, dword ptr [esp+04]
:0040C38A 8915F0174500            mov dword ptr [004517F0], edx
:0040C390 8B542408                mov edx, dword ptr [esp+08]
:0040C394 890DF4174500            mov dword ptr [004517F4], ecx
:0040C39A 8B4C240C                mov ecx, dword ptr [esp+0C]
:0040C39E A3E8174500              mov dword ptr [004517E8], eax
:0040C3A3 8915F8174500            mov dword ptr [004517F8], edx
:0040C3A9 890DFC174500            mov dword ptr [004517FC], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C347(U)
|
:0040C3AF 8B54241C                mov edx, dword ptr [esp+1C]
:0040C3B3 8B4C2418                mov ecx, dword ptr [esp+18]
:0040C3B7 50                      push eax
:0040C3B8 8B44241E                mov eax, dword ptr [esp+1E]
:0040C3BC 81E2FFFF0000            and edx, 0000FFFF
:0040C3C2 25FFFF0000              and eax, 0000FFFF
:0040C3C7 52                      push edx
:0040C3C8 8B54241E                mov edx, dword ptr [esp+1E]
:0040C3CC 81E1FFFF0000            and ecx, 0000FFFF
:0040C3D2 50                      push eax
:0040C3D3 8B44241E                mov eax, dword ptr [esp+1E]
:0040C3D7 51                      push ecx
:0040C3D8 8B4C2420                mov ecx, dword ptr [esp+20]
:0040C3DC 81E2FFFF0000            and edx, 0000FFFF
:0040C3E2 25FFFF0000              and eax, 0000FFFF
:0040C3E7 52                      push edx
:0040C3E8 81E1FFFF0000            and ecx, 0000FFFF
:0040C3EE 50                      push eax
:0040C3EF 51                      push ecx
:0040C3F0 E82B610000              call 00412520

The mov instructions in the first part of this code snippet are a little suspicious, because 
they mean that the program is preparing some data for a function. In fact, if you take a look
at the registers the program uses in this part, you can observe that they contain time
information. You can find the current year (7D0h = 2000dec) and the other information about
the current date (the number of the month, the number of the day, the hour....). All this
information is pushed onto the stack (see the push instructions) as arguments for the call at address
0040C3F0 (note that the "and [reg name], 0000FFFF" instructions clear the upper 16 bits of each register,
keeping only the 16-bit value).
This means that we're following the right way.....
Continue to trace and you'll find something very interesting: look here!!

:004032C5 C1E91F                  shr ecx, 1F             <- 1Fh = 31dec, we're near the solution!
:004032C8 03D1                    add edx, ecx
:004032CA 7842                    js 0040330E
:004032CC 83FA1C                  cmp edx, 0000001C       <- edx = number of days you've used the program;
                                                             it's compared with 1Ch = 28dec
:004032CF 7F3D                    jg 0040330E             <- if it's greater, jump to other controls:
                                                             I suppose it jumps to a "You're in the
                                                             last day of your trial period" msgbox or
                                                             something similar!!
:004032D1 83FA0E                  cmp edx, 0000000E       <- compare edx with 0Eh = 14dec
:004032D4 0F8EF6000000            jle 004033D0            <- if it's less or equal, execute the program; otherwise
                                                             it jumps to a "You've used Hedit for 2
                                                             weeks! Please register" msgbox or something
                                                             similar.

Have you understood? Just NOP the jg 0040330E instruction and change the jle 004033D0 instruction
into jmp 004033D0, and the program will work forever.

As you've seen, the protection scheme of this program is a little weak, but it is a classic among
time-limited shareware applications. So newbies, read and learn!!!

See you the next time!!

Greetings to Volatility and all the Immortal Descendants.

Contact me at: ume15@hotmail.com.