Name      : UltraEdit 32

Version   : 7.00

Editor    : ultraedit

Target    : Uedit32.exe

Tools     : FileMon
            Hiew
            W32Dasm
            Brain
            
Cracker   : LW2000

Tutorial  : No.51

http://www.ultraedit.com



---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---


1.      Let's start: go to the registration screen and enter the details.

        Name: LW2000 [CiA]
        Code: 1230099

        *BOOM* Mhmm, no msg! UE exits!
  
        So, what does this mean? Ultra Edit saves the details in a
        file and checks them at startup.

2.      OK, let's take a closer look at this "file". Watch Ultra Edit in
        Filemon! Filemon shows a file called UEDIT32.reg...
        Mhmm *g*, seems that we have found a good starting point
        to crack Ultra Edit!
        

3.      Load Uedit32.exe in W32Dasm and search the String Data
        References (SDR) for REG. OK, I get a few different hits. But
        after a close look, it was clear that this is the part we need:


:0043D61E 6840444E00              push 004E4440
:0043D623 B90CE54E00              mov ecx, 004EE50C
:0043D628 E873230500              call 0048F9A0
:0043D62D 83F8FF                  cmp eax, FFFFFFFF
:0043D630 0F841D010000            je 0043D753
:0043D636 FFB78C000000            push dword ptr [edi+0000008C]
:0043D63C 8D4D10                  lea ecx, dword ptr [ebp+10]
:0043D63F E88DA20500              call 004978D1
:0043D644 8B4510                  mov eax, dword ptr [ebp+10]
:0043D647 8D4D10                  lea ecx, dword ptr [ebp+10]
:0043D64A C645FC02                mov [ebp-04], 02
:0043D64E 8B40F8                  mov eax, dword ptr [eax-08]
:0043D651 83C0FD                  add eax, FFFFFFFD
:0043D654 50                      push eax
:0043D655 8D45E8                  lea eax, dword ptr [ebp-18]
:0043D658 50                      push eax
:0043D659 E8A8220500              call 0048F906

* Possible StringData Ref from Data Obj ->"REG"

4.      Now scroll up a bit to see this.


* Reference To: USER32.CreateWindowExA, Ord:0059h
|
:0043D5E2 FF1530074C00            Call dword ptr [004C0730]
:0043D5E8 A3C8FF4E00              mov dword ptr [004EFFC8], eax
:0043D5ED 8D8796020000            lea eax, dword ptr [edi+00000296]
:0043D5F3 885810                  mov byte ptr [eax+10], bl
:0043D5F6 FF3500E54E00            push dword ptr [004EE500]
:0043D5FC 6A01                    push 00000001
:0043D5FE 50                      push eax
:0043D5FF FF75F0                  push [ebp-10]
:0043D602 E8BB11FDFF              call 0040E7C2              <-- Check Routine
:0043D607 83C410                  add esp, 00000010
:0043D60A 85C0                    test eax, eax              <-- TEST
:0043D60C 0F8489010000            je 0043D79B                <-- BAD BOY!
:0043D612 391D1C004F00            cmp dword ptr [004F001C], ebx
:0043D618 0F857D010000            jne 0043D79B

* Possible StringData Ref from Data Obj ->"Extension License"

5.      The CreateWindowEx function creates a pop-up, overlapped or
        child window with an extended style. If the function succeeds,
        the return value is the handle of the new window; otherwise
        it is zero. At 43D602 we see a call.
        Inside this call our fake serial and the correct one are compared.
        If they are identical then eax=1, else eax=0.

        So what to do? Let's change the call so that the return value
        is 1 - every time =)  Go into the call and note the offset.
        Open Hiew, go to the offset. Enter decode mode, press F3 to edit
        and F2 to enter ASM commands. Now type:

        mov eax,1 [press Enter]
        ret       [press Enter]
                  [press Esc]

        What does this do? This sets eax=1 and returns from the call =)

        OK, let's try our bug-free version ;)
                


Congratulation! You are a registered user.

FINISH! Easy, right?
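
Seen from the vendor's side, the change in step 5 is easy to detect: the check routine's bytes no longer match what was shipped, and its entry point decodes to a constant return. The following is an added example, not part of the original tutorial or of UltraEdit's code; the function names and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ROUTINE_OK, ROUTINE_MODIFIED, ROUTINE_FORCED_RETURN } verdict;

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320) over a byte range. */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* x86-32 encodings: B8 imm32 = mov eax, imm32 ; C3 = ret.
 * An entry point that is exactly this pair returns a constant and never
 * reaches the original comparison, which is what step 5 produces. */
int is_forced_return(const uint8_t *code, size_t len, uint32_t *value)
{
    if (len < 6 || code[0] != 0xB8 || code[5] != 0xC3)
        return 0;
    *value = code[1] | (uint32_t)code[2] << 8 |
             (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    return 1;
}

/* Compare the routine's bytes with a checksum recorded at build time. */
verdict verify_routine(const uint8_t *code, size_t len, uint32_t expected_crc)
{
    uint32_t v;
    if (crc32_bytes(code, len) == expected_crc)
        return ROUTINE_OK;
    return is_forced_return(code, len, &v) ? ROUTINE_FORCED_RETURN
                                           : ROUTINE_MODIFIED;
}

/* Constructed sample bytes for illustration, not taken from Uedit32.exe. */
static const uint8_t clean_routine[8]   = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56};
static const uint8_t patched_routine[8] = {0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3, 0x53, 0x56};

int main(void)
{
    uint32_t baseline = crc32_bytes(clean_routine, sizeof clean_routine);
    printf("clean=%d patched=%d\n",
           (int)verify_routine(clean_routine, 8, baseline),
           (int)verify_routine(patched_routine, 8, baseline));
    return 0;
}
```

A check like this that lives inside the same executable can itself be patched out, so it complements a signature check on the file and validation done outside the binary rather than replacing them.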

cu LW2000
Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net
----
tKC, thx for your tutors!
I started with tutor 1 and I still read them... they are the best!