Ultra Edit 9.00a
By +Jonathan
*Price: $35
*Protection: Enter SN otherwise 45-days trial
Restart-checking SN protection (CMOS)
OK. As usual, we begin by entering “12345678” and pressing [enter].
What the hell!!!! It pops up a Message box:
Obviously, the protectionists try to hide the checking routine!! So, what should we do? BPX GetWindowTextA? No, not good, since you won’t find the SN check routine. Ok. Let’s fire up W32Dasm 8.93 in order to observe the String Data. As soon as you load it (save it as a project, please ^_^) you will see the Dialog REF button, which means it may have RESOURCE!!! Now let’s adjust the time so that the trial is expired. Remember that the biggest clue is to set breakpoints on all the expired-message references, and you will immediately pop up at 004916E4 if you press the [run] button!!! Let’s analyze the snippet:
* Possible StringData Ref from Data Obj ->"Days to expire"
:0049169A 682C3C5600        push 00563C2C
* Possible StringData Ref from Data Obj ->"Settings"
:0049169F 68803B5600        push 00563B80
:004916A4 E86D7EF8FF        call 00419516
:004916A9 A1183D5700        mov eax, dword ptr [00573D18]
:004916AE 2B051C3D5700      sub eax, dword ptr [00573D1C]
:004916B4 50                push eax
:004916B5 E88CF30400        call 004E0A46
:004916BA 83F82D            cmp eax, 0000002D                  *Has the user reached 45 days?*
:004916BD 59                pop ecx
:004916BE 7F0C              jg 004916CC                        *Yes, bad cracker, game over*
:004916C0 399E50010000      cmp dword ptr [esi+00000150], ebx  *+cracker continue using :-)*
:004916C6 0F8576FFFFFF      jne 00491642
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004916BE(C)
:004916CC E8A58BF7FF        call 0040A276
:004916D1 391D783B5700      cmp dword ptr [00573B78], ebx
:004916D7 758A              jne 00491663
:004916D9 A12C4B5600        mov eax, dword ptr [00564B2C]
:004916DE 894510            mov dword ptr [ebp+10], eax
:004916E1 894514            mov dword ptr [ebp+14], eax
* Possible Reference to String Resource ID=00068: "UltraEdit 45 Day Evaluation time expired!!!!"
:004916E4 6A44              push 00000044                      *Here*
:004916E6 8D4D10            lea ecx, dword ptr [ebp+10]
:004916E9 C645FC02          mov [ebp-04], 02
:004916ED E8FF5B0600        call 004F72F1
* Possible Reference to String Resource ID=00069: "To continue to use UltraEdit you must send the registration "
:004916F2 6A45              push 00000045
:004916F4 8D4D14            lea ecx, dword ptr [ebp+14]
:004916F7 E8F55B0600        call 004F72F1
:004916FC 6830200000        push 00002030
:00491701 FF7510            push [ebp+10]
:00491704 FF7514            push [ebp+14]
:00491707 53                push ebx
Ok, before it starts, it HAS TO check the time, and hence BACK TRACE is always the best, no matter what. So, let’s see the process:
               004915FB
0049169A ->                -> 004915ED -> 0049154E
               00491607
:0049152F 8D4DF0            lea ecx, dword ptr [ebp-10]
:00491532 E8854B0600        call 004F60BC
:00491537 8D4DF0            lea ecx, dword ptr [ebp-10]
:0049153A 895DFC            mov dword ptr [ebp-04], ebx
:0049153D E860530600        call 004F68A2
:00491542 E849EB0700        call 00510090
:00491547 8B7004            mov esi, dword ptr [eax+04]
:0049154A 8B4514            mov eax, dword ptr [ebp+14]
:0049154D 48                dec eax
:0049154E 0F8587000000      jne 004915DB                       *Here*
:00491554 48                dec eax
:00491555 0F8508010000      jne 00491663
:0049155B 391D783B5700      cmp dword ptr [00573B78], ebx
:00491561 7413              je 00491576
So, let’s quickly crack this one:
SEARCH: 48 0F 84 87 00 00 00 48 0F 85
MODIFY: ====85================
Oh!! We almost forgot the nag screen, right? Fire up Resource Hack and search for “register” (replace or delete resources); keep pressing F3.
Just replace the highlighted line with whatever you want!!! EX: This is register to “Super +Jonathan”
and replace the program. (This modification takes care of Help->About.)
Oh, I am so tired now~. It’s almost
E-Mail +Jonathan: aikawa-nanase7511@juno.com