Name     : UltraEdit 32
Version  : 7.00
Editor   : ultraedit
Target   : Uedit32.exe
Tools    : FileMon, Hiew, W32Dasm, Brain
Cracker  : LW2000
Tutorial : No.51

http://www.ultraedit.com

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

1. Let's start: go to the registration screen and enter the details.

Name: LW2000 [CiA]
Code: 1230099

*BOOM* Mhmm, no msg! UE exits! So, what does this mean? Ultra Edit saves the details in a file and checks this file when starting up.

2. OK, let's take a close look at this "file". Watch Ultra Edit in Filemon! Filemon reports a file called UEDIT32.reg... Mhmm *g*, it seems that we have found a good starting point to crack Ultra Edit!

3. Load Uedit32.exe in W32Dasm and search the String Data References (SDR) for REG. OK, I get a few different hits. But after a close look, it was clear that this is the part we need:

:0043D61E 6840444E00              push 004E4440
:0043D623 B90CE54E00              mov ecx, 004EE50C
:0043D628 E873230500              call 0048F9A0
:0043D62D 83F8FF                  cmp eax, FFFFFFFF
:0043D630 0F841D010000            je 0043D753
:0043D636 FFB78C000000            push dword ptr [edi+0000008C]
:0043D63C 8D4D10                  lea ecx, dword ptr [ebp+10]
:0043D63F E88DA20500              call 004978D1
:0043D644 8B4510                  mov eax, dword ptr [ebp+10]
:0043D647 8D4D10                  lea ecx, dword ptr [ebp+10]
:0043D64A C645FC02                mov [ebp-04], 02
:0043D64E 8B40F8                  mov eax, dword ptr [eax-08]
:0043D651 83C0FD                  add eax, FFFFFFFD
:0043D654 50                      push eax
:0043D655 8D45E8                  lea eax, dword ptr [ebp-18]
:0043D658 50                      push eax
:0043D659 E8A8220500              call 0048F906

* Possible StringData Ref from Data Obj ->"REG"

4. Now scroll up a bit to see this:

* Reference To: USER32.CreateWindowExA, Ord:0059h
                                  |
:0043D5E2 FF1530074C00            Call dword ptr [004C0730]
:0043D5E8 A3C8FF4E00              mov dword ptr [004EFFC8], eax
:0043D5ED 8D8796020000            lea eax, dword ptr [edi+00000296]
:0043D5F3 885810                  mov byte ptr [eax+10], bl
:0043D5F6 FF3500E54E00            push dword ptr [004EE500]
:0043D5FC 6A01                    push 00000001
:0043D5FE 50                      push eax
:0043D5FF FF75F0                  push [ebp-10]
:0043D602 E8BB11FDFF              call 0040E7C2            <-- Check Routine
:0043D607 83C410                  add esp, 00000010
:0043D60A 85C0                    test eax, eax            <-- TEST
:0043D60C 0F8489010000            je 0043D79B              <-- BAD BOY!
:0043D612 391D1C004F00            cmp dword ptr [004F001C], ebx
:0043D618 0F857D010000            jne 0043D79B

* Possible StringData Ref from Data Obj ->"Extension License"

5. The CreateWindowEx function creates a pop-up, overlapped or child window with an extended style. If the function succeeds, the return value is the handle of the new window; otherwise it is zero.

At 43D602 we see a call. Inside this call our fake serial and the correct one are compared. If they are identical then eax=1, else eax=0. So what to do? Let's change the call so that the return value is 1 - every time =)

Go into the call and note the offset. Open hiew and go to the offset. Enter decode mode, press F3 to edit and F2 to enter ASM commands. Now type:

mov eax,1 [press Enter]
ret [press Enter]
[press Esc]

What does this do? This sets eax=1 and returns from the call =)

OK, let's try our bug-free version ;)

Congratulations! You are a registered user.

FINISH! Easy, right?

cu LW2000

Any comments? Mail me at LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!
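
From the defender's side, the single-point patch described in step 5 leaves a recognizable trace: the routine's entry becomes `mov eax, imm32` followed by `ret`, and the file no longer matches the release build. The check below is an added example, not part of the original tutorial or of UltraEdit; the function name, file offset and sample bytes are constructed for illustration.

```python
import hashlib
import struct

# x86-32 encodings: B8 imm32 = mov eax, imm32 ; C3 = ret ; C2 imm16 = ret imm16
def forced_return_value(code: bytes):
    """Return the constant if `code` starts with 'mov eax, imm32; ret', else None."""
    if len(code) >= 6 and code[0] == 0xB8 and code[5] in (0xC3, 0xC2):
        return struct.unpack_from("<I", code, 1)[0]
    return None

def audit_image(image: bytes, known_good_sha256: str, entry_offsets: dict):
    """Compare the image to the release hash and inspect each listed function entry."""
    findings = []
    if hashlib.sha256(image).hexdigest() != known_good_sha256:
        findings.append(("image", "sha256 differs from release build"))
    for name, off in entry_offsets.items():
        value = forced_return_value(image[off:off + 6])
        if value is not None:
            findings.append((name, f"entry replaced by constant return {value}"))
    return findings

def build_sample(patched: bool) -> bytes:
    """Constructed 64-byte stand-in for an executable with one function at 0x20."""
    image = bytearray(b"\x90" * 0x40)
    # Normal prologue: push ebp ; mov ebp, esp ; sub esp, 0x10
    image[0x20:0x26] = bytes.fromhex("558bec83ec10")
    if patched:
        # Entry overwritten with: mov eax, 1 ; ret
        image[0x20:0x26] = bytes.fromhex("b801000000c3")
    return bytes(image)

CLEAN = build_sample(False)
RELEASE_HASH = hashlib.sha256(CLEAN).hexdigest()   # recorded at build time
ENTRIES = {"license_check": 0x20}                  # hypothetical name and file offset

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("patched", build_sample(True))):
        print(label, audit_image(img, RELEASE_HASH, ENTRIES))
```

In practice the release hash comes from the vendor's build pipeline or a code signature; the entry-point scan narrows down which function was altered.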