Since this is the first time I have cracked a larger piece of commercial software, it is worth writing down; besides, the price of UE is too high ...
Step 0: Preparation
Get the usual software-cracking tools ready. Mine are IDA (static analysis), OllyDbg (dynamic debugging), PEiD (to see whether the executable is packed), W32Dasm (seen in an online tutorial video, used here for a static search of the string resources in the executable) and Cheat Engine (normally used for game cheating, used here to search the process memory for strings dynamically).
First, running PEiD on the executable Uedit32.exe shows that it is not packed. This is no surprise; software of this kind would certainly not be packed.
Second, one needs to understand UE's registration/activation mechanism. After a default installation the software is in the unregistered/unactivated state and can be tried for 30 days. When the trial expires a prompt pops up saying you must register before you can continue. Before expiry you can also open "Help" > "Registration", which brings up UE's online activation dialog (as shown). Filling in the License ID and password and clicking the "Activate" button starts an HTTP exchange with UE's server; without a correct License ID and password the server check naturally fails.
There is another way to activate: offline activation. If the network adapter is disabled when the "Activate" button is clicked, this appears:
Click "Offline Activation", fill in "License ID", "Password", "Verification Code 1" and "Verification Code 2" in the dialog box, and click the "Activate" button; a failure message pops up:
Note the error message "The code you entered is not valid. You need ..."; the cracking approach described in this article starts from this string.
Step 1: find the instructions and the function that access the error prompt.
Try a static search first. Using W32Dasm to look for the string "The code you entered is invalid. You need ..." finds nothing.
This suggests that UE's prompt strings may be loaded dynamically, read into memory from a file when UE starts. Searching for the string in the process with Cheat Engine after the failure prompt has appeared succeeds:
Next, use Cheat Engine to find out what accesses this address; a handful of instructions show up:
We should focus only on instructions inside the UE module, so the first instruction is the one of interest.
Setting a breakpoint on this instruction, the program breaks constantly, so one can guess that some UE thread keeps executing it. The stack is also different on each break, which suggests the instruction sits inside a low-level function. A conditional breakpoint is therefore needed: break only when register EDI equals 05A27B80. Now it no longer breaks repeatedly, and it breaks when activation is attempted again.
Then a painful step begins: finding the function that is called when the Activate button is pressed. Look at the call stack at the bottom right and, working from the innermost frame outward, set a (non-conditional) breakpoint on each call in turn: add the breakpoint, let UE run, and see whether it breaks only when the "Activate" button is clicked; if not, delete the breakpoint and set one in the next caller up. After several attempts, a call to 0099B170 was found.
Step 2: analyze the key instruction logic that decides whether the verification code / registration code matches.
Close Cheat Engine, disassemble the UE executable with IDA, and locate the function at 0099B170. Because the file is large, the disassembly may take a long time to finish.
Analyzing the disassembly, the following instruction checks whether the user entered a license at all:
    cmp     <operand>, 0        ; first operand garbled in the source listing
    jnz     loc_99B2F9
and the logic called afterwards is executed when a license was entered but validation fails:
.text:0099B8FF loc_99B8FF:                             ; CODE XREF: sub_99B170+783j
.text:0099B8FF     mov     edx, [eax]
.text:0099B901     mov     ecx, eax
.text:0099B903     mov     eax, [edx+0Ch]
.text:0099B906     call    eax
.text:0099B908     lea     edi, [eax+10h]
.text:0099B90B     mov     [ebp+var_68], edi
.text:0099B90E     push    6D6Fh                       ; unsigned int
.text:0099B913     mov     byte ptr [ebp+var_4], 18h
.text:0099B917     call    AfxFindStringResourceHandle ; AfxFindStringResourceHandle(UINT)
.text:0099B91C     test    eax, eax
.text:0099B91E     jz      short loc_99B931
.text:0099B920     push    6D6Fh                       ; lpWideCharStr
.text:0099B925     push    eax                         ; hModule
.text:0099B926     lea     ecx, [ebp+var_80]
.text:0099B929     call    sub_4098F0
.text:0099B92E     mov     ebx, [ebp+var_80]
.text:0099B931
.text:0099B931 loc_99B931:                             ; CODE XREF: sub_99B170+7AEj
.text:0099B931     push    6D70h                       ; unsigned int
.text:0099B936     call    AfxFindStringResourceHandle ; AfxFindStringResourceHandle(UINT)
.text:0099B93B     test    eax, eax
.text:0099B93D     jz      short loc_99B950
.text:0099B93F     push    6D70h                       ; lpWideCharStr
.text:0099B944     push    <reg>                       ; hModule (register operand garbled in the source listing)
.text:0099B945     lea     ecx, [ebp+var_68]
It is therefore assumed that UE's validation logic looks roughly like this:
    ret = check(/* the various user inputs */);
    str_id = get_str_by_ret(ret);
    show_str(str_id);
    ...
Fortunately there is also an earlier instruction:
.text:0099B1C4     push    0                           ; bEnable
.text:0099B1C6     mov     ecx, eax
.text:0099B1C8     call    CWnd::EnableWindow          ; CWnd::EnableWindow(int)
.text:0099B1CD
Using OllyDbg to change the push 0 at .text:0099B1C4 to push 1, the Activate button is no longer grayed out, so the logic that decides whether the registration code matches is presumably located between the two instructions above.
Continuing with IDA's disassembly, two calls to atoi are found in between:
.text:0099B337     push    ebx                         ; char *
.text:0099B338     mov     byte ptr [ebp+var_4], 4
.text:0099B33C     call    _atoi
.text:0099B341     add     esp, 4
.text:0099B344     push    eax
.text:0099B345     call    sub_CCDA26
.text:0099B34A     mov     edi, eax
.text:0099B34C     mov     eax, [ebp+var_6C]
.text:0099B34F     push    0C6h
.text:0099B354     push    <reg>                       ; char * (register operand garbled in the source listing)
.text:0099B355     call    _atoi
.text:0099B35A     add     esp, 4
With OllyDbg breaking at these two places, their arguments turn out to be the strings from UE's Verification Code 1 and Verification Code 2 fields; evidently the logic that decides whether the registration code matches comes after these two atoi calls.
Continuing with IDA's disassembly, the following instruction appears after the two atoi calls:
.text:0099B363     lea     ecx, [edi-13h]
.text:0099B366     cmp     ecx, 0Dh                    ; switch cases
.text:0099B369     ja      loc_99B8B8                  ; jumptable 0099B376 default case
Thanks to IDA for recognizing this as a switch-case branch; presumably what follows is the get_str_by_ret we are looking for.
Step 3: crack.
In OllyDbg, modify ECX just before cmp ecx, 0Dh executes; the correct value is most likely 0. Set it to 0 and continue running: the pop-up dialog now says you can try for another 30 days. Detach OllyDbg from the UE process, stop debugging, close UE and reopen it: the trial-expiry prompt no longer appears. Cracked successfully.
Summary
Actually the final cracking step was a matter of luck: the decision logic was easy to find. If the attempt had failed, one would have had to keep looking for the real check function.
In fact there are plenty of crack patches available for download, and even cracked versions of UE (though none was found for this 20.00.0.1040 version). As stated at the beginning, the point of this article is to record and share, not to show off.
Possible extensions:
1. I think the remaining UE trial time should be written to the registry or to a file; if it can be found, it may be possible to make the trial time unlimited;
2. Could the online registration be tackled instead, a completely different approach?
3. Following the idea of this article, a crack patch could also be made that modifies the value of ECX before cmp ecx, 0Dh; this should be relatively easy, to be done when time permits.
Cracking UltraEdit (version 20.00.0.1040) for an unlimited trial