Lean to Crack
by Ignatz
Number 2 : Find your own way cracking UltraEdit-32  (ver 6.00c)
 using Pascal for writing a patch

[Task one | Task two | Task three | Task four | Task five | Task six | FAQ]

Ok people. First of all I´d like to say that I do not want to support any illegal action with this tutorial. It´s just for educational purpose. It
should help you to undestand what´s going on in a PC any why things are the way they are. You should also get an idea of what good craking
is about and be able to recognize genaral patterns used by many programs. If you want to use the software beyond it´s trial-status then there´s
only one way. This way is to buy it. After doing and understanding the crack you should buy or delete the software. Because cracking isn´t
neccessarilly illegal. It´s a way having fun and it´s a real good feeling when you´re done with a hard program. Believe me.

So, if you do not think the same or if you were too stupid to find an exe crack and just want to crack it by my tutorial, then I´d like you to go to
bed, take a nap, think about ethical cracking, your life, things you archieved and how did it, love, hate, ignorance, of course Roadrunner and
Koyote and come back with the wish to learn and understand. Repeat this part until you feel you are the kind of person having the wish to
seek for knowledge bestowed upon.

Tutorials I came across very often are even too detailed, I think! So I´d like to try a new approach by writing a tutorial which does not tell you where to put a breakpoint and why to do so, but which should guide you to one of the possible solutions. This means that I also  presuppose fundamental knowledge about the use of Soft-ICE, Win32 DASM, HView, and basic assembler-knowledge. I will not tell you where or how to set breakpoints. I will only tell you how to look for the right position. The where and why is your part.
This may, or even will (I hope it will) cause many questions. Therefore I got an eMail-address. Don´t hesitate to post but be sure about what and why you post a question. These Questions will be collected in a FAQ which will be added and updated frequently.
I´ll just tell you exatcly how to write a patch for the program in pascal. (with false addresses of course)

Where to get the program:
find it at:


Let´s get started!

Task one:

As always get to know you enemy. Find out as much as you can about the targetprogram, by reading the help, the aboutbox, the mechanism of registration, ... . After doing so get an idea of how to crack the program and what it is you want to archieve. This will determin what you´ll have to do next.

Question: Why should you find out as much as possible and not try a bruteforce approach ?

MY answer: (since there are hundrets of possible answer, because cracking is more like a philosophy to me, than something to be put into schemes of rules and "dos and don´ts". You might also say it´s not useful to do any research on your target, because sooner or later you´ll crack the damn thing this way or the other. It´s YOUR philosophy. So use a way that suits you best!)

Knowing as much as possible about you program gives you the oppertunity to set up a plan of how to crack a program. If you want to break into a bank for example you should know what you want to steal. Is it the money, the gold, diamants, shares or all together, and what you want to do with you loot. Then you have to know about the security-installations of your target. Is it enough to crash the door and grab the money (brureforce) or does it have a high security standard. Then you take a look at the tools you got and which tools you might need in addition to bust the sec.-sys. Putting it all together you might get a scenario like this.

Target:                                                             BANK
What do I want :                                              get rich!
How may I do this:                                          steal money, steal shares.
                                                                        (they don´t got diamants.
                                                                        I can´t carry the gold.)
What about the security:                                  The shares are stored in a much safer place than the money. Therefore I´d rather just try to
                                                                        get the money.
How to get the money:                                     1) get in, shoot people, take the money, get out (brutal isn´t it)
                                                                        2) find a way to bypass the security system by getting as much knowledge as possible and
                                                                            setting up a good plan.
What to do with the money:                             don´t waste it, and don´t get caught by spending it all for things you shouldn´t be able to buy

So like this you can get a much better idea of what to do and how to do. If you have the mission to steal the gold you´ll have to set up a totally different plan. The same about programs: do I want to register, do I want to write a keygen,... .Each target has it´s own way.

I our case -ultraedit32 ver 6.00c- we have 3 major possibilities to archive our "what do I want"-part : no limitations since the timetrial is the only limitation.
1)  find the correct serial
2)  fake a correct serial
3)  fake that you are still in the trial period.

1&2 are a bit harder since there is no nagscreen and it´s therefore harder to find the generating routine.
3 looks easy. You have got enough nags which guide you to a useful part in the disassambled code.

Task two

Find a way to get to the correct place in the disassambled code which referres to the timetrial-protection.
You can do this by taking a windowtext and search for it in Win32DASM. The you´ll have to find a "good jump"-instruction having the form
:00987654 call 00543221
:00987655 cmp eax, 22
:00987656 jb 00432212
:00987657 good boy code
:00432212 bad boy code         (This scheme is one typical scheme for time-protected systems.)
just as you would do it with a nag screen. But now you aren´t looking for words like "wrong serial" but words like "time-trial".
It´s also possible to search for the cmp eax, 22 part. You just have to know if 22 is right and if eax is correct. You might also guess the register since there aren´t so many of them.
You might also use the GetLocalSystemtime breakpoint for this one, as often  used in time protections. There are still other ways. Find yours.

Task three

Figure out how to bypass this scuritysystem. Using the oldfashioned nop-out for example. This should be quite simple.

Task four

As I did the crack I still had the Info-Window popping up everytime I started the program. Maybe you alreayd "fixed" this problem with your artwork. (Yes, cracking is an art for me) This gets very annoying after some time. So get rid of this window too in order to stopp it popping up. find the call-compare-jump section wich controles this windowpopup. Try it all by yourself.

Task five

writing a patcher in Pascal.
This is just one possible way to write a patcher. There are many others.
But all have somethings in common:
1) security
    double check everything you do. It should produce a correct and understandable output everytime! Never terminate the program without an
    errormessage or a sucessmessage.
    never trust the people who use your patch. "If there are two or more ways to do something, and one of those ways can result in a
    catastrophe, then someone will do it." (Murphy´s law)
2) they work. Don´t write a patch which doesn´t do the things it´s supposed to do. Test it as good as possible. Also try to produce every
     errormessage to see if they are correct.
3) they have a (short) description (file_id.diz)

(* Autor   : Ignatz [Ignatz_x_@hotmail.com]      *)
(* Date    : 22.2.1999                           *)
(* Use     : Step one to crack Mp3 Wolf v1.04]   *)
(* Version : 1.0                                 *)
program wolfcrcstep1;

uses crt;

var   ToPatch:file of char;     (* I use file of char because it easy to handle *)

const c_helo1='Helo,';
      c_helo2=' This program cracks ultraedit Versoin 6.00c';
      c_helo3=' Please read the file_id.diz before starting';

      c_PressKey='Please Press <ENTER> to continue';

      c_FileNotFound='Error- file not found, this patch must be in same directory like uedit';
      c_Corrupt='Error- Corrupt file, maybe you have the wrong Version';
      c_CrcNotDone='Error- unable to crack file, maybe itïs writeprotected';

      c_CrcDone='crack done.';
      c_Message='whatever you say';

      c_FilePos = 123456; (* it´s in integer format. The position you get from HView is hex so you´ll have
                             to do some calculation *)

 * I like to use these constants because it´s making it easy to re-use a patch for another program

  writeln(c_Helo3);           (* print out the hello messsage *)
  {$I-}                       (* turn off the internal I/O error-check *)
  reset(ToPatch);             (* try to open the file *)
  {$I+}                       (* turn on the internal I/O error-check *)
  if IOResult <> 0 then       (* there might have been a fault while trying to open the file *)
                              (* we have to take care of that
    writeln(c_FileNotFound);  (* no such file ... *)
    writeln(c_PressKey);      (* goodbye *)
  end else (* continue *)
  begin (* file found *)
    {$I-}                     (* turn off the internal I/O error-check *)
    seek(ToPatch,c_FilePos);  (* go to the positon of the instruction we want to patch *)
    {$I+}                     (* turn on the internal I/O error-check *)
    if IOResult <> 0 then     (* there might have been a I/O error *)
    end else (* continue *)
    begin (* position found *)
      read(ToPatch,x);        (* read what for an instuction we have here *)
      if x <> 'u' then        (* if it is the right one then patch (u stands for 75 jnz) *)
        writeln(c_Corrupt);   (* otherwise it might already be patched or it´s a wrong file *)
      end else
      begin (* just patch now *)
        seek(ToPatch,c_FilePos);(*we have to set the filepointer to the correct position again after the read*)
        x:='t';              (* t stands for 74 jz *)
        write(ToPatch,x);    (* patch *)
        read(ToPatch,x);     (* control if we really patched the program *)
        if (IOResult <> 0) or (x <> 't') then
          writeln(c_CrcNotDone); (* too bad we wern´t able to patch *)
        end else
          writeln(c_CrcDone); (* well done *)

Task 6

Please write me your feedback and your questions about this tutorial and the crack if necessary! It´s very important for me to know what you think and what problems you have! This tutorial really is an experiment and I need to know if it was sucessfull or not. If you feel more comfortable with very detailed tutorials I will stop wasting my time on "find your own way" tutorials.


Thanks for reading. And please give me feedback!!!!
chiao bella