- A BASIC TIME LIMITED (AND A GOOD HEX EDITOR!) PROGRAM: HEDIT 2.1
-
- Tutorial by UmE
-
- Introduction: in this tutorial I'll show you how to remove the time limitation from a very useful
- program: HEdit 2.1. The protection scheme is very simple, and for that reason it is very
- educational for every newbie. And it's my favourite hex editor......
-
- Tools needed: SoftIce 3.00 or higher.
-
- Program information: HEdit version 2.1.14, HEdit.exe, 352,256 bytes.
-
- PARENTAL ADVISORY: this tutorial is cracking oriented!!!
-
- Step 1: let's start by running our target: the program starts with no nag screen. Now move the
- system date one month past the installation date and run it again: this time a message window
- (not a real MessageBox, which is why in Step 2 we break on the time API rather than on MessageBoxA)
- tells us that our trial period is over:
-
- "Your trial license of Hedit has expired...."
-
- Step 2: press Ctrl+D to enter SoftIce and set a breakpoint on the GetLocalTime API
- (bpx GetLocalTime). Press Ctrl+D again to return to Windows and run HEdit..... GOAL!! SoftIce
- pops up and you land here:
-
- * Reference To: KERNEL32.GetLocalTime, Ord:00F5h
- |
- :0040C2EB FF154CC24300 Call dword ptr [0043C24C]
- :0040C2F1 8D4C2400 lea ecx, dword ptr [esp]
- :0040C2F5 51 push ecx
-
- Now trace the code until you find an interesting instruction (a JG, JL or similar conditional
- jump) or an interesting constant such as 1Eh (30 decimal) or 1Fh (31 decimal), i.e. the length
- of a month. While tracing you'll arrive here:
-
- :0040C382 8B542400 mov edx, dword ptr [esp]
- :0040C386 8B4C2404 mov ecx, dword ptr [esp+04]
- :0040C38A 8915F0174500 mov dword ptr [004517F0], edx
- :0040C390 8B542408 mov edx, dword ptr [esp+08]
- :0040C394 890DF4174500 mov dword ptr [004517F4], ecx
- :0040C39A 8B4C240C mov ecx, dword ptr [esp+0C]
- :0040C39E A3E8174500 mov dword ptr [004517E8], eax
- :0040C3A3 8915F8174500 mov dword ptr [004517F8], edx
- :0040C3A9 890DFC174500 mov dword ptr [004517FC], ecx
-
- * Referenced by a (U)nconditional or (C)onditional Jump at Address:
- |:0040C347(U)
- |
- :0040C3AF 8B54241C mov edx, dword ptr [esp+1C]
- :0040C3B3 8B4C2418 mov ecx, dword ptr [esp+18]
- :0040C3B7 50 push eax
- :0040C3B8 8B44241E mov eax, dword ptr [esp+1E]
- :0040C3BC 81E2FFFF0000 and edx, 0000FFFF
- :0040C3C2 25FFFF0000 and eax, 0000FFFF
- :0040C3C7 52 push edx
- :0040C3C8 8B54241E mov edx, dword ptr [esp+1E]
- :0040C3CC 81E1FFFF0000 and ecx, 0000FFFF
- :0040C3D2 50 push eax
- :0040C3D3 8B44241E mov eax, dword ptr [esp+1E]
- :0040C3D7 51 push ecx
- :0040C3D8 8B4C2420 mov ecx, dword ptr [esp+20]
- :0040C3DC 81E2FFFF0000 and edx, 0000FFFF
- :0040C3E2 25FFFF0000 and eax, 0000FFFF
- :0040C3E7 52 push edx
- :0040C3E8 81E1FFFF0000 and ecx, 0000FFFF
- :0040C3EE 50 push eax
- :0040C3EF 51 push ecx
- :0040C3F0 E82B610000 call 00412520
-
- The mov instructions in the first part of this snippet are a little suspicious: the program is
- copying data it has just received into global variables (004517E8..004517FC), i.e. preparing
- it for a function. If you look at the registers at this point you'll see they hold time
- information: the current year (7D0h = 2000dec), the number of the month, the day, the hour....
- GetLocalTime fills a SYSTEMTIME structure whose fields are 16-bit WORDs, which is why every
- value is masked with "and [reg], 0000FFFF" (clear the upper half of the register) before being
- pushed on the stack (see the push instructions) as an argument for the call at 0040C3F0.
- This means we're on the right track.....
- Keep tracing and you'll find something very interesting: look here!!
-
- :004032C5 C1E91F shr ecx, 1F <- shift right by 31: only the sign bit of ecx
- survives. The 1Fh is a shift count, not a
- day count; this is the usual compiler idiom
- for rounding a signed division (here the one
- that turns elapsed time into days). Near the
- solution!
- :004032C8 03D1 add edx, ecx
- :004032CA 7842 js 0040330E <- negative day count (clock set back?): same
- target as the jg below
- :004032CC 83FA1C cmp edx, 0000001C <- edx = number of days you've used the program,
- compared with 1Ch = 28dec
- :004032CF 7F3D jg 0040330E <- if greater, jump to the other checks:
- presumably the "trial expired" path we saw in
- Step 1, or something similar
- :004032D1 83FA0E cmp edx, 0000000E <- compare edx with 0Eh = 14dec
- :004032D4 0F8EF6000000 jle 004033D0 <- 14 days or fewer: run the program; otherwise
- fall through to a "You've used HEdit for 2
- weeks! Please register" nag or something
- similar.
-
- Got it? Just NOP the jg 0040330E and change the jle 004033D0 into a jmp 004033D0 and the
- program will work forever. Two things to watch when you write the bytes: jg rel8 is 2 bytes
- (7F 3D), so it takes two NOPs (90 90); jle rel32 is 6 bytes (0F 8E F6 00 00 00) while a near
- jmp is only 5 (E9 rel32), so the displacement has to be recomputed for the shorter instruction
- and the leftover byte NOPed out. SoftIce's "a" (assemble) command or any assembler-aware hex
- editor does this for you; if you patch by hand, compare the original bytes first so you don't
- write into a different build of HEdit.exe.
-
- As you've seen, the protection scheme of this program is a little weak, but it is a classic
- among time-limited shareware applications. So newbies, read and learn!!!
-
- See you the next time!!
-
- Greetings to Volatility and all the Immortal Descendants.
-
- Contact me at: ume15@hotmail.com.
-