June 1998
"UltraEdit-32 v5.20"
( 'Treading carefully'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: uedit32.zip
Program Type: 32-bit NotePad Replacement
Program Location: Here
Program Size: 1.48 MB 
 
   
Tools Used:
 Softice V3.2 - Win'95 Debugger
W32Dasm V8.9 - Win'95 Disassembler
Rating
Easy ( X  )  Medium ( X  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
UltraEdit-32 V5.20
( 'Treading carefully'  )
Written by The Sandman
 
 
 
Introduction
 
The author (Ian D.Mead)  says about UltraEdit:-
 
"UltraEdit-32 Text/Binary Editor 5.20 Text/Hex editor, unlimited file size. Column edit with column fill,cut,delete, insert sequential number. HEX editing with cut/copy/paste. Macros, bookmarks, find/replace, word-wrap, fixup CR/LF. Auto indentation, backup file, 100,000 word spell checker, line/column display, multiple windows on same file, syntax highlighting, print preview, goto, drag and drop, find in files, templates...."
 
About this protection system
 
** This essay has been revised and re-edited because a missed 'patch' allowed UltraEdit to carry on checking the number of days remaining and pop up a nag screen message once your allocated 45 day trial was over. Now fixed **

This program allows you to use it for a total of 45 days, after which every further run results in a nag screen message asking you to register the program. The protection system relies on finding a 'Key File' called uedit32.reg, which supplies the program with the information it needs to become fully registered.
 
A 'Key File' is a small ASCII text file that holds the user's registration info in an encrypted form which only the program can make sense of.
Since I didn't have the necessary 'Key File' to register the program with, I set about attacking the program from several different angles in the hope of fooling it into saving a 'dummy' key file, which I could then use to make the program believe it had been registered properly. After about an hour I managed to do this and the program created this uedit32.reg file, shown here in hex/ASCII format for easy viewing:-
 
00000000 393A3A38 39393738 38396236 79627B79 9::8997889b6yb{y
00000010 557B6669 54216F62 6E656F62 627B627B U{fiT!obneobb{b{
00000020 33323A34 3839393A 38393937 36386955 32:4899:899768iU
00000030 21666254 656F626E 016F0101 41013624 !fbTeobn.o..A.6$
00000040 18200102 01010ED5 010406F3 011A0F05 . ..............
00000050 485818C0 0F05011A 06F30101 0ED50104 HX..............
00000060 07170101 01038103 01010106 2D191820 ............-..
00000070 16D7C0F8 02500101 F9090172 02580101 .....P.....r.X..
00000080 1745C0F8 0ED50101 98C9014C 01F402A1 .E.........L....
00000090 028B02AE 97C10147 EA67811B 0F050101 .......G.g......
000000A0 02360101 06F30101 0ED50101 98C9014C .6.............L
000000B0 F9610172 8DB20147 02360101 06F30101 .a.r...G.6......
000000C0 0ED50101 010106A8 89EB33DE 05480201 ..........3..H..
000000D0 898F25C8 01010101 89A725C8 F8A106A8 ..%.......%.....
000000E0 014317AF 01198A95 25C889C1 25C802AC .C......%...%...
000000F0 01FF0101 21570119 01030101 01034645 ....!W........FE

The serial number encoded within this keyfile is invalid and the program rejects it, but that's OK because it was my name/handle that I wanted encrypted in here. The logic was that if I could somehow disable the serial number check then all the program would need to do was retrieve my User Name/Handle instead.
 
For reasons still unknown to me, either the program didn't properly encrypt my User Name or somewhere in the code it detected my feeble attempts to *patch* the program so that it would ignore the serial number check, with the result that my User Name was never decrypted from this keyfile.
 
My next course of action was to try and find where in memory the program 'records' the fact that it is running either as a Shareware program or as a fully registered one. This is normally a four-byte memory location that stores either 0 (the default, meaning it's still a shareware program) or 1 (meaning it has been registered).

I did manage to find this 'magic' memory location and, once found, was able to *patch* the program in two places so that it was *almost* like the real thing. It is only missing your User Name in the 'About' dialog; all the other text relating to the fact that the program is fully registered still shows, and the nag screen has also gone, along with the 45 day trial limit.
 
There are, of course, hidden protection systems within this program that make using Softice very difficult for newbies trying to *crack* it. In certain parts the program uses the system function GetTickCount to time how long certain parts of its code take to complete, so if you are stepping through those parts in Softice they take much longer than expected, the program knows it's being executed under the control of another program (your Softice) and will either exit back to Windows or simply do things you don't expect. A breakpoint that lets the timed code run through uninterrupted will not trip this check; single-stepping through the timed region will.
 
The Essay 
     
The main differences between the 'registered' and 'shareware' versions of this program are:

1. The Shareware version shows a brief nag screen each time it is run. The registered version does not show this.
 
2. The Shareware version displays the fact that it is still a Shareware program in the 'About' screen. The registered version instead shows that it has been registered and is no longer a Shareware program.
 
3. The Shareware version checks how many days you have left to evaluate the program; once your 45 days are up it will ask you to register. If that is unsuccessful the program exits back to Windows.
 
First, let's create a 'dead listing' of this program using W32Dasm and see where everything is and how we might tackle this protection system. I chose to try and fool the program into thinking it had already checked the non-existent 'Key File' and found everything in order. That means the program has to 'signal' this fact somewhere, using a memory location as a kind of 'flag' that shows either that it found a valid 'Key File' and is now a 'registered' program, or that no valid key file was found and it is still a Shareware program.
 
After checking the program's String Data Resources for any hard-coded serial numbers (you never know, some programs still do this) I then headed for any 'Good Guy' messages within the program and examined the surrounding code to see how the messages might be used. If you've seen quite a few programs then you'll have a fair idea of what kind of things are shown in 'About' screens, usually things like "This program is registered to..." and "This software is fully registered..." etc.
 
Within UltraEdit I found this snippet of code:-
 

:004057BB E82A6E0600        call 0046C5EA   ;returns with edi = 0, the
                                            ;'Not Registered' value that
                                            ;the cmp below tests against

:004057C0 393DF4A74B00      cmp dword ptr [004BA7F4], edi ;flag == 0 ?
:004057C6 7462              je 0040582A ;flag == 0: display text saying
                                        ;the program is still shareware.

;If the memory location [004BA7F4] contains a '1' then the program assumes
;it's been registered and so displays a different 'About' screen.

:004057C8 6A09   push 00000009 ;"This copy of UltraEdit-32 is licensed to"
:004057CA 8BCE   mov ecx, esi
 
Hmm, the program checks the memory location [004BA7F4] and then decides which text to display in the 'About' screen. At this point we are assuming that the above snippet of code is, in fact, part of the 'About' screen code, so let's make sure that we are right.

Press Ctrl-D to start up Softice. We're going to set a breakpoint that will get us into the program's code without too much fuss or bother but, more importantly, it *should* get us into the program's code *BEFORE* the program has had a chance to display the nag screen. The breakpoint we're going to use is GetLocalTime, set within Softice by typing: bpx getlocaltime, then type: x to leave Softice.

GetLocalTime is a system function exported by Kernel32.DLL. Many programs use it to obtain the current date and time from your computer, and it's used quite a lot by programs that have 'time limits' built into them.

Now fire up UltraEdit. Almost right away Softice breaks at the start of the GetLocalTime system function; from here press 'F11' ONCE, which returns to the caller and gets us nicely back into UltraEdit's code.

From here you will need to type into Softice and in order:
bc *
u 004057C6
bpx 004057C6
x

What all this means is:
[ BC * ] Clear away any previous breakpoints in Softice.
[ u 004057C6 ] Display program location starting from 004057C6.
[ bpx 004057C6 ] Place a Softice breakpoint on program location 004057C6.
[ x ] Leave Softice.

If you have typed in the set of four Softice commands correctly as shown above, you should now be back in UltraEdit staring at a blank screen. From here select the 'Help' menu then choose 'About UltraEdit-32'. Softice should now break here:-

:004057C0 393DF4A74B00      cmp dword ptr [004BA7F4], edi ;edi=0?
:004057C6 7462              je 0040582A ;If edi=0 then display text saying
                                        ;the program is still shareware.

Now, if you looked at the 'dead listing' of this section of code you will have seen that *if* the je is NOT taken then the program will display the text "This copy of UltraEdit-32 is licensed to...", but as you already know from testing the program out, it normally says it's a Shareware program and that you need to register it etc.

Let's test it out... While still in Softice type 'x' to return to UltraEdit and notice what kind of information is displayed. When you're done, click the 'OK' button to close the 'About' screen. Let's try it again, but this time when Softice breaks you will need to type:

r eip=004057C8 and then x to leave Softice. (Setting EIP to 004057C8 makes the program carry on as if the je had not been taken; nothing in the file has been changed yet.)

Notice the difference?
 
So all we need to do here is either nop (90h 90h) out the je 0040582A instruction or simply change it to jmp 004057C8 (EB 00h), a jump to the very next instruction, which does the same job. Either way the patch stays two bytes long, so nothing after it moves. It's perfectly valid to make a jump instruction jump to the next line, and it makes even more sense to use this method rather than a couple of NOPs (90h) if you suspect the program might check for this kind of *crack*.
 
That's the 'About Screen' patch taken care of, lets now go onto disabling the nag screen..
 
The way I found the nag screen routine in order to disable it involved placing a bpm on the memory location 004BA7F4 (bpmd 004BA7F4 rw) so that every time the program either read or wrote this memory location Softice would break. I would then look for any conditional jump instructions (jnz, jz, je etc.) close by and make them do the reverse of whatever they would normally do. So if, after the program had read the contents of memory location 004BA7F4, it would normally jump to a different part of the program, I would prevent this from happening and let the program continue with the instruction following the conditional jump.

After checking all the occurrences of memory reads/writes to location 004BA7F4 I came across this code snippet:-

* Referenced by a (C)onditional Jump at Address :0044AD4B
 
:0044ACC7 391DF4A74B00    cmp dword ptr [004BA7F4], ebx
:0044ACCD 7519            jne 0044ACE8

Notice that this pair of instructions is very similar to the ones that control what is shown in the 'About' screen. If you examine the 'dead listing' at this program location you'll see it's pretty close to the routines relating to the 45 day trial period, the actual nag screen in fact.
 
Again, it's a conditional jump based on the contents of our 'magic' [004BA7F4] location that decides whether to display the nag screen or not. In this case we WANT the program to JUMP here, so that it bypasses the nag screen, so we must change this instruction so that it ALWAYS jumps. A jne (75h) with a rel8 displacement becomes a jmp (EBh) with the same displacement: one byte changes and the target 0044ACE8 stays the same.

Here's how we would change it:-

BEFORE:-
 
* Referenced by a (C)onditional Jump at Address :0044AD4B
 
:0044ACC7 391DF4A74B00    cmp dword ptr [004BA7F4], ebx
:0044ACCD 7519            jne 0044ACE8

AFTER:
 
* Referenced by a (C)onditional Jump at Address :0044AD4B
 
:0044ACC7 391DF4A74B00    cmp dword ptr [004BA7F4], ebx
:0044ACCD EB19            jmp 0044ACE8
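The bpm method above needs the program running under Softice. The same cross-reference can be done statically, and the following is an added example (not from the essay and not UltraEdit's own code) of how: because the flag lives at an absolute address, every instruction that reads or writes it carries the little-endian bytes F4 A7 4B 00 as its disp32 operand, so scanning the image for that immediate and decoding the opcode/ModRM in front of it lists every reader and writer, together with the conditional jump that follows each compare. The sample image, the flat mapping VA = 0x00400000 + file offset, and the 'mov [flag], 1' write at 00401000 are constructed for the demonstration; on the real uedit32.exe you would map file offsets through the PE section table, and a 4-byte hit that does not decode (data rather than code) should be confirmed with a disassembler.

```python
import struct

FLAG_VA = 0x004BA7F4      # the 'magic' registered/shareware flag from the essay
IMAGE_BASE = 0x00400000   # assumption: default Win32 image base, not read from real PE headers

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
JCC = {0x72: "jb", 0x73: "jae", 0x74: "je", 0x75: "jne", 0x76: "jbe", 0x77: "ja",
       0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


def decode_ref(buf, pos):
    """buf[pos:pos+4] holds the flag's address; try to decode the instruction
    around it. Returns (start_offset, length, text) or None if no known form fits."""
    mem = f"dword ptr [{FLAG_VA:08X}]"
    if pos >= 2:
        op, modrm = buf[pos - 2], buf[pos - 1]
        # ModRM with mod=00 and rm=101 means a bare disp32; the reg field names the register.
        if (modrm & 0xC7) == 0x05:
            reg = REG32[(modrm >> 3) & 7]
            forms = {0x39: f"cmp {mem}, {reg}",   # 39 /r  cmp r/m32, r32
                     0x3B: f"cmp {reg}, {mem}",   # 3B /r  cmp r32, r/m32
                     0x89: f"mov {mem}, {reg}",   # 89 /r  mov r/m32, r32
                     0x8B: f"mov {reg}, {mem}"}   # 8B /r  mov r32, r/m32
            if op in forms:
                return pos - 2, 6, forms[op]
            if op == 0xC7 and modrm == 0x05 and pos + 8 <= len(buf):   # C7 05 disp32 imm32
                imm = struct.unpack_from("<I", buf, pos + 4)[0]
                return pos - 2, 10, f"mov {mem}, {imm:08X}"
            if op == 0x83 and modrm == 0x3D and pos + 5 <= len(buf):   # 83 /7 ib  cmp r/m32, imm8
                return pos - 2, 7, f"cmp {mem}, {buf[pos + 4]:02X}"
    if pos >= 1 and buf[pos - 1] == 0xA1:      # A1 moffs32  mov eax, [mem]
        return pos - 1, 5, f"mov eax, {mem}"
    if pos >= 1 and buf[pos - 1] == 0xA3:      # A3 moffs32  mov [mem], eax
        return pos - 1, 5, f"mov {mem}, eax"
    return None


def find_flag_refs(buf, base=IMAGE_BASE):
    """Every occurrence of the flag's address in the image, decoded, plus the
    short conditional jump that immediately follows it (if any)."""
    needle = struct.pack("<I", FLAG_VA)        # F4 A7 4B 00
    refs = []
    pos = buf.find(needle)
    while pos != -1:
        decoded = decode_ref(buf, pos)
        if decoded is None:
            refs.append((base + pos, f"dd {FLAG_VA:08X} ; unrecognised context, check with a disassembler", None))
        else:
            start, length, text = decoded
            end = start + length
            jcc = None
            if end + 1 < len(buf) and buf[end] in JCC:
                rel = struct.unpack_from("<b", buf, end + 1)[0]
                jcc = f"{JCC[buf[end]]} {base + end + 2 + rel:08X}"   # target = next EIP + rel8
            refs.append((base + start, text, jcc))
        pos = buf.find(needle, pos + 1)
    return refs


def build_sample():
    """Constructed stand-in for uedit32.exe: zero-filled, with the essay's two
    compare sequences at (VA - IMAGE_BASE) and one made-up write to the flag."""
    img = bytearray(0x4B000)
    img[0x057C0:0x057C8] = bytes.fromhex("393DF4A74B00" "7462")      # 004057C0: cmp [flag],edi / je 0040582A
    img[0x4ACC7:0x4ACCF] = bytes.fromhex("391DF4A74B00" "7519")      # 0044ACC7: cmp [flag],ebx / jne 0044ACE8
    img[0x01000:0x0100A] = bytes.fromhex("C705F4A74B00" "01000000")  # constructed: mov [flag], 1
    return bytes(img)


if __name__ == "__main__":
    for va, text, jcc in find_flag_refs(build_sample()):
        print(f"{va:08X}  {text}" + (f"   -> {jcc}" if jcc else ""))
```

The decoder only knows the handful of memory-operand encodings a compiler emits for a global dword; anything else is reported as raw data so it is not silently skipped. The output for the constructed image reproduces the two cmp/jcc pairs at 004057C0 and 0044ACC7 exactly as the dead listing shows them.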

Finally...

Each time the program is run it checks how many days you have left of your allocated 45 day evaluation period. If your trial period has run out it displays a new screen asking you to register the software. If you don't register it properly there, it refuses to run and exits back to Windows.
 
Since we know that the program checks against the number 45 (2Dh), we can expect to find an instruction of the form cmp reg, 2D very close to wherever it displays the message "Days left", "Days remaining" or "Days to expire".
 
In our dead listing check the String Data Resources and you will indeed see a text reference to "Days to expire", so locate this reference in the program's code. You should see this code snippet:-

:0044AD3A E8E1BF0000      call 00456D20     ;Returns eax = days elapsed (see jg below)
:0044AD3F 83F82D          cmp eax, 0000002D ;eax compared with 45 (2Dh)
:0044AD42 59              pop ecx           ;pop does not touch the flags
:0044AD43 7F0C            jg 0044AD51       ;if eax > 45 then out of time

All we need to do here is NOP (90h 90h) out this jg and the program will never run out of time. :)

Job Done.
 
The Crack 
     
In order to *crack* this program you will need to load uedit32.exe into your favourite hex editor and make the three edits below. Each search string should occur exactly once in the file (if it matches more than once, or not at all, you have a different build and should not patch blindly), and every replacement keeps the same length, so nothing else in the file moves:-

SEARCH FOR THE BYTES     :393DF4A74B007462
REPLACE HIGHLIGHTED BYTES:393DF4A74B009090
 
SEARCH FOR THE BYTES     :391DF4A74B007519
REPLACE HIGHLIGHTED BYTES:391DF4A74B00EB19
 
SEARCH FOR THE BYTES     :83F82D597F0C399F
REPLACE HIGHLIGHTED BYTES:83F82D599090399F
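The three edits above can be applied by hand, but a small patcher catches the two ways a hex-editor patch goes wrong: the pattern matching more than once (or not at all) in a different build, and a replacement that changes instruction length or displacement. The following is an added example, not code from the essay or from UltraEdit; the search/replace pairs are the essay's own, the stand-in image is constructed, and the VA - 0x00400000 placement of the bytes inside it is an assumption. It only accepts a same-length edit of one short Jcc into 'nop nop', into 'jmp' with the same rel8, or into 'jmp +0' (the EB 00 alternative mentioned earlier), and it refuses to touch the file unless every pattern matches exactly once.

```python
import re

# The three search/replace pairs exactly as the essay gives them (hex), with the
# instruction each one neutralises.
PATCHES = [
    ("393DF4A74B007462", "393DF4A74B009090", "About screen: nop out 'je 0040582A' at 004057C6"),
    ("391DF4A74B007519", "391DF4A74B00EB19", "Nag screen: 'jne 0044ACE8' becomes 'jmp 0044ACE8' at 0044ACCD"),
    ("83F82D597F0C399F", "83F82D599090399F", "Trial check: nop out 'jg 0044AD51' at 0044AD43"),
]

SHORT_JCC = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


def short_jump_target(jcc_va, rel8):
    """Target of a 2-byte Jcc/JMP short at jcc_va: the address of the next
    instruction plus the sign-extended 8-bit displacement."""
    rel = rel8 - 0x100 if rel8 > 0x7F else rel8
    return jcc_va + 2 + rel


def classify_patch(search_hex, replace_hex):
    """Accept only a same-length edit of one short Jcc into 'nop nop' (never
    jump), 'jmp' with the same rel8 (always jump) or 'jmp +0' (fall through).
    Returns a one-line description of the effect, raises ValueError otherwise."""
    s, r = bytes.fromhex(search_hex), bytes.fromhex(replace_hex)
    if len(s) != len(r):
        raise ValueError("patch would change the length of the instruction stream")
    diff = [i for i in range(len(s)) if s[i] != r[i]]
    if not diff or diff[-1] - diff[0] > 1:
        raise ValueError("patch must change only the 2 bytes of one short Jcc")
    i = diff[0]
    if i + 1 >= len(s) or not 0x70 <= s[i] <= 0x7F:
        raise ValueError(f"byte {s[i]:02X} at offset {i} is not a short Jcc opcode")
    name = SHORT_JCC.get(s[i], f"jcc(0x{s[i]:02X})")
    if r[i:i + 2] == b"\x90\x90":
        return f"{name} rel8 -> nop nop (jump never taken)"
    if r[i] == 0xEB and r[i + 1] == s[i + 1]:
        return f"{name} -> jmp, same displacement (jump always taken)"
    if r[i] == 0xEB and r[i + 1] == 0x00:
        return f"{name} -> jmp +0 (falls through to the next instruction)"
    raise ValueError("replacement is neither 'nop nop', 'jmp +0' nor 'jmp' with the same rel8")


def apply_patches(image, patches=PATCHES):
    """Apply each search/replace exactly once; refuse if a pattern is missing or
    ambiguous, so a different build of the target is never half-patched."""
    data = bytearray(image)
    log = []
    for search_hex, replace_hex, note in patches:
        effect = classify_patch(search_hex, replace_hex)
        s, r = bytes.fromhex(search_hex), bytes.fromhex(replace_hex)
        hits = [m.start() for m in re.finditer(re.escape(s), bytes(data))]
        if len(hits) != 1:
            raise ValueError(f"{note}: expected exactly one match, found {len(hits)}")
        data[hits[0]:hits[0] + len(r)] = r
        log.append((hits[0], note, effect))
    return bytes(data), log


def build_sample_image():
    """Constructed stand-in for uedit32.exe (not its real layout): the essay's
    three byte sequences placed at VA - 0x00400000 in a zero-filled buffer."""
    img = bytearray(0x4B000)
    img[0x057C0:0x057C8] = bytes.fromhex("393DF4A74B007462")   # 004057C0 cmp / 004057C6 je
    img[0x4ACC7:0x4ACCF] = bytes.fromhex("391DF4A74B007519")   # 0044ACC7 cmp / 0044ACCD jne
    img[0x4AD3F:0x4AD47] = bytes.fromhex("83F82D597F0C399F")   # 0044AD3F cmp / 0044AD43 jg
    return bytes(img)


if __name__ == "__main__":
    patched, log = apply_patches(build_sample_image())
    for off, note, effect in log:
        print(f"offset {off:06X}: {note}  [{effect}]")
```

To patch a real copy, replace build_sample_image() with the bytes of uedit32.exe read from disk and write the returned image to a new file; if any of the three patterns is not unique the function raises before a single byte is changed. short_jump_target() is there to check the dead listing's targets by hand: 004057C6 + 2 + 62h = 0040582A, 0044ACCD + 2 + 19h = 0044ACE8 and 0044AD43 + 2 + 0Ch = 0044AD51.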
 
Final Notes 
 
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 


Essay by:          The Sandman
Page Created: 28th June 1998