Disabling Nag & Expiration in WS_FTP Pro v6.60 Tryout
by Raybiez (Feb 28th 2001)

Tools needed:
SoftICE v4.0
UltraEdit v8.0 (www.ultraedit.com + keygen at www.keygenstudio.org)
WS_FTP Pro v6.60 Tryout (www.ipswitch.com)

Tools can be found at:
http://www.programmerstools.com
http://www.8bn.com/hambo/tools.html
http://kickme.to/codersdomain

---

Another tut coming your way! And this time we'll have a look at SoftICE, the best tool you can get. I really prefer the Windows 9x version 'cause I've gotten used to that, so at the moment I'm dual booting between Windows 98 & Windows 2000.

You should start by installing the correct version for your system. There's nothing really difficult about it, but make sure your graphics and mouse work while installing it. You can change these settings later if you have to, from the start menu:

NuMega SoftICE|Display Adapter Setup
NuMega SoftICE|Mouse Setup

Another useful thing to have in mind is the Symbol Loader:

NuMega SoftICE|Symbol Loader

We will use the Symbol Loader later when we start cracking, but first you should know a few things about SoftICE.

If you're installing the WinNT2k version you can choose which way you want to start it. The best option (I think) is Manual. Then you have to load it manually by using NuMega SoftICE|Start SoftICE every time you use it. If you use the Windows 9x version a line is added to Autoexec.bat that loads SoftICE every time Windows starts. You can simply put REM before the SoftICE line in Autoexec.bat and reboot to disable it.

Ok, after it's completely installed you can switch to SI any time by simply pressing CTRL+D. Now if everything works you'll be able to resize the different windows with your mouse and type commands in the Command Window. If there are any problems with your mouse, for example, then try different mouse settings; I have to use PS/2 compatible Microsoft IntelliMouse even though I have a Logitech mouse.
And if you have graphics problems try different drivers or settings in Display Adapter Setup. My Detonator 3 drivers don't work with my nVidia RIVA TNT for example, so I have to uninstall them before using SoftICE. :) You just have to try around until you get everything right.

---

Now start the Symbol Loader and click Edit|SoftICE Initialization Settings..., in the General tab you can change the Initialization string. Change it so it looks like this:

X; WD; CODE ON;

X       ; Close SoftICE
WC      ; Show/Hide Code Window
WD      ; Show/Hide Data Window
WR      ; Show/Hide Register Window
CODE ON ; Show/Hide the Hex Code for the Assembly commands

You can also enter these commands from the SI command line; try that to see that it works and what happens. After you have made changes like this you will have to reboot/reload SoftICE, if you don't enter the commands manually, that is!

If you've read my last tutorial on Eye Candy 4000 you remember I said that W32Dasm will get you a Dead Listing of the program code. Well, you could say that SI is Live compared with that: you will be able to Single Step through the code and see exactly what happens with Registers and the Stack etc. in real time, while the program is running! You can set so called Break Points to break into SI when the program does something interesting. Examples:

BPX ; Break Point on eXecution
BPM ; Break Point on Memory read/write

The reason I like SI for Win9x is because of the breakpoints that can be used. This is really the trick with SoftICE, 'cause every program contains a lot of code, so you really don't want to trace through 1000 lines of irrelevant code. Whether you're gonna disable a nag screen, find a serial, or check what the program is doing with the registry, you use different breakpoints. Most programs use the Windows API (Application Programming Interface) when performing things, and that's a great help when setting breakpoints. But more on this later, you don't need this right now.
:)

---

Ok, install WS_FTP with the classic two window interface. Start it (ftp95pro.exe) and see what happens: a nasty Nag screen. We don't like those. Click Continue Evaluation and try out the program. Click on Help|About and read 'This is a fully functional copy..' and it says 'will expire on xxxx-xx-xx'. Ok, that's good, the only things that should be fixed with this program are the nag screen and expiration.

Close the program, set your clock One Year ahead and launch it again. Well isn't that nice, you can't use it anymore. Set back your clock again and it works again. Time to do some thinking: maybe the Nag is the expiration, and if we disable the Nag the program may become fully working.

So make sure that SI is loaded, start up your Symbol Loader and click File|Open Module..., browse to ftp95pro.exe and click Open. It should say Opened Successfully. Now click Module|Load, you will get a Symbol Translation/Load error, just click Yes to continue. Now SI will pop up, and right above your Command Window it will say something like:

ftp95pro!.text+0003E3CF

This means you are now inside ftp95pro.exe at the Entry Point of the program. Here's some info:

F5  ; Exit SoftICE
F8  ; Trace into CALL
F10 ; Single Step Code
F11 ; Return if you are inside a CALL
F12 ; Execute until a RET is reached

Or something like that; you can use X, F5 or CTRL+D to exit SoftICE. It's not really important that you understand all of this now, I will guide you exactly through what you should do.

Since we want to disable the Nag screen we want to find exactly where in the code the Nag is created. We do this with Single Stepping (F10). So use Symbol Loader again to load the program, you will now be in SoftICE. Use F10 to step through the code until you get to address:

0043F4A9

The address can be seen to the left in the Code Window looking like this: xxxx:0043F4A9 (xxxx is irrelevant, it varies on different computers.) This is a small Loop; if you continue to press F10 you'll notice it jumps up two steps several times.
And since this is annoying we will use a breakpoint to get past it, like this:

BPX 0043F4AB

You see how that line is now colored, since it's an active breakpoint. More info on this in a moment. Press F5, SoftICE will exit but then break again very quickly at that address. So continue to Single Step with F10. When you get past address 0043F51B SoftICE will exit and you'll see the Nag screen; this means that somewhere within the CALL at address 0043F51B the Nag is generated. So click Continue Evaluation, then exit the program and SI will pop up once again.

Break Point commands:

BL ; List Break Points
BC ; Clear Break Points, ie BC 0,3,4 or BC *
BD ; Disable Break Points, ie BD 0,2 or BD *

You can now clear your old BP and add the new one at 0043F51B:

BC *
BPX 0043F51B
F5 (exit)

After you have exited SI, load the program again, press F10 to Single Step a few times, then press F5 once and it will break at your new BP. Instead of Stepping over it use F8 to trace inside this CALL. Once inside the CALL, continue by pressing F10 one line at a time, once again until the Nag is shown. When you get the Nag just click Continue and exit the program again. Back in SI, disable or clear the old BP and set the new one at address 00418ACE:

BC *
BPX 00418ACE
F5 (exit)

Load the program again, press F10 a couple of times, then press F5 to exit SI and break at your new BP. Ok, now you're at the address 00418ACE which CALLs to show you the Nag, hopefully ONLY to show the Nag.

If you look at the top window in SI, the Register Window, you will see all the Registers. These are used for different things; have a look at EIP, you see this register contains the address you're currently at in the program, it's the Program Counter. By editing the value of this you will automatically jump to a different location in the program.
So when we are at address 00418ACE we do this:

R EIP=00418AD3

This will make the program skip the CALL that generated the Nag, and if this CALL only did that, and nothing "important", this might just work. So after you skipped the CALL press F5 to exit SI and voila, the program starts without Nag & without error messages! Try the same thing but set your clock One Year ahead again; this also works.

Now we only have to Nop this CALL in the actual .exe with UltraEdit, so make a backup of ftp95pro.exe just in case ;) then open it up in UltraEdit. Launch the program once again with Symbol Loader to get some code you can use in your search. Use the breakpoint at address 00418ACE:

:00418AC3 6824144500   push 00451424
:00418AC8 8B4508       mov eax, dword ptr [ebp+08]
:00418ACB 50           push eax
:00418ACC 6A00         push 00000000
:00418ACE E837830100   call 00430E0A   ; You are here
:00418AD3 83C410       add esp, 00000010
:00418AD6 85C0         test eax, eax
:00418AD8 0F8F07000000 jg 00418AE5
:00418ADE 33C0         xor eax, eax
:00418AE0 E935080000   jmp 0041931A

Now you will understand why we want CODE ON: all the Code to the left (next to the address) is very useful for searching in UltraEdit. Write down some of it, like this:

6A00
E837830100 ; This is the interesting part
83C410

This code can now be searched for like this in UltraEdit (don't use Find ASCII):

6A00E83783010083C410

You should now change the bytes like this:

E837830100 ; Original code for CALL 00430E0A
9090909090 ; 90 = Nop (no operation)

Save the changes and disable all the breakpoints in SI, then start the program normally (don't use Symbol Loader). And it should work, fully functional without Nag & Expiration!

---

You should know that it's pretty tough to write a tutorial about this so I hope you've understood it. If not then read it again, 'cause if you want to learn cracking, SoftICE is essential!
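Seen from the other side, the same byte sequence the tutorial searches for in UltraEdit is the signature a vendor's build check or an incident responder would look for when deciding whether a shipped copy has been tampered with. The Python below is an added example, not code from the tutorial or from Ipswitch: it takes a raw file image, compares a whole-file SHA-256 against a reference recorded at build time, and independently reports whether the call site from the listing above is intact, NOPed out, missing or duplicated. The sample images, the reference digest and all helper names are constructed for this example; only the byte patterns come from the listing.

```python
import hashlib

# Byte patterns copied from the tutorial's SoftICE listing around the nag CALL:
# push 0 / call 00430E0A / add esp,10h, first as shipped, then as the tutorial patches it.
CALL_SITE_ORIGINAL = bytes.fromhex("6A00" "E837830100" "83C410")
CALL_SITE_PATCHED = bytes.fromhex("6A00" "9090909090" "83C410")


def _all_offsets(image: bytes, pattern: bytes) -> list[int]:
    """Every file offset at which `pattern` occurs in `image`."""
    offsets, pos = [], image.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(pattern, pos + 1)
    return offsets


def find_call_site(image: bytes) -> tuple[str, int]:
    """Classify the nag call site in a raw file image.

    Returns (status, offset): 'intact' if the original CALL bytes are present,
    'patched' if the CALL was replaced with five NOPs, 'ambiguous' if the
    sequence occurs more than once, and 'absent' if it is not found at all.
    """
    intact = _all_offsets(image, CALL_SITE_ORIGINAL)
    patched = _all_offsets(image, CALL_SITE_PATCHED)
    hits = len(intact) + len(patched)
    if hits == 0:
        return ("absent", -1)
    if hits > 1:
        return ("ambiguous", -1)
    return ("intact", intact[0]) if intact else ("patched", patched[0])


def verify_image(image: bytes, expected_sha256: str) -> dict:
    """Whole-file hash check plus the site-specific check, as one report."""
    status, offset = find_call_site(image)
    return {
        "hash_ok": hashlib.sha256(image).hexdigest() == expected_sha256,
        "call_site": status,
        "offset": offset,
    }


# Constructed sample images (NOT real ftp95pro.exe contents): the listing's
# surrounding instructions with zero padding on both sides.
_BEFORE = bytes.fromhex("6824144500" "8B4508" "50")  # push imm32 / mov eax,[ebp+8] / push eax
_AFTER = bytes.fromhex("85C0" "0F8F07000000")        # test eax,eax / jg
SAMPLE_INTACT = b"\x00" * 16 + _BEFORE + CALL_SITE_ORIGINAL + _AFTER + b"\x00" * 16
SAMPLE_PATCHED = SAMPLE_INTACT.replace(CALL_SITE_ORIGINAL, CALL_SITE_PATCHED)
# The reference digest a vendor would record at build time and keep outside the binary.
KNOWN_GOOD_SHA256 = hashlib.sha256(SAMPLE_INTACT).hexdigest()

if __name__ == "__main__":
    for name, img in (("intact", SAMPLE_INTACT), ("patched", SAMPLE_PATCHED)):
        print(name, verify_image(img, KNOWN_GOOD_SHA256))
```

The two checks answer different questions: the hash says only that something changed, the signature says what changed and where. A caveat the tutorial itself illustrates is that a check compiled into the same executable is just one more CALL to step over, so the reference digest (or a code signature) has to be verified by something outside the binary, such as an installer, an updater or an endpoint agent, for the result to mean anything.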
If you wanna scroll the different windows here's how to do it:

ALT+Arrows   ; Scroll Data Window
CTRL+Arrows  ; Scroll Code Window
Shift+Arrows ; Scroll Command Window

Hope you had fun reading, more to come if needed..

Written by Raybiez (raybiez@gmx.net)

Dedicated to +ORC, tKC, ED!SON, Fravia, +Sandman and all others for writing tutorials and YOU for reading it!