Title: LeapFTP 2.7.1.580
URL: http://www.leapware.com
Type: Patch
Difficulty: Beginner
ABOUT |
File Transfer Protocol (FTP) was created to allow the transfer of files between an FTP server and an FTP client. LeapFTP is a powerful Windows 95 FTP client that provides the user with an abundance of features in a simple and easy to use interface that even the seasoned computer user can understand and use.
TOOLS |
Debugger (SoftICE or TRW2000)
Disassembler (eg W32Dasm)
Hex Editor (eg Hex Workshop)
Registry Editor (eg Regedit, WinHacker)
ESSAY |
Let's Start Cracking!
When we first run the program after installation, we find there is no nag screen showing how many days you have remaining; we are kicked straight into the program. Right! Where do we start? Do we start fishing for a serial? Being a newbie, my preferred method is as follows. In LeapFTP, bring up the registration entry found in the Help menu, type in any old name and serial, and make a note of the bad cracker message: "The license key you entered is not valid. Blah blah blah". Write this down.
Open up W32Dasm and disassemble leapftp.exe, then go to the Refs menu and select String Data References. Remember the error message we wrote down? Scroll down the window and look for that text, and when you find it, double click on it. In the main window you will see that the code has jumped to that location. If we scroll up through the code a few lines, you will see:
:004872E1 E8AE040000        call 00487794
* Possible StringData Ref from Code Obj ->"Thank You For Registering!"
:004872E6 B864734800        mov eax, 00487364
So we know we are in the right area! Scroll up a bit further and you will see a reference to a conditional jump at address 0048728E, so we know that this jump has something to do with which registration message we get. Scroll up a bit further and we see another conditional jump referenced at 00487280. But wait! What do we see directly above? Both jumps within a few lines of each other!
:00487271 8D55FC            lea edx, dword ptr [ebp-04]
:00487274 E83718F8FF        call 00408AB0
:00487279 80BBF402000000    cmp byte ptr [ebx+000002F4], 00
:00487280 740E              je 00487290            < Not sure about this one: if the byte at [ebx+2F4] is zero, the call to 00487614 below is skipped entirely
:00487282 8B55FC            mov edx, dword ptr [ebp-04]
:00487285 8BC3              mov eax, ebx
:00487287 E888030000        call 00487614
:0048728C 84C0              test al, al
:0048728E 7526              jne 004872B6           < Is our serial good? If yes, jump to "Good Boy"; if no, carry on to "Bad Cracker"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487280(C)
The simple solution seems to be that if we change the JNE at 0048728E to a JE, the only serial it won't accept is the correct one! Note the file offset of the line at 0048728E (the @Offset value W32Dasm shows in its status bar), open your hex editor, and go to that offset. There you see the JNE bytes 7526. Change them to 7426, which turns the instruction into a jump if equal, JE; the second byte (the jump distance) stays the same, so the target 004872B6 is unchanged. Save the file and start up LeapFTP. Enter any old value into the registration fields and click OK. Boomph! Thank You for registering! If you look in the About section, you will see the program has been registered to you! OR HAS IT?
Exit the program and start it up again.
WHAT THE HELL? It's unregistered again! So we know that although the program has been changed to accept your dodgy serial, your name and said dodgy serial are copied to the registry, and the program rechecks them every time it is restarted. That startup check is clearly not the code we just patched, so the registry copy fails. So the only way to have it registered is to re-enter the serial every time you start up the program. When the 30 days are up, your fake serial will still get you into the program, but THAT SUCKS!
So now we know that we must modify the code so that it never checks how many days you have left of your trial! The next thing I did was to set my clock forward past the 30 day limit. Start up the program, and you get a message saying "This copy of LeapFTP has been installed for X days, please register your copy, or remove it from your system". With the above alteration any username and serial will be accepted, but we don't want to do that every time we use the program. Go back into W32Dasm and bring up the String Data References again; we find a reference to this message, and if we double click on it we are taken to that portion of the code. If we scroll up slightly we see some more text: "You are on day X of your evaluation period, this program will stop functioning after 60 days". Hmmmm, looks like we don't want to be seeing that either. Scroll up a bit more and we see a reference to a conditional jump at 00495AC2; scroll to that location:
:00495ABB E80023FFFF        call 00487DC0
:00495AC0 84C0              test al, al
:00495AC2 740D              je 00495AD1            < Our suspect jump command!
:00495AC4 8B45FC            mov eax, dword ptr [ebp-04]
:00495AC7 E81C760100        call 004AD0E8
:00495ACC E910010000        jmp 00495BE1
Hmmmm, the unconditional jump at 00495ACC also looks interesting, but where does it jump to? 00495BE1. If we look at this section of code:
:00495BE1 803DD0FB4B0000    cmp byte ptr [004BFBD0], 00   < Our unconditional jump takes us here
:00495BE8 750F              jne 00495BF9                   < But where does this take us?
* Possible StringData Ref from Code Obj ->"LeapFTP 2.7.1 - (Unregistered)"
:00495BEA BA8C6D4900        mov edx, 00496D8C
:00495BEF 8B45FC            mov eax, dword ptr [ebp-04]
:00495BF2 E801DEF9FF        call 004339F8
:00495BF7 EB0D              jmp 00495C06
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00495BE8(C)
* Possible StringData Ref from Code Obj ->"LeapFTP 2.7.1"
:00495BF9 BAB46D4900        mov edx, 00496DB4               < Here!!! Looks like we are gonna be registered!!
First thing to do is to NOP out the jump at 00495AC2. We do this by going to that offset in our hex editor and entering 9090 over the 740D jump bytes. The two-byte JE is replaced by two one-byte NOPs, so nothing after it shifts and the instruction stream stays intact. This removes the conditional jump so the program just carries on to the unconditional jump at 00495ACC. The section of code now looks like this:
:00495ABB E80023FFFF        call 00487DC0
:00495AC0 84C0              test al, al
:00495AC2 90                nop                    < Our jump has gone! The program carries on to the jump at 00495ACC
:00495AC3 90                nop
:00495AC4 8B45FC            mov eax, dword ptr [ebp-04]
:00495AC7 E81C760100        call 004AD0E8
:00495ACC E910010000        jmp 00495BE1
If we now start up LeapFTP, BOOM! Straight into the program! No reference to days left or anything! The (Unregistered) notice has also gone from the title bar! Look in the Help menu. The Enter Registration Key option has also gone! It looks like our little code change worked, and we have tricked the program into always thinking it is registered when it isn't!
So it looks like job done! NOT SO FAST! Remember that conditional jump at 00495BE8? It does seem to jump us to the registered section, but why is it conditional? This makes me think that our job is not yet finished. If it is conditional, it depends on the byte at 004BFBD0 being non-zero. I don't like that! Why not just make it an unconditional jump, so that it jumps whatever the circumstances? That sounds better to me.
Go back into your hex editor and to offset 94FE8 (this is the file offset for address 00495BE8), and change 750F to EB0F. This changes our conditional jump JNE into an unconditional jump JMP; again only the opcode byte changes, so the jump still lands at 00495BF9. I'm not sure whether that needed to be done, but why not?
JOB FINISHED!!!!!! You now have a fully functional program that will never expire!
Hope this tutorial helped; if it didn't, tough!
I know patching programs is a dirty cracking method, but I'm still a newbie and it works! I haven't quite got to grips with the live approach yet!!!! But Rome wasn't built in a day, was it?
THANKS |
The guys at TRES2000 for giving me a chance
[T]urb0z` - You know why!
DaZZler + the Little OnE - For being ACE
Lee + Sarah - The best!
All the other ppl that have helped me through life!
DISCLAIMER |
The information in this essay is for educational purposes only!
You are only allowed to crack, reverse engineer, modify code and debug programs that you legally bought, and then for personal use only!!
To ignore this warning is a criminal act and can result in legal action!
So please note!
I take no responsibility for how you use the information in this essay; I take NO responsibility for what might happen to you or your computer!
You use this information at your own risk!!
What I mean is: Please buy the software!