HOW TO CRACK:
WS FTP Pro v6.01T

Introduction

WS FTP is yet another FTP proggie; this one is given away with The Sun's currantbun.com ISP package. It is limited to 30 days unless you buy it online.

The Protection:

To get a working copy for more than 30 days you need to register it and buy online; there is no serial/name area to register it. When it runs out (try putting your clock forward at least 1 month) you get a message with 3 options: [1] Visit the website, [2] Buy now, [3] Buy later, after which the program exits. However, if you put your clock back to normal again the program works fine.

The 'Crack'

First of all, run ftp95pro.exe through WDASM and wait a while........don't forget to save the disassembly.

OK then, if you look inside the folder where the exe is you will see a number of INI files and a file named ws_ftp.key. Along with the registry, this is always the best place to start looking for clues. So what's inside this KEY file then? Take a look for yourself. It's a text file and the first entry is name=Evaluation. Well, isn't this interesting? Perhaps we should try searching for this filename in WDASM. Do a search for it and you'll find it on line 65790. Then if you scroll up from there you will see a reference to a KEY file named ipswitch.key, which is odd because this file doesn't exist in the installed folder. That suggests this file is created when you register or buy the program. Let's take a closer look at the code around this area.

* Possible StringData Ref from Data Obj ->"CyberSuite" -------> ??

:00423B71 68ACC24400 push 0044C2AC

* Possible StringData Ref from Data Obj ->"ipswitch.key" -----> reference to non-existent file

:00423B76 68B8C24400 push 0044C2B8
:00423B7B 8B4508 mov eax, dword ptr [ebp+08]
:00423B7E 50 push eax
:00423B7F 6A00 push 00000000
:00423B81 E824DFFEFF call 00411AAA -------------------> sub-routine call (open file perhaps?)
:00423B86 83C410 add esp, 00000010
:00423B89 85C0 test eax, eax --------------------------------> test made here
:00423B8B 0F841D000000 je 00423BAE -------------------> if zero jump here
* Possible StringData Ref from Data Obj ->"CyberSuite" -----> ??
:00423B91 68C8C24400 push 0044C2C8
* Possible StringData Ref from Data Obj ->"ipswitch.key" ---> another reference to this file
:00423B96 68D4C24400 push 0044C2D4
:00423B9B 8B4508 mov eax, dword ptr [ebp+08]
:00423B9E 50 push eax
:00423B9F 6A00 push 00000000
:00423BA1 E874DAFEFF call 0041161A
:00423BA6 83C410 add esp, 00000010
:00423BA9 E99E010000 jmp 00423D4C --------------> where does this jump to then?
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00423B8B(C)
* Possible StringData Ref from Data Obj ->"WSINST"
:00423BAE C785ACFEFFFFE4C24400 mov dword ptr [ebp+FFFFFEAC], 0044C2E4
:00423BB8 C605208C440000 mov byte ptr [00448C20], 00
* Possible StringData Ref from Data Obj ->"ws_ftp"
:00423BBF 68ECC24400 push 0044C2EC
* Possible StringData Ref from Data Obj ->"ws_ftp.key" --------> reference to KEY file
:00423BC4 68F4C24400 push 0044C2F4
:00423BC9 8B4508 mov eax, dword ptr [ebp+08]

What does this all mean then? Well let's see:
[1] A test is made after the call, at 423B89, and if EAX is 0 the je at 423B8B jumps to 423BAE. What happens if it is 1 instead of 0?
[2] The jmp at 423BA9 to 423D4C is only reached when that je is not taken, i.e. when EAX is non-zero; nothing else in this listing jumps to it, so it may be interesting to see where this one leads.

Put your clock forward at least 1 month, load up the exe file into the winice loader (loader32.exe) and set a breakpoint at 423B71 (bpx 423B71). Let the program run until SoftICE pops back up at that address.
Continue tracing using F10 until 423B86 (the instruction after the call) and note the value of EAX; it should be 0. Change this to 1 by doing 'r eax=1' (without the quotes of course), then let the program run as normal. You should get an error message that says 'unable to locate .......ipswitch.key, please get a valid key......'. So this would indicate that the key is obtained by buying online. This helps us a lot now.
Restart the program, keeping the same breakpoint, so that it stops at 423B71 again. Let's see where the jmp 00423D4C goes to, as this is a curious part of the code. Trace down to 423B8B first of all.
To get there we can do 2 things: [1] change the instruction at 423B8B to je 00423BA9 (so that a zero result lands on the jmp instead of skipping it), or [2] change the instruction to jump directly to 423D4C. To do this type 'a' followed by enter. Now you can type in 'jmp 423D4C' followed by hitting enter twice. This should change the instruction on screen. Now let the program run as normal. It should now go directly to the main screen without any warning or error messages. Put your clock back again and run it using the same method. It works fine now, no more reminder or warning messages about the program.

Now load up the exe file into your hex editor and go to the file offset of the instruction at address 423B8B: in WDASM, go to this address and note the offset hex value at the bottom of the screen. It is 22F8B. Check first that the 6 bytes at this offset are 0F841D000000 (the je); if they are not, you are in the wrong file or at the wrong offset. Then enter the following bytes, E9BC010000. The displacement works out as 423D4C - (423B8B + 5) = 1BC, written little-endian, which is why the last four bytes are BC010000. The jmp is 5 bytes and the je it replaces is 6, so make the sixth byte a 90 (NOP) rather than leaving a stray 00 behind; you can also carry on with 909090909090 just to tidy the code up, which only overwrites the push at 423B91 that the jmp now skips anyway.
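The same hex-editing step done as a script, with the checks a hand edit skips. This is an added example, not code from the original tutorial or from Ipswitch: it encodes the jmp from the addresses the tutorial quotes, converts the virtual address to a file offset through the PE section table, and refuses to write unless the original je bytes are where it expects them. The section layout in demo() (.text at RVA 1000, raw data at 400) is an assumption, chosen because it makes VA 423B8B land on file offset 22F8B as WDASM reports; the stand-in file contents are constructed, not taken from ftp95pro.exe.

```python
"""Patch 'je 00423BAE' at VA 423B8B into 'jmp 00423D4C', the way the tutorial
does by hand, but with the bytes and offsets checked rather than assumed."""
import struct

IMAGE_BASE = 0x400000
PATCH_VA = 0x423B8B                         # the je the tutorial patches
TARGET_VA = 0x423D4C                        # where the jmp at 423BA9 goes
ORIGINAL = bytes.fromhex("0F841D000000")    # je rel32 -> 423BAE, 6 bytes


def rel32_jmp(src_va, target_va):
    """Encode 'jmp target' placed at src_va as E9 + rel32.
    rel32 is relative to the end of the 5-byte instruction."""
    rel = target_va - (src_va + 5)
    return b"\xE9" + struct.pack("<i", rel)


def parse_sections(pe):
    """Read ImageBase and the section table from a PE32 file image.
    Returns (image_base, [(virtual_address, virtual_size, raw_ptr, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                     # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    hdr = opt + opt_size                    # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(num_sections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + i * 40 + 8)
        sections.append((va, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_offset(image_base, sections, va):
    """Map a virtual address to its file offset via the section that contains it."""
    rva = va - image_base
    for sec_va, vsize, rawptr, rawsize in sections:
        if sec_va <= rva < sec_va + max(vsize, rawsize):
            return rawptr + (rva - sec_va)
    raise ValueError("VA %#x is not inside any section" % va)


def patch(data, offset, expected, replacement):
    """Overwrite `expected` at `offset` with `replacement`, NOP-padded to the
    original instruction length. Refuses if the bytes on disk are not `expected`."""
    if len(replacement) > len(expected):
        raise ValueError("replacement longer than the instruction it replaces")
    found = data[offset:offset + len(expected)]
    if found != expected:
        raise ValueError("bytes at %#x are %s, expected %s"
                         % (offset, found.hex(), expected.hex()))
    new = replacement + b"\x90" * (len(expected) - len(replacement))
    return data[:offset] + new + data[offset + len(expected):]


def demo():
    # Assumed section table: .text at RVA 0x1000 backed by raw data at 0x400.
    # Chosen so that VA 423B8B maps to 22F8B, the offset WDASM shows in the text.
    sections = [(0x1000, 0x40000, 0x400, 0x40000)]
    offset = va_to_offset(IMAGE_BASE, sections, PATCH_VA)
    # Constructed stand-in for the exe: zeros, with the original je at the computed offset.
    fake = bytearray(offset + 0x20)
    fake[offset:offset + len(ORIGINAL)] = ORIGINAL
    patched = patch(bytes(fake), offset, ORIGINAL, rel32_jmp(PATCH_VA, TARGET_VA))
    return offset, patched[offset:offset + len(ORIGINAL)]


if __name__ == "__main__":
    off, new_bytes = demo()
    print("file offset %#x, new bytes %s" % (off, new_bytes.hex().upper()))
```

On the real file you would replace the assumed table with parse_sections(open("ftp95pro.exe", "rb").read()) and write the result of patch() back out; the check in patch() is what stops you from corrupting a different build of the exe where 22F8B holds something else.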

That's it, another program cracked...............learning anything yet then?
