Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com



Fastream FTP ++ 2.0 Beta 6

Type : FTP
Protection : Serial
Tech : Patching


Crack : This program can be easily cracked. Our attack point is the
nagbox shown at start up :)

In SICE: BPX MESSAGEBOXA

Then run the program. When we pop into SICE, look up ..

0x418DEA MOV [0x530EBC],00
0x418DF1 MOV CL,[EBX+5C8] >> FLAG - 0xE72538
0x418DF7 TEST CL,CL
0x418DF9 JZ 0x418E14
|||
vvv
CALL [MESSAGEBOXA] >> NAGBOX

So flag is set at 0xE72538.

So in SICE BPM 0xE72538 RW ... now restart the program :)

0x422F18 MOV [EAX+5C8],01 | C6 80 C8 05 00 00 01 << MAKE IT 00 TO CRACK

Patch :
01 ===>>> 00
0x422F18 MOV [EAX+5C8],00 | C6 80 C8 05 00 00 00 OFFSET = 0x2251E
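
Added example, not from the original page or its author: a file-integrity comparison against a known-good copy, which is how a one-byte 01 to 00 change like the one above shows up on the defending side. The helper names (diff_images, demo_patched_offset), the 32-byte buffers and the 0x10 placement are constructed for illustration; only the instruction bytes come from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One contiguous run of bytes that differ between the two images. */
typedef struct { size_t offset; size_t length; } diff_run;

/* Compare a known-good image with a suspect image.
 * Stores up to max_runs runs in out and returns the total number of runs,
 * or -1 when the sizes differ (a size change is itself a tamper signal). */
int diff_images(const unsigned char *good, size_t good_len,
                const unsigned char *suspect, size_t suspect_len,
                diff_run *out, int max_runs)
{
    if (good_len != suspect_len) return -1;
    int runs = 0;
    size_t i = 0;
    while (i < good_len) {
        if (good[i] == suspect[i]) { i++; continue; }
        size_t start = i;                       /* first differing byte */
        while (i < good_len && good[i] != suspect[i]) i++;
        if (runs < max_runs) {
            out[runs].offset = start;
            out[runs].length = i - start;
        }
        runs++;
    }
    return runs;
}

/* Constructed sample: filler bytes with the page's instruction bytes placed
 * at offset 0x10, and a copy whose immediate operand was changed 01 -> 00. */
long demo_patched_offset(void)
{
    static const unsigned char insn[] = {0xC6,0x80,0xC8,0x05,0x00,0x00,0x01};
    unsigned char good[32], suspect[32];
    diff_run r[4];
    memset(good, 0x90, sizeof good);
    memcpy(good + 0x10, insn, sizeof insn);
    memcpy(suspect, good, sizeof good);
    suspect[0x10 + 6] = 0x00;                   /* the single modified byte */
    int n = diff_images(good, sizeof good, suspect, sizeof suspect, r, 4);
    if (n != 1 || r[0].length != 1) return -1;
    return (long)r[0].offset;
}

int main(void) { printf("modified byte at 0x%lx\n", (unsigned long)demo_patched_offset()); return 0; }
```

A run of length 1 inside otherwise identical images points at a targeted flag or branch patch rather than a rebuild or an update.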


MOV EDI,[EBP-0C]
.........................
0x4D12D2 CMP EDI,20 >> FIFTH INTERMEDIATE CHECK
0x4D12D5 JZ 0x4D131A >> GOOD BOY


I found out the S/N by varying and checking

First Name = 1490108
Reg = 9417-1BBA-986B-3416

We can register the program with this S/N, but still the program
is not running in registered mode :( why ????


0xCF001F CALL 00CEEE14
0xCF0024 MOV [00CF39D0],EAX >> EAX = CHECK SUM VALUE

So change "E" to "D" so that program will check virgin copy.

BPX LOADLIBRARYA ... trace

0x503FC7 CALL [507208]
Inside this CALL ...

0xCEC7C8 CMP DWORD PTR[00CF35A8],00
0xCEC7CF JZ 00CEC7D7
0xCEC7D1 CALL [00CF35A8] ===>> Here comes the real fun ....

if [00CF35A8] = 0x00503A54 >> PROGRAM WILL RUN
if [00CF35A8] = 0x00503AC0 >> PROGRAM WILL EXIT

Here the encryption is done according to trial period.
I was unable to find the address which will lead us to a registered version :(
But the program is fully functional as it is said ... and also we will get nice freeware
programs than this sucker ..

Patch:
So our crack will be to write 0x00503A54 at [00CF35A8]. Here patching the exe file is a real
headache. We will use the Process Patcher technique, i.e. we will write a simple C program that
will load "Editpro.exe" and patch the value at [00CF35A8] when the encryption routine is over.

//=========================Proc Patch Edit Pro 1.15=====================================
//gl_force.cpp
//GL_CrAck_F0rCe
//***********************************
//email : gl_force@usa.net
//web : www.glcrackforce.50megs.com
//***********************************
//================================================================================
#include <windows.h>
#include <stdio.h>
//================================================================================
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                   LPSTR lpCmdLine, int nShowCmd)
{
    STARTUPINFO si;
    char InfoText[] = "Proc Patch - GL_CrAck_F0rCe";
    unsigned long i = 0;
    unsigned long AddressOfPatch = 0x00CF35A8;
    char DataRead[2] = {0};
    char* cl;
    PROCESS_INFORMATION pi;
    char FileName[] = "EditPro.exe";
    //==============================================================================
    //Patch Data
    char scanbyte1 = 0xC0;
    char scanbyte2 = 0x3A;
    //==============================================================================
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    cl = GetCommandLine();

    if (CreateProcess(FileName, cl, NULL, NULL, FALSE,
                      NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi))
    {
        ReadProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch,
                          DataRead, 2, NULL);
        for (; DataRead[0] != scanbyte1;)
        {
            ReadProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch,
                              DataRead, 2, NULL);
        }
        //=============================================================================
        if (DataRead[0] == scanbyte1 && DataRead[1] == scanbyte2)
        {
            WriteProcessMemory(pi.hProcess,
                               (LPVOID) AddressOfPatch, "\x54\x3A", 2, NULL);
        }
        //=============================================================================

        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    else
    {
        MessageBox(NULL, "Unable to load program..exiting..", InfoText, MB_OK);
        return 0;
    }

    MessageBox(NULL, "Program Loaded...", InfoText, MB_OK);

    return 0;
}
//=================================================================================

NB : It is seen that when we run Editpro with Filemon and Regmon working, this sucker kills
these two programs. To escape from this, BPX REGQUERYVALUEEXA and note down after how many
breaks this sucker kills Filemon and Regmon, suppose it is after the 7th break. Then restart, and when we reach
the 7th break at REGQUERYVALUEEXA, trace back into the program and raise an exception, i.e. fill the next two
bytes of the next instruction with zeros. This will raise an exception and it will not kill Filemon and Regmon.

