About this tutorial:
Tutorial: Vermillion FTP Daemon - An advanced protection with a wide open backdoor
Target: Vermillion FTP Daemon 1.31 (http://www.arcanesoft.com)
Author: ManKind
Tools: W32Dasm 8.9x, HIEW 6.x (these are good programs, worth buying), trial activation key from Arcane Software
Date: 25th of December 1999
Descriptions & Comments: First of all, let me wish you a merry Christmas. This program uses an advanced activation key to determine whether you are a trial user or a registered one. Though the protection is quite good, the programmers left a wide open backdoor, maybe purposely for us. We are going to defeat its time-limited trial check today.
Copyright information: This tutorial is copyright © 1999 ManKind

Starting words:
Hello, welcome to my tutorial. I am ManKind, a newbie in cracking who wants to share his cracking skills with other newbies. Contact me at mankind001@bigfoot.com


The process:
The year 1999 is coming to an end now, so I would like to contribute some essays before the 1st of January 2000.

After installing Vermillion FTP Daemon, get a trial activation key from Arcane Software (www.arcanesoft.com), put it in the directory where you have installed Vermillion FTP Daemon, and start the program. You will notice that it will expire on the 23rd of January 2000, so exit, set your system date to something later than the 23rd of January 2000 (I just changed the year from December 1999 to December 2000), start the program again and you will be presented with a messagebox telling you that the trial activation key has expired. For the sake of a full evaluation we want to fix that; remember the text in the messagebox.

Disassemble vftpd.exe; you can get a drink or a snack at this moment. When it has finished disassembling, a messagebox in W32Dasm will tell you that there is not enough memory to disassemble 238080 lines of text. Just press the Ok button; this happens because there are TOO many lines of text in the vftpd.exe file. Open the String Data References window and search for the following:

"This software's activation key "

It is almost at the end of the String Data References window. Double-click on that line and you will be brought to the following code:

* Possible StringData Ref from Data Obj ->"This software's activation key"
                                                               ->"is invalid or has expired."
                                                     |
:0041B344 6828064700               push 00470628

Scroll up a little and you will see the following:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041B1EA(C), :0041B203(C), :0041B32F(C)

As you can see, the text is referenced by three conditional jumps (the (C) indicates conditional). After going to the three addresses, I know that the first two (0041B1EA and 0041B203) are the jumps taken after verification of the activation key data, so that leaves only one jump that deals with the time validity: the conditional jump at address 0041B32F. We will now go to that address: open the Goto Code Location window (Shift+F12) and enter the address (0041B32F), or scroll up (it's very near). You will then see the following code:

:0041B32B 3BFE    cmp edi, esi    ; compare our pc's date with the allowed time trial period
:0041B32D 5E      pop esi         ; restore the original value of esi
:0041B32E 5B      pop ebx         ; restore the original value of ebx
:0041B32F 7705    ja 0041B336     ; jump if our pc's date is above the allowed time trial period

You should know where to patch, right? We have to patch the instruction at address 0041B32F so that it never jumps to the expired message, no matter what the comparison says (the two pops between the cmp and the ja do not touch the flags, so the ja really acts on the result of that cmp). NOP (stands for No OPeration, the opcode is 90) can be used for our purpose: since a ja with an 8-bit displacement is two bytes long (77 05), we need two NOPs so the following instructions stay where they are. Look at the status bar of W32Dasm to get the file offset of that address, which is 1B32F (note that we don't need the leading zeros, and that this is the offset inside the file, not the 0041B32F virtual address shown in the listing). Close W32Dasm, load up HIEW (or any other hex editor of your choice), load vftpd.exe, press Enter (twice) to go into hex mode, press F5 to go to the location we want, fill in 1B32F, press Enter once and you will be brought to the jump we want to patch. Check that the bytes there really are 77 05 before you touch them. Press F3 to edit and make the following change:

Original bytes: 7705 (ja 0041B336)
Change the bytes (7705) into the following:
Modified bytes: 9090 (nop, nop)

Press F9 to update/save and F10 to exit HIEW. Now try to start Vermillion FTP Daemon with an expired date (after the 23rd of January 2000): the program starts without saying anything (no messagebox). Our job is almost done now. Note that though we defeated the time-limited trial check, there are some other things we could do to make our crack nicer, but that's not our purpose, at least not for today. Job done. As usual, contact me if I made any mistake, and give me your feedback, comments, suggestions and opinions about this tutorial and my way of presenting it.
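The same patch done with a script instead of HIEW, as an added example that is not part of the tutorial or of Arcane Software's code. It works on a constructed byte buffer standing in for vftpd.exe (the real file's layout is not on the page), assumes a 32-bit PE with image base 0x00400000 and a code section whose raw file offset equals its RVA (which is what makes W32Dasm report offset 1B32F for 0041B32F; the section table below is made up for the example), refuses to write unless the original 77 05 bytes are really at the offset, and decodes the rel8 displacement to confirm the jump targets 0041B336.

```python
# Added example: verify-then-patch of the ja at 0041B32F. Not the tutorial's
# own tooling; vftpd.exe's real PE layout is not on the page, so the image base
# and section table below are assumptions, and the sample binary is constructed.

IMAGE_BASE = 0x00400000

# Constructed section table: (name, VirtualAddress, VirtualSize, PointerToRawData).
# RVA == raw offset here, which is what makes VA 0041B32F map to file offset 1B32F.
SECTIONS = [
    (".text", 0x00001000, 0x0005E000, 0x00001000),
    (".data", 0x0005F000, 0x00010000, 0x0005F000),
]

JA_REL8 = 0x77                      # ja/jnbe short: unsigned "above" after cmp edi, esi
NOP = 0x90

PATCH_VA = 0x0041B32F
ORIGINAL = bytes([JA_REL8, 0x05])   # "7705"  ja 0041B336
REPLACEMENT = bytes([NOP, NOP])     # "9090"  nop; nop


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Translate a virtual address from the disassembly into a file offset
    for the hex editor, via the section table (RVA -> PointerToRawData)."""
    rva = va - image_base
    for _name, vaddr, vsize, raw in sections:
        if vaddr <= rva < vaddr + vsize:
            return raw + (rva - vaddr)
    raise ValueError("VA %#010x is not backed by any section" % va)


def rel8_target(insn_va, insn):
    """Target of a two-byte short jump: address of the next instruction plus
    the signed 8-bit displacement. Confirms that 7705 really goes to 0041B336."""
    disp = insn[1] - 0x100 if insn[1] & 0x80 else insn[1]
    return insn_va + 2 + disp


def patch_bytes(data, offset, expected, replacement):
    """Overwrite `expected` at `offset` with `replacement`, refusing to touch a
    file whose bytes do not match (wrong build, wrong offset, already patched)."""
    if len(expected) != len(replacement):
        raise ValueError("patch must not change the instruction length")
    actual = bytes(data[offset:offset + len(expected)])
    if actual != expected:
        raise ValueError("expected %s at %#x, found %s"
                         % (expected.hex(), offset, actual.hex()))
    out = bytearray(data)
    out[offset:offset + len(replacement)] = replacement
    return bytes(out)


def build_sample():
    """Constructed stand-in for vftpd.exe: int3 filler plus the four
    instructions from the listing (cmp edi,esi / pop esi / pop ebx / ja)."""
    off = va_to_file_offset(0x0041B32B)
    img = bytearray(b"\xCC" * (off + 0x40))
    img[off:off + 6] = bytes([0x3B, 0xFE, 0x5E, 0x5B]) + ORIGINAL
    return bytes(img)


def patch_trial_check(data):
    """Apply the tutorial's patch: NOP out the ja so execution falls through
    instead of reaching the "activation key ... has expired" message."""
    return patch_bytes(data, va_to_file_offset(PATCH_VA), ORIGINAL, REPLACEMENT)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # usage: patcher.py in.exe out.exe
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(patch_trial_check(data))
    else:                                       # demo on the constructed sample
        sample = build_sample()
        off = va_to_file_offset(PATCH_VA)
        print("file offset of %#010x: %#x" % (PATCH_VA, off))
        print("ja target: %#010x" % rel8_target(PATCH_VA, ORIGINAL))
        patched = patch_trial_check(sample)
        print("before: %s  after: %s" % (sample[off:off + 2].hex(), patched[off:off + 2].hex()))
```

Running it a second time on the already patched output fails on purpose: the byte check is what keeps a patch tied to the exact build it was made for, which is also why a tutorial that only gives an offset should always give the original bytes as well.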

Extra notes:
Well, the year 1999 is coming to an end. I must take this opportunity to thank everyone who has contributed to me in all possible ways, either directly or indirectly (especially those with names mentioned below). I really feel proud of the Reverse Engineering Scene (which is far more successful than hacking, virii, etc.)! I love cracking!


Ending:
Thanks to: +ORC, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, Crackz, cLUSTER, LaZaRuS, mrfanatic, yes123, WhizKiD, Volatility, Acid Burn, Eternal Bliss, R!SC, MisterE, Shadow, tCM and other crackers and individuals who provide me with their tutorials and tools.

Greetz to: HarvestR, tKC, ytc_, Kwai_Lo, Punisher, TORN@Do, cLUSTER, LaZaRuS, mrfanatic, Shadow, Eternal Bliss, R!SC, yes123, MisterE, WhizKiD, Volatility, Acid Burn, DSi, other cracking groups and all crackers.

Service for ManKind
ManKind
mankind001@bigfoot.com