---------------------------------------------------------
How to find a serial in eFTP Explorer
---------------------------------------------------------

Cracker: stealthFIGHTER 

Target: eFTP Explorer 1.10

Tools: SoftIce
           Brain

Where: http://www.edisys.com

Sorry for my English, it's not my mother tongue.


-----------
Step 1:
-----------

===
Run the program and go to the registration window; fill in name, company
and serial number ... what is this? The "NEXT" button is still grey.
So the registration number is checked (recalculated) after every digit
you type.
===
So, as s/n I entered 1234567890 (you should do the same).
Then set a breakpoint on memory copy (bpx hmemcpy). Go back
and delete the last digit of the code - in my case it is "0" (zero). .....BooM.
We are in Soft-Ice. Press "F5" (this hit is for our deleted last digit) and
then "F11" to get to the caller. Press "F12" until you reach the 32-bit code,
passing all the RETs (RETurns from functions).
You should be here:
===



015F:0044CBD6	E845FCFFFF	CALL 0044C820	<--- trace into this call (F8)
015F:0044CBDB	85C0		TEST EAX, EAX
015F:0044CBDD	7E0F		JLE 0044CBEE


===
Trace into the CALL before the TEST and JUMP (press the "F8" key).
You should be here:
===


015F:0044C81F	00558B		ADD [EBP-75], DL		<--- we will land here
015F:0044C820	55		PUSH EBP
015F:0044C821	8BEC		MOV EBP, ESP
015F:0044C823	51		PUSH ECX
015F:0044C824	B905000000	MOV ECX, 00000005
015F:0044C829	6A00		PUSH 00
015F:0044C82B	6A00		PUSH 00
015F:0044C82D	49		DEC ECX
015F:0044C82E	75F9		JNZ 0044C829
015F:0044C830	51		PUSH ECX
015F:0044C831	874DFC		XCHG ECX, [EBP-04]
015F:0044C834	53		PUSH EBX
015F:0044C835	56		PUSH ESI
015F:0044C836	57		PUSH EDI
015F:0044C837	894DF8		MOV [EBP-08], ECX
015F:0044C83A	8955FC		MOV [EBP-04], EDX
015F:0044C83D	8BD8		MOV EBX, EAX
015F:0044C83F	8B45FC		MOV EAX, [EBP-04]
015F:0044C842	E8916FFBFF	CALL 004037D8
015F:0044C847	8B45F8		MOV EAX, [EBP-08]
015F:0044C84A	E8896FFBFF	CALL 004037D8
015F:0044C84F	33C0		XOR EAX, EAX
015F:0044C851	55		PUSH EBP
015F:0044C852	68B7CA4400	PUSH 0044CAB7
015F:0044C857	64FF30		PUSH DWORD PTR FS: [EAX]
015F:0044C85A	648920		MOV FS: [EAX], ESP
015F:0044C85D	8D45F4		LEA EAX, [EBP-0C]
015F:0044C860	50		PUSH EAX
015F:0044C861	B904000000	MOV ECX, 00000004	
015F:0044C866	BA04000000	MOV EDX, 00000004
015F:0044C86B	8B45F8		MOV EAX, [EBP-08]
015F:0044C86E	E8B56FFBFF	CALL 00403828
015F:0044C873	8D45EC		LEA EAX, [EBP-14]
015F:0044C876	50		PUSH EAX
015F:0044C877	B907000000	MOV ECX, 00000007
015F:0044C87C	BA09000000	MOV EDX, 00000009
015F:0044C881	8B45F8		MOV EAX, [EBP-08]
015F:0044C884	E89F6FFBFF	CALL 00403828
015F:0044C889	8D45F0		LEA EAX, [EBP-10]
015F:0044C88C	50		PUSH EAX
015F:0044C88D	B904000000	MOV ECX, 00000004
015F:0044C892	BA11000000	MOV EDX, 00000011	
015F:0044C897	8B45F8		MOV EAX, [EBP-08]
015F:0044C89A	E8896FFBFF	CALL 00403828
015F:0044C89F	8D45E8		LEA EAX, [EBP-18]
015F:0044C8A2	50		PUSH EAX
015F:0044C8A3	B907000000	MOV ECX, 00000007
015F:0044C8A8	BA19000000	MOV EDX, 00000019
015F:0044C8AD	8B45F8		MOV EAX, [EBP-08]
015F:0044C8B0	E8736FFBFF	CALL 00403828
015F:0044C8B5	8B45F8		MOV EAX, [EBP-08]
015F:0044C8B8	BAD4CA4400	MOV EDX, 0044CAD4	
015F:0044C8BD	E8726EFBFF	CALL 00403734		<--- call real s/n
015F:0044C8C2	750A		JNZ 0044C8CE		<--- bad boy


===
The CALL before the JUMP is the interesting one. Type D EDX and
you will see this in the DATA window:
===


jake........................
boopie....................
%2.2d...U...........SV
W3..]..M...U....E.....
.....33....E....E.........

===
Write the serials/names down and clear all breakpoints (bc *).
Enter "jake" or "boopie" as the serial ---> YESS, our NEXT button is black
and now we can push it (both serials are correct).
===
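Why this worked, shown as an added example (this is not eFTP Explorer's code and not part of the original tutorial): the program compares what you type against serials that sit in the binary as plaintext, so one D EDX in the data window gives them away. The Python below puts that weak pattern next to a check that stores only salted hashes and compares them in constant time, then runs a small strings-style scan over a constructed data area for each design to show what a dump recovers. The serial values "jake" and "boopie" are the ones from the walkthrough; the salt, the data-area layouts and all function names are assumptions made up for this example.

```python
import hashlib
import hmac

# --- Weak design, mirroring what the walkthrough above found ---
# The valid serials live in the binary as plaintext and the check is a
# plain string compare, so anyone who dumps the data segment reads them.
# Serial values taken from the walkthrough; everything else is constructed.
PLAINTEXT_SERIALS = [b"jake", b"boopie"]


def weak_check(entered: bytes) -> bool:
    """Plaintext compare: the secret itself must be present in memory."""
    return entered in PLAINTEXT_SERIALS


# --- Hardened design (assumed for this example, not the product's code) ---
# Only a salted SHA-256 of each serial is stored. The binary still holds
# the salt and the digests, but neither reveals the serial, and the compare
# is constant-time so the check also leaks nothing through timing.
SALT = b"example-fixed-salt"  # constructed; a real build would generate its own


def serial_digest(serial: bytes, salt: bytes = SALT) -> bytes:
    return hashlib.sha256(salt + serial).digest()


HASHED_SERIALS = [serial_digest(s) for s in PLAINTEXT_SERIALS]


def hardened_check(entered: bytes) -> bool:
    """Hash the input and compare against every stored digest, no early exit."""
    d = serial_digest(entered)
    ok = False
    for h in HASHED_SERIALS:
        ok |= hmac.compare_digest(d, h)
    return ok


# --- What a memory or file dump recovers in each design ---
def embedded_strings(blob: bytes, min_len: int = 4) -> list:
    """Tiny strings-style scanner: runs of printable ASCII of at least min_len."""
    out, run = [], bytearray()
    for b in blob + b"\x00":
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(bytes(run))
            run = bytearray()
    return out


def weak_data_segment() -> bytes:
    # constructed layout: NUL-separated constants, as the D EDX dump showed
    return b"\x00".join(PLAINTEXT_SERIALS + [b"%2.2d"]) + b"\x00"


def hardened_data_segment() -> bytes:
    # constructed layout: salt, then the digests, then the same format string
    return SALT + b"\x00" + b"\x00".join(HASHED_SERIALS) + b"\x00%2.2d\x00"


def serial_leaks(blob: bytes) -> bool:
    """True if a plain strings scan of the blob yields a valid serial."""
    found = embedded_strings(blob)
    return any(s in found for s in PLAINTEXT_SERIALS)


if __name__ == "__main__":
    print("weak design leaks serial:    ", serial_leaks(weak_data_segment()))
    print("hardened design leaks serial:", serial_leaks(hardened_data_segment()))
    print("hardened_check('jake'):      ", hardened_check(b"jake"))
```

The point of the scan is that the hardened layout can be dumped just as easily, yet nothing printable in it is a serial; the attacker is left with a digest to invert rather than a string to copy. The repeated-compare loop with hmac.compare_digest keeps the check's running time independent of which stored value, if any, matched.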
---------------------------------------------------------
If I made a mistake, please e-mail me
at: stealthfighter@another.com
---------------------------------------------------------