---------------------------------------------------------
How to find a serial in eFTP Explorer
---------------------------------------------------------

Cracker: stealthFIGHTER
Target:  eFTP Explorer 1.10
Tools:   SoftIce, Brain
Where:   http://www.edisys.com

Sorry for my English, it's not my mother language.

-----------
Step 1:
-----------

===
Run the program ... go to the registration window, fill in name, company and serial number ... what is it? The "NEXT" button is still grey. Now, the registration number is checked after each digit is typed.
===

So, as s/n I wrote 1234567890 (you should do the same). Then set a breakpoint on memory copy (bpx hmemcpy). Go back and delete the last code digit - in my case it is "0" (zero).

.....BooM. We are in Soft-Ice. Press "F5" (this one is our deleted last code digit) and then "F11" to get to the caller. By pressing "F12" get to the 32-bit code and pass all RETs (RETurns of functions). You should be here:

===
015F:0044CBD4  E845FCFFFF   CALL  0044C820        <--- trace into this call (F8)
015F:0044CBDB  85C0         TEST  EAX, EAX
015F:0044CBDD  7E0F         JLE   0044CBEE
===

Trace into the CALL before the JUMP and TEST (press the "F8" key). You should be here:

===
015F:0044C81F  00558B       ADD   [EBP-75], DL    <--- we will land here
015F:0044C820  55           PUSH  EBP
015F:0044C821  8BEC         MOV   EBP, ESP
015F:0044C823  51           PUSH  ECX
015F:0044C824  B905000000   MOV   ECX, 00000005
015F:0044C829  6A00         PUSH  00
015F:0044C82B  6A00         PUSH  00
015F:0044C82D  49           DEC   ECX
015F:0044C82E  75F9         JNZ   0044C829
015F:0044C830  51           PUSH  ECX
015F:0044C831  874DFC       XCHG  ECX, [EBP-04]
015F:0044C834  53           PUSH  EBX
015F:0044C835  56           PUSH  ESI
015F:0044C836  57           PUSH  EDI
015F:0044C837  894DF8       MOV   [EBP-08], ECX
015F:0044C83A  8955FC       MOV   [EBP-04], EDX
015F:0044C83D  8BD8         MOV   EBX, EAX
015F:0044C83F  8B45FC       MOV   EAX, [EBP-04]
015F:0044C842  E8916FFBFF   CALL  004037D8
015F:0044C847  8B45F8       MOV   EAX, [EBP-08]
015F:0044C84A  E8896FFBFF   CALL  004037D8
015F:0044C84F  33C0         XOR   EAX, EAX
015F:0044C851  55           PUSH  EBP
015F:0044C852  68B7CA4400   PUSH  0044CAB7
015F:0044C857  64FF30       PUSH  DWORD PTR FS:[EAX]
015F:0044C85A  648920       MOV   FS:[EAX], ESP
015F:0044C85D  8D45F4       LEA   EAX, [EBP-0C]
015F:0044C860  50           PUSH  EAX
015F:0044C861  B904000000   MOV   ECX, 00000004
015F:0044C866  BA04000000   MOV   EDX, 00000004
015F:0044C86B  8B45F8       MOV   EAX, [EBP-08]
015F:0044C86E  E8B56FFBFF   CALL  00403828
015F:0044C873  8D45EC       LEA   EAX, [EBP-14]
015F:0044C876  50           PUSH  EAX
015F:0044C877  B907000000   MOV   ECX, 00000007
015F:0044C87C  BA09000000   MOV   EDX, 00000009
015F:0044C881  8B45F8       MOV   EAX, [EBP-08]
015F:0044C884  E89F6FFBFF   CALL  00403828
015F:0044C889  8D45F0       LEA   EAX, [EBP-10]
015F:0044C88D  B904000000   MOV   ECX, 00000004
015F:0044C892  BA11000000   MOV   EDX, 00000011
015F:0044C897  8B45F8       MOV   EAX, [EBP-08]
015F:0044C89A  E8896FFBFF   CALL  00403828
015F:0044C89F  8D45E8       LEA   EAX, [EBP-18]
015F:0044C8A2  50           PUSH  EAX
015F:0044C8A3  B907000000   MOV   ECX, 00000007
015F:0044C8A8  BA19000000   MOV   EDX, 00000016
015F:0044C8AD  8B45F8       MOV   EAX, [EBP-08]
015F:0044C8B0  E8736FFBFF   CALL  00403828
015F:0044C8B5  8B45F8       MOV   EAX, [EBP-08]
015F:0044C8B8  BAD4CA4400   MOV   EDX, 0044CAD4
015F:0044C8BD  E8726EFBFF   CALL  00403734        <--- call real s/n
015F:0044C8C2  750A         JNZ   0044C8CE        <--- bad boy
===

The CALL before the JUMP is very interesting for me. Type D EDX and you will get something in the DATA window:

===
jake........................
boopie....................
%2.2d...U...........SV W3..]..M...U....E.....
.....33....E....E.........
===

Write the serials/names down and clear all breakpoints (bc *). As a serial enter "jake" or "boopie" ---> YESS, our NEXT button is black and now we can push it (both serials are correct).

===

---------------------------------------------------------
If I made a mistake, please e-mail me at: stealthfighter@another.com
---------------------------------------------------------
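Why "D EDX" gave the serial away: the traced code compares the typed serial against a plaintext string constant sitting in the data segment, so anyone who reaches the compare can read it. The following added example (my own, not code from eFTP Explorer or from this tutorial) puts that weak pattern next to a digest-based check; the serials "jake" and "boopie" come from the dump above, while SALT and the simulated data segment layout are constructed for the demonstration.

```python
import hashlib
import hmac
import re

# The two serials recovered in the tutorial, stored the way the traced
# code stores them: as plaintext constants inside the binary.
PLAINTEXT_SERIALS = (b"jake", b"boopie")

def check_plaintext(serial: bytes) -> bool:
    """Weak pattern: direct compare of the input with a string constant."""
    return serial in PLAINTEXT_SERIALS

# Hardened variant: the binary carries only salted SHA-256 digests.
SALT = b"eftp-example-salt"          # constructed value for this example

def _digest(serial: bytes) -> bytes:
    return hashlib.sha256(SALT + serial).digest()

# Computed at build time; the plaintext serials never reach the shipped binary.
SERIAL_DIGESTS = tuple(_digest(s) for s in PLAINTEXT_SERIALS)

def check_digest(serial: bytes) -> bool:
    """Compare the digest of the input with each stored digest (constant-time)."""
    d = _digest(serial)
    return any(hmac.compare_digest(d, stored) for stored in SERIAL_DIGESTS)

def printable_strings(image: bytes, min_len: int = 4) -> list:
    """Printable runs a `strings` pass or a debugger data dump would show."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)

def data_segment(constants) -> bytes:
    """Simulated data segment: the constants laid out back to back, NUL separated."""
    return b"\x00".join(constants) + b"\x00"

def serial_recoverable(constants, serial: bytes) -> bool:
    """True if the serial can be read straight out of the simulated binary."""
    return serial in printable_strings(data_segment(constants))
```

Hashing stops the serial from being read out of the binary's constants; it does nothing about the conditional jump after the compare, which is a separate problem.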