December 1998
"FTP Express v3.0.004" ( Finding a compare of a serial number )
Win '95/'98 PROGRAM Win Code Reversing

by Punisher

Cracking 4 Newbies

Program Details
Program Name: Ftpexpress.exe
Program Type: FTP download program
Program Location: Softseek
Program Size: 1.55 MB

Tools Used: Soft-Ice --- Debugger

Rating
Easy ( X ) Medium ( ) Hard ( ) Pro ( )
There is a crack, a crack in everything. That's how the light gets in.
FTP Express v3.0.004
( Finding the compare of the serial number )
Written by Punisher
Introduction
The author(s) of this utility can be found at: http://www.intellisys-mn.com
The author says:
"FTP Express is a full-featured FTP client application. You can
download and upload files and folders, create folders and rename and
delete files and folders. All without knowing anything about FTP."
About this protection system
Registration is via the About dialog box, then selecting the Register button. Here you will be asked to enter:
Name :
Key :
The real reg key is calculated from the name entered. It is then compared character by character with the fake key you entered. If the compare does not match for any character then it is a fake key.
The Essay
Install FTP Express and run the program. The first thing that appears is a nag screen telling you how many days you have remaining and a set of bullshit about registering.
Click the 'I Agree' button and another screen will pop up asking you to make a couple of choices. Click the Cancel button and you will be in the main program screen.
Select Help > About FTP Express and when the About dialog box appears select the Register button. The Register dialog box will appear. Enter your name and fake reg key.
Go into Soft-Ice by pressing ctrl-d. We are going to use HMEMCPY to trace into Kernel and locate where HMEMCPY copies our fake reg key, then set a breakpoint on that memory range.
Set a breakpoint on HMEMCPY, eg:
>>> BPX HMEMCPY
Now leave Soft-Ice by pressing ctrl-d.
We are back at the Register dialog box. Click the OK button and Soft-Ice breaks in Kernel at HMEMCPY.
Type x and press [ENTER] and Soft-Ice will break in Kernel again at HMEMCPY. Now press F10 until you come to this piece of code:
0117:9E8C PUSH ECX
0117:9E8E SHR ECX, 02
0117:9E92 REPZ MOVSD ; this copies fake reg code to memory
0117:9E96 POP ECX
0117:9E98 AND ECX, 03
0117:9E9C REPZ MOVSB ; this copies fake reg code to memory byte at a time
This piece of code copies your fake reg key to a memory location. We will set a breakpoint on this memory range so that if the program reads or writes to that memory range Soft-Ice will break.
Step using F10 until you get to REPZ MOVSD. Don't step past it as yet.
Now dump the memory at es:edi and you will see where your fake reg key will be copied, eg:
>>> d es:edi
We will now set a breakpoint on es:edi for the length of our reg key. I usually use 8 characters in mine, eg: 45454545.
>>> bpr es:edi es:edi+8 rw
Now step past REPZ MOVSB using F10 and you will see your fake reg key being copied to the memory location at es:edi.
Now let's let the program run and wait for Soft-Ice to break. Type x and press [ENTER]. Soft-Ice will break at REPZ SCASB. Press F10 until you step past it, then hit x and press [ENTER] to let the program run again.
Soft-Ice will break again at AND BYTE PTR [ECX+EAX],00. Type x and press [ENTER] to let the program run again.
Soft-Ice will break at this piece of code:
0137:78005D81 MOV DL, [EAX] ; fake key is located at EAX
0137:78005D83 MOV BL, [ESI] ; the real reg key is located at ESI
0137:78005D85 MOV CL, DL
0137:78005D87 CMP DL, BL ; this compares a character from the real key with the fake key
0137:78005D89 JNZ 78005DAC ;bad cracker jump
Step past MOV BL, [ESI] and dump the memory address at ESI and you will see your real reg key, eg:
>>> d ESI
Write down the real reg key. Now clear all breakpoints, eg:
>>> bc *
Let the program run by typing x and pressing [ENTER].
A dialog box will pop up telling you to re-enter your key. Click the OK button to get rid of that box, type in the real reg key and press [ENTER], and the program will be registered.
You should buy this program if you intend to use it longer than the evaluation period.
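The weakness this essay exploits is a design choice, not a bug: the program computes the real key from the name, so the real key has to exist in memory, and then compares it one character at a time with an early-exit branch (the CMP DL,BL / JNZ pair above), which is exactly what a memory breakpoint lands on. The C below is an added editorial example, not FTP Express's code; the derivation (FNV-1a of the name rendered as letters A..P) is a hypothetical stand-in for the real scheme, which the essay does not show. It places the weak pattern beside a hardened check that drops the early-exit branch and scrubs the derived key, and the comments say what that does and does not buy.

```c
#include <stdint.h>
#include <string.h>
#define KEY_LEN 8

/* Hypothetical key derivation (FNV-1a of the name rendered as letters A..P). */
static void derive_key(const char *name, char out[KEY_LEN + 1]) {
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    for (int i = 0; i < KEY_LEN; i++)
        out[i] = (char)('A' + ((h >> (4 * i)) & 0xF));
    out[KEY_LEN] = '\0';
}

/* Weak pattern from the essay: the real key sits in a plain buffer and is
   compared a character at a time, with the first mismatch taking the early
   exit (CMP DL,BL / JNZ). The buffer is left intact after the call. */
int check_weak(const char *name, const char *entered) {
    char real[KEY_LEN + 1];
    derive_key(name, real);
    for (int i = 0; i < KEY_LEN; i++)
        if (entered[i] != real[i]) return 0;   /* first mismatch ends the compare */
    return entered[KEY_LEN] == '\0';
}

/* Hardened variant: fixed-length branch-free compare, and the derived key is
   scrubbed before returning. The key still exists briefly, so this narrows the
   window; only a scheme whose expected value cannot be derived from the name
   in-process (e.g. a signature over it) keeps the key out of memory. */
int check_hardened(const char *name, const char *entered) {
    char real[KEY_LEN + 1];
    unsigned char diff = 0;
    if (strlen(entered) != KEY_LEN) return 0;  /* length is not secret */
    derive_key(name, real);
    for (int i = 0; i < KEY_LEN; i++)
        diff |= (unsigned char)(entered[i] ^ real[i]);
    volatile char *v = real;                   /* volatile: scrub is not optimised away */
    for (int i = 0; i <= KEY_LEN; i++) v[i] = 0;
    return diff == 0;
}

/* Both checks accept the derived key and reject it with its last character changed. */
int verifiers_agree(const char *name) {
    char real[KEY_LEN + 1];
    derive_key(name, real);
    int ok = check_weak(name, real) && check_hardened(name, real);
    real[KEY_LEN - 1] ^= 1;                    /* alter the last character */
    return ok && !check_weak(name, real) && !check_hardened(name, real);
}
```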