Cracking Tutorial for FTP Navigator 4.15
Those who have been in the scene as long as yosh know that #Cracking4Newbies used to have a weekly cracking target, one for non-ops and one for ops. I don't know why, but when I first joined the channel there was no such project. I want to bring it back to teach the next generation of crackers, also known as newbies, how to crack. I chose a target which I thought was very easy to crack; however, some newbies on C4N couldn't get it, so I decided to write this short tutorial. I hope that with its help everyone can understand how to crack a target of this kind.

When I started FTP Navigator for the first time I thought it only had a time-limit protection: a screen that looks like a NAG pops up, but it goes away as soon as you move the mouse, so it isn't a real NAG. Now what happens if we set the system clock forward so that FTP Navigator has expired? Let's try. Oh my god: the OK button in the start dialog, which has now turned into a NAG screen, is disabled, and it is only enabled again after 1710 seconds (28.5 minutes). Press EXIT.

So let's start killing that stupid NAG that gets displayed after FTP Navigator has expired. For NAG screens of this kind, like the one in FTP Navigator, I suggest setting a BPX on ShowWindow, and that is what I did. After setting the BPX and starting FTP Navigator, SoftICE pops up and displays the following code snippet:

:0042DCBF E81C84FDFF             CALL USER32!ShowWindow
:0042DCC4 E905010000             JMP 0042DDCE

Now we need to get to the CALL that generates the whole NAG screen.
So trace through the code a bit with F12 (about 16 times) and F10 (about 40 times) until you find something like the following code snippet:

:0042E29E 8B03                   MOV EAX,[EBX]
:0042E2A0 E8831B0000             CALL 0042FE28
:0042E2A5 8B03                   MOV EAX,[EBX]
:0042E2A7 80787C00               CMP BYTE PTR [EAX+7C],00
:0042E2AB 740F                   JZ 0042E2BC
:0042E2AD 8B45FC                 MOV EAX,[EBP-04]
:0042E2B0 C7805001000002000000   MOV DWORD PTR [EAX+00000150],00000002
:0042E2BA EB14                   JMP 0042E2D0
:0042E2BC 8B45FC                 MOV EAX,[EBP-04]
:0042E2BF 83B85001000000         CMP DWORD PTR [EAX+00000150],00
:0042E2C6 7408                   JZ 0042E2D0
:0042E2C8 8B45FC                 MOV EAX,[EBP-04]
:0042E2CB E838FDFFFF             CALL 0042E008
:0042E2D0 8B45FC                 MOV EAX,[EBP-04]
:0042E2D3 8B8050010000           MOV EAX,[EAX+00000150]
:0042E2D9 85C0                   TEST EAX,EAX
:0042E2DB 74C1                   JZ 0042E29E
:0042E2DD 8945F8                 MOV [EBP-08],EAX
:0042E2E0 6A00                   PUSH 00
:0042E2E2 6A00                   PUSH 00
:0042E2E4 6801B00000             PUSH 0000B001
:0042E2E9 8B45FC                 MOV EAX,[EBP-04]
:0042E2EC E8FB5CFFFF             CALL 00423FEC
:0042E2F1 50                     PUSH EAX
:0042E2F2 E8497DFDFF             CALL USER32!SendMessageA
:0042E2F7 8B45FC                 MOV EAX,[EBP-04]
:0042E2FA E8ED5CFFFF             CALL 00423FEC
:0042E2FF 8BD8                   MOV EBX,EAX
:0042E301 E8EA7AFDFF             CALL USER32!GetActiveWindow
:0042E306 3BD8                   CMP EBX,EAX
:0042E308 7405                   JZ 0042E30F
:0042E30A 33C0                   XOR EAX,EAX
:0042E30C 8945E4                 MOV [EBP-1C],EAX
:0042E30F 33C0                   XOR EAX,EAX
:0042E311 5A                     POP EDX
...
:0042E324 C3                     RET

Now, as you might have guessed, this is a loop: the JZ at 42E2DB jumps back to 42E29E as long as the DWORD at [EAX+150] is still zero, so it is repeated again and again until the 1710 seconds have passed. We need to break that loop, but how? If we toggle the zero flag (r fl z) when we are at 42E2DB, the JZ is not taken and the program goes on. That is all we need for now, because our real goal is to stop the complete routine from being executed at all. So once you have passed the RET at 42E324, we are getting close to the location we can patch (i.e. the CALL we can replace with NOPs):

:0042E32C 33C0                   XOR EAX,EAX
:0042E32E 5A                     POP EDX
...
:0042E3BE 80A03D010000F7         AND BYTE PTR [EAX+0000013D],F7
:0042E3C5 C3                     RET
...
:0042E3E0 E8E355FDFF             CALL 004039C8
:0042E3E5 C3                     RET
...
:0042E3F4 5D                     POP EBP
:0042E3F5 C3                     RET

After this RET you land right behind the CALL that brought up the NAG (and that we are about to kill):

:00459D1E 33C0                   XOR EAX,EAX

Now just look at the previous instruction (scroll the Code Window up one line), and you get the following:

:00459D19 E83E44FDFF             CALL 0042E15C

Now we can replace the CALL 42E15C at 459D19 with NOPs to kill the NAG. Start Hacker's View, search for E83E44FDFF and replace it with 9090909090, and the NAG won't be shown on startup again. If you also want to remove the 'Unregistered' text, search for '(Unregistered)' and replace it with whatever you like, e.g. replace '4.15 (Unregistered)' with '4.15 (Registered)'. Don't forget to put a 00 right behind the closing round bracket to mark the end of the string, because the new text is shorter than the old one and the old terminator would otherwise be left in the middle of leftover characters.

Another target has been reverse engineered.
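To check the addresses above and apply the same two patches in a reproducible way, here is an added Python example; it is not part of the original tutorial and not code from the FTP Navigator authors. It decodes the relative displacements of the CALL at 459D19 and the JZ at 42E2DB to confirm the targets SoftICE shows, then applies the CALL-to-NOP patch and the string patch to a constructed byte string that stands in for a few bytes of the executable (the real file is not included; the filler bytes around the CALL are an assumption). Like the Hacker's View search in the text it matches raw bytes rather than converting the virtual address to a file offset, and it refuses to patch unless the pattern occurs exactly once, which is the check you want before NOPing a five-byte sequence that could just as well appear elsewhere in the image.

```python
import struct

NOP = 0x90


def call_target(va, insn):
    """Target of a 5-byte E8 rel32 CALL whose first byte is at virtual address va."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 rel32 CALL")
    rel = struct.unpack("<i", insn[1:])[0]        # signed 32-bit displacement
    return (va + len(insn) + rel) & 0xFFFFFFFF     # relative to the next instruction


def jcc_rel8_target(va, insn):
    """Target of a 2-byte short conditional jump (74 xx = JZ) at virtual address va."""
    if len(insn) != 2 or not 0x70 <= insn[0] <= 0x7F:
        raise ValueError("not a short Jcc")
    rel = struct.unpack("<b", insn[1:])[0]        # signed 8-bit displacement
    return (va + len(insn) + rel) & 0xFFFFFFFF


def patch_unique(data, pattern, replacement):
    """Replace pattern with an equal-length replacement, but only if it occurs exactly once."""
    if len(pattern) != len(replacement):
        raise ValueError("patch must not change the file length")
    first = data.find(pattern)
    if first < 0:
        raise ValueError("pattern not found")
    if data.find(pattern, first + 1) >= 0:
        raise ValueError("pattern is not unique; refusing to patch")
    return data[:first] + replacement + data[first + len(pattern):]


def nop_out_call(data, call_bytes):
    """Overwrite a CALL with NOPs, like replacing E83E44FDFF with 9090909090 in Hiew."""
    return patch_unique(data, call_bytes, bytes([NOP]) * len(call_bytes))


def replace_c_string(data, old, new):
    """Replace a NUL-terminated string in place; a shorter string is padded with NULs."""
    old_b = old.encode("ascii") + b"\x00"
    new_b = new.encode("ascii") + b"\x00"
    if len(new_b) > len(old_b):
        raise ValueError("replacement string is longer than the original")
    return patch_unique(data, old_b, new_b.ljust(len(old_b), b"\x00"))


NAG_CALL = bytes.fromhex("E83E44FDFF")            # CALL 0042E15C at 00459D19

# Constructed stand-in for a few bytes of the executable; NOT the real file.
# The bytes around the CALL are filler chosen for this example.
SAMPLE_IMAGE = (
    b"\x55\x8B\xEC"                                # filler: PUSH EBP / MOV EBP,ESP
    + NAG_CALL                                     # 00459D19 CALL 0042E15C (the NAG)
    + bytes.fromhex("33C0")                        # 00459D1E XOR EAX,EAX
    + b"\x00" * 4
    + b"4.15 (Unregistered)\x00"                   # the version string from the text
    + b"\x00" * 4
)


def crack(image=SAMPLE_IMAGE):
    """Apply both patches from the tutorial and return the patched image."""
    image = nop_out_call(image, NAG_CALL)
    return replace_c_string(image, "4.15 (Unregistered)", "4.15 (Registered)")


if __name__ == "__main__":
    # The displacements SoftICE showed decode to the targets it printed.
    assert call_target(0x00459D19, NAG_CALL) == 0x0042E15C
    assert jcc_rel8_target(0x0042E2DB, bytes.fromhex("74C1")) == 0x0042E29E
    print(crack().hex())
```

On the real file, read it with open(path, "rb"), pass the bytes to crack(), and write the result back out. Five NOPs are only a safe replacement for a CALL that leaves nothing on the stack for the callee to clean up; if a routine took stdcall-style stack arguments you would have to remove the PUSHes as well or the stack would be left unbalanced.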
Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.