June 1999
"Ws_ftp pro V6.01"
( '30 day limit? not any more'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Snake
 
 
Code Reversing For Beginners 
 
 
 
 
Program Details
Program Name: f_x86t32.exe
Program Type: File Transfer client
Program Location: Here 
Program Size: 1.5mb 
 
 
     
Tools Used:
Softice V3.23 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
 
 
Rating
Easy (X)  Medium ( )  Hard (    )  Pro (    ) 
 
 

Ws_ftp pro V6.01
( '30 day limit? not any more'  )
Written by The Snake
 
Introduction
 
The author of Ftp95pro says:
 
  WS_FTP Professional is a Windows-based file transfer client application
  that transfers files between a user's local PC and another, remote
  computer system connected via a modem and telephone lines or by a
  local-area network. With WS_FTP Pro, users can connect to any remote
  system that has a valid Internet address and an FTP server program,
  browse through directories and files, and transfer files between the
  two systems. In addition, users can create, change, and remove
  directories and view, execute, rename, or delete files.

  WS_FTP Pro complies with the Windows sockets (Winsock) standard,
  allowing you to transfer files between a wide variety of systems,
  including Windows, OS/2, and UNIX systems.
 
About this protection system
 
 Before we start the reverse work, play with this tool by changing the date of your
 computer.
 As we see, this program will stop functioning after 30 days. When we run it, it runs
 without any nag screen until we come to 7 days before expiry. Then it shows us a
 nag screen that "evaluation is running", and we have 7,6,5,4,3,2,1 days left, BUT
 IT KEEPS RUNNING AS NORMAL.
 When time is over, we get the nag screen that evaluation is over AND THE
 PROGRAM WILL STOP RUNNING...
 This is a good sign for us !!!
 The program saves the installation settings in a file called WS_FTP.key :

 create date=19990530 15:34
 expire date=June 14, 1999
 expiration=1999165  <<<  165 days from the beginning of 1999.

 Don't change this file before you make a backup !! (unless you want to re-install it)

 Ok, can we start our unlimited trip now ?
 
The Essay 
 
 Since it's not the first "time limited" program I'm dealing with, I can tell that this kind
 of program uses the "GetSystemTime" function to "know" the period left...
 In this one, after the program gets the system time, it makes some checks against the
 dates that were kept in the WS_FTP.key file.
 All that you're going to see and follow here is not a "rule". Sometimes you need to
 bpx in the program, and then keep pressing "F10" and watch some registers to get the idea
 of what's going on...  We're ready now.
 Just remember to set up the clock to the range of 7 days before the end of the trial time.
 Set a break-point in Softice :
 "ctrl-d", "bpx getsystemtime" and x to leave. Start ftp95pro.exe.
 SI breaks; we need the 6th call of "getsystemtime", so type "x" 5 times, and
 now 'F11' once. We now want to go to the function that reads the installation info
 from the key file. BD the last bpx and set a new one : bpx GetPrivateProfileStringA.
 This function reads strings from files...
 Type x, and SI breaks. Press 'F11' once, and here is the code we land at.
 The dates are in the format yyyynnn: yyyy=year, nnn=days from the beginning of the year.
 * Reference To: KERNEL32.GetPrivateProfileStringA, Ord:00FFh
                                  |
:00411380 FF1510C74500     Call dword ptr [0045C710]
:00411386 6A04             push 00000004               ; we land here
:00411388 8D45AE           lea eax, dword ptr [ebp-52] ; eax=expire date
:0041138B 50               push eax
:0041138C 8D45A4           lea eax, dword ptr [ebp-5C] ; eax=today's date
:0041138F 50               push eax
:00411390 E8EB660200       call 00437A80
:00411395 83C40C           add esp, 0000000C
:00411398 8945FC           mov dword ptr [ebp-04], eax
:0041139B 837DFC00         cmp dword ptr [ebp-04], 00000000
:0041139F 0F8524000000     jne 004113C9
:004113A5 8D45AE           lea eax, dword ptr [ebp-52] ; eax=expire date
:004113A8 50               push eax
:004113A9 E8426F0200       call 004382F0 ; eax=expire date in hex format
:004113AE 83C404           add esp, 00000004
:004113B1 8BD8             mov ebx, eax  ; ebx=expire date in hex format
:004113B3 8D45A4           lea eax, dword ptr [ebp-5C] ; eax=today's date
:004113B6 50               push eax
:004113B7 E8346F0200       call 004382F0 ; eax=today's date in hex format
:004113BC 83C404           add esp, 00000004
:004113BF 2BD8             sub ebx, eax ; ebx=days left
:004113C1 895DF4           mov dword ptr [ebp-0C], ebx
:004113C4 E9D6000000       jmp 0041149F ; we jump here

 We can see that the program calculated the days left from the system date and
 the expire date in the WS_FTP.key. Now it's kept at address [ebp-0C] in memory, and we
 jump to :

 * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004113C4(U), :00411432(U), :0041147E(U)
|
:0041149F 8B45F4           mov eax, dword ptr [ebp-0C] ; eax=days left
:004114A2 E900000000       jmp 004114A7                                ; jump to next line
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004114A2(U)
|
:004114A7 5F               pop edi                                        ; we jump to here
:004114A8 5E               pop esi
:004114A9 5B               pop ebx
:004114AA C9               leave
:004114AB C3               ret
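The days-left arithmetic from the listing above, written out in C as an added example (not code from WS_FTP Pro or from the author): the program converts both yyyynnn stamps to integers and subtracts them, which is only right while both dates fall in the same year, so a calendar-correct version is shown beside it. The function names, the malformed-stamp check and the `trial_active` gate are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Split a "yyyynnn" stamp (year*1000 + day-of-year), the format the key
 * file uses ("expiration=1999165"). Returns 1 on success, 0 if malformed.
 * The name and the validation are assumed for this example. */
static int parse_stamp(const char *s, int *year, int *yday)
{
    char *end;
    long v;
    if (strlen(s) != 7)
        return 0;
    v = strtol(s, &end, 10);
    if (*end != '\0')
        return 0;
    *year = (int)(v / 1000);
    *yday = (int)(v % 1000);
    return *yday >= 1 && *yday <= 366;
}

/* Days left the way the disassembly computes it: atoi(expire) - atoi(today)
 * (the two calls to 004382F0 followed by "sub ebx, eax").
 * Correct only while both stamps fall in the same year. */
int days_left_naive(const char *today, const char *expire)
{
    return atoi(expire) - atoi(today);
}

/* Day number of a stamp relative to a fixed origin, leap years included. */
static long day_number(int year, int yday)
{
    int y = year - 1;
    long leaps = y / 4 - y / 100 + y / 400;
    return (long)year * 365 + leaps + yday;
}

/* Days left as a calendar counts them; correct across a year boundary.
 * Returns 1 and stores the count in *out, or 0 if either stamp is malformed. */
int days_left_calendar(const char *today, const char *expire, int *out)
{
    int ty, td, ey, ed;
    if (!parse_stamp(today, &ty, &td) || !parse_stamp(expire, &ey, &ed))
        return 0;
    *out = (int)(day_number(ey, ed) - day_number(ty, td));
    return 1;
}

/* The gate at 00411911: the program only carries on when days left >= 1. */
int trial_active(int days_left)
{
    return days_left >= 1;
}
```

With the constructed stamps 1999365 (Dec 31, 1999) and 2000003, the naive subtraction reports 638 days left where a calendar gives 3.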

 After we get back from the ret, we are here :
 
:004118FA E8F4F3FFFF       call 004112AA                          ; back from this call
:004118FF 83C408           add esp, 00000008         ; we land here !
:00411902 8945FC           mov dword ptr [ebp-04], eax ; [ebp-04]=days left
:00411905 E907000000       jmp 00411911              ; we jump here

 * Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411905(U)
|
:00411911 837DFC01         cmp dword ptr [ebp-04], 00000001
:00411915 0F8DBC000000     jnl 004119D7    ; jump if more than 0 days left
:0041191B 6A00             push 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411915(C)
|
:004119D7 837DFC08         cmp dword ptr [ebp-04], 00000008 ; we land here !
:004119DB 0F8D1C000000     jnl 004119FD  ; jump if more than 7 days left
:004119E1 8B45FC           mov eax, dword ptr [ebp-04]
:004119E4 50               push eax

* Possible Reference to Dialog: DialogID_4E22
                                  |
:004119E5 68224E0000       push 00004E22
:004119EA 8B4508           mov eax, dword ptr [ebp+08]
:004119ED 50               push eax
:004119EE 8B450C           mov eax, dword ptr [ebp+0C]
:004119F1 50               push eax
:004119F2 E883F5FFFF       call 00410F7A   ; call shows the days left screen
:004119F7 83C410           add esp, 00000010   ; from here works normal !!!
:004119FA FF45A8           inc [ebp-58]

 If there are no more days, it will keep on; press 'F10' until you get the screen, and press
 "continue evaluation". This screen is created at location 004119F2, and from then on the
 program keeps running as normal, at location 004119F7.

 Can you see what the code above does? We see how this protection routine is
 calculating how many days are left for us to use. If we still have more than 0 days
 the program will jump to location 004119D7. All the reversing done here is just to let you
 see how a trial version can check the days. Now we go to the actual part...
 Ok, from location 004119F7 keep pressing 'F10' 18 times; this will lead us to where
 all the checks were called from :

:00423C6D 6A00             push 00000000
:00423C6F E8A6D9FEFF       call 0041161A  ; call for checks and nag screen
:00423C74 83C410           add esp, 00000010 ; from here works normal !!!
:00423C77 E9D0000000       jmp 00423D4C

 We can 'nop' this call, so we will not get the last 7 days warning.
 Now, to make this program work for ever, look at this :

:00423BCF E8D6DEFEFF        call 00411AAA
:00423BD4 83C410            add esp, 00000010
:00423BD7 85C0              test eax, eax
:00423BD9 0F849D000000      jz 00423C7C
:00423BDE 00837DE4000F      add byte ptr [ebx+0F00E47D], al

 If we change the 'jz 00423c7c' to 'jmp 00423c74', this will make it...

 job done.
 
The Patches 
  
 Load up Ftp95pro.exe into your Hex-Editor (I use HexWorkshop-32).
 
SEARCH FOR THE FOLLOWING BYTES : 6A00E8A6D9FEFF83
REPLACE WITH HIGHLIGHTED BYTES : 6A00909090909083

SEARCH FOR THE FOLLOWING BYTES : 85C00F849D0000
REPLACE WITH HIGHLIGHTED BYTES : 85C0E996000000
 
REMEMBER, I'm doing my cracks as a hobby and a challenge, so please, if you like
this utility and want to keep using it, support the author and pay for it.
 
 
Final Notes
 
 This was kind of a long tutorial, full of asm code, but it was important to follow it. We
 could see different ways for a program to check days, dates and strings being read
 from the file that keeps the installation info. Usually it takes some time to locate the
 "real" location where our "crack job" will take place.

My thanks and gratitude goes to:-
 
The Sandman for all what he is doing for us, newbies.
 
Rhayader for helping me with Reverse Code Engineering and useful tips
 



Essay by:            The Snake
Page Created: 10th June 1999