File Transfer Protocol (FTP) was created to allow the transfer of files between an FTP server and an FTP client. LeapFTP is a powerful Windows 95 FTP client that provides the user with an abundance of features in a simple, easy-to-use interface that even a seasoned computer user can understand and use.



Debugger (SoftICE or TRW2000)
Disassembler (e.g. W32Dasm)
Hex Editor (e.g. Hex Workshop)
Registry Editor (e.g. Regedit, WinHacker)



Lets Start Cracking!

When we first run the program after installation there is no nag screen telling us how many days we have remaining; we are dropped straight into the program. Right, where do we start? Do we start fishing for a serial? Being a newbie, my preferred method is this: in LeapFTP, bring up the registration entry found in the Help menu, type in any old name and serial, and make a note of the bad-cracker message, "The license key you entered is not valid. Blah blah blah". Write this down; it is the string we will search for in the disassembly.


Open up W32Dasm and disassemble leapftp.exe, then go to the Refs menu and select String Data References. Remember the error message we wrote down? Scroll down the list until you find that text and double-click on it. The main window jumps to the code that loads the string. Scroll up through the code a few lines and you will see:



:004872E1 E8AE040000              call 00487794

* Possible StringData Ref from Code Obj ->"Thank You For Registering!"

:004872E6 B864734800              mov eax, 00487364


So we know we are in the right area! Scroll up a bit further and you will see that this code is referenced by a conditional jump at 0048728E, so that jump decides which registration message we get. Scroll up a bit more and we find a second conditional jump referenced at 00487280. Both jumps sit within a few lines of each other:


:00487271 8D55FC                  lea edx, dword ptr [ebp-04]
:00487274 E83718F8FF              call 00408AB0
:00487279 80BBF402000000          cmp byte ptr [ebx+000002F4], 00
:00487280 740E                    je 00487290                     <Not sure about this one; it lands at 00487290, just past the JNE below
:00487282 8B55FC                  mov edx, dword ptr [ebp-04]
:00487285 8BC3                    mov eax, ebx
:00487287 E888030000              call 00487614
:0048728C 84C0                    test al, al
:0048728E 7526                    jne 004872B6                    <Is our serial good? If yes, jump to "Good Boy"; if not, carry on to "Bad Cracker"


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487280(C)



The simple solution seems to be that if we change the JNE at 0048728E to a JE, the only serial it won't accept is the correct one! Note the file offset W32Dasm shows for the line at 0048728E (the offset into the file, not the 0048728E virtual address), open your hex editor and go to that offset. There you will see the JNE's bytes, 75 26. Change the 75 to 74, which turns the instruction into a jump-if-equal, JE, with the same target. Save the file and start up LeapFTP. Enter any old value into the registration fields and click OK. Boomph! Thank You for registering! If you look in the About section, you will see the program has been registered to you! OR HAS IT?


Exit the program and start it up again. WHAT THE HELL? It's unregistered again! So although the program has been changed to accept your dodgy serial, your name and serial are written to the registry and re-checked every time the program starts, by code our patch did not touch. The only way to have it registered is to re-enter the serial every time you start the program. When the 30 days are up, your fake serial will still get you into the program, but THAT SUCKS!


So we must modify the code so that it never checks how many days of your trial are left. The next thing I did was to set my clock forward past the 30-day limit. Start up the program and you get a message saying "This copy of LeapFTP has been installed for X days, please register your copy, or remove it from your system". With the above alteration any username and serial will be accepted, but we don't want to do that every time we use the program. Go back into W32Dasm, bring up the String Data References again, and we find a reference to this statement; double-click on it and we are taken to that portion of the code. Scroll up slightly and we see some more text: "You are on day X of your evaluation period, this program will stop functioning after 60 days". Hmmmm, looks like we don't want to be seeing that either. Scroll up a bit more and we see a reference to a conditional jump at 00495AC2; scroll to that location:


:00495ABB E80023FFFF              call 00487DC0
:00495AC0 84C0                    test al, al
:00495AC2 740D                    je 00495AD1                     <Our suspect jump command!
:00495AC4 8B45FC                  mov eax, dword ptr [ebp-04]
:00495AC7 E81C760100              call 004AD0E8
:00495ACC E910010000              jmp 00495BE1


Hmmmm, the unconditional jump at 00495ACC also looks interesting, but where does it jump to? 00495BE1. If we look at that section of code:


:00495BE1 803DD0FB4B0000          cmp byte ptr [004BFBD0], 00     <Our unconditional jump takes us here
:00495BE8 750F                    jne 00495BF9                    <But where does this take us?

* Possible StringData Ref from Code Obj ->"LeapFTP 2.7.1 - (Unregistered)"

:00495BEA BA8C6D4900              mov edx, 00496D8C
:00495BEF 8B45FC                  mov eax, dword ptr [ebp-04]
:00495BF2 E801DEF9FF              call 004339F8
:00495BF7 EB0D                    jmp 00495C06

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00495BE8(C)

* Possible StringData Ref from Code Obj ->"LeapFTP 2.7.1"

:00495BF9 BAB46D4900              mov edx, 00496DB4               <Here!!! Looks like we are gonna be registered!!


First thing to do is to NOP out the jump at 00495AC2. Go to that offset in your hex editor and enter 90 90 over the two bytes 74 0D of the jump. Both bytes must be replaced so that the instruction after it stays at 00495AC4; a single NOP would leave a stray 0D byte to be decoded as the start of the next instruction. This removes the conditional jump, so the program just carries on to the unconditional jump at 00495ACC. The section of code now looks like this:


:00495ABB E80023FFFF              call 00487DC0
:00495AC0 84C0                    test al, al
:00495AC2 90                      nop                             <Our jump has gone! The program carries on to the jump at 00495ACC
:00495AC3 90                      nop
:00495AC4 8B45FC                  mov eax, dword ptr [ebp-04]
:00495AC7 E81C760100              call 004AD0E8
:00495ACC E910010000              jmp 00495BE1


If we now start up LeapFTP, BOOM! Straight into the program! No reference to days left or anything, and the (Unregistered) notice has gone from the title bar. Look in the Help menu: the Enter Registration Key option has also gone. It looks like our little code change worked, and we have tricked the program into always thinking it is registered when it isn't!


So it looks like job done! NOT SO FAST! Remember that conditional jump at 00495BE8? It does seem to take us to the registered title, but why is it conditional? That makes me think our job is not yet finished. The JNE depends on the byte at 004BFBD0 being non-zero, and I don't like that: whatever sets that byte is something we haven't patched. Why not make it an unconditional jump, so that it is taken whatever the circumstances? That sounds better to me.


Go back into your hex editor, go to offset 94FE8 (the file offset for address 00495BE8), and change 75 0F to EB 0F. This changes our conditional jump JNE to an unconditional short jump JMP; the second byte, the jump distance, stays the same, so the target is still 00495BF9. I'm not sure whether that needed to be done, but why not?
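As an added illustration (not part of the original tutorial, and not LeapFTP's own code), the script below redoes the three hex edits on a constructed stand-in for leapftp.exe and shows why each works at the encoding level: inverting JE/JNE is a one-bit flip of the opcode, forcing JMP swaps the opcode for EB and keeps the displacement so the target is unchanged, and NOPing has to cover both bytes of the instruction. The virtual-address to file-offset delta is derived from the one pair the tutorial gives (00495BE8 is at 94FE8) and is assumed to hold for the other two sites, which sit in the same code section; the real binary's section table is not on the page. The patcher also refuses to write unless the bytes already at the offset match what the disassembly showed, which is the check you want before touching any binary.

```python
"""x86 short-jump patcher modelled on the three LeapFTP edits (added example)."""

import struct

# VA -> file-offset delta, derived from the one pair the tutorial gives
# (address 00495BE8 is at file offset 94FE8). Assumption: all three patch
# sites are in the same PE section, so a single delta maps them all.
VA_TO_FILE_DELTA = 0x00495BE8 - 0x94FE8  # 0x400C00

# Opcode bytes W32Dasm listed at each site, as the tutorial shows them.
SITES = {
    0x0048728E: bytes.fromhex("7526"),  # jne 004872B6  (serial check)
    0x00495AC2: bytes.fromhex("740D"),  # je  00495AD1  (trial-day check)
    0x00495BE8: bytes.fromhex("750F"),  # jne 00495BF9  (title-bar check)
}


def va_to_offset(va: int) -> int:
    """Map a virtual address to a file offset using the derived delta."""
    return va - VA_TO_FILE_DELTA


def short_jump_target(va: int, insn: bytes) -> int:
    """Target of a 2-byte short jump (70..7F Jcc, EB JMP) located at va:
    next instruction address plus the signed 8-bit displacement."""
    opcode = insn[0]
    if not (0x70 <= opcode <= 0x7F or opcode == 0xEB):
        raise ValueError(f"not a short jump: {insn.hex()}")
    rel8 = struct.unpack("<b", insn[1:2])[0]
    return va + len(insn) + rel8


def invert_jcc(insn: bytes) -> bytes:
    """Flip the condition. In the 70..7F range bit 0 of the opcode selects
    the negated condition (74 JE / 75 JNE, 7C JL / 7D JGE, ...), so XOR 1."""
    if not 0x70 <= insn[0] <= 0x7F:
        raise ValueError("not a short Jcc")
    return bytes([insn[0] ^ 1]) + insn[1:]


def force_jmp(insn: bytes) -> bytes:
    """Make a short Jcc unconditional: opcode EB, same rel8, same target."""
    if not 0x70 <= insn[0] <= 0x7F:
        raise ValueError("not a short Jcc")
    return b"\xEB" + insn[1:]


def nop_out(insn: bytes) -> bytes:
    """Replace every byte of the instruction with NOP (90) so the encoding
    keeps its length and the following instruction stays where it was."""
    return b"\x90" * len(insn)


def patch(image: bytearray, va: int, expected: bytes, new: bytes) -> int:
    """Write `new` at the file offset for `va`, but only if the bytes there
    are exactly `expected`. Refusing on a mismatch is what stops a patch
    made for one build from corrupting another."""
    if len(new) != len(expected):
        raise ValueError("patch must keep the instruction length")
    off = va_to_offset(va)
    found = bytes(image[off:off + len(expected)])
    if found != expected:
        raise ValueError(f"{va:08X}: expected {expected.hex()} found {found.hex()}")
    image[off:off + len(new)] = new
    return off


def build_image() -> bytearray:
    """Constructed stand-in for leapftp.exe: zero filler with only the
    bytes the tutorial lists placed at their file offsets."""
    image = bytearray(0x96000)
    for va, insn in SITES.items():
        off = va_to_offset(va)
        image[off:off + len(insn)] = insn
    return image


def apply_tutorial_patches(image: bytearray) -> dict:
    """The three edits from the tutorial; returns {va: (old, new)}."""
    edits = {
        0x0048728E: invert_jcc(SITES[0x0048728E]),  # 7526 -> 7426
        0x00495AC2: nop_out(SITES[0x00495AC2]),     # 740D -> 9090
        0x00495BE8: force_jmp(SITES[0x00495BE8]),   # 750F -> EB0F
    }
    applied = {}
    for va, new in edits.items():
        patch(image, va, SITES[va], new)
        applied[va] = (SITES[va], new)
    return applied


if __name__ == "__main__":
    img = build_image()
    for va, (old, new) in apply_tutorial_patches(img).items():
        print(f"{va:08X} @ file {va_to_offset(va):05X}: {old.hex()} -> {new.hex()}")
```

Running it prints the three edits with their file offsets; the second call to `patch` on the same site would raise, because the bytes there are no longer the ones the disassembly showed.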


JOB FINISHED!!!!!! You now have a fully functional program that will never expire!


Hope this tutorial helped; if it didn't, tough! I know patching programs is a dirty cracking method, but I'm still a newbie and it works! I haven't quite got to grips with the live approach yet! But Rome wasn't built in a day, was it?




