Title: LeapFTP 220.127.116.110
File Transfer Protocol (FTP) was created to allow the transfer of files between an FTP server and an FTP client. LeapFTP is a powerful Windows 95 FTP client that gives the user an abundance of features in a simple, easy to use interface that even the seasoned computer user can understand and use.
Debugger (Softice or TRW2000)
Disassembler (eg WDasm32)
Hex Editor (eg Hex Workshop)
Registry Editor (eg Regedit,WinHacker)
When we first run the program after installation, we find there is no nag screen
displaying how many days you have remaining, and we are kicked straight into
the program. Right! Where do we start? Do we start fishing for a serial? Being a
newbie, my preferred method is as follows. In LeapFTP, bring up the
registration entry found in the Help menu, type in any old name and serial, and
make a note of the bad cracker message: "The license key you entered is not
valid. Blah blah blah". Write this down.
Open W32Dasm and disassemble leapftp.exe, then go to the Refs menu and select String
Data References. Remember the error message we wrote down? Scroll down the
window and look for that text, and when you find it, double click on it. In the
main window you will see that the code has jumped to that location. If we
scroll up through the code a few lines, you will see:
    Possible StringData Ref from Code Obj ->"Thank You For
    mov eax, 00487364
So we know we are in the right area!
Scroll up a bit further and you will see a reference to a conditional jump at
address 0048728E, so we know that this jump has something to do with which
registration message we get. Scroll up a bit further and we see another
conditional jump referenced at 00487280. But wait!! What do we see directly
above? Both jumps within a few lines of each other!
    lea edx, dword ptr
    cmp byte ptr [ebx+000002F4], 00        <-- not sure about this one
    mov edx, dword ptr [ebp-04]
    mov eax, ebx
                                           <-- Is our serial good? If yes,
                                               jump to "Good Boy"; if no,
                                               carry on to "Bad Cracker"
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
The simple solution seems to be that if
we can change the JNE at 0048728E to a JE, the only serial it won't accept is
the correct one! Note the file offset of the line at 0048728E, open your hex editor,
and go to that offset. There you see your JNE hex value of 7526. Change this
to 7426, which turns the instruction into a jump if equal, JE. Save the
file and start up LeapFTP. Enter any old value into the registration fields and
click OK. Boomph! Thank you for registering! If you look in the About
section, you will see the program has been registered to you! OR HAS IT?
Exit the program and start it up again.
WHAT THE HELL? It's unregistered again! So we know that although the program has
been changed to accept your dodgy serial, your name and said dodgy serial are
copied to the registry, and the program rechecks them every time it is
restarted. So the only way to have it registered is to re-enter the serial every
time you start up the program. When the 30 days are up, your fake serial will
still get you into the program, but THAT SUCKS!
So now we know that we must modify the
code so that it never checks how many days you have left of your trial! The next
thing I did was to set my clock forward past the 30 day limit. Start up the
program, and you get a message saying "This copy of LeapFTP has been
installed for X days, please register your copy, or remove it from your
system". With the above alteration, any username and serial will be accepted, but
we don't want to do that every time we use the program. Go back into W32Dasm,
bring up the String Resources menu, and we find a reference to this
statement; if we double click on it, we will be taken to that portion of the
code. If we scroll up slightly we see some more text: "You are on day X of
your evaluation period, this program will stop functioning after 60 days".
Hmmmmm, looks like we don't want to be seeing that either. Scroll up a bit
more and we see a reference to a conditional jump at 00495AC2, scroll to that
    test al, al
                                           <-- Our suspect jump command!
    mov eax, dword
The unconditional jump at 00495ACC also looks interesting, but where does it jump
to? 00495BE1. If we look at this section of code:
    cmp byte ptr [004BFBD0], 00            <-- Our unconditional jump
                                               takes us here
                                           <-- But where does
                                               this take us?
    Possible StringData Ref from Code Obj ->"LeapFTP 2.7.1 -
    mov edx, 00496D8C
    mov eax, dword ptr [ebp-04]
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    Possible StringData Ref from Code Obj ->"LeapFTP 2.7.1"
    mov edx, 00496DB4                      <-- Here!!! Looks like we are gonna be
The thing to do is to NOP out the jump at 00495AC2. We do this by going to that
offset location in our hex editor and entering 9090 where the 740D jump command
is! This removes the conditional jump, so the program just carries on to the
unconditional jump at 00495ACC. The section of code now looks like this:
    test al, al
    nop                                    <-- Our jump has gone! The
    nop                                        program carries on to the jump at 00495ACC
    mov eax, dword ptr [ebp-04]
When we now start up LeapFTP: BOOM! Straight into the program! No reference to days
left or anything! The [UNREGISTERED] notice has also gone from the title bar!
Look in the Help menu. The Enter Registration Key option has also gone! It looks
like our little code change worked, and we have tricked the program into always
thinking it is registered when it isn't!
It looks like job done! NOT SO FAST! Remember that conditional jump at 00495BE8?
It does seem to jump us to the registered section, but why is it conditional?
This makes me think that our job is not yet finished. If it is conditional, it
depends on something being not equal. I don't like that! Why not just make it
an unconditional jump, so that it will jump whatever the circumstances? That
sounds better to me.
Go back into your hex editor, to the location 94FE8 (this is the file offset for
address 00495BE8), and change 750F to EB0F. This changes our conditional jump
JNE into an unconditional jump JMP. I'm not sure whether that needed to be done,
but why not?
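The three edits above (7526 to 7426, 740D to 9090, 750F to EB0F) are each a one- or two-byte change to the code section, which is exactly what a vendor's startup integrity check or a tamper-detection tool looks for. The following Python is an added example, not part of the original essay or of LeapFTP: given a known-good copy of a file and the copy on disk, it reports every run of changed bytes and names the change in terms of the rel8 jump opcodes involved (75 JNE, 74 JE, EB JMP, 90 NOP). The sample bytes are constructed for the example and are not taken from leapftp.exe.

```python
import hashlib

# rel8 jump/NOP opcodes that the essay's three patches touch. Constructed
# lookup for this example only; it is not a full x86 decoder.
OPCODES = {0x74: "JE", 0x75: "JNE", 0xEB: "JMP", 0x90: "NOP"}


def describe(old: int, new: int) -> str:
    """Name a one-byte change in terms of OPCODES, else show raw hex."""
    o, n = OPCODES.get(old), OPCODES.get(new)
    return f"{o} -> {n}" if o and n else f"{old:02X} -> {new:02X}"


def find_patches(baseline: bytes, candidate: bytes) -> list:
    """Compare a known-good image with a candidate and return one finding
    (offset, old_bytes, new_bytes, description) per run of changed bytes.
    A size change is reported as a single finding at offset 0."""
    if len(baseline) != len(candidate):
        return [(0, b"", b"", f"size {len(baseline)} -> {len(candidate)}")]
    findings, i = [], 0
    while i < len(baseline):
        if baseline[i] == candidate[i]:
            i += 1
            continue
        start = i
        while i < len(baseline) and baseline[i] != candidate[i]:
            i += 1
        old, new = baseline[start:i], candidate[start:i]
        desc = "; ".join(describe(a, b) for a, b in zip(old, new))
        findings.append((start, old, new, desc))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(candidate: bytes, expected_sha256: str) -> bool:
    """Cheapest startup self-check a vendor can ship: a whole-image hash.
    Any of the essay's two-byte edits changes the digest."""
    return sha256_hex(candidate) == expected_sha256


# Constructed sample: "test al, al / je +0D / mov eax, [ebp-04]" and the same
# bytes with the je replaced by two NOPs, mirroring the second patch above.
GOOD = bytes.fromhex("84c0740d8b45fc")
PATCHED = bytes.fromhex("84c090908b45fc")

if __name__ == "__main__":
    print("intact:", integrity_ok(PATCHED, sha256_hex(GOOD)))
    for off, old, new, desc in find_patches(GOOD, PATCHED):
        print(f"offset 0x{off:X}: {old.hex()} -> {new.hex()} ({desc})")
```

Run against a real file, read both copies with open(path, "rb").read(); a signed binary or a code-section hash checked at startup would catch the same byte runs before the program trusts its own registration logic.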
FINISHED!!!!!! You now have a fully functional program that will never expire!
Hope this tutorial helped; if it didn't, tough!
I know patching programs is a dirty cracking method, but I’m still a
newbie and it works! I haven’t quite got to grips with the live approach
yet!!!! But Rome wasn’t built in a day was it?
The guys at TRES2000 for giving me a chance
[T]urb0z` - You know why!
DaZZler + the Little OnE - For being ACE
Lee + Sarah - The best!
All the other ppl that have helped me through life!
The information in this essay is for educational purposes only!
You are only allowed to crack, reverse engineer, modify code and debug programs that you legally bought, and then for personal use only!!
To ignore this warning is a criminal act and can result in legal action!
So please note!
I take no responsibility for how you use the information in this essay; I take NO responsibility for what might happen to you or your computer!
You use this information at your own risk!!
What I mean is: please buy the software!