Leapftp 2.7.5.610 Crack Tutorial II
How to remove the username and serial number validation check!

* written by iqlord | .aware crew
* iqlord@awarenetwork.org | www.awarenetwork.org
=====================================================================================

There are many ways to crack this software, and some of you may already have seen at least
one: the one I performed in the crack video available on the .aware site. Anyway, using this
approach we will not be able to register the program through its own registration function,
because the program will believe it is already registered and removes the ability to
re-register. We could of course alter that feature as well, but that would mean more byte
patching, and I don't see a problem with adding the username and serial number manually.

00497E0C -> 00488E80::00488E92 -> 00488C48 = "Registry data location"

* Data to be added to the windows registry:
-------------------------------------------------------
[HKEY_CURRENT_USER\Software\LeapWare\Registry\LeapFTP]
"UserName"="whatever"
"UserKey"="whatever"
-------------------------------------------------------
We will add a .reg file to take care of this!
=====================================================================================

I will start by commenting on the way we skip the protection, and then I will give you the
before-and-after snippets as well as the offsets.

==[PART1]==
----------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00497D16(C), :00497DC2(U), :00497DF7(U)
|
:00497E03 8B45FC                  mov eax, dword ptr [ebp-04]
:00497E06 8B8064040000            mov eax, dword ptr [eax+00000464]
:00497E0C E86F10FFFF              call 00488E80
          <-- tries to get the serial number from the registry and validate it. We could
              actually just remove this call and the program would be cracked, but then the
              username would not be read and displayed in the about dialog.
:00497E11 84C0                    test al, al
:00497E13 740D                    je 00497E22
          <-- we NOP this and let the program continue with the next instruction.
:00497E15 8B45FC                  mov eax, dword ptr [ebp-04]
:00497E18 E86F7A0100              call 004AF88C
          <-- this is what we are looking for! We now go to [PART2].
:00497E1D E910010000              jmp 00497F32
          <-- when we return from the call above we jump to [PART3].

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497E13(C)
|
:00497E22 8B45FC                  mov eax, dword ptr [ebp-04]
          <-- this is where we would have landed if we had not NOPed the je above.
:00497E25 8B8064040000            mov eax, dword ptr [eax+00000464]
:00497E2B 80783400                cmp byte ptr [eax+34], 00
:00497E2F 0F84FD000000            je 00497F32
:00497E35 8B5838                  mov ebx, dword ptr [eax+38]
:00497E38 83FB3C                  cmp ebx, 0000003C
:00497E3B 7D48                    jge 00497E85
:00497E3D 6A00                    push 00000000
-----------------------------------------------------------------------------[END OF PART1]---

==[PART2]==
----------------------------------------------------------------------------------------------
* Referenced by a CALL at Addresses:
|:00497E18 , :004AF900 , :004B17B4
|
:004AF88C 53                      push ebx
:004AF88D 8BD8                    mov ebx, eax
:004AF88F C605E02B4C0001          mov byte ptr [004C2BE0], 01
:004AF896 33D2                    xor edx, edx
:004AF898 8B83D8030000            mov eax, dword ptr [ebx+000003D8]
:004AF89E E8F14BF9FF              call 00444494
:004AF8A3 33D2                    xor edx, edx
:004AF8A5 8B831C070000            mov eax, dword ptr [ebx+0000071C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AF843(C)
|
:004AF8AB E8E44BF9FF              call 00444494
:004AF8B0 33D2                    xor edx, edx
:004AF8B2 8B83DC030000            mov eax, dword ptr [ebx+000003DC]
:004AF8B8 E8D74BF9FF              call 00444494

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AF856(C)
|
:004AF8BD 803DE12B4C0000          cmp byte ptr [004C2BE1], 00
:004AF8C4 750C                    jne 004AF8D2
          <-- we NOP this and let the program think everything is ok.

* Possible StringData Ref from Code Obj ->"LeapFTP 2.7.5"
|
:004AF8C6 BADCF84A00              mov edx, 004AF8DC
:004AF8CB 8BC3                    mov eax, ebx
:004AF8CD E88243F8FF              call 00433C54
          <-- the program believes everything is ok, so it starts as if we actually had a
              valid username and s/n.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AF8C4(C)
|
:004AF8D2 5B                      pop ebx          <-- this is where we would have landed.
:004AF8D3 C3                      ret              <-- we return to [PART1].
-----------------------------------------------------------------------------[END OF PART2]---

==[PART3]==
----------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00497E1D(U), :00497E2F(C), :00497E80(U), :00497F08(C)
|
:00497F32 803DE02B4C0000          cmp byte ptr [004C2BE0], 00
          <-- this is where the jump from [PART1] takes us.
:00497F39 750F                    jne 00497F4A

* Possible StringData Ref from Code Obj ->"LeapFTP 2.7.5 - (Unregistered)"
|
:00497F3B BA58914900              mov edx, 00499158
:00497F40 8B45FC                  mov eax, dword ptr [ebp-04]
:00497F43 E80CBDF9FF              call 00433C54
:00497F48 EB0D                    jmp 00497F57

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497F39(C)
|
* Possible StringData Ref from Code Obj ->"LeapFTP 2.7.5"
|
:00497F4A BA80914900              mov edx, 00499180
          <-- we end up here, and the program now accepts any username and s/n that it finds
              in the windows registry.
:00497F4F 8B45FC                  mov eax, dword ptr [ebp-04]
:00497F52 E8FDBCF9FF              call 00433C54
-----------------------------------------------------------------------------[END OF PART3]---

Here is the byte comparison between the original and the cracked file.

offset    org  crk
------------------
00097213: 74   90
00097214: 0D   90
000AECC4: 75   90
000AECC5: 0C   90

[ORIGINAL] :: OFFSET @ 097213h && OFFSET @ 0AECC4h
==========================================================================
:00497E03 8B45FC                  mov eax, dword ptr [ebp-04]
:00497E06 8B8064040000            mov eax, dword ptr [eax+00000464]
:00497E0C E86F10FFFF              call 00488E80
:00497E11 84C0                    test al, al
--------------------------------------------------------------------------
:00497E13 740D                    je 00497E22      <-- NOP,NOP
--------------------------------------------------------------------------
:00497E15 8B45FC                  mov eax, dword ptr [ebp-04]
:00497E18 E86F7A0100              call 004AF88C
:00497E1D E910010000              jmp 00497F32
:00497E22 8B45FC                  mov eax, dword ptr [ebp-04]
:00497E25 8B8064040000            mov eax, dword ptr [eax+00000464]
:00497E2B 80783400                cmp byte ptr [eax+34], 00
:00497E2F 0F84FD000000            je 00497F32
:00497E35 8B5838                  mov ebx, dword ptr [eax+38]
:00497E38 83FB3C                  cmp ebx, 0000003C
:00497E3B 7D48                    jge 00497E85
:00497E3D 6A00                    push 00000000
==========================================================================
:004AF8BD 803DE12B4C0000          cmp byte ptr [004C2BE1], 00
--------------------------------------------------------------------------
:004AF8C4 750C                    jne 004AF8D2     <-- NOP,NOP
--------------------------------------------------------------------------
:004AF8C6 BADCF84A00              mov edx, 004AF8DC
:004AF8CB 8BC3                    mov eax, ebx
:004AF8CD E88243F8FF              call 00433C54
==========================================================================

[CRACKED] :: OFFSET @ 097213h && OFFSET @ 0AECC4h
==========================================================================
:00497E03 8B45FC                  mov eax, dword ptr [ebp-04]
:00497E06 8B8064040000            mov eax, dword ptr [eax+00000464]
:00497E0C E86F10FFFF              call 00488E80
:00497E11 84C0                    test al, al
--------------------------------------------------------------------------
:00497E13 90                      nop
:00497E14 90                      nop
--------------------------------------------------------------------------
:00497E15 8B45FC                  mov eax, dword ptr [ebp-04]
:00497E18 E86F7A0100              call 004AF88C
:00497E1D E910010000              jmp 00497F32
:00497E22 8B45FC                  mov eax, dword ptr [ebp-04]
:00497E25 8B8064040000            mov eax, dword ptr [eax+00000464]
:00497E2B 80783400                cmp byte ptr [eax+34], 00
:00497E2F 0F84FD000000            je 00497F32
:00497E35 8B5838                  mov ebx, dword ptr [eax+38]
:00497E38 83FB3C                  cmp ebx, 0000003C
:00497E3B 7D48                    jge 00497E85
:00497E3D 6A00                    push 00000000
==========================================================================
:004AF8BD 803DE12B4C0000          cmp byte ptr [004C2BE1], 00
--------------------------------------------------------------------------
:004AF8C4 90                      nop
:004AF8C5 90                      nop
--------------------------------------------------------------------------
:004AF8C6 BADCF84A00              mov edx, 004AF8DC
:004AF8CB 8BC3                    mov eax, ebx
:004AF8CD E88243F8FF              call 00433C54
==========================================================================

Easy enough? Enjoy!

// iqlord | .aware crew
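The offset/org/crk table above is the output of a byte-for-byte comparison of the original and patched executables, and the same comparison is what a defender runs to detect a tampered binary. The following Python script is an added example, not part of the tutorial or of the .aware crew's material: it diffs two byte strings, renders the result in the same offset/org/crk layout, flags the specific two-byte pattern of a short conditional jump turned into two NOPs (74 0D -> 90 90, 75 0C -> 90 90), and checks a file against a known-good SHA-256. The two byte strings are constructed from the instruction bytes shown in the listings; they are not the LeapFTP binary, so the reported offsets are relative to the sample rather than the file offsets in the table, and the jcc-to-NOP scan is a byte-level heuristic that can misfire on data bytes that happen to look like opcodes.

```python
"""Byte-level integrity comparison of a shipped binary against a known-good copy.

Added example (not the tutorial author's code). The sample bytes are
constructed from the instruction bytes in the tutorial's listings and stand in
for an "original" and a "patched" file; they are not the LeapFTP executable.
"""
import hashlib

# x86 short conditional jumps: opcode byte followed by a signed rel8 displacement.
SHORT_JCC = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}
NOP = 0x90

# Constructed sample: the "original" bytes, assembled from the listing above.
ORIGINAL = bytes.fromhex(
    "8B45FC" "8B8064040000" "E86F10FFFF" "84C0" "740D"   # ... test al,al / je 00497E22
    "8B45FC" "E86F7A0100" "E910010000"
    "803DE12B4C0000" "750C"                                # cmp byte ptr [...],00 / jne 004AF8D2
    "BADCF84A00" "8BC3" "E88243F8FF"
)

# Constructed sample: the "patched" bytes, i.e. both short jumps replaced by NOP,NOP.
_p = bytearray(ORIGINAL)
_p[16:18] = b"\x90\x90"   # je  -> nop, nop
_p[38:40] = b"\x90\x90"   # jne -> nop, nop
PATCHED = bytes(_p)


def diff_bytes(original: bytes, candidate: bytes):
    """Return [(offset, orig_byte, new_byte), ...] for every differing offset.

    A length mismatch is reported as differences against None, so a truncated
    or extended file is never silently treated as identical.
    """
    diffs = []
    for i in range(max(len(original), len(candidate))):
        a = original[i] if i < len(original) else None
        b = candidate[i] if i < len(candidate) else None
        if a != b:
            diffs.append((i, a, b))
    return diffs


def find_nopped_branches(original: bytes, candidate: bytes):
    """Flag offsets where a 2-byte short conditional jump in the original has
    become two NOPs in the candidate. Returns [(offset, mnemonic, rel8), ...].

    Heuristic only: it does not disassemble, so a data byte equal to a jcc
    opcode followed by two NOPs would also be reported.
    """
    hits = []
    for i in range(min(len(original), len(candidate)) - 1):
        op = original[i]
        if op in SHORT_JCC and candidate[i] == NOP and candidate[i + 1] == NOP:
            hits.append((i, SHORT_JCC[op], original[i + 1]))
    return hits


def format_table(diffs):
    """Render diffs in the tutorial's offset/org/crk layout."""
    cell = lambda v: "--" if v is None else f"{v:02X}"
    rows = ["offset    org  crk", "-" * 18]
    rows += [f"{off:08X}: {cell(a)}   {cell(b)}" for off, a, b in diffs]
    return "\n".join(rows)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the known-good value you would record)."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_sha256: str) -> bool:
    """True when the data matches the recorded known-good hash."""
    return sha256_hex(data) == expected_sha256.lower()


if __name__ == "__main__":
    print(format_table(diff_bytes(ORIGINAL, PATCHED)))
    for off, mnem, rel in find_nopped_branches(ORIGINAL, PATCHED):
        print(f"{off:08X}: {mnem} +{rel:02X}h replaced by nop, nop")
    good = sha256_hex(ORIGINAL)
    print("patched file matches known-good hash:", verify_integrity(PATCHED, good))
```

In practice the known-good hash comes from the vendor or from a copy taken at install time; the diff and the jcc-to-NOP scan are what you run once the hash mismatch tells you something changed, to see whether the change is a branch around a check or something else entirely.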