FTP Navigator 4.15

Tutor      : _duelist
Date Wrote : August 20, 1999
Target     : FTP Navigator v4.15
Tools Used : w32dasm, Hiew (or any other hex editor)
Method     : Patch

Introduction:

Hi. I must admit that patching is not the kind of cracking I enjoy, but I know it is THE way for newbies to begin. So I'm writing this tutorial hoping that at least one newbie will learn from it. I'd like to congratulate TORN@DO for the good work he is doing in preparing the next generation of crackers. Enough blah blah blah, let's get things rolling.

Cracking:

I recommend you always run the target you are cracking before even loading it in w32dasm, a step many people skip. First check whether there is a place to enter a serial; if there isn't, we'll have to patch. I had a quick look around this program and didn't find any dialog to enter a serial. That already tells us what we need to do: remove the nag, and get rid of the ugly '(Unregistered)' in the window's caption.

It's now time to load your disassembler (w32dasm).

TIP: Copy Ftp.exe to another filename and disassemble the copy, so you can patch the original whenever you wish (w32dasm disables write access to the loaded file).

'(Unregistered)':

If you search for this string (either with the search function or by looking at the 'string data references' menu) you will not find it. So w32dasm does not see a reference to it from the code, but the text is still stored somewhere in the file as plain bytes, and that is all we need: we can change the string itself by hex editing the exe.

Load HIEW with Ftp.exe as the target and hit F7, which is the search function. Type in '(Unregistered)', without quotes, and hit enter. You'll land on the correct string. I don't think we need their mail address in the caption, so we'll cut off everything after the version info. Make sure HIEW is in Hex mode (F4 to change) and replace the byte after '4.15', which is 20h (a space), with 00h. This works because these strings are null terminated: the program stops reading when it finds a 00 byte, which to it means 'string ends here'. Everything after the 00 stays in the file but is never displayed.

TIP: Highlight the 20h, press F3 (edit) and press 0 twice. Then F9 to apply the change and F10 to quit.

Now run the patched file. Yes, I like the look of the caption now! Hope it worked fine for you; if it didn't, please start reading this section again.

Nag:

OK, I hope you didn't close w32dasm, because we still have work to do there. Click the GoTo menu, then GoTo Program Entry Point. The code that calls the nag should be around here, since the nag is the first thing the program apparently does:

    :00461EF0 55                      push ebp
    :00461EF1 8BEC                    mov ebp, esp
    :00461EF3 83C4F4                  add esp, FFFFFFF4
    :00461EF6 53                      push ebx
    :00461EF7 B8781D4600              mov eax, 00461D78
    :00461EFC E8C338FAFF              call 004057C4
    :00461F01 8B1DC42D4600            mov ebx, dword ptr [00462DC4]
    :00461F07 8B03                    mov eax, dword ptr [ebx]

    * Possible StringData Ref from Code Obj ->"FTP - Navigator"
                                      |
    :00461F09 BA901F4600              mov edx, 00461F90
    :00461F0E E81DDDFCFF              call 0042FC30
    :00461F13 8B03                    mov eax, dword ptr [ebx]
    :00461F15 83C034                  add eax, 00000034

    * Possible StringData Ref from Code Obj ->"Ftpnav.hlp"
                                      |
    :00461F18 BAA81F4600              mov edx, 00461FA8
    :00461F1D E8FA1AFAFF              call 00403A1C
    :00461F22 E8C57EFFFF              call 00459DEC
    :00461F27 E82C7DFFFF              call 00459C58      <<<<<<<<<<<<
    :00461F2C 8B0D582E4600            mov ecx, dword ptr [00462E58]
    :00461F32 8B03                    mov eax, dword ptr [ebx]
    :00461F34 8B155CA14500            mov edx, dword ptr [0045A15C]
    :00461F3A E8D9DFFCFF              call 0042FF18
    :00461F3F 8B0DD82D4600            mov ecx, dword ptr [00462DD8]

To tell the truth, from w32dasm alone it is not easy to determine which call we need to take out. Since this time we are not using SoftICE, your only option would be to nop (fill with 90h) one call at a time and try running the program after each. This time I'll tell you which is the correct one: the call to 00459C58. Look at its virtual address, 461F27. Note that nothing right after it depends on the call's result: eax is reloaded from [ebx] at 461F32, so removing the call does not leave the following code with a missing value.

Load HIEW, press F5 and type: '.461F27'. The leading dot tells HIEW you want to go to virtual address 461F27 rather than to a file offset.
The call instruction is 5 bytes long, E8h 2Ch 7Dh FFh FFh (the E8 opcode followed by a 4-byte displacement relative to the next instruction; 461F2C + FFFF7D2C wraps around to 459C58, which is how you can check you are at the right place). Overwrite those five bytes with five 90h. Using exactly five NOPs keeps the following instructions at the same addresses, so nothing else in the program has to move. F9 once again to apply the changes, then F10 to quit.

Run it! Yep, we (you) did it. It should now look exactly like the registered version, except that our caption text is cooler.

Greets:

This is the section that pains me the most, since I always forget more than 50% of the people. So this time I'll make a general greet: I greet everyone willing to learn and willing to teach who ever joined #c4n. Also a special greet to TORN@DO for the great work he is doing.

If you wish any further help on this tutorial, please mail me at duelist@beer.com.

Cheers,
_duelist
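The two edits above (NUL-terminating the caption after '4.15', and replacing the 5-byte call at 461F27 with NOPs) can be scripted so they are checked before any byte is written. The Python below is an added example, not part of the tutorial or of FTP Navigator: only the call bytes E8 2C 7D FF FF at virtual address 461F27 and their target 00459C58 come from the listing. The section layout, the file offsets and the caption text are constructed stand-ins; with a real file you would read the section table (VirtualAddress + ImageBase, PointerToRawData) from the PE headers instead.

```python
"""Scripted version of the two patches in the tutorial: NUL-terminate a
hard-coded caption string and NOP out a 5-byte near CALL.  Added example,
not original tutorial code.  Section map, offsets and caption text are
constructed; the CALL bytes/target are taken from the w32dasm listing."""
import struct

# Assumed section map: (virtual address, file offset, size).  Constructed.
SECTIONS = [
    (0x401000, 0x00400, 0x62000),
]

def va_to_offset(va, sections=SECTIONS):
    """Translate a virtual address (what w32dasm shows) into a file offset."""
    for sec_va, raw, size in sections:
        if sec_va <= va < sec_va + size:
            return raw + (va - sec_va)
    raise ValueError("VA %#x is not inside any section" % va)

def call_target(data, va, sections=SECTIONS):
    """Decode a near CALL (E8 rel32) at `va`; rel32 is relative to the next instruction."""
    off = va_to_offset(va, sections)
    if data[off] != 0xE8:
        raise ValueError("no E8 opcode at %#x (found %#04x)" % (va, data[off]))
    rel32 = struct.unpack_from("<i", data, off + 1)[0]
    return (va + 5 + rel32) & 0xFFFFFFFF

def nop_call(data, va, expected_target, sections=SECTIONS):
    """Overwrite the CALL at `va` with five NOPs, only if it really calls `expected_target`."""
    target = call_target(data, va, sections)
    if target != expected_target:
        raise ValueError("call at %#x goes to %#x, not %#x" % (va, target, expected_target))
    off = va_to_offset(va, sections)
    data[off:off + 5] = b"\x90" * 5      # same length, so nothing after it moves
    return off

def truncate_caption(data, marker=b"(Unregistered)", keep=b"4.15"):
    """Put a NUL right after `keep`, hiding `marker` and everything behind it."""
    m = data.find(marker)
    if m < 0:
        raise ValueError("marker not found in file")
    k = data.rfind(keep, 0, m)
    if k < 0:
        raise ValueError("version text not found before the marker")
    cut = k + len(keep)
    if data[cut] != 0x20:                # the tutorial replaces a space (20h)
        raise ValueError("expected 20h at %#x, found %#04x" % (cut, data[cut]))
    data[cut] = 0x00
    return cut

def c_string(data, off):
    """Read a NUL-terminated string the way the program does when drawing the caption."""
    end = data.index(b"\x00", off)
    return bytes(data[off:end])

def build_sample():
    """Constructed stand-in for Ftp.exe: zero bytes plus the two spots we patch."""
    data = bytearray(0x70000)
    call_off = va_to_offset(0x461F27)
    data[call_off:call_off + 5] = bytes.fromhex("E82C7DFFFF")   # call 00459C58, from the listing
    cap_off = va_to_offset(0x45F000)                            # constructed location
    caption = b"FTP Navigator 4.15 (Unregistered) mail@example.invalid"  # constructed text
    data[cap_off:cap_off + 0x40] = caption.ljust(0x40, b"\x00")
    return data, cap_off

if __name__ == "__main__":
    exe, cap = build_sample()
    print("call at 461F27 targets %#x" % call_target(exe, 0x461F27))
    nop_call(exe, 0x461F27, 0x459C58)
    truncate_caption(exe)
    print("caption now reads:", c_string(exe, cap).decode())
```

The check in nop_call is the script equivalent of reading the bytes in HIEW before typing over them: if the section map is wrong you land on some other instruction, and the decoded target will not be 00459C58, so the patch is refused instead of silently corrupting the file.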