ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

 FlashFXP Ver. 3.0 (Build 1015)
FlashFXP Ver. 3.0.2 (Build 1045)

Information Cracking and assembly coding tutorial
Target FlashFXP Ver. 3.0-3.02 (Build 1015/1045)
Available http://www.flashfxp.com/download.php
Tools  OllyDbg 1.10 , PEditor 1.7
Protection Serial registration
Level Beginner
Category Cracking
Author(s) ThunderPwr November 2004
Requirements Windows XP SP1, IE 5.5 and above for best viewing


Introduction


Hi all today's target is FlashFXP ver. 3.0 (build 1015). This program is a powerful FTP client able to transfer files from ftp sites to your hard-disk and between two FTP server (Site-to-Site transfers), FlashFXP can handle thousands of connection types. If you are behind a firewall, proxy or gateway, this program can be configured to support almost any network configuration.
The purpose of this tutorial is to defeat the time limit of 30 days evaluation and to skip automatically the boring nag screen which is shown each time you start the program. I'll show you also some other less difficult topics such as how to redirect some internet links inside the program.
To skip the nag screen we'll use an interesting method which consists of a small asm subroutine which will intercept the nag screen and will press the "I Accept" button for us: I'll inject into the program some assembly code which is able to manipulate the window message queue in order to skip the nag screen without user interaction.

Meanwhile FlashFXP has been updated to version 3.0.2.1045 thus at the end of this tutorial I inserted also an addendum with differencies of this new version.

There are following sections in the remaining of this tutorial:

1. What we can do (brief explanation about the patching).
2. Executable file analysis after installation.
3. Debugging and cracking the trial time limit.
4. Main screen caption changing.
5. About dialog box and licensing message changing.
6. Redirection of the purchasing link to the ARTeam web site.
7. Defeating the startup nag screen.
8. Cracking version 3.0.2 (build 1045).

Also a big thanks to my friend Shub-Nigurrath for helps & suggestions writing this "quite long" tutorial.


1. What we can do

Our purpose is to defeat the evaluation time limit, all the integity checks inside the code, make some URL redirection and remove the nag screen at the program start up.


2. Executable file analysis after installation


When the installation process terminates you have to check for first if the target program is encrypted/packed or if it's uncompressed. In order to do this we can use PEiD, see figure 1 for detail:


Fig. 1 PEiD file scanner detail.

Well, program isn't packed, next step is searching (if there are some) about integrity checks like CRC or similar, to do this you can use the crypto analyser (KANAL v2.7) feature. We have:


Fig. 2 Crypto signature.

There are a lot of crypto signatures used to validate the file integrity (antipatching), no problem, in the following section we defeat those we'll fall into in a very fast way.


3. Debugging and cracking the trial time limit


As usual now is time to know more about the target, this means execute it and look its behaviour; when you've run the executable there is a nag screen which tells us about trial evaluation residual days (this is a 30 day evaluation version), to unlock the program you've to register it.


Fig. 3 Nag screen on the startup program.

With the program stopped showing the nag scree, go into OllyDbg code window and press F12 to stop the debugger, press ALT+K in order to show the call stack:


Fig. 4 Call Stack related to the nag screen.

Go to the 00438667 (click on the address) and scroll up until you reach 00438520 address. Place a breakpoint on this address and restart the application from OllyDbg with CTRL+F2.
When OllyDbg stops at the above breakpoint the nag message isn't still shown. To find the calling address from this routine look on the stack: there is a 0053C7E7 address, double click on it and you'll land on the return point into the main code window. The call stack shown in Figure 4 is very short because the nag screen is shown at the program's beginning through a sendmessage. When the nag is shown indeed there's already an associated window's procedure  which handle all the windows' messages, thus it also manage events when the user pushes some button or do other stuffs with the nag screen (remember what I just said later when we'll defeat the nag screen).


Fig. 5 Calling code for the nag screen.

Scroll up into the code, after some steps the instruction at 0053C4D3, at the address [EBP-4], you have a value related to the initial installation's day. At the instruction at 0053C4D6 into the address [EBP-14], you have a value connected to the current date: the days elapsed since the istallation are calculated with the SUB instruction at the address 0053C4D6 and saved with the following MOV into the memory address 5862A8:


Fig. 6 Calculation of the elapsed days.

in order to defeat the total elapsed days and change this to 0 always you've some options, first one is to find the routine where the calculation is done and force the result to zero, the other option (faster than the previous) is to force the result of the SUB to being always 30. To do this simply change the SUB argument from [EBP-14] to [EBP-4], in this way the SUB operation always returns 0.  Well we just frozen the elapsed days..


Fig. 7 Defeating the elapsed trial day.

save this patch with Copy to Executable -> Selection and restart OllyDbg to show the results:


Fig. 8 Nag screen with the elapsed day after the patching.

Well done, patching is ok (also try by moving your PC's clock forward). Another issue we would fix is to have the elapsed days being always 0. To do this you have to look back into the OllyDbg CPU windows where we left before, just after the SUB instruction, in 0053C4EE there is an INC DWORD PTR DS:[5862A8] instruction which adds 1 the total elapsed days count which is stored on 005862A8, then to keep the elapsed days fixed to 0 you have only to NOP this instruction:


Fig. 9 Patch to fix the elapsed day to 0.

If you save this patch too and run again the application (hit CTRL+F2) the total elapsed days now are fixed to zero.


Fig. 10 Elapsed trial days fixed to zero.

Well mate, the first section is terminated, is time to go to the next one.


4. Main screen caption changing


Once the main application is running you could see on the main window's caption the following string: FlashFXP - Evaluation Copy. Our goal now is to change it with onother much more nicer one.
To do thi swe'll use Hex Editor Workshop: the string is inside the programs' resources section thus we need to modify the resources section of the PE file. it's not meaningful to do a search using the Search for -> All referenced text strings, because this text is stored into the application's resources (this can be easily seen using Resource Hacker or similar tools).
Once inside Hex Workshop open the executable program and make a text serch both for ASCII and UNICODE strings. Do this search with Evaluation Copy:


Fig. 11 Searching about Evaluation Copy text string.

What you found is an Unicode string, which has alternating normal ascii characters and 00 values (this is the unicode format). Now you can change the text in order to make it more likely:


Fig.12 Changing the text string.

if you save the file and execute the program there are some error due to one of the integrity checks we seen before, to skip the problem you have to do this patch:


Fig. 13 Patch to avoid the error due to the modified caption.

check if this work:


Fig. 14 The caption on the main screen has been changed.


5. About dialog box and licensing message changing


It is time to work around the About dialog box, first take a look at this dialog, then select it from the Help menu and About.. option:


Fig. 15 Selection the About dialog box.

when the dialog box appears it shows a message about evaluation version, our goal now is to defeat this message.


Fig. 16 The original dialog box.

To find this window's related code section it is useful look the references to the days remainder string shown on the window's bottom. In the previous section we found that the elapsed days were stored into 5862A8, we can put a memory breakpoint on access on 005862A8 and restart OllyDbg with CTRL+F2, run the program with F9 and select the About option: OllyDbg stops on 004F196C (there is a compare to check if our trial time is over), 0x1E is  30 in decimal and then this instruction checks our elapsed time:


Fig. 18 Code when OllyDbg stop on memory access into the elapsed days location.

scroll a little up the code's window 'till you arrive to the this section's start in 004F1604, place a breakpoint here and restart OllyDbg with CTRL+F2. Press F9 to continue execution from the OEP and select the about menu voice. OllyDbg stops on 004F1604, do some step with F8 till 004F1632: here is where the string This copy of FlashFXP is licensed to: is setup.
Continue tracing with F8 and look the program behaviour until you reach the 004F16DC address, now if you change the MOV EAX,DWORD PTR DS:[EBX+2F4] instruction with JMP 004F19D1 you're able to skip the evaluation message because your jump takes the execution directly to the end of the routine (if you look the next istruction, on 004F18F8 there is the ** Evaluation Version ** string construction; you have to skip this code to avoid the message).


Fig. 19 Skipping the evaluation message.

if you run the program the about message isn't shown as we wanted:

MODIFIED ABOUT DIALOG BOX
Fig. 20 The modified About dialog box.



6. Redirection of the purchasing link to the ARTeam web site


From Help menu select the option Online Services and then Purchase/Pricing Information, this is a link about product purchasing, well, our goal now is change this link in order to make it pointing on the ARTeam site.


Fig. 21 Purchase link.

This link can be changed using again Hex Workshop (or other hex editor which you prefer), then load this application on Hex Workshop and make a search for ASCII and UNICODE text string with argument:

http://www.flashfxp.com/purchase.php?ref=flashfxp


Fig. 22 Place how to change the link.

Then you've to change the URL with the ARTeam URL (http://cracking.accessroot.com) written as UNICODE string, then:


Fig. 23 Change the original link with the ARTeam web site.

Well, save the file to fix this patch, work done!


7. Defeating the nag screen

Well mate, this is the most interesting things of this tutorial: defeating the nag screen means to skip the visualization of the window, this can be achieved in different ways depending on the code, in some case a simple NOP placed on the right call is able to do this task, in other situations this is not possible because some operation are performed during the window's execution and to skip the nag's code leads to a program's malfunctioning.
In these cases you have to simulate the actions the user does to close the window (pressing the button "I Accept"), in other words you must inject some code into the application to send a message to the window/control.


Fig. 24 Initial nag screen.

In our situation the nag screen can be closed by pushing the I Accept button, before starting to think how to hack this nag screen take a moment and look at the button: it is highlighted, this means that button already has the focus then all the user actions are redirected from the window's message handler to this button (e.g. if you press Enter key this have same effect as you push the I Accept button using the mouse). Our goal is to write some code inside the program which does by the system's point of view the same things as if the user pressed the button.
Because you need to interact with this nag screen and particularity with the control (the button is a control and from the more general point of view a window) you first need to know where this window is created then you've to find the place how the CreateWindowExA API function is called.
This API function is able to set all the parameter needed to properly create a window or a control, among the arguments one is interesting and is called ClassName:


Fig. 25 CreateWindowEx / CreateWindowExA syntax.


Fig. 26 lpClassName explanation.

in order to find the right call you hav to know the class name of our nag screen. Then, launch the program and take a look on the caption text on the nag screen, you can look the FlashFXP Evaluation - 30 DAYS LEFT text (after you've patched the program about elapsed trial days, see section 1 of this tutorial to know more about it).


Fig. 27 Nag screen caption text.

Now inside OllyDbg press ALT+W and look the list for the title's string:


Fig. 28 Active window list.

on the last column you can see the nag screen Class name, which is TFrmReg.
Now is time to perform the CreateWindow API search into the program module (press CTRL+N ), you should found the CreateWindowExA API dunction.


Fig. 26 Searching for CreateWindow/CreateWindowExA API function.

press the Enter key on the function name, then right click and choose Set breakpoint on every command, when you have done it uncheck the first entry about JMP istruction because is not important for our task (we are searching about a CALL instruction):


Fig. 27 Place a breakpoint on each entry.

Now press F9 to run the program and continue to press F9 until you can see on the stack window, about Class parameter, the text string TFrmReg, you should able to look this:


Fig. 28 CreateWindowExA parameter about the nag screen.

well this is what you are searching for, OllyDbg stopped at 004445DB:


Fig. 29 CreateWindowExA code calling.

now look on the WindowName parameter (see fig. 28), this is related to a string which is stored on 00BA751C, then in order to know when the CreateWindowExA is calling about our nag screen you can make a compare from the string related to the WindowName parameter and then store the handler of the nag screen which is returned from the CreateWindowExA if the function succed (this is needed because handler is a dynamic value, like a pointer, then is different for all program executions).


Fig. 30 Returned value for the CreateWindowExA function.

Next step is to store in a safe place the nag screen handle in order to retrieve it for future uses, to do this you have to make a compare before executing the CreateWindowExA API function and to save the handler only when the FrmReg string is recognized. To do this you have to insert some code, first make a jump into a free section (you can use ToPo utility or do this search by hand: with the last option I found some free space near the the end of the area, a zero area which is not used during program's execution), a free space can be found at 0057B97C. Place one unconditional jump to this address:


Fig. 31 Redirection of the original program flow.

now you have to compare the WindowName string with FrmReg sting, this string is stored on [EBX] (take a look on the main code before the 004445DB address on the pushed parameter for the CreateWindowExA function), if comparing is false you've to execute normally the CreateWindowExA and execute the last two instruction before the RETN istruction on 004445E8, if compare is TRUE you've to save the handler and then return to the original code. An important thing is about the registry context, before modifying the normal execution flow you must save the registers values in order to keep stack's integrity: our operation must be transparent from the program point of view, then care must be used to not change anything. This can be achieved using the PUSHAD and POPAD istructions, the first push on the stack the registers value, the last retrieve the stack value on the registers, hence before our saving code we have to do a PUSHAD instruction (see on the address 0057B9A5), make our change and then restore the registers value using POPAD instruction (see on the address 0057B9B8).


Fig. 32 Code injected to store the nag screen handler.

well, I think the code above is sufficiently commented, then we can step into the next task.
Only one note: this methods appears more heavy than normal nag skipping methods, but it is very general. Another approach can be ot invoke the FindWindow API function in order to retrieve the handler, but this must be done after the CreateWindowExA succeeds.
Another think is related to the write access authorization on this section of code, to change this to write all you can use the PEditor and change the characteristic number of this section:


Fig. 33 Take the CODE section.


Fig. 34 Try to change the characteristic from original value to E0000020.

Now we have in a safe place the nag screen handle, next goal is to find the place where the window is completely built and ready to be shown: in other words the client window is created and after it's childs too (child windows, such as for example the belonging buttons' windows). Only when everything is creted you can interact with the window. The last thing the system does always is to callt eh ShowWindow's API to show the already built window on screen.
As already done with CreateWindowExA you can search the ShowWindow call address, for our pourpose the right address is on 0043807A.


Fig. 35 ShowWindow which is called for the nag screen.

because this is a generic call made for all the windows we have to find when it is the right call, to do this we have only to check if the handle given as parameter (which is on EAX register and is pushed into the stack at the address 00438079) is equal to the handle stored on 0057B9D3 (see figure 32).


Fig. 36 ShowWindow syntax.

to make this check we have to code additional code again, then first redirect the original flow to our code to some free space:


Fig. 37 Redirection of the program flow.

and this is the code:


Fig. 38 ShowWindow management.

Well now we are ok about nag screen definition, but you aren't sure if the focus is about our button, then things must be made to find the handle about I Accept button, when you've found it you can send the message to it in order to simulate the push-release button sequence; be careful: the messages sequence must be sent to the button I Accept and must be a WM_LBUTTONDOWN (which occour when you press the mouse left button) and then a WM_LBUTTONUP (when this button is released).
To find the handle to the right button we can redirect the original program flow from the main message handler of our nag screen, if you remember we have found this code at the start of the section 3:


Fig. 39 Original code about nag screen message handler.

In order to place a filter into the message handler you can redirect the original execution by placing a JMP to a safe place, for example:


Fig. 40 Redirection on our filtering routine.

On the 0058C019 address we've to write a routine which is able to:

1 - know when the focus is on the right button
2 - send the message to the button.

This task can be achieved using the GetFocus API function and then retrieve the button text with the GetWindowTextA API function, if the text is equal to I Accept (or only I because there are only one control with this letter into the first place) you can send the message WM_LBUTTONDOWN and WM_LBUTTONUP.
Below you can see the code to perform this operations:


Fig. 41 Code to send the message.

Some things about the API function which I used: the GetFocus API function has no arguments, the window handle holding the focus is returned into the EAX register:


Fig. 42 GetFocus syntax.


Fig. 43 Returned value.

About the GetWindowText API function we've:


Fig. 44 GetWindowText syntax.


Fig. 45 Parameter.


Fig. 46 Returned value.

The last function is the PostMessage/PostMessageA API, used to send (in our case) a specified message to the button:


Fig. 47 PostMessage Syntax.


Fig. 48 Parameters.


Fig. 49 Returned value.

in order to keep the numerical value for the mouse messages we want to send (or more generally for your interesting messages) use the Command line OllyDbg plugin (ALT+F1):


Fig. 50 Command Line plugin.

Then write your message (with ? before the message, be sure to place a space between the ? and the text mssage) and press Enter, into the status bar you've the number related to the specified message, for WM_LBUTTONDOWN you've 0x201, for WM_LBUTTONUP you've 0x202:


Fig. 51 Searching the code related to some message.

That's all!


8. Cracking ver. 3.0.2 (Build 1045)


Meanwhile I was writing this tutorial FlashFXP got updated and the latest version at this time is now 3.0.2 (build 1045) compiled 7th November 2004. Cracking steps are similar to the previous version and all the concepts shown in the past section can be applied to this release too. The following section is an excuse not only to update the crack to this newer version but also to do the same things in a different way.

Expecially I modified the previous approach in order to do everything using only OllyDbg (also used to modify the program's resources), thus there will not be anymore need for an external Hex Editor (like Hex Workshop).

Also this release is not packed, as before the first step is the trial time defeating, you have:


Fig. 52 Defeating the trial time.

next step is about changing the main screen caption, to do this press ALT+M and go to the resources section of the debugged program:


Fig. 53 resources section in OllyDbg.

double click on the highlighted row and then right click (or CTRL+B) to make a UNICODE string search with the argument Evaluation Copy:


Fig. 54 Select the string search option.


Fig. 55 Write your text string to search.

Press OK to do the requested search:


Fig. 56 Search result.

now to change the text simply place your mouse pointer on the first character then press any key (in the range 0..9 and A..F of course) to open the text window (be sure to write into the UNICODE editbox):


Fig. 57 Change the text.

push OK to apply the changes:


Fig. 58 The resource text string was changed.

now go to the OllyDbg dump window and press CTRL+G, write 005D72E4 then save the patch to the executable target using Copy to executable file:


Fig. 59 Save the resource modification.

Now if you run the target there is one exception due to the caption modification crypt check (see previous sections), press ALT+K:


Fig. 60 ALT+K after exception.

double click on the first address:


Fig. 61 Exception call.

remove the CALL 00403680 by NOP-ing it:


Fig. 62 Skip the call exception.

Well, now you can try to change all the caption (e.g. place a series of 0x00 0x20 = UNICODE backspace character, but don't overflow its previous dimensions):


Fig. 63 Change the caption by filling with backspace character.

save this changes and run the target, there is another exeception (crypt check) in 005635F5 (to find it press ALT+K): to eliminate also this exception place a NOP instructions as following:


Fig. 64 Last exception, due to caption modification, skipped.

Now you can change the About menu (as you've see in section 5):


Fig. 65 Skip the Evaluation Version message into the About dialog box.

Next patching is about purchasing link redirection, again you have to play with program's resources. Press ALT+M and select the resources section, then search about http://www.flashfxp.com/purchase.php?ref=flashfxp ASCII text string:


Fig. 66 Original link.


Fig. 67 Modified link.

to save this patch you have to go into the OllyDbg memory dump window and select the Copy to Executable option.

The last think, and as before the more interesting one, is about the nag screen removal: this time we'll do the things a little different.

The code is placed into a single place and not spread across the program. This makes the patch more readable and easier to understand. So if you had problems with it in the previous sections lets have a second read here. On the other hand if you understood it clearly already before, a second way to do the same could be interesting too.

A suitable place (enough free space) to write our code can be found from 0057F6A5, in the same way of the other release you have to write a code which sends to the push button the same messages as if you were pressing it.
All the code is placed in the same area. Please, note the bigger part of the code is only related to the message handler, other stuffs are mainly used to play with API function and show how manage handle and similar objects.

A difference with the previous solution is that this time I check the classname's string against an 'R' which is enough for us to recognize the TFrmReg classname.


Fig. 68 All the code which is used to close the nag screen.

first patching is about the CreateWindowExA code:


Fig. 69 Nag screen CreateWindowExA API function.


Fig. 70 CreateWindowExA parameter.


Fig. 71 Nag screen CreateWindowExA redirection.

next step is about the ShowWindow API function:


Fig. 72 ShowWindow API function.


Fig. 73 ShowWindow parameter.


Fig. 74 ShowWindow redirection.

now you have to change the nag screen message handler:


Fig. 75 Nag screen message handler code section.


Fig. 76 Nag screen message handler modified code section.

Well mate, work is done..still alive? Now is time to take a fresh beer, relax and thing about "Ollydays" ;-)

 


Conclusions

Lesson Learnt

This tutorial I hope shown how to make changes into existing code and how to interact with Window's control sending messages to the the windows message handler, directly in assembler.

You should know better:

1. how to modify and play with program's resources and windows' APIs
2. how to code a subroutine directly in assembly language and manage windows message in order to change
    the control behaviour and simulate user action in automatic mode.

Remember, if you plan to use this software that you shopuld purchase the product to support the authors to develop other good software.

Any suggest, correction or criticism is welcome, if you need help about this tutorial or other stuff you can reach me on ARTeam forum.

An finally, again, a big thanks to my friend Shub-Nigurrath for helps & suggestions writing this "quite long" tutorial.



Greetingz


[MAIN TEAM]
[Nilrem][MaDMAn_H3rCuL3s][Ferrari][EJ12N][Kruger]
[Shub-Nigurrath][Teerayoot][R@dier]
[JDOG45][Eggi][ThunderPwr]

[Support]
[Bone Enterprise]

[Groupz]
[TSRh][SnD][LUCiD]