Perfect cracking Note: Broadband FTP server V1.0

To crack the software of the broadband FTP server V1.0, OK and start the action:
Software name: Broadband FTP server V1.0

Cracking tools: FileInfo, W32Dasm, UltraEdit

Level: Easy

First, run the software, click "register", enter a few numbers, and the system prompts "software registration number error ". Mm ~ This software automatically obtains the machine information and generates the serial number. Even if the registration code is obtained, it can only be used on the local machine.

You can use FileInfo to check whether the software is written in Delphi and W32Dasm can be used for ease. Run W32Dasm, open the "Broadband FTP server" software, and find the "software registration number error" string in "Reference" and "Serial reference". The Code is as follows:

* Referenced by a (U) nconditional or (C) onditional Jump at Addresses:

|: 004BDAD1 (C),: 004BDAD6 (C)

|

: 004BDB31 6A00 push 00000000

: 004BDB33 668B0DD0DB4B00 mov cx, word ptr [004BDBD0]

: 004BDB3A B201 mov dl, 01

* Possible StringData Ref from Code Obj-> "software registration number error"

|

: 004BDB3C B8F8DB4B00 mov eax, 004BDBF8

: 004BDB41 E84E96F7FF call 00437194

Jump directly to 004BDAD1 and find the Code as follows:

: 004 BDACE 3B55FC cmp edx, dword ptr [ebp-04]

: 004BDAD1 755E jne 004BDB31 // skip to 004BDB31 if the registration code does not match

: 004BDAD3 3B45F8 cmp eax, dword ptr [ebp-08]

: 004BDAD6 7559 jne 004BDB31

: 004BDAD8 33D2 xor edx, edx

: 004 BDADA 8B8398030000 mov eax, dword ptr [ebx + 00000398]

: 004BDAE0 8B08 mov ecx, dword ptr [eax]

: 004BDAE2 FF5164 call [ecx + 64]

: 004BDAE5 B201 mov dl, 01

: 004BDAE7 8B8330030000 mov eax, dword ptr [ebx + 00000330]

: 004 BDAED 8B08 mov ecx, dword ptr [eax]

: 004 BDAEF FF5164 call [ecx + 64]

* Possible StringData Ref from Code Obj-> "registered version" // The registered version is now available.

|

: 004BDAF2 BAC0DB4B00 mov edx, 004BDBC0

: 004BDAF7 8B8394030000 mov eax, dword ptr [ebx + 00000394]

: 004 BDAFD E8BA08F8FF call 0043E3BC

: 004BDB02 33D2 xor edx, edx

: 004BDB04 8B83A0030000 mov eax, dword ptr [ebx + 000003A0]

: 004BDB0A E8AD08F8FF call 0043E3BC

: 004BDB0F 8B83A4030000 mov eax, dword ptr [ebx + 000003A4]

: 004BDB15 E87ED1FFFF call 004BAC98

: 004BDB1A 6A00 push 00000000

: 004BDB1C 668B0DD0DB4B00 mov cx, word ptr [004BDBD0]

: 004BDB23 B202 mov dl, 02

* Possible StringData Ref from Code Obj-> "software registration successful" // The registration successful window is displayed.

|

: 004BDB25 B8DCDB4B00 mov eax, 004 BDBDC

: 004BDB2A E86596F7FF call 00437194

: 004BDB2F EB15 jmp 004BDB46

Here, you should understand how to do it. You just need it to stop jumping at the registration code error. Simply drop both jumps to nop, use UltraEdit to change the offset to 0x00BCED1 and 0x00BCED6 to 9090.

Program Analysis:

According to analysis, this application is not registered version can only use 18 times, to 15th times and 5th times are prompted the remaining number of times, in the registry, you can find the key value of the number of records (different machines may be different ):

HKEY_CLASSES_ROOTCLSID {1AE69D60-73D0-11D4-BD52-38A480C50000}

412112012 15 // This is the remaining number of times, which can be changed.

613738517 18 // This is the total number of times, but do not expect this to be changed to an unlimited number, because it does not use this calculation.

When the registration is successful, the key value of 412112012 will change to 412112012, that is, the same as the key name, that is, the calculation, in the registry, you can change the key value of 412112012 to 412112012 to complete registration.

Now, it's all done here !!