beta.blog


Patching Golden FTP Server Pro 5.00 (Reversing Tutorial)

by on Sep.24, 2014, under ReverseEngineering

This is a short tutorial on how to patch a small FTP server for Windows called Golden FTP Server (Pro version, 5.00). First off, everything posted here is described solely for educational purposes. I decided to write this tutorial since it started to piss me off that people kept asking for this program.

What you’ll need:
– Golden FTP Server Pro v5.00 trial
– OllyDbg 1.10

The first step is to load the target into OllyDbg and run it. What you’ll see is a nag screen reminding you that you’re currently running a trial version and should buy a code or get one free of charge by completing a survey (urgh – surveys!). Oh, if one of the images is too small to read, simply move your mouse pointer over it and click your middle mouse button/mouse wheel to open the full-size image in a new tab.

[Image 01]

Choose register later and you’re in – wohoo!

[Image 02]

Head over to registration and fill out the form with some dummy data, just like this:

[Image 03]

Hit the register button and it will come up with an error. Dang – it could have been so easy. 🙁

[Image 04]

So yeah, we basically have to change a byte here and there in order to “fix this bug”. Don’t close the window yet; just switch back to Olly and right click into the CPU window -> Search for -> Name (label) in current module. The message box saying “Invalid registration code!” looks a bit like a regular native MessageBox, so just search for MessageBoxA -> right click -> Set breakpoint on every reference.

Switch back to the running application and try to enter the incorrect license data again -> hit register and it will stop at one of the breakpoints we just set.

[Image 05]

As you can see, it will call some routines and do its verification with your serial in order to deem it invalid. No need to do any further investigation, you can simply jump over the entire thing and bypass the entire check by modifying the following instruction:

[Image 06_patch1]

Try to hit the register button again now. It will actually work and open a web page saying “Thank you”. In addition, it will also save the dummy data you provided (without doing any additional checks) and it will unlock the program directly:

[Image 07]

As an unimportant side note, I did some further tracing and noticed it would write the license data into C:\ProgramData\Golden FTP Server Pro\GFTPpro.cfg, but we don’t even need to know how the verification works or where it gets saved at this point, since we only need to patch one more verification check in order to make the registration persist across application restarts.

Anyway, if we restart the target application through Olly, it will show its nag screen again (sigh). Since I already told you it stores the licensing information in a file, we’ll now Search for -> Name (label) in current module -> ReadFile -> right click -> Set breakpoint on every reference. Afterwards, run the target (F9) and it will hit the first breakpoint. Now disable all breakpoints by going into the breakpoint window (ALT+B) -> right click -> Disable all, and keep pressing F8 (= step over) until the nag screen opens up again:

[Image 10]

So yeah, there’s another verification routine which does both: it checks your license file (and deems it invalid) and shows the nag screen. Patch the jump above it to skip this verification as well, save both patches to the file (right click -> Copy to executable -> All modifications -> right click -> Save file) and you’re done…

[Image 11]

Summary:
I spent a bit less than 30 minutes on this target, so don’t expect too much. As you can see, it’s a rather easy target and as such suitable for beginners. I won’t provide a patched binary over here, but you’ve got the basic steps to do it all by yourself. As always, if you like the software, support the developers and buy it!
