Bullet Proof FTP V1.0
(hidden, bloated exe creation)
stupid

by Frog's Print

(24 September 1997)


Courtesy of fravia's page of reverse engineering

Well, another pathetical trick bites dust.

**** Bullet Proof FTP V1.0 ****
(www.bpftp.com)
by Frog's Print
When running this program, it extracts a "~XYnnnn.TMP' file in the
Windows\Temp directory and runs it. This .TMP file is an ordinary .EXE
file.
Is this a brand new protection??
Open it with W32Dasm.

Searching the String Data Refs for "UNREGISTERED EVALUATION COPY" 
we can find two occurences:

1st Occurence:
 :0046FF65 80BB2A04000000  cmp byte ptr [ebx+42A], 00  ; Is it 0?
 :0046FF6C 743B            je 0046FFA9
 :0046FF6E BAA8004700      mov edx, 004700A8     ;"Registered to "
 ...
 :0046FFA9 BACC004700      mov edx, 004700CC     ;"UNREGISTERED EVALUATION COPY-"

2nd Occurence:
 :0047CCEC 80BB2A04000000  cmp byte ptr [ebx+42A], 00  ; Is it 0?
 :0047CCF3 743D            je 0047CD32
 ...
 :0047CD30 EB43            jmp 0047CD75          ; Go_Ahead otherwise...
 :0047CD32 BA00CE4700      mov edx, 0047CE00     ;"UNREGISTERED EVALUATION COPY"


==> There is no need to crack this part as the program would be
"registered" yet it WOULD NOT download/upload files and would exit 
instead!

Searching for the string "You have exceeded your 30 day" we land here:

:004809E0 80BB3204000000   cmp byte ptr [ebx+432], 00 ; 0=Expired / 1=30 Days Left
:004809E7 7534             jne 00480A1D
:004809E9 6A00             push 00000000
:004809EB 668B0D280A4800   mov cx, word ptr [00480A28]
:004809F2 B201             mov dl, 01
:004809F4 B8340A4800       mov eax, 00480A34 ->"You have exceeded your 30 day "
                                             ->"trial limit. Click OK to go to "
                                             ->"BPFTP's web page to register so "
                                             ->"you can continue using it."
:004809F9 E8E22AFBFF       call 004334E0
:004809FE BAB40A4800       mov edx, 00480AB4 ->"This evaluation version of BPFTP "
                                             ->"has expired - everything will "
                                             ->"continue to function as normal, "
                                             ->"except you will not be able to "
                                             ->"transfer any files."


To have 30 days left forever, just search for the 
'cmp byte ptr [xxx+432],00' (there are 4 occurrences of them) 
in the program and change each occurrence to 
'cmp byte ptr [ebx+432],01'.

Just rename the "~XYnnnn.TMP" file > "Whatever_you_want.EXE" and run it.
Now it can be moved to another directory as well.
There's no need to use again the original BPFTP.EXE file. 
You can throw that stupid "loader" away!

This protection is stupid.
According to me, the fact that BPFTP.EXE is just a packed program that
creates another .EXE file and runs it 'undercover' doesn't mean that the
programmers wrote a "new" kind of protection: in fact, they wrote a 724Kb 
program (bigger than CuteFTP) and want us to believe it is just 377Kb 
(smaller than CuteFtp)!!
What a perfidious mind....

BTW, CuteFtp is a much better program (see +RCG's crack of 
CuteFtp), and I would advice you to use it anyway.

Frog's Print, September 1997
(c) Frog's Print 1997. All rights reversed
You are deep inside fravia's page of reverse engineering, choose your way out:

redBack to Project 7 ("Most stupid protection")
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?