*************************************************************************************************
TITLE: Cracking tutorial for CuteFTP Pro 6.0.0.4
*************************************************************************************************
BEST VIEWED: Notepad with word wrap enabled, and in restored window mode
*************************************************************************************************
TOOLS USED: Ollydbg v1.09d
*************************************************************************************************
TARGET: CUTEFTPPRO.exe
*************************************************************************************************
LOCATION OF TOOLS AND PROGRAM:
Ollydbg v1.09d           http://www.grinders.withernsea.com/tools/Ollydbg/odbg109d.rar
CuteFTP Pro 6.0.0.4      http://www.grinders.withernsea.com/tools/cuteftppro.rar
HexToText.exe            http://www.grinders.withernsea.com/tools/HexToText.rar
Regmon v6.06 (Optional)  http://www.grinders.withernsea.com/tools/ntregmon.zip
*************************************************************************************************
CONTACT INFORMATION: vinceandjane@hotmail.com
*************************************************************************************************
TUTORIAL WRITTEN: 09/04/2004
*************************************************************************************************
AUTHOR: Pompeyfan
*************************************************************************************************

Okay, let's attack our target. Open Olly, and if you haven't done so already, to make things easier for yourself, right click, select Appearance/Highlighting/Jumps'n'calls; it makes things so much easier to follow.
Okay, let's open the program in Olly, and you land here:

0051481A >/$ 55              PUSH EBP

Press F9 (Run), and the evaluation screen opens. Click on "Enter serial number" and enter your fake serial (I used all 7's, filling the box), then hit the "Next" button, and you get the message "Your serial number has not been accepted, bla, bla, bla". Now, don't press OK to this message yet; press F12 (Pause), then Alt+K to bring up the call stack, and you get the following:

Call stack of main thread
Address   Stack     Procedure                      Called from         Frame
0012DDD4  77D43C53  Includes 7FFE0304              USER32.77D43C51     0012DE08
0012DDD8  77D4B3F2  USER32.WaitMessage             USER32.77D4B3ED     0012DE08
0012DE0C  77D4D9A0  USER32.77D4B265                USER32.77D4D99B     0012DE08
0012DE34  77D6AE8E  USER32.77D4D8EC                USER32.77D6AE89     0012DE30
0012E0EC  77D6A911  ? USER32.SoftModalMessageBox   USER32.77D6A90C     0012E074
0012E234  77D6AFD5  ? USER32.77D6A7D7              USER32.77D6AFD0     0012E1BC
0012E28C  77D6B0BD  USER32.MessageBoxTimeoutW      USER32.77D6B0B8     0012E288
0012E2C0  77D6B04A  ? USER32.MessageBoxTimeoutA    USER32.77D6B045     0012E2BC
0012E2E0  77D6B02E  ? USER32.MessageBoxExA         USER32.77D6B029     0012E2DC
0012E2F8  0052B534  ? USER32.MessageBoxA           CUTEFTPP.0052B52E
0012E310  0046FD24  ? CUTEFTPP.0052B506            CUTEFTPP.0046FD1F

Now, double click on the bottom entry, and you are here:

0046FD1F  . E8 E2B70B00     CALL CUTEFTPP.0052B506

Right click on it, then Breakpoint/Toggle. Now, again press the "Next" button on the serial dialogue, and Olly breaks here:

0046FD1F  . E8 E2B70B00     CALL CUTEFTPP.0052B506

and you will notice the "Registration failed" message in the EAX register, as well as in the dump, and you will see a number in the dump pane of A2222222222222 (I tried this number, and of course we were not that lucky for it to be the real serial; it looked too odd a number to be real anyway, but keep it in mind for later, as it plays a big part in the crack). Press F7 to trace into this call, and you have this routine:

0052B506 /$ 8B4424 08       MOV EAX,DWORD PTR SS:[ESP+8]
0052B50A |. 56              PUSH ESI
0052B50B |. 85C0            TEST EAX,EAX
0052B50D |. 8BF1            MOV ESI,ECX
0052B50F |. 75 08           JNZ SHORT CUTEFTPP.0052B519
0052B511 |. E8 050A0200     CALL CUTEFTPP.0054BF1B
0052B516 |. 8B40 10         MOV EAX,DWORD PTR DS:[EAX+10]
0052B519 |> 85F6            TEST ESI,ESI
0052B51B |. 75 04           JNZ SHORT CUTEFTPP.0052B521
0052B51D |. 33C9            XOR ECX,ECX
0052B51F |. EB 03           JMP SHORT CUTEFTPP.0052B524
0052B521 |> 8B4E 1C         MOV ECX,DWORD PTR DS:[ESI+1C]
0052B524 |> FF7424 10       PUSH DWORD PTR SS:[ESP+10]                 ; /Style
0052B528 |. 50              PUSH EAX                                   ; |Title
0052B529 |. FF7424 10       PUSH DWORD PTR SS:[ESP+10]                 ; |Text
0052B52D |. 51              PUSH ECX                                   ; |hOwner
0052B52E |. FF15 3CA65700   CALL DWORD PTR DS:[<&USER32.MessageBoxA>]  ; \MessageBoxA
0052B534 |. 5E              POP ESI
0052B535 \. C2 0C00         RETN 0C

This routine leads to the bad cracker message, but after fiddling with it a bit, I came to the conclusion that once you are in it, it is too late; you need to trace further back. So if we scroll up from the first call we had at:

0046FD1F  . E8 E2B70B00     CALL CUTEFTPP.0052B506

we see that this sub-routine starts at:

0046FCAB >  8B0D 000A5D00   MOV ECX,DWORD PTR DS:[5D0A00]   ; CUTEFTPP.005D0A14

Now right click on this line, then Find references to/Selected command, and you get this:

References in CUTEFTPP:.text to 0046FCAB
Address   Disassembly                      Comment
0046FC44  JE SHORT CUTEFTPP.0046FCAB
0046FC60  JE SHORT CUTEFTPP.0046FCAB
0046FCAB  MOV ECX,DWORD PTR DS:[5D0A00]    (Initial CPU selection)

How about we scroll up to the start of the previous sub-routine, and put a breakpoint on this line:

0046FC12 >  8B15 000A5D00   MOV EDX,DWORD PTR DS:[5D0A00]   ; CUTEFTPP.005D0A14

Enter your details again, and we break at this line, and you see your fake serial loaded into the EAX register. We trace with F8, and again we see our fake serial being compared with A2222222222222 for some reason. I tried tracing into some of the calls with F7; the serial calculation could very well be in there, but it is too complex for me I'm afraid. So we get to this section:

0046FC42  . 85C0            TEST EAX,EAX
0046FC44  . 74 65           JE SHORT CUTEFTPP.0046FCAB
0046FC46  . 6A 00           PUSH 0
0046FC48  . 8BCF            MOV ECX,EDI
0046FC4A  . E8 57D60B00     CALL CUTEFTPP.0052D2A6
0046FC4F  . 8D5424 14       LEA EDX,DWORD PTR SS:[ESP+14]
0046FC53  . 50              PUSH EAX
0046FC54  . 52              PUSH EDX
0046FC55  . E8 A67C0000     CALL CUTEFTPP.00477900
0046FC5A  . 83C4 08         ADD ESP,8
0046FC5D  . 66:85C0         TEST AX,AX
0046FC60  . 74 49           JE SHORT CUTEFTPP.0046FCAB

We have 2 tests, and 2 conditional jumps which lead to the bad cracker message. If we trace with F8, at the first EAX=FFFFFFFF and the jump is not taken; at the second AX=0 and away we go on our way to the bad cracker message. Now, I may be no expert, but what I have learned is that quite often with these tests the value here can be something like 0=unregistered/1=registered, so how about we change:

0046FC5D  . 66:85C0         TEST AX,AX

to:

0046FC5D    66:40           INC AX
0046FC5F    90              NOP

So, right click on that line, then Assemble, make the change, then click on Assemble, then close this box. Now, enter your fake serial again, and this time you get a different dialogue to complete; it is the "Registration wizard". Just fill in your name, that is enough, and hit Next. This box is designed to confirm your serial number online, so I definitely think we hit on a good alteration above, as we are not getting the bad cracker message anymore. Okay, let us make this change permanent: right click/Copy to executable/All modifications/Copy all, then right click on the new box that comes up/Save file, double click on the file to overwrite and select Yes to overwrite.
Okay, after hitting Next, we get the "Registration failed" message, of course, because we are not connected to the internet. Of course we don't want it verified online, so we will eventually have to find a way of getting around this. So we select "Attempt to auto-complete the registration later" and hit Next, the program opens, and if you check the Help/About screen, you will see that your registration details now show you as Registered but UNVERIFIED, and it shows your fake serial.

I know from experience with previous versions of this program that it usually keeps registration details somewhere under the HKEY_USERS key in your registry, so we fire up Regedit and look under HKEY_USERS\DEFAULT\Software\GlobalSCAPE\CuteFTP Professional, and we now find an entry "RegUserName" with the name you entered in the registration wizard, and an extra key has appeared called "Index", and surprise surprise, it has your fake serial. Before exiting Regedit, let us make a backup of that registry key: right click on the CuteFTP Professional key, select Export, then perhaps save the reg file as CuteFTPregcrack.reg or whatever you want.

Now, we try to restart the application outside of Olly, but we get the evaluation screen up again, and we see that we are again a temporary user, and although the "RegUserName" is still there, the "Index" key has vanished. I tried seeing what was happening with Regmon, and you can see clearly the key getting added and deleted:

Enter fake serial:
2  4.75877269   CUTEFT~1.EXE:348  OpenKey  HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index  NOTFOUND
3  10.95688055  CUTEFT~1.E...
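The Regmon trace above shows the Index key appearing and then disappearing between runs. As an added example that is not part of this tutorial, the Python below parses Regmon-style lines and pairs each successful CreateKey with a later DeleteKey on the same path by the same process, which is how an analyst auditing where an application keeps licence or other sensitive state can summarise a long trace instead of reading it by eye. The sample trace is constructed: only the first line follows the page's own output, and the CreateKey/SetValue/QueryValue/DeleteKey request names are assumed Regmon labels.

```python
import re
from collections import defaultdict

# One Regmon-style line: seq, timestamp, process:pid, request, path, result.
# The path may contain spaces ("CuteFTP Professional"), so the result is taken
# as the last whitespace-separated token and the path is everything before it.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<req>\w+)\s+(?P<path>.+?)\s+(?P<result>\S+)$"
)

# Constructed sample trace (not the tutorial's output). The first line copies
# the page's format; CreateKey/SetValue/QueryValue/DeleteKey are assumed labels.
SAMPLE_TRACE = r"""
2  4.75877269   CUTEFT~1.EXE:348  OpenKey     HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index  NOTFOUND
3  10.95688055  CUTEFT~1.EXE:348  CreateKey   HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index  SUCCESS
4  10.95701233  CUTEFT~1.EXE:348  SetValue    HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\RegUserName  SUCCESS
5  31.10442011  CUTEFT~1.EXE:348  QueryValue  HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index  SUCCESS
6  31.10455970  CUTEFT~1.EXE:348  DeleteKey   HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index  SUCCESS
"""


def parse_regmon(text):
    """Parse Regmon-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def transient_keys(events):
    """Map each key path that a process successfully creates and later deletes
    to its (create_time, delete_time) pair: state the program only keeps
    temporarily, like the Index key in the tutorial."""
    created = defaultdict(list)
    transient = {}
    for ev in events:
        ident = (ev["proc"], ev["pid"], ev["path"].lower())
        if ev["req"] == "CreateKey" and ev["result"] == "SUCCESS":
            created[ident].append(float(ev["time"]))
        elif ev["req"] == "DeleteKey" and ev["result"] == "SUCCESS" and created[ident]:
            transient[ev["path"]] = (created[ident].pop(), float(ev["time"]))
    return transient


if __name__ == "__main__":
    for path, (t0, t1) in transient_keys(parse_regmon(SAMPLE_TRACE)).items():
        print(f"{path}: created at {t0:.3f}s, deleted at {t1:.3f}s")
```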