Main | Index

CuteFTP 5.0 XP - Build 50.6.10.2

Type : FTP Client
Protection : Serial - OnLine Check - CRC Check - Memory check sum
Tech : Patch

Crack :

Cute FTP does a OnLine check of S/N entered .. and validates it.I was wondering how it is done.To find it use a proxy server ... as it shows every http request.And enter S/N in Cute FTP.Proxy server reveals what this baby is doing with our S/N ... with which server it is checking.Following are its result ..

POST http://dbregistration.cuteftp.com/what_xou_like.reg HTTP/1.0
User-Agent: CuteRegistrator
Host: dbregistration.cuteftp.com
Content-Length: 226
Pragma: no-cache

CUTERG0100046B657931000E413232323232323232323232323200046B65793200404E4D4D4F38574E
4B3233394159574B464C314F504C334A3350594A3058414E324F4B574E4A4554575654383058384830
3239574C544D334F544E4D35564D3556000870726F64747970650003434635

So our S/N is validated by "dbregistration.cuteftp.com" visit this server by your browser and you can see a interesting string showed in your browser ...

CUTERG010007636F6D6D616E64000B696E76616C696464617461 - This means "d invaliddata"

So this is how comunication is taking place ... we are not doing our stuff ... here just for info.

This baby can easily be stoped from verifying our S/N [OnLine check] by just changing the name of server to what ever you like ..."xbregistration.cuteftp.com" using a hex editor.

But there is also a nasty CRC Check and Memory check sum ... going on in seperate thread ...

CRC Check - Memory Check Sum :

This baby is doing these checks in a seperate thread .. Memory check sum is done using API ...

MAPVIEWOFFILENAME ...GETMODULEFILENAMEA ...

We can't put BPX on any address as it corrupts its memory and Consistency check will trace out it .. so use hardware break point - BPMB cs:xxxxxx X.Most funnniest part is that we can't patch it as CALL to this routine will depend upon its virginity.If we patch it CALL to this routine will point to some address and result is page fault.Never mind outer call can be patched.

BPX MAPVIEWOFFILE ... trace back we will end here ...

CALL [EBP-18]
MOV [EBP-1C],EAX --- > FLAG SET

Inside this call ..

004773A7 MOV EAX,01
004773AC ADD ESP,48
004773AF RET
004773B0 XOR EAX,EAX -- PUT BPMB HERE ..
004773B2 ADD ESP,48
004773B5 RET

Put a BPMB in side this routine and you will break where every it is called.Main outside calls calling this routine are ..

0044445E CALL [00556E1C]
00444464 TEST EAX,EAX
00444466 JNZ 004444EC = 0F 85 80 00 00 00 --> GOOD BOY
0044446C CALL [00556E3C] --- CONSISTENTCY CHK FAILED NAG BOX -- AND QUIT
........................
00477BC8 CALL [00556E18]
00477BCE TEST EAX,EAX
00477BD0 JNZ 00477BDA = 75 08 ---> GOOD BOY
00477BD2 CALL [00556E38] --- CONSISTENTCY CHK FAILED NAG BOX -- AND QUIT
........................
00477B92 CALL [00556E30]
00477B98 TEST EAX,EAX
00477B9A JNZ 00477BAA = 75 0E ---> GOOD BOY
00477B9C CALL [00556E50] --- CONSISTENTCY CHK FAILED NAG BOX -- AND QUIT
-----------------------PATCH THESE TO ---------------
00444466 NOP = 90 OFFSET = 44466
00444464 JMP 004444EC = E9 80 00 00 00

00477BD0 JMP 00477BDA = EB 08 OFFSET = 77BD0

00477B9A JMP 00477BAA = EB 0E OFFSET = 77B9A

S/N ..

Now go offline and register this program with this S/N .....

S/N = A2222222222222
Name = DHEERAJ

It will tell that S/N seems to be ok but not verified ... See "About Box".A quick view with Win32DASM shows that CALL 00404110 is the main sucker behind this ....Inside this CALL we will alter flag clearing part ..

004043FE XOR EAX,EAX = 33 C0
00404400 JMP 40454E = E9 49 01 00 00
----------- PATCH THIS TO ---------
004043FE XOR EAX,EAX = 33 C0
00404400 INC EAX = 40 OFFSET = 4400
00404401 JMP 40454E = E9 48 01 00 00

Now we have finished ... it is working fine and "About Box" shows it is licensed to me ...