*************************************************************************************************
TITLE:
Cracking tutorial for CuteFTP Pro 6.0.0.4
*************************************************************************************************
BEST VIEWED:
Notepad with word wrap enabled, and in restored window mode
*************************************************************************************************
TOOLS USED:
Ollydbg v1.09d
*************************************************************************************************
TARGET:
CUTEFTPPRO.exe
*************************************************************************************************
LOCATION OF TOOLS AND PROGRAM:
Ollydbg v1.09d http://www.grinders.withernsea.com/tools/Ollydbg/odbg109d.rar
CuteFTP Pro 6.0.0.4 http://www.grinders.withernsea.com/tools/cuteftppro.rar
HexToText.exe http://www.grinders.withernsea.com/tools/HexToText.rar
Regmon v6.06 (optional) http://www.grinders.withernsea.com/tools/ntregmon.zip
*************************************************************************************************
CONTACT INFORMATION:
vinceandjane@hotmail.com
*************************************************************************************************
TUTORIAL WRITTEN:
09/04/2004
*************************************************************************************************
AUTHOR:
Pompeyfan
*************************************************************************************************

Okay, let's attack our target. Open Olly and, if you haven't done so already, right click in the CPU window and select Appearance/Highlighting/Jumps'n'calls; it makes the code so much easier to follow.

Now open the program in Olly, and you land here:

0051481A >/$ 55             PUSH EBP

Press F9 (Run) and the evaluation screen opens. Click on "Enter serial number", enter your fake serial (I used all 7's, filling the box), then hit the "Next" button, and you get the message that your serial number has not been accepted.

Now, don't press OK on this message yet. Press F12 (Pause), then Alt+K to bring up the call stack, and you get the following:

Call stack of main thread
Address    Stack      Procedure                             Called from                   Frame
0012DDD4   77D43C53   Includes 7FFE0304                     USER32.77D43C51               0012DE08
0012DDD8   77D4B3F2   USER32.WaitMessage                    USER32.77D4B3ED               0012DE08
0012DE0C   77D4D9A0   USER32.77D4B265                       USER32.77D4D99B               0012DE08
0012DE34   77D6AE8E   USER32.77D4D8EC                       USER32.77D6AE89               0012DE30
0012E0EC   77D6A911   ? USER32.SoftModalMessageBox          USER32.77D6A90C               0012E074
0012E234   77D6AFD5   ? USER32.77D6A7D7                     USER32.77D6AFD0               0012E1BC
0012E28C   77D6B0BD   USER32.MessageBoxTimeoutW             USER32.77D6B0B8               0012E288
0012E2C0   77D6B04A   ? USER32.MessageBoxTimeoutA           USER32.77D6B045               0012E2BC
0012E2E0   77D6B02E   ? USER32.MessageBoxExA                USER32.77D6B029               0012E2DC
0012E2F8   0052B534   ? USER32.MessageBoxA                  CUTEFTPP.0052B52E
0012E310   0046FD24   ? CUTEFTPP.0052B506                   CUTEFTPP.0046FD1F

Now double click on the bottom entry, and you are here:

0046FD1F   . E8 E2B70B00    CALL CUTEFTPP.0052B506

Right click on it, then Breakpoint/Toggle (or just press F2).

Now press OK on the message, hit the "Next" button on the serial dialogue again, and Olly breaks here:

0046FD1F   . E8 E2B70B00    CALL CUTEFTPP.0052B506

You will notice the "Registration failed" message in the EAX register, as well as in the dump, and you will see the string A2222222222222 in the dump pane (I tried this as the serial, and of course we were not so lucky that it was the real one; it looked too odd a number to be real anyway, but keep it in mind for later, as it plays a big part in the crack).

Press F7 to trace into this call, and you have this routine:

0052B506  /$ 8B4424 08      MOV EAX,DWORD PTR SS:[ESP+8]
0052B50A  |. 56             PUSH ESI
0052B50B  |. 85C0           TEST EAX,EAX
0052B50D  |. 8BF1           MOV ESI,ECX
0052B50F  |. 75 08          JNZ SHORT CUTEFTPP.0052B519
0052B511  |. E8 050A0200    CALL CUTEFTPP.0054BF1B
0052B516  |. 8B40 10        MOV EAX,DWORD PTR DS:[EAX+10]
0052B519  |> 85F6           TEST ESI,ESI
0052B51B  |. 75 04          JNZ SHORT CUTEFTPP.0052B521
0052B51D  |. 33C9           XOR ECX,ECX
0052B51F  |. EB 03          JMP SHORT CUTEFTPP.0052B524
0052B521  |> 8B4E 1C        MOV ECX,DWORD PTR DS:[ESI+1C]
0052B524  |> FF7424 10      PUSH DWORD PTR SS:[ESP+10]               ; /Style
0052B528  |. 50             PUSH EAX                                 ; |Title
0052B529  |. FF7424 10      PUSH DWORD PTR SS:[ESP+10]               ; |Text
0052B52D  |. 51             PUSH ECX                                 ; |hOwner
0052B52E  |. FF15 3CA65700  CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
0052B534  |. 5E             POP ESI
0052B535  \. C2 0C00        RETN 0C

This routine is just a wrapper around MessageBoxA that displays the bad cracker message, but after fiddling with it a bit I came to the conclusion that once you are in it, it is too late; you need to trace further back.

So if we scroll up from the call we had at:

0046FD1F   . E8 E2B70B00    CALL CUTEFTPP.0052B506

We see that the block of code containing it starts at this jump target:

0046FCAB   > 8B0D 000A5D00  MOV ECX,DWORD PTR DS:[5D0A00]            ;  CUTEFTPP.005D0A14

Now right click on this line, then Find references to/Selected command, and you get this:

References in CUTEFTPP:.text to 0046FCAB
Address    Disassembly                               Comment
0046FC44   JE SHORT CUTEFTPP.0046FCAB
0046FC60   JE SHORT CUTEFTPP.0046FCAB
0046FCAB   MOV ECX,DWORD PTR DS:[5D0A00]             (Initial CPU selection)

How about we scroll up to the start of the previous block and put a breakpoint on this line:

0046FC12   > 8B15 000A5D00  MOV EDX,DWORD PTR DS:[5D0A00]            ;  CUTEFTPP.005D0A14

Enter your details again and we break at this line; you see your fake serial loaded into the EAX register. Trace with F8, and again we see our fake serial being compared with A2222222222222 for some reason. I tried tracing into some of the calls with F7; the serial calculation could very well be in there, but it is too complex for me, I'm afraid.

So we get to this section:

0046FC42   . 85C0           TEST EAX,EAX
0046FC44   . 74 65          JE SHORT CUTEFTPP.0046FCAB
0046FC46   . 6A 00          PUSH 0
0046FC48   . 8BCF           MOV ECX,EDI
0046FC4A   . E8 57D60B00    CALL CUTEFTPP.0052D2A6
0046FC4F   . 8D5424 14      LEA EDX,DWORD PTR SS:[ESP+14]
0046FC53   . 50             PUSH EAX
0046FC54   . 52             PUSH EDX
0046FC55   . E8 A67C0000    CALL CUTEFTPP.00477900
0046FC5A   . 83C4 08        ADD ESP,8
0046FC5D   . 66:85C0        TEST AX,AX
0046FC60   . 74 49          JE SHORT CUTEFTPP.0046FCAB

We have 2 tests and 2 conditional jumps that lead to the bad cracker message. If we trace with F8, at the first test EAX=FFFFFFFF and the jump is not taken; at the second AX=0, the jump is taken, and away we go to the bad cracker message.

Now, I may be no expert, but what I have learned is that quite often with these tests the value can be something like 0=unregistered/1=registered, so how about we change:

0046FC5D   . 66:85C0        TEST AX,AX 

to: 

0046FC5D     66:40          INC AX
0046FC5F     90             NOP

So right click on that line, then Assemble, type the change and click Assemble, then close the box. Keep "Fill with NOP's" ticked so the spare byte of the original 3-byte TEST becomes the NOP at 0046FC5F.

Now enter your fake serial again, and this time you get a different dialogue to complete: the "Registration wizard". Just fill in your name, that is enough, and hit Next. This box is designed to confirm your serial number online, so I definitely think we hit on a good alteration above, as we are not getting the bad cracker message any more.

Okay, let us make this change permanent: right click/Copy to executable/All modifications/Copy all, then right click in the new window that comes up/Save file, double click on the file to overwrite it and select Yes to the overwrite prompt (keep a backup copy of the untouched CUTEFTPPRO.exe first, so you can always get back to a clean start).

Okay, after hitting Next we get the "registration failed" message, of course, because we are not connected to the internet; we don't want it verified online anyway, so we will eventually have to find a way around this. For now select "Attempt to auto-complete the registration later" and hit Next. The program opens, and if you check the Help/About screen you will see that your registration details now show you as Registered but UNVERIFIED, with your fake serial.

I know from experience with previous versions of this program that it usually keeps the registration details somewhere under the HKEY_USERS key in your registry, so we fire up Regedit and look under HKEY_USERS\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional. We now find a value "RegUserName" with the name you entered in the registration wizard, and an extra key has appeared called "Index", and surprise surprise, it holds your fake serial.

Before exiting Regedit, let us make a backup of that registry key: right click on the CuteFTP Professional key, select Export, and save the reg file as CuteFTPregcrack.reg or whatever you want.

Now we try to restart the application outside of Olly, but we get the evaluation screen again and see that we are once more a temporary user; although "RegUserName" is still there, the "Index" key has vanished.

I tried seeing what was happening with Regmon, and you can clearly see the key getting added and then deleted (the columns are sequence number, time, process:PID, request, path, result and other):

Enter fake serial:

2	4.75877269	CUTEFT~1.EXE:348	OpenKey	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index	NOTFOUND		
3	10.95688055	CUTEFT~1.EXE:348	CreateKey	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index	SUCCESS	Key: 0xE14CD138	
4	10.95702862	CUTEFT~1.EXE:348	SetValue	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index\1	SUCCESS	37 37 37 37 37 37 37 37 ...	
5	10.95707555	CUTEFT~1.EXE:348	CloseKey	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index	SUCCESS	Key: 0xE14CD138	
6	10.95720126	CUTEFT~1.EXE:348	OpenKey	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional	SUCCESS	Key: 0xE14CD138	
7	10.95724876	CUTEFT~1.EXE:348	SetValue	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\RegUserName	SUCCESS	"Pompeyfan"	
8	10.95727502	CUTEFT~1.EXE:348	CloseKey	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional	SUCCESS	Key: 0xE14CD138

Startup with fake serial:

14734	9.38531573	CUTEFT~1.EXE:1848	OpenKey	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index	SUCCESS	Key: 0xE1247670	
14735	9.38538194	CUTEFT~1.EXE:1848	QueryValue	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index\1	SUCCESS	37 37 37 37 37 37 37 37 ...	
14736	9.38541155	CUTEFT~1.EXE:1848	QueryValue	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index\3	NOTFOUND		
14737	9.38547553	CUTEFT~1.EXE:1848	CloseKey	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index	SUCCESS	Key: 0xE1247670	
14738	9.38572807	CUTEFT~1.EXE:1848	OpenKey	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index	SUCCESS	Key: 0xE1247670	
14739	9.38645023	CUTEFT~1.EXE:1848	DeleteKey	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index	SUCCESS	Key: 0xE1247670	
14740	9.38649828	CUTEFT~1.EXE:1848	CloseKey	HKU\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional\Index	SUCCESS	Key: 0xE1247670	


So, what will we do about this? First run the program outside of Olly, enter your serial number and follow the steps above so that your serial is back in the registry. Then re-open the application in Olly, right click/Search for/Name (label) in current module, scroll down, and we see a likely target: RegDeleteKeyA. Right click on it/Set breakpoint on every reference (there are 12), then F9 (Run), and we strike it lucky first time; we are here:

0046D0D6   . FF15 2CA05700  CALL DWORD PTR DS:[<&ADVAPI32.RegDeleteK>; \RegDeleteKeyA

Look at the EAX register: it clearly mentions the "Index" key. Look at the EBP and ESI values too: again our fake serial and A2222222222222. This is the code that makes the call:

0046D0C9   > 8B5424 20      MOV EDX,DWORD PTR SS:[ESP+20]
0046D0CD   . 8B42 28        MOV EAX,DWORD PTR DS:[EDX+28]
0046D0D0   . 50             PUSH EAX                                 ; /Subkey
0046D0D1   . 68 03000080    PUSH 80000003                            ; |hKey = HKEY_USERS
0046D0D6   . FF15 2CA05700  CALL DWORD PTR DS:[<&ADVAPI32.RegDeleteK>; \RegDeleteKeyA

Right click on the first line (0046D0C9), then Find references to/Selected command, and you get this:

References in CUTEFTPP:.text to 0046D0C9
Address    Disassembly                               Comment
0046CF48   JE CUTEFTPP.0046D0C9
0046CF5F   JE CUTEFTPP.0046D0C9
0046D0C9   MOV EDX,DWORD PTR SS:[ESP+20]             (Initial CPU selection)
	
Both these conditional jumps have tests before them, and if either jump is taken your key will be deleted. Let us see if anything else happens further up by setting a breakpoint at the top of this routine (the MOV EAX,FS:[0] is the SEH frame set-up the compiler places at function entry, so this is where the function starts). First, though, remove all your other breakpoints:

0046CE50   . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]

Now Ctrl+F2 to restart the program in Olly, then F9 (Run), and we break at the breakpoint just set. Step over with F8; there are a couple of jumps here, not taken, that would go past the delete-key code if their conditions were met:

0046CED9   . 85C0           TEST EAX,EAX------------------->EAX=0
0046CEDB   . 0F85 23020000  JNZ CUTEFTPP.0046D104---------->Not taken
0046CEE1   . 807D 00 00     CMP BYTE PTR SS:[EBP],0-------->First byte of your fake serial, 7 (or 37 in hex), compared with 0
0046CEE5   . 0F84 29020000  JE CUTEFTPP.0046D114----------->Not taken

0046CF21   . 3A16           CMP DL,BYTE PTR DS:[ESI]------->Compares the first byte of your fake serial with A
0046CF23   . 75 1C          JNZ SHORT CUTEFTPP.0046CF41---->Taken because not equal

0046CF46   > 85C0           TEST EAX,EAX------------------->EAX=FFFFFFFF
0046CF48   . 0F84 7B010000  JE CUTEFTPP.0046D0C9----------->Not taken

0046CF5C   . 66:85C0        TEST AX,AX--------------------->AX=0
0046CF5F   . 0F84 64010000  JE CUTEFTPP.0046D0C9----------->Jump taken

Okay, I traced into some of the calls, and again this serial calculation is probably in here somewhere, but beyond me. So, out of interest and using a bit of lateral thinking: I know that A2222222222222 isn't the real serial, but it is compared so damn much that I'd just like to know what happens if we use it instead. Run the program and enter this as your fake serial; okay, it won't accept it, probably because of the changes we made to the code already, I suspect, but what if we enter it manually into the registry, either via Regedit or, as I did, by altering my CuteFTPregcrack.reg file and double clicking on it to merge it into the registry?

I use a little program called HexToText to calculate the hex equivalent of anything, so I enter A2222222222222 and hit Convert, and I have 41 32 32 32 32 32 32 32 32 32 32 32 32 32. I put this in my reg file to replace what is showing under the Index key (value 1), and double click on it to merge it into my registry.

Now I restart CuteFTP Pro in Olly, F9 (Run), and we again break here:

0046CE50   . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]

Again we step over the code with F8:

0046CED9   . 85C0           TEST EAX,EAX------------------->EAX=0
0046CEDB   . 0F85 23020000  JNZ CUTEFTPP.0046D104---------->Not taken
0046CEE1   . 807D 00 00     CMP BYTE PTR SS:[EBP],0-------->First byte of your fake serial, A (or 41 in hex), compared with 0
0046CEE5   . 0F84 29020000  JE CUTEFTPP.0046D114----------->Not taken

We get to here:

0046CF21   . 3A16           CMP DL,BYTE PTR DS:[ESI]---------->A (first byte of fake serial) compared with A
0046CF23   . 75 1C          JNZ SHORT CUTEFTPP.0046CF41------->We won't take the jump, of course

And we are in this loop (it is the compiler's inlined string compare, walking two bytes per pass: EAX points at your serial and ESI at A2222222222222; it exits to 0046CF3D with EAX=0 if every byte matches up to the terminator, or to 0046CF41 on the first mismatch, where the SBB pair turns the carry flag into -1 or +1):

0046CF23   . 75 1C          JNZ SHORT CUTEFTPP.0046CF41
0046CF25   . 84C9           TEST CL,CL
0046CF27   . 74 14          JE SHORT CUTEFTPP.0046CF3D
0046CF29   . 8A50 01        MOV DL,BYTE PTR DS:[EAX+1]
0046CF2C   . 8ACA           MOV CL,DL
0046CF2E   . 3A56 01        CMP DL,BYTE PTR DS:[ESI+1]
0046CF31   . 75 0E          JNZ SHORT CUTEFTPP.0046CF41
0046CF33   . 83C0 02        ADD EAX,2
0046CF36   . 83C6 02        ADD ESI,2
0046CF39   . 84C9           TEST CL,CL
0046CF3B   .^75 E0          JNZ SHORT CUTEFTPP.0046CF1D

When we finally come out:

0046CF3D   > 33C0           XOR EAX,EAX------------------------>EAX is set to 0
0046CF3F   . EB 05          JMP SHORT CUTEFTPP.0046CF46-------->Then Jump

0046CF46   > 85C0           TEST EAX,EAX----------------------->Which equals zero of course because of the XOR
0046CF48   . 0F84 7B010000  JE CUTEFTPP.0046D0C9--------------->Jump to delete our key routine

Restart the program in Olly (Ctrl+F2) before it reaches that delete-key section, otherwise the key is removed and you will have to re-enter your details again.

I tried changing 0046CED9 to INC EAX so that EAX would equal 1, but this is a bad jump, so I will save you the trouble of trying that.

So my next idea was this:

0046CF3F   . EB 05          JMP SHORT cuteftpp.0046CF46---------->Nop this

0046CF43   . 83D8 FF        SBB EAX,-1--------------------------->Change to INC EAX

Why? Remember there are 2 conditional jumps that lead to the delete-key routine, both in this section of code. We NOP the jump so that the "strings match" path falls through into the SBB pair as well, which gives us more chance of turning a potential 0=unregistered flag into 1=registered, and we change the second SBB to INC EAX so that EAX equals 1 at 0046CF46; with luck AX will then equal 1 at 0046CF5C too. One caveat: SBB EAX,EAX leaves EAX at 0 if the carry flag is clear and at FFFFFFFF if it is set, and the carry comes from the CMP that failed in the compare loop (or from the XOR on the match path, which clears it). After INC EAX you therefore get 1 only when the byte in DL was not below the byte at [ESI] at that last CMP; with the roles shown above (DL from your serial, [ESI] from A2222222222222) a serial whose first byte is a digit, such as the all-7s one we used earlier, would still give 0 and take the jump to the delete-key routine.

0046CF41   > 1BC0           SBB EAX,EAX
0046CF43   . 83D8 FF        SBB EAX,-1--------------------------->We change to INC EAX
0046CF46   > 85C0           TEST EAX,EAX------------------------->1 here (SBB EAX,EAX gave 0 because the carry flag was clear, then INC)
0046CF48   . 0F84 7B010000  JE CUTEFTPP.0046D0C9
0046CF4E   . 8D4424 2C      LEA EAX,DWORD PTR SS:[ESP+2C]
0046CF52   . 55             PUSH EBP
0046CF53   . 50             PUSH EAX
0046CF54   . E8 A7A90000    CALL CUTEFTPP.00477900
0046CF59   . 83C4 08        ADD ESP,8
0046CF5C   . 66:85C0        TEST AX,AX--------------------------->Actually it equals FFFF here, from the OR AX,0FFFF at 00477990 inside the call
0046CF5F   . 0F84 64010000  JE CUTEFTPP.0046D0C9

Lets look in the call at 00477900:

00477900  /$ 83EC 20        SUB ESP,20
00477903  |. 8B5424 28      MOV EDX,DWORD PTR SS:[ESP+28]
00477907  |. 57             PUSH EDI
00477908  |. 8BFA           MOV EDI,EDX
0047790A  |. 83C9 FF        OR ECX,FFFFFFFF
0047790D  |. 33C0           XOR EAX,EAX
0047790F  |. C64424 12 00   MOV BYTE PTR SS:[ESP+12],0
00477914  |. F2:AE          REPNE SCAS BYTE PTR ES:[EDI]
00477916  |. F7D1           NOT ECX
00477918  |. 49             DEC ECX
00477919  |. C64424 22 00   MOV BYTE PTR SS:[ESP+22],0
0047791E  |. 83F9 0E        CMP ECX,0E
00477921  |. 0F85 82000000  JNZ CUTEFTPP.004779A9
00477927  |. 8B02           MOV EAX,DWORD PTR DS:[EDX]
00477929  |. 8B4A 04        MOV ECX,DWORD PTR DS:[EDX+4]
0047792C  |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX
00477930  |. 8B42 08        MOV EAX,DWORD PTR DS:[EDX+8]
00477933  |. 894C24 08      MOV DWORD PTR SS:[ESP+8],ECX
00477937  |. 66:8B4A 0C     MOV CX,WORD PTR DS:[EDX+C]
0047793B  |. 8D5424 04      LEA EDX,DWORD PTR SS:[ESP+4]
0047793F  |. 56             PUSH ESI
00477940  |. 52             PUSH EDX
00477941  |. 894424 14      MOV DWORD PTR SS:[ESP+14],EAX
00477945  |. 66:894C24 18   MOV WORD PTR SS:[ESP+18],CX
0047794A  |. E8 F1AC0900    CALL CUTEFTPP.00512640
0047794F  |. 8D4424 0C      LEA EAX,DWORD PTR SS:[ESP+C]
00477953  |. 50             PUSH EAX
00477954  |. E8 F7BBFFFF    CALL CUTEFTPP.00473550
00477959  |. 8BF0           MOV ESI,EAX
0047795B  |. 56             PUSH ESI
0047795C  |. E8 DFB8FFFF    CALL CUTEFTPP.00473240
00477961  |. 8D4C24 24      LEA ECX,DWORD PTR SS:[ESP+24]
00477965  |. 8BF8           MOV EDI,EAX
00477967  |. 51             PUSH ECX
00477968  |. 56             PUSH ESI
00477969  |. C64424 2C 00   MOV BYTE PTR SS:[ESP+2C],0
0047796E  |. E8 5DBAFFFF    CALL CUTEFTPP.004733D0
00477973  |. 8D5424 1C      LEA EDX,DWORD PTR SS:[ESP+1C]
00477977  |. 6A 0E          PUSH 0E
00477979  |. 8D4424 30      LEA EAX,DWORD PTR SS:[ESP+30]
0047797D  |. 52             PUSH EDX
0047797E  |. 50             PUSH EAX
0047797F  |. E8 CCC60900    CALL CUTEFTPP.00514050
00477984  |. 83C4 20        ADD ESP,20
00477987  |. 85C0           TEST EAX,EAX
00477989  |. 5E             POP ESI
0047798A  |. 75 0F          JNZ SHORT CUTEFTPP.0047799B
0047798C  |. 8B4C24 28      MOV ECX,DWORD PTR SS:[ESP+28]
00477990     66:0D FFFF     OR AX,0FFFF
00477994  |. 8939           MOV DWORD PTR DS:[ECX],EDI
00477996  |. 5F             POP EDI
00477997  |. 83C4 20        ADD ESP,20

Let us change:

00477990     66:0D FFFF     OR AX,0FFFF-------------------->to INC AX; now it will return 1 instead of FFFF when it gets back to 0046CF5C.

This is the only path in the routine that sets AX non-zero: the REPNE SCASB / NOT ECX / DEC ECX sequence at the top is an inlined strlen, CMP ECX,0E demands exactly 14 characters, and the call at 00514050 (given the two buffers and a length of 0E, and apparently a memcmp-style compare returning zero on a match) decides whether we reach the OR.


Okay, restart the program in Olly, F9 (Run) to get to our breakpoint, make the above changes, F9 (Run) again, and bingo: the program is licensed in our name, but UNVERIFIED.

Okay, make the above changes permanent as described before; we obviously want to keep these amendments.

But what if we now want it to accept any serial? Okay, I want my serial to be AR CRACKING, so again I use HexToText; in hex that is 41 52 20 43 52 41 43 4B 49 4E 47. I alter my CuteFTPregcrack.reg file and double click on it to merge it into the registry.
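Editing the .reg file by hand with HexToText output is easy to get wrong, so here is an added example (not part of this tutorial, and not CuteFTP's own code) that writes the same fragment for the AR CRACKING step above and for the A2222222222222 experiment earlier: RegUserName as a string value and Index\1 as the raw serial bytes, and reads the bytes back out of an export. It assumes Index\1 is REG_BINARY (inferred from Regmon printing raw bytes for it where it prints a quoted string for RegUserName), that the 14-character limit reported later is a maximum, and that the file is saved as UTF-16 the way Regedit exports Version 5.00 files.

```python
"""Write and read back the CuteFTP Pro registry fragment used in the tutorial.

Added example, not part of the tutorial and not CuteFTP's code.  Key and value
names are the ones Regmon showed; the REG_BINARY type of Index\\1 is inferred
from Regmon printing raw bytes for it, and 14 is the serial length limit the
tutorial reports.
"""
import re

KEY = r"HKEY_USERS\.DEFAULT\Software\GlobalSCAPE\CuteFTP Professional"
SERIAL_MAX = 14


def serial_bytes(serial):
    """Bytes stored under Index\\1: the serial as plain ASCII (the compare loop
    at 0046CF1D works byte by byte, so anything non-ASCII is out of scope)."""
    data = serial.encode("ascii")
    if not 1 <= len(data) <= SERIAL_MAX:
        raise ValueError("serial must be 1..%d characters, got %d" % (SERIAL_MAX, len(data)))
    return data


def reg_text(user_name, serial):
    """Text of a .reg file that recreates what the Regmon trace showed being written."""
    hexed = ",".join("%02x" % b for b in serial_bytes(serial))
    name = user_name.replace("\\", "\\\\").replace('"', '\\"')   # .reg string escaping
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[%s]\r\n\"RegUserName\"=\"%s\"\r\n\r\n"
        "[%s\\Index]\r\n\"1\"=hex:%s\r\n" % (KEY, name, KEY, hexed)
    )


def write_reg_file(path, user_name, serial):
    """Regedit exports Version 5.00 files as UTF-16 with a BOM; match that."""
    with open(path, "w", encoding="utf-16", newline="") as f:
        f.write(reg_text(user_name, serial))


def read_index_value(text):
    """Pull the Index\\1 bytes back out of a .reg export.  Regedit wraps long hex
    runs with a trailing backslash and indents the continuation line, so join
    those first; returns None if the value is absent."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    m = re.search(r'^"1"=hex:([0-9A-Fa-f]{2}(?:,[0-9A-Fa-f]{2})*)', joined, re.M)
    if not m:
        return None
    return bytes(int(h, 16) for h in m.group(1).split(","))
```

Merge the result with a double click as in the text; `read_index_value` is handy for checking what an export of the key actually contains after the program has had its turn at it.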

Okay, restart the program in Olly and put a breakpoint on those last 2 tests:

0046CF46     85C0           TEST EAX,EAX

&

0046CF5C     66:85C0        TEST AX,AX

Now F9 (Run), and we break at the first test.

We see our serial being compared in the registers window, and at the first breakpoint EAX=1, which is okay.

We get to the 2nd breakpoint and AX=0, so simply change this line to:

0046CF5C     66:40          INC AX
0046CF5E     90             NOP

Now we know that AX will also equal 1, so we F9 (Run), and the program opens registered to us with a serial of AR CRACKING, but UNVERIFIED.

So, if you want to register the program with any serial, make these changes permanent; you are restricted to 14 characters though.

Okay, now we have to make sure that the program never tries to verify the serial with the author's site. One way that seems to work, if you have a firewall, is just not to allow CUTEFTPPRO.exe access to the internet; after all, ftpte.exe is responsible for all the file transfers. I did this successfully for a while, but decided I should try and make 100% sure; at least with logging enabled on my firewall I could see when an attempt was made.

Actually the solution is quite easy: the routine is right under the one we were working on before. Take note of the value of EAX at 0046CF69:

0046CF65   . 8B4424 10      MOV EAX,DWORD PTR SS:[ESP+10]
0046CF69     85C0           TEST EAX,EAX
0046CF6B   . 0F84 82010000  JE CUTEFTPP.0046D0F3
0046CF71   . 68 48775C00    PUSH CUTEFTPP.005C7748                   ;  ASCII "http://"
0046CF76   . 8D4C24 1C      LEA ECX,DWORD PTR SS:[ESP+1C]
0046CF7A   . E8 65FF0B00    CALL CUTEFTPP.0052CEE4
0046CF7F   . 8D4C24 34      LEA ECX,DWORD PTR SS:[ESP+34]
0046CF83   . 6A 0A          PUSH 0A                                  ; /Arg3 = 0000000A
0046CF85   . 51             PUSH ECX                                 ; |Arg2
0046CF86   . 6A 50          PUSH 50                                  ; |Arg1 = 00000050
0046CF88   . C68424 100C000>MOV BYTE PTR SS:[ESP+C10],2              ; |
0046CF90   . E8 19580A00    CALL CUTEFTPP.005127AE                   ; \CUTEFTPP.005127AE
0046CF95   . 83C4 0C        ADD ESP,0C
0046CF98   . 8D4C24 10      LEA ECX,DWORD PTR SS:[ESP+10]------------>Connect to Port 80
0046CF9C   . 68 2C775C00    PUSH CUTEFTPP.005C772C                   ;  ASCII "dbregistration.cuteftp.com"----------------------------------------->Author's site
0046CFA1   . E8 3EFF0B00    CALL CUTEFTPP.0052CEE4
0046CFA6   . 68 20365C00    PUSH CUTEFTPP.005C3620
0046CFAB   . 8D4C24 14      LEA ECX,DWORD PTR SS:[ESP+14]
0046CFAF   . C68424 080C000>MOV BYTE PTR SS:[ESP+C08],3
0046CFB7   . E8 91780B00    CALL CUTEFTPP.0052484D
0046CFBC   . 8BF0           MOV ESI,EAX
0046CFBE   . 83FE FF        CMP ESI,-1
0046CFC1   . 74 2F          JE SHORT CUTEFTPP.0046CFF2
0046CFC3   . 68 28775C00    PUSH CUTEFTPP.005C7728
0046CFC8   . 56             PUSH ESI
0046CFC9   . 8D4C24 18      LEA ECX,DWORD PTR SS:[ESP+18]
0046CFCD   . E8 DB730B00    CALL CUTEFTPP.005243AD
0046CFD2   . 8D5424 34      LEA EDX,DWORD PTR SS:[ESP+34]
0046CFD6   . 46             INC ESI
0046CFD7   . 52             PUSH EDX
0046CFD8   . 56             PUSH ESI
0046CFD9   . 8D4C24 18      LEA ECX,DWORD PTR SS:[ESP+18]
0046CFDD   . E8 CB730B00    CALL CUTEFTPP.005243AD
0046CFE2   . 8D4424 10      LEA EAX,DWORD PTR SS:[ESP+10]
0046CFE6   . 8D4C24 18      LEA ECX,DWORD PTR SS:[ESP+18]
0046CFEA   . 50             PUSH EAX
0046CFEB   . E8 9E020C00    CALL CUTEFTPP.0052D28E
0046CFF0   . EB 2A          JMP SHORT CUTEFTPP.0046D01C
0046CFF2   > 68 2C775C00    PUSH CUTEFTPP.005C772C                   ;  ASCII "dbregistration.cuteftp.com"
0046CFF7   . 8D4C24 1C      LEA ECX,DWORD PTR SS:[ESP+1C]
0046CFFB   . E8 52020C00    CALL CUTEFTPP.0052D252
0046D000   . 68 28775C00    PUSH CUTEFTPP.005C7728
0046D005   . 8D4C24 1C      LEA ECX,DWORD PTR SS:[ESP+1C]
0046D009   . E8 44020C00    CALL CUTEFTPP.0052D252
0046D00E   . 8D4C24 34      LEA ECX,DWORD PTR SS:[ESP+34]
0046D012   . 51             PUSH ECX
0046D013   . 8D4C24 1C      LEA ECX,DWORD PTR SS:[ESP+1C]
0046D017   . E8 36020C00    CALL CUTEFTPP.0052D252
0046D01C   > 8B5424 18      MOV EDX,DWORD PTR SS:[ESP+18]
0046D020   . 52             PUSH EDX
0046D021   . E8 FABA0400    CALL CUTEFTPP.004B8B20
0046D026   . 83C4 04        ADD ESP,4
0046D029   . 85C0           TEST EAX,EAX
0046D02B   . 74 53          JE SHORT CUTEFTPP.0046D080

and when you get here:

0046D021   . E8 FABA0400    CALL CUTEFTPP.004B8B20

If you step into the call (F7), you can see this routine holds the internet APIs. It calls InternetGetConnectedState, then InternetOpenA and InternetOpenUrlA on the URL built above, closes the handles again, and returns the connected flag in EAX (the MOV EAX,EDI), or 0 if InternetOpenA or InternetOpenUrlA failed:

004B8B20  /$ 51             PUSH ECX
004B8B21  |. 56             PUSH ESI
004B8B22  |. 57             PUSH EDI
004B8B23  |. 8D4424 08      LEA EAX,DWORD PTR SS:[ESP+8]
004B8B27  |. 6A 00          PUSH 0
004B8B29  |. 50             PUSH EAX
004B8B2A  |. FF15 F4A85700  CALL DWORD PTR DS:[<&WININET.InternetGet>;  WININET.InternetGetConnectedState
004B8B30  |. 8BF8           MOV EDI,EAX
004B8B32  |. 85FF           TEST EDI,EDI
004B8B34  |. 74 5A          JE SHORT CUTEFTPP.004B8B90
004B8B36  |. 6A 00          PUSH 0
004B8B38  |. 6A 00          PUSH 0
004B8B3A  |. 6A 00          PUSH 0
004B8B3C  |. 6A 00          PUSH 0
004B8B3E  |. 68 00CE5C00    PUSH CUTEFTPP.005CCE00                   ;  ASCII "InternetConn"
004B8B43  |. FF15 F0A85700  CALL DWORD PTR DS:[<&WININET.InternetOpe>;  WININET.InternetOpenA
004B8B49  |. 8BF0           MOV ESI,EAX
004B8B4B  |. 85F6           TEST ESI,ESI
004B8B4D  |. 74 3B          JE SHORT CUTEFTPP.004B8B8A
004B8B4F  |. 8B4C24 10      MOV ECX,DWORD PTR SS:[ESP+10]
004B8B53  |. 53             PUSH EBX
004B8B54  |. 6A 00          PUSH 0
004B8B56  |. 68 00000080    PUSH 80000000
004B8B5B  |. 6A 00          PUSH 0
004B8B5D  |. 6A 00          PUSH 0
004B8B5F  |. 51             PUSH ECX
004B8B60  |. 56             PUSH ESI
004B8B61  |. FF15 FCA85700  CALL DWORD PTR DS:[<&WININET.InternetOpe>;  WININET.InternetOpenUrlA
004B8B67  |. 8B1D CCA85700  MOV EBX,DWORD PTR DS:[<&WININET.Internet>;  WININET.InternetCloseHandle
004B8B6D  |. 85C0           TEST EAX,EAX
004B8B6F  |. 74 0D          JE SHORT CUTEFTPP.004B8B7E
004B8B71  |. 50             PUSH EAX
004B8B72  |. FFD3           CALL EBX                                 ;  <&WININET.InternetCloseHandle>
004B8B74  |. 56             PUSH ESI
004B8B75  |. FFD3           CALL EBX
004B8B77  |. 8BC7           MOV EAX,EDI
004B8B79  |. 5B             POP EBX
004B8B7A  |. 5F             POP EDI
004B8B7B  |. 5E             POP ESI
004B8B7C  |. 59             POP ECX
004B8B7D  |. C3             RETN
004B8B7E  |> 56             PUSH ESI
004B8B7F  |. 33FF           XOR EDI,EDI
004B8B81  |. FFD3           CALL EBX
004B8B83  |. 8BC7           MOV EAX,EDI
004B8B85  |. 5B             POP EBX
004B8B86  |. 5F             POP EDI
004B8B87  |. 5E             POP ESI
004B8B88  |. 59             POP ECX
004B8B89  |. C3             RETN
004B8B8A  |> 5F             POP EDI
004B8B8B  |. 33C0           XOR EAX,EAX
004B8B8D  |. 5E             POP ESI
004B8B8E  |. 59             POP ECX
004B8B8F  |. C3             RETN
004B8B90  |> 8BC7           MOV EAX,EDI
004B8B92  |. 5F             POP EDI
004B8B93  |. 5E             POP ESI
004B8B94  |. 59             POP ECX
004B8B95  \. C3             RETN

Well, EAX=1 at 0046CF69, so all you need to do is change:

0046CF69     85C0           TEST EAX,EAX

to:

0046CF69     33C0           XOR EAX,EAX

Then we jump to here:

0046D0F3   > C68424 040C000>MOV BYTE PTR SS:[ESP+C04],0

Which is past the online verification routine. I used the program after this change, and my firewall log no longer shows any connection attempts to the author's site.

So again, make these changes permanent in Olly.
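Olly's Copy to executable/Save file does the job, but if you come back to this later you want a reproducible way to re-apply exactly the six changes from this tutorial to a clean copy, and to be told if the file is not the build the listings came from. The script below is an added example, not part of the tutorial and not OllyDbg's or GlobalSCAPE's code. It reads the PE section table to turn each virtual address Olly showed into a file offset, checks that the bytes there are the ones in the listings before it touches anything, and refuses on any mismatch, so running it twice or on another version fails instead of corrupting the file. The NOP padding for the INC EAX / INC AX replacements is an assumption matching Olly's "Fill with NOP's"; the in-memory image made by build_fake_image is constructed purely so the script can be exercised without the real binary, and its section layout is not CUTEFTPPRO.exe's.

```python
"""Re-apply the tutorial's six byte patches to a copy of CUTEFTPPRO.exe.

Added example, not from the tutorial, OllyDbg or GlobalSCAPE.  Virtual
addresses are translated through the PE32 section table read from the file,
and every patch is checked against the original bytes from the listings
before anything is written.  NOP padding is assumed for the replacements that
are shorter than the instruction they replace (as Olly's "Fill with NOP's").
"""
import struct
import sys

# VA -> (original bytes from the listing, replacement)
PATCHES = {
    0x0046FC5D: (b"\x66\x85\xC0",     b"\x66\x40\x90"),       # TEST AX,AX -> INC AX; NOP
    0x0046CF3F: (b"\xEB\x05",         b"\x90\x90"),           # JMP SHORT 0046CF46 -> NOP; NOP
    0x0046CF43: (b"\x83\xD8\xFF",     b"\x40\x90\x90"),       # SBB EAX,-1 -> INC EAX; NOP; NOP
    0x0046CF5C: (b"\x66\x85\xC0",     b"\x66\x40\x90"),       # TEST AX,AX -> INC AX; NOP
    0x0046CF69: (b"\x85\xC0",         b"\x33\xC0"),           # TEST EAX,EAX -> XOR EAX,EAX
    0x00477990: (b"\x66\x0D\xFF\xFF", b"\x66\x40\x90\x90"),   # OR AX,0FFFF -> INC AX; NOP; NOP
}


def parse_pe32(image):
    """Return (image_base, [(va, vsize, raw_ptr, raw_size), ...]) from a PE32 file image."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]               # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(va, image_base, sections):
    """Map a virtual address (as Olly shows it) to a file offset via the section table."""
    rva = va - image_base
    for sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:
                raise ValueError("VA %#x lies in uninitialised data, not in the file" % va)
            return raw_ptr + delta
    raise ValueError("VA %#x is not inside any section" % va)


def apply_patches(image, patches=PATCHES):
    """Return a patched copy of `image`; raise ValueError rather than patch a
    file whose bytes do not match the listings (wrong build, or already patched)."""
    out = bytearray(image)
    image_base, sections = parse_pe32(image)
    for va, (orig, new) in sorted(patches.items()):
        if len(orig) != len(new):
            raise ValueError("patch at %#x changes instruction length" % va)
        off = va_to_offset(va, image_base, sections)
        found = bytes(out[off:off + len(orig)])
        if found != orig:
            raise ValueError("at %#x (file %#x) expected %s, found %s"
                             % (va, off, orig.hex(), found.hex()))
        out[off:off + len(new)] = new
    return bytes(out)


def build_fake_image():
    """CONSTRUCTED stand-in for the real CUTEFTPPRO.exe: a minimal PE32 with one
    section laid out so the patched addresses exist and hold the listing's bytes.
    It exists only so the patcher can be exercised offline; the real file's
    section layout differs."""
    image_base, sec_va, raw_ptr, raw_size = 0x00400000, 0x6C000, 0x400, 0xC000
    img = bytearray(raw_ptr + raw_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x58, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", img, 0x58 + 28, image_base)                       # ImageBase
    sec = 0x58 + 0xE0                                                        # first section header
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, raw_size, sec_va, raw_size, raw_ptr)
    for va, (orig, _) in PATCHES.items():
        off = raw_ptr + (va - image_base - sec_va)
        img[off:off + len(orig)] = orig
    return bytes(img)


if __name__ == "__main__":
    src, dst = sys.argv[1], sys.argv[2]   # usage: patch.py CUTEFTPPRO.exe CUTEFTPPRO.patched.exe
    with open(src, "rb") as f:
        patched = apply_patches(f.read())
    with open(dst, "wb") as f:
        f.write(patched)
    print("patched %d locations -> %s" % (len(PATCHES), dst))
```

Writing to a separate output file rather than in place keeps the untouched original around; the byte check is what stops you from silently patching the wrong build, which with a 2-byte JMP turned into NOPs would otherwise go unnoticed until something crashed.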

So, as far as I'm concerned, that is job done. I did notice that there were 3 other mentions of dbregistration.cuteftp.com in the referenced text strings (0046D428, 004703E4 & 00473E22), but none of those routines seem to be called with our current registration status, and in my opinion so long as the target is killed and fully functions, that is the end of the story, so well done crackers!!!

And remember, if you use the program, buy it; software developers rely on the income from sales to keep going, and if nobody buys, no new software would be developed.

*************************************************************************************************
SHOUTZ AND GREETZ:

To the AR Cracking forum, exetools forum, tsrh forum, Ollydbg forum, Ricardo Narvaja, Kruger, Britedream, Satyric0n, R@dier, LaBBa, Nilrem & Ferarri, whose tuts have helped me more than any others, Ollydbg, and the authors of CuteFTP Pro.
*************************************************************************************************
