How to crack CuteFTP 4.0

Source: Internet
Author: User
Tags: globalscape

Comments: The protection of early versions of CuteFTP is still quite strong. It first used a KeyFile and later switched to a registration code; a 3.x version was used as the strainer (entrance test) of HCU (High Cracking University). Version 4.0 can be turned into a registered version, but after the registration code is entered it connects to the company's server for verification. You can trace the registration code from the point where it is entered, but since it cannot pass the online verification the program does not save the code, so on the next start it is still unregistered. Instead, trace and find the registration code from the moment the program starts; in fact, any software can be analyzed from its startup.
Checking with RegMon and FileMon turns up a registry value named Key1, which contains a long string of random-looking characters. You could set bpx RegQueryValueExA as a breakpoint and trace from there, but this program reads far too many registry values, and SoftICE conditional breakpoints do not work well here (I used bpx RegQueryValueExA if *(esp+8)=='key1', but it did not break), so use W32Dasm to find a suitable breakpoint instead. After disassembling, find the place that references the string "Key1", note its address, load the main program with Symbol Loader and set a breakpoint at that address. You will find that the value is read just below that point, and that the length of the Key1 string must be less than or equal to 20 (0x14) bytes:

015F: 00489074 mov esi, [ADVAPI32!RegQueryValueExA]
015F: 0048907A JNZ 004890A9
015F: 0048907C mov ecx, [ESP+10]
015F: 00489080 lea edx, [ESP+14]
015F: 00489084 PUSH EDX
015F: 00489085 lea eax, [ESP+20]
015F: 00489089 PUSH EBX
015F: 0048908A PUSH EAX
015F: 0048908B PUSH 00
015F: 0048908D PUSH 0053E030 // "Key1"
015F: 00489092 PUSH ECX
015F: 00489093 call esi // read the registry value
015F: 00489095 test eax, EAX
015F: 00489097 JNZ 004890A2
015F: 00489099 mov edx, [ESP+10]
015F: 0048909D PUSH EDX
015F: 0048909E CALL EBP
015F: 004890A0 JMP 00489108

.........

015F: 00489108 mov ecx, [ESP+14] // length of the Key1 string
015F: 0048910C cmp ecx, 14 // the length must be less than or equal to 0x14 (20)
015F: 0048910F JBE 0048911B
015F: 00489111 POP EDI
015F: 00489112 POP ESI
015F: 00489113 POP EBP
015F: 00489114 xor eax, EAX // bad guy
015F: 00489116 POP EBX
015F: 00489117 add esp, 10
015F: 0048911A RET
015F: 0048911B mov eax, [ESP+28]
015F: 0048911F test eax, EAX
015F: 00489121 JZ 00489125
015F: 00489123 MOV [EAX], ECX
015F: 00489125 POP EDI
015F: 00489126 POP ESI
015F: 00489127 POP EBP
015F: 00489128 mov eax, 00000001
015F: 0048912D POP EBX
015F: 0048912E add esp, 10
015F: 00489131 RET

Replace the Key1 value with an ASCIIZ string of fewer than 20 characters and run the program again. After Key1 has been read, set a BPR breakpoint on the Key1 string; the program converts Key1 to uppercase and then checks its length:

015F: 004AB0F0 REPNZ SCASB
015F: 004AB0F2 NOT ECX
015F: 004AB0F4 DEC ECX
015F: 004AB0F5 cmp ecx, 0E
015F: 004AB0F8 JNZ 004AB16D

So the length must be exactly 14 characters. Next, the program checks whether the first character of Key1 is 'A' and computes a value from the remaining characters of the registration code:

015F: 00491828 cmp byte ptr [EBX], 41 // the first character of Key1 must be 'A'
015F: 0049182B JZ 00491832
015F: 0049182D POP EDI
015F: 0049182E xor eax, EAX // bad guy
015F: 00491830 POP EBX
015F: 00491831 RET
015F: 00491832 push esi // the calculation is as follows:
015F: 00491833 mov esi, 00000001
015F: 00491838 mov al, [EBX+ESI]
015F: 0049183B PUSH EAX
015F: 0049183C CALL 004917D0
015F: 00491841 shl edi, 05
015F: 00491844 add esp, 04
015F: 00491847 or edi, EAX
015F: 00491849 INC ESI
015F: 0049184A cmp esi, 07
015F: 0049184D JL 00491838
015F: 0049184F mov cl, [EBX+07]
015F: 00491852 PUSH ECX
015F: 00491853 CALL 004917D0
015F: 00491858 add esp, 04
015F: 0049185B lea edx, [EDI*4+00000000]
015F: 00491862 shr eax, 02
015F: 00491865 POP ESI
015F: 00491866 POP EDI
015F: 00491867 or eax, EDX
015F: 00491869 POP EBX
015F: 0049186A RET

After the calculation is complete, start the comparison:

015F: 004AB0F0 REPNZ SCASB
015F: 004AB0F2 NOT ECX
015F: 004AB0F4 DEC ECX
015F: 004AB0F5 cmp ecx, 0E // this is the length check shown above
015F: 004AB0F8 JNZ 004AB16D
015F: 004AB0FA PUSH ESI
015F: 004AB0FB CALL 004B1B8A
015F: 004AB100 PUSH 0E
015F: 004AB102 lea eax, [ESP+20]
015F: 004AB106 PUSH ESI
015F: 004AB107 PUSH EAX
015F: 004AB108 CALL 004AF930
015F: 004AB10D lea ecx, [ESP+28]
015F: 004AB111 mov byte ptr [ESP+36], 00
015F: 004AB116 PUSH ECX
015F: 004AB117 CALL 00491820 // the calculation routine shown above
015F: 004AB11C mov esi, EAX
015F: 004AB11E PUSH ESI
015F: 004AB11F CALL 00491510
015F: 004AB124 lea edx, [ESP+20]
015F: 004AB128 mov edi, EAX
015F: 004AB12A PUSH EDX
015F: 004AB12B PUSH ESI
015F: 004AB12C mov byte ptr [ESP+28], 00
015F: 004AB131 CALL 004916A0
015F: 004AB136 lea eax, [ESP+38]
015F: 004AB13A PUSH 0E // 14 characters
015F: 004AB13C lea ecx, [ESP+2C]
015F: 004AB140 push eax // real registration code
015F: 004AB141 push ecx // entered (false) registration code
015F: 004AB142 CALL 004B04D0 // comparison
015F: 004AB147 add esp, 2C
015F: 004AB14A test eax, EAX
015F: 004AB14C JNZ 004AB15E
015F: 004AB14E mov edx, [ESP+2C]
015F: 004AB152 or ax, FFFF // good guy
015F: 004AB156 MOV [EDX], EDI
015F: 004AB158 POP EDI
015F: 004AB159 POP ESI
015F: 004AB15A add esp, 20
015F: 004AB15D RET
015F: 004AB15E mov eax, [ESP+2C]
015F: 004AB162 MOV [EAX], EDI
015F: 004AB164 POP EDI
015F: 004AB165 xor ax, AX // bad guy
015F: 004AB168 POP ESI
015F: 004AB169 add esp, 20
015F: 004AB16C RET

At this point the registration code has been found. The calculation and comparison above show that the registration code does not depend on the user name, which is why the program does not need to read the user name at startup. Monitoring with RegMon while the About dialog box is displayed shows that it also reads the RegUserName value, which obviously stores the user name.
Relevant registry keys:
HKEY_LOCAL_MACHINE\Software\GlobalSCAPE Inc.\CuteFTP\Key1
HKEY_LOCAL_MACHINE\Software\GlobalSCAPE Inc.\CuteFTP\RegUserName
HKEY_CLASSES_ROOT\pfc
The last key stores the date; older versions keep it there as well.
