July 1998
"FtpWolf 2.00"
Win '95 PROGRAM
Win Code Reversing
 
 
by Lownoise 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: FtpWolf 2.01
Program Type: Ftp Search Util
Program Location: Here 
Program Size: 973K 
 
   
Tools Used:
W32Dasm V8.9 - Disassembler
Softice V3.2 - Debugger
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
FtpWolf 2.01
Written by Lownoise
 
 
 
Introduction
 
The author says:
FtpWolf is an Internet file search utility. It can search, filter and compile the results from 26 FTP engines on the net, and deliver the Information to your browser for downloads. FtpWolf can search most of the world's FTP search engines concurrently, via a single interface, and in a matter of seconds.

 
About this protection system
 
The protection is a serial number derived from your name/handle; you reach the Registration screen through the initial nag screen that reminds you to register.
 
The Essay 
     
Once I installed the program I fired W32Dasm up to get a dead listing of the program:
Well, well, well, look at the String Data Resources and you will find "Invalid Registration":

:00403C7A push eax ;EAX=Your name
:00403C7B call 0040ABA5 ;Generate Password and test it
:00403C80 pop ecx
:00403C81 test eax, eax ;test EAX
:00403C83 pop ecx
:00403C84 jnz 00403C9E ;If EAX=0 bad boy
:00403C86 push 00000030

* Possible StringData Ref from Data Obj ->"Invalid Registration"

:00403C88 push 00414BC0

* Possible StringData Ref from Data Obj ->"Invalid Registration Name or Serial Number"

:00403C8D push 00414B94
:00403C92 push ebx

* Reference To: USER32.MessageBoxA, Ord:0195h

:00403C93 Call dword ptr [00423450]
:00403C99 jmp 00403DC2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:00403C84(C)

:00403C9E mov eax, dword ptr [00418E64]
So if EAX=1 we'll be registered.
We could crack this baby by changing the JNZ into an unconditional JMP,
but why would we do that? Load FtpWolf in Softice.
Use the *Register* button to go to the place where we must be.
Enter a name and a serial code; when you press the OK button you will see a message box with "Invalid Registration".
This MessageBoxA is the point where we set a breakpoint.
Switch to Softice and set a breakpoint with bpx messageboxa.
Now press the OK button and Softice will break; press the key and Softice will land here:

:00403C99 jmp 00403DC2 ;You remember this from the W32Dasm listing?
Clear your breakpoints with bc * and set a new breakpoint on the call a few lines above (call 0040ABA5).
Switch to FtpWolf and press the OK button again.
Softice will break on the call; press F8 once and you will land here:

:0040ABA5 push ebp
:0040ABA6 mov ebp, esp
:0040ABA8 sub esp, 00000030
:0040ABAB mov eax, dword ptr [ebp+0C] ;pointer to your serial number to EAX
:0040ABAE push ebx
:0040ABAF push esi
:0040ABB0 push edi
:0040ABB1 test eax, eax ;empty?
:0040ABB3 je 0040ACC5 ;yes bad cracker
:0040ABB9 mov ebx, dword ptr [ebp+08] ;pointer to your name to EBX
:0040ABBC test ebx, ebx ;no name at all?
:0040ABBE je 0040ACC5 ;yes bad cracker
:0040ABC4 cmp byte ptr [eax], 46 ;first character of the serial 'F'?
:0040ABC7 jne 0040ACC5 ;no bad cracker
:0040ABCD cmp byte ptr [eax+01], 57 ;next character 'W'?
:0040ABD1 jne 0040ACC5 ;no bad cracker

If you have read the above code you see that the program checks the first and second characters of your serial and compares them with "FW".
Clear your first breakpoint and set a new breakpoint on line 0040ABE1 pop ecx.
Change your serial so that the first and second characters are FW, and press the OK button.
:0040ABD7 push eax ; softice will break here EAX=your serial
:0040ABD8 lea eax, dword ptr [ebp-1C]
:0040ABDB push eax ;push new location serial
:0040ABDC call 0040B530 ; copy it into the new location
:0040ABE1 pop ecx
:0040ABE2 lea eax, dword ptr [ebp-1C] ; Serial in EAX
:0040ABE5 pop ecx
:0040ABE6 push 0000002D ;push a '-'
:0040ABE8 push eax ;Push Serial
:0040ABE9 call 0040BDC0 ;check for '-' in serial
:0040ABEE mov esi, eax ; results to esi
:0040ABF0 pop ecx
:0040ABF1 test esi, esi ;is the '-' in the serial?
:0040ABF3 pop ecx
:0040ABF4 mov dword ptr [ebp+0C], esi ;save the pointer to the '-'
:0040ABF7 je 0040ACC5 ;no bad cracker
:0040ABFD and byte ptr [esi], 00 ;replace the '-' with 00, cutting the serial there
So we now know that the serial must contain FW1-. If you are wondering where the 1 comes from, believe me it must be there, otherwise on startup you will get a message box saying it is a pirated copy of FtpWolf.
At this moment my registration name is lownoise and my serial is FW1-123456.
Let's go further.

:0040AC00 lea eax, dword ptr [ebp-08]
:0040AC03 push 00415C80
:0040AC08 push eax
:0040AC09 call 0040B530 ;initialise the 4-byte key buffer at EBP-08
:0040AC0E pop ecx
:0040AC0F lea eax, dword ptr [ebp-08]
:0040AC12 pop ecx
:0040AC13 push 00000004
:0040AC15 push ebx ;your name
:0040AC16 push eax ;here come the first 4 characters of your name
:0040AC17 call 0040C4D0 ;copy the 4 characters
:0040AC1C mov al, byte ptr [ebp-1C] ;EBP-1C contains your serial code, AL gets the first character (F)
:0040AC1F add esp, 0000000C
:0040AC22 test al, al ;zero?
:0040AC24 je 0040AC4D ;zero, jump to the next part
:0040AC26 lea edi, dword ptr [ebp-1C] ;pointer to the serial in EDI
:0040AC29 mov dl, al ;the serial character (F) to DL
:0040AC2B xor esi, esi ;ESI to 0 (the counter)
:0040AC2D add dl, 02 ;add 02 to the serial character
:0040AC30 mov al, byte ptr [ebp+esi-08] ;load a key byte (name character) into AL
:0040AC34 lea ecx, dword ptr [ebp+esi-08] ;address of that key byte
:0040AC38 imul dl ;AL = AL * DL
:0040AC3A inc esi ;add one to the counter
:0040AC3B mov byte ptr [ecx], al ;store the low byte of the product back into the key
:0040AC3D cmp esi, 00000004 ;did we reach the end of the key?
:0040AC40 jl 0040AC30 ;no? jump, else next line
:0040AC42 mov al, byte ptr [edi+01] ;next character of the serial to AL
:0040AC45 inc edi ;next letter of the serial
:0040AC46 test al, al ;did we reach the end of the serial?
:0040AC48 jne 0040AC29 ;no? jump to 0040AC29 and repeat the action

The program has just made the first key, which will be used for the next operation; in my case 'lown' has been changed to the values '20 E8 A8 50'.
Let's go further.

:0040AC4A mov esi, dword ptr [ebp+0C] ;pointer to the '-' back to ESI
:0040AC4D mov cl, byte ptr [ebx] ;character of your name (EBX) to CL
:0040AC4F test cl, cl ;zero?
:0040AC51 je 0040AC6C ;yes, next part
:0040AC53 mov edx, ebx ;pointer to the name to EDX
:0040AC55 xor eax, eax ;reset EAX to zero (counter)
:0040AC57 add cl, 02 ;name character +2
:0040AC5A xor byte ptr [ebp+eax-08], cl ;xor a key byte with CL
:0040AC5E inc eax ;counter +1
:0040AC5F cmp eax, 00000004 ;all 4 key bytes done?
:0040AC62 jl 0040AC5A ;jump if lower
:0040AC64 mov cl, byte ptr [edx+01] ;next character of the name to CL
:0040AC67 inc edx ;move one to the right in the name
:0040AC68 test cl, cl ;end of the name?
:0040AC6A jne 0040AC55 ;no, repeat, else next line

The first key is now changed into the second key; in my case the values '20 E8 A8 50' are changed to '3E F6 B6 4E'.
Let's go further.

:0040AC6C mov eax, dword ptr [ebp-08] ;the 4 key bytes as one dword to EAX
:0040AC6F test eax, eax ;zero?
:0040AC71 jnz 0040AC78 ;no, jump, else next line
:0040AC73 push 00000001
:0040AC75 pop eax ;a zero key becomes 1
:0040AC76 test eax, eax
:0040AC78 jge 0040AC7C ;not negative? jump
:0040AC7A neg eax ;make it positive
:0040AC7C mov ecx, 0000270F ;9999 in ECX
:0040AC81 cmp eax, ecx ;compare the value with 9999
:0040AC83 jge 0040AC8C ;9999 or higher? jump, else next line
:0040AC85 lea eax, dword ptr [eax+4*eax] ;EAX*5
:0040AC88 shl eax, 1 ;*2, so EAX*10
:0040AC8A jmp 0040AC81 ;and test again
:0040AC8C mov ecx, 000F423F ;999999 in ECX
:0040AC91 cmp eax, ecx ;compare the value with 999999
:0040AC93 jle 0040AC9D ;lower or equal? jump
:0040AC95 push 0000000A
:0040AC97 cdq
:0040AC98 pop edi
:0040AC99 idiv edi ;EAX/10
:0040AC9B jmp 0040AC91 ;and test again
:0040AC9D push eax ;the number
:0040AC9E push 00415C7C ;format string
:0040ACA3 lea eax, dword ptr [ebp-30]
:0040ACA6 push 00000014
:0040ACA8 push eax
:0040ACA9 call 0040B440 ;final call: turn the number into the decimal string that completes your serial
:0040ACAE add esp, 00000010
:0040ACB1 inc esi ;skip the '-', ESI now points at the digits you typed
:0040ACB2 lea eax, dword ptr [ebp-30]
:0040ACB5 push esi ;your code
:0040ACB6 push eax ;good code
:0040ACB7 call 0040BBF0 ;compare them
:0040ACBC neg eax
:0040ACBE pop ecx
:0040ACBF sbb eax, eax
:0040ACC1 pop ecx
:0040ACC2 inc eax ;EAX=1 if they match, else 0
:0040ACC3 jmp 0040ACC7
:0040ACC5 xor eax, eax ;bad cracker: EAX=0
:0040ACC7 pop edi
:0040ACC8 pop esi
:0040ACC9 pop ebx
:0040ACCA leave
:0040ACCB ret

So if you are on line 0040ACB5 and you do d esi you'll see your input, and if you do d eax you'll see the correct code.
For the lazy people: name lownoise and password FW1-132061.
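To confirm this reading of the routine, here is an added C reimplementation of the check at 0040ABA5; it is not part of the original essay or of FtpWolf. It reproduces the intermediate values quoted above for the name lownoise and makes the weakness concrete: the whole check is a fixed function of the visible inputs with at most six decimal digits of output. Assumptions: zero padding of the key for names shorter than four characters (the original pre-fills the buffer from 00415C80, whose contents are not in the listing), and a "%d"-style format string at 00415C7C.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reimplementation of the check at 0040ABA5 as read in the listing above.
   Returns 1 when name/serial pass, 0 otherwise; key1, key2 and number
   receive the three intermediate stages so they can be compared with the
   Softice values quoted in the essay. */
int ftpwolf_check(const char *name, const char *serial,
                  uint8_t key1[4], uint8_t key2[4], uint32_t *number)
{
    char prefix[32];
    uint8_t key[4] = {0};   /* assumption: zero padding for names < 4 chars */
    /* 0040ABB1..0040ABD1: both arguments present, serial starts with "FW" */
    if (!name || !serial || serial[0] != 'F' || serial[1] != 'W') return 0;
    /* 0040ABD7..0040ABFD: copy the serial, find the '-', cut the string there */
    snprintf(prefix, sizeof prefix, "%s", serial);
    char *dash = strchr(prefix, '-');
    if (!dash) return 0;
    *dash = '\0';
    const char *tail = serial + (dash - prefix) + 1;   /* text after the '-' */
    /* 0040AC13..0040AC17: the first four characters of the name become the key */
    strncpy((char *)key, name, 4);
    /* 0040AC1C..0040AC48: each prefix char + 2 multiplies every key byte;
       only the low byte of imul is kept, so unsigned arithmetic matches */
    for (const char *p = prefix; *p; p++)
        for (int i = 0; i < 4; i++) key[i] = (uint8_t)(key[i] * (uint8_t)(*p + 2));
    memcpy(key1, key, 4);
    /* 0040AC4D..0040AC6A: each name char + 2 is XORed into every key byte */
    for (const char *p = name; *p; p++)
        for (int i = 0; i < 4; i++) key[i] ^= (uint8_t)(*p + 2);
    memcpy(key2, key, 4);
    /* 0040AC6C..0040AC9B: read the key as a little-endian signed dword,
       force it positive and scale it into the range 9999..999999 */
    uint32_t raw = key[0] | (uint32_t)key[1] << 8 | (uint32_t)key[2] << 16 | (uint32_t)key[3] << 24;
    int64_t v = (int32_t)raw;          /* int64 so negating INT_MIN is safe */
    if (v == 0) v = 1;
    if (v < 0) v = -v;
    while (v < 9999) v *= 10;
    while (v > 999999) v /= 10;
    *number = (uint32_t)v;
    /* 0040AC9D..0040ACC2: format as decimal (format string at 00415C7C assumed
       to be "%d") and compare with the text after the '-' */
    char buf[20];
    snprintf(buf, sizeof buf, "%u", *number);
    return strcmp(buf, tail) == 0;
}
```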

 
The 'Crack' 
 
None required, but a key generator would be easy!
If you can't make the key generator yourself, download it here.
 
Final Notes 
 
So if you have read this essay you can reverse every target of the makers of FtpWolf; in every program they use the same protection!
 

 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
Dr Karma, who wrote the key generator.
 
Ob Duh 
 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems?
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 


Essay by:          Lownoise
Page Created: 24th July 1998