Kayaker
December 18th, 2000, 00:57
OK, this isn't a Newbie target
It seems to use something called D-Square Cipher v2.5 (saw a ref. to it) to decrypt your name and s/n (concatenated as a string, no capitals) from the RegistrationKey registry value at location 20h. Minimum length of RegistrationKey is 30h. This is the value MOVed to cl. It then compares each character with your name/sn string as hex, XORed with 55 at 4205B0.
If this passes, then it compares it with your name/sn string as it has been encrypted in WindowData. This is a simple XOR AA encryption. NOTing it will recreate it as the XOR 55 value.
i.e. "k" in hex is 6B. 6B XOR AA = C1. This is stored in WindowData.
6B XOR 55 = 3E. NOT C1 = 3E
:004205A4 mov cl, byte ptr [eax] ; DEcrypted name/sn from RegistrationKey, still partially encrypted
:004205A6 mov dl, byte ptr [eax+edx-000024C8] ; your name/sn as hex. i.e. "k" = 6B
:004205AD xor dl, 55 ; 6B XOR 55 = 3E
:004205B0 cmp dl, cl ; are they equal?
:004205B2 jne 004205C4
:004205B4 test esi, esi ; counter
:004205B6 je 004205C4
:004205B8 mov dl, byte ptr [eax+FFFFDB38] ; name/sn from WindowData. i.e. "k" = C1
:004205BE not dl ; NOT C1 = 3E
:004205C0 cmp dl, cl
:004205C2 je 004205CE
This is repeated verbatim at 3 locations in the program. The easiest solution is to patch all the jumps.
Now there's a problem with this solution. As long as you have the details fairly correct in the Registry key "RegistrationKey" (this was found with Regmon), i.e. 30h bytes or more, then you will always be registered as whatever you enter as name and s/n. BUT, the reg box comes up every time.
Maybe a couple of reasonable tasks for this are to find the 3 comparison routines and patch them (1st one is above), and then try to get rid of the reg box that comes up each time. Maybe figure out how to show your registered name in the About box.
When you create this RegistrationKey value out of thin air, how do you know whether it's supposed to be a String, Binary or DWORD value? Sometimes you can just make a good guess, but if not, the 3rd parameter of RegQueryValueExA will tell you.
LONG RegQueryValueEx(
HKEY hKey, // handle of key to query
LPTSTR lpValueName, // address of name of value to query
LPDWORD lpReserved, // reserved
LPDWORD lpType, // address of buffer for value type
LPBYTE lpData, // address of data buffer
LPDWORD lpcbData // address of data buffer size
);
i.e.
Public Const REG_SZ = 1 ' Unicode nul terminated string
Public Const REG_EXPAND_SZ = 2 ' Unicode nul terminated string
Public Const REG_BINARY = 3 ' Free form binary
Public Const REG_DWORD_LITTLE_ENDIAN = 4 ' 32-bit number (same as REG_DWORD)
Anybody had any other luck with the encryption process?
Kayaker
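The two-stage comparison at 4205A4..4205C2 can be modelled in a few lines, which also makes one thing visible that the disassembly only implies: NOT is XOR FF, and AA XOR FF is 55, so the WindowData check (NOT of the XOR AA copy) can never fail once the XOR 55 check has passed; the second stage adds no protection. The code below is an added illustration, not code from the target or from D-Square; the D-Square decryption of RegistrationKey is not modelled, its decrypted output is simply taken as input. The function names, constants and the sample name/serial are all constructed for the example.

```python
# Model of the two-stage name/serial comparison described in the post.
# Added illustration only; the D-Square layer is not reproduced, the
# decrypted RegistrationKey bytes are passed in as input.

NAME_XOR_KEY = 0x55    # applied to the typed name/sn byte at 4205AD
WINDOW_XOR_KEY = 0xAA  # applied when the name/sn is stored in WindowData
MIN_KEY_LEN = 0x30     # minimum RegistrationKey length noted in the post


def store_window_data(name_sn: bytes) -> bytes:
    """Encode the typed name/sn the way WindowData holds it (XOR AA)."""
    return bytes(b ^ WINDOW_XOR_KEY for b in name_sn)


def stage_one(decrypted_key: bytes, name_sn: bytes) -> bool:
    """Loop at 4205A4..4205B2: typed byte XOR 55 must equal the
    corresponding byte of the decrypted RegistrationKey (cl)."""
    if len(decrypted_key) < MIN_KEY_LEN:
        return False
    return all((t ^ NAME_XOR_KEY) == k for t, k in zip(name_sn, decrypted_key))


def stage_two(decrypted_key: bytes, window_data: bytes) -> bool:
    """Loop at 4205B8..4205C2: NOT of each WindowData byte must equal
    the corresponding decrypted RegistrationKey byte."""
    return all(((w ^ 0xFF) == k) for w, k in zip(window_data, decrypted_key))


def registered(decrypted_key: bytes, name_sn: bytes) -> bool:
    """Both stages as the program chains them for one name/sn string."""
    return stage_one(decrypted_key, name_sn) and stage_two(
        decrypted_key, store_window_data(name_sn)
    )


def stage_two_is_redundant() -> bool:
    """For every byte x: NOT(x ^ AA) == x ^ 55, because NOT is ^ FF and
    AA ^ FF == 55. So stage two cannot fail if stage one passed."""
    return all(
        ((x ^ WINDOW_XOR_KEY) ^ 0xFF) == (x ^ NAME_XOR_KEY) for x in range(256)
    )


# Constructed sample input: lowercase name and serial concatenated, and a
# decrypted key that matches it, padded to the 30h minimum length.
SAMPLE_NAME_SN = b"kayaker" + b"1234-5678"
SAMPLE_KEY = bytes(b ^ NAME_XOR_KEY for b in SAMPLE_NAME_SN)
SAMPLE_KEY += b"\x00" * (MIN_KEY_LEN - len(SAMPLE_KEY))

if __name__ == "__main__":
    print("window copy of 'k':", store_window_data(b"k").hex())  # c1
    print("registered:", registered(SAMPLE_KEY, SAMPLE_NAME_SN))
    print("stage two redundant:", stage_two_is_redundant())
```

The redundancy is the point worth remembering when reading schemes like this: two comparisons against differently XOR-masked copies of the same input are still one comparison, so the second loop is a cheap form of obfuscation rather than a second line of defence.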