APACHE
August 29th, 2009, 14:11
Hi all my respected seniors and friends..
Currently I am working on an executable based on serial protection.
[Link deleted by Moderator]
I am able to reverse it fully and make it work very fine.. (How is given below, but I know you guys already know ;-))
But I am having problems, as I wanted to reverse it more radically..
==============================================
Some Info (PEiD)
VC++ 6.0
Krypto Analysis:
ADLER32 :: 000B2AE4 :: 004B2AE4
The reference is above.
CRC32 :: 000E4138 :: 004E4138
Referenced at 004B1B1C
Referenced at 004B1B3C
Referenced at 004B1B57
Referenced at 004B1B73
Referenced at 004B1B8E
Referenced at 004B1BAA
Referenced at 004B1BC5
Referenced at 004B1BDF
Referenced at 004B1C06
SHA1 [Compress] :: 0008A352 :: 0048A352
The reference is above.
SHA1 [Compress] :: 0008C769 :: 0048C769
The reference is above.
ZLIB deflate [long] :: 000E4FF0 :: 004E4FF0
Referenced at 004B5286
==============================================
Problem 1
(Fishing valid serial)
====================================
When I enter a wrong serial in the REG window, I managed to break at kernel32.lstrcpynA; it shows the fake serial in ESI, and I don't know what
is in EDI (=129884=00A5AD6C), but it does not look like a valid serial, and
just some lines below a magic no. and my fake serial appear:
00129758 012D0168 ASCII "94D7F253-97DB21CF-77BC98D8-6F456A41-BE943BE4-A0A3B2E0-16059D78-D7D2FE36-0DE33BC7-D866E316-C5811727-327512BB-AF3D58FF-07E5A488-DF33AE98-1A620514"
0012975C 00DC4998 ASCII "SDFDSFSDFSD" ;;my fake serial
The above magic no. remains the same whatever my fake serial is (I've checked).. but this is not a valid
serial; I think it's a hash or checksum (or a proper word that I may not know; if yes,
please let me know) generated by the program.
There is another magic no. in the stack:
00129764 012D0058 ASCII "0AB52023-BA00347E-9FA86ACD-FDC330A9-68578B7E-264B81E1-30BDFEEF-CEA403FA-20457E4A-39C03409-F69A9ABA-388E8A94-677044C7-643FE9AC-66523C91-18A61801"
It should be noticed that both numbers don't change according to my fake serial,
meaning whatever the serial is, those two will always be the same..
However I tried to make both magic values equal.. but nothing.
Below are some details..
0042493C |. 2BC6 SUB EAX,ESI
0042493E |> 8A0E /MOV CL,[ESI]
00424940 |. 880C30 |MOV [EAX+ESI],CL
00424943 |. 46 |INC ESI
00424944 |. 84C9 |TEST CL,CL
00424946 |.^ 75 F6 \JNZ SHORT 0042493E
00424948 |. 8B1D B8314C00 MOV EBX,[<&KERNEL32.lstrcpynA>] ; kernel32.lstrcpynA
0042494E |. 8DBC24 3C010000 LEA EDI,[ESP+13C]
00424955 |. 8D7424 6C LEA ESI,[ESP+6C]
00424959 |. C74424 1C 10000000 MOV DWORD PTR [ESP+1C],10
00424961 |> 6A 09 /PUSH 9 ; /n = 9
00424963 |. 56 |PUSH ESI ;ESI=1297B4 ; |String2
00424964 |. 57 |PUSH EDI ;129884 ; |String1
00424965 |. FFD3 |CALL EBX ; \lstrcpynA
00424967 |. 8B4424 1C |MOV EAX,[ESP+1C]
0042496B |. 83C6 09 |ADD ESI,9
0042496E |. 83C7 08 |ADD EDI,8
00424971 |. 48 |DEC EAX
00424972 |. 894424 1C |MOV [ESP+1C],EAX
00424976 |.^ 75 E9 \JNZ SHORT 00424961
00424978 |. 33F6 XOR ESI,ESI
0042497A |. 8DBC24 3C010000 LEA EDI,[ESP+13C]
00424981 |> 6A 03 /PUSH 3
STACK POSITION
================
00129734 00000001
00129738 00DCBF20
0012973C 00129884 |String1 = 00129884 ;;129884=00A5AD6C ITS DUMP VALUE IS BELOW
00129740 001297B4 |String2 = "SDFDSFSDFSD"
00129744 00000009 \n = 9
00129748 00129964
0012974C 0012A318
00129750 73E7B064 OFFSET MFC42.#4234_?messageMap@CDialog@@1UAFX_MSGMAP@@B
00129754 00000001
00129758 012D0168 ASCII "94D7F253-97DB21CF-77BC98D8-6F456A41-BE943BE4-A0A3B2E0-16059D78-D7D2FE36-0DE33BC7-D866E316-C5811727-327512BB-AF3D58FF-07E5A488-DF33AE98-1A620514"
0012975C 00DC4998 ASCII "SDFDSFSDFSD" ;my serial
00129760 032D02A2
00129764 00000010
00129768 0012A318
0012976C 012D0168 ASCII "94D7F253-97DB21CF-77BC98D8-6F456A41-BE943BE4-A0A3B2E0-16059D78-D7D2FE36-0DE33BC7-D866E316-C5811727-327512BB-AF3D58FF-07E5A488-DF33AE98-1A620514"
00129770 002D02A2
00129774 00DC9A98 ASCII "themewnd"
00129778 00129768
0012977C 00DC9000
00129780 00DC9A98 ASCII "themewnd"
;;129884=00A5AD6C ITS DUMP VALUE IS BELOW
00A5AD6C 48 2A 8B 20 00 03 00 80 01 09 01 C0 C4 00 C8 94 H*‹ ..€.ÀÄ.È”
00A5AD7C 00 00 40 00 00 00 A4 02 D0 54 68 BC 80 B8 68 BC ..@...¤ÐTh¼€¸h¼
00A5AD8C E8 06 64 BC D0 B0 68 BC 00 00 00 00 F5 00 00 00 èd¼Ð°h¼....õ...
00A5AD9C 95 00 00 00 0C 03 00 00 4E 02 00 00 F8 00 00 00 •......N..ø...
00A5ADAC B2 00 00 00 09 03 00 00 4B 02 00 00 44 84 E6 73 ²......K..D„æs
00A5ADBC C8 C5 68 BC 40 0D 04 6E 50 AF 68 BC 00 00 00 00 ÈÅh¼@.nP¯h¼....
00A5ADCC 30 1E 67 BC 00 00 00 00 F4 0D 04 96 4A 00 00 00 0g¼....ô.–J...
00A5ADDC 4C 00 00 00 28 AE 68 BC 1E 00 00 00 58 AD 68 BC L...(®h¼...X*h¼
00A5ADEC A5 00 40 15 00 00 00 00 00 00 00 00 05 00 00 00 ¥.@...........
Any help to fish out the real serial will be appreciated...
or if someone catches the serial calculation scheme, please let me know, because I'll try to keygen
it in future when I reach that level.. (and I know one day I will..)
Problem 2
(removing the registration window)
==============================================
I am able to eliminate the protection when we click OK after entering a fake serial:
As always there may be many solutions:
Inverting jumps (see below)
or
Making the 1st JNZ a JMP 00424A7C is enough to defeat the protection perfectly.. (well, I chose this way)
But I just want to catch the point where the program checks itself as unregistered and throws the
registration window.. Olly's <back to user> trick doesn't work on this registration window.
I tried Protection ID to get the handle of the window and tried to search it, but nothing happens..
Then I tried the "W" button of Olly and selected "ACTUALIZE". Here it's showing the
title bar text, but when I set a variety of BPXs, as BPX on various messages, it breaks
in a weird area, as: MFCXX.dll... what is this.. I don't know.
Please help me to know where this registration window is coming from...
eliminating the protection
===========================
00424A3D |> \8A4C24 24 MOV CL,[ESP+24] ;ENTER WRONG SERIAL AND PRESS OK BREAKS HERE
00424A41 B0 54 MOV AL,54 ;<=========SOME PROTECTION IS HERE
00424A43 3AC8 CMP CL,AL
00424A45 75 40 JNZ SHORT 00424A87 ;<====GOES TO BAD BOY , change this to JMP 00424A7C to deprotect
00424A47 807C24 25 4F CMP BYTE PTR [ESP+25],4F
00424A4C |. 75 39 JNZ SHORT 00424A87 ;<====GOES TO BAD BOY
00424A4E |. 384424 26 CMP [ESP+26],AL
00424A52 |. 75 33 JNZ SHORT 00424A87 ;<====GOES TO BAD BOY
00424A54 |. 807C24 27 41 CMP BYTE PTR [ESP+27],41
00424A59 |. 75 2C JNZ SHORT 00424A87 ;<====GOES TO BAD BOY
00424A5B |. 807C24 28 4C CMP BYTE PTR [ESP+28],4C
00424A60 |. 75 25 JNZ SHORT 00424A87 ;<====GOES TO BAD BOY
00424A62 |. 80FA 20 CMP DL,20
00424A65 |. 75 20 JNZ SHORT 00424A87 ;<====GOES TO BAD BOY
00424A67 |. 80FB 56 CMP BL,56
00424A6A |. 75 29 JNZ SHORT 00424A95 ;<====GOES TO WRONG DIRECTION
00424A6C |. 807C24 2B 43 CMP BYTE PTR [ESP+2B],43
00424A71 |. 75 22 JNZ SHORT 00424A95 ;<====GOES TO WRONG DIRECTION
00424A73 |. 803D 60914F00 A5 CMP BYTE PTR [4F9160],0A5
00424A7A |. 75 19 JNZ SHORT 00424A95 ;<====GOES TO WRONG DIRECTION
00424A7C |. 8B4C24 1C MOV ECX,[ESP+1C] ;<===HERE IS THE POINT WE SHOULD REACH
00424A80 |. E8 69910600 CALL <JMP.&MFC42.#4853_?OnOK@CDialog@@MA> ;<== DESTROYS SERIAL ASKING WINDOW on pressing OK
00424A85 |. EB 0E JMP SHORT 00424A95 ;<=== GO TO GOOD BOY
00424A87 |> 6A 00 PUSH 0
00424A89 |. 6A 00 PUSH 0
00424A8B |. 68 CC964F00 PUSH 004F96CC ; ASCII "Wrong!"
00424A90 |. E8 95910600 CALL <JMP.&MFC42.#1200_?AfxMessageBox@@Y>
00424A95 |> 8D4C24 0C LEA ECX,[ESP+C]
00424A99 |. C68424 08020000 00 MOV BYTE PTR [ESP+208],0
00424AA1 |. E8 28900600 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00424AA6 |. 8D4C24 10 LEA ECX,[ESP+10]
Please... help...!!!
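As an added example (not code from the post or from the product discussed), here is the weak check shape seen at 00424A3D above, where the expected bytes are literal constants and every mismatch goes to one "Wrong!" branch, beside the hardened shape a vendor could use instead. SAMPLE_SERIAL, KEY_SEED, digest32 and hardened_check are constructed names for this example, and seeded FNV-1a only stands in for a real keyed MAC.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed sample serial for this example; not the product's real key. */
#define SAMPLE_SERIAL "EXAMPLE-0001"
#define KEY_SEED 0x2F0B1D9Au   /* constructed; seeds the key derivation */

/* Weak check, the shape seen at 00424A3D above: every expected byte is a
 * literal constant compared one at a time, and each mismatch jumps to the
 * same "Wrong!" path. The expected characters are readable in the binary
 * and one patched JNZ turns the whole check into a no-op. */
int weak_check(const char *serial)
{
    const char *expected = SAMPLE_SERIAL;
    size_t i;
    for (i = 0; expected[i] != '\0'; i++) {
        if (serial[i] != expected[i])
            return 0;               /* bad boy: "Wrong!" */
    }
    return serial[i] == '\0';       /* good boy */
}

/* Seeded 32-bit FNV-1a. It stands in for a real keyed MAC such as
 * HMAC-SHA-256; only the structure of the check matters here. */
uint32_t digest32(const char *s, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;
    for (; *s != '\0'; s++) {
        h ^= (uint8_t)*s;
        h *= 16777619u;
    }
    return h;
}

/* Hardened shape: the binary stores only stored_digest (computed by the
 * vendor from the valid serial), so no expected characters exist in the
 * code; the compare has no early exit; and the result is key material
 * derived from the serial with a different seed, which later code needs.
 * A wrong serial, or a patched branch, leaves *key_out useless. */
int hardened_check(const char *serial, uint32_t stored_digest,
                   uint32_t *key_out)
{
    uint32_t diff = digest32(serial, 0) ^ stored_digest;
    uint32_t bad = (diff | (0u - diff)) >> 31;   /* 0 if equal, else 1 */
    *key_out = digest32(serial, KEY_SEED);
    return (int)(1u - bad);
}
```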