Software introduction:
IP-Tools integrates many TCP/IP utilities: local information, connection information, port scanning, PING, TRACE, WHOIS,
FINGER, NSLOOKUP, a Telnet client, NETBIOS information, IP monitor, etc.
IP-Tools is indeed very powerful. KS-Soft's customers include Adobe Systems Incorporated, Intel Corporation and IBM Corporation;
I don't know whether these companies also use IP-Tools. When I first got the software, I didn't expect its algorithm to be very complicated.
As the analysis went deeper, I found that I had never seen the algorithm it uses. The algorithm has good avalanche effect, diffusion
and confusion, there is a one-way trapdoor function, and at the same time it has a key pair: one is the encryption key, the other is the decryption key.
It is similar to RSA's big-number arithmetic. The registration code is 640 bits. I think this one-way function should be called an asymmetric algorithm
plus a one-way function, that is, a hybrid of public-key cryptography and one-way functions. If the algorithm was designed and implemented by the author himself,
I think he has a certain degree of cryptographic knowledge. Verifying his registration code is like a meet-in-the-middle attack, i.e. a collision.
Let's get started with the algorithm analysis.
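As an added illustration, not the product's own code and not the algorithm the article goes on to reconstruct, here is the standard design the paragraph above is describing: the vendor signs the registration name with a private key, and the program only carries the public key, so it can check a code but cannot issue one. The example assumes textbook RSA over a SHA-256 digest of the trimmed name (no padding, for clarity only) and reuses the page's 640-bit figure as the modulus size; the function names are my own.

```python
import hashlib
import random

CODE_BITS = 640  # size taken from the page's "640-bit registration code"; an assumption, not the product's parameters


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test (enough for an illustration)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one passes the primality test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(seed=None, bits=CODE_BITS):
    """Return (public, private) = ((n, e), (n, d)). Only the public half ships inside the program."""
    rng = random.Random(seed)  # seeded RNG so the example is reproducible; use secrets/os.urandom for real keys
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        n = p * q
        phi = (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e != 0:
            break
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def _name_digest(username):
    """Hash the trimmed registration name to an integer (the listing below Trim()s the name before checking it)."""
    name = username.strip().encode("utf-8")
    return int.from_bytes(hashlib.sha256(name).digest(), "big")


def issue_code(username, private):
    """Vendor side: the registration code is the RSA signature of the name digest, rendered as hex."""
    n, d = private
    return format(pow(_name_digest(username), d, n), "x")


def verify_code(username, code, public):
    """Program side: undo the signature with the public exponent and compare against the name digest."""
    n, e = public
    try:
        sig = int(code, 16)
    except ValueError:
        return False  # not a hex string at all
    if not 0 < sig < n:
        return False  # out of range for this modulus
    return pow(sig, e, n) == _name_digest(username) % n


if __name__ == "__main__":
    pub, priv = generate_keypair(seed=1234)
    code = issue_code("Alice", priv)
    print("code bits:", pub[0].bit_length())
    print("Alice  :", verify_code("Alice", code, pub))
    print("Bob    :", verify_code("Bob", code, pub))
```

The point for the analyst is that `verify_code` never needs `d`: a program built this way can be patched to skip the check, but the check itself gives away no way to produce a valid code for another name, which is why the author above expects a collision-style search rather than a straightforward keygen.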
EXt | Cnbragon (Radio): Go go!
Bytes ----------------------------------------------------------------------------------------
PEiD shows no packer, Borland Delphi 4.0-5.0; the KANAL plugin finds Base64, but unfortunately it is not used in the registration
algorithm. If it were Base64 it would be very easy, but that is not the case. Base64 is only used at the end to encode the user name and registration code
before putting them in the registry. This is not the focus of our research, but you can check it out.
Here:
HKCU\Software\KS-Soft\IP-Tools\UserName
HKCU\Software\KS-Soft\IP-Tools\UserSNum
And here:
Software\Microsoft\Windows\CurrentVersion\Devices0102
"DATA5" = "..."
"DATA6" = "..."
The program self-validates at startup; of course, the registration code is read back from the locations above and verified again.
To deal with it, I used DeDe, IDA and OllyDbg (Desert Eagle, AK47/B43, AWP). Of course, OllyDbg is the main weapon (I am our
team's sniper; if you have time, we can learn from each other). Through the DeDe analysis it is easy to locate the registration routine, as shown below:
Bytes ----------------------------------------------------------------------------------------
00509FF0 <> |. E8 E3C0F2FF call <IP_TOOLS.sub_4360D8> ; -> controls.TControl.GetText(TControl):TCaption;
00509FF5 |. 8B45 F8 mov eax, dword ptr ss:[ebp-8]
00509FF8 |. 8D55 FC lea edx, dword ptr ss:[ebp-4]
00509FFB <> |. E8 88F4EFFF call <IP_TOOLS.sub_409488> ; -> sysutils.Trim(AnsiString):AnsiString;
0050A000 |. 8B55 FC mov edx, dword ptr ss:[ebp-4]
0050A003 |. 8BC7 mov eax, edi
0050A005 <> |. E8 FEC0F2FF call <IP_TOOLS.sub_436108> ; -> controls.TControl.SetText(TControl; TCaption);
0050A00A |. 8D55 F0 lea edx, dword ptr ss:[ebp-10]
0050A00D |. 8B06 mov eax, dword ptr ds:[esi]
0050A00F <> |. 8BB8 E8020000 mov edi, dword ptr ds:[eax+2E8] ; * RxGIFAnimator1: TRxGIFAnimator
0050A015 |. 8BC7 mov eax, edi
0050A017 <> |. E8 BCC0F2FF call <IP_TOOLS.sub_4360D8> ; -> controls.TControl.GetText(TControl):TCaption;
0050A01C |. 8B45 F0 mov eax, dword ptr ss:[ebp-10]
0050A01F |. 8D55 F4 lea edx, dword ptr ss:[ebp-C]
0050A022 <> |. E8 61F4EFFF call <IP_TOOLS.sub_409488> ; -> sysutils.Trim(AnsiString):AnsiString;
0050A027 |. 8B55 F4 mov edx, dword ptr ss:[ebp-C]
0050A02A |. 8BC7 mov eax, edi
0050A02C <> |. E8 D7C0F2FF call <IP_TOOLS.sub_436108> ; -> controls.TControl.SetText(TControl; TCaption);
0050A031 |. 8D55 EC lea edx, dword ptr ss:[ebp-14]
0050A034 |. 8B06 mov eax, dword ptr ds:[esi]
0050A036 <> |. 8B80 E4020000 mov eax, dword ptr ds:[eax+2E4] ; * Label1: TLabel
0050A03C <> |. E8 97C0F2FF call <IP_TOOLS.sub_4360D8> ; -> controls.TControl.GetText(TControl):TCaption;
0050A041 |. 8B45 EC mov eax, dword ptr ss:[ebp-14]
0050A044 |. E8 E7A4FCFF call <IP_TOOLS.sub_4D4530> ; registration name check
0050A049 |. 84C0 test al, al
0050A04B |. 74 3C je short <IP_TOOLS.loc_50A089>
0050A04D |. 68 E4A25000 push <IP_TOOLS.aSorryYourRegis> ; ASCII "Sorry, your registration name ("
0050A052 |. 8D55 E4 lea edx, dword ptr ss:[ebp-1C]
0050A055 |. 8B06 mov eax, dword ptr ds:[esi]
0050A057 <> |. 8B80 E4020000 mov eax, dword ptr ds:[eax+2E4] ; * Label1: TLabel
0050A05D <> |. E8 76C0F2FF call <IP_TOOLS.sub_4360D8> ; -> controls.TControl.GetText(TControl):TCaption;
0050A062 |. FF75 E4