Transformation of perfect proxy software CCProxy 6.2

CCProxy 6.2 is a very useful proxy software, but the unregistered version only allows three users to use, so I tried to crack it. Here, cracking is not our ultimate goal. After the program is started, it will be marked on the system tray. We also need to remove it to make it better run on the zombie.

Cracking tool:
Ollydbg 1.10b (fly modified)
W32Dasm v10.0 enhanced Chinese Version
PEiD V0.92
Keymake1.73

Preliminary Exploration
Run PEiD V0.92 to check whether the target is shelled. This software is not shelled! Run the CCProxy main program to see what it looks like. Why? To give a face, look pretty good, registration code error will give an error prompt.

Information available for Static Analysis
Since we enter the wrong registration code program, a dialog box will pop up, We can first use this error message to find the program comparison section.
Use W32Dasm to perform static analysis on the target file. In the toolbar, click "string character reference" to find the error message provided by the program? Normal! This software is good, and we have learned English. We can change the prompt content of the software in "Settings> advanced> Other" of the CCProxy main program. After modification, check the software error prompt (as shown in figure 2). Is there any error message similar to "string character reference"? 3. Double-click the error string and we will see the assembly code of the program. In Step 4, the Code 0040e33e is the key hop of the program. If it is skipped, we will fail, therefore, you only need to delete the code NOP 0040e33e. Use WinHex to load the CCProxy main program. NOP drops the code of the program 0040e33e and re-runs the software registration! However, after the software is restarted, the registration does not take effect. It may be that the registration code is verified when the program starts. In the installation directory of the program, we can find a CCProxy. ini file, which is the configuration file of the program. Our registration code is put here and will be used for dynamic analysis.

Let's look at several CALL statements above the code. we can infer that the CALL statement above is the registration code part calculated by the program. We can dynamically track the registration code of the program. OK! Step 2: find two ideas for cracking software and continue!

Dynamic Tracking of registration code
Use Ollydbg to load the CCProxy main program. After the program is fully loaded, press Ctrl + G to jump to the Program Key to e33e. Locate the beginning of this Code, F2 is disconnected, the program is disconnected immediately after running, and the breakpoint is canceled. First, we run F8 in a single step to 0040e33e. The program tests the eax register to determine the program's turn. We can find the last value assignment statement of the program to the eax register 0040e333 not far above. If eax is not zero, the program will not jump and we will register it successfully.
Now, in this piece of code, we carefully run a single step. The program mainly performs MD5 encryption on the Registration Name. Because the program is complicated, it is not something that I can wait for the younger generation to see, so I don't want to look for the encryption algorithm of the Program (I'm not just leaving, I still want the registration code ).
When the program moves to e333, it is the last statement to assign a value to the registration code. In the Ollydbg information box, we can see ds: [004a6cbc] = 00000000 (source data to be assigned to eax), eax = 00000001 (source content of the eax register ). When eax is not zero, the program is successfully registered! Right-click the ds: [004a6cbc] = 00000000 piece of code in the information box, and click "follow address in the bucket" in the shortcut menu ". In the data box in the lower left corner, we can drag down to see a large number. Needless to say, it must be the registration code. Close the debugger, run the CCProxy main program, enter the data found, and register successfully!
The last attack is a registration machine! Open keymake and set according to the figure, as shown in figure 6.

Improve CCProxy
This software is really easy to use. It's a pity not to run on bots. Think about the feeling of various agents! Improve the software.
The program is mainly to add the icon on the system tray so that our bots cannot accept it, then we can remove this icon! At first, I thought that "resource hacker" was used to directly Delete the CCProxy ICON resources. Later I tried to change the software, as if there was a blank icon in the system tray, although you can't see the icon of the program, it's too dazzling. The Administrator's eyes are not 500-degree myopia! To add an icon to the system tray, the program must call the SHELL32.Shell _ policyicona function. First, let's look at the original function API:
Declare Function shell_policyicon Lib "shell32.dll" Alias "shell_policyicona" (ByVal dwMessage As Long, lpData As policyicondata) As Long
Const NIF_ICON = & H2
Const NIF_TIP = & H4
Const NIM_ADD = & H0 // This is the parameter for adding an icon to the tray
Const NIF_MESSAGE = & H1
Const NIM_MODIFY = & H1
Const NIM_DELETE = & H2 // This is the parameter for deleting the icon from the tray
The Ollydbg reloads the CCProxy main program and searches for all interactive calls. You can see that the program has called the SHELL32.Shell _ policyicona function five times. From the programming point of view, the SHELL32.Shell _ policyicona function is generally called to add icons to the system tray and delete icons from the system tray, but you can observe the icon on the system tray to a certain extent. It is dynamic, programmers know that the simplest way to do this kind of dynamic icons is to switch the two icons back and forth. With this understanding, we can boldly infer that the first and last calls of the SHELL32.Shell _ policyicona function are the system initialization and deletion icons respectively.
The first call of the program:
0040C703 6A 00 push 0
0040C705. C1E9 02 shr ecx, 2
0040C708. F3: A5 rep movs dword ptr es: [edi], dword ptr ds: [esi]
0040C70A. 8BC8 mov ecx, eax
0040C70C. 83E1 03 and ecx, 3
0040C70F. F3: A4 rep movs byte ptr es: [edi], byte ptr ds: [esi]
0040C711. FF15 98434600 call dword ptr ds: [<& SHELL32.Shell _ policyicona>]; SHELL32.Shell _ policyicona

The fifth call of the program:
0042F898. 6A 02 push 2
0042F89A. C74424 20 0A0000> mov dword ptr ss: [esp + 20], 0A
0042F8A2. C74424 24 010000> mov dword ptr ss: [esp + 24], 1
0042F8AA. 894C24 28 mov dword ptr ss: [esp + 28], ecx
0042F8AE. FF15 98434600 call dword ptr ds: [<& SHELL32.Shell _ policyicona>]; SHELL32.Shell _ policyicona
0042F8B4. 6A 00 push 0;/ExitCode = 0
0042F8B6. FF15 CC444600 call dword ptr ds: [<& USER32.PostQuitMessage>]; PostQuitMessage
0042F8BC. EB 71 jmp short duplicate _ CCP.0042F92F
When the program parameter is push 0, the SHELL32.Shell _ policyicona function loads the icon; when the program parameter is push 2, The SHELL32.Shell _ policyicona function deletes the icon. Since we are not talking about programming, I will not talk about the specific reason why pushing 0/1 will lead to function loading and deleting icons, so we will not waste the layout of our XFile. The idea is clear. We only need to change the value of push 0 for four calls except the last call to push 2! After the change, F9 runs the program and no icon appears on the system tray (Figure 9). The improvement is successful. You can modify the program configuration file CCProxy. ini when using it on Broilers:
HotKey = CTRL + ALT + C (the shortcut key automatically popped up after the program is hidden, which can be adjusted by yourself !)
EnableHotKey = 1 (the shortcut key automatically pops up when the program starts. The default value is 0)