Algorithm Analysis of QQ sanjianke 3.0

Source: Internet
Author: User

Author: December
Recently a netizen came to me in a hurry wanting a piece of software cracked, so I had to take some time to look at its algorithm. After the file was sent over I saw that it was QQ sanjianke 3.0, a powerful and easy-to-use QQ auxiliary tool with a beautiful UI. It offers functions such as automatic and secure QQ logon, opening the QQ game hall, and offline viewing of QQ game records.

Algorithm process
Checking with PEiD shows that the program is packed with ASPack 2.12. This is a weak packer, and a PEiD plug-in removes it easily, which saves a lot of trouble. Run the unpacked program and enter a random registration code; an error dialog appears, as shown in Figure 1.

Figure 1
Load the unpacked program in OD and search the strings; the error prompt is easy to find, as shown in Figure 2. Double-click "registration successful" to reach the following code.

Figure 2

00411536 8B48 F8 mov ecx, dword ptr ds: [eax-8]
00411539 85C9 test ecx, ecx; test whether a registration code was entered
0041153B 0F84 91000000 je unpacked.004115D2
If no value was entered, the jump is taken and the message below is displayed, prompting you to enter the registration code.

This only checks whether a registration code was entered at all.

00411541 8BCE mov ecx, esi
00411543 E8 A8000000 call unpacked.004115F0; key call
00411548 85C0 test eax, eax
0041154A 74 6B je short unpacked.004115B7; if eax is zero, registration fails

This call is the key. We have to follow it, or there is nothing more to learn!

00411578 68 600A4500 push unpacked.00450A60; code
0041157D 68 580A4500 push unpacked.00450A58; sofregulatory
00411582 FF15 A4214400 call dword ptr ds: [<&KERNEL32.WritePrivateProfileStringA>]; kernel32.WritePrivateProfileStringA
00411588 6A 00 push 0
0041158A 68 64E14400 push unpacked.0044E164; QQ sanjianke
0041158F 68 5C0E4500 push unpacked.00450E5C; registration successful. Please exit the software and restart it!
..................
004115B9 68 64E14400 push unpacked.0044E164; QQ sanjianke
004115BE 68 480E4500 push unpacked.00450E48; please enter a valid registration code!
..................
004115D4 68 64E14400 push unpacked.0044E164; QQ sanjianke
004115D9 68 300E4500 push unpacked.00450E30; the registration code is blank. Please enter it again!
This code checks whether a registration code was entered and whether the entered code is valid: if it is valid, registration succeeds, otherwise it fails. Now let's look at the key call. Set a breakpoint on it, and once the program breaks there, follow the call in.

00411610 E8 B59F0200 call <jmp.&MFC42.#6334>; MFC characteristic
00411615 8D4C24 14 lea ecx, dword ptr ss: [esp + 14]
00411619 E8 F2DE0000 call unpacked.0041F510
0041161E 8D4C24 10 lea ecx, dword ptr ss: [esp + 10]
00411622 C74424 2C 0000> mov dword ptr ss: [esp + 2C], 0
0041162A E8 719F0200 call <jmp.&MFC42.#540>
..................
00411639 68 540A4500 push unpacked.00450A54; @%s
// Later I found that @ is connected to the machine code, and the connection is recorded as
From these lines we can see that the program is written with MFC, and several of the calls go to MFC. I guess the call at 0041166B is the core of the algorithm. Let's take a look.

0041F574 BF 84134500 mov edi, unpacked.00451384; ProcessJudgerhaha1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ, fixed string
0041F579 83C9 FF or ecx, FFFFFFFF
..................
0041F590 8BE8 mov ebp, eax
0041F592 BF 74134500 mov edi, unpacked.00451374; ProcessJudger, fixed string
0041F597 83C9 FF or ecx, FFFFFFFF
..................
0041F5B7 F3: A4 rep movs byte ptr es: [edi], byte ptr ds: [esi]
0041F5B9 8B4C24 30 mov ecx, dword ptr ss: [esp + 30]; result A ("@" concatenated with the machine code) is loaded into ecx
Here the program fetches the fixed strings and loads result A, "@" concatenated with the machine code, into ecx for the calculation that follows.

0041F5BD 8BFD mov edi, ebp
..................
0041F5E9 85C9 test ecx, ecx; check the length of A
0041F5EB 7E 4D jle short unpacked.0041F63A
0041F5ED 8A1406 mov dl, byte ptr ds: [esi + eax]; fetch the ASCII code of each character of A from left to right
0041F5F0 8BFD mov edi, ebp
..................
0041F607 8B4C24 14 mov ecx, dword ptr ss: [esp + 14]
0041F60B 33C0 xor eax, eax
0041F60D 81E1 FF000000 and ecx, 0FF
0041F613 8A042A mov al, byte ptr ds: [edx + ebp]; fetch a character of the fixed string: its last character on the first pass, then from left to right
0041F616 8B5424 10 mov edx, dword ptr ss: [esp + 10]
0041F61A 33C1 xor eax, ecx; XOR the two values
0041F61C 50 push eax
0041F61D 52 push edx; push the calculation result held in edx
0041F61E 8D4424 18 lea eax, dword ptr ss: [esp + 18]
0041F622 68 6C134500 push unpacked.0045136C; %s%02X
0041F627 50 push eax
0041F628 E8 17C10100 call <jmp. & MFC42. #2818>
0041F62D 8B4424 40 mov eax, dword ptr ss: [esp + 40]
0041F631 83C4 10 add esp, 10
0041F634 46 inc esi
0041F635 3B70 F8 cmp esi, dword ptr ds: [eax-8]; compare the counter with the length of A
0041F638 ^ 7C B3 jl short unpacked.0041F5ED
This loop is actually very simple: it takes the ASCII code of each character of A and XORs it with the ASCII code of a character of the fixed string, once for every character of A. In my case it ran 12 times and produced the value 3203265c5253434b7b438534. The code after this is not worth looking at, so we go back to the earlier code.

00411687 6A 06 push 6; press 6
00411689 8D5424 1C lea edx, dword ptr ss: [esp + 1C]
0041168D 6A 00 push 0
0041168F 52 push edx
00411690 8BCD mov ecx, ebp
00411692 C64424 38 03 mov byte ptr ss: [esp + 38], 3
00411697 E8 8EA20200 call <jmp. & MFC42. #4278>; obtain the first six digits
0041169C 8B37 mov esi, dword ptr ds: [edi]; transfer the obtained result to esi
0041169E 8B00 mov eax, dword ptr ds: [eax]; transfers the first six digits of the false registration code to eax
004116A0 8A10 mov dl, byte ptr ds: [eax]; ASCII code of one character of the fake registration code
004116A2 8A1E mov bl, byte ptr ds: [esi]; ASCII code of one character of the real registration code
004116A4 8ACA mov cl, dl
004116A6 83CF FF or edi, FFFFFFFF
004116A9 3AD3 cmp dl, bl; compare the two values
004116AB 75 1E jnz short unpacked.004116CB; if they are not equal, it is over
004116AD 84C9 test cl, cl
004116AF 74 16 je short unpacked.004116C7
004116B1 8A50 01 mov dl, byte ptr ds: [eax + 1]; ASCII code of the next (even-position) character of the fake registration code
004116B4 8A5E 01 mov bl, byte ptr ds: [esi + 1]; ASCII code of the next (even-position) character of the real registration code
004116B7 8ACA mov cl, dl
004116B9 3AD3 cmp dl, bl; compare the two values
004116BB 75 0E jnz short unpacked.004116CB; if they are not equal, it is over
004116BD 83C0 02 add eax, 2
004116C0 83C6 02 add esi, 2
004116C3 84C9 test cl, cl
004116C5 ^ 75 D9 jnz short unpacked.004116A0; loop
..................
004116D1 8D4C24 18 lea ecx, dword ptr ss: [esp + 18]
004116D5 0F94C3 sete bl; flag: false means registration fails, true means registration succeeds
004116D8 E8 AB9E0200 call <jmp.&MFC42.#800>
Here we get the fake registration code.
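A model of the check traced above, covering both the XOR loop at 0041F5ED and the comparison loop that follows the call to MFC42 #4278, written in Python as an added example; it is not the program's own code. The "@" prefix, the fixed string "ProcessJudger", the "%s%02X" formatting, the truncation to six characters and the early-exit comparison are taken from the listing; the order in which the fixed string is indexed (its last character on the first pass, then from the beginning) is an assumption inferred from the sample trace, and the machine code used is constructed.

```python
# Added educational model of the registration check traced on this page,
# not the program's own code. The constant string and formatting come from
# the listing; the fixed-string indexing order is an assumption inferred
# from the page's sample trace (last character first, then from the start).
FIXED = b"ProcessJudger"   # fixed string at 00451374 in the unpacked binary


def derive_hex(machine_code: str) -> str:
    """Build A = "@" + machine code, XOR every byte of A with a byte of the
    fixed string and append it using the MFC Format("%s%02X") pattern."""
    a = b"@" + machine_code.encode("ascii")
    out = ""
    for i, byte in enumerate(a):
        # assumption: the index wraps to the last character when i == 0
        k = FIXED[(i - 1) % len(FIXED)]
        out += "%02X" % (byte ^ k)
    return out


def expected_code(machine_code: str) -> str:
    """Only the first six characters survive (push 6 before MFC42 #4278)."""
    return derive_hex(machine_code)[:6]


def check_registration(machine_code: str, entered: str) -> bool:
    """Mirror the traced comparison: walk both strings together and stop at
    the first mismatch or at the terminating NUL; sete bl becomes the flag."""
    real = expected_code(machine_code) + "\0"
    fake = entered + "\0"
    for real_ch, fake_ch in zip(real, fake):
        if real_ch != fake_ch:
            return False        # jnz -> registration fails
        if real_ch == "\0":
            return True         # both strings ended together
    return False


if __name__ == "__main__":
    MC = "ABCDE12345"           # constructed sample machine code
    print(derive_hex(MC), expected_code(MC),
          check_registration(MC, expected_code(MC)))
```

Because only six hex characters are kept, the code depends on nothing but the first two characters of the machine code (the first byte is always "@" XOR "r"), which is why a scheme like this offers no real protection and why a licensing check should not be built this way.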
