(1) Serial Number Protection Mechanism
Mathematical algorithms are the core of cryptographic encryption, but in general software protection they do not seem to receive much attention, because most of the time software protection is implemented as a programming technique. However, with the popularity of serial number registration schemes in recent years, the proportion of mathematical algorithms in software protection seems to be growing.
Let's look at how serial number protection works for software distributed on the network. After a user downloads a shareware program, there is generally a limit on how long it can be used; to keep using it, the user must register with the software company. Generally, the user sends the software company some personal information (usually a name) together with a credit card number. The software company computes a serial number from the user's information; once the user receives this serial number, he or she enters the registration information and the registration code in the software, following the steps required for registration. After the software verifies that the registration information is valid, it removes its own restrictions. This form of protection is relatively simple, requires no additional cost, and is convenient for users to purchase; 80% of the software on the Internet is protected in this way.
We notice that the software's check of a serial number's legitimacy is actually a check of whether the conversion relationship between the user name and the serial number is correct. There are two basic types of verification. One is to generate a registration code from the name entered by the user and compare it with the registration code the user entered; the formula is as follows:
Serial number = F(user name)
However, this method is equivalent to reproducing the software company's registration code generation process inside the user's copy of the software, which is actually very insecure: no matter how complicated the conversion process is, a cracker can extract the conversion process from the program and build a general-purpose registration program.
The other method is to verify the correctness of the user name from the registration code. The formula is as follows:
User name = F inverse(serial number) (used, for example, by ACDSEE and Xiaolou note)
This is actually the inverse of the software company's registration code calculation. If the forward and inverse algorithms are not symmetric, it is indeed difficult for a cracker, but such an algorithm is hard to design well.
So someone considered the algorithm:
F1(user name) = F2(serial number)
F1 and F2 are completely different algorithms, but the feature word computed from the user name with F1 equals the feature word computed from the serial number with F2. This scheme is relatively simple to design and has better confidentiality than the two above; if F1 and F2 can be designed as irreversible algorithms, the confidentiality is quite good. But once a cracker finds an inverse for either of them, the scheme is no longer safe. It seems hard to make many further breakthroughs with single-variable algorithms. What about two variables?
Specific value = F(user name, serial number)
This algorithm looks quite good: the relationship between user name and serial number is no longer so obvious. However, the one-to-one correspondence between user name and serial number is also lost, so the software developer must maintain the uniqueness of user name and serial number on their own; this does not seem difficult, it is just a matter of keeping a database. Of course, following the same idea, you can also split the user name and serial number into several parts to construct a multivariate algorithm:
Specific value = F(user name 1, user name 2, ..., serial number 1, serial number 2, ...)
Most existing serial number algorithms are designed by the software developers themselves, and most of them are quite simple. In addition, although some algorithm authors have put in great effort, they often do not get the expected result. In fact, many ready-made algorithms are available, such as RSA, DES, MD4 and MD5, but these are designed to encrypt data or protect passwords, which is somewhat different from serial number protection. I would like to give an example here, in the hope that it serves as a reference:
1. The program contains an encrypted ciphertext S.
2. Key = F(user name, serial number): use the two-variable algorithm above to obtain the key.
3. Plaintext D = F-DES(ciphertext S, key): use the obtained key to decrypt the ciphertext and obtain the plaintext D.
4. CRC = F-CRC(plaintext D): apply various CRC statistics to the obtained plaintext.
5. Check whether the CRC is correct. It is best to design several CRC algorithms and check that all of their results are correct.
In this way, the program itself never holds the correct serial number.
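The five-step scheme above, together with the two-variable key = F(user name, serial number) idea, as an added worked example that is not part of the original article. Assumptions: F is H(name) XOR serial, so the vendor can solve for a serial given a name; the DES of step 3 is replaced by a SHA-256 counter keystream XOR because Python's standard library has no DES; the "several CRCs" are zlib's crc32 and adler32; all sample values are constructed.

```python
import hashlib
import zlib

KEY_LEN = 16

def hash_name(name: str) -> bytes:
    # Fixed-length digest of the user name; the only thing the client needs from it.
    return hashlib.sha256(name.encode("utf-8")).digest()[:KEY_LEN]

def derive_key(name: str, serial: bytes) -> bytes:
    # Step 2: key = F(user name, serial number). F is XOR here (an assumption)
    # so that the vendor can solve for a serial given a name.
    return bytes(a ^ b for a, b in zip(hash_name(name), serial))

def keystream_xor(data: bytes, key: bytes) -> bytes:
    # Stand-in for the DES of step 3: XOR with a SHA-256 counter keystream.
    # Decryption is the same operation as encryption.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def checksums(data: bytes) -> tuple:
    # Step 4: several independent CRC-style statistics over the plaintext.
    return zlib.crc32(data), zlib.adler32(data)

# Vendor side (constructed sample values). Only the vendor holds VENDOR_KEY
# and PLAINTEXT; the shipped program carries CIPHERTEXT_S and EXPECTED_CRC.
VENDOR_KEY = hashlib.sha256(b"constructed vendor master key").digest()[:KEY_LEN]
PLAINTEXT = b"constructed plaintext D: registered build"
CIPHERTEXT_S = keystream_xor(PLAINTEXT, VENDOR_KEY)   # step 1
EXPECTED_CRC = checksums(PLAINTEXT)                    # reference for step 5

def make_serial(name: str) -> bytes:
    # Vendor: pick the serial so that F(name, serial) == VENDOR_KEY.
    return bytes(a ^ b for a, b in zip(hash_name(name), VENDOR_KEY))

# Client side: has CIPHERTEXT_S and EXPECTED_CRC, never VENDOR_KEY or a serial.
def verify(name: str, serial: bytes) -> bool:
    key = derive_key(name, serial)                 # step 2
    plaintext = keystream_xor(CIPHERTEXT_S, key)   # step 3
    return checksums(plaintext) == EXPECTED_CRC    # steps 4 and 5

if __name__ == "__main__":
    good = make_serial("Alice")
    print(verify("Alice", good), verify("Bob", good))   # True False
```

Because F is XOR, any one valid (name, serial) pair reveals VENDOR_KEY to whoever holds it, so a real deployment needs an F that is hard to invert; XOR is kept here only so that the vendor's generation step stays visible.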
(2) Attacking Serial Number Protection
Whether the goal is to locate the serial number or to modify the jump instruction after the serial number has been checked, the most important thing is to use various tools to locate the code segment that judges the serial number. Commonly used APIs include GetDlgItemInt, GetDlgItemTextA, GetTabbedTextExtentA, GetWindowTextA, Hmemcpy (Windows 9x only), lstrcmp, lstrlen, and memcpy (NT/2000 only).
1) The data constraint tip
This concept was proposed by ORC and applies only to protection schemes that compare the registration code in plaintext. In most serial-number-protected programs, the real, correct registration code or password appears in memory at some moment. Its location is of course not fixed, but in most cases it lies within the same range, namely the memory address where the user's input serial number is stored, plus or minus 90 bytes. This is determined by a data transmission constraint in the Windows tools used by the protection author.
2) The Hmemcpy function (commonly known as the universal breakpoint)
The Hmemcpy function is an internal function of the Windows 9x system, located in KERNEL32.DLL, used to copy a block of memory from one place to another. Because Windows 9x uses this function frequently to handle all kinds of strings, it is very useful as a breakpoint, and it is the most commonly used breakpoint on the Windows 9x platform. This breakpoint does not exist on Windows NT/2000, whose kernel is completely different from Windows 9x.
3) The S command
Because the S command ignores pages that are not present in memory, you can use the 32-bit flat data segment descriptor 30h to search the entire 4 GB (0 ~ FFFFFFFFh) address space; this is generally used under Windows 9x. The specific steps are as follows: first enter the name or a fake serial number (for example, 78787878), press Ctrl+D to switch to SoftICE, and run the following SEARCH command:
S 30: 0 L ffffffff'000000'
SoftICE reports the address where the string was found, in the form ss:ssssssss (there may be more than one); then set a bpm breakpoint on the found fake registration code and track how the program processes the input serial number, which may lead to the correct serial number.
4) Using message breakpoints
The message breakpoints WM_GETTEXT and WM_COMMAND can be used for string handling. The former reads the text of a control, for example copying the serial number from an edit box into a buffer provided by the program; the latter notifies a control's parent window, for example when the user clicks OK after entering the serial number, the button's parent window receives a message saying the button was clicked.
BMSG xxxx WM_GETTEXT (intercept the serial number)
BMSG xxxx WM_COMMAND (intercept the OK button)
You can use SoftICE's HWND command to obtain window handle information, or use the Spy utility in Visual Studio to obtain the handle value of the corresponding window, and then use BMSG to set the breakpoint. Example:
BMSG 0129 WM_COMMAND