Compiler C-free v352 Registration Algorithm Analysis

C-free v352 compiler RegistrationAlgorithmAnalysis

Author: Prince

ASPack 2.12 is easy to shell and can be easily handled by aspackdie. There is no self-check. It can be run directly after shelling. Registration Status: the machine code is provided. Enter the username prince and serial number 8764321. OK. A prompt is displayed for restart verification.
when it comes to restart verification, the simplest and most direct way is to think of the Registry. After checking, open the Registry Search username prince and find it in \ HKEY_LOCAL_MACHINE \ SOFTWARE \ c-free \ 3.5, the entered false code 87654321 and machinecode 2781318776 are also listed in the table. Now we can confirm that the software is indeed verified by restarting the registry. The goal is so clear: After loading the Program after shelling, the breakpoint regqueryvaluea, en? No, go back to regqueryvalueexa. Run F9 and get disconnected immediately. Check the stack. valuename = "layout text" is not what we want. Continue with F9. Note that the breakpoint cannot be canceled, because the subsequent reading of the Registry still depends on this function, it is broken again, not yet, and then run ..., about 81 times, valuename
= "machinecode" is displayed in the stack. This is the machine code to be read. Again, F9 is disconnected from the location where registrycode is also a false code. The next step is to read the username, that is, the user name. At this point, the preparation for calculating the registration code is complete, but where is the calculation? When the software is started, the author reads all the configuration information together with the machine code, user name, and registration code, and then calculates the registration code and continues to compare it, this makes it difficult for us to locate the registration code calculation. What should we do at this time? Two Methods: one is to perform one-step tracking below until key functions are found. After all, the software will definitely calculate the registration code before it starts; another method is to search for the false code in the memory and then download the memory breakpoint. This method is fast and convenient, but you have to grasp the timing, when to search for memory depends on the action of Code . I usually search for memory first. If it doesn't work, I have to perform a one-step single-stick operation and be patient with cracker. When you see valuename = "editortabwidth" in the stack, be careful. Well, we are at the secret entrance to the treasure.

Bytes ----------------------------------------------------------------------------------------
00419654 |.> mov word ptr ds: [EBX + 10], 4B8
0041965a |.> mov edX, unpacked.005daa4c; ASCII "editortabwidth"
0041965f |.> Lea eax, dword ptr ss: [EBP-620]
00419665 |.> call unpacked.0058d308
0041966a |.> Inc dword ptr ds: [EBX + 1C]
0041966d |.> mov edX, dword ptr ds: [eax]
0041966f |.> mov eax, ESI
00419671 |.> call unpacked.004e936c
00419676 |.> mov ECx, dword ptr ds: [EDI]
00419678 |.> mov edX, 2
0041967d |.> mov dword ptr ds: [ECx + a0c], eax
00419683 |.> Lea eax, dword ptr ss: [EBP-620]
00419689 |.> dec dword ptr ds: [EBX + 1C]
0041968c |.> call unpacked.0058d520
00419691 |.> mov ECx, dword ptr ds: [EDI]
00419693 |.> mov byte ptr ds: [ECx + 8f4], 0
0041969a |.> mov eax, dword ptr ds: [EDI]
0041969c |.> Inc dword ptr ds: [eax + 8f0]
004196a2 |.> call unpacked.00462f18; get the machine code and send it to eax
004196a7 |.> mov dword ptr ss: [EBP-764], eax
004196ad |.> mov word ptr ds: [EBX + 10], 98
004196b3 |.> mov edX, dword ptr ds: [EDI]
004196b5 |.> mov ECx, dword ptr ds: [edX + 8e4]
004196bb |.> CMP ECx, dword ptr ss: [EBP-764]
004196c1 |.> jnz unpacked.00419772
004196c7 |.> Lea eax, dword ptr ss: [EBP-884]
004196cd |.> push eax;/arg2
004196ce |.> mov edX, dword ptr ss: [EBP-764]; | [EBP-764] = machine code
004196d4 |.> push edX; | arg1
004196d5 |.> call unpacked.00462f70; \ key call, follow up
004196da |.> mov word ptr ds: [EBX + 10], 4c4; the call calculation code above is stored in eax (ah! Plaintext again

)
004196e0 |.> Add ESP, 8
004196e3 |.> Lea edX, dword ptr ss: [EBP-884]; real Code address sent to edX
004196e9 |.> Lea eax, dword ptr ss: [EBP-624]
004196ef |.> call unpacked.0058d308
004196f4 |.> Inc dword ptr ds: [EBX + 1C]
004196f7 |.> mov edX, dword ptr ds: [eax]
004196f9 |.> mov eax, dword ptr ds: [EDI]
004196fb |.> mov eax, dword ptr ds: [eax + 8e8]; send a false code to eax.
00419701 |.> call unpacked.004eced4; comparison function,.
00419706 |.> test eax, eax
00419708 |.> Lea eax, dword ptr ss: [EBP-624]

Bytes ----------------------------------------------------------------------------------------

We are looking for the algorithm calculation process, so we will follow up at 004196d5:

Bytes ----------------------------------------------------------------------------------------
00462f70/$> push EBP
00462f71 |.> mov EBP, ESP
00462f73 |.> Add ESP,-0c
00462f76 |.> XOR edX, EDX
00462f78 |.> push EBX
00462f79 |.> push ESI
00462f7a |.> push EDI
00462f7b |.> mov EBX, 25; EBX = 0x25
00462f80 |.> mov ECx, dword ptr ss: [EBP + 8]; [EBP + 8] = machine code
00462f83 |.> XOR ECx, 90909090; abnormal machine code or 90909090, ECx = 35571ee8
00462f89 |.> mov eax, ECx
00462f8b |.> Div EBX; divide the result of the exclusive or above by 25
00462f8d |.> mov eax, EDX; eax for remainder
00462f8f |.> CMP eax, 11; compare the remainder with 0x11
00462f92 |.> jge short unpacked.00462f97; directly press the stack to prepare function calls if the value is greater than or equal
00462f94 |.> Add eax, 11; otherwise, the remainder + 0x11, and then re-enter the stack.
00462f97 |> push eax;/arg3 remainder into Stack
00462f98 |.> Lea edX, dword ptr ss: [EBP-C]; |
00462f9b |.> push edX; | arg2
00462f9c |.> push ECx; | returns an exclusive or result from the arg1 to the stack.
00462f9d |.> call unpacked.005861f0; \ follow up
00462fa2 |.> mov ECx, dword ptr ss: [EBP + C]
00462fa5 |.> Add ESP, 0c
00462fa8 |.> mov ESI, ECx
00462faa |.> XOR eax, eax
00462fac |.> Lea EDI, dword ptr ss: [EBP-C]

Bytes ----------------------------------------------------------------------------------------

Follow up at 00462f9d:

Bytes ----------------------------------------------------------------------------------------
005861f0/$> push EBP
005861f1 |.> mov EBP, ESP
005861f3 |.> mov eax, dword ptr ss: [EBP + 10]
005861f6 |.> mov edX, dword ptr ss: [EBP + 8]
005861f9 |.> CMP eax, 0a; comparison of remainder with 0a
005861fc |.> push 61
005861fe |.> sete Cl; the condition is false, so cl is cleared.
00586201 |.> and ECx, 1
00586204 |.> CMP eax, 0a; still compared with 0a
00586207 |.> push ECx
00586208 |.> push eax
00586209 |.> mov ECx, dword ptr ss: [EBP + C]
0058620c |.> push ECx
0058620d |.> jnz short unpacked.00586213
0058620f |.> mov eax, EDX
00586211 |.> JMP short unpacked.00586215
00586213 |> mov eax, EDX
00586215 |> push eax; | arg1
00586216 |.> call unpacked.00586160; \ follow up
0058621b |.> Add ESP, 14
0058621e |.> pop EBP
0058621f \.> retn

Bytes ----------------------------------------------------------------------------------------

If no result is returned, follow-up will be conducted at section 00586216:

Bytes ----------------------------------------------------------------------------------------
00586160/$> push EBP
00586161 |.> mov EBP, ESP
00586163 |.> Add ESP,-24
00586166 |.> push EBX
00586167 |.> push ESI
00586168 |.> push EDI
00586169 |.> mov EDI, dword ptr ss: [EBP + 10]; [EBP + 10] indicates the remainder of the front pressure Stack
0058616c |.> mov ESI, dword ptr ss: [EBP + 8]; [EBP + 8] indicates the result of machine code exception or 90909090
0058616f |.> mov EBX, dword ptr ss: [EBP + C]
00586172 |.> cmp edi, 2; the remainder is compared with 0x2
00586175 |.> JL short unpacked.005861c4; less than hop
00586177 |.> cmp edi, 24; compared with 0x24
0058617a |.> JG short unpacked.005861c4; Skip if the value is greater
0058617c |.> test ESI, ESI
0058617e |.> jge short unpacked.0058618c
00586180 |.> CMP byte ptr ss: [EBP + 14], 0
00586184 |.> je short unpacked.0058618c
00586186 |.> mov byte ptr ds: [EBX], 2D
00586189 |.> Inc EBX
0058618a |.> neg ESI
0058618c |> Lea ECx, dword ptr ss: [EBP-24]; below is the key Loop
0058618f |>/mov eax, ESI; ESI = machine code exception or result
00586191 |.> | XOR edX, EDX, and EDX are cleared.
00586193 |.> | Div EDI; divide the above variance or result by the remainder of the Pressure Stack
00586195 |.> | mov byte ptr ds: [ECx], DL; write memory of one byte of the remainder calculated above
00586197 |.> | Inc ECx
00586198 |.> | mov eax, ESI
0058619a |.> | XOR edX, EDX
0058619c |.> | Div EDI
0058619e |.> | mov ESI, eax; the same computation was performed again, and the provider sent it to ESI
005861a0 |.> | test eax, eax; until eax = 0
005861a2 |.> \ jnz short unpacked.0058618f; if it is not 0, the loop continues.
005861a4 |.> JMP short unpacked.005861bd
005861a6 |>/DEC ECx
005861a7 |.> | mov Al, byte ptr ds: [ECx]; The value of memory [ECx] is sent to Al
005861a9 |.> | CMP Al, 0a; compared with 0a
005861ab |.> | jge short unpacked.005861b5; jump to another Calculation
005861ad |.> | add eax, 30; add 0x30 to this value
005861b0 |.> | mov byte ptr ds: [EBX], Al; the value is the I value of the registration code, which is saved in the memory.
005861b2 |.> | Inc EBX; continue to the next step
005861b3 |.> | JMP short unpacked.005861bd
005861b5 | >>| add Al, byte ptr ss: [EBP + 18]; if it is greater than 0a, add [EBP + 18] = 61,
005861b8 |.> | add Al, 0f6; add 0f6
005861ba |.> | mov byte ptr ds: [EBX], Al; write to memory as the I value of the registration code
005861bc |.> | Inc EBX
005861bd |> Lea edX, dword ptr ss: [EBP-24]; Address [EBP-24]
005861c0 |.> | CMP ECx, EDX; check whether the loop ends.
005861c2 |.> \ jnz short unpacked.005861a6; continue if no end
005861c4 |> mov byte ptr ds: [EBX], 0
005861c7 |.> mov eax, dword ptr ss: [EBP + C]
005861ca |.> pop EDI
005861cb |.> pop ESI
005861cc |.> pop EBX
005861cd |.> mov ESP, EBP
005861cf |.> pop EBP
005861d0 \.> retn

Bytes ----------------------------------------------------------------------------------------

The process is clear, right? First cycle: The result of the machine code rejection or 0x9090909090 is divided by the remainder of the Pressure stack obtained earlier. Then, the remainder of the process is written into the memory and reserved. The operator continues the cycle as the variable of the next cycle. The second cycle: reads the values written into the memory in the first cycle in reverse order. Compared with 0xa, 0x30 is directly added if the value is smaller than 0 XA, and is written into the memory as the I-character of the registration code; if the value is greater than or equal to 61 and 0xf6, the lower byte is used as the I-character of the registration code to be written into the memory. The user name is not calculated. I do not know if I have explained it to the white, but I still look at the program directly. C source code registration machine:

Bytes -----------------------------------------------------------------------------------------

# Include "stdafx. H"
# Include "stdlib. H"
# Include "stdio. H"

Int main (INT argc, char * argv [])
{
Char chkey [128] = {0 };
Unsigned int unxorcode, unremainder, unquotient, untmp, unmachinecode;
Printf ("Please key in the machine code: \ n ");
Scanf ("% d", & unmachinecode );

Unxorcode = unmachinecode ^ 0x90909090;
Unremainder = unxorcode % 0x25;
Unquotient = unxorcode;
If (unremainder <0x11)
{
Unremainder + = 0x11;
}

Int I;
I = 0;
While (unquotient! = 0)
{
Untmp = unquotient % unremainder;
Unquotient/= unremainder;
If (untmp> = 0xa)
{
Untmp = untmp + 0x61 + 0xf6;
Untmp & = 0x0ff;
Chkey [I] = untmp;
}
Else
{
Chkey [I] = untmp + 0x30;
}
I ++;
}
Printf ("Key is: \ n ");
While (I> = 0)
{
Printf ("% C", chkey [I]);
I --;
}
Printf ("\ n ");

Return 0;
}

Bytes -----------------------------------------------------------------------------------------