Decisive Battle with "Shared Data Protection Expert"

Source: Internet
Author: User

Text/Images: TC-XB
==========================================
Shared Data Protection Expert is a capable file protection tool. After it encrypts a folder, the Word, Excel and image files inside can only be viewed; they cannot be modified or copied. It is convenient to use, but without registration some functions are restricted. Let's analyze it.
The first step, as always, is to check whether the software is packed before starting on the crack. PEiD reports Borland Delphi 6.0-7.0, so it is not packed. Next we need an entry point for the analysis. Which way should we go? We could set a breakpoint on the message box, or use OllyDbg's string search to find the important text for us. Since this software shows a clear prompt when you register, the quickest route to the key code is the string search.
With the direction settled, let's get started. Open the string search in OllyDbg and, in the sea of strings, one stands out: "You have purchased and registered the Shared Data Protection Expert Advanced Edition software, thank you for your support!". The prompt could not be clearer. Double-click it to land in the corresponding code. As in earlier analyses, we look at the flow first and the algorithm second.

A Quick Strike
First, find where the registration check starts. Scrolling up from the registration-success prompt, we find the following code:

004D3C53  . 50             push eax
; Set the breakpoint here; EAX holds the registration code we entered
004D3C54  . 8D95 F4FDFFFF  lea edx, [ebp-20C]
004D3C5A  . A1 C0F14D00    mov eax, [4DF1C0]
004D3C5F  . 8B00           mov eax, [eax]
004D3C61  . E8 1E300000    call 004D6C84
; Algorithm CALL, follow it
004D3C66  . 8B85 F4FDFFFF  mov eax, [ebp-20C]
; The correct registration code has already appeared here
004D3C6C  . 8D95 F8FDFFFF  lea edx, [ebp-208]
004D3C72  . E8 D551F3FF    call 00408E4C
; Fetch the correct registration code
004D3C77  . 8B95 F8FDFFFF  mov edx, [ebp-208]
; Correct registration code in EDX
004D3C7D  . 58             pop eax
; Entered registration code back in EAX
004D3C7E  . E8 890FF3FF    call 00404C0C
; Compare the real and the entered registration code
004D3C83  . 75 2C          jnz short 004D3CB1
; Not equal: jump to the registration-failed branch
004D3C85  . 6A 40          push 40
; MB_ICONINFORMATION
004D3C87  . B9 58404D00    mov ecx, 004D4058
; "You have registered"
004D3C8C  . BA 64404D00    mov edx, 004D4064
; "You have purchased and registered the Shared Data Protection Expert Advanced Edition software, thank you for your support!"

These few lines are the core of the registration process: collect the registration information, compute the registration code with the algorithm, and check whether the code entered matches. Depending on the result, a message box reports success or failure. Obviously, changing "jnz short 004D3CB1" to "jz short 004D3CB1", or replacing it with NOPs, would count as a brute-force crack. Note, however, that this software verifies the registration code again when it is restarted, so simply patching the key jump may not be enough. Whatever the verification method, working out the registration algorithm is what counts.

In-depth attack
Let's follow the algorithm further. Following "004D3C61 E8 1E300000 call 004D6C84" brings us to the following code.

004D6C84  $ 55             push ebp                       ; Here we are
004D6C85  . 8BEC           mov ebp, esp
004D6C87  . 6A 00          push 0
004D6C89  . 6A 00          push 0
004D6C8B  . 6A 00          push 0
...... Omitted ......
004D6CBA  . E8 9D000000    call 004D6D5C                  ; First algorithm CALL
004D6CBF  . 8B55 F4        mov edx, dword ptr ss:[ebp-C]  ; 5808328774, the string passed to the next CALL
004D6CC2  . 66:B9 1701     mov cx, 117                    ; The fixed value 0x117
004D6CC6  . 8BC3           mov eax, ebx
004D6CC8  . E8 BBFEFFFF    call 004D6B88                  ; Second algorithm CALL
004D6CCD  . 8B45 FC        mov eax, dword ptr ss:[ebp-4]
004D6CD0  . 8B55 F8        mov edx, dword ptr ss:[ebp-8]
004D6CD3  . E8 8CDBF2FF    call 00404864
004D6CD8  . 33C0           xor eax, eax
004D6CDA  . 5A             pop edx

Following the first algorithm CALL, we found no obvious computation. Did we follow the wrong call, or just miss it? But at "004D6CC8 E8 BBFEFFFF call 004D6B88" the register values change noticeably: a long string appears. Intuition says this string is closely related to the registration code, so this CALL is highly suspicious. Let's follow it.

004D6B88  $ 55             push ebp                  ; Here we are
004D6B89  . 8BEC           mov ebp, esp
004D6B8B  . 6A 00          push 0
...... Omitted ......
004D6BAC  . 55             push ebp                  ; The algorithm is coming up
004D6BAD  . 68 2C6C4D00    push 004D6C2C
004D6BB2  . 64:FF30        push dword ptr fs:[eax]
004D6BB5  . 64:8920        mov fs:[eax], esp
004D6BB8  . 8B45 08        mov eax, [ebp+8]
004D6BBB  . E8 50DCF2FF    call 00404810
004D6BC0  . 8D45 F8        lea eax, [ebp-8]
004D6BC3  . E8 48DCF2FF    call 00404810
; Fetch the machine code
004D6BC8  . 8BC7           mov eax, edi
; Machine code into EAX
004D6BCA  . E8 F9DEF2FF    call 00404AC8
; Length (number of characters) of the machine code

The program loads our machine code into a register and takes its length. The core algorithm is about to begin.

004D6BCF  . 8BD8           mov ebx, eax
; EBX = length of the machine code, used as the loop counter
004D6BD1  . 85DB           test ebx, ebx
004D6BD3  . 7E 36          jle short 004D6C0B
; Empty machine code: skip the loop
004D6BD5  . BE 01000000    mov esi, 1
; ESI = 1-based index of the current character; the loop starts here
004D6BDA  > 8D45 F0        lea eax, [ebp-10]
004D6BDD  . 8A5437 FF      mov dl, [edi+esi-1]
; Take the characters of the machine code one at a time
004D6BE1  . E8 0ADEF2FF    call 004049F0
004D6BE6  . 8B45 F0        mov eax, [ebp-10]
004D6BE9  . E8 DE24F3FF    call 004090CC
; Numeric value of the current character in EAX
004D6BEE  . 0FB755 FE      movzx edx, word ptr [ebp-2]
; The fixed value 0x117 (passed in CX at 004D6CC2)
004D6BF2  . 33C2           xor eax, edx
; XOR the character's value with the fixed value
004D6BF4  . 8D55 F4        lea edx, [ebp-C]
; Destination for the converted result
004D6BF7  . E8 6C24F3FF    call 00409068
; Convert the XOR result to a decimal string
004D6BFC  . 8B55 F4        mov edx, [ebp-C]
; The decimal string in EDX
004D6BFF  . 8D45 F8        lea eax, [ebp-8]
004D6C02  . E8 C9DEF2FF    call 00404AD0
; Append it to the result string in [ebp-8]
004D6C07  . 46             inc esi
; Next character
004D6C08  . 4B             dec ebx
; One fewer character to process
004D6C09  .^ 75 CF         jnz short 004D6BDA
; Loop until every character has been processed
004D6C0B  > 8B45 08        mov eax, [ebp+8]

What exactly does the loop compute? For each character of the machine code, the program takes its numeric value and XORs it with the fixed value 0x117.
Why is the fixed value written as 0x117? OllyDbg displays immediates in hexadecimal, so the "mov cx, 117" at 004D6CC2 loads 0x117, which is 279 in decimal; the XOR itself is a bitwise operation on integers and does not care what base they are displayed in. What matters is the call that follows: the XOR result is converted to its decimal string form before it is appended, so the final result is built from decimal digits.

004D6C0E  . 50             push eax
; Result pointer saved on the stack
004D6C0F  . 8BC7           mov eax, edi
004D6C11  . E8 B2DEF2FF    call 00404AC8
; Same call as at 004D6BCA: the length of the machine code again

After the loop, the per-character results have been joined into one string. If the process still seems abstract, here is a worked example. Each character's value is XORed with 0x117 (279), and since the low four bits of 279 are 0111, the digits 0 to 9 map to:

0 -> 279, 1 -> 278, 2 -> 277, 3 -> 276, 4 -> 275, 5 -> 274, 6 -> 273, 7 -> 272, 8 -> 287, 9 -> 286

So every digit of the machine code becomes a three-digit decimal number, and these are joined in order. A 10-digit machine code such as the 5808328774 seen above therefore produces a 30-digit string, which agrees with the roughly 30 digits observed in the debugger. That string is still not the final registration code; the last part of the algorithm processes it further.

004D6C16  . 8BC8           mov ecx, eax
; ECX = number of characters to keep (the machine code length, 10 here)
004D6C18  . 33D2           xor edx, edx
; EDX = start position
004D6C1A  . 8B45 F8        mov eax, [ebp-8]
; EAX = the concatenated result of the loop
004D6C1D  . E8 FEE0F2FF    call 00404D20
; Copy the first ECX characters of the result: this is the registration code
...... Omitted ......
004D6C66  . 5E             pop esi
004D6C67  . 5B             pop ebx
004D6C68  . 8BE5           mov esp, ebp
004D6C6A  . 5D             pop ebp
004D6C6B  . C2 0400        retn 4

So at the end of the algorithm the program keeps only the first 10 digits of the concatenated result, and those 10 digits are the final registration code. The registration algorithm turns out to be quite simple, and can be summarized in three steps:
1) The numeric value of each character of the machine code is XORed with the fixed value 0x117 (279 in decimal), and each result is written out as a decimal number;
2) these decimal results are joined together in order, as in the digit mapping above;
3) the first 10 digits of that string are the registration code.
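The three steps above, implemented as a small Python keygen. This is an added example and not the software's own code: it assumes that the machine code consists only of decimal digits (as the 10-digit string 5808328774 passed to the algorithm CALL does) and that, per step 3, the first ten characters of the expanded string are kept; the `keep` parameter belongs to this example only, so that a machine code of another length can be tried.

```python
FIXED = 0x117  # the constant loaded with "mov cx, 117"; 279 in decimal


def transform_char(ch: str) -> str:
    """One loop iteration: numeric value of the character, XOR with 0x117,
    back to a decimal string. Each digit 0-9 yields a number in 272..287."""
    if not ("0" <= ch <= "9"):
        # Assumption: the article does not say what the software does with a
        # non-digit machine code, so this example simply rejects it.
        raise ValueError(f"machine code must be decimal digits, got {ch!r}")
    return str(int(ch) ^ FIXED)


def expand_machine_code(machine_code: str) -> str:
    """Steps 1 and 2: transform every character and join the results in order.
    A 10-digit machine code becomes a 30-digit string."""
    return "".join(transform_char(ch) for ch in machine_code)


def registration_code(machine_code: str, keep: int = 10) -> str:
    """Step 3: keep the first `keep` characters of the expanded string.
    The article states the code is the first ten digits; `keep` is a
    parameter of this example only."""
    return expand_machine_code(machine_code)[:keep]


def verify(machine_code: str, entered: str) -> bool:
    """Mirror of the comparison at 004D3C7E: entered code equals the computed one."""
    return entered == registration_code(machine_code)


if __name__ == "__main__":
    mc = "5808328774"  # the 10-digit string seen in the listing at 004D6CBF
    print("expanded:", expand_machine_code(mc))
    print("code    :", registration_code(mc))
```

Running it on the machine code from the listing expands to 30 digits and keeps the first ten of them; change `keep` only if you find that the copy count at 004D6C16 is something other than the machine code length.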
The software's functions are quite good and it is convenient to use, but its protection is weak: the executable is not packed, and the registration check and its algorithm are plain to see. The author should put more effort into protecting the software itself.

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
