Discussion on the Application of "machine code" in software algorithms -- Analysis of the PC Timed Shutdown genie Registration Algorithm

Source: Internet
Author: User

Text and figures: TC-XB
==========================================
At present, most shareware is registered with the classic "registration name + registration code" scheme. The method is quick and effective, but its shortcoming is equally obvious: it cannot guarantee the "uniqueness" of a registration. Simply put, once one person registers the software, anyone else can use it with the same registration name and registration code. That is a disaster for the software author, so a new registration method came into being: the "machine code + registration code" scheme we discuss today.
As you can see, what differs from the earlier scheme is that something called a "machine code" replaces the traditional "user name". Why can this method ensure that a registered copy cannot be used by others? That starts with the "machine code" itself.
Devices in our computers such as the hard disk and the CPU all carry their own IDs. Such an ID is meant to be a globally unique identifier that distinguishes the device from other products of the same kind, much like an ID card. Because of this uniqueness, software authors had an idea: use the ID as a "signature", run a series of calculations over this unique "signature", and use the result as the registration code, so that the software can only be used on the corresponding machine. The ID here is what is meant by the "machine code".
So how should we analyze software that uses a "machine code", and what does the process look like? Next we walk through the analysis of such software in detail. Our target is the "PC Timed Shutdown wizard". Click "Help -> Register" on the menu bar to open the registration window, shown in Figure 1. Clearly the software uses the "machine code + registration code" scheme, and the machine code here is a string of digits. Enter an arbitrary registration code and the software prompts "the registration code is incorrect", as shown in Figure 2.
 
Figure 1
 
Figure 2
Now that we have a general idea of the software, we can bring out the tools for analysis. First, check whether the executable is packed. A check with PEiD (Figure 3) shows that it is not packed, so it can be analyzed directly in OD (OllyDbg).
 
Figure 3
Step 1: Tracking the "machine code"
Open the software in OD. We now need a suitable place to set a breakpoint. The usual method is to run the string search and look for the obvious registration prompt. So we open the string search and search again and again, but find nothing related to the registration prompt, which is a setback: the string-search method does not work here. I then turned to API functions. Since the software pops up a window saying "the registration code is incorrect", set a breakpoint on that function in OD: restart the program and enter "bp MessageBoxA" in the OD command line. Should this work? When a registration code is entered in the registration window, the software does not break as expected. If we cannot get it to break, we cannot analyze it. Are the two most effective methods really both useless? It seems we have to dig deeper to continue.
We already know that this software uses a "machine code", and a "machine code" is generally derived from hard-disk or CPU information. Would the process of reading that information leave any traces? We opened the "string search" once more and did find a suspicious spot in the code, as shown in Figure 4. Double-clicking takes us to the corresponding location. Strange! The code here looked unfamiliar; we had never met it before, whether analyzing a registration flow or an algorithm. Set a breakpoint first and rerun the program. This time, just as we were about to open the registration window, the program broke.
 
Figure 4

00402118/$55 push ebp
Here we are
00402119 |. 8BEC mov ebp, esp
0040211B |. 51 push ecx
; Preparations before Calculation
0040211C |. 56 push esi
0040211D |. 33F6 xor esi, esi
; Clear registers
0040211F |. 56 push esi
;/PFileSystemNameSize => NULL
00402120 |. 56 push esi
; | PFileSystemNameBuffer => NULL
00402121 |. 56 push esi
; | PFileSystemFlags => NULL
00402122 |. 8D45 FC lea eax, [ebp-4]; |
00402125 |. 56 push esi
; | PMaxFilenameLength => NULL
00402126 |. 50 push eax
; | PVolumeSerialNumber
00402127 |. 56 push esi
; | MaxVolumeNameSize => 0
00402128 |. 56 push esi
; | VolumeNameBuffer => NULL
00402129 |. 68 AC444100 push 004144AC; | c:
0040212E |. 8975 FC mov [ebp-4], esi; |
00402131 |. FF15 60E04000 call [<& KERNEL32.GetVolumeInf>; GetVolumeInformationW
00402137 |. 85C0 test eax, eax
; Obtain the volume serial number of drive C

What does this code do? It obtains the volume serial number of drive C (that is, the ID of drive C) through a call to GetVolumeInformationW. The serial number obtained here is most likely what is then processed into the "machine code". Of course, some computation is required between a device's serial number and the machine code; how does the software process the "signature" here?

00402139 |. 75 10 jnz short 0040214B
; Further processing of the volume serial number
0040213B |. 56 push esi
0040213C |. 56 push esi
0040213D |. 68 78EC4000 push 0040EC78
00402142 |. E8 95970000 call <jmp. & MFC42u. #1197>
00402147 |. 33C0 xor eax, eax
00402149 |. EB 11 jmp short 0040215C
0040214B |> 8B4D FC mov ecx, [ebp-4]
; Put the C drive pattern into ECX, we set it to str1
0040214E |. 8B45 FC mov eax, [ebp-4]
And put it in EAX.
00402151 |. C1E9 10 shr ecx, 10
; Take the first four digits of str1 and set it to str2
00402154 |. 2BC1 sub eax, ecx
; Str1 minus str2. The result is set to str3.
00402156 |. 0FB74D FC movzx ecx, word ptr [ebp-4]
; Take the last four digits of str1 and set it to str4
0040215A |. 2BC1 sub eax, ecx
; Str3 minus str4, we set it to str5
0040215C |> 5E pop esi
0040215D |. C9 leave
Converts str5 to the corresponding 10-digit number, that is, the "machine code"

Seeing this computation may look troublesome, but in fact it only uses the simplest additions and subtractions; with the code and the comments it should not be hard to follow. Let's illustrate with an example (all arithmetic is in hexadecimal).
Step 1: assume the volume serial number of drive C obtained by the program is E8DC53CE; in the code comments this is str1;
Step 2: take the upper four hex digits, E8DC, as str2;
Step 3: subtract str2 from str1, that is E8DC53CE - E8DC = E8DB6AF2; this value is str3;
Step 4: take the lower four hex digits of str1, namely 53CE, as str4;
Step 5: subtract str4 from str3, that is E8DB6AF2 - 53CE = E8DB1724; this value is str5.
In the software my machine code shows as 3906672420. Where does this number come from? 3906672420 is simply the decimal value of E8DB1724. In other words, str5 converted to decimal is the "machine code" displayed by the software.
I set out to analyze the registration process and instead stumbled on how the machine code is formed. Although it was not my goal, it is still a gain. Since the "machine code" is generated here, the registration-code computation should not be far away. Let's continue.

Step 2: Straight to the algorithm
Let the program continue running. When we open the "Register" window and enter an arbitrary registration code, the program breaks again, stopping in the code shown above: it appears to repeat the "machine code" computation, but this time as the real start of the algorithm. After the machine code has been computed, the program arrives at the following code.

0040215E. C3 retn
0040215F/$ E8 B4FFFFFF call 00402118
00402164 |. 8BC8 mov ecx, eax
; Retrieve the stored str5
00402166 |. 35 EA44D934 xor eax, 34D944EA
; XOR str5 with the fixed value 0x34D944EA
0040216B |. 8BD1 mov edx, ecx
; Save the calculation result and set it to codeA
0040216D |. C1EA 10 shr edx, 10
; Take the upper four hex digits of str5 as codeB
00402170 |. 0FB7C9 movzx ecx, cx
; Take the last four digits of str5 and set it to codeC
00402173 |. 2BC2 sub eax, edx
; CodeA minus codeB to get codeD
00402175 |. 2BC1 sub eax, ecx
; CodeD minus codeC to get codeE
00402177. C3 retn

The program first obtains the computed "machine code" and XORs it with the fixed value 0x34D944EA, that is XOR(E8DB1724, 34D944EA) = DC0253CE; this result is saved as codeA. Then the upper four hex digits of str5 are taken as codeB and the lower four as codeC. codeA minus codeB, that is DC0253CE - E8DB = DC016AF3, gives codeD. Likewise codeD minus codeC, that is DC016AF3 - 1724 = DC0153CF, gives codeE. As far as the current code shows, the computation ends here, and we still cannot be sure what the registration code is. The code that follows seems to verify the registration code, so we continue the analysis.

00402178/$837C24 04 00 cmp dword ptr [esp + 4], 0
0040217D |. 77 03 ja short 00402182
0040217F |. 33C0 xor eax, eax
00402181 |. C3 retn
00402182 |> E8 D8FFFFFF call 0040215F
00402187 |. 33C9 xor ecx, ecx
; Clear ecx
00402189 |. 394424 04 cmp [esp + 4], eax
; Compare the registration code with codeE
0040218D |. 0F94C1 sete cl
; Flag value assignment
00402190 |. 8BC1 mov eax, ecx
If they are equal, the value is 1.
00402192. C3 retn
; Return

The code here compares the entered registration code with the calculated codeE; if the two are equal
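The whole check, reconstructed from the listings above as an added Python example (not code from the article or from the software; the function names are mine, the sample serial is the article's E8DC53CE and the XOR constant is the immediate at 00402166). Besides reproducing the worked values, it makes explicit a weakness the listing does not spell out: because str5 = str1 - (str1 >> 16) - (str1 & 0xFFFF), the machine code equals (str1 >> 16) * 0xFFFF, so the low 16 bits of the volume serial are discarded and only 65536 distinct machine codes can ever exist.

```python
# Added example: reconstruction of the registration check described in the
# article (not the software's own code). Constants come from the listing.
MASK32 = 0xFFFFFFFF
XOR_CONST = 0x34D944EA   # immediate at 00402166: xor eax, 34D944EA


def machine_code(volume_serial: int) -> int:
    """sub 00402118: derive the 'machine code' (str5) from the 32-bit
    volume serial number of drive C (str1)."""
    str1 = volume_serial & MASK32
    str2 = str1 >> 16                # shr ecx, 10  -> upper 16 bits
    str3 = (str1 - str2) & MASK32    # sub eax, ecx -> str1 - str2
    str4 = str1 & 0xFFFF             # movzx ecx, word ptr [ebp-4] -> lower 16 bits
    str5 = (str3 - str4) & MASK32    # sub eax, ecx -> str3 - str4
    return str5


def expected_registration_code(str5: int) -> int:
    """sub 0040215F: the value (codeE) the entered registration code must equal."""
    code_a = str5 ^ XOR_CONST            # xor eax, 34D944EA
    code_b = str5 >> 16                  # shr edx, 10
    code_c = str5 & 0xFFFF               # movzx ecx, cx
    code_d = (code_a - code_b) & MASK32  # sub eax, edx
    code_e = (code_d - code_c) & MASK32  # sub eax, ecx
    return code_e


def check_registration(volume_serial: int, entered: int) -> bool:
    """sub 00402178: a zero code is rejected up front (cmp/ja), otherwise the
    entered value is compared with codeE recomputed from the machine code."""
    if entered == 0:
        return False
    return entered == expected_registration_code(machine_code(volume_serial))


def machine_code_collapses(volume_serial: int) -> bool:
    """Algebra of sub 00402118: (hi<<16 | lo) - hi - lo == hi * 0xFFFF, so the
    low 16 bits of the serial are discarded and only 65536 machine codes exist."""
    return machine_code(volume_serial) == (volume_serial >> 16) * 0xFFFF


if __name__ == "__main__":
    serial = 0xE8DC53CE                  # the article's sample serial, used as constructed input
    mc = machine_code(serial)
    print(f"machine code: {mc} (0x{mc:08X})")                 # 3906672420 (0xE8DB1724)
    print(f"codeE: 0x{expected_registration_code(mc):08X}")   # 0xDC0153CF
    print("low 16 bits ignored:", machine_code(0xE8DC0000) == mc)   # True
```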
