Initial Algorithm for activating the video Subsystem


By Xiaofei lankerr
Let's get to the point.
The main program sends the entered activation code to the driver for verification, so forcibly patching the return value does not work.
The program uses ODPS to download powermaster.exe and hides the call to DeviceIoControl behind three junk-instruction sequences; there are also four rounds of exception handling. Two anti-debugging steps are used, but simply loading StrongOD.dll, the OllyDbg plug-in, bypasses the checks. When the shell program calls DeviceIoControl, the ControlCode is 7C320, the InBuff is the entered registration code, and the length is 0x1E, i.e. 30 characters (they must be upper-case). What we type looks like 123456789F-123456789L-123456789Y; the program strips the '-' separators and then passes the string to the driver SnpShot.sys. OllyDbg cannot trace into the system kernel, so SoftICE is needed. (At first I used Wdasm to disassemble SnpShot.sys and could not find the IRP dispatch, so I used SoftICE to trace the DeviceIoControl call into SnpShot.sys. Later I learned how to use IDA, and then I saw the IRP dispatch in the disassembly.)
How does the driver verify and compute the activation code?
Two steps:
1. Convert the activation code into a string using the 'look-up table method'.
2. Run an encryption algorithm over that string to obtain an encrypted string and compare it with a stored string of length 0x10.
Now let's look at how the 'look-up table method' produces this string.
A: For example, we enter "123456789F123456789L123456789Y"

B: The table used is
CString GhostKey = "d54x379epw.cykn1tufh82vablsm6qgr"; // the look-up table, 32 characters
The activation code is converted character by character into the ordinal of each character in the table above. For example, the ordinal of '1' is 15 and the ordinal of 'F' is 21.
C code:
// ===================================================
//
// Returns the ordinal of the given character in the look-up table.
//
// ===================================================
int CMy2008Dlg::ScanKeyTable(char T)
{
    int i = 0;

    for (i = 0; i < 32; i++)
    {
        if (T == GhostKey.GetAt(i))
            return i;
    }
    return 0;   // not found: treated as ordinal 0
}
C: Loop five times over the value returned above, take the remainder, and return 0 or 1 as the parameter for the next function. I did not write this part in C, because the IDIV instruction does not seem to have a direct C equivalent and the shifts (ROL and so on) cannot be expressed in C either. The function is named BB0Mod because the last three hex digits of the function's address in the driver are BB0.
int CMy2008Dlg::BB0Mod(int iii, int sn)
{
    _asm
    {
        mov eax, iii
        cdq                 // sign-extend eax into edx:eax before idiv
        mov ecx, 8
        idiv ecx            // edx = iii % 8
        mov ecx, edx
        mov dl, 1
        shl dl, cl          // dl = 1 << (iii % 8)
        mov eax, sn
        and dl, al          // keep only that bit of sn
        neg dl              // CF = 1 if the bit was set
        sbb edx, edx        // edx = -1 if set, else 0
        neg edx             // edx = 1 if set, else 0
        mov iii, edx
    }
    return iii;
}
D: Take the loop counter modulo 8 and, depending on the 1 or 0 returned above, set or clear the corresponding bit. This needs a new buffer:
unsigned char XorKey[56] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; // it does not need to be this long; I made it larger for testing
void CMy2008Dlg::DDEMod(int KeySnMod, int kkk)
{
    _asm
    {
        mov eax, kkk
        cdq
        push 8
        pop ecx
        idiv ecx            // eax = kkk / 8 (byte index), edx = kkk % 8 (bit index)
        mov ebx, 1
        mov ecx, edx
        shl bl, cl          // bl = 1 << (kkk % 8)
        lea ecx, XorKey
        add eax, ecx        // eax = &XorKey[kkk / 8]
        cmp KeySnMod, 0
        jz AndByte
        or [eax], bl        // KeySnMod == 1: set the bit
        jmp DDEmodReturn
    AndByte:
        not bl
        and [eax], bl       // KeySnMod == 0: clear the bit
    DDEmodReturn:
    }
    return;
}
The look-up table and the two functions above are called like this:
for (int j = 0; j < 30; j++)
{
    KeySn = ScanKeyTable(ActiveKey.GetAt(j));
    for (int i = 0; i < 5; i++)
    {
        KeySnMod = BB0Mod(i, KeySn);
        DDEMod(KeySnMod, kkk);
        kkk++;
    }
}
E: After running the above, the result is as follows:

The activation code "123456789F123456789L123456789Y" is turned into "AF 12 11 78 A1 46 BE 4A E0 85 9A FC 11 81", and the subsequent calculation works on that. The bytes after 81 are set to 0 by a later operation, so they may not take part in the calculation (in fact, it seems only a length of 0x10 is used). The full calling code is as follows:
void CMy2008Dlg::OnCalc()
{
    UpdateData(TRUE);
    CString showMsg;
    CString ActiveKey;

    ActiveKey = m_Key1 + m_Key2 + m_Key3;   // the three edit boxes, i.e. the code without the '-'
    int KeySn = 0;
    int KeySnMod = 0;
    int kkk = 0;                            // running bit position in XorKey
    CString temp;
    for (int j = 0; j < 30; j++)
    {
        KeySn = ScanKeyTable(ActiveKey.GetAt(j));
        temp.Format("%02d", KeySn);
        showMsg += temp;
        for (int i = 0; i < 5; i++)         // five bits per character
        {
            // _asm int 3
            KeySnMod = BB0Mod(i, KeySn);
            DDEMod(KeySnMod, kkk);
            kkk++;
            temp.Format("%d", KeySnMod);
            showMsg += temp;
        }
        temp.Format("", KeySn, KeySnMod);
        showMsg += temp;
    }
    // showMsg.Format("%s, String Length: %d", ActiveKey, GhostKey.GetLength());
    ::MessageBox(NULL, showMsg, "show character", 0x1040);
    char showBuff[512];
    ::wsprintf(showBuff,
               "%02X %02X %02X %02X %02X %02X %02X %02X-"
               "%02X %02X %02X %02X %02X %02X %02X %02X "
               "%02X %02X %02X %02X %02X %02X %02X %02X",
               XorKey[0], XorKey[1],
               XorKey[2], XorKey[3],
               XorKey[4], XorKey[5],
               XorKey[6], XorKey[7],
               XorKey[8], XorKey[9],
               XorKey[10], XorKey[11],
               XorKey[12], XorKey[13],
               XorKey[14], XorKey[15],
               XorKey[16], XorKey[17],
               XorKey[18], XorKey[19],
               XorKey[20], XorKey[21],
               XorKey[22], XorKey[23]);
    ::MessageBox(NULL, showBuff, "Show Xor character", 0x1040);
}
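As an added cross-check, not the author's code: the same look-up and bit-packing step written in portable C without MFC or inline assembly, so the intermediate bytes can be verified on any platform; on the author's test key it reproduces the leading bytes AF 12 11 78 A1 reported above.

```c
#include <string.h>
/* The 32-character table from the write-up; a character's index is its value. */
static const char GHOST_KEY[] = "d54x379epw.cykn1tufh82vablsm6qgr";

/* Same as the author's ScanKeyTable: exact match, unknown characters give 0. */
int scan_key_table(char c)
{
    const char *p = (c != '\0') ? strchr(GHOST_KEY, c) : NULL;
    return p ? (int)(p - GHOST_KEY) : 0;
}

/* What BB0Mod computes: bit i (taken modulo 8) of sn, returned as 0 or 1. */
int bb0_mod(int i, int sn)
{
    return (sn >> (i % 8)) & 1;
}

/* What DDEMod does: set (bit != 0) or clear bit number pos, LSB first per byte. */
void dde_mod(unsigned char *buf, int bit, int pos)
{
    unsigned char mask = (unsigned char)(1u << (pos % 8));
    if (bit)
        buf[pos / 8] |= mask;
    else
        buf[pos / 8] &= (unsigned char)~mask;
}

/* The loop from OnCalc: up to 30 characters, 5 bits each, packed into out.
 * Returns the number of bytes that received bits (150 bits -> 19 bytes). */
int decode_activation_key(const char *key, unsigned char *out, size_t out_len)
{
    int pos = 0;
    if (out_len < 19) return 0;   /* 30 * 5 bits need 19 bytes */
    memset(out, 0, out_len);
    for (int j = 0; j < 30 && key[j] != '\0'; j++) {
        int sn = scan_key_table(key[j]);
        for (int i = 0; i < 5; i++)
            dde_mod(out, bb0_mod(i, sn), pos++);
    }
    return (pos + 7) / 8;
}

/* Returns output byte idx of the decoded key, or -1 when idx is out of range. */
int decoded_byte(const char *key, int idx)
{
    unsigned char buf[24];
    int n = decode_activation_key(key, buf, sizeof buf);
    return (idx >= 0 && idx < n) ? buf[idx] : -1;
}
```

The posted table is lower-case while the input must be upper-case and ScanKeyTable compares exactly, so the bytes covering the letters F, L and Y depend on the driver's real table; only the bytes produced by the digits are checked here.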

The above is the first step. Here are some further thoughts:
1. So far there is no keygen for Video Subsystem 2008 on the Internet; every crack works by modifying the SYS driver file. Perhaps a keygen cannot be made, or it would not be general enough.
2. After a series of transformations, the activation code is compared with the content specified in the index. If you do not want to modify the SYS file, a final effort seems unavoidable. When the SYS file is scanned with a crypto-signature tool it reports MD5, but after analysing the encryption function it turns out to contain only a large number of multiply-with-carry operations whose results feed 32 further rounds of calculation; it is not MD5. Unless you know how the in-memory string used for the comparison is derived, the above is all you can do.
3. ...... (many more)
