PowerShadow Master V2.6 Registration Algorithm Analysis

Source: Internet
Author: User

Text and figures: laoxuetong
PowerShadow Master is an unusual piece of software. After you install it and reboot, the boot menu gains an extra entry, much as if a second operating system had been installed. Booting into the PowerShadow Master entry gives you a system that behaves exactly like the original, but everything you do there, including installing programs (or even running viruses), is gone the next time you boot the original system. This makes it very useful for installing and testing programs, since installation and uninstallation leave no junk files behind.

Experimenting to find a way in
Start the program and open the registration window. If nothing is entered, the program asks for a registration name or registration code; entering arbitrary registration data produces the message shown in Figure 1, so the program clearly contains prompt strings. A search of the string table, however, finds none of them, which suggests they are stored encrypted. Before we can find a suitable breakpoint we therefore have to deal with the encrypted strings. Copying the string table and discarding the obvious plaintext leaves the following 14 suspicious strings.
Figure 1: the message shown after arbitrary registration data is entered

UNICODE "uJR9MxC58JR7JIADBP5N 7JMMPKO98, TJP I998 OJ M9DINO5GG uJR9MxC58JR"
UNICODE "uJR9MxC58JR"
UNICODE "zIFIJRI 09MNDJI"
UNICODE "w9BDNO98 09MNDJI"
UNICODE "jQ5GP5ODJI 09MNDJI"
UNICODE "9SKDM98 Q9MNDJI"
UNICODE "NTNO9H\hPMM9IOhJIOMJGx9O\x9MQD79N\NIKNCJO\nIAJ"
UNICODE "3JP HPNO DIKPO TJPM I5H9."
UNICODE "3JP HPNO DIKPO OC9 N9MD5G IPH69M."
UNICODE "TJP DIKPO OC9 9MMJM I5H9 JM N9MD5G IPH69M"
UNICODE "xDIBG9 xC58JR rJ89"
UNICODE "kPGG xC58JR rJ89"
UNICODE "sJMH5G rJ89"
UNICODE "uJR9MxC58JR 7JIADBM5ODJI R5N 7JMMPKO98, TJP NCJPG8 M9DINO5GG uJR9MxC58JR"

We do not yet know where the decryption function lives, so we set a memory-access breakpoint on each of these strings. Launching the program under OllyDbg (OD), we very soon land here:

00426040  PUSH ESI                                ; string decryption routine, arguments: (ciphertext, output buffer)
00426041  MOV ESI, DWORD PTR SS:[ESP+8]           ; ESI -> UNICODE ciphertext
00426045  MOV AX, WORD PTR DS:[ESI]               ; read one 16-bit character
00426048  TEST AX, AX
0042604B  JE shadowse.00426108                    ; empty string: write a terminator and return
00426051  MOV ECX, DWORD PTR SS:[ESP+C]           ; ECX -> output buffer
00426055  PUSH EDI
00426056  CMP AX, 30                              ; digit?
0042605A  JB SHORT shadowse.0042606C              ; < '0': not a digit
0042605C  CMP AX, 39
00426060  JA SHORT shadowse.0042606C              ; > '9': not a digit
00426062  AND EAX, 0FFFF
00426067  SUB EAX, 30                             ; '0'..'9' -> 0..9
0042606A  JMP SHORT shadowse.00426096
0042606C  CMP AX, 41                              ; uppercase letter?
00426070  JB SHORT shadowse.00426082              ; < 'A': not uppercase
00426072  CMP AX, 5A
00426076  JA SHORT shadowse.00426082              ; > 'Z': not uppercase
00426078  AND EAX, 0FFFF
0042607D  SUB EAX, 37                             ; 'A'..'Z' -> 10..35
00426080  JMP SHORT shadowse.00426096
00426082  CMP AX, 61                              ; lowercase letter?
00426086  JB SHORT shadowse.004260E8              ; < 'a': copy unchanged
00426088  CMP AX, 7A
0042608C  JA SHORT shadowse.004260E8              ; > 'z': copy unchanged
0042608E  AND EAX, 0FFFF
00426093  SUB EAX, 3D                             ; 'a'..'z' -> 36..61
00426096  ADD EAX, 1F                             ; value + 0x1F
00426099  MOV EDI, 3E
0042609E  CDQ
0042609F  IDIV EDI                                ; EDX = (value + 0x1F) mod 0x3E
004260A1  TEST EDX, EDX
004260A3  JL SHORT shadowse.004260B8              ; < 0 (never true for the inputs above)
004260A5  CMP EDX, 9
004260A8  JG SHORT shadowse.004260B8              ; > 9: not a digit
004260AA  ADD EDX, 30                             ; 0..9 -> '0'..'9'
004260AD  ADD ESI, 2
004260B0  MOV WORD PTR DS:[ECX], DX
004260B3  ADD ECX, 2
004260B6  JMP SHORT shadowse.004260F1
004260B8  CMP EDX, 0A
004260BB  JL SHORT shadowse.004260D0              ; < 10
004260BD  CMP EDX, 23
004260C0  JG SHORT shadowse.004260D0              ; > 35: not an uppercase letter
004260C2  ADD EDX, 37                             ; 10..35 -> 'A'..'Z'
004260C5  ADD ESI, 2
004260C8  MOV WORD PTR DS:[ECX], DX
004260CB  ADD ECX, 2
004260CE  JMP SHORT shadowse.004260F1
004260D0  CMP EDX, 24
004260D3  JL SHORT shadowse.004260E0              ; < 36
004260D5  CMP EDX, 3D
004260D8  JG SHORT shadowse.004260E0              ; > 61
004260DA  ADD EDX, 3D                             ; 36..61 -> 'a'..'z'
004260DD  MOV WORD PTR DS:[ECX], DX               ; store the plaintext character
004260E0  ADD ESI, 2
004260E3  ADD ECX, 2
004260E6  JMP SHORT shadowse.004260F1
004260E8  MOV WORD PTR DS:[ECX], AX               ; not alphanumeric: copy as is (space, '\', '.', ',')
004260EB  ADD ECX, 2
004260EE  ADD ESI, 2
004260F1  MOV AX, WORD PTR DS:[ESI]               ; read the next ciphertext character
004260F4  TEST AX, AX
004260F7  JNZ shadowse.00426056                   ; loop until the terminating NUL
004260FD  MOV WORD PTR DS:[ECX], AX               ; write the terminator
00426100  POP EDI
00426101  MOV EAX, 1
00426106  POP ESI
00426107  RETN
00426108  MOV EAX, DWORD PTR SS:[ESP+C]           ; empty input: output buffer gets an empty string
0042610C  POP ESI
0042610D  MOV WORD PTR DS:[EAX], 0
00426112  MOV EAX, 1
00426117  RETN

The routine is a plain character substitution: digits, uppercase and lowercase letters are mapped to 0..61, shifted by 0x1F modulo 0x3E, and mapped back; everything else is copied through. With that understood we can recover the plaintext offline. The following C program reimplements the decryption:

#include <stdio.h>
#include <string.h>

/* Re-implementation of the string routine at 00426040. The binary works on
   UTF-16 words; char is enough here because all 14 strings are ASCII.
   The function name jiami ("encrypt") is kept from the original listing. */
void jiami(char str[])
{
    int i, n, tmp;
    printf("%s => ", str);
    if (str[0] == 0) return;
    n = strlen(str);
    for (i = 0; i < n; i++)
    {
        tmp = str[i];
        if (tmp >= 0x30 && tmp <= 0x39)         /* '0'..'9' -> 0..9 */
            tmp -= 0x30;
        else if (tmp >= 0x41 && tmp <= 0x5A)    /* 'A'..'Z' -> 10..35 */
            tmp -= 0x37;
        else if (tmp >= 0x61 && tmp <= 0x7A)    /* 'a'..'z' -> 36..61 */
            tmp -= 0x3D;
        else continue;                          /* anything else stays as it is */
        tmp += 0x1F;                            /* ADD EAX, 1F */
        tmp %= 0x3E;                            /* IDIV EDI with EDI = 0x3E */
        if (tmp >= 0 && tmp <= 9)
            tmp += 0x30;                        /* back to a digit */
        else if (tmp >= 10 && tmp <= 35)
            tmp += 0x37;                        /* back to an uppercase letter */
        else if (tmp >= 0x24 && tmp <= 0x3D)
            tmp += 0x3D;                        /* back to a lowercase letter */
        str[i] = tmp;
    }
    printf("%s\n", str);
}

int main(void)
{
    char str1[100]  = "uJR9MxC58JR";
    char str2[100]  = "zIFIJRI 09MNDJI";
    char str3[100]  = "w9BDNO98 09MNDJI";
    char str4[100]  = "jQ5GP5ODJI 09MNDJI";
    char str5[100]  = "9SKDM98 Q9MNDJI";
    char str6[100]  = "3JP HPNO DIKPO TJPM I5H9.";
    char str7[100]  = "3JP HPNO DIKPO OC9 N9MD5G IPH69M.";
    char str8[100]  = "TJP DIKPO OC9 9MMJM I5H9 JM N9MD5G IPH69M";
    char str9[100]  = "xDIBG9 xC58JR rJ89";
    char str10[100] = "kPGG xC58JR rJ89";
    char str11[100] = "sJMH5G rJ89";
    char str12[100] = "uJR9MxC58JR7JIADBP5N 7JMMPKO98, TJP I998 OJ M9DINO5GG uJR9MxC58JR";
    char str13[100] = "NTNO9H\\hPMM9IOhJIOMJGx9O\\x9MQD79N\\NIKNCJO\\nIAJ";
    char str14[100] = "uJR9MxC58JR 7JIADBM5ODJI R5N 7JMMPKO98, TJP NCJPG8 M9DINO5GG uJR9MxC58JR";

    jiami(str1);
    jiami(str2);
    jiami(str3);
    jiami(str4);
    jiami(str5);
    jiami(str6);
    jiami(str7);
    jiami(str8);
    jiami(str9);
    jiami(str10);
    jiami(str11);
    jiami(str12);
    jiami(str13);
    jiami(str14);
    getchar();                                  /* keep the console window open */
    return 0;
}

Running this program gives the following correspondence between ciphertext and plaintext:
UNICODE "uJR9MxC58JR7JIADBP5N 7JMMPKO98, TJP I998 OJ M9DINO5GG uJR9MxC58JR" => PowerShadowconfiguas corrupted, you need to reinstall PowerShadow
UNICODE "uJR9MxC58JR" => PowerShadow
UNICODE "zIFIJRI 09MNDJI" => Unknown Version
UNICODE "w9BDNO98 09MNDJI" => Registed Version
UNICODE "jQ5GP5ODJI 09MNDJI" => Evaluation Version
UNICODE "9SKDM98 Q9MNDJI" => expired version
UNICODE "NTNO9H\hPMM9IOhJIOMJGx9O\x9MQD79N\NIKNCJO\nIAJ" => system\CurrentControlSet\Services\snpshot\Info
UNICODE "3JP HPNO DIKPO TJPM I5H9." => You must input your name.
UNICODE "3JP HPNO DIKPO OC9 N9MD5G IPH69M." => You must input the serial number.
UNICODE "TJP DIKPO OC9 9MMJM I5H9 JM N9MD5G IPH69M" => you input the error name or serial number
UNICODE "xDIBG9 xC58JR rJ89" => Single Shadow Mode
UNICODE "kPGG xC58JR rJ89" => Full Shadow Mode
UNICODE "sJMH5G rJ89" => Normal Mode
UNICODE "uJR9MxC58JR 7JIADBM5ODJI R5N 7JMMPKO98, TJP NCJPG8 M9DINO5GG uJR9MxC58JR" => PowerShadow configration was corrupted, you should reinstall PowerShadow
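The Python script below is an added example written for this article; it is not code from the original author or from PowerShadow. It reimplements the routine at 00426040 in a form that makes explicit a property the C program above uses without stating it: the routine rotates each character of the 62-symbol alphabet [0-9A-Za-z] by 0x1F (31) positions modulo 0x3E (62) and copies every other character through. Because 31 + 31 = 62, the mapping is its own inverse, so the same function both decrypts the string table and encrypts any plaintext you expect the program to contain. The script also encodes the result as UTF-16LE, which is the byte pattern to search for in the file or in process memory when you want a breakpoint on one particular message; the UTF-16LE encoding is inferred from the word-sized reads in the listing, and the 14 ciphertexts are the ones listed above.

```python
# Added example for this article, not code from PowerShadow or its author.
# The routine at 00426040 is a rotation by 0x1F over the 62-symbol alphabet
# below; characters outside the alphabet take the path at 004260E8 and are
# copied unchanged.

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SHIFT = 0x1F                # ADD EAX, 1F
MODULUS = len(ALPHABET)     # 0x3E; MOV EDI, 3E / IDIV EDI


def rotate_char(ch):
    """Map one character exactly as the x86 routine does.

    Digits, uppercase and lowercase letters become 0..9, 10..35 and 36..61
    (the SUB 30 / SUB 37 / SUB 3D branches), are rotated by SHIFT modulo
    MODULUS, and are mapped back into the same three ranges. Anything else
    (space, backslash, punctuation) is returned unchanged.
    """
    idx = ALPHABET.find(ch)
    if idx < 0:
        return ch
    return ALPHABET[(idx + SHIFT) % MODULUS]


def decrypt(ciphertext):
    """Decrypt one obfuscated string from the program's string table."""
    return "".join(rotate_char(ch) for ch in ciphertext)


# 31 + 31 == 62, so rotating twice is the identity: the decryptor is also the
# encryptor, which makes the original listing's name jiami ("encrypt") apt.
encrypt = decrypt


def utf16_pattern(plaintext):
    """Byte pattern to search for in the binary for an expected message.

    The routine reads 16-bit words, so the table is assumed to be UTF-16LE;
    the ciphertext of the message has to be encoded the same way before it
    is searched for in the file or in process memory.
    """
    return encrypt(plaintext).encode("utf-16-le")


# The 14 ciphertexts from the string table discussed in the article.
CIPHERTEXTS = [
    "uJR9MxC58JR7JIADBP5N 7JMMPKO98, TJP I998 OJ M9DINO5GG uJR9MxC58JR",
    "uJR9MxC58JR",
    "zIFIJRI 09MNDJI",
    "w9BDNO98 09MNDJI",
    "jQ5GP5ODJI 09MNDJI",
    "9SKDM98 Q9MNDJI",
    "NTNO9H\\hPMM9IOhJIOMJGx9O\\x9MQD79N\\NIKNCJO\\nIAJ",
    "3JP HPNO DIKPO TJPM I5H9.",
    "3JP HPNO DIKPO OC9 N9MD5G IPH69M.",
    "TJP DIKPO OC9 9MMJM I5H9 JM N9MD5G IPH69M",
    "xDIBG9 xC58JR rJ89",
    "kPGG xC58JR rJ89",
    "sJMH5G rJ89",
    "uJR9MxC58JR 7JIADBM5ODJI R5N 7JMMPKO98, TJP NCJPG8 M9DINO5GG uJR9MxC58JR",
]


def decrypt_table():
    """Return (ciphertext, plaintext) pairs for the whole table."""
    return [(c, decrypt(c)) for c in CIPHERTEXTS]


if __name__ == "__main__":
    for cipher, plain in decrypt_table():
        print(f"{cipher!r} => {plain!r}")
    # Round trip through the involution, including non-alphabet characters.
    assert all(decrypt(encrypt(plain)) == plain for _, plain in decrypt_table())
    # Bytes to search for to find the "You must input your name." entry.
    print(utf16_pattern("You must input your name.").hex(" "))
```

Encrypting the message you are interested in and searching for the resulting UTF-16LE bytes locates that one table entry directly, which is quicker than setting breakpoints on all 14 strings and waiting for the right one to be hit.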

Selecting the two strings
UNICODE "3JP HPNO DIKPO TJPM I5H9." => You must input your name.
UNICODE "3JP HPNO DIKPO OC9 N9MD5G IPH69M." => You must input the serial number.

and breaking where they are decrypted lets us quickly locate the key code of the registration algorithm.

Tracing the registration algorithm
Using the search method above, we find the key code of the calculation:
0041E1FB  PUSH 104                                  ; Count = 104 (260.)
0041E200  LEA ECX, [LOCAL.186]
0041E206  PUSH ECX                                  ; Buffer
0041E207  PUSH EAX                                  ; hWnd
0041E208  MOV EDI, DWORD PTR DS:[<&USER32.GetWindo> ; USER32.GetWindowTextW
