[Target]: NNewell's KeygenMe
[Tools]: OllyDbg 1.1b (DIY version), LordPE, ImportREC 1.6F
[Task]: See through the N layers of packing (brute-force), then simply strip all N layers.
[Platform]: WinXP SP1
[Author]: loveboom [dfcg] [fcg]
[Related Links]: See attachment
[Brief Description]: I haven't written anything for a long time; I'm getting old. I've finally put an end to several years of debugging in internet cafes. This is dedicated to all my friends, and also to Male Feather, who has finally climbed to TOP1. Please give plenty of advice. I used boss NNewell's keygenme to impress an MM (a girl); I don't know what the boss thinks of that. If the boss objects, I'll delete this post.
[Detailed Procedure]:
If it's just a crack, this thing is fairly easy. The boss says to write a keygen, but I'm not up to it and have no time to analyse the algorithm. OK, so the task: see through the N layers of packing, then brute-force patch it.
Load the target in OD, hide the debugger flag, and ignore all exceptions.
Load and run the target; the first stop is here:
042E137F 6285 0E0B0000 BOUND EAX, QWORD PTR SS:[EBP+B0E] ; exception here
042E1385 EB 02 JMP SHORT 042E1389
After the exception, press Shift+F9 to continue and the program runs. Now let's see what it looks like in OD; no need to be nervous, "where there's a policy, there's a countermeasure". Once the program is running, press F12 to pause it, then F9 to let it continue; this produces an exception prompt. Note: after dismissing the message box, press Shift+F9 and then F9, otherwise it just hangs.
Once that's done, press Alt+M to open the memory map and see where the CODE section is: it's at 401000. Now go back to OD's CPU window and press Ctrl+G to jump to 401000 (this step isn't actually required). Once in the main program, set a breakpoint: bp GetWindowTextA.
Enter your name and registration code in the target, then click Register; it breaks here:
77D17FEC > 6A 0C PUSH 0C ; break here
77D17FEE 68 309DD677 PUSH USER32.77D69D30
After the break, Alt+F9 to execute until return:
0040D917 FF15 AA374100 CALL DWORD PTR DS:[4137AA] ; GetDlgItemTextA
0040D91D A3 4C364100 MOV DWORD PTR DS:[41364C], EAX ; store the user-name length; EAX = length of the user name
0040D922 0BC0 OR EAX, EAX
0040D924 75 1F JNZ SHORT keygenme.0040D945 ; jump if the user name is not empty
0040D926 6A 00 PUSH 0 ; an empty name lands here, i.e. game over
0040D928 FF75 0C PUSH DWORD PTR SS:[EBP+C]
0040D92B FF75 10 PUSH DWORD PTR SS:[EBP+10]
0040D92E FF75 08 PUSH DWORD PTR SS:[EBP+8]
0040D931 FF15 B0374100 CALL DWORD PTR DS:[4137B0] ; MessageBoxA
0040D937 5B POP EBX
0040D938 891D 5C364100 MOV DWORD PTR DS:[41365C], EBX
0040D93E 5F POP EDI
0040D93F 5E POP ESI
0040D940 5B POP EBX
0040D941 C9 LEAVE
0040D942 C2 1800 RETN 18
0040D945 68 00010000 PUSH 100 ; about to fetch the registration code
0040D94A 8D85 D0FAFFFF LEA EAX, DWORD PTR SS:[EBP-530]
0040D950 50 PUSH EAX
0040D951 68 E9030000 PUSH 3E9 ; control ID
0040D956 FF75 08 PUSH DWORD PTR SS:[EBP+8]
0040D959 FF15 AA374100 CALL DWORD PTR DS:[4137AA] ; GetDlgItemTextA
0040D95F A3 50364100 MOV DWORD PTR DS:[413650], EAX ; EAX = registration code length
0040D964 0BC0 OR EAX, EAX
0040D966 75 1F JNZ SHORT keygenme.0040D987 ; jump if the registration code is not empty
0040D968 6A 00 PUSH 0 ; an empty code is no fun; it ends here
0040D96A FF75 0C PUSH DWORD PTR SS:[EBP+C]
0040D96D FF75 14 PUSH DWORD PTR SS:[EBP+14]
0040D970 FF75 08 PUSH DWORD PTR SS:[EBP+8]
0040D973 FF15 B0374100 CALL DWORD PTR DS:[4137B0] ; MessageBoxA
0040D979 5B POP EBX
0040D97A 891D 5C364100 MOV DWORD PTR DS:[41365C], EBX
0040D980 5F POP EDI
0040D981 5E POP ESI
0040D982 5B POP EBX
0040D983 C9 LEAVE
0040D984 C2 1800 RETN 18
0040D987 8D85 D0FAFFFF LEA EAX, DWORD PTR SS:[EBP-530]
0040D98D 50 PUSH EAX ; registration code
0040D98E E8 9D0D0000 CALL keygenme.0040E730 ; this CALL converts the registration code to uppercase
0040D993 E8 2E0C0000 CALL keygenme.0040E5C6 ; careful here: put a breakpoint on the next line and run over this CALL rather than stepping into it, because it raises exceptions N times
0040D998 8D85 D0FAFFFF LEA EAX, DWORD PTR SS:[EBP-530]
0040D99E 50 PUSH EAX
0040D99F E8 9A0C0000 CALL keygenme.0040E63E ; this CALL checks the validity of the registration code
0040D9A4 83F8 01 CMP EAX, 1
0040D9A7 75 1F JNZ SHORT keygenme.0040D9C8 ; jump if the code is legal
0040D9A9 6A 00 PUSH 0
0040D9AB FF75 0C PUSH DWORD PTR SS:[EBP+C] ; "illegal" message
0040D9AE FF75 18 PUSH DWORD PTR SS:[EBP+18]
0040D9B1 FF75 08 PUSH DWORD PTR SS:[EBP+8]
0040D9B4 FF15 B0374100 CALL DWORD PTR DS:[4137B0] ; MessageBoxA
0040D9BA 5B POP EBX
0040D9BB 891D 5C364100 MOV DWORD PTR DS:[41365C], EBX
0040D9C1 5F POP EDI
0040D9C2 5E POP ESI
0040D9C3 5B POP EBX
0040D9C4 C9 LEAVE
0040D9C5 C2 1800 RETN 18
0040D9C8 33DB XOR EBX, EBX
0040D9CA 8B35 4C364100 MOV ESI, DWORD PTR DS:[41364C] ; registration name length into ESI
0040D9D0 8D95 D0FBFFFF LEA EDX, DWORD PTR SS:[EBP-430] ; registration name into EDX; my own registration name is loveboom
0040D9D6 B8 01000000 MOV EAX, 1 ; EAX starts at 1
0040D9DB 0FB64C10 FF MOVZX ECX, BYTE PTR DS:[EAX+EDX-1] ; read each character of the name for the calculation below
0040D9E0 8BF8 MOV EDI, EAX ; A = I (For I = 1 To 8)
0040D9E2 83C7 03 ADD EDI, 3 ; A = A + 3 : SASC = ASC(MID(Name, I, 1))
0040D9E5 0FAFCF IMUL ECX, EDI ; B = SASC : B = B * A
0040D9E8 03D9 ADD EBX, ECX ; C = C + B
0040D9EA 40 INC EAX
0040D9EB 3BC6 CMP EAX, ESI
0040D9ED 77 02 JA SHORT keygenme.0040D9F1 ; done: jump to the next step
0040D9EF ^EB EA JMP SHORT keygenme.0040D9DB ; next character
0040D9F1 8BC3 MOV EAX, EBX ; after the loop, 195E goes into EAX
0040D9F3 99 CDQ
0040D9F4 69C0 C9430000 IMUL EAX, EAX, 43C9 ; 195E * 43C9 = 6B784CE
0040D9FA 05 BBEF9505 ADD EAX, 595EFBB ; EAX = 6B784CE + 595EFBB
0040D9FF 8BF0 MOV ESI, EAX ; result into ESI (0C4D7489)
0040DA01 56 PUSH ESI
0040DA02 68 00304100 PUSH keygenme.00413000 ; ASCII "%ld"
0040DA07 8D45 D0 LEA EAX, DWORD PTR SS:[EBP-30]
0040DA0A 50 PUSH EAX
0040DA0B E8 580D0000 CALL keygenme.0040E768 ; JMP to USER32.wsprintfA
0040DA10 83C4 0C ADD ESP, 0C
0040DA13 8B0D 50364100 MOV ECX, DWORD PTR DS:[413650] ; ECX = registration code length
0040DA19 8D75 D0 LEA ESI, DWORD PTR SS:[EBP-30]
0040DA1C 8DBD D0FAFFFF LEA EDI, DWORD PTR SS:[EBP-530]
0040DA22 FC CLD
0040DA23 A6 CMPS BYTE PTR DS:[ESI], BYTE PTR ES:[EDI]
0040DA24 75 25 JNZ SHORT keygenme.0040DA4B ; compare the entered code with the computed string byte by byte; jump on mismatch
0040DA26 49 DEC ECX
0040DA27 ^75 FA JNZ SHORT keygenme.0040DA23
0040DA29 C785 CCFAFFFF 01> MOV DWORD PTR SS:[EBP-534], 1
0040DA33 6A 10 PUSH 10 ; reaching here means the code matched; the path at 0040DA4B below is the failure path
0040DA35 FF75 0C PUSH DWORD PTR SS:[EBP+C]
0040DA38 FF75 1C PUSH DWORD PTR SS:[EBP+1C]
0040DA3B FF75 08 PUSH DWORD PTR SS:[EBP+8]
0040DA3E FF15 B0374100 CALL DWORD PTR DS:[4137B0] ; MessageBoxA
0040DA44 5B POP EBX
0040DA45 891D 5C364100 MOV DWORD PTR DS:[41365C], EBX
0040DA4B C785 CCFAFFFF 00> MOV DWORD PTR SS:[EBP-534], 0 ; not equal, jump here
0040DA55 5F POP EDI
0040DA56 5E POP ESI
0040DA57 5B POP EBX
0040DA58 C9 LEAVE
0040DA59 C2 1800 RETN 18
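The listing above already contains the whole serial algorithm, so here is an added example (mine, not from the original post or from NNewell) that reconstructs it as a keygen and re-implements the CMPSB comparison at 0040DA23. The function names and the sample inputs are my own choices; the constants come from 0040D9E2, 0040D9F4 and 0040D9FA, and the "%ld" format from the string at 00413000. The sanity-check CALL at 0040E63E, whose body is not shown on the page, is not modelled. Feeding in the author's own name reproduces the 195E and 0C4D7489 values noted in the comments.

```python
# Added example, reconstructed from the keygenme disassembly (0040D9C8..0040DA4B).
# Not the original author's code; names and sample inputs are my own.

MUL_CONST = 0x43C9      # IMUL EAX, EAX, 43C9   at 0040D9F4
ADD_CONST = 0x595EFBB   # ADD  EAX, 595EFBB     at 0040D9FA
MASK32 = 0xFFFFFFFF


def name_hash(name: str) -> int:
    """Loop at 0040D9DB..0040D9EF: EBX = sum over i=1..len of ord(name[i-1]) * (i + 3)."""
    total = 0
    for i, ch in enumerate(name.encode("latin-1"), start=1):
        edi = i + 3                       # MOV EDI, EAX ; ADD EDI, 3
        total = (total + ch * edi) & MASK32   # IMUL ECX, EDI ; ADD EBX, ECX (32-bit)
    return total


def keygen(name: str) -> str:
    """0040D9F1..0040DA10: (hash * 43C9 + 595EFBB) formatted with wsprintfA("%ld")."""
    if not name:
        raise ValueError("an empty name is rejected at 0040D924")
    eax = (name_hash(name) * MUL_CONST + ADD_CONST) & MASK32
    # "%ld" prints the 32-bit register as a signed decimal number.
    if eax >= 0x80000000:
        eax -= 0x100000000
    return "%d" % eax


def check(name: str, code: str) -> bool:
    """Emulates 0040DA13..0040DA4B: ECX = len(code); CMPSB over exactly ECX bytes."""
    if not name or not code:
        return False                      # 0040D924 / 0040D966: empty input -> message box
    entered = code.upper().encode("latin-1")          # CALL 0040E730 uppercases the code
    expected = keygen(name).encode("latin-1") + b"\x00"  # buffer at EBP-30 plus its terminator
    for i in range(len(entered)):
        # The loop only compares ECX (= entered length) bytes. Anything past the
        # expected string's terminator is stack garbage, so treat it as a mismatch.
        if i >= len(expected) or entered[i] != expected[i]:
            return False
    return True


if __name__ == "__main__":
    user = "loveboom"                     # the author's name from the listing
    print(hex(name_hash(user)), keygen(user), check(user, keygen(user)))
```

One caveat that follows directly from the listing: the CMPSB loop is bounded by the length of the entered code, not by the length of the computed string, so any leading prefix of the real serial also passes the compare (the `check` function reproduces that). A check that compared the full buffer, terminator included, would not have this weakness.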
It returns here:
0040DFD1 E8 F0050000 CALL keygenme.0040E5C6 ; I was going to take a look at this one, but it's late and I want to sleep, so I didn't trace the algorithm
0040DFD6 8D85 9CE3FFFF LEA EAX, DWORD PTR SS:[EBP-1C64]
0040DFDC 50 PUSH EAX
0040DFDD 8D85 9CE7FFFF LEA EAX, DWORD PTR SS:[EBP-1864]
Stepping into the CALL above you see an exception; I didn't follow it:
0040E5C6 C705 94314100 F5> MOV DWORD PTR DS:[413194], keygenme.0040E5F5
0040E5D0 892D 90314100 MOV DWORD PTR DS:[413190], EBP
0040E5D6 68 31104000 PUSH keygenme.00401031 ; the handler the exception returns to
0040E5DB 64:FF35 00000000 PUSH DWORD PTR FS:[0] ; setting up the handler
0040E5E2 8925 8C314100 MOV DWORD PTR DS:[41318C], ESP
0040E5E8 64:8925 00000000 MOV DWORD PTR FS:[0], ESP
0040E5EF 33F6 XOR ESI, ESI
0040E5F1 33C0 XOR EAX, EAX ; the exception starts here
0040E5F3 8900 MOV DWORD PTR DS:[EAX], EAX
0040E5F5 64:8F05 00000000 POP DWORD PTR FS:[0]
Being lazy, I didn't trace it; just find the jump directly below.
0040E054 E8 5EFBFFFF CALL keygenme.0040DBB7
0040E059 23C0 AND EAX, EAX ; EAX is 1 here
0040E05B 74 1F JE SHORT keygenme.0040E07C
0040E05D 8D85 9CEFFFFF LEA EAX, DWORD PTR SS:[EBP-1064]
0040E063 50 PUSH EAX
0040E064 8D85 3AFAFFFF LEA EAX, DWORD PTR SS:[EBP-5C6]
0040E06A 50 PUSH EAX
0040E06B 8D85 D6FAFFFF LEA EAX, DWORD PTR SS:[EBP-52A]
0040E071 50 PUSH EAX
0040E072 FF75 08 PUSH DWORD PTR SS:[EBP+8]
0040E075 E8 C9F7FFFF CALL keygenme.0040D843 ; MessageBoxA
0040E07A EB 1D JMP SHORT keygenme.0040E099
That's the first part. Note that the program throws a lot of exceptions to distract you; in particular, when you hit an INT3, remember to press Shift+F9. Now the second part: strip all of its layers and leave it "naked".
If I just unpacked it outright it would be over quickly, so I want to go through the general method first and strip the shell at the end.
Load the target again with the same settings. The entry point starts with NOPs (90), but there's an obvious JMP EAX, so go straight to the JMP EAX:
00438029 90 NOP
0043802A 90 NOP
0043802B B8 01604300 MOV EAX, keygenme.00436001
00438030 FFE0 JMP EAX ; F4 here after loading
Now we see the first layer:
00436001 60 PUSHAD
00436002 E8 03000000 CALL keygenme.0043600A
00436007 - E9 EB045D45 JMP 45A064F7
PEiD says it's PE Ninja -> DzA kRAck / TNT!, but once I look at it, it feels like ASPack to me. Press F7 into the first layer.
0043601C 81EB 00600300 SUB EBX, 36000
00436022 83BD 22040000 00 CMP DWORD PTR SS:[EBP+422], 0
00436029 899D 22040000 MOV DWORD PTR SS:[EBP+422], EBX ; keygenme.00400000
0043602F 0F85 65030000 JNZ keygenme.0043639A
Now press F4 at 0043639A to run to it (this may be slow). After arriving, a few presses of F8 bring you to a new place:
00435000 55 PUSH EBP
00435001 8BEC MOV EBP, ESP
00435003 6A FF PUSH -1
00435005 68 14135200 PUSH 521314
This is not the OEP. Reason: look at the surrounding code and you'll see. Then F8 down to the second layer.
Here's the second layer:
00427000 60 PUSHAD
00427001 E8 00000000 CALL keygenme.00427006
00427006 5D POP EBP
Don't single-step from here; after a try or two you'll recognise that this layer is a bit like SVKP, so once here we press F9 to run, and the typical SVKP exception appears:
042E137F 6285 0E0B0000 BOUND EAX, QWORD PTR SS:[EBP+B0E] ; exception here
042E1385 EB 02 JMP SHORT 042E1389
After the exception, set break-on-access (F2) on the CODE section in the memory map. Once it breaks, Shift+F9 runs to here:
0430B6B1 8A06 MOV AL, BYTE PTR DS:[ESI] ; break here
0430B6B3 46 INC ESI
0430B6B4 47 INC EDI
0430B6B5 8843 0F MOV BYTE PTR DS:[EBX+F], AL
0430B6B8 8A46 FF MOV AL, BYTE PTR DS:[ESI-1]
0430B6BB 55 PUSH EBP
0430B6BC E8 00000000 CALL 0430B6C1
0430B6C1 5D POP EBP
0430B6C2 81ED 0D470000 SUB EBP, 470D
0430B6C8 8A8D 50030000 MOV CL, BYTE PTR SS:[EBP+350]
0430B6CE 5D POP EBP
0430B6CF 32C1 XOR AL, CL
0430B6D1 8847 FF MOV BYTE PTR DS:[EDI-1], AL
0430B6D4 8BC5 MOV EAX, EBP
0430B6D6 4D DEC EBP
0430B6D7 85C0 TEST EAX, EAX
0430B6D9 ^75 A4 JNZ SHORT 0430B67F
0430B6DB 33C0 XOR EAX, EAX
0430B6DD 5D POP EBP
0430B6DE 5F POP EDI
0430B6DF 5E POP ESI
0430B6E0 5B POP EBX
0430B6E1 C2 1400 RETN 14 ; F4 straight here
Now step out, set break-on-access (F2) on the CODE section again, and soon we reach the third layer:
The third layer (looks like an early ASProtect):
00401000 68 01504100 PUSH keygenme.00415001 ; oh, it stops right here
00401005 E8 01000000 CALL keygenme.0040100B
0040100A C3 RETN
If it's an early ASPR you know what to do: untick the memory-access exception in OD's exception options so that it stops on those, then after the sixteenth exception it stops here:
0040E5F3 8900 MOV DWORD PTR DS:[EAX], EAX
0040E5F5 64:8F05 00000000 POP DWORD PTR FS:[0]
0040E5FC 83C4 04 ADD ESP, 4
0040E5FF C705 94314100 33> MOV DWORD PTR DS:[413194], keygenme.0040E633
0040E609 892D 90314100 MOV DWORD PTR DS:[413190], EBP
0040E60F 68 31104000 PUSH keygenme.00401031
0040E614 64:FF35 00000000 PUSH DWORD PTR FS:[0]
0040E61B 8925 8C314100 MOV DWORD PTR DS:[41318C], ESP
0040E621 64:8925 00000000 MOV DWORD PTR FS:[0], ESP
0040E628 33DB XOR EBX, EBX
0040E62A 33D2 XOR EDX, EDX
0040E62C B8 02000000 MOV EAX, 2
0040E631 F7F3 DIV EBX
0040E633 64:8F05 00000000 POP DWORD PTR FS:[0]
0040E63A 83C4 04 ADD ESP, 4
0040E63D C3 RETN ; F2 right here, then Shift+F9 runs to it
After stopping at the RETN, press F8 to reach the program's OEP:
0040E707 6A 00 PUSH 0 ; OEP
0040E709 68 EBDB4000 PUSH keygenme.0040DBEB
0040E70E 6A 00 PUSH 0
At this OEP, ImportREC finds two invalid APIs; fix them with the ASPR 1.22 plug-in or by hand. Now that I know what's going on, it's time to strip it:
Load the target, press F9 to run, set break-on-access on the CODE section, then F4 to the RETN 14, then break-on-access on the CODE section again and F9 to run to the ASPR layer; from there the ASPR layer is handled the usual way. I wrote a script for it:
VAR CBASE
VAR CSIZE
VAR COUNT
GMI EIP, CODEBASE
MOV CBASE, $RESULT
GMI EIP, CODESIZE
MOV CSIZE, $RESULT
MOV COUNT, 10
START:
RUN
LBL1:
BPRM CBASE, CSIZE
ESTO
LBL2:
BPMC
FINDOP EIP, #C21400#
GO $RESULT
LBL3:
BPRM CBASE, CSIZE
RUN
LBL4:
BPMC
CMT EIP, "Untick the memory-access exception, then press Resume to continue!"
PAUSE
LBL5:
EOE LBL6
RUN
LBL6:
CMP COUNT, 0
JE LBL7
SUB COUNT, 1
ESTO
JMP LBL6
LBL7:
FINDOP EIP, #C3#
BP $RESULT
EOB LBL8
EOE LBL8
ESTO
LBL8:
BC $RESULT
STO
CMT EIP, "HEHE!"
RET
At this point the problem is basically solved.
[Summary]:
I really want to sleep; I'll go over it again to see what's wrong and talk about it tomorrow.
Thanks:
Fly Hui Yock, Jingulong, TDASM, David, Ahao, UFO (brother), Alan (sister), and all friends who have cared about or helped me! Thank you!
By LoveBoom [DFCG] [FCG]
Email: bmd2chen@tom.com