PDA

View Full Version : Unix Program problem


blade-r
July 4th, 2001, 06:12
Hi,
I've a problem with a unix program, i must generate a valid serial for this proggy but i can't understand what appen when i send a serial code to server. I've find a routine that (i think ) is interesting:

LNDecrypt(%s)

:0040A660 8B44240C mov eax, dword ptr [esp+0C]
:0040A664 81EC14020000 sub esp, 00000214
:0040A66A 89442410 mov dword ptr [esp+10], eax
:0040A66E 53 push ebx
:0040A66F 8B9C242C020000 mov ebx, dword ptr [esp+0000022C]
:0040A676 56 push esi
:0040A677 8B842438020000 mov eax, dword ptr [esp+00000238]
:0040A67E 57 push edi
:0040A67F 8BBC2430020000 mov edi, dword ptr [esp+00000230]
:0040A686 55 push ebp
:0040A687 8BAC243C020000 mov ebp, dword ptr [esp+0000023C]
:0040A68E 8B8C2444020000 mov ecx, dword ptr [esp+00000244]
:0040A695 8B942448020000 mov edx, dword ptr [esp+00000248]
:0040A69C 8944241C mov dword ptr [esp+1C], eax
:0040A6A0 8B84244C020000 mov eax, dword ptr [esp+0000024C]
:0040A6A7 894C2418 mov dword ptr [esp+18], ecx
:0040A6AB 8B8C2428020000 mov ecx, dword ptr [esp+00000228]
:0040A6B2 89542414 mov dword ptr [esp+14], edx
:0040A6B6 89442410 mov dword ptr [esp+10], eax
:0040A6BA 850DD4C24400 test dword ptr [0044C2D4], ecx
:0040A6C0 0F84BF000000 je 0040A785
:0040A6C6 6A02 push 00000002
:0040A6C8 68D0C14400 push 0044C1D0

* Reference To: KERNEL32._lopen, Ord:028Eh
|
:0040A6CD FF15EC7A4600 Call dword ptr [00467AEC]
:0040A6D3 8BF0 mov esi, eax
:0040A6D5 85F6 test esi, esi
:0040A6D7 0F8CA8000000 jl 0040A785
:0040A6DD 8B84242C020000 mov eax, dword ptr [esp+0000022C]
:0040A6E4 8D4C2424 lea ecx, dword ptr [esp+24]
:0040A6E8 50 push eax

* Possible StringData Ref from Data Obj ->"LSADMAPI"
|
:0040A6E9 6868D04400 push 0044D068

* Possible StringData Ref from Data Obj ->"%%lu : %s : %s"
|
:0040A6EE 6858D04400 push 0044D058
:0040A6F3 51 push ecx

* Reference To: USER32.wsprintfA, Ord:0264h
|
:0040A6F4 FF15407D4600 Call dword ptr [00467D40]
:0040A6FA 83C410 add esp, 00000010
:0040A6FD 83F801 cmp eax, 00000001
:0040A700 7E24 jle 0040A726
:0040A702 8D4C0423 lea ecx, dword ptr [esp+eax+23]
:0040A706 80390A cmp byte ptr [ecx], 0A
:0040A709 751B jne 0040A726
:0040A70B 807C04220D cmp byte ptr [esp+eax+22], 0D
:0040A710 7414 je 0040A726
:0040A712 3DFF000000 cmp eax, 000000FF
:0040A717 730D jnb 0040A726
:0040A719 C6010D mov byte ptr [ecx], 0D
:0040A71C C64404240A mov [esp+eax+24], 0A
:0040A721 C644042500 mov [esp+eax+25], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040A700(C), :0040A709(C), :0040A710(C), :0040A717(C)
|
:0040A726 8B442410 mov eax, dword ptr [esp+10]
:0040A72A 8B4C2414 mov ecx, dword ptr [esp+14]
:0040A72E 8B542418 mov edx, dword ptr [esp+18]
:0040A732 50 push eax
:0040A733 8B442420 mov eax, dword ptr [esp+20]
:0040A737 51 push ecx
:0040A738 8B4C2428 mov ecx, dword ptr [esp+28]
:0040A73C 52 push edx
:0040A73D 50 push eax
:0040A73E 55 push ebp
:0040A73F 53 push ebx
:0040A740 57 push edi
:0040A741 51 push ecx

* Reference To: KERNEL32.GetTickCount, Ord:0145h
|
:0040A742 FF157C7A4600 Call dword ptr [00467A7C]
:0040A748 8D4C2444 lea ecx, dword ptr [esp+44]
:0040A74C 50 push eax
:0040A74D 8D842448010000 lea eax, dword ptr [esp+00000148]
:0040A754 51 push ecx
:0040A755 50 push eax

* Reference To: USER32.wsprintfA, Ord:0264h
|
:0040A756 FF15407D4600 Call dword ptr [00467D40]
:0040A75C 83C42C add esp, 0000002C
:0040A75F 8BF8 mov edi, eax
:0040A761 6A02 push 00000002
:0040A763 6A00 push 00000000
:0040A765 56 push esi

* Reference To: KERNEL32._llseek, Ord:028Dh
|
:0040A766 FF15D87A4600 Call dword ptr [00467AD8]
:0040A76C 8D842424010000 lea eax, dword ptr [esp+00000124]
:0040A773 57 push edi
:0040A774 50 push eax

* Reference To: KERNEL32._lwrite, Ord:0290h
|
:0040A775 8B2DE87A4600 mov ebp, dword ptr [00467AE8]
:0040A77B 56 push esi
:0040A77C FFD5 call ebp
:0040A77E 56 push esi

* Reference To: KERNEL32._lclose, Ord:028Bh
|
:0040A77F FF15F47A4600 Call dword ptr [00467AF4]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040A6C0(C), :0040A6D7(C)
|
:0040A785 5D pop ebp
:0040A786 5F pop edi
:0040A787 5E pop esi
:0040A788 5B pop ebx
:0040A789 81C414020000 add esp, 00000214
:0040A78F C3 ret



* Referenced by a CALL at Addresses:
|:0040A9CC , :0040AAE4 , :0040AE4F , :0040B04D , :0040B27B
|:0040BAFB , :0040BB89 , :0040BBBB , :0040BC5A , :0040BCF9
|:0040BD2C , :0040BDFA , :0040BFF6 , :0040C0D9 , :0040C0FD
|
:0040A790 81EC90010000 sub esp, 00000190
:0040A796 E8451C0000 call 0040C3E0

* Possible StringData Ref from Data Obj ->"USPInitialise"
|
:0040A79B 6820D14400 push 0044D120
:0040A7A0 6A01 push 00000001
:0040A7A2 E8C91C0000 call 0040C470
:0040A7A7 8D442408 lea eax, dword ptr [esp+08]
:0040A7AB 83C408 add esp, 00000008
:0040A7AE 50 push eax
:0040A7AF 6801010000 push 00000101

* Reference To: WSOCK32.WSAStartup, Ord:0073h
|
:0040A7B4 E8C5320000 Call 0040DA7E
:0040A7B9 85C0 test eax, eax
:0040A7BB 7411 je 0040A7CE

* Possible StringData Ref from Data Obj ->"USPInitialise: WSAStartup failed"
|
:0040A7BD 68FCD04400 push 0044D0FC
:0040A7C2 6A01 push 00000001
:0040A7C4 E8A71C0000 call 0040C470
:0040A7C9 83C408 add esp, 00000008
:0040A7CC EB05 jmp 0040A7D3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A7BB(C)
|
:0040A7CE E81D000000 call 0040A7F0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A7CC(U)
|
:0040A7D3 C705F8D0440001000000 mov dword ptr [0044D0F8], 00000001
:0040A7DD 81C490010000 add esp, 00000190
:0040A7E3 C3 ret


:0040A7E4 CC int 03
:0040A7E5 CC int 03
:0040A7E6 CC int 03
:0040A7E7 CC int 03
:0040A7E8 CC int 03
:0040A7E9 CC int 03
:0040A7EA CC int 03
:0040A7EB CC int 03
:0040A7EC CC int 03
:0040A7ED CC int 03
:0040A7EE CC int 03
:0040A7EF CC int 03

* Referenced by a CALL at Address:
|:0040A7CE
|
:0040A7F0 57 push edi
:0040A7F1 B8FFFFFFFF mov eax, FFFFFFFF
:0040A7F6 BF60424600 mov edi, 00464260
:0040A7FB B900010000 mov ecx, 00000100
:0040A800 F3 repz
:0040A801 AB stosd
:0040A802 5F pop edi
:0040A803 C3 ret


I think that with this function i can create a valid S/n but i can't understand how the encryption scheme works.... can anyone help me Please !!

Thank you

P.s. sorry for my poooor english...

mo k
July 4th, 2001, 19:01
awesome, unix apps using win32api (ok, crtl and winsock ; )

It is not a unix program. maybe a key generator "for" a unix program.
either way, you will need to rtm.

blade-r
July 5th, 2001, 03:14
Sorry, i'not correctly explain my situation ) i've a win32 proggy that i must use to send a license code to an unix app.. so i whant know if i can use the win32 part to make a keygen..

thank for your reply

Bye

mo k
July 5th, 2001, 06:29
The code is bogus. this is not dec-ryption
routine, nor the bad_guy/serial check, nor
the key transfer.

the excerpt imo only shows the after math,
the decryption is already done. if all is well,
you will find something if you dump eax
after 0040A6E8 executes. In the same spirit,
try inverting the flags, while in the debugger,
just to make it to 0040A755, then dump the
three top elements on the stack.

the top most one is a destination buffer for some
string. beneath it is the format string, and below
that is the string getting printed.

I suggest you write down the format string,
and the to_be_printed_string (i.e. the third one)
and compile a C printf to test them.
I think the author is abusing the format strings,
to confuse crackers. see what he did before in
0040A6EE.

While at 0040A6C8, dump the variable getting
pushed. that is the name of the file it is writing to.
I think he is using very primitive encryption
by writing junk *information* using twisted
format strings, and reads them back in his
own twisted way, not very brilliant ; )

Other than those two locations, there isn't anything else.

GetTickCount is called, but the value is not
used as an encryption seed, just pushed on
the stack and *may be* gets printed
into some string.

Do me a favor, and dump ecx while at 0040A755, and note down the formating string.
count the number of variables getting printed, the %s that is. if find no %s, then sonofa bitch
is doing stack tunneling, please let me know what he is doing, i think my pyschic cracking
abilities are improving ; )

see if eax is a small number after wsprintfA execs.
if it is a small number (i.e. less than hundred,
then he did indeed print out the tick_count)
So, the next logical step is, where is he taking
all this information? find some consecetive
memory locations, some range, where he is
building the buffer for the string to be sent
to the unix box.

Wait sniff the disassembly for the transfer function (send and sendto.)

He is likely to encrypt the string before sending,
to eliminate any packet sniffing. so you will
need your good judgement in this. I think
you are close to the location, there is
the connection setup after all; unless it
is a cut from a good ol net transfer log, in which
case, all these golden strings are just some
silly debug messages ; )

mo k
July 5th, 2001, 06:41
Stack Tunneling.

This is where you push more vairiables on
the stack, than the following function call
needs or checks for.

the function will be happy poping whatever it
needs from the stack, and leave the rest alone.

wsaprintfA requires two arguments, the second
is a format string. if the second string contains
a %, then it will pop an extra variable from
the stack.

in the above case, if the third variable getting
pushed, is the number of tick count since windows
started, and the second string contains a %d,
a %u, or the likes, then the code must have looked like

wsprintf(p_buf, "%d", GetTickCount);

If the however, the author wrote

wsprintf(p_buf, "yayayyaa";

then the third *optional* paremeter will not get
poped off the stack, since it is not needed.

he will then pop it later, for his own evil mysterious ways ; )