
Friday, May 16, 2008

A Nice Protection Scheme.

Detailed analysis of a recent commercial keylogger app is as follows:
1] Uses a driver (*.sys) for all its keylogging activity.
2] The driver is set up as a service.
3] Setup.exe of the keylogger generates random names for the core components it installs.
4] The setup as well as the installed components verify whether the application has been registered by accepting a "key" and using a very tedious key validation routine.
5] The only limitations of the trial version are some nags and a limited time period for the usage of the app, after which you need to register it to keep using it.

The actual protection scheme used:
1] Setup.exe generates a random name for the temporary file it creates.
2] Then it extracts a DLL, which contains the actual installation routine.
3] The main function of this DLL is to:
a] Generate a random name.
b] Use this random name as the prefix of the components which are to be installed.
c] Then install the driver, which is also assigned the random name, as a service on the host system.
4] But the important thing to note is that the installed driver has no "function" to check whether the application's trial period is over or not.
5] If you have not registered the app, you have a trial period of 15 days in which the application is fully functional except for the nags that show up.

Now, onto the ways to crack this protection scheme:
1] One way of doing it could be to find out the registration routine and reverse it.
2] Another way is to patch it.

Well, the serial Validation routine looked really tedious so I decided to “Patch my way to Glory.”

Points to remember while attempting this technique:
1] Either patch the setup.exe to always spit out files with the same names, so that we could make a "patch" for the app after we successfully crack it.
2] Or else crack the components which have been installed on the system.

Now the problem with the first point is that the actual routine which generates random names and installs components is in the DLL that is itself extracted from the Setup.exe. So, it won't be a great idea to try to patch the Setup and make it spit out a patched version of the DLL that works according to our wishes.

So I quickly moved on to cracking the components that were installed on my system. Well... the best thing about this keylogger, as far as cracking it is concerned, is that it shows all its core components' names if you select a menu option, so the huge task of hunting down those files is eliminated. Now, as previously mentioned, the only limitations of the unregistered version are nags and the 15-day trial period.
A little snooping around helped me pinpoint the component which was responsible for determining whether the trial period was over, and also for generating the nags if the app was still unregistered.
(Note: One weakness of this scheme is that only this component was responsible for determining whether the application was registered and for showing the nags. The other components could have been assigned the same task too.)

Not only that, the application and all its components are written in C++ and the programmers didn't even bother to pack or protect them. Maybe it has something to do with the fact that during each installation the components probably even had different CRCs... can't say for sure though.

Well... the executable probably uses global variables to determine its registered status. But still, modifying them wasn't needed either. Here is the disassembly of the section which determines whether the application is registered or not:

004016E6 . 8D45 E4 LEA EAX,[LOCAL.7]
004016E9 . 50 PUSH EAX ; /Arg2 = 00000000
004016EA . 8B4D F4 MOV ECX,[LOCAL.3] ; kernel32.7C8399F3
004016ED . 51 PUSH ECX ; Arg1 = 0012FFB0
004016EE . E8 CD110000 CALL savezl_e.004028C0 ; <- Actual routine!!
004016F3 . 83C4 08 ADD ESP,8
004016F6 . 8945 E0 MOV [LOCAL.8],EAX ; EAX==Result !!
004016F9 . 837D E0 00 CMP [LOCAL.8],0
004016FD . 0F84 80000000 JE savezl_e.00401783
00401703 . 837D E4 00 CMP [LOCAL.7],0
00401707 . 74 7A JE SHORT savezl_e.00401783
00401709 . 837D E8 00 CMP [LOCAL.6],0
0040170D . 75 06 JNZ SHORT savezl_e.00401715
0040170F . 837D EC 00 CMP [LOCAL.5],0
00401713 . 7E 6E JLE SHORT savezl_e.00401783
00401715 > 837D E8 00 CMP [LOCAL.6],0
00401719 . 74 21 JE SHORT savezl_e.0040173C
0040171B . 8D55 E4 LEA EDX,[LOCAL.7]
0040171E . 52 PUSH EDX ; /lParam = ntdll.KiFastSystemCallRet
0040171F . 68 ED174000 PUSH savezl_e.004017ED ; DlgProc = savezl_e.004017ED
00401724 . 6A 00 PUSH 0 ; hOwner = NULL
00401726 . 6A 6A PUSH 6A ; pTemplate = 6A
00401728 . 6A 00 PUSH 0 ; /pModule = NULL
0040172A . FF15 ECB04100 CALL NEAR DWORD PTR DS:[<&KERNEL32>; \GetModuleHandleA
00401730 . 50 PUSH EAX ; hInst = NULL
00401731 . FF15 F4B14100 CALL NEAR DWORD PTR DS:[<&USER32.D>; \DialogBoxParamA
00401737 . 8945 FC MOV [LOCAL.1],EAX
0040173A . EB 1F JMP SHORT savezl_e.0040175B
0040173C > 8D45 E4 LEA EAX,[LOCAL.7]
0040173F . 50 PUSH EAX ; /lParam = NULL
00401740 . 68 121A4000 PUSH savezl_e.00401A12 ; DlgProc = savezl_e.00401A12
00401745 . 6A 00 PUSH 0 ; hOwner = NULL
00401747 . 6A 65 PUSH 65 ; pTemplate = 65
00401749 . 6A 00 PUSH 0 ; /pModule = NULL
0040174B . FF15 ECB04100 CALL NEAR DWORD PTR DS:[<&KERNEL32>; \GetModuleHandleA
00401751 . 50 PUSH EAX ; hInst = NULL
00401752 . FF15 F4B14100 CALL NEAR DWORD PTR DS:[<&USER32.D>; \DialogBoxParamA
00401758 . 8945 FC MOV [LOCAL.1],EAX
0040175B > 837D FC FF CMP [LOCAL.1],-1

As you can clearly see... the code that was highlighted in red, the JE savezl_e.00401783, is the part that checks if the application is registered or not. Just modify the JE savezl_e.00401783 to JMP savezl_e.00401783 and you'll see that the application runs merrily for as long as you want, and even all the nags are eliminated! Just a small patch to kill such a beautiful registration routine.

Okay, now the general method to crack it would be to install the keylogger on your system. A normal patch won't work in this case because we cannot predict the random name generated by the setup. So, we'll make a generic patcher that patches the code JE savezl_e.00401783 to JMP savezl_e.00401783 and doesn't check the CRC of the executable, because it was observed to fail when it checks for that.

Oh yes, the component which needs to be patched is very easy to identify too... just go to your "Root\windows\System32\" folder and search for "*l.exe", that is, all executable files whose name ends in "l"; this particular executable has a transparent icon. You'll also find that it's running in your computer's memory because it's loaded during startup, so simply use the End Task option of Task Manager, patch the executable and restart your computer. You'll see that all nags are gone and also the time limit is gone. You can try changing the system time and the keylogger still works perfectly fine.

(c) Aodrulez.
