keygening-malwarebytes
TRANSCRIPT
Keygenning Malwarebytes' Anti-MalwareProgram Name Malwarebytes' Anti-MalwareProgram version 1.50bWebsite www.malwarebytes.orgCompiler Visual Basic 6.0Protection MD5+CustomTutorial author XylitolDate 31/12/2010Level Beginner
IntroductionHi there at first: sorry for my bad English. I’m not a native English speaker.In this tutorial we will see how to defeat Malwarebytes’ Anti-Malware who use a really basic protection scheme.So.. I hope you will like it, if not I’m sorry.
Tools used• OllyDbg (http://ollydbg.de/) • PEiD (http://peid.has.it/)
SummarySummary ................................................................................................................................................ 1
Start ........................................................................................................................................................ 2
Finding the bad boy message ................................................................................................................. 3
How it’s work .......................................................................................................................................... 5
ASM Keygen source code ...................................................................................................................... 11
Patching ................................................................................................................................................ 13
Greetings .............................................................................................................................................. 13
StartSo let’s start, the first thing to do is to scan the main executable (mbam.exe) in pied for see if the binary was packed with something.
Seem not packed, now let’s see with the Krypto ANALyzer plugin if he can detect something interesting.
Ok that will be fun.
Finding the bad boy messageOk, now load the target in Ollydbg and click run (F9) for launch the app, click the register button in malwarebytes’ and enter anything, then press Register.
Once you have this dialog message:
Return in Ollydbg and click on the pause button (F12)
Then go to the debug menu and click on ‘execute till user code’ (Alt+F9)
Return on the error message and press ok
After you will break again.
By going up the code you will see a JMP, click on the line just under this JMP and olly will says you we come here by a jump in 00477C84
Make a right clicks and Go to JE from 0x477C84
We are here:
Scroll up the code and add a breakpoint (F2) on the Push EBP.
We can also go to the jump who call us but that become useless now:
How it’s work
Add your breakpoint (F2) in 0x477AC0, and click run (F9)Then, press again register and we will break on the line.
Follow the lines by pressing F8 (Step over)
Until we reach again our bad boy jump we will see nothing really interesting.Only this
Who make your ‘Product ID’ in capital letter.So let’s see what’s is done on the call before
Press F7 (Step into) for enter in the call, then keep up with Step over (F8)The first thing we will see
The serial dash check.Here the registration routine check if the serial is correctly formatted, using the InStr Function (VBA only)The InStr function returns the position of the first occurrence of a string in another string.The syntax for the InStr function is:InStr( [start], string_being_searched, string2, [compare] )
Here it search for the dash (‘2D’ in hex)How do you know that ?
My entered serial is 1337 so that not good.And like you can see on the picture, he did that three timesso a good serial will be something like: XXXX-XXXX-XXXX-XXXXWe redid that with 1337-1337-1337-1337 and…We don’t take the jump..
Next!Continue to F8 with your new fake serial, now it will check if the ‘Product ID’ is also correctly formatted.
Always the same jump who make you quit the routine if wrong. (0x47775D)
Here we have the API “__vbaStrLike” exported by msvbvm60.dllit check if you first product ID chars is a numeric (1-9)If not you quit the routineso the first character must be a numeric between 1-9 included (and no ‘0’ of course)
He did that many time, let’s see before re-testing:
2 chars check:
Must be a character between A-Z included.
3 chars check:
Must be a character between A-Z included
4 chars check:
Must be a character between A-Z included
5 chars check (and the last):
For example a correct product ID can be: 1AB23
Now we can retry withProduct ID: 1AB23Serial: 1337-1337-1337-1337
Super, jumps are not taken, let’s continue…
On the picture, after checking the correct format of the entered product IDwe see again two jump we will make us quit the routine if we take it (easy to recognize, it jump always in the same line if something is wrong)
So let’s enter in the first call (F7) for see what’s he want this time,
And it’s a keygen check!
The program check if during the validation you have used a keygen.It look on the process if he can detect something like ‘keygen.exe’or some stuff from CRUDE
So if you made a keygen dont name it ‘keygen.exe’ or it will not accept your keys.
Now, let’s see what’s happen in the CALL 00412BE8.Before entering you can see your serial in EAX and EDX.
F7.
ProductID blacklist routine!
Blacklisted ID are stored on ‘mbamcore.dll’ you will jump on it when reached ‘JMP eax’Office Jesus from iNF have made a short paper about finding blacklisted serial so let's pass this part.
Continuing, we will reach the crypto part
Here the MD5 call:
After we will enter in a loop:
The move eax 1 initialize the number of loop.After: move ecx 10 (mean 16 in hex)And then comparison between the number of loop done and the max number of loopthe JG (Jump if Greater) will decide if we continue or if it’s terminated. (16 loops reached)
The end of this loop is on 0x4776F2
Our MD5 hash will be each loop, decomposed.
Mov edx, dword take the MD5imul eax eax 2: eax will contain the number of loop we have done, then multiply eax by 2mov ecx,2: The number of chars to grab (always two)the sub eax,1 is for determine where we will start to grab our two chars.1x2 = 2, 2-1 = 1 so we start to grab from the 1st chars (first loop)And finally, call ebx will call the api for grab our two chars (rtcMidCharBstr)
After grabbing our two chars, it will call StrMove and StrCat for create the strings&H2e
After it does a hex to int in the callThen you will get 2E in eax, who will be stored later in ediIt perform a logical And, with 2E (edi) and 8000001Fhere is a screenshot for promote a tool of someone registered in my forum.
Well, after doing this you will get “0E” in ediContinue with F8 (step over), it will add to edi +1 (add edi,1)EDI = “0F”Then, it pass in the strings: 0123456789ABCDEFGHJKLMNPQRTUVWXYAnd will call ebx for grab the chars who is in position 15 from the strings (0F = 15 in hex)
So the grabbed character will be: “E”You can find the character by checking the hex dump for eax value
And then it increment eax (+1 loop done) take the end jump (JMP) and retry to make a loop.When all is done (16 loops done), it will take the JG (Jump if Greater) we have talked at the beginning (after the MD5 hashing call)
Something can be see:
It’s just all our chars done by the calculation.
1AB23: 2e69ae201966977628d24d08fceb5b5f
MD5 2e 69 ae 20 19 66 97 76 28 d2 4d 08 fc eb 5b 5fRESULT E 9 E 0 R 6 P N 8 J D 8 V B U Y
On this listing, the obtained strings “E9E0R6PN8JD8VBUY” will be translated to small letters with the api rtcLowerCaseBstr.Then our fake serial (1337-1337-1337-1337) appear and all dash will disappear (remember the push 414C28)Why? It will call the api rtcReplace for remove it, our fake serial will become “1337133713371337”Then the API rtcLowerCaseBstr is call again this time for the fake serial (but the fake serial is full numeric so…)And after the fake serial and the calculated string are compared with vbaStrCmp.And badboy…Because the final serial and our fake serial are not the same
End, finally this algorithm is not really complicated.
ASM Keygen source code(ChOoKi have made something in Delphi, so time to use another language)
kg.asm:
.386
.model flat, stdcalloption casemap :none
include keygen.incinclude md5.asm
.codestart: invoke GetModuleHandle, NULL mov hInstance, eax invoke DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0 invoke ExitProcess, eax invoke InitCommonControls DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD mov eax,uMsg
.if eax == WM_INITDIALOG invoke LoadIcon,hInstance,200 invoke SendMessage, hWnd, WM_SETICON, 1, eax mov Rndm,'RED' invoke GetTickCount add Rndm,eax .elseif eax == WM_LBUTTONDOWN invoke SendMessage,hWnd,WM_NCLBUTTONDOWN,HTCAPTION,NULL .elseif eax == WM_COMMAND mov eax,wParam .if eax == IDB_EXIT invoke SendMessage, hWnd, WM_CLOSE, 0, 0 .elseif eax == IDB_GENERATE mov eax,Rndm mov esi,offset Base10 mov edi,offset ID mov ecx,10 xor edx,edx idiv ecx mov al,byte ptr [esi+edx] stosb invoke GetTickCount add Rndm,eax mov eax,Rndm mov esi,offset Base26 mov ecx,26 xor edx,edx idiv ecx mov al,byte ptr [esi+edx] stosb invoke GetTickCount add Rndm,eax mov eax,Rndm mov esi,offset Base26 mov ecx,26 xor edx,edx idiv ecx mov al,byte ptr [esi+edx] stosb invoke GetTickCount add Rndm,eax mov eax,Rndm mov esi,offset Base10 mov ecx,10 xor edx,edx idiv ecx mov al,byte ptr [esi+edx] stosb invoke GetTickCount add Rndm,eax
mov eax,Rndm mov esi,offset Base10 mov ecx,10 xor edx,edx idiv ecx mov al,byte ptr [esi+edx] stosb invoke GetTickCount add Rndm,eax invoke MD5Init invoke MD5Update,addr ID,5 invoke MD5Final mov esi,offset MD5Digest mov edi,offset Serial mov ecx,4 xor eax,eax .repeat lodsb and eax,8000001Fh mov al,byte ptr [eax+Base32] stosb dec ecx .until ecx == 0 invoke lstrcat,addr Serial,addr Tab mov esi,offset MD5Digest+4 mov edi,offset Serial+4+1 mov ecx,4 xor eax,eax .repeat lodsb and eax,8000001Fh mov al,byte ptr [eax+Base32] stosb dec ecx .until ecx == 0 invoke lstrcat,addr Serial,addr Tab mov esi,offset MD5Digest+4+4 mov edi,offset Serial+4+4+1+1 mov ecx,4 xor eax,eax .repeat lodsb and eax,8000001Fh mov al,byte ptr [eax+Base32] stosb dec ecx .until ecx == 0 invoke lstrcat,addr Serial,addr Tab mov esi,offset MD5Digest+4+4+4 mov edi,offset Serial+4+4+4+1+1+1 mov ecx,4 xor eax,eax .repeat lodsb and eax,8000001Fh mov al,byte ptr [eax+Base32] stosb dec ecx .until ecx == 0 invoke SetDlgItemText,hWnd,IDC_NAME,addr ID invoke SetDlgItemText,hWnd,IDC_SERIAL,addr Serial invoke RtlZeroMemory,addr ID,sizeof ID invoke RtlZeroMemory,addr Serial,sizeof Serial .endif .elseif eax == WM_CLOSE invoke EndDialog, hWnd, 0 .endif xor eax,eax retDlgProc endpend start
Keygen.inc:
include windows.incinclude user32.incinclude kernel32.incinclude comctl32.incinclude shlwapi.incinclude winmm.incinclude \masm32\macros\macros.asm
includelib user32.libincludelib kernel32.libincludelib comctl32.libincludelib shlwapi.libincludelib winmm.lib
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
.codeHexToChar Proc HexValue:DWORD,CharValue:DWORD,HexLength:DWORDmov esi,[ebp+8]mov edi,[ebp+0Ch]mov ecx,[ebp+10h]@HexToChar:lodsbmov ah, aland ah, 0fhshr al, 4add al, '0'add ah, '0'.if al > '9'add al, 'A'-'9'-1.endif.if ah > '9'add ah, 'A'-'9'-1.endifstoswloopd @HexToCharRetHexToChar endp
.constIDD_MAIN equ 1000IDC_NAME equ 1012IDC_SERIAL equ 1013IDB_GENERATE equ 1016IDB_EXIT equ 1017
.dataBase32 db "0123456789ABCDEFGHJKLMNPQRTUVWXY",0Base10 db "0123456789",0Base26 db "ABCDEFGHIJKLMNOPQRSTUVWXYZ",0Tab db "-",0Rndm dd 0,0
.data?hInstance dd ?pData dd ?SizeRes dd ?hResource dd ?ID db 10h dup(?)Serial db 20h dup(?)
Md5.asm:
.data?MD5HashBuf db 64 dup(?)MD5Digest dd 4 dup(?)MD5Len dd ?MD5Index dd ? .codeMD5FF macro dwA, dwB, dwC, dwD, locX, rolS, constAC mov edi,dwC xor edi,dwD and edi,dwB xor edi,dwD add dwA,[locX] lea dwA,[edi+dwA+constAC] rol dwA,rolS add dwA,dwBendm
MD5GG macro dwA, dwB, dwC, dwD, locX, rolS, constAC mov edi,dwC xor edi,dwB and edi,dwD xor edi,dwC add dwA,[locX] lea dwA,[edi+dwA+constAC] rol dwA,rolS add dwA,dwBendm
MD5HH macro dwA, dwB, dwC, dwD, locX, rolS, constAC mov edi,dwC xor edi,dwD xor edi,dwB add dwA,[locX] lea dwA,[dwA+edi+constAC] rol dwA,rolS add dwA,dwBendm
MD5II macro dwA, dwB, dwC, dwD, locX, rolS, constAC mov edi,dwD xor edi,-1 or edi,dwB xor edi,dwC add dwA,[locX] lea dwA,[edi+dwA+constAC] rol dwA,rolS add dwA,dwBendm
align dwordMD5Transform proc pushad mov esi,offset MD5Digest mov edi,offset MD5HashBuf mov eax,[esi+0*4] mov ebx,[esi+1*4] mov ecx,[esi+2*4] mov ebp,edi mov edx,[esi+3*4] ;============================================================== MD5FF eax, ebx, ecx, edx, dword ptr [ebp+ 0*4], 7, 0D76AA478H MD5FF edx, eax, ebx, ecx, dword ptr [ebp+ 1*4], 12, 0E8C7B756H MD5FF ecx, edx, eax, ebx, dword ptr [ebp+ 2*4], 17, 0242070DBH MD5FF ebx, ecx, edx, eax, dword ptr [ebp+ 3*4], 22, 0C1BDCEEEH MD5FF eax, ebx, ecx, edx, dword ptr [ebp+ 4*4], 7, 0F57C0FAFH MD5FF edx, eax, ebx, ecx, dword ptr [ebp+ 5*4], 12, 04787C62AH MD5FF ecx, edx, eax, ebx, dword ptr [ebp+ 6*4], 17, 0A8304613H MD5FF ebx, ecx, edx, eax, dword ptr [ebp+ 7*4], 22, 0FD469501H MD5FF eax, ebx, ecx, edx, dword ptr [ebp+ 8*4], 7, 0698098D8H MD5FF edx, eax, ebx, ecx, dword ptr [ebp+ 9*4], 12, 08B44F7AFH MD5FF ecx, edx, eax, ebx, dword ptr [ebp+10*4], 17, 0FFFF5BB1H MD5FF ebx, ecx, edx, eax, dword ptr [ebp+11*4], 22, 0895CD7BEH
MD5FF eax, ebx, ecx, edx, dword ptr [ebp+12*4], 7, 06B901122H MD5FF edx, eax, ebx, ecx, dword ptr [ebp+13*4], 12, 0FD987193H MD5FF ecx, edx, eax, ebx, dword ptr [ebp+14*4], 17, 0A679438EH MD5FF ebx, ecx, edx, eax, dword ptr [ebp+15*4], 22, 049B40821H ;============================================================== MD5GG eax, ebx, ecx, edx, dword ptr [ebp+ 1*4], 5, 0F61E2562H MD5GG edx, eax, ebx, ecx, dword ptr [ebp+ 6*4], 9, 0C040B340H MD5GG ecx, edx, eax, ebx, dword ptr [ebp+11*4], 14, 0265E5A51H MD5GG ebx, ecx, edx, eax, dword ptr [ebp+ 0*4], 20, 0E9B6C7AAH MD5GG eax, ebx, ecx, edx, dword ptr [ebp+ 5*4], 5, 0D62F105DH MD5GG edx, eax, ebx, ecx, dword ptr [ebp+10*4], 9, 002441453H MD5GG ecx, edx, eax, ebx, dword ptr [ebp+15*4], 14, 0D8A1E681H MD5GG ebx, ecx, edx, eax, dword ptr [ebp+ 4*4], 20, 0E7D3FBC8H MD5GG eax, ebx, ecx, edx, dword ptr [ebp+ 9*4], 5, 021E1CDE6H MD5GG edx, eax, ebx, ecx, dword ptr [ebp+14*4], 9, 0C33707D6H MD5GG ecx, edx, eax, ebx, dword ptr [ebp+ 3*4], 14, 0F4D50D87H MD5GG ebx, ecx, edx, eax, dword ptr [ebp+ 8*4], 20, 0455A14EDH MD5GG eax, ebx, ecx, edx, dword ptr [ebp+13*4], 5, 0A9E3E905H MD5GG edx, eax, ebx, ecx, dword ptr [ebp+ 2*4], 9, 0FCEFA3F8H MD5GG ecx, edx, eax, ebx, dword ptr [ebp+ 7*4], 14, 0676F02D9H MD5GG ebx, ecx, edx, eax, dword ptr [ebp+12*4], 20, 08D2A4C8AH ;============================================================== MD5HH eax, ebx, ecx, edx, dword ptr [ebp+ 5*4], 4, 0FFFA3942H MD5HH edx, eax, ebx, ecx, dword ptr [ebp+ 8*4], 11, 08771F681H MD5HH ecx, edx, eax, ebx, dword ptr [ebp+11*4], 16, 06D9D6122H MD5HH ebx, ecx, edx, eax, dword ptr [ebp+14*4], 23, 0FDE5380CH MD5HH eax, ebx, ecx, edx, dword ptr [ebp+ 1*4], 4, 0A4BEEA44H MD5HH edx, eax, ebx, ecx, dword ptr [ebp+ 4*4], 11, 04BDECFA9H MD5HH ecx, edx, eax, ebx, dword ptr [ebp+ 7*4], 16, 0F6BB4B60H MD5HH ebx, ecx, edx, eax, dword ptr [ebp+10*4], 23, 0BEBFBC70H MD5HH eax, ebx, ecx, edx, dword ptr [ebp+13*4], 4, 0289B7EC6H MD5HH edx, eax, ebx, ecx, dword ptr [ebp+ 0*4], 11, 0EAA127FAH MD5HH ecx, edx, eax, ebx, dword ptr [ebp+ 3*4], 16, 0D4EF3085H MD5HH ebx, ecx, edx, eax, dword ptr [ebp+ 6*4], 23, 004881D05H MD5HH eax, ebx, ecx, edx, dword ptr [ebp+ 9*4], 4, 0D9D4D039H MD5HH edx, eax, ebx, ecx, dword ptr [ebp+12*4], 11, 0E6DB99E5H MD5HH ecx, edx, eax, ebx, dword ptr [ebp+15*4], 16, 01FA27CF8H MD5HH ebx, ecx, edx, eax, dword ptr [ebp+ 2*4], 23, 0C4AC5665H ;============================================================== MD5II eax, ebx, ecx, edx, dword ptr [ebp+ 0*4], 6, 0F4292244H MD5II edx, eax, ebx, ecx, dword ptr [ebp+ 7*4], 10, 0432AFF97H MD5II ecx, edx, eax, ebx, dword ptr [ebp+14*4], 15, 0AB9423A7H MD5II ebx, ecx, edx, eax, dword ptr [ebp+ 5*4], 21, 0FC93A039H MD5II eax, ebx, ecx, edx, dword ptr [ebp+12*4], 6, 0655B59C3H MD5II edx, eax, ebx, ecx, dword ptr [ebp+ 3*4], 10, 08F0CCC92H MD5II ecx, edx, eax, ebx, dword ptr [ebp+10*4], 15, 0FFEFF47DH MD5II ebx, ecx, edx, eax, dword ptr [ebp+ 1*4], 21, 085845DD1H MD5II eax, ebx, ecx, edx, dword ptr [ebp+ 8*4], 6, 06FA87E4FH MD5II edx, eax, ebx, ecx, dword ptr [ebp+15*4], 10, 0FE2CE6E0H MD5II ecx, edx, eax, ebx, dword ptr [ebp+ 6*4], 15, 0A3014314H MD5II ebx, ecx, edx, eax, dword ptr [ebp+13*4], 21, 04E0811A1H MD5II eax, ebx, ecx, edx, dword ptr [ebp+ 4*4], 6, 0F7537E82H MD5II edx, eax, ebx, ecx, dword ptr [ebp+11*4], 10, 0BD3AF235H MD5II ecx, edx, eax, ebx, dword ptr [ebp+ 2*4], 15, 02AD7D2BBH MD5II ebx, ecx, edx, eax, dword ptr [ebp+ 9*4], 21, 0EB86D391H ;============================================================== add [esi+0*4],eax ; update digest add [esi+1*4],ebx add [esi+2*4],ecx add [esi+3*4],edx popad retnMD5Transform endp
MD5BURN macro xor eax,eax mov MD5Index,eax mov edi,Offset MD5HashBuf mov ecx,(sizeof MD5HashBuf)/4 rep stosdendm
align dwordMD5Init proc uses edi xor eax, eax mov MD5Len,eax
MD5BURN mov eax,offset MD5Digest mov dword ptr [eax+0*4],067452301h mov dword ptr [eax+1*4],0EFCDAB89h mov dword ptr [eax+2*4],098BADCFEh mov dword ptr [eax+3*4],010325476h retMD5Init endp
align dwordMD5Update proc uses esi edi ebx lpBuffer:dword, dwBufLen:dword mov ebx,dwBufLen mov esi,lpBuffer add MD5Len,ebx .while ebx mov eax,MD5Index mov ecx,64 sub ecx,eax lea edi,[MD5HashBuf+eax] .if ecx <= ebx sub ebx,ecx rep movsb call MD5Transform MD5BURN .else mov ecx,ebx rep movsb add MD5Index,ebx .break .endif .endw retMD5Update endp
align dwordMD5Final proc uses esi edi mov ecx, MD5Index mov byte ptr [MD5HashBuf+ecx],80h .if ecx >= 56 call MD5Transform MD5BURN .endif mov eax,MD5Len xor edx,edx shld edx,eax,3 shl eax,3 mov dword ptr [MD5HashBuf+56],eax mov dword ptr [MD5HashBuf+60],edx call MD5Transform mov eax,offset MD5Digest retMD5Final endp
whatever.rc:
;This Resource Script was generated by WinAsm Studio.
#define IDD_MAIN 1000#define IDB_EXIT 1017#define IDC_NAME 1012#define IDB_GENERATE 1016#define IDC_LIC 1013#define IDC_STATIC1009 1009#define IDC_STATIC1010 1010
IDD_MAIN DIALOGEX 10,10,171,57CAPTION "MBAM 1.50b kg"FONT 8,"Tahoma"STYLE 0x90c80804EXSTYLE 0x00000000BEGIN CONTROL "ID:",IDC_STATIC1009,"Static",0x50000000,7,6,14,10,0x00000000 CONTROL "Serial:",IDC_STATIC1010,"Static",0x50000000,7,22,23,10,0x00000000 CONTROL "",IDC_NAME,"Edit",0x50010080,33,3,127,13,0x00020000 CONTROL "",IDC_LIC,"Edit",0x50010000,33,18,127,13,0x00020000 CONTROL "Generate",IDB_GENERATE,"Button",0x50010001,7,37,47,13,0x00000000 CONTROL "Exit",IDB_EXIT,"Button",0x50010000,123,37,37,13,0x00000000END
Compiled:
PatchingCall this a bonus or what’s you want but it’s also easy to patch malwarebytes’ Anti-Malware.V1,50b
dUP2:
RAW Offset |Old Byte|New Byte-----------------+----------+----------00077340 55 6600077341 8B B800077342 EC 0100077343 83 0000077344 EC C3
Adding a regfile:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware]"ID"="$Registered to ?$""Key"="RED CReW 2K10"
When registered MBAM will create you a registry key of your name and serial,Add some breakpoints in all api about registry and reload mbam for search the good,The patch do that:
Dont forget to make a regfile like:
[HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware]"ID"="Patched""Key"="Fake-Fake-Whatever"
Greetingsqpt^J for is nice stuff