venerdì 11 gennaio 2019

Perfect Keylogger - Not a so perfect protection itself. An old infected keygen story.

Hello everybody,
everything has started by watching this video on youtube made by some user "St.Bandera" https://www.youtube.com/watch?v=xv1WbTQbXzY

His "nasty dirty trick" used to crack the software has triggered my anger and I wanted to write this post. :)


Some time before I was also interested to take a look into the same commercial keylogger which is packed with Themida protector. 

Themida has always been a nightmare. 

My goal was to unpack it and analyze the keylogger deeply to know what does it really do...until now :)

In my pc I have an older version with an infected keygen and I'm focusing on it.

Virustotal scores it as 51/67.
https://www.virustotal.com/#/file/c5b81e4f47aae5c7b74b6c4257bb98e6d07c05b5d6ab04bb5727a7509f0419f2/detection



After first unpacking I dumped a second exe which is also (probably) a malware... https://www.virustotal.com/#/file/d7da3cebe33476fe10f088cec3220f6b6be00cac70bb25a258be97f0cc991952/detection
what do you expect from a keygen?! :)

In this case I won't dig about what such malware do, I focus myself into the keygen routine. IDA-Pro static analysis helps us:


Basically, each char of the key (which is always 16 char long as the lenght of the secret key) is generated by simple operations in a pseudo routine like this: 
// PSEUDO CODE
result = xor ( hex(A[0]), hex(k[i]) );
final_Char= result % 0x19;
final_Char+= 0x41;

Where the "A" array is just our "user name" of 16 char lengh and the "k" array is the secret key which changes on each version of the "Perfect keylogger" (and works until the owner does not change the registration routine).
Since we're starting from an old keygen which contains an invalid key for this keylogger newer version, now the question is: where do we find the key?

The keylogger, even if its packed by Themida protector, is not propelly fully protected and we can steal the key from the dump and we dont even need to do that by using ollydbg...we can just use a HXD!!!! LOL
Anyway, we're lazy...aren't we? :)
In the youtube video, there is the secret key showed up into the strings list. :)))

A quick snippet of code in .net do the job.

// hex rapresetation of the secret key - i wrote an invalid one -
   char[] secretkey =new char[]{   (char)0x90, (char)0x90, (char)0x46, (char)0x90,
           (char)0x90, (char)0x90, (char)0x90, (char)0x90, 
           (char)0x90, (char)0x78, (char)0x90, (char)0x25,
       (char)0x90, (char)0x90,(char) 0x90, (char)0x21};
   string hex ="A";
   
   
   
   int result=0x0;
   string key="";
   int A;
   int k;
   for(int i=0;i<=15;i++)
   {
    A=(int)Convert.ToChar(hex);                 
    k=Convert.ToInt32(secretkey[i]);
    result=( k ^ A);                 
    result= result % 0x19;
    result+=0x41;
    if(i==4 || i==8||i==12) key+="-";
    key+= ((char) result).ToString();
   }
   
   Console.WriteLine(key);
   Console.Write("Press any key to continue . . . ");
   Console.ReadKey(true);

Most of people are used to download crack on internet without considering the risks of infection.
In my experience, almost all of keygens (even the ones who do the job) are malware. 
Be aware of them and - for fun - always write it by your own!

Feel free to comment below.
Cheers!
RE Solver




Nessun commento:

Posta un commento