Quick Password Recovery PRO 1.7 security research

Hello. Today, using the example of Quick Password Recovery Pro 1.7.1, I want to show a study of protection using a couple of interesting techniques and a hash function.

Purpose: Quick Password Recovery PRO 1.7.1 (www.passdecrypt.ru)
Protection: HWID + MD5
Tools: Die 0.65 + KANAL 2.92 plugin, OllyDbg 1.10 (more Olly) + mapimp plugin (available on tport.org), IDR (Interactive Delphi Reconstructor), Keygener Assistant 1.7, Borland Delphi 7 (for writing keygen).
Let's start the "examination of the patient":

The program is written in Borland Delphi [ver: 2006] | Object Pascal, so we immediately ship it to IDR to analyze and create a map file for Olly.
The Kanal plugin finds several crypto signatures:

We start the program, we are greeted by a window with a message that this is an unregistered version and some functions are not available. In this we can see for yourself:

')
Press the "Register" button:

For registration, we need a name and serial number, which certainly depend on the system identifier (further HWID).

Enter any registration data, for example:
Name: ds@mail.ru
Serial: abcdefghigklmnop

We look at the IDR code, which is executed by clicking on the "Register" button, but we see that in addition to the creation of a pair of entries in the registry, nothing else happens:

The program offers us to restart it, which means that the check is performed somewhere at the start of the program. Suppose a check is performed when the main form is created (OnCreate event). We are looking for a place to call in IDR and put a breakpoint at the beginning of the function in Olly:

We start the program from the debugger and stop here:

Copy Source | Copy HTML 0046EC94 > . 55 PUSH EBP ; Unit1.TForm1.FormCreate 

We reach the first interesting call:

On F7 we enter and trace further, until we reach here:

I'll run a little bit ahead and say that this is where the HWID generation and subtraction of the first part of the serial are hiding.
Again, we follow F7 and determine that the HWID is generated at 46537F, which is easy to guess by passing the function under the debugger:

Copy Source | Copy HTML 0046537F |. E8 3CFCFFFF CALL <QuickPas._Unit32.sub_00464FC0> ; << Get Hwid 

But then we carefully examine the function at the address 00464FC0 and find the code there:

Copy Source | Copy HTML 00465072 | > /8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] 00465075 |. |0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] 0046507A |. |8BD3 |MOV EDX,EBX 0046507C |. |03D2 |ADD EDX,EDX 0046507E |. |03C2 |ADD EAX,EDX 00465080 |. |8D55 DC |LEA EDX,DWORD PTR SS:[EBP-24] 00465083 |. |E8 3441FAFF |CALL < QuickPas.SysUtils.IntToStr > 00465088 |. |8B55 DC |MOV EDX,DWORD PTR SS:[EBP-24] 0046508B |. |8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C] 0046508E |. |E8 6D01FAFF |CALL < QuickPas.system. @LStrCat > 00465093 |. |43 |INC EBX 00465094 |. |83FB 04 |CMP EBX,4 00465097 |.^\75 D9 \JNZ SHORT QuickPas.00465072 00465099 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 0046509C |. E8 93FEF9FF CALL < QuickPas.system. @LStrClr > 004650A1 |. BB 01000000 MOV EBX,1 004650A6 | > 8D45 D8 /LEA EAX,DWORD PTR SS:[EBP-28] 004650A9 |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C] 004650AC |. 0FB6541A FF |MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] 004650B1 |. E8 6600FAFF |CALL < QuickPas.system. @LStrFromChar > 004650B6 |. 8B55 D8 |MOV EDX,DWORD PTR SS:[EBP-28] 004650B9 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8] 004650BC |. E8 3F01FAFF |CALL < QuickPas.system. @LStrCat > 004650C1 |. 43 |INC EBX 004650C2 |. 83FB 06 |CMP EBX,6 004650C5 |.^ 75 DF \JNZ SHORT QuickPas.004650A6

Here, the codes of the first 3 characters are taken, + the value of the loop counter multiplied by 2 is glued to a string, and then only the first 5 are taken (the SystemBiosDate parameter, which is considered a hash, can be found in the registry, and more specifically here: HKEY_LOCAL_MACHINE \ HARDWARE \ DESCRIPTION \ System)

In pascal, it can be written like this:

Copy Source | Copy HTML md5_sbd:=md5( SystemBiosDate) for i:=1 to 3 do begin result := result + IntToStr(ord(md5_sbd[i]) + i*2;); end ; 

After exiting the HWID receiving function, step forward:

Copy Source | Copy HTML 00465389 |> /8D45 F8 /LEA EAX,DWORD PTR SS:[EBP-8] 0046538C |. |E8 BF00FAFF | CALL <QuickPas.system.@UniqueStringA> 00465391 |. |BA 06000000 |MOV EDX,6 00465396 |. |2BD3 |SUB EDX,EBX 00465398 |. |8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4] 0046539B |. |0FB64C19 FF |MOVZX ECX,BYTE PTR DS:[ECX+EBX-1] 004653A0 |. |884C10 FF |MOV BYTE PTR DS:[EAX+EDX-1],CL 004653A4 |. |43 |INC EBX 004653A5 |. |83FB 06 |CMP EBX,6 004653A8 |.^\75 DF \JNZ SHORT QuickPas.00465389 004653AA |. BB 01000000 MOV EBX,1 004653AF |> 8D45 F0 /LEA EAX,DWORD PTR SS:[EBP-10] 004653B2 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8] 004653B5 |. 0FB6541A FF |MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] 004653BA |. E8 5DFDF9FF | CALL <QuickPas.system.@LStrFromChar> 004653BF |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10] 004653C2 |. E8 313FFAFF | CALL <QuickPas.SysUtils.StrToInt> 004653C7 |. 8BF0 |MOV ESI,EAX 004653C9 |. 33F3 |XOR ESI,EBX 004653CB |. 8D55 F4 |LEA EDX,DWORD PTR SS:[EBP-C] 004653CE |. 8BC6 |MOV EAX,ESI 004653D0 |. E8 E73DFAFF | CALL <QuickPas.SysUtils.IntToStr> 004653D5 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8] 004653D8 |. E8 7300FAFF | CALL <QuickPas.system.@UniqueStringA> 004653DD |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C] 004653E0 |. 0FB612 |MOVZX EDX,BYTE PTR DS:[EDX] 004653E3 |. 885418 FF |MOV BYTE PTR DS:[EAX+EBX-1],DL 004653E7 |. 43 |INC EBX 004653E8 |. 83FB 06 |CMP EBX,6 004653EB |.^ 75 C2 \JNZ SHORT QuickPas.004653AF

Here are some transformations, etc. Again, I present the code section I translated only in Pascal:

Copy Source | Copy HTML part_of_serial:=ReverseString(hwid); tmp:= '' ; for i:= 1 to 5 do begin tmp:=tmp + copy(IntToStr(StrToInt(part_of_serial[i]) xor i),1,1); end ; part_of_serial:=copy(tmp,1,5); 

In my case, the result was 41413
Go ahead, see ...

Knowing that the md5 hash function is used in the program, we check our assumption:
md5 (41413) = FFA54840A3C240E0725C16C7FA48281C

This is clearly seen in the stack window:

We leave the function, continue tracing and see that the md5-hash from the first 5 characters of the entered serial is taken and compared with the previously received (primitive, but at least somehow).
md5 (abcde) = AB56B4D92B40713ACC5AF89985D4B786

Now we know that the first characters of the correct serial (in my case) should be 41413.
We are trying to register a program with a new serial with the foregoing:
41413abcdefghijklmnop, and the mail is the same as before (ds@mail.ru).
Now we are going to check at:

Copy Source | Copy HTML 00465563 |. E8 DCFDF9FF CALL <QuickPas.system.@LStrCmp> 

The program runs without prejudice and says in the About window that everything is fine, but when you click on the function buttons in the program we see the Unregistered version.

Ok, we continue from the place where we passed the test. We set breakpoint at 00465563 and trace further.
We see two very simple pieces of code:

Copy Source | Copy HTML 00465595 |. BB 01000000 MOV EBX,1 0046559A | > /8B45 EC /MOV EAX,DWORD PTR SS:[EBP-14] 0046559D |. |0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] 004655A2 |. |0145 E4 |ADD DWORD PTR SS:[EBP-1C],EAX 004655A5 |. |43 |INC EBX 004655A6 |. |83FB 06 |CMP EBX,6 004655A9 |.^\75 EF \JNZ SHORT QuickPas.0046559A 

Copy Source | Copy HTML 004655BC |. BB 01000000 MOV EBX,1 004655C1 | > 8B55 FC /MOV EDX,DWORD PTR SS:[EBP-4] 004655C4 |. 0FB6541A FF |MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] 004655C9 |. 0155 E8 |ADD DWORD PTR SS:[EBP-18],EDX 004655CC |. 43 |INC EBX 004655CD |. 48 |DEC EAX 004655CE |.^ 75 F1 \JNZ SHORT QuickPas.004655C1 

They carry out some calculations (first for characters from the 6th to 10th from the entered serial), and then from the entered e-mail.

As a result of all this, the number 1353 and fghijklmnop are being compared, it is logical that this may be the third part of the serial number.
We are trying a new serial number: 41413abcde1353
It seems everything is fine, but there is one "BUT"!
When you click on the function keys for recovery, we get incomprehensible characters, such as:

It turns out that somewhere something goes wrong before outputting the results. Let's look at the IDR event by clicking, for example, on The Bat password recovery and set a breakpoint at the beginning of the procedure.

Then we go to the function at 465250 and carefully look in the stack window, and in parallel we press F8
It's hard not to notice that the first 5 characters of the serial number and the HWID are stuck together, and then the received string is considered to be an md5 hash.

md5 (4141369735) = 3354B017EB74FB4DC20A1B48491D1431

And then from the received hash is considered a certain amount:

Copy Source | Copy HTML for i:=4 to 7 do begin tmp := tmp + IntToStr(ord(part2[i])); end ; 

and the first 5 characters are copied:

Copy Source | Copy HTML some := copy(tmp,1,5); 

As a result of calculations, we get 52664 (we will return to this value).

Further interesting challenge:
CALL 00467A44
For us there is nothing interesting (this is the main function of the program that is trying to recover the password).
Go ahead and look here:
00470919 |. E8 FA4DFFFF CALL <QuickPas._Unit32.sub_00465718>

Very interesting block:

Copy Source | Copy HTML 0046577F |. BB 01000000 MOV EBX,1 00465784 | > 8D45 FC /LEA EAX,DWORD PTR SS:[EBP-4] 00465787 |. E8 C4FCF9FF |CALL < QuickPas.system. @UniqueStringA > 0046578C |. 8D4418 FF |LEA EAX,DWORD PTR DS:[EAX+EBX-1] 00465790 |. 50 |PUSH EAX 00465791 |. 8BC3 |MOV EAX,EBX 00465793 |. 99 |CDQ 00465794 |. F7FF |IDIV EDI 00465796 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8] 00465799 |. 0FB60410 |MOVZX EAX,BYTE PTR DS:[EAX+EDX] 0046579D |. 0FBE55 F3 |MOVSX EDX,BYTE PTR SS:[EBP-D] 004657A1 |. F7EA |IMUL EDX 004657A3 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] 004657A6 |. 0FB6541A FF |MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] 004657AB |. 03C2 |ADD EAX,EDX 004657AD |. 5A |POP EDX 004657AE |. 8802 |MOV BYTE PTR DS:[EDX],AL 004657B0 |. 43 |INC EBX 004657B1 |. 4E |DEC ESI 004657B2 |.^ 75 D0 \JNZ SHORT QuickPas.00465784

Looking through the dump window, we understand that a primitive encryption is going on before output (although this is too loud and does not reach full-fledged encryption, but there is something in common - this message and the key with which encryption goes, so I will continue to call this block encryption).

You can explore this code in more detail, but for the final purpose (writing keygens) we don’t need this.

Go ahead and see:

Copy Source | Copy HTML 0047093B |. E8 144DFFFF CALL < QuickPas._Unit32.sub_00465654 > 

The parameter that is passed to this function is very familiar to us - these are serial number symbols from the 6th to the 10th.
Intuition did not let me down, we see such a piece of code:

Copy Source | Copy HTML 004656AC |. BB 01000000 MOV EBX,1 004656B1 | > 8D45 FC /LEA EAX,DWORD PTR SS:[EBP-4] 004656B4 |. E8 97FDF9FF |CALL < QuickPas.system. @UniqueStringA > 004656B9 |. 8D4418 FF |LEA EAX,DWORD PTR DS:[EAX+EBX-1] 004656BD |. 50 |PUSH EAX 004656BE |. 8BC3 |MOV EAX,EBX 004656C0 |. 99 |CDQ 004656C1 |. F7FF |IDIV EDI 004656C3 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8] 004656C6 |. 0FB60410 |MOVZX EAX,BYTE PTR DS:[EAX+EDX] 004656CA |. 0FBE55 F3 |MOVSX EDX,BYTE PTR SS:[EBP-D] 004656CE |. F7EA |IMUL EDX 004656D0 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] 004656D3 |. 0FB6541A FF |MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] 004656D8 |. 03C2 |ADD EAX,EDX 004656DA |. 5A |POP EDX 004656DB |. 8802 |MOV BYTE PTR DS:[EDX],AL 004656DD |. 43 |INC EBX 004656DE |. 4E |DEC ESI 004656DF |.^ 75 D0 \JNZ SHORT QuickPas.004656B1

The same code, but in this case, it “decrypts” the message just before its output.
It is clear that in order to obtain normal data at the output, you need to decrypt with the same key as encrypted.

true_key = 52664
our_key = abcde

message = decrypt (crypt (message, true_key), our_key)
It is easy to guess that in order for message = message, true_key should equal our_key.

In general, all the data for keygen we have, it remains to put everything in one general procedure.
To facilitate, we divide some calculations into separate functions:

1. The function to get the value from the registry:

Copy Source | Copy HTML function RegQueryStr(RootKey: HKEY; Key, Name: string ; Success: PBoolean = nil): string ; var Handle: HKEY; Res: LongInt; DataType, DataSize: DWORD; begin if Assigned(Success) then Success^ := False; Res := RegOpenKeyEx(RootKey, PChar(Key), 0 , KEY_QUERY_VALUE, Handle); if Res <> ERROR_SUCCESS then Exit; Res := RegQueryValueEx(Handle, PChar(Name), nil, @DataType, nil, @DataSize); if (Res <> ERROR_SUCCESS) or (DataType <> REG_SZ) then begin RegCloseKey(Handle); Exit; end; SetString(Result, nil, DataSize - 1 ); Res := RegQueryValueEx(Handle, PChar(Name), nil, @DataType, PByte(@Result[ 1 ]), @DataSize); if Assigned(Success) then Success^ := Res = ERROR_SUCCESS; RegCloseKey(Handle); end;

2. HWID calculation function:

Copy Source | Copy HTML function GetHWID: string; var SystemBiosDate,md5_sbd:String; i: integer ; digest:pointer; dwSize:Cardinal; begin SystemBiosDate := RegQueryStr(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System' , 'SystemBiosDate' ); md5_sbd:=SystemBiosDate; dwSize:=length(md5_sbd); digest:= GetHash(@md5_sbd[1],dwSize,ALG_MD5); if digest <> nil then try md5_sbd:=BinToHexStr(digest,dwSize); finally FreeMem(digest); end ; md5_sbd:=Uppercase(md5_sbd); result := '' ; for i:=1 to 3 do begin result := result + IntToStr(ord(md5_sbd[i]) + i*2); end ; result :=copy( Result ,1,5); End ;

3. The function of receiving the reverse (reverse line):

Copy Source | Copy HTML function ReverseString( const s: string ): string ; var i, len: Integer; begin len := Length(s); SetLength(Result, len); for i := len downto 1 do begin Result[len - i + 1 ] := s[i]; end; end; 

4. Function to check whether the string is a number (for correctness of the entered data by the user):

Copy Source | Copy HTML function IsStrANumber( const S: string ): Boolean; var P: PChar; begin P := PChar(S); Result := False; while P^ <> # 0 do begin if not (P^ in [ '0' .. '9' ]) then Exit; Inc(P); end; Result := True; end; 

The basic generation procedure:

Copy Source | Copy HTML procedure generate; var Serial,NameBuf: String ; len,len1: integer ; Textname,HWID: PChar ; hw: String ; i ,sum_name,sum_part2: integer ; part1,tmp,part2,part3: string ; digest: pointer ; dw Size : Cardinal ; begin len := GetWindowTextLengthA( TxtNameHwnd ); len1 := GetWindowTextLengthA( txtHWID ); if len > 1 then begin { Get text from name input } GetMem( Textname, len ); GetWindowTextA( TxtNameHwnd,PAnsiChar(Textname ),len + 1 ); GetMem( HWID, len1 ); GetWindowTextA( TxtHWID,PAnsiChar(HWID ),len1 + 1 ); HW:=String( HWID ); if ( IsStrANumber(hw )) and ( length(hw )= 5 ) then begin { Generate Serial } NameBuf:=String( Textname ); hw:=string( HWID ); hw:=copy( hw,1,5 ); part1:=ReverseString( hw ); tmp:= '' ; for i := 1 to 5 do begin tmp:=tmp + copy( IntToStr(StrToInt(part1[i] ) xor i ), 1 , 1 ); end; part1:=copy( tmp,1,5 ); //--------------------- tmp:= '' ; part2 :=part1+hw; dw Size :=length( part2 ); digest:= GetHash( @part2[1],dwSize,ALG_MD5 ); if digest <> nil then try part2:=BinToHexStr( digest,dwSize ); finally FreeMem( digest ); end; part2 := UpperCase ( part2 ); for i := 4 to 7 do begin tmp := tmp + IntToStr( ord(part2[i] )); end; part2 := copy( tmp,1,5 );; //--------------------- sum_name:= 0 ; sum_part2:= 0 ; for i := 1 to length( NameBuf )- 1 do begin sum_name:=sum_name + ord( NameBuf[i] ); end; for i := 1 to length( part2 ) do begin sum_part2:=sum_part2 + ord( part2[i] ); end; part3:=IntToStr( sum_name+sum_part2 ); Serial:=part1 + part2 + part3; end else // if hwid not numeric or <> 5 Serial:= 'Invalid HWID' ; { Display The Results } SetWindowTextA( TxtSerialHwnd,PChar(Serial )); FreeMem ( HWID, len1 + 1 ); FreeMem ( Textname, len+1 ); end Else { Display Error } SetWindowText( TxtSerialHwnd,'Not Enough Characters..' ); end;

I think everything is very clear here, since all the main points were dismantled earlier.
These sections of code can cause questions:

Copy Source | Copy HTML dwSize:=length(part2); digest:= GetHash(@part2[1],dwSize,ALG_MD5); if digest <> nil then try part2:=BinToHexStr(digest,dwSize); finally FreeMem(digest); end ; 

In short, this is an md5-hash calculation using HashCryptoAPILib, which in turn uses standard Windows tools (CryptoApi). You can compile the keygen yourself or take it ready on tport.org in the “Download” section.

We generate a serial on any name and we test. The program is registered, works correctly, tries to perform its functions and displays messages in a normal form. That's all.

I hope that the above material was interesting and that someone will learn something useful for themselves.

Source: https://habr.com/ru/post/133508/

All Articles

Quick Password Recovery PRO 1.7 security research

More articles: