In this sequence, the first value pushed into the stack is the starting address
of the encrypted data and the second value pushed is the ending address. You
go to Olly’s dump window and dump data starting at 401E32. Now, you need
to create a brute-forcer program and copy that decrypted data into it.
Before you actually write the program, you need to get a better understand-
ing of the encryption algorithm used by Defender. A quick glance at a decryp-
tion sequence shows that it’s not just XORing the key against each DWORDin
the code. It’s also XORing each 32-bit block with the previous unencrypted
block. This is important because it means the decryption process must begin at
the same position in the data where encryption started—otherwise the decryp-
tion process will generate corrupted data. We now have enough information to
write our little decryption loop for the brute-forcer program.
for (DWORD dwCurrentBlock = 0;
dwCurrentBlock <= dwBlockCount;
dwCurrentBlock++)
{
dwDecryptedData[dwCurrentBlock] = dwEncryptedData[dwCurrentBlock] ^
dwCurrentKey;
dwDecryptedData[dwCurrentBlock] ^= dwPrevBlock;
dwPrevBlock = dwEncryptedData[dwCurrentBlock];
}This loop must be executed for each key! After decryption is completed you
search for your token in the decrypted block. If you find it, you’ve apparently
hit the correct key. If not, you increment your key by one and try to decrypt
and search for the token again. Here’s the token searching logic.
PBYTE pbCurrent = (PBYTE) memchr(dwDecryptedData, Sequence[0],
sizeof(dwEncryptedData));
while (pbCurrent)
{
if (memcmp(pbCurrent, Sequence, sizeof(Sequence)) == 0)
{
printf (“Found our sequence! Key is 0x%08x.\n”, dwCurrentKey);
_exit(1);
}
pbCurrent++;
pbCurrent = (PBYTE) memchr(pbCurrent, Sequence[0],
sizeof(dwEncryptedData) - (pbCurrent - (PBYTE) dwDecryptedData));
}Realizing that all of this must be executed 4,294,967,296 times, you can start
to see why this is going to take a little while to complete. Now, consider that
this is merely a 32-bit key! A 64-bit key would have taken 4,294,967,296 _ 232
iterations to complete. At 4,294,967,296 iterations per-minute, it would still
take about 8,000 years to go over all possible keys.
Breaking Protections 411