You’re going to have to brute-force the calling function as well—it’s the only
way to find this key.
In this function, the encrypted code starts at 401FEDand ends at 40207F.
In looking at the encryption/decryption local variable, you can see that it’s at
the same offset [EBP-4]as in the previous function. This is good because it
means that you’ll be looking for the same byte sequence:unsigned char Sequence[] = {0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00 };Of course, the data is different because it’s a different function, so you copy
the new function’s data over into the brute-forcer program and let it run. Sure
enough, after about 10 minutes or so you get the answer:Found our sequence! Key is 0x8ed105c2.Let’s immediately fix the keygen to correctly compute the high-order word
of the serial number and try it out. Here’s the corrected keygen code.unsigned __int64 Name = NameToInt64(wszName);
ULONG FirstNum = (ULONG) Name * VolumeSerialNumber;
unsigned __int64 Result = FirstNum - (ULONG) 0xb14ac01a;
Result |= (unsigned __int64) (FirstNum - 0x8ed105c2) << 32;printf (“Name number is: %08x%08x\n”,
(ULONG) (Name >> 32), (ULONG) Name);
printf (“Name * VolumeSerialNumber is: %08x\n”, FirstNum);
printf (“Serial number is: %08x%08x\n”,
(ULONG) (Result >> 32), (ULONG) Result);Running this corrected keygen with “John Doe” as the username, you get
the following output:Volume serial number is: 0x6c69e863
Computing serial for name: John Doe
Name number is: 000000212ccaf4a0
Name * VolumeSerialNumber is: 15cd99e0
Serial number is: 86fc941e6482d9c6As expected, the low-order word of the serial number is identical, but you
now have a full result, including the high-order word. You immediately try
and run this data by Defender: Defender “John Doe” 86fc941e6482d9c6 (again,
this number will vary depending on the volume serial number). Here’s
Defender’s output:Defender Version 1.0 - Written by Eldad Eilam
That is correct! Way to go!414 Chapter 11