The return value from this function can be fed into the following code (the
includes, the NameToInt64 prototype, and the main wrapper are added here so
the fragment compiles as a program; the prototype's parameter type is assumed):
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/* 64-bit name-to-number conversion shown earlier in this chapter (signature assumed) */
unsigned __int64 NameToInt64(WCHAR *pwszName);
int main(int argc, char *argv[])
{
    char name[256];
    char fsname[256];
    DWORD complength;
    DWORD VolumeSerialNumber;
    if (argc < 2) return 1;
    /* Read the serial number of the C: volume; it is part of the key computation */
    GetVolumeInformation("C:\\", name, sizeof(name), &VolumeSerialNumber,
                         &complength, 0, fsname, sizeof(fsname));
    printf("Volume serial number is: 0x%08x\n", VolumeSerialNumber);
    printf("Computing serial for name: %s\n", argv[1]);
    WCHAR wszName[256];
    mbstowcs(wszName, argv[1], 256);
    unsigned __int64 Name = NameToInt64(wszName);
    /* Low 32 bits of the name number times the volume serial, with 32-bit wraparound */
    ULONG FirstNum = (ULONG) Name * VolumeSerialNumber;
    /* Unsigned 32-bit subtraction (wraps), then widened to 64 bits */
    unsigned __int64 Result = FirstNum - (ULONG) 0xb14ac01a;
    printf("Name number is: %08x%08x\n",
           (ULONG) (Name >> 32), (ULONG) Name);
    printf("Name * VolumeSerialNumber is: %08x\n", FirstNum);
    printf("Serial number is: %08x%08x\n",
           (ULONG) (Result >> 32), (ULONG) Result);
    return 0;
}
This is the code for the keygen program. When you run it with the name
John Doe, you get the following output.
Volume serial number is: 0x6c69e863
Computing serial for name: John Doe
Name number is: 000000212ccaf4a0
Name * VolumeSerialNumber is: 15cd99e0
Serial number is: 000000006482d9c6
Naturally, you’ll see different values because your volume serial number is
different. The final number is what you have to feed into Defender. Let’s see if
it works! You type “John Doe” and 000000006482D9C6 (or whatever your
serial number is) as the command-line parameters and launch Defender. No
luck. You’re still getting the “Sorry” message. Looks like you’re going to have
to step into that encrypted function and see what it does.
The encrypted function starts with an NtDelayExecution call and proceeds to
call the inverse twin of that 64-bit left-shifter function you ran into earlier. This
one does the same thing only with right shifts (32 of them to be exact).
Defender is doing something you’ve seen it do before: It’s computing
LOWPART(NameSerial) * VolumeSerial – HIGHPART(TypedSerial). It then does
something that signals some more bad news: It returns the result from the
preceding calculation to the caller.
This is bad news because, as you probably remember, this function’s return
value is used for decrypting the function that called it. It looks like the high
part of the typed serial is also somehow taking part in the decryption process.
Breaking Protections 413