Jump to content
Tuts 4 You

Issue writing keygen in C++ Privlidged Instruction with inline ASM?


ph0six

Recommended Posts

Posted

Hello all,

So I've been bashing my head against a wall for a few hours on this issue and I'm not entirely sure what the problem is.

When I step debug the application, it's breaking on this: CALL lstrcpyA

The Error seems to be changing each time, first time it was array out of bounds, second time it was erroring with "Privileged instruction" I'm just not entirely sure what the issue is.

Anyhow, here's the source.

Can anyone possibly lend a helping hand here?

Thanks !


#include <windows.h>
#include <iostream>
#include <string>using namespace std;void MyFunction(long int one);
char alpha[] = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
char one[] = "STD";
char two[] = "ENR";int m;
int main()
{
cout << endl << "BPA Keygen by ph0six" << endl << endl; __asm
{
PUSH EBP
MOV EBP,ESP
ADD ESP,-0x0B0
// PUSH EBX
PUSH ESI
PUSH EDI
MOV EAX,DWORD PTR SS:[EBP+0xC] MOV ECX, offset one
MOV EBX, offset two
PUSH ECX LEA EAX,DWORD PTR SS:[EBP-0x10]
PUSH EAX
CALL lstrcpyA
PUSH EBX
LEA EAX,DWORD PTR SS:[EBP-0x20]
PUSH EAX
CALL lstrcpyA
LEA EDI,DWORD PTR SS:[EBP-0xA0]
XOR EBX,EBX
JMP L015
L011:
PUSH 0x04077FD
CALL dip****
dip****:
PUSH EBP
MOV EBP,ESP
ADD ESP,-0x4
PUSHAD
MOV ESI,DWORD PTR SS:[EBP+0x8]
XOR ECX,ECX
JMP L008
L007:
INC ECX
L008:
CMP BYTE PTR DS:[ECX+ESI],0x0
JNZ L007
CALL asshead //
asshead:
RDTSC
SHR EAX,0x2
ADD EAX,0x1
MOV DWORD PTR DS:[0x407B00],EAX
RETN
// PUSH EAX
CALL dickwad //
dickwad:
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH EDX
MOV EAX,DWORD PTR DS:[0x407B00]
MOV EDX,0x0
MOV ECX,0x1F31D
DIV ECX
XOR EAX,EDX
XOR EDX,EAX
XOR EAX,EDX
PUSH EDX
MOV ECX,0x41A7
MUL ECX
POP EDX
XOR EAX,EDX
XOR EDX,EAX
XOR EAX,EDX
PUSH EDX
MOV ECX,0xB14
MUL ECX
POP EDX
SUB EDX,EAX
MOV EAX,EDX
MOV DWORD PTR DS:[0x407B00],EAX
MOV ECX,DWORD PTR SS:[EBP+0x8]
MOV EDX,0x0
DIV ECX
MOV EAX,EDX
POP EDX
POP ECX
LEAVE
RETN 0x4
// MOVZX EAX,AX
CDQ
IDIV ECX
MOV AL,BYTE PTR DS:[EDX+ESI]
MOV BYTE PTR SS:[EBP-0x1],AL
POPAD
MOVZX EAX,BYTE PTR SS:[EBP-0x1]
LEAVE
RETN 0x4 MOV BYTE PTR DS:[EBX+EDI],AL
INC EBX
L015:
CMP EBX,0x19
JNZ L011 MOV BYTE PTR DS:[EBX+EDI],0x0
LEA EAX,DWORD PTR SS:[EBP-0x10]
PUSH EAX
CALL dip****
MOV BYTE PTR DS:[EDI+0xD],AL
LEA EAX,DWORD PTR SS:[EBP-0x20]
PUSH EAX
CALL dip****
MOV BYTE PTR DS:[EDI+0x2],AL
LEA EAX,DWORD PTR SS:[EBP-0x20]
PUSH EAX
CALL dip****
MOV BYTE PTR DS:[EDI+0xF],AL
CMP DWORD PTR SS:[EBP+0xC],0x9
JNZ L016
MOV BYTE PTR DS:[EDI+0x12],0x37
L016:
PUSH 0x7
XOR ECX,ECX
MOV EDX,EDI
LEA EAX,DWORD PTR SS:[EBP-0xB0]
CALL gayass
//
gayass:
PUSH EBP
MOV EBP,ESP
ADD ESP,-0x3C
MOV DWORD PTR SS:[EBP-0x30],ECX
MOV DWORD PTR SS:[EBP-0x4],EDX
MOV DWORD PTR SS:[EBP-0x2C],EAX
MOV DWORD PTR SS:[EBP-0xC],0x1
INC DWORD PTR SS:[EBP-0xC]
MOV WORD PTR SS:[EBP-0x18],0x8
XOR EDX,EDX
MOV DWORD PTR SS:[EBP-0x34],EDX
MOV BYTE PTR SS:[EBP-0x35],0x0
MOV ECX,DWORD PTR SS:[EBP-0x30]
MOV DWORD PTR SS:[EBP-0x3C],ECX
MOV EAX,DWORD PTR SS:[EBP-0x3C]
CMP EAX,DWORD PTR SS:[EBP+0x8]
JGE L088
L017:
MOV EAX,DWORD PTR SS:[EBP-0x4]
MOV EDX,DWORD PTR SS:[EBP-0x3C]
MOV DL,BYTE PTR DS:[EDX+EAX]
MOV EAX,DWORD PTR SS:[EBP-0x2C]
CALL eatmyass //0x0401AA3
eatmyass:
//
PUSH EBP
MOV EBP,ESP
ADD ESP,-0x8
MOV BYTE PTR SS:[EBP-0x5],DL
MOV DWORD PTR SS:[EBP-0x4],EAX
MOVSX EAX,BYTE PTR SS:[EBP-0x5]
CMP EAX,0x30
JL L014
MOVSX EDX,BYTE PTR SS:[EBP-0x5]
CMP EDX,0x39
JG L014
MOVSX EAX,BYTE PTR SS:[EBP-0x5]
ADD EAX,-0x29
JMP L021
L014:
MOVSX EDX,BYTE PTR SS:[EBP-0x5]
CMP EDX,0x48
JNZ L019
XOR EAX,EAX
JMP L021
L019:
MOVSX EAX,BYTE PTR SS:[EBP-0x5]
ADD EAX,-0x30
L021:
POP ECX
POP ECX
POP EBP
RETN
//
ADD DWORD PTR SS:[EBP-0x34],EAX
PUSH 0x40000000
PUSH 0x0
FILD DWORD PTR SS:[EBP-0x34]
ADD ESP,-0x8
FSTP QWORD PTR SS:[ESP]
CALL dickandballs //0x0401B56
dickandballs:
//
PUSH EBP
MOV EBP,ESP
LEA ESP,DWORD PTR SS:[EBP-0x4]
FLD QWORD PTR SS:[EBP+0x10]
MOV AX,WORD PTR SS:[EBP+0x16]
SHL AX,0x1
JE 0x0401B9D
CMP AX,0xFFE0
JNB 0x0401B94
FLD QWORD PTR SS:[EBP+0x8]
MOV AX,WORD PTR SS:[EBP+0xE]
SHL AX,0x1
JE 0x0401B9B
CMP AX,0xFFE0
JNB 0x0401B9B
L0155:
FPREM
WAIT
FSTSW WORD PTR SS:[EBP-0x4]
WAIT
MOV AX,WORD PTR SS:[EBP-0x4]
SAHF
JPE L0155
FSTP ST(1)
MOV ESP,EBP
POP EBP
RETN
// ADD ESP,0x10
FCOMP DWORD PTR DS:[0x407B04]
FSTSW AX
SAHF
JNZ L037
IMUL EDX,DWORD PTR SS:[EBP-0x3C]
ADD DWORD PTR SS:[EBP-0x34],EDX
JMP L084
L037:
PUSH 0x40080000
PUSH 0x0
FILD DWORD PTR SS:[EBP-0x34]
ADD ESP,-0x8
FSTP QWORD PTR SS:[ESP]
CALL dickandballs
ADD ESP,0x10
FCOMP DWORD PTR DS:[0x407B04]
FSTSW AX
SAHF
JNZ L051
IMUL EDX,DWORD PTR SS:[EBP-0x3C]
ADD DWORD PTR SS:[EBP-0x34],EDX
JMP L084
L051:
PUSH 0x40100000
PUSH 0x0
FILD DWORD PTR SS:[EBP-0x34]
ADD ESP,-0x8
FSTP QWORD PTR SS:[ESP]
CALL dickandballs
ADD ESP,0x10
FCOMP DWORD PTR DS:[0x407B04]
FSTSW AX
SAHF
JNZ L068
MOV EDX,DWORD PTR SS:[EBP-0x3C]
MOV ECX,EDX
SHL EDX,0x4
SUB EDX,ECX
ADD DWORD PTR SS:[EBP-0x34],EDX
JMP L084
L068:
PUSH 0x40140000
PUSH 0x0
FILD DWORD PTR SS:[EBP-0x34]
ADD ESP,-0x8
FSTP QWORD PTR SS:[ESP]
CALL dickandballs
ADD ESP,0x10
FCOMP DWORD PTR DS:[0x407B04]
FSTSW AX
SAHF
JNZ L084
MOV EDX,DWORD PTR SS:[EBP-0x3C]
MOV ECX,EDX
SHL EDX,0x4
ADD EDX,ECX
ADD DWORD PTR SS:[EBP-0x34],EDX
L084:
INC DWORD PTR SS:[EBP-0x3C]
MOV EAX,DWORD PTR SS:[EBP-0x3C]
CMP EAX,DWORD PTR SS:[EBP+0x8]
JL L017
L088:
ADD DWORD PTR SS:[EBP-0x34],0x7
MOV EDX,DWORD PTR SS:[EBP-0x34]
MOV EAX,DWORD PTR SS:[EBP-0x2C]
CALL omgdicks
omgdicks:
MOV BYTE PTR SS:[EBP-0x35],AL
JMP L099
L094:
SUB DWORD PTR SS:[EBP-0x34],0x23
MOV EDX,DWORD PTR SS:[EBP-0x34]
MOV EAX,DWORD PTR SS:[EBP-0x2C]
CALL omgdicks
MOV BYTE PTR SS:[EBP-0x35],AL
L099:
CMP BYTE PTR SS:[EBP-0x35],0x0
JE L094
XOR EAX,EAX
MOV AL,BYTE PTR SS:[EBP-0x35]
MOV ESP,EBP
POP EBP
RETN 0x4
// MOV BYTE PTR DS:[EDI+0x8],AL
PUSH 0xF
XOR ECX,ECX
MOV EDX,EDI
LEA EAX,DWORD PTR SS:[EBP-0xB0]
CALL gayass
MOV BYTE PTR DS:[EDI+0x10],AL
PUSH 0x17
XOR ECX,ECX
MOV EDX,EDI
LEA EAX,DWORD PTR SS:[EBP-0xB0]
CALL gayass
MOV BYTE PTR DS:[EDI+0x18],AL
MOV ESI,DWORD PTR SS:[EBP+0x8]
MOV DWORD PTR DS:[ESI],0x37415042
MOV BYTE PTR DS:[ESI+0x4],0x2D
MOV BYTE PTR DS:[ESI+0xA],0x2D
MOV BYTE PTR DS:[ESI+0x10],0x2D
MOV BYTE PTR DS:[ESI+0x16],0x2D
MOV BYTE PTR DS:[ESI+0x1C],0x2D
ADD ESI,0x5
XOR ECX,ECX
JMP L053
L044:
MOV AL,BYTE PTR DS:[EDI]
MOV BYTE PTR DS:[ESI],AL
INC EDI
INC ESI
INC ECX
CMP ECX,0x5
JNZ L053
INC ESI
XOR ECX,ECX
L053:
CMP BYTE PTR DS:[EDI],0x0
JNZ L044
MOV EAX,DWORD PTR SS:[EBP+0x8]
POP EDI
POP ESI
POP EBX
CALL MyFunction
}
}void MyFunction(long int one)
{
printf("Serial: %x", one); Sleep(50000);
exit(1);
}
Posted (edited)
_asm
{
PUSH EBP
MOV EBP,ESP
ADD ESP,-0x0B0
// PUSH EBX
PUSH ESI
PUSH EDI
MOV EAX,DWORD PTR SS:[EBP+0xC] MOV ECX, offset one
MOV EBX, offset two
PUSH ECX LEA EAX,DWORD PTR SS:[EBP-0x10]
}
lstrcpy(buf1,EAX VALUE); _asm{ LEA EDI,DWORD PTR SS:[EBP-0xA0]
XOR EBX,EBX
JMP L015
} }

its simple . you can make it better.

bye

Edited by GioTiN
Posted

After looking at the code, have you combined a few different routines into one? You have calls which return to the location they are calling, etc.

Instead of using the names which you have, you could try to give meaningful ones so functions can be defined and understood.

Your particular example is crashing because when it hits lstrcpyA it isnt calling the import thunk, change it to:


CALL DWORD PTR [lstrcpy]

Also, you might want to look at: http://msdn.microsoft.com/en-us/library/h5w10wxs(VS.80).aspx

You can place the asm code within a naked declaration as its own routine:


__declspec (naked) UINT SomeFunction()
{
_asm
{
MOV EAX, 000000FFh;
RET;
}
}

Now you can simply call this routine:


UINT SomeValue;SomeValue = SomeFunction();

HR,

Ghandi

Posted

Indeed if you ret some calls, they return to the function they just executed. Nice and recursive and all but it'll access violate like hell. (second return address)

LEA EAX,DWORD PTR SS:[EBP-0x10]

PUSH EAX

what is in EBP-0x10, it's some stack address which holds some function parameter prolly. But I don't see anything pushed into this function.

Looks like you took the key generation code from an app but neglected to build a proper framework around it. Some ASM fundamentals will help you a lot.

regards,

q.

Posted

Thanks a lot for the replies guys, I really appreciate the assistance, After thoroughly going through the asm block, I found several problem in addition to the things you guys pointed out for me.

I'm often finding myself rushing to get these examples completed so I can force learning ASM into my brain, problem is I find myself being impatient because I'm eager to learn and get up to speed with the rest of the elder reversers here. I honestly don't know where I'd be without these forums.

Thanks again all.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...