Issue writing keygen in C++ Privlidged Instruction with inline ASM?

April 8, 2010

Hello all,

So I've been bashing my head against a wall for a few hours on this issue and I'm not entirely sure what the problem is.

When I step debug the application, it's breaking on this: CALL lstrcpyA

The Error seems to be changing each time, first time it was array out of bounds, second time it was erroring with "Privileged instruction" I'm just not entirely sure what the issue is.

Anyhow, here's the source.

Can anyone possibly lend a helping hand here?

Thanks !


#include <windows.h>
#include <iostream>
#include <string>using namespace std;void MyFunction(long int one);
char alpha[] = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
char one[] = "STD";
char two[] = "ENR";int m;
int main()
{
        cout << endl << "BPA Keygen by ph0six" << endl << endl;        __asm
        {
			  PUSH EBP
			  MOV EBP,ESP
			  ADD ESP,-0x0B0
			 // PUSH EBX
			  PUSH ESI
			  PUSH EDI
			  MOV EAX,DWORD PTR SS:[EBP+0xC]			  MOV ECX, offset one
			  MOV EBX, offset two
			  PUSH ECX			  LEA EAX,DWORD PTR SS:[EBP-0x10]
			  PUSH EAX
			  CALL lstrcpyA
			  PUSH EBX
			  LEA EAX,DWORD PTR SS:[EBP-0x20]
			  PUSH EAX
			  CALL lstrcpyA
			  LEA EDI,DWORD PTR SS:[EBP-0xA0]
			  XOR EBX,EBX
			  JMP L015
			L011:
			  PUSH 0x04077FD
			  CALL dip****
			dip****:
			  PUSH EBP
			  MOV EBP,ESP
			  ADD ESP,-0x4
			  PUSHAD 
			  MOV ESI,DWORD PTR SS:[EBP+0x8]
			  XOR ECX,ECX
			  JMP L008
			L007:
			  INC ECX
			L008:
			  CMP BYTE PTR DS:[ECX+ESI],0x0
			  JNZ L007
			  CALL asshead			//
			asshead:
			  RDTSC 
			  SHR EAX,0x2
			  ADD EAX,0x1
			  MOV DWORD PTR DS:[0x407B00],EAX
			  RETN
			//			  PUSH EAX
			  CALL dickwad			//
			dickwad:
			  PUSH EBP
			  MOV EBP,ESP
			  PUSH ECX
			  PUSH EDX
			  MOV EAX,DWORD PTR DS:[0x407B00]
			  MOV EDX,0x0
			  MOV ECX,0x1F31D
			  DIV ECX
			  XOR EAX,EDX
			  XOR EDX,EAX
			  XOR EAX,EDX
			  PUSH EDX
			  MOV ECX,0x41A7
			  MUL ECX
			  POP EDX
			  XOR EAX,EDX
			  XOR EDX,EAX
			  XOR EAX,EDX
			  PUSH EDX
			  MOV ECX,0xB14
			  MUL ECX
			  POP EDX
			  SUB EDX,EAX
			  MOV EAX,EDX
			  MOV DWORD PTR DS:[0x407B00],EAX
			  MOV ECX,DWORD PTR SS:[EBP+0x8]
			  MOV EDX,0x0
			  DIV ECX
			  MOV EAX,EDX
			  POP EDX
			  POP ECX
			  LEAVE 
			  RETN 0x4
			//			  MOVZX EAX,AX
			  CDQ 
			  IDIV ECX
			  MOV AL,BYTE PTR DS:[EDX+ESI]
			  MOV BYTE PTR SS:[EBP-0x1],AL
			  POPAD 
			  MOVZX EAX,BYTE PTR SS:[EBP-0x1]
			  LEAVE 
			  RETN 0x4			  MOV BYTE PTR DS:[EBX+EDI],AL
			  INC EBX
			L015:
			  CMP EBX,0x19
			  JNZ L011			  MOV BYTE PTR DS:[EBX+EDI],0x0
			  LEA EAX,DWORD PTR SS:[EBP-0x10]
			  PUSH EAX
			  CALL dip****
			  MOV BYTE PTR DS:[EDI+0xD],AL
			  LEA EAX,DWORD PTR SS:[EBP-0x20]
			  PUSH EAX
			  CALL dip****
			  MOV BYTE PTR DS:[EDI+0x2],AL
			  LEA EAX,DWORD PTR SS:[EBP-0x20]
			  PUSH EAX
			  CALL dip****
			  MOV BYTE PTR DS:[EDI+0xF],AL
			  CMP DWORD PTR SS:[EBP+0xC],0x9
			  JNZ L016
			  MOV BYTE PTR DS:[EDI+0x12],0x37
			L016:
			  PUSH 0x7
			  XOR ECX,ECX
			  MOV EDX,EDI
			  LEA EAX,DWORD PTR SS:[EBP-0xB0]
			  CALL gayass
			//
			gayass:
			  PUSH EBP
			  MOV EBP,ESP
			  ADD ESP,-0x3C
			  MOV DWORD PTR SS:[EBP-0x30],ECX
			  MOV DWORD PTR SS:[EBP-0x4],EDX
			  MOV DWORD PTR SS:[EBP-0x2C],EAX
			  MOV DWORD PTR SS:[EBP-0xC],0x1
			  INC DWORD PTR SS:[EBP-0xC]
			  MOV WORD PTR SS:[EBP-0x18],0x8
			  XOR EDX,EDX
			  MOV DWORD PTR SS:[EBP-0x34],EDX
			  MOV BYTE PTR SS:[EBP-0x35],0x0
			  MOV ECX,DWORD PTR SS:[EBP-0x30]
			  MOV DWORD PTR SS:[EBP-0x3C],ECX
			  MOV EAX,DWORD PTR SS:[EBP-0x3C]
			  CMP EAX,DWORD PTR SS:[EBP+0x8]
			  JGE L088
			L017:
			  MOV EAX,DWORD PTR SS:[EBP-0x4]
			  MOV EDX,DWORD PTR SS:[EBP-0x3C]
			  MOV DL,BYTE PTR DS:[EDX+EAX]
			  MOV EAX,DWORD PTR SS:[EBP-0x2C]
			  CALL eatmyass //0x0401AA3
			eatmyass:
			//
			  PUSH EBP
			  MOV EBP,ESP
			  ADD ESP,-0x8
			  MOV BYTE PTR SS:[EBP-0x5],DL
			  MOV DWORD PTR SS:[EBP-0x4],EAX
			  MOVSX EAX,BYTE PTR SS:[EBP-0x5]
			  CMP EAX,0x30
			  JL L014
			  MOVSX EDX,BYTE PTR SS:[EBP-0x5]
			  CMP EDX,0x39
			  JG L014
			  MOVSX EAX,BYTE PTR SS:[EBP-0x5]
			  ADD EAX,-0x29
			  JMP L021
			L014:
			  MOVSX EDX,BYTE PTR SS:[EBP-0x5]
			  CMP EDX,0x48
			  JNZ L019
			  XOR EAX,EAX
			  JMP L021
			L019:
			  MOVSX EAX,BYTE PTR SS:[EBP-0x5]
			  ADD EAX,-0x30
			L021:
			  POP ECX
			  POP ECX
			  POP EBP
			  RETN 
			//
			  ADD DWORD PTR SS:[EBP-0x34],EAX
			  PUSH 0x40000000
			  PUSH 0x0
			  FILD DWORD PTR SS:[EBP-0x34]
			  ADD ESP,-0x8
			  FSTP QWORD PTR SS:[ESP]
			  CALL dickandballs //0x0401B56
			dickandballs:
			  //
			  PUSH EBP
			  MOV EBP,ESP
			  LEA ESP,DWORD PTR SS:[EBP-0x4]
			  FLD QWORD PTR SS:[EBP+0x10]
			  MOV AX,WORD PTR SS:[EBP+0x16]
			  SHL AX,0x1
			  JE 0x0401B9D
			  CMP AX,0xFFE0
			  JNB 0x0401B94
			  FLD QWORD PTR SS:[EBP+0x8]
			  MOV AX,WORD PTR SS:[EBP+0xE]
			  SHL AX,0x1
			  JE 0x0401B9B
			  CMP AX,0xFFE0
			  JNB 0x0401B9B
			L0155:
			  FPREM 
			  WAIT 
			  FSTSW WORD PTR SS:[EBP-0x4]
			  WAIT 
			  MOV AX,WORD PTR SS:[EBP-0x4]
			  SAHF 
			  JPE L0155
			  FSTP ST(1)
			  MOV ESP,EBP
			  POP EBP
			  RETN 
			  //			  ADD ESP,0x10
			  FCOMP DWORD PTR DS:[0x407B04]
			  FSTSW AX
			  SAHF 
			  JNZ L037
			  IMUL EDX,DWORD PTR SS:[EBP-0x3C]
			  ADD DWORD PTR SS:[EBP-0x34],EDX
			  JMP L084
			L037:
			  PUSH 0x40080000
			  PUSH 0x0
			  FILD DWORD PTR SS:[EBP-0x34]
			  ADD ESP,-0x8
			  FSTP QWORD PTR SS:[ESP]
			  CALL dickandballs
			  ADD ESP,0x10
			  FCOMP DWORD PTR DS:[0x407B04]
			  FSTSW AX
			  SAHF 
			  JNZ L051
			  IMUL EDX,DWORD PTR SS:[EBP-0x3C]
			  ADD DWORD PTR SS:[EBP-0x34],EDX
			  JMP L084
			L051:
			  PUSH 0x40100000
			  PUSH 0x0
			  FILD DWORD PTR SS:[EBP-0x34]
			  ADD ESP,-0x8
			  FSTP QWORD PTR SS:[ESP]
			  CALL dickandballs
			  ADD ESP,0x10
			  FCOMP DWORD PTR DS:[0x407B04]
			  FSTSW AX
			  SAHF 
			  JNZ L068
			  MOV EDX,DWORD PTR SS:[EBP-0x3C]
			  MOV ECX,EDX
			  SHL EDX,0x4
			  SUB EDX,ECX
			  ADD DWORD PTR SS:[EBP-0x34],EDX
			  JMP L084
			L068:
			  PUSH 0x40140000
			  PUSH 0x0
			  FILD DWORD PTR SS:[EBP-0x34]
			  ADD ESP,-0x8
			  FSTP QWORD PTR SS:[ESP]
			  CALL dickandballs
			  ADD ESP,0x10
			  FCOMP DWORD PTR DS:[0x407B04]
			  FSTSW AX
			  SAHF 
			  JNZ L084
			  MOV EDX,DWORD PTR SS:[EBP-0x3C]
			  MOV ECX,EDX
			  SHL EDX,0x4
			  ADD EDX,ECX
			  ADD DWORD PTR SS:[EBP-0x34],EDX
			L084:
			  INC DWORD PTR SS:[EBP-0x3C]
			  MOV EAX,DWORD PTR SS:[EBP-0x3C]
			  CMP EAX,DWORD PTR SS:[EBP+0x8]
			  JL L017
			L088:
			  ADD DWORD PTR SS:[EBP-0x34],0x7
			  MOV EDX,DWORD PTR SS:[EBP-0x34]
			  MOV EAX,DWORD PTR SS:[EBP-0x2C]
			  CALL omgdicks
			omgdicks:
			  MOV BYTE PTR SS:[EBP-0x35],AL
			  JMP L099
			L094:
			  SUB DWORD PTR SS:[EBP-0x34],0x23
			  MOV EDX,DWORD PTR SS:[EBP-0x34]
			  MOV EAX,DWORD PTR SS:[EBP-0x2C]
			  CALL omgdicks
			  MOV BYTE PTR SS:[EBP-0x35],AL
			L099:
			  CMP BYTE PTR SS:[EBP-0x35],0x0
			  JE L094
			  XOR EAX,EAX
			  MOV AL,BYTE PTR SS:[EBP-0x35]
			  MOV ESP,EBP
			  POP EBP
			  RETN 0x4
			//			  MOV BYTE PTR DS:[EDI+0x8],AL
			  PUSH 0xF
			  XOR ECX,ECX
			  MOV EDX,EDI
			  LEA EAX,DWORD PTR SS:[EBP-0xB0]
			  CALL gayass
			  MOV BYTE PTR DS:[EDI+0x10],AL
			  PUSH 0x17
			  XOR ECX,ECX
			  MOV EDX,EDI
			  LEA EAX,DWORD PTR SS:[EBP-0xB0]
			  CALL gayass
			  MOV BYTE PTR DS:[EDI+0x18],AL
			  MOV ESI,DWORD PTR SS:[EBP+0x8]
			  MOV DWORD PTR DS:[ESI],0x37415042
			  MOV BYTE PTR DS:[ESI+0x4],0x2D
			  MOV BYTE PTR DS:[ESI+0xA],0x2D
			  MOV BYTE PTR DS:[ESI+0x10],0x2D
			  MOV BYTE PTR DS:[ESI+0x16],0x2D
			  MOV BYTE PTR DS:[ESI+0x1C],0x2D
			  ADD ESI,0x5
			  XOR ECX,ECX
			  JMP L053
			L044:
			  MOV AL,BYTE PTR DS:[EDI]
			  MOV BYTE PTR DS:[ESI],AL
			  INC EDI
			  INC ESI
			  INC ECX
			  CMP ECX,0x5
			  JNZ L053
			  INC ESI
			  XOR ECX,ECX
			L053:
			  CMP BYTE PTR DS:[EDI],0x0
			  JNZ L044
			  MOV EAX,DWORD PTR SS:[EBP+0x8]
			  POP EDI
			  POP ESI
			  POP EBX
              CALL MyFunction
        }
}void MyFunction(long int one) 
{
        printf("Serial: %x", one);        Sleep(50000);
        exit(1);
}

April 8, 2010

_asm
        {
                          PUSH EBP
                          MOV EBP,ESP
                          ADD ESP,-0x0B0
                         // PUSH EBX
                          PUSH ESI
                          PUSH EDI
                          MOV EAX,DWORD PTR SS:[EBP+0xC]                          MOV ECX, offset one
                          MOV EBX, offset two
                          PUSH ECX                          LEA EAX,DWORD PTR SS:[EBP-0x10]
                         }
                        lstrcpy(buf1,EAX VALUE);                       _asm{                             LEA EDI,DWORD PTR SS:[EBP-0xA0]
                          XOR EBX,EBX
                          JMP L015
                          }                               }

its simple . you can make it better.

bye

Edited April 8, 2010 by GioTiN

April 8, 2010

After looking at the code, have you combined a few different routines into one? You have calls which return to the location they are calling, etc.

Instead of using the names which you have, you could try to give meaningful ones so functions can be defined and understood.

Your particular example is crashing because when it hits lstrcpyA it isnt calling the import thunk, change it to:


CALL DWORD PTR [lstrcpy]

Also, you might want to look at: http://msdn.microsoft.com/en-us/library/h5w10wxs(VS.80).aspx

You can place the asm code within a naked declaration as its own routine:


__declspec (naked) UINT SomeFunction()
{
  _asm
  {
     MOV EAX, 000000FFh;
     RET;
  }
}

Now you can simply call this routine:


UINT SomeValue;SomeValue = SomeFunction();

HR,

Ghandi

April 8, 2010

Indeed if you ret some calls, they return to the function they just executed. Nice and recursive and all but it'll access violate like hell. (second return address)

LEA EAX,DWORD PTR SS:[EBP-0x10]

PUSH EAX

what is in EBP-0x10, it's some stack address which holds some function parameter prolly. But I don't see anything pushed into this function.

Looks like you took the key generation code from an app but neglected to build a proper framework around it. Some ASM fundamentals will help you a lot.

regards,

q.

April 10, 2010

Thanks a lot for the replies guys, I really appreciate the assistance, After thoroughly going through the asm block, I found several problem in addition to the things you guys pointed out for me.

I'm often finding myself rushing to get these examples completed so I can force learning ASM into my brain, problem is I find myself being impatient because I'm eager to learn and get up to speed with the rest of the elder reversers here. I honestly don't know where I'd be without these forums.

Thanks again all.

Sign In

Issue writing keygen in C++ Privlidged Instruction with inline ASM?

Recommended Posts

ph0six

GioTiN

ghandi

quosego

ph0six

Create an account or sign in to comment

Create an account

Sign in

Community

Search