Home Reversing Rogues #2 - AntispyBoss - [basic md5]

Reversing Rogues #2 - AntispyBoss - [basic md5]

Antispyboss, a well-known relic of the digital past. In classic rogue fashion, Antispyboss users are treated to a parade of counterfeit infections, each more imaginary than the last. AND for a modest registration fee you gain the privilege of parting ways with these virtual specters.

Today, for educational purposes, we’ll craft a keygen for this maleficent artifact and learn a little about how md5 hashing can be used in serial generation.

Virus Total Results

Virus Total Results for Installer

First Run

After installing, a “scan” is performed. The rogue actually writes random files to random locations and then “detects” said files as “threats”. Yeesh. See below.

Proc Mon Showing AntiSpyBoss writing files Process Monitor showing AntiSpyBoss writing fake malware to the hard drive

Shows many fake infections on clean VM box

Shows registration prompt

Shows registration error

Registration Routine

Once the registration routine is found, we notice an interesting string ‘edinichka’ as well as a jump further down that may jump over successful registration message.

Shows the registration routine

Stepping over each instruction, we eventually see that ‘edinichka’ has been appended to our email address. We will step into the following call (call asb32.4A82C8) to see what is going to happen to this new string.

edinichka appended to email address

Entering the call we see some wincrypt functions. Noteably: CryptCreateHash, CryptHashData and CryptGetHashParam Stepping through, it is obvious to see that our newly formed email string is about to be hashed. The algorithm that will be used is MD5 as noted by the ALG_ID of 0x8003. We can follow in dump, the location where the hash will be placed. crypt hash functions

After CryptGetHashParam is called, we can see the hash has been placed the dump location. md5 hash of email+edinichka

We can check that this is indeed an md5 hash by using an online md5 hash generator with our email: ‘abz@def.comedinichka’

online md5 check

After this, the only thing of interest that seems to occur is our hash being converted to upper-case. hash to upper-case

We are returned to the main registration routine where we can see that it appears our inputed serial will be compared with the md5 hash. However, the first 6 chars and the last 10chars have been removed from our md5 hash.

Compare about to occur. First 6 chars and the last 10 chars have been removed from md5

Of course our input serial doesn’t match and we are presented with the error message. Let’s try the md5 hash minus the first 6 chars, last 10 chars and see if it works.

Entering the md5 hash minus first 6 chars

And we are presented with a rather anti-climactic success…

Registration Successful

Coding the Keygen

Our task here is pretty simple:

  1. Get email address
  2. Append the word ‘edinichka’ to email address
  3. Get md5 hash of above
  4. Remove first 6 chars, last 10 chars of md5 hash
  5. Conquer the world
import hashlib

email = str(input('Enter email: ')) # get email from user
email += 'edinichka' # append 'edinichka''

m = hashlib.md5(email.encode('utf-8')).hexdigest() # md5 hash
m = m[6:22].upper() # take chars from index 6 to 21

print(f'Serial: {m}')
This post is licensed under CC BY 4.0 by the author.