Wednesday, 24 November 2010

File Secure 2.1

This is not a new rogue; according to S!Ri this one dates from 2007.
A crack was just requested.

Ok guys...
The first thing concerns what you have entered in the email field, here:
00532465 |. E8 1621F8FF CALL FilesSec.004B4580
0053246A |. 837D D0 00 CMP DWORD PTR SS:[EBP-30],0
0053246E |. 0F84 8F3E0000 JE FilesSec.00536303

If no email was entered (the value is 0), the conditional jump is taken and throws you out of the serial verification.
If you have entered something, we are here:
00532488 |. E8 8B36F8FF CALL FilesSec.004B5B18
0053248D |. 84C0 TEST AL,AL
0053248F |. 0F84 6E3E0000 JE FilesSec.00536303

This procedure checks your email format; if it is not correct, the conditional jump is taken and throws you out of the serial verification.
If you want to see some detail:
Check for the arobase (@ = 40 in hex):
004B5C12 |> 807D EE 00 /CMP BYTE PTR SS:[EBP-12],0
004B5C16 |. 74 24 |JE SHORT FilesSec.004B5C3C
004B5C18 |. 8D45 C0 |LEA EAX,DWORD PTR SS:[EBP-40]
004B5C1B |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
004B5C1E |. 8B4D F4 |MOV ECX,DWORD PTR SS:[EBP-C]
004B5C21 |. 8A540A FF |MOV DL,BYTE PTR DS:[EDX+ECX-1]
004B5C25 |. E8 4AF1F4FF |CALL FilesSec.00404D74
004B5C2A |. 8B45 C0 |MOV EAX,DWORD PTR SS:[EBP-40]
004B5C2D |. 8B15 C8A95900 |MOV EDX,DWORD PTR DS:[59A9C8] ; FilesSec.004B4ED4
004B5C33 |. E8 5CF5F4FF |CALL FilesSec.00405194
004B5C38 |. 85C0 |TEST EAX,EAX
004B5C3A |. 7F 04 |JG SHORT FilesSec.004B5C40
004B5C3C |> 33C0 |XOR EAX,EAX
004B5C3E |. EB 02 |JMP SHORT FilesSec.004B5C42
004B5C40 |> B0 01 |MOV AL,1
004B5C42 |> 8845 EE |MOV BYTE PTR SS:[EBP-12],AL
004B5C45 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004B5C48 |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C]
004B5C4B |. 807C10 FF 40 |CMP BYTE PTR DS:[EAX+EDX-1],40
004B5C50 |. 75 03 |JNZ SHORT FilesSec.004B5C55
004B5C52 |. FF45 F0 |INC DWORD PTR SS:[EBP-10]
004B5C55 |> FF45 F4 |INC DWORD PTR SS:[EBP-C]
004B5C58 |. FF4D E4 |DEC DWORD PTR SS:[EBP-1C]
004B5C5B |.^75 B5 \JNZ SHORT FilesSec.004B5C12

Then it checks for the dot (. = 2E in hex):
004B5C91 |> FF4D F4 /DEC DWORD PTR SS:[EBP-C]
004B5C94 |> 837D F4 01 CMP DWORD PTR SS:[EBP-C],1
004B5C98 |. 7E 0D |JLE SHORT FilesSec.004B5CA7
004B5C9A |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004B5C9D |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C]
004B5CA0 |. 807C10 FF 2E |CMP BYTE PTR DS:[EAX+EDX-1],2E
004B5CA5 |.^75 EA \JNZ SHORT FilesSec.004B5C91

After that it checks for the country code ("dz", "fr", "com", etc.) in the table located at 59A9C8:
004B5CEA |> 807D ED 00 /CMP BYTE PTR SS:[EBP-13],0
004B5CEE |. 75 23 |JNZ SHORT FilesSec.004B5D13
004B5CF0 |. 8D55 B8 |LEA EDX,DWORD PTR SS:[EBP-48]
004B5CF3 |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]
004B5CF6 |. 8B0485 C8A9590>|MOV EAX,DWORD PTR DS:[EAX*4+59A9C8] ; FilesSec.004B4F44
004B5CFD |. E8 5632F5FF |CALL FilesSec.00408F58
004B5D02 |. 8B45 B8 |MOV EAX,DWORD PTR SS:[EBP-48]
004B5D05 |. 8B55 E8 |MOV EDX,DWORD PTR SS:[EBP-18]
004B5D08 |. E8 8FF2F4FF |CALL FilesSec.00404F9C
004B5D0D |. 74 04 |JE SHORT FilesSec.004B5D13
004B5D0F |. 33C0 |XOR EAX,EAX
004B5D11 |. EB 02 |JMP SHORT FilesSec.004B5D15
004B5D13 |> B0 01 |MOV AL,1
004B5D15 |> 8845 ED |MOV BYTE PTR SS:[EBP-13],AL
004B5D18 |. FF45 F4 |INC DWORD PTR SS:[EBP-C]
004B5D1B |. 817D F4 FF0000>|CMP DWORD PTR SS:[EBP-C],0FF
004B5D22 |.^75 C6 \JNZ SHORT FilesSec.004B5CEA
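
To make the three listings above easier to follow, here is a reconstruction in Python of the format check they describe. This is an added example, not the rogue's code: the table of codes at 59A9C8 is replaced by a small constructed tuple (the post only names "dz", "fr" and "com"), the requirement of exactly one "@" is an assumption (the listing only shows the counter at [EBP-10]), and the result of each stage is reported as a short string so a reader can see which check rejects a given input.

```python
"""Reconstruction (added example, not File Secure's own code) of the e-mail
format check walked through in the disassembly: empty-field check, '@' scan,
backward '.' scan, and suffix lookup in a table of country/top-level codes."""

# Constructed stand-in for the table at 59A9C8; the post names "dz", "fr" and
# "com", the remaining entries are assumptions for the example.
TLD_TABLE = ("com", "net", "org", "dz", "fr", "de", "uk")


def check_email_format(email, tld_table=TLD_TABLE):
    """Return 'ok', or the name of the first stage that rejects the input."""
    # 00532465..0053246E: an empty field (0) skips the whole serial check.
    if not email:
        return "empty"

    # 004B5C12..004B5C5B: walk every byte and compare it with 0x40 ('@'),
    # incrementing the counter at [EBP-10] for each match.
    at_count = 0
    for ch in email:
        if ch == "@":
            at_count += 1
    # Assumption: exactly one '@' is required; the listing shown does not
    # include the comparison on the counter.
    if at_count != 1:
        return "no_at"

    # 004B5C91..004B5CA5: start at the end and step back (DEC [EBP-C]) until
    # the byte is 0x2E ('.'), giving up once the 1-based index is <= 1.
    i = len(email)
    while i > 1 and email[i - 1] != ".":
        i -= 1
    if i <= 1:
        return "no_dot"

    # 004B5CEA..004B5D22: the text after the dot is compared, entry by entry,
    # with the strings of the table (the flag at [EBP-13] records a match).
    suffix = email[i:]
    for entry in tld_table:
        if suffix == entry:
            return "ok"
    return "bad_tld"


if __name__ == "__main__":
    # Constructed sample inputs, one per outcome.
    for sample in ("", "user.example.com", "user@example",
                   "user@example.xyz", "user@example.com"):
        print("%-20r -> %s" % (sample, check_email_format(sample)))
```

Note that, read this way, the check only cares about the characters themselves: nothing in the listings requires the "@" to come before the dot, which is why the reconstruction does not enforce it either.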

And then you return to the calling code.
After that you are here, and you continue:
00532A2F |> A1 AC065A00 MOV EAX,DWORD PTR DS:[5A06AC]

That will, after a moment, send you here:
005335AD |. E8 6A6BFFFF CALL FilesSec.0052A11C ; FilesSec.0052A11C

It is an online serial check.
But the fakeAV has a bug: it will register you because of a code failure.
The site that checks the license does not exist anymore, and you get a positive value
that registers you...
So enter anything and get registered:
just push Register.
When registered, it enters a procedure that remembers you have registered the product; it uses the registry key
HKCU\Software\FilesSecure
which retains your key and your email,
but in the end this is not important..
The important thing is located in another procedure, here:
HKCU\Software\Microsoft\Windows\CurrentVersion\ThemeManager
with a DWORD 0/1:
if the DWORD is 1 then you have registered the rogue; if 0, not.
So you can make a regfile:
1. Open Editor
2. Copy that code into your editor:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\FilesSecure]
"key"="Whatever"
"mail"="Whatever"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"SystemID"=dword:00000001
3. Save as "regme.reg"
4. Register that file
5. Restart Files Secure 2.1

The rogue is registered.
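The two registry locations named above are also what an analyst cleaning a machine would look for: the FilesSecure key is the obvious marker, while the DWORD under the legitimate-looking ThemeManager key is the one the rogue actually consults. The following script is an added example (not from the post and not the rogue's code) that reads both locations under HKCU on Windows and reports what it finds; the assessment logic is kept in a separate function that takes plain values, so it can be exercised on any platform with constructed input. The value name "SystemID" is taken from the post's .reg file.

```python
"""Added example: report the HKCU registry markers the post attributes to
File Secure 2.1. Live reading needs Windows (winreg); assess_markers() is
platform independent."""
import sys

ROGUE_KEY = r"Software\FilesSecure"          # holds "key" and "mail" (from the post)
FLAG_KEY = r"Software\Microsoft\Windows\CurrentVersion\ThemeManager"
FLAG_VALUE = "SystemID"                      # DWORD 0/1, from the post's .reg file


def assess_markers(rogue_values, system_id):
    """Turn raw registry findings into human-readable lines.

    rogue_values: dict of value names -> data under HKCU\\Software\\FilesSecure,
                  or None when the key does not exist.
    system_id:    the ThemeManager\\SystemID DWORD, or None when absent.
    """
    findings = []
    if rogue_values is not None:
        names = ", ".join(sorted(rogue_values)) or "no values"
        findings.append("HKCU\\%s is present (%s)" % (ROGUE_KEY, names))
    if system_id == 1:
        findings.append("HKCU\\%s\\%s = 1: the rogue considers itself registered"
                        % (FLAG_KEY, FLAG_VALUE))
    elif system_id == 0:
        findings.append("HKCU\\%s\\%s = 0: marker present, unregistered state"
                        % (FLAG_KEY, FLAG_VALUE))
    return findings


def read_hkcu_markers():
    """Live read on Windows; returns (rogue_values, system_id) for assess_markers."""
    import winreg

    rogue_values = None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ROGUE_KEY) as key:
            rogue_values = {}
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:        # no more values
                    break
                rogue_values[name] = data
                index += 1
    except OSError:                    # key absent
        pass

    system_id = None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, FLAG_KEY) as key:
            data, kind = winreg.QueryValueEx(key, FLAG_VALUE)
            if kind == winreg.REG_DWORD:
                system_id = data
    except OSError:                    # key or value absent
        pass
    return rogue_values, system_id


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live registry read needs Windows; assess_markers() works anywhere")
    lines = assess_markers(*read_hkcu_markers())
    for line in lines or ["no File Secure 2.1 markers found under HKCU"]:
        print(line)
```

Because ThemeManager is a genuine Windows key, the script only reports the SystemID value itself rather than flagging the key; when removing the rogue it is that value, not just the FilesSecure key, that needs attention, since the post identifies it as the flag the program reads.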
