A few days ago I published a blog post regarding the reverse engineering of the Mac OSX Rogue AV registration routine. The goal was to see if the product was acting like a legitimate one once registered. The product behaved normally, and pretended to clean the machine like their windows counterpart. It was also possible to gather intelligence on the technical support once registered.
So today, I had a look at a newer variant to see whether the registration algorithm was similar or not.
The serials are no longer in plain text, but it’s still very easy to break. Here is how.
The registration function is still the same: __RegEngine_CheckKey__.
Let’s have a look into it and see how different it is now.
On the capture above, there is one thing to note that is important. MOV EDX, 55h. After that, EAX gets a pointer to some ascii string. Here is _s_port:
The full string is:
Before calling the __decodestring function, EDX and EAX are initialized; now let’s have a look inside this decoding function:
You probably noticed I highlighted two lines in orange, and added one red arrow.
The arrow is in front of the decoding instruction, a simple XOR with an 8 bit key placed in CL.Since we are looking at it statically without any debugger, let’s back trace to find out what CL is actually holding during decoding.
This is where the orange highlights are useful. CL is the lower 8 bit of the ECX register, so let’s see where ECX gets modified.
The first highlight (We are back tracing, so the bottom one) shows: MOV ECX, EDI whereas the second one (top one) shows: MOV EDI, EDX.
From this we learn than EDX is actually the register holding the key when we enter the __decodestring function.
Now if you remember what I mentioned at the start of the blog. EDX was holding 0x55.
That’s it. We have our decoding key.
Right after the call to the decoding function, we have this:
We learn that the decoded string may have separators, and in this case, the “;” character. Ok, we now have enough information to decode what seem to be our serials.
I wrote a very simple script in python to decode it:
key = "dmfbxadcaxgldfngebfxgdmgxebganmffaxmlgm[SNIP]" decoded ="" for letters in key: decoded = decoded + chr(ord(letters)^0x55) print "Your serials are: " + decoded
Once executed, we get this:
Your serials are: 1837-4164-2913;2073-2182-0724;8334-8928-9153;6241-9412-3024;4734-1427-9744;7593-5662-8323;9738-3426-1840;3248-2425-5577;5435-2648-4232;1515-8434-7756
As I predicted before, the serials are separated by “;”.
It’s funny to note it’s actually the same serials as in the previous version even though the algorithm changed.
For your convenience, here are the serials you can copy paste into their Fake Product:
1837-4164-2913 2073-2182-0724 8334-8928-9153 6241-9412-3024 4734-1427-9744 7593-5662-8323 9738-3426-1840 3248-2425-5577 5435-2648-4232 1515-8434-7756
You can use any of those serials to register the Rogue AV Product in order to stop the Warnings that get flooded on your screen, which is really annoying. Once this is done, you are free to install an Anti Virus solution for your Mac and clean it properly.