Mac Protector: Register your copy now! Part 2

Nicolas Brulez
Kaspersky Lab Expert
Posted May 16, 16:19  GMT
Tags: Apple MacOS, Non-Windows Malware, Apple

A few days ago I published a blog post on reverse engineering the registration routine of the Mac OS X rogue AV. The goal was to see whether the product behaved like a legitimate one once registered. It did: it pretended to clean the machine, just like its Windows counterpart. Registering also made it possible to gather intelligence on the technical support behind it.

So today, I had a look at a newer variant to see whether the registration algorithm was similar or not.

The serials are no longer in plain text, but it’s still very easy to break. Here is how.

The registration function is still the same: __RegEngine_CheckKey__.

Let’s have a look into it and see how different it is now.

In the capture above, there is one important thing to note: MOV EDX, 55h. After that, EAX gets a pointer to an ASCII string. Here is _s_port:

The full string is:

dmfbxadcaxgldfngebfxgdmgxebganmffaxmlgmxld`fncgadxladgxfeganabfaxdagbxlbaanb
`lfx`ccgxmfgfnlbfmxfagcxdmaenfgamxgag`x``bbn`af`xgcamxagfgnd`d`xmafaxbb`c

Before calling the __decodestring function, EDX and EAX are initialized; now let’s have a look inside this decoding function:

You probably noticed I highlighted two lines in orange, and added one red arrow.

The arrow is in front of the decoding instruction: a simple XOR with an 8-bit key placed in CL. Since we are looking at it statically, without a debugger, let's back-trace to find out what CL actually holds during decoding.

This is where the orange highlights are useful. CL is the lower 8 bits of the ECX register, so let's see where ECX gets modified.

The first highlight (We are back tracing, so the bottom one) shows: MOV ECX, EDI whereas the second one (top one) shows: MOV EDI, EDX.

From this we learn that EDX is actually the register holding the key when we enter the __decodestring function.

Now, if you remember what I mentioned at the start of the post: EDX was holding 0x55.

That’s it. We have our decoding key.

Right after the call to the decoding function, we have this:

We learn that the decoded string may contain separators, in this case the ";" character. We now have enough information to decode what seems to be our serials.

I wrote a very simple script in python to decode it:

key = "dmfbxadcaxgldfngebfxgdmgxebganmffaxmlgm[SNIP]"  # encoded string, truncated here; the full string is quoted above
decoded = ""
for letter in key:
    # XOR each byte with the 8-bit key we found in CL (EDX = 0x55)
    decoded = decoded + chr(ord(letter) ^ 0x55)
print("Your serials are: " + decoded)

Once executed, we get this:

Your serials are: 1837-4164-2913;2073-2182-0724;8334-8928-9153;6241-9412-3024;4734-1427-9744;7593-5662-8323;9738-3426-1840;3248-2425-5577;5435-2648-4232;1515-8434-7756

As I predicted before, the serials are separated by “;”.

It's funny to note that these are the same serials as in the previous version, even though the encoding changed.
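Tracing CL back to EDX is the clean way to get the key, but the same routine can be broken without reading a single instruction, because the plaintext alphabet is tiny (digits, "-" and ";"). The script below is an added example, not the one from the post: it takes the full encoded string quoted above, tries all 256 single-byte XOR keys, keeps only those whose output stays inside that alphabet, and then splits and validates the serials. The function names and the regular expression for the serial format are my own assumptions.

```python
import re

# Encoded serial blob copied from the post (the string the binary hands to
# __decodestring with EDX = 0x55).
ENCODED = (
    "dmfbxadcaxgldfngebfxgdmgxebganmffaxmlgmxld`fncgadxladgxfeganabfaxdagbxlbaanb"
    "`lfx`ccgxmfgfnlbfmxfagcxdmaenfgamxgag`x``bbn`af`xgcamxagfgnd`d`xmafaxbb`c"
)

# Characters a decoded serial list may contain: digits, the dash inside a
# serial, and the ';' separator seen right after the decode call.
PLAINTEXT_ALPHABET = set("0123456789-;")

# Assumed serial layout, taken from the decoded output: NNNN-NNNN-NNNN.
SERIAL_RE = re.compile(r"^\d{4}-\d{4}-\d{4}$")


def xor_decode(data: str, key: int) -> str:
    """Replicate the routine's 'XOR ..., CL' loop: every character is XORed
    with the same 8-bit key."""
    return "".join(chr(ord(c) ^ key) for c in data)


def recover_key(data: str) -> list:
    """Brute-force the 8-bit key instead of back-tracing CL. A key is a
    candidate when every decoded character falls inside the expected alphabet;
    for this blob exactly one key (0x55) survives."""
    return [k for k in range(256) if set(xor_decode(data, k)) <= PLAINTEXT_ALPHABET]


def extract_serials(data: str, key: int) -> list:
    """Decode, split on the ';' separator and keep only well-formed serials."""
    return [s for s in xor_decode(data, key).split(";") if SERIAL_RE.match(s)]


if __name__ == "__main__":
    candidates = recover_key(ENCODED)
    print("candidate keys:", [hex(k) for k in candidates])
    for k in candidates:
        for serial in extract_serials(ENCODED, k):
            print(serial)
```

The alphabet check is what makes the brute force decisive here: with only 12 distinct encoded characters and a 12-character plaintext alphabet, every key other than 0x55 produces at least one character outside the expected set, so the candidate list collapses to a single entry and the ten serials fall out of it.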

For your convenience, here are the serials you can copy-paste into the fake product:

1837-4164-2913
2073-2182-0724
8334-8928-9153
6241-9412-3024
4734-1427-9744
7593-5662-8323
9738-3426-1840
3248-2425-5577
5435-2648-4232
1515-8434-7756

You can use any of these serials to register the rogue AV product and stop the warnings flooding your screen, which are really annoying. Once that is done, you are free to install an antivirus solution for your Mac and clean it properly.
