XyliBox: File Secure 2.1

Wednesday 24 November 2010

File Secure 2.1

This is not a new rogue, according to S!Ri this one is from 2007.
a crack got just requested.

Ok guys...
First thing is about what you have entered, here:

00532465 |. E8 1621F8FF CALL FilesSec.004B4580
0053246A |. 837D D0 00 CMP DWORD PTR SS:[EBP-30],0
0053246E |. 0F84 8F3E0000 JE FilesSec.00536303

If no email was entered (0), then you take the conditional jump who eject you from the serial verification
If you have entered something we are here:

00532488 |. E8 8B36F8FF CALL FilesSec.004B5B18
0053248D |. 84C0 TEST AL,AL
0053248F |. 0F84 6E3E0000 JE FilesSec.00536303

The procedure check your email format, if it's not correct, then you take the conditional jump who eject you from the serial verification
If you want see some detail:
Check for the arobase (@ = 40 in hex):

004B5C12 |> 807D EE 00 /CMP BYTE PTR SS:[EBP-12],0
004B5C16 |. 74 24 |JE SHORT FilesSec.004B5C3C
004B5C18 |. 8D45 C0 |LEA EAX,DWORD PTR SS:[EBP-40]
004B5C1B |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
004B5C1E |. 8B4D F4 |MOV ECX,DWORD PTR SS:[EBP-C]
004B5C21 |. 8A540A FF |MOV DL,BYTE PTR DS:[EDX+ECX-1]
004B5C25 |. E8 4AF1F4FF |CALL FilesSec.00404D74
004B5C2A |. 8B45 C0 |MOV EAX,DWORD PTR SS:[EBP-40]
004B5C2D |. 8B15 C8A95900 |MOV EDX,DWORD PTR DS:[59A9C8] ; FilesSec.004B4ED4
004B5C33 |. E8 5CF5F4FF |CALL FilesSec.00405194
004B5C38 |. 85C0 |TEST EAX,EAX
004B5C3A |. 7F 04 |JG SHORT FilesSec.004B5C40
004B5C3C |> 33C0 |XOR EAX,EAX
004B5C3E |. EB 02 |JMP SHORT FilesSec.004B5C42
004B5C40 |> B0 01 |MOV AL,1
004B5C42 |> 8845 EE |MOV BYTE PTR SS:[EBP-12],AL
004B5C45 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004B5C48 |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C]
004B5C4B |. 807C10 FF 40 |CMP BYTE PTR DS:[EAX+EDX-1],40
004B5C50 |. 75 03 |JNZ SHORT FilesSec.004B5C55
004B5C52 |. FF45 F0 |INC DWORD PTR SS:[EBP-10]
004B5C55 |> FF45 F4 |INC DWORD PTR SS:[EBP-C]
004B5C58 |. FF4D E4 |DEC DWORD PTR SS:[EBP-1C]
004B5C5B |.^75 B5 \JNZ SHORT FilesSec.004B5C12

Then it check for the dot (. = 2E in hex)

After it check for the country code ("dz,fr,com etc...) located in 59A9C8

And then you return to the code.
After you are here and you continue

00532A2F |> A1 AC065A00 MOV EAX,DWORD PTR DS:[5A06AC]

That will send you after a moment here:

005335AD |. E8 6A6BFFFF CALL FilesSec.0052A11C ; FilesSec.0052A11C

It's a online serial check
But the fakeAV got a bug.. It will register you due to a code failure
The site who check the license doesn't exist anymore, and you will get a positive value
who will register you...
so enter anything and get registered.
just push for register.
When registered, it will enter to a procedure for remember you have registered the product, he use the registry
HKCU\Software\FilesSecure
who retain your key and your email
but finally this is not important..
the important thing is located here, in another procedure:
HKCU\Software\Microsoft\Windows\CurrentVersion\ThemeManager
with a dword 0/1
if the dword is 1 then you have registered the rogue, if 0... not.
so, you can make a regfile:
1. Open Editor
2. Copy that code into your editor:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\FilesSecure]
"key"="Whatever"
"mail"="Whatever"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"SystemID"=dword:00000001

3. Save as "regme.reg"
4. Register that file
5. Restart Files Secure 2.1

The rogue is registered.

XyliBox

Wednesday 24 November 2010

File Secure 2.1

No comments:

Post a Comment