iSunshare Password Genius is designed for recovering forgotten passwords from office documents, archives, databases and so on, several dozen formats in total. Recovery works by brute force, mask (pattern) search and dictionary attack. Without registration only passwords of at most 3 characters can be recovered, which is useless in practice. This unfortunate misunderstanding must be fixed.
Download the installer of the top-tier Advanced edition from the official site, install it, and have a look. The main executable is packed with stock UPX without any modifications, so UPX itself unpacks it with the command upx -d PasswordGeniusAdvancedTrial.exe. All further work, including the patching, is done on the unpacked file: bytes patched into the packed image would simply be overwritten by the unpacker at run time. Send the unpacked file to the disassembler for analysis and, while it works, look at the external signs of the trial:
"Trial" in the window title, "Trial version" in the About window, an active Buy button, registration items in the menu. Enter some made-up serial number through the registration menu and you get a message.
By now the disassembler has finished, so we can look for the place where, and under what conditions, this message appears.
.text:00423E9D call sub_424100
.text:00423EA2 lea eax, [esp+1Ch]
.text:00423EA6 push eax
.text:00423EA7 call sub_4037F0
.text:00423EAC mov byte ptr [esp+3Ch], 1
.text:00423EB1 mov eax, [esp+10h]
.text:00423EB5 cmp dword ptr [eax-0Ch], 0
.text:00423EB9 jl short loc_423F1E
.text:00423EBB push offset aIsunsharePas_0 ; ISUNSHARE-PASSWORD-GENIUS-ADVANCED
.text:00423EC0 push eax
.text:00423EC1 call _wcsstr
.text:00423EC6 add esp, 8
.text:00423EC9 test eax, eax
.text:00423ECB jz short loc_423F1E
.text:00423ECD sub eax, [esp+10h]
.text:00423ED1 sar eax, 1
.text:00423ED3 jnz short loc_423F1E
.text:00423ED5 mov ecx, ebx
.text:00423ED7 push ecx
.text:00423ED8 call sub_423540
.text:00423EDD test al, al
.text:00423EDF jz short loc_423F1E
.text:00423EE1 mov edx, ebx
.text:00423EE3 push edx
.text:00423EE4 call sub_4236D0
.text:00423EE9 test al, al
.text:00423EEB jz short loc_423F2C
.text:00423EED call ?AfxGetModuleState
.text:00423EF2 mov eax, [eax+4]
.text:00423EF5 mov esi, [eax+20h]
.text:00423EF8 call sub_40F930
.text:00423EFD push 0
.text:00423EFF push offset aIsunsharePassw ; iSunshare Password Genius Advanced Tria
.text:00423F04 push offset aThankYouForReg ; Thank you for registering!
.text:00423F09 mov ecx, edi
.text:00423F0B call sub_45509E
.text:00423F10 mov eax, [edi]
.text:00423F12 mov edx, [eax+158h]
.text:00423F18 mov ecx, edi
.text:00423F1A call edx
.text:00423F1C jmp short loc_423F3F
.text:00423F1E ; ---------------------------------------------------------------------------
.text:00423F1E loc_423F1E:
.text:00423F1E push 30h
.text:00423F20 push offset aRegistration ; Registration
.text:00423F25 push offset aTheCodeYouVeEn ; The Code you've entered invalid!
.text:00423F2A jmp short loc_423F38
Five conditional jumps, at 00423EB9, 00423ECB, 00423ED3, 00423EDF and 00423EEB, each bypass the "Thank you for registering!" path. The first is a check on the header of the entered string; the next two require wcsstr to find ISUNSHARE-PASSWORD-GENIUS-ADVANCED at offset 0, that is, the code must begin with that prefix (the sub by the string start and sar by 1 convert a wide-character pointer difference into an index); the last two test the results of sub_423540 and sub_4236D0. Each jump is a two-byte short form, so we overwrite all of them with two NOPs apiece. Now any serial number is accepted as valid. But that is not all: the serial number is also checked at startup, and depending on the result the trial restrictions are either applied to the interface or not. We have to find the place where the similar check is performed. The second location is found by cross-referencing sub_423540, which is called from exactly two places.
.text:004234CE mov eax, [esp+1Ch+var_14]
.text:004234D2 cmp [eax-0Ch], ebx
.text:004234D5 jl short loc_4234FD
.text:004234D7 push offset aIsunsharePas_0 ; ISUNSHARE-PASSWORD-GENIUS-ADVANCED
.text:004234DC push eax ; wchar_t *
.text:004234DD call _wcsstr
.text:004234E2 add esp, 8
.text:004234E5 cmp eax, ebx
.text:004234E7 jz short loc_4234FD
.text:004234E9 sub eax, [esp+1Ch+var_14]
.text:004234ED sar eax, 1
.text:004234EF jnz short loc_4234FD
.text:004234F1 lea edx, [esp+1Ch+var_14]
.text:004234F5 push edx ; wchar_t *
.text:004234F6 call sub_423540
.text:004234FB mov bl, al
.text:004234FD loc_4234FD:
.text:004234FD mov [esp+1Ch+var_4], 0FFFFFFFFh
.text:00423505 mov eax, [esp+1Ch+var_14]
Similarly, we NOP the conditional jumps at 004234D5, 004234E7 and 004234EF. But note that here the result of sub_423540 ends up in BL (EBX is zero until then), and as you recall from the previous code it must be non-zero. So open the checking function at 00423540 and put MOV AL,1 followed by RET 4 at its beginning. The RET 4 matters: both call sites push a single argument and do not adjust ESP afterwards (compare the add esp, 8 after _wcsstr), so the callee cleans up its own argument, and a plain RET would leave the stack unbalanced on return. Save the changes.
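As an added worked example (not the author's tool and not anything shipped with the program), here is a Python script that applies the patches described above to the UPX-unpacked executable. It translates each virtual address from the listings into a file offset through the PE section table, verifies that the byte it is about to overwrite really is the expected short-jump opcode (7C for jl, 74 for jz, 75 for jnz), and only then writes the NOPs or the MOV AL,1 / RET 4 stub. So that it runs offline it also builds a constructed minimal PE32 with one .text section and the jumps planted at the page's addresses; the image base 0x400000 and section layout of that sample are assumptions, as is the output file name, and since the page does not show the original prologue bytes of sub_423540 that patch gets no opcode check.

```python
import struct
import sys

# Patch list transcribed from the listings on this page: (virtual address, opcode
# byte expected there, replacement).  Every jump is the 2-byte short form
# (jl = 7C xx, jz = 74 xx, jnz = 75 xx), as the addresses of the following
# instructions confirm, so each one is overwritten with two NOPs (90 90).
NOP2 = b"\x90\x90"
PATCHES = [
    (0x423EB9, b"\x7c", NOP2),   # jl  short loc_423F1E   (registration dialog)
    (0x423ECB, b"\x74", NOP2),   # jz  short loc_423F1E
    (0x423ED3, b"\x75", NOP2),   # jnz short loc_423F1E
    (0x423EDF, b"\x74", NOP2),   # jz  short loc_423F1E
    (0x423EEB, b"\x74", NOP2),   # jz  short loc_423F2C
    (0x4234D5, b"\x7c", NOP2),   # jl  short loc_4234FD   (startup check)
    (0x4234E7, b"\x74", NOP2),   # jz  short loc_4234FD
    (0x4234EF, b"\x75", NOP2),   # jnz short loc_4234FD
    # sub_423540 prologue -> mov al,1 ; ret 4.  The original prologue bytes are
    # not on the page, so no opcode check is possible for this one (assumption).
    (0x423540, b"", b"\xb0\x01\xc2\x04\x00"),
]


def pe_sections(data):
    """Parse PE32 headers; return (image_base, [(vaddr, vsize, rptr, rsize), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found (still UPX-packed, or not a PE?)")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:       # PE32 magic
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        # section header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(data, va):
    """Map a virtual address as shown by the disassembler to an offset in the file."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            if delta >= rsize:
                raise ValueError(f"VA {va:#x} lies in a section's zero-filled tail, not in the file")
            return rptr + delta
    raise ValueError(f"VA {va:#x} is not backed by any section")


def apply_patches(data, patches=PATCHES):
    """Return a patched copy; refuse to write where the bytes do not match expectations."""
    buf = bytearray(data)
    for va, expected, new in patches:
        off = va_to_offset(buf, va)
        found = bytes(buf[off:off + len(expected)])
        if expected and found != expected:
            raise ValueError(f"unexpected byte(s) {found.hex()} at {va:#x}: wrong build, or still packed?")
        buf[off:off + len(new)] = new
    return bytes(buf)


def build_sample_pe(image_base=0x400000, text_rva=0x1000, text_raw=0x400, text_size=0x30000):
    """Constructed minimal PE32 with a single .text section (sample input, not the real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = b".text\0\0\0" + struct.pack("<IIII", text_size, text_rva, text_size, text_raw) + bytes(16)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(text_raw, b"\0")
    img = bytearray(header) + bytearray(text_size)
    for va, expected, _ in PATCHES:        # plant the page's jumps (displacement byte arbitrary)
        if expected:
            off = text_raw + (va - image_base - text_rva)
            img[off:off + 2] = expected + b"\x10"
    return bytes(img)


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(src, "rb").read() if src else build_sample_pe()
    out = apply_patches(data)
    if src:
        open(src + ".patched", "wb").write(out)   # output name is an assumption
    print(f"{len(PATCHES)} patches applied")
```

Run it with the path of the unpacked PasswordGeniusAdvancedTrial.exe as the only argument; with no argument it patches the constructed sample instead. The opcode check is the important part: on the still-packed file, on a different build, or on an image that has already been patched, the expected opcode is not there, the script raises an error and writes nothing, instead of silently corrupting unrelated code.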
Now we can test the result. Open a password-protected archive named TEST.ZIP and get a message that the format is not supported. Rename it to TEST.zip and the program accepts it without any problem. Really?! Case-sensitive extensions? Write a password cracking program and get tripped up by something this basic? It is embarrassing.
That's it: the program recovers passwords without any length limitation, the Buy button is disabled, and nothing extra is shown in the About window. Goal reached. The developer's other programs are cured in exactly the same way.