I am going to analyze a FakeAV sample (thanks to MDL), md5: 5493bb325f4b3a1cc6efab226d1c4600. This analysis focuses on how to spot the serial checking algorithm and retrieve a valid serial.
So we have to locate the routine that checks the serial provided and figure out how to craft a valid serial. Since the sample is packed with a custom packer, we have two options. The first is to get rid of the packer (maybe I will write about it in the near future) and then work on the unpacked sample. The second is to get infected (use a Virtual Machine!) and then attach the debugger to the running process in memory :]
Once you have chosen your way, we have to find out how to locate the serial checking function. We know that we have to enter a string that will be read by the serial checking routine, so what about setting a breakpoint on the serial string to trap the access to it?
Once you have set your breakpoint (@0x507288), we can resume the process and then press the “Activate Now” button; after a few msec you will reach the following code:
As we can see from the code above, we have a function that takes two parameters in registers, EAX and ESI: EAX points to the serial we provided, while ESI points to a hardcoded string. If we take a closer look at the location pointed to by ESI, we can get the “hardcoded serial” we are looking for:
So in order to activate the FakeAV, we have to provide a serial that matches the hardcoded one, so our serial must be: 1145-17884799-7733. Finally, here is the proof that our serial works:
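Because the check above is a plain comparison against a constant, that constant has to live somewhere in the unpacked image or in process memory, which is why the breakpoint lands on it so quickly. The same observation gives a triage shortcut that does not need the debugger: sweep the dump for strings shaped like the recovered serial. The script below is an added example written for this post, not code from the sample or from the original analysis. It assumes the pattern "4 digits-8 digits-4 digits" (generalized from the one serial on this page) and, going beyond what the post shows, also looks for the UTF-16LE encoding that Windows GUI code commonly uses; the memory dump it scans is constructed inline so the script runs offline.

```python
import re
from typing import List, Tuple

# Constructed sample "memory dump": filler bytes around an ASCII copy of the
# serial and a UTF-16LE (wide) copy of it. The serial value is the one
# recovered in the post; the surrounding layout is invented for this example.
SERIAL = "1145-17884799-7733"
SERIAL_ASCII = SERIAL.encode("ascii")
SERIAL_WIDE = SERIAL.encode("utf-16-le")
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Activate Now\x00"        # the button label sits near the serial here
    + SERIAL_ASCII + b"\x00"
    + b"\x90" * 8
    + SERIAL_WIDE + b"\x00\x00"
    + b"\xff" * 16
)

# Assumed serial shape: 4 digits, dash, 8 digits, dash, 4 digits.
ASCII_PATTERN = re.compile(rb"\d{4}-\d{8}-\d{4}")
# Same shape in UTF-16LE: every ASCII character is followed by a zero byte.
WIDE_PATTERN = re.compile(
    rb"(?:[0-9]\x00){4}-\x00(?:[0-9]\x00){8}-\x00(?:[0-9]\x00){4}"
)


def find_serial_candidates(image: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, value) for every serial-shaped string in image.

    Hits are sorted by offset so ASCII and wide copies of the same value
    appear in the order they occur in the dump.
    """
    hits: List[Tuple[int, str, str]] = []
    for m in ASCII_PATTERN.finditer(image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_PATTERN.finditer(image):
        hits.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    hits.sort(key=lambda h: h[0])
    return hits


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan an unpacked binary or a process memory dump on disk."""
    with open(path, "rb") as f:
        return find_serial_candidates(f.read())


if __name__ == "__main__":
    for offset, encoding, value in find_serial_candidates(SAMPLE_DUMP):
        print(f"0x{offset:08x}  {encoding:10}  {value}")
```

Run it against the dump you took after the packer has finished (the process memory from the second option above is fine); every hit is a candidate the debugger breakpoint would otherwise have led you to, and the offset tells you where ESI was pointing.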
That’s all. Let me know your comments, so I can decide if I take a look at other samples ;]
I hope you have enjoyed the reading.
See you soon!