Mac Protector: Register your copy now! Part 2

A few days ago I published a blog post on reverse engineering the registration routine of a Mac OS X rogue AV. The goal was to see whether the product acted like a legitimate one once registered. It behaved normally and pretended to clean the machine, just like its Windows counterparts. Registering also made it possible to gather intelligence on the technical support behind it. So today I had a look at a newer variant to see whether the registration algorithm had changed.

The serials are no longer stored in plain text, but they are still very easy to recover. Here is how.

The registration function is still the same: __RegEngine_CheckKey__.

Let’s have a look inside it and see what has changed.

In the capture above, one instruction is important: MOV EDX, 55h.
After that, EAX is loaded with a pointer to an ASCII string. Here is _s_port:

The full string is:

So before the call to the __decodestring function, EDX and EAX are both initialized. Now let’s have a look inside this decoding function:

You probably noticed that I highlighted two lines in orange and added one red arrow. The arrow points at the decoding instruction: a simple XOR with an 8-bit key held in CL. Since we are looking at it statically, without a debugger, let’s back-trace to find out what CL actually holds during decoding. This is where the orange highlights are useful. CL is the low 8 bits of the ECX register, so let’s see where ECX gets modified.

The first highlight (we are back-tracing, so the bottom one) shows MOV ECX, EDI, whereas the second one (the top one) shows MOV EDI, EDX. From this we learn that EDX is the register holding the key when we enter the __decodestring function.

If you remember what I mentioned at the start of the post, EDX was holding 0x55. That’s it: we have our decoding key.

Right after the call to the decoding function, we have this:

We learn that the decoded string may contain separators, in this case the “;” character. We now have enough information to decode what seems to be our serial list: XOR every byte with 0x55, then split on “;”. I wrote a very simple Python script to do it:
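The decoding step described above, written out as an added example. This is not the author’s script or any code from the sample; it reproduces the logic recovered from the disassembly (byte-wise XOR with the low 8 bits of the key register, then splitting on “;”). The encoded byte string is constructed for the example and is not the real serial list shipped in Mac Protector.

```python
# Added example: decode an XOR-obfuscated serial blob the way __decodestring
# does (XOR each byte with the low byte of the key register), then split on
# the ';' separator that the caller checks for afterwards.
# The SAMPLE_BLOB below is constructed for this example; it is NOT the real
# serial list from the sample.
from typing import List

KEY = 0x55          # value loaded into EDX before the call (MOV EDX, 55h)
SEPARATOR = b";"    # separator the caller tests right after __decodestring


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the low 8 bits of `key`.

    The loop in the binary uses CL, so only the lowest byte of ECX matters:
    passing 0x155 or 0x55 gives the same result. XOR is its own inverse, so
    the same function also encodes plaintext.
    """
    k = key & 0xFF
    return bytes(b ^ k for b in data)


def extract_serials(blob: bytes, key: int = KEY, sep: bytes = SEPARATOR) -> List[str]:
    """Decode `blob` and return the individual serials.

    Empty fragments are dropped so that a trailing separator does not
    produce a bogus empty serial.
    """
    decoded = xor_decode(blob, key)
    return [part.decode("ascii") for part in decoded.split(sep) if part]


# Constructed sample: the placeholder string "AAAA-0000;BBBB-1111" XORed
# with 0x55. These are dummy serials, not the ones from the rogue AV.
SAMPLE_BLOB = b"\x14\x14\x14\x14xeeeen\x17\x17\x17\x17xdddd"

if __name__ == "__main__":
    # Against the real binary you would paste the bytes of _s_port here.
    for serial in extract_serials(SAMPLE_BLOB):
        print(serial)
```

Masking the key with 0xFF matters when you lift the value from a 32-bit register in the disassembly: whatever the upper bytes of ECX contain, only CL reaches the XOR.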

Once executed, we get this:

As expected, the serials are separated by “;”.

It’s funny to note that these are actually the same serials as in the previous version, even though the way they are stored has changed.

For your convenience, here are the serials you can copy and paste into their fake product:

You can use any of these serials to register the rogue AV and stop the warnings flooding your screen, which is really annoying. Registering it does not remove it, though: once the alerts are silenced, install a legitimate antivirus solution for your Mac and clean the machine properly.
