
Mac Protector: Register your copy now! Part 2

A few days ago I published a blog post on reverse engineering the registration routine of the Mac OS X rogue AV. The goal was to see whether the product behaved like a legitimate one once registered. It did: it pretended to clean the machine, just like its Windows counterpart, and registering also made it possible to gather intelligence on the technical support behind it. So today I had a look at a newer variant to see whether the registration algorithm had changed.

The serials are no longer stored in plain text, but the scheme is still very easy to break. Here is how.

The registration function is still the same: __RegEngine_CheckKey__.

Let’s have a look into it and see how different it is now.

In the capture above, one thing is important to note: MOV EDX, 55h.
After that, EAX receives a pointer to an ASCII string. Here is _s_port:

The full string is:

Before calling the __decodestring function, EDX and EAX are initialised. Now let’s have a look inside this decoding function:

You probably noticed that I highlighted two lines in orange and added one red arrow. The arrow points at the decoding instruction: a simple XOR with an 8-bit key held in CL. Since we are looking at this statically, without a debugger, let’s trace backwards to find out what CL actually holds during decoding. This is where the orange highlights are useful. CL is the low 8 bits of the ECX register, so let’s see where ECX is modified.

The first highlight (the bottom one, since we are tracing backwards) shows MOV ECX, EDI, and the second one (the top one) shows MOV EDI, EDX. From this we learn that EDX is the register holding the key when we enter the __decodestring function.

Now remember what I mentioned at the start of the post: EDX was holding 0x55. That’s it, we have our decoding key.

Right after the call to the decoding function, we have this:

We learn that the decoded string may contain separators, in this case the “;” character. We now have enough information to decode what seems to be our serials. I wrote a very simple Python script to decode it:

Once executed, we get this:

As I predicted before, the serials are separated by “;”.
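The decoding step described above, as an added example written for this page (it is not the author’s script, whose listing is only available as a screenshot): XOR each byte of the blob with 0x55, then split the result on “;”. The encoded blob and the serials inside it are constructed placeholders, not Mac Protector’s real serials. The candidate_keys helper goes one step beyond the post and shows how the key could be recovered by brute force, had the MOV EDX, 55h been missed, because a single-byte XOR only has 256 possible keys; check_key mimics what RegEngine_CheckKey has to do with the decoded list.

```python
# Added example (not the author's script): re-implementation of the Mac Protector
# serial decoding described above. The encoded blob is constructed for this demo
# and the serials in it are placeholders, not the real ones.

KEY = 0x55         # the value loaded into EDX before the call to __decodestring
SEPARATOR = b";"   # the separator tested right after the decoding call

# Characters a serial is expected to consist of (letters, digits, '-') plus the
# separator; used only by the brute-force helper below.
SERIAL_ALPHABET = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-;"
)


def xor_decode(blob: bytes, key: int) -> bytes:
    """XOR every byte with the single-byte key held in CL by the decoding loop.

    XOR is its own inverse, so the same function also encodes.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte (it lives in CL)")
    return bytes(b ^ key for b in blob)


def split_serials(decoded: bytes) -> list:
    """Split the decoded string on ';', dropping empty pieces such as a trailing one."""
    return [piece.decode("ascii") for piece in decoded.split(SEPARATOR) if piece]


def decode_serials(blob: bytes, key: int = KEY) -> list:
    """Full pipeline: decode with the recovered key, then split on the separator."""
    return split_serials(xor_decode(blob, key))


def check_key(user_key: str, blob: bytes, key: int = KEY) -> bool:
    """Mimic RegEngine_CheckKey: the entered key must match one of the decoded serials."""
    return user_key.strip() in decode_serials(blob, key)


def candidate_keys(blob: bytes) -> list:
    """Recover the key by brute force if the MOV EDX, 55h had been missed.

    A single-byte XOR has only 256 keys; keep those whose output lies entirely
    in the serial alphabet and contains at least one separator.
    """
    found = []
    for k in range(256):
        plain = xor_decode(blob, k)
        if all(c in SERIAL_ALPHABET for c in plain) and SEPARATOR in plain:
            found.append(k)
    return found


# Constructed sample: placeholder serials, joined with ';' and XORed with 0x55.
PLACEHOLDER_SERIALS = ["AAAA-1111-BBBB-2222", "CCCC-3333-DDDD-4444", "EEEE-5555-FFFF-6666"]
ENCODED_BLOB = xor_decode(";".join(PLACEHOLDER_SERIALS).encode("ascii"), KEY)


if __name__ == "__main__":
    print("encoded blob:", ENCODED_BLOB.hex())
    for serial in decode_serials(ENCODED_BLOB):
        print("serial      :", serial)
    print("brute-forced key(s):", [hex(k) for k in candidate_keys(ENCODED_BLOB)])
    print("check_key('CCCC-3333-DDDD-4444') ->", check_key("CCCC-3333-DDDD-4444", ENCODED_BLOB))
```

The brute-force filter is deliberately tighter than “printable ASCII”: with only printable ASCII as the criterion, several wrong keys also survive on this input, whereas restricting the output to the serial alphabet and requiring at least one “;” leaves only 0x55. Against a real blob, the filter should be adjusted to whatever alphabet the serials are observed to use.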

It is funny to note that the serials are actually the same as in the previous version, even though the algorithm changed.

For your convenience, here are the serials you can copy paste into their Fake Product:

You can use any of these serials to register the rogue AV in order to stop the warnings flooding your screen, which is really annoying. Once this is done, you are free to install an anti-virus solution for your Mac and clean it properly.
