Recently, I started reverse engineering Anti Virus products to understand AV Engine and also to find new Vulnerability by Fuzzing. So i started looking at various AV products avilable in market. Last Week I came across the antivirus called smadav antivirus for USB Protection, which has maximum of 2-5 dll library & binary. So i thought it would be right product to start with to improve my static analysis skill.
My Goal:
- Reverse Engineer the smadav DLL & binary to understand the AV Engine & Other components
- Fuzz the dll library or other components (GUI) to identify new vulnerability
Approach
Instead of reverse engineering entire product, i thought it would better focus on specific functionality (or) module (dll) wise. So that it would make sense and helpful in understanding the code coverage. Intially, I started with Smadav License Key Registeration Functionality. After analysis the Smadav Binary using IDA Pro, i understood license key validation is done offine
To bypass Smadav Antivirus License Key Registration (Offline), These are the poisible technique
- Breaking the License Key Algorithm (Static Analysis)
- Using Frida, patch the binary at runtime and bypass the key validation (Dynamic Instrumentation)
We will see both of them in below section with demo.
Setup
Tested on: Smadav 2019 Rev. 13.2
OS: Win7 Sp1 x86
Tools Used
- Ghidra
- IDA Free or Pro Version
- Lighthouse (code coverage plugin)
- Frida
1. Breaking the License Key Algorithm
To break the license key algorithm, we need to identify the function call where algorithm is applied on License Key. Using Frida Stalker API, we can follow the thread in a smadav process and identify all function call happened during license key registration from GUI. From the list of function call got from the frida, i was able to identify the function where algorithm is applied.
After reversing the entire function, i was able to rewrite the entire algorithm in python to generate license key for the given name :)
POC Script
KeyGenerator.py [name] [output] will generate the license key from name and save into file
name : choose any name
output: Output file location
Demo:
For the demo, i have choosen the name as re01 and run the script KeyGenerator.py re01 lic.txt. It provide me a list of license key derived from the name. In this case, it gave me 2000 license key for the name re01
To confirm whether generated license key are working. I randomly picked license key from the output file and used it on Smadav. As a result, it was sucessfully registered and free version got converted into Pro version. To know more, check out the demo video below.
Pro:
- Permanent License Key. Even after restart, the license key will work.
2. Using Frida
This was very simple, once i understand the entire license key algorithm and validation check. So i have written a frida poc script which will patch the Smadav at runtime and bypass the license key validation.
Demo:
When the smadav antivirus is running, I attached the frida to smadav process using pid. For this demo, I have choosen the name as demo01 and license key as 000000000000 (12 length) (or) 00000000000000000000 (20 length).
Once i submit the license key from GUI, Frida will patch the license key validation at runtime. As a result, it was sucessfully registered and free version got converted into Pro version. To know more check out the demo video below.
Cons:
- This would work until you exit the smadav antivirus.