Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   Steganography + Cryptography (http://www.reteam.org/board/forumdisplay.php?f=25)
-   -   License File Protected With SHA1 + RSA (Help Understanding) (http://www.reteam.org/board/showthread.php?t=3085)

Safena 10-22-2010 01:29 PM

License File Protected With SHA1 + RSA (Help Understanding)
Hi
I've got a product that uses the following features as protection:
1. It calls home every 10 days to validate the "License-File" integrity+validity.
2. It uses SHA1 to protect the license text (readable) from tampering.
3. It uses RSA (OpenSSL :confused: ) to protect some text (could be the serial or user info).

I'm willing to keygen this and somehow (using techniques I have in mind) block the home calls while still validating the license file :rolleyes:

I've done some debugging using IDA to get more information about the protection and how it works. I got somewhere and managed to reproduce the "SHA1" hash using the license file that was sent for the trial, so I know how the SHA1 hash is being calculated :D

Still, I have some difficulties understanding how to produce the RSA encrypted string. I know that RSA uses private/public keys to protect information. So what I did was search the internet for some methods/functions used within the victim file (used for licensing) to get a wider picture. These functions are "RSA_new" and "RSA_public_decrypt".

Now the question is: from the length of the given encrypted string, can I tell how many bits the keys would be (if very large I will give up)? And from the given methods (above), wouldn't it be possible to get the decrypted string, so I can tell, at least, what is hidden behind it (the Validate License method should do some validity check, so it should decrypt it, right)?

EDIT: Actually, I was able to determine the length of the encrypted text using SND Reverser tool 1.4, thanx to Loki & PuNkDuDe

PS: While I was investigating the code in IDA, I noticed a constant string being used in the "RSA_new" function; can that be of any help (password/key/something)?

Thanx a lot for any kind of help, hints or tips. I would like some ideas please, I'm not a guru in RCE, but still have some knowledge.

Git 10-23-2010 06:36 AM

Easiest way to fake the call home is to put the address name in your HOSTS file and equate it to 127.0.0.1. It then depends on how it deals with making a connection but getting no answer.

For RSA you need a big number library. There are only 2 or so in common use, so if you make IDA sigs from them you should advance a lot. RSA is very simple math done with very big numbers. Look here : http://en.wikipedia.org/wiki/RSA_encryption

Git

Safena 10-23-2010 10:57 AM

Thanx Git

Quote:

Easiest way to fake the call home is to put the address name in your HOSTS file and equate it to 127.0.0.1. It then depends on how it deals with making a connection but getting no answer.
I know that trick, but the victim app gets updated every now and then, and the app will block you from using it if it cannot call home after 10 days ... that's why I don't want to patch it either, otherwise I have to patch for every update they release!!

Quote:

For RSA you need a big number library. There are only 2 or so in common use, so if you make IDA sigs from them you should advance a lot. RSA is very simple math done with very big numbers.
Using IDA sigs... hhmmm... I haven't tried that, something to try, thanx for the tip m8 ;)

Git 10-23-2010 01:24 PM

If you haven't used IDA sigs, you are in for a nice surprise.

If you don't want to patch it and it needs an answer to run, then you have to write an IP server and emulate the challenge/response that it uses. Could be quite a job. First task would be logging the IP transaction.

Git

Safena 10-24-2010 01:57 PM

Git... it's like you're reading my mind :D, yes, that's what I'm planning to do, but first let me analyse the algorithm.

BTW, IDA sigs are new to me; I struggled a bit trying to find the correct lib file (static COFF version) for VC to be able to use the "pcf" command and then sigmake. Anyway, how many secrets that will reveal, I have to find out ;)

Time for digging the treasure :cool:
