#6, 10-13-2012, 01:20 AM
zementmischer (Member; Join Date: Apr 2011; Location: Europe; Posts: 43)

RMS' secrets (a.k.a. challenge-response) are based on comparing the MD4 digest of the license secret to the MD4 digest inside your target. If you are lucky your target is based on the example code provided by SafeNet, which means that the secrets are also stored as plain text inside the executable. But most of the time your target will only contain the MD4 digest of the secrets and not the secrets themselves. In this case it's almost impossible to recover the plain secrets. You should analyze your target for any references to the MD4 algorithm (just search for known constants like 0x67452301, 0xefcdab89, 0x98badcfe and 0x10325476). These constants are used by MD4_init. From here you should be able to determine the MD4_update function. You'll probably find two (or more) MD4_init and MD4_update functions inside your target if the implementation is based on the example. Just make a dummy license with some arbitrary secrets, set a bpx on all MD4_update functions and examine the stack on each hit. If you see anything other than your own secrets then you've found a candidate for a secret - if not, shit happens...
__________________
Real programmers don't comment their code.
If it was hard to write, it should be hard to read.
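The constant search the post describes has a catch it does not mention: the four init values are shared by MD4, MD5 and SHA-1, so a hit on them alone does not prove the binary contains MD4. The following is an added example (not code from the post or from SafeNet) that scans a byte blob for the shared init state in both byte orders and then uses each algorithm's own round constants to tell the three apart; the input blob is constructed here and stands in for a real executable.

```python
import struct

# Initial chaining values shared by MD4, MD5 and SHA-1 (H0..H3): finding these
# only narrows the candidates to those three algorithms.
INIT_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# Per-algorithm constants that separate the candidates. MD4's two round
# constants are a subset of SHA-1's K values, so SHA-1 evidence outranks MD4.
DISCRIMINATORS = {
    "MD4": (0x5A827999, 0x6ED9EBA1),                # round 2 / round 3 additive constants
    "MD5": (0xD76AA478, 0xE8C7B756, 0x242070DB),    # first entries of the sine-derived T table
    "SHA-1": (0xC3D2E1F0, 0x8F1BBCDC, 0xCA62C1D6),  # H4 plus the round 3 / round 4 K values
}

def find_constants(data: bytes, values, endian="<"):
    """Return {value: [offsets]} for every 32-bit constant found packed with `endian`."""
    hits = {}
    for v in values:
        needle = struct.pack(endian + "I", v)
        offsets, start = [], 0
        while (i := data.find(needle, start)) != -1:
            offsets.append(i)
            start = i + 1
        if offsets:
            hits[v] = offsets
    return hits

def classify_hash_usage(data: bytes):
    """Report, per byte order, where the shared init state sits and which algorithm fits."""
    report = {}
    for endian in ("<", ">"):
        init_hits = find_constants(data, INIT_STATE, endian)
        if len(init_hits) < len(INIT_STATE):
            continue  # shared init state incomplete in this byte order: no call
        present = [name for name, consts in DISCRIMINATORS.items()
                   if len(find_constants(data, consts, endian)) == len(consts)]
        if "SHA-1" in present and "MD4" in present:
            present.remove("MD4")  # MD4's constants are explained by the SHA-1 schedule
        report[endian] = {"init_offsets": init_hits,
                          "candidates": present or ["unknown (shared init state only)"]}
    return report

# Constructed stand-in for a binary (assumption: not bytes of any real program):
# NOP filler around x86 `mov reg, imm32` opcodes carrying the constants little-endian.
SAMPLE_MD4_BLOB = (b"\x90" * 16
                   + b"\xb8" + struct.pack("<I", 0x67452301) + b"\xbb" + struct.pack("<I", 0xEFCDAB89)
                   + b"\xb9" + struct.pack("<I", 0x98BADCFE) + b"\xba" + struct.pack("<I", 0x10325476)
                   + b"\x90" * 8 + struct.pack("<II", 0x5A827999, 0x6ED9EBA1) + b"\x90" * 16)

if __name__ == "__main__":
    for endian, info in classify_hash_usage(SAMPLE_MD4_BLOB).items():
        print(f"byte order {endian!r}: candidates={info['candidates']} init at {info['init_offsets']}")
```

On a real file, read it in binary mode and pass the bytes to `classify_hash_usage`; a table-based implementation shows up the same way as immediates because the packed value is identical in both cases.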