Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > Steganography + Cryptography
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 10-22-2010, 01:29 PM
Safena Safena is offline
Junior Member
 
Join Date: Oct 2010
Posts: 3
Question License File Protected With SHA1 + RSA (Help Understanding)

Hi
I've got a product where it use the following features as a protection:
1. It calls home every 10 days to validate "License-File" integrity+validity.
2. It uses SHA1 to protect license text (readable) from tempering.
3. It uses RSA (openSSL ) to protect some text (could be the serial or user info).

I'm willing to Keygen this and somehow (using techniques in my mind) to block home calls and still validate the license file

I've done some debugging using IDA to get more information about the protection and how it works. I reached somewhere and managed to be able to reproduce "SHA1" hash key using given license file which was sent for trial, so I know how SHA1 hash is being calculated

Still I have some difficulties to understand how to produce the RSA encrypted string. I know that RSA uses some private/public keys to protect information. So what I did was to search the internet for some methods/functions used within the victim file (used for licensing) to get a wider picture. These function are "RSA_new" and "RSA_public_decrypt".

Now the question is from the length of the given encrypted string, can I till what is the number of bits the keys would be (if very large I will give up)? And from the given methods (above) wouldn't be possible to get the decrypted string, so I can tell, at least, what is hidden behind it (the Validate License method should do some validity so it should decrypt it, right)?

EDIT: Actually, I was able to determine the length of the encrypted text using SND Reverser tool 1.4, thanx to Loki & PuNkDuDe

PS: While I was investigating the code in IDA, I noticed some Constant string being used in "RSA_new" function, can that be any help (password/key/something).

Thanx a lot for any kind of help, hints or tips. I would like some ideas please, I'm not a guru in RCE, but still have some knowledge.

Last edited by Safena : 10-24-2010 at 02:09 PM. Reason: Answered one of my questions ;)
Reply With Quote
  #2  
Old 10-23-2010, 06:36 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797
Default

Easiest way to fake the call home is to put the address name in your HOSTS file and equate it to 127.0.0.1. It then depends on how it deals with making a connection but getting no answer.

For RSA you need a big number library. There are only 2 or so in common use, so if you make IDA sigs from them you should advance a lot. RSA is very simple math done with very big numbers. Look here : http://en.wikipedia.org/wiki/RSA_encryption

Git
Reply With Quote
  #3  
Old 10-23-2010, 10:57 AM
Safena Safena is offline
Junior Member
 
Join Date: Oct 2010
Posts: 3
Thumbs up

Thanx Git

Quote:
Easiest way to fake the call home is to put the address name in your HOSTS file and equate it to 127.0.0.1. It then depends on how it deals with making a connection but getting no answer.
I know that trick, but, the victim app get update every now and then, the app will block you from using if it cannot call home after 10 days ... that's why I don't want to patch it either, otherwise I have to patch for every update they release!!

Quote:
For RSA you need a big number library. There are only 2 or so in common use, so if you make IDA sigs from them you should advance a lot. RSA is very simple math done with very big numbers.
Using IDA sigs...hhmmm..I haven't tried that, something to try, thanx for the tip m8
Reply With Quote
  #4  
Old 10-23-2010, 01:24 PM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797
Default

If you haven't used IDA sigs, you are in for a nice surprise.

If you don't want to patch it and it needs an answer to run, then you have to write an IP server and emulate the challenge/response that it uses. Could be quite a job. First task would be logging the IP transaction.

Git
Reply With Quote
  #5  
Old 10-24-2010, 01:57 PM
Safena Safena is offline
Junior Member
 
Join Date: Oct 2010
Posts: 3
Lightbulb

Git...like if you're reading my mind , yes that's what I'm planning to do, but first let me analyse the algorithm.

BTW, IDA sigs are new for me, I straggled a bit trying to find the correct lib file (static COFF version) for VC to be able to use "pcf" command then sigmake. Anyways, how much secrets that will reveal, I've to find out

Time for digging the treasure
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.