Extracting symmetric encryption key from a program


batwings21
March 13th, 2012, 00:04
I'm trying to collect the encryption key used to decrypt and then encrypt a small file after it's been altered. The program uses the Microsoft Base Cryptographic Provider and the RC4 algo, and I believe it's a 40-bit key. I have found where the program creates a context, then creates a hash, adds data to the hash and then uses CryptDeriveKey to turn the hash data into the key. My problem is now I don't know how to recover the key. I have not been able to find much data on exactly where the key handles are located for a symmetric key. Any help would be appreciated. I have been using IDA Pro and OllyDbg and am perfectly willing to do my own work if someone would be so kind as to push me in the right direction.

OHPen
March 13th, 2012, 08:27
Hi batwings21,

You already described that you have everything you need. You see which APIs are called in which order, and it should be easy to log the needed parameters for those functions either by debugging or by hooking the corresponding functions. As soon as you have extracted the parameters you are able to write a tiny C program which calls the APIs in exactly the same order. After that you should have a valid cryptographic key which can be passed to msbcp encrypt/decrypt functions.

You are almost done! Simply use your result ;D

Regards,
OHPen.
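Added example, not part of the original thread or either poster's code: a portable Python model of what the call sequence described above (create hash, add data, CryptDeriveKey, then encrypt/decrypt) computes for a 40-bit RC4 key on the Base provider. It assumes the hash object is CALG_MD5, which the thread does not state, and the names `derive_rc4_40_base`, `roundtrip` and the sample input are constructed for illustration.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def derive_rc4_40_base(hashed_data: bytes, no_salt: bool = False) -> bytes:
    """Model of CryptDeriveKey(CALG_RC4, 40-bit) over a hash object.

    Assumption: the hash is CALG_MD5 (the thread does not say which one).
    The 40-bit secret is the first 5 bytes of the digest. Without
    CRYPT_NO_SALT the Base provider appends 11 zero salt bytes, so the
    RC4 key schedule sees 16 bytes of which only 5 are secret.
    """
    secret = hashlib.md5(hashed_data).digest()[:5]
    return secret if no_salt else secret + b"\x00" * 11

def roundtrip(hashed_data: bytes, plaintext: bytes) -> bytes:
    """Encrypt then decrypt with the derived key; returns the plaintext."""
    key = derive_rc4_40_base(hashed_data)
    return rc4(key, rc4(key, plaintext))

if __name__ == "__main__":
    material = b"constructed-sample-input"    # constructed, not from any program
    key = derive_rc4_40_base(material)
    ct = rc4(key, b"small file contents")
    print("session key:", key.hex())
    print("ciphertext :", ct.hex())
    print("decrypted  :", rc4(key, ct))
```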

disavowed
April 7th, 2012, 20:31
This may be helpful: http://www.ngssecure.com/Libraries/Document_Downloads/Exporting_Non-Exportable_RSA_Keys_Whitepaper.sflb.ashx

batwings21
April 17th, 2012, 08:19
Just wanted to thank you both for your replies. I wrote a C program using the same data and was able to decrypt and encrypt the file.