Dsa


AdamA
December 25th, 2001, 07:06
Hi,

Has somebody tried to solve the DLP from Dictation Buddy (www.highcriteria.com)?
They use DSA-160 for serial checking.

merry xmas,
AdamA

goatass
December 25th, 2001, 12:54
Have you tried reversing it? Were you able to locate all the parameters for the DSA algorithm?

goatass

goatass
December 25th, 2001, 18:46
I'm playing with the application now and I located where the real work happens.
First the application takes the username and, using an array of characters, it mangles the username and sends that to the SHA hashing algorithm, and that is used to generate a signature and verify the one you entered.

The p, q, g, and y I found are a bit hard to tell which one is what. The shorter number is "q" since that is a factor of p-1, but I can't tell which of the other numbers is p, g, and y.

Once I can figure out which number is which it wouldn't take too long to solve the DLP.

As a side note, when I put the p, y, or g into tE!'s RSA tool to check its size it shows that it's not 160bit but 90bit, I don't know.

I'm gonna keep playing with it and see where I get to.

Some RVAs to check:

004121AA: call sub_411F10 --> calls everything below
00412062: call sub_411690 --> mangle username
00412071: call sub_410920 --> hash using SHA
00412081: call sub_411D90 --> verify signature
004436D1: jz loc_4437ED --> final flag check, nop out and you will be registered. Still need to find the checks when the application starts up.

goatass

tE!
December 25th, 2001, 19:33
ArthaXerXes:
"DSA-160 should be no problem to forge. Try the p-rho method."

You use pollard-rho to solve a discrete logarithm, not to 'forge'
a signature. If it's possible to forge a signature there's no need
to solve the dedicated mathematical problem of the used
algorithm at all.

For the last version of Dictation Buddy forging a signature was
possible in fact. Now the author understood shit, but nevertheless
updated his routines to check for our previously found 'universal'
serial *g*

tE![TMG]

AdamA
December 26th, 2001, 07:08
I found following params:
p=008943f7937bf9f769e6a1e3eb3248ecae1a350fa1
q=00d5f653b008a5314c0021
g=003990903a9d769a588a04adc26fbba81165dc5aef
y=002f5ab7d02eb0ce64d40107c7257846dcbb5bf93a

I tried it with p-rho, but after hours of calculation it ended with x=0

AdamA

tE!
December 26th, 2001, 10:44
ArthaXerXes:

The serial wasn't "AAAAAAAAAAAAAAAAAAAAA" but
4C4E.2622.2222.2222.2222.6626.SEF7.34S7.9XQP.

It has been found by one of our members, who has a bit more
of a clue about crypto than you.

If you would know wtf you're talking about you'd understand
that it is -necessary- to analyze the cryptographic scheme and
even to understand it before it is possible to *forge* a signature
without recovering the private key x.

Poor you if you think using (some probably 'borrowed') pollard
to solve the dlp is more 'l33t' whatsoever. Why is that ? Because
one has to copy/paste the parameters in a piece of source code
and wait some time for the calculations ? Or why ?

And go on labeling things that they meet your needs. Decreases
your reputation, but who gives a shit eh ? Main thing is you put
your ego in some safe place.

Looking forward to see the next great crypto-keygen of you.
Keep on the great work in that buizz, as you did in the past.

(lol)

tE!
December 26th, 2001, 11:01
Oh, and for those of you reading this thread who really want
to solve this dlp...index calculus might work well in this case...

goatass
December 26th, 2001, 15:00
tE! and ArthaXerXes, you're both skilled guys and good people, this aggressiveness towards each other is not necessary and the least constructive. Both AdamA and myself are trying to learn, we could use both your help and knowledge. I'm sure that goes for others that are reading this forum.

It is easy for you to say, "just solve the DLP" or "forging the signature is easy" but for us less knowledgeable individuals about crypto it would be highly appreciated if you could provide us with some explanation on how certain things are done.

ArthaXerXes: I also think that the numbers AdamA and I saw in the disassembly are incorrect because Q is supposed to be a factor of P-1 and it's not, and P is not even a real prime. Maybe I'm missing something but when I tried solving the DLP it took a couple hours and I got 0 at the end as well.

tE! mentioned using the index-calculus to try and solve it so I'm playing with it now to see if I can figure out how to do it.


goatass

goatass
December 26th, 2001, 15:38
ArthaXerXes, yes you are right "p" is the prime but what I was saying is that the P that we found = 008943f7937bf9f769e6a1e3eb3248ecae1a350fa1
fails the primality test, therefore is either a badly chosen prime by the author or is not the correct prime used in the DSA calculations in the program.

I'll give your routine a shot and see what I get.

goatass

tE!
December 26th, 2001, 16:45
Oh, well. I've always been more or less aggressive. Guess what,
sometimes more, sometimes less :> Be lucky you don't have to
suffer me in real life. Hehe.

goatass: According to primality tests using trial division by small
primes and 90 iterations of Miller Rabin, the p you posted -is-
prime.

For your approach to solve things (also for the miracl/index.cpp
based source arthaxerxes posted)... check your 'long iter;'
parameter...i fear there will be an overflow error in your routines
which will end up in trash (after some hours of waiting)...

goatass, am i right you tried to solve this dlp using miracl/index.c
based source code ? you should get that x=0 result then after
approx. 11h (depending on your machine's speed o'course). if
you just going to extend range of "iter", i wish you all good luck
and lots of time...Hint: i wouldn't try this approach on a windows
machine, since it will most likely crash before you see any result

If anyone has a -good- implementation of index-calculus with a
fast relations finder, please contact me. I offer a fullblown 'Hello
World'-application in VB for exchange :P

goatass
December 26th, 2001, 17:03
tE! you are correct in every one of the assumptions you made

Ok so how do we go about solving this thing when solving the DLP is not a good approach and I can't seem to find any good index-calculus implementation?

Would forging the signature be feasible here?

p.s. see your response to my post was nice and non-aggressive, I knew you could do it


goatass

goatass
January 13th, 2002, 12:37
So AdamA did you ever manage to make a keygen or something for this application?

goatass

AdamA
January 14th, 2002, 04:52
Hi goatass,

It's not possible to write a keygen without the private key.
But you can try to keygen Total Recorder, it is DSA-80, not as hard as Dictation Buddy.

AdamA
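
Added example, not part of any post in the thread: a defender-side audit of DSA domain parameters, covering the checks the posters argue about (primality of p, whether q divides p-1) plus the (L, N) size pairs of FIPS 186-4. The function names are illustrative, and the Miller-Rabin test uses fixed small bases, so for numbers this large it is probabilistic.

```python
# Added example (not from the thread): audit DSA domain parameters against
# the FIPS 186-4 size pairs and the structural relations between p, q, g, y.
FIPS_SIZES = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases (probabilistic for large n)."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def audit_dsa_params(p, q, g, y):
    """Return check name -> bool; every value must be True to accept."""
    return {
        "fips_size": (p.bit_length(), q.bit_length()) in FIPS_SIZES,
        "p_prime": is_probable_prime(p),
        "q_prime": is_probable_prime(q),
        "q_divides_p_minus_1": (p - 1) % q == 0,
        "g_has_order_q": 1 < g < p and pow(g, q, p) == 1,
        "y_in_subgroup": 1 < y < p and pow(y, q, p) == 1,
    }

# Values as posted in the thread (leading 00 bytes dropped).
POSTED = dict(
    p=0x8943f7937bf9f769e6a1e3eb3248ecae1a350fa1,
    q=0xd5f653b008a5314c0021,
    g=0x3990903a9d769a588a04adc26fbba81165dc5aef,
    y=0x2f5ab7d02eb0ce64d40107c7257846dcbb5bf93a,
)

if __name__ == "__main__":
    for name, ok in audit_dsa_params(**POSTED).items():
        print(f"{name:22} {'ok' if ok else 'FAIL'}")
```

The posted p is 160 bits and the posted q is 80 bits, so the size check fails whatever the other checks report.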