stream cipher???


crUsAdEr
March 23rd, 2002, 04:41
Hi folks, I am kinda stuck when trying my hand at crypto stuff, just wanna clarify a few things...

Should this be a stream cipher? Or is this a block cipher?

mov eax, DecryptedArea
mov ecx, key ; taken from serial
mov edx, length
Call Decrypt

This Call Decrypt has something to do with MD5 as I see the whole set of MD5 sine tables in there... has anyone seen this type of cipher before? Using MD5 hash?... I am a bit lost here, also cos of lack of sleep, thus the incoherent typing.... just wondering if this is some kind of standard cipher that I have missed out when reading about general cryptography?

Thanx a lot,

DaKien : I read ur post some time ago that you were willing to share ur collection of crypto source code :>... are you still extending that offer :>>>...??

Sab`
March 23rd, 2002, 08:52
hrm... would be nice to see the code that "decrypt" function contains. Chances are it is a block cipher, haven't seen too many stream ciphers in programs. It's possible an MD5 is used to generate the block cipher keys or anything similar. To spot if it is a block cipher look for some sort of loop until the length of the data has been encrypted, then look for the corresponding encrypted data. Honestly, don't see any reason why there would be a stream cipher in there although who knows what ppl may program. (: More data is needed to tell you what it actually is or what is going on. -Sab

DakienDX
March 23rd, 2002, 09:17
Hello binh81 !

(After four computer crashes while trying to post in the last hour I hope this one works finally. )

First I noticed that there is no EncryptedArea passed to the call. This might mean that it is a stream cipher, since it is not so common in block ciphers. If the length is not a multiple of 08h or 10h, it is probably a stream cipher, unless it's a block cipher using CFB. You wrote Decrypt, but stream ciphers have only a Crypt, since encryption and decryption are the same.

The MD5 function looks a bit strange to me. I would guess it's some code like this
Code:

SerialHash = MD5(Serial)
@1:
SerialHash = MD5(SerialHash)
DecryptedArea[Counter] = DecryptedArea[Counter] XOR SerialHash[Counter And 0Fh]
Inc(Counter)
Dec(Length)
If (Length != 0) Goto @1
But if the DecryptedArea is not initialized and there is no EncryptedArea, I would say it's a normal MD5 function with all three functions (Init, Update, Final) in one, maybe modified.

I still have my cryptographic collection, but I don't know an algorithm working like this. I don't think an algorithm using a 32-bit password is considered secure.

crUsAdEr
March 23rd, 2002, 13:04
Hi guys, thanx for the response :>

Yeah I think it is a block cipher as you all said, I thought it would be a stream cipher as the length varies... but yep I found the loop, it takes a block of 32 bits at a time and performs the decrypt routine...

Sorry Dakien for being unclear, I would like to clarify

mov eax, DecryptedArea ; this is where the data are stored, originally encrypted but decrypted after the call (hope this is clearer)
mov ecx, key ; taken from serial
mov edx, length
Call Decrypt

Alright, here are my findings so far
Call Decrypt :

Call1; Initialise (see later)
Call2;
Call3; This one has the whole MD5 sets of numbers, it also generates the STATIC key (see later)
Call4; Generate Initial Dynamic key (not sure how yet)
end; :>

Okie, here is Call1 :
mov dword ptr [ebx+48h], 67452301h
mov dword ptr [ebx+4Ch], 0EFCDAB89h
mov dword ptr [ebx+50h], 98BADCFEh
mov dword ptr [ebx+54h], 10325476h
mov dword ptr [ebx+58h], 0C3D2E1F0h
mov dword ptr [ebx+5Ch], 76543210h
mov dword ptr [ebx+60h], 0FEDCBA98h
mov dword ptr [ebx+64h], 89ABCDEFh
mov dword ptr [ebx+68h], 1234567h
mov dword ptr [ebx+6Ch], 3C2D1E0Fh
weird, it generates the table of "0123456789ABCDEF..." twice??


I have yet to figure out what Call2 and $ do exactly but they seem to do mainly copying blocks of memory around....

Then the deciphering process is as follows
STATIC key : 10 words long, does not change throughout the whole process

Dynamic key : 8 words long, I am not sure how this is generated yet, but it changes...

It takes a block of 8 words, XORs it with the dynamic key, stores it as the new dynamic key for the next block (data still unchanged yet, only new dynamic key generated)... performs some encryption with the STATIC key (here data is changed)... (am I working on the algo here but I presume it is symmetric??)... then finally the encrypted data is XORed with the original dynamic key and stored back into the data area...

The process goes on until the whole data area is ciphered...

Yeah, this is all for now... any suggestions on what this cipher might be are welcome :>?? And attacking methods?

Dakien : yeah, I am just working on crypto in general and I do have Pascal source code for some of the stuff but I do need some asm source code for common crypto algos.. since you have it... if you don't mind I will drop u an email :>... thanx...

P.S : Dakien, the password length is unknown :>.. might be 32 bits but I think it should be more.. can be anything!!!

P.P.S : sorry for the terminology, I might use the wrong term here and there!!

DakienDX
March 23rd, 2002, 14:38
Hello binh81 !

I thought the Mov ECX, key was the actual key, but now I know you meant Mov ECX, Offset key. Of course this key can have more than 32 bits.

From what you've described so far, I think it's a block cipher in CBC mode.

The problem with block ciphers is that the same input block produces the same output block. So if you have for example a cipher with 64-bit blocks and 100h times 00h (at the end of a section for example), you can see that the 20h blocks of 08h bytes each look the same. This can be used to bruteforce a key, since we've encrypted and decrypted data.

CBC works the following way to prevent this:
1. An IV (InitializingVector) is created. It is a random number as big as the block size (64-bit or 128-bit for example).
2. This vector is stored. (It is needed to decrypt the data later)
3. Take a block of the data and Xor it with the IV.
4. Encrypt this block.
5. Save this block and use it as new IV.
6. Repeat steps 3. to 5. for each block.

The decryption works similarly:
1. Take the IV used for encryption.
2. Take a block of data.
3. Save this block as TempIV.
4. Decrypt this block of data.
5. Xor this block with the IV.
6. Use TempIV as new IV.
7. Repeat steps 2. to 6. for each block.

If one block has errors, not only this block but also the following block will be decrypted wrong.

Now you only need to find out what encryption algorithm is used.

crUsAdEr
March 23rd, 2002, 17:27
Hi Dakien,

Thanx for the info... yeah it is definitely Chained Block Cipher, did search the net for a bit of info on ways to attack this but could not find anything really useful...

Yeah, in the meantime I have located the following.. here is the encryption algo

STATIC key : 4 qwords : K1, K2, K3, K4
Input Data block : 2 qwords : D1, D2

Loop 16 times (decimal) :>
begin
x := D1 * 16 + K3
x := x XOR D1
y := D1 : 32 + K4
y := y XOR x
D2 := D2 - y
x := D2 * 16 + K1
x := x XOR D2
y := D2 : 32 + K2
y := y XOR x
D1 := D1 - y
end;

The dynamic key is generated in a similar way from the static key so I will just need to find the dynamic key... However, I am just looking at the decrypting algo above and trying to reverse it to find the encrypting algo at the moment, bruteforcing 64 bits doesn't seem very fun....

What are the usual ways of attacking CBC??

Dakien : so can I email you :>?? Don't worry, you can say no if inconvenient for you... I'll look around :>

thanx for the info guys,

crUsAdEr
March 23rd, 2002, 19:20
Hmm okie...

Think I have an idea on how to attack this :>... no hint yet please :>

Thanx....

DakienDX
March 23rd, 2002, 20:19
Hello binh81 !

OK, I don't give you a hint with attacking CBC, but I'll give you another.

The algorithm used is TEA, a very short encryption algorithm. It normally uses 32 rounds, but it also works with 16.

I think you don't mean the static key consists of QWords, but of DWords, the same for the input data.

The dynamic key you're talking about is probably the Delta used in TEA. Delta is (sqrt(5)-1)*2^31.

When encrypting, the Delta is added each round to a counter; when decrypting it's subtracted each round from the counter. The counter has the InitValue 0 when encrypting and the InitValue Delta*Rounds when decrypting.

So in this example it should be E3779B90.

The MD5 function is used to hash the password, so that the key passed to the decryption has a length of 128 bit.

You haven't implemented the dynamic key in the pseudo-code you wrote, but you can find sources of TEA everywhere on the net and maybe here too. (SafeDisc+CodeLok)
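
Added example, not code from the thread: TEA with a selectable round count and the decrypt-side counter DakienDX describes (Delta*Rounds, which is E3779B90h for 16 rounds), wrapped in the CBC encrypt and decrypt steps from his earlier CBC post, with all arithmetic masked to 32 bits. The key, IV and message are constructed sample values, and the last function shows the error propagation he mentions (one damaged ciphertext block spoils that block and the next).

```python
MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9  # (sqrt(5)-1)*2^31, the "dynamic key" added to the counter each round

def tea_encrypt_block(v0, v1, key, rounds=32):
    """Encrypt one 64-bit block (two 32-bit words) under a 128-bit key (four words)."""
    k0, k1, k2, k3 = key
    total = 0  # counter starts at 0 when encrypting
    for _ in range(rounds):
        total = (total + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1

def tea_decrypt_block(v0, v1, key, rounds=32):
    """Inverse: counter starts at DELTA*rounds (0xE3779B90 for 16 rounds) and is subtracted."""
    k0, k1, k2, k3 = key
    total = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return v0, v1

def _words(block):  # 8 bytes -> two little-endian 32-bit words
    return int.from_bytes(block[:4], "little"), int.from_bytes(block[4:], "little")

def _bytes(v0, v1):
    return v0.to_bytes(4, "little") + v1.to_bytes(4, "little")

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(data, key, iv, rounds=32):
    """Steps 3-5 of the CBC post: XOR block with IV, encrypt, ciphertext becomes the next IV."""
    assert len(data) % 8 == 0 and len(iv) == 8
    out, prev = bytearray(), iv
    for i in range(0, len(data), 8):
        prev = _bytes(*tea_encrypt_block(*_words(_xor(data[i:i + 8], prev)), key, rounds))
        out += prev
    return bytes(out)

def cbc_decrypt(data, key, iv, rounds=32):
    """Steps 2-6: keep the ciphertext block as TempIV, decrypt, XOR with IV, TempIV becomes IV."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), 8):
        temp_iv = data[i:i + 8]
        out += _xor(_bytes(*tea_decrypt_block(*_words(temp_iv), key, rounds)), prev)
        prev = temp_iv
    return bytes(out)

def blocks_damaged_by_flip(ciphertext, key, iv, block_index, rounds=32):
    """Which plaintext blocks change when one byte of ciphertext block `block_index` is flipped."""
    good = cbc_decrypt(ciphertext, key, iv, rounds)
    damaged = bytearray(ciphertext)
    damaged[block_index * 8] ^= 0x01
    bad = cbc_decrypt(bytes(damaged), key, iv, rounds)
    return [i for i in range(len(ciphertext) // 8) if good[i * 8:i * 8 + 8] != bad[i * 8:i * 8 + 8]]

# Constructed sample values (not from the target program).
SAMPLE_KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
SAMPLE_IV = bytes(range(8))
SAMPLE_MSG = b"block00!block01!block02!block03!"  # four 8-byte blocks

if __name__ == "__main__":
    ct = cbc_encrypt(SAMPLE_MSG, SAMPLE_KEY, SAMPLE_IV, rounds=16)
    assert cbc_decrypt(ct, SAMPLE_KEY, SAMPLE_IV, rounds=16) == SAMPLE_MSG
    print("decrypt counter for 16 rounds: %08X" % ((DELTA * 16) & MASK32))
    print("blocks damaged by a flip in block 1:", blocks_damaged_by_flip(ct, SAMPLE_KEY, SAMPLE_IV, 1, 16))
```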

crUsAdEr
March 23rd, 2002, 23:09
Hi Dakien...

Thanx for the info but I am pretty sure the static key is 4 Qwords.. double that size....

The dynamic key is 2 qwords or 4 dwords....

Shall try it for a while first :>....

Thanx a lot ....

P.S : Yep.. it is TEA alright... hmm okie.. looks hard to break really... chained and uncrippled... ah well.. I'll see how...

Okie, Dakien... any hints are VERY welcome now :>...

DakienDX
March 24th, 2002, 00:04
Hello binh81 !

If it uses really QWords, then it's probably a modified TEA version with a block size of 10h bytes instead of 08h. This could explain the 16 rounds instead of 32.

Then it would use (sqrt(5)-1)*2^63 as Delta. (9E3779B97F4A7C15h in case you're too lazy to calculate it)

The block size is then 10h bytes and everything must be calculated with 64-bit registers (or 2x32-bit).

The MD5 table is generated twice because a 128-bit hash value is not enough any more, 256 bits must be used now (4 QWords) and the author doesn't know how to generate it. So he hashes two times with two equal tables.

So here's my suggestion: Read something about TEA and understand it. It can be easily transferred to a block size of 10h bytes. But remember, it's real cryptography. This makes it very hard to bruteforce it.

BTW, what are you trying to do? If I could check out the target too, I could give more specific answers.

crUsAdEr
March 24th, 2002, 00:32
Hi Dakien,

Yeah.. the target is Advanced Archives Password Recovery 2.0...
unpacking was discussed earlier...

I have located the output format... know that certain places have to be 00 but don't think it is gonna help much here...

Yeah and I am reading about TEA now... gonna be darn hard I think.. but ah well.. worth a try, I have learnt a lot since I started reversing this... :>

Thanx a lot...

mike
March 24th, 2002, 01:18
TEA will be virtually impossible to break; however, the system in which it is used may not be. What is being decrypted?

crUsAdEr
March 24th, 2002, 09:37
Hi Mike,

Its main purpose is to decrypt code I suspect but here is how it works, it decrypts a table of 9C size with the following format

Flag VA, Code to be decrypted offset, length (3 qwords)
(repeat D times)

Then it uses the same routine above to decrypt each section of the code in similar fashion...

That means that the first byte of each qword is always 00, also the length should not be too big so the first dword of length should be also 0000... however this doesn't help much yet as I don't have the exact decrypted table... I am looking for the encrypted area in the code to kind of guess the decrypted table but again, not sure if it helps at all cos we still need to bruteforce to find the key...

That is all for now

crUsAdEr
March 24th, 2002, 20:02
Hi guys, can you help me identify if this is some known hashing?

It uses a different set of constants,
2895b588
173848AA
242070DB
3E423112
0A83F051
4787C62A

yeah, just to name a few.. a search on these numbers yields nothing.. it has 3 procedures, the first one initialises an array of 128 bits "0123456789ABCDEFFEDCBA9876543210" as usual... the result is 128 bits.... I thought it was MD5 but it doesn't seem so... if it is not some known algorithm then maybe I will try to break this... change of tactic :> (TEA seems really secure)

Dakien, have you looked at the program yet? Think I might just attempt to patch and put in some code myself... bruteforcing doesn't seem a feasible option... what a pity when I have had the whole algo laid out on the table.. ah well...

Thanx guys.. do post here if you guys find anything interesting that would help :>...

Ciao,

DakienDX
March 24th, 2002, 20:38
Hello binh81 !

The hash is MD5. Not a modified form, just a different form.
It takes every number bigger than 2^31 as negative, and therefore subtracts the positive value instead of adding the negative value.

You'll notice that NEG(2895B588h)=D76A4A78h. (The same goes for the other values you've given us)

The hash uses Sub EDI,2895B588 instead of Add EDI,D76A4A78. The only thing which has changed is the sign, not the result.

You can't break MD5 in mathematics, only by bruteforcing, which will take many years. The same goes for TEA.
Cryptography is no copy-protection, cryptography is nothing else than cryptography. And this means it can't be broken by IAT rebuilders, tracers or debuggers.
If you've encrypted data you can only decrypt it with the password, not with a patch.
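
Added example, not from the thread: the MD5 round constants regenerated from the sine table as RFC 1321 defines them, plus a helper that maps an immediate seen in a disassembly back to its table entry whether the code uses the usual `add reg, T` form or the `sub reg, NEG(T)` form DakienDX explains. The constants checked are the ones crUsAdEr listed; the instruction strings are constructed.

```python
import math
import re

MASK32 = 0xFFFFFFFF

# RFC 1321: T[i] = floor(2^32 * abs(sin(i + 1))) for i = 0..63, the "sine table" from the thread.
MD5_T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]

def neg32(x):
    """Two's-complement negation modulo 2^32, i.e. what NEG does to a 32-bit register."""
    return (-x) & MASK32

def identify_md5_constant(imm):
    """Map an immediate from a disassembly to the MD5 sine table.

    Returns (index, "add") when imm == T[index] (the usual `add reg, T` form) or
    (index, "sub") when imm == NEG(T[index]) (the `sub reg, NEG(T)` form seen here), else None.
    """
    imm &= MASK32
    for i, t in enumerate(MD5_T):
        if imm == t:
            return i, "add"
        if imm == neg32(t):
            return i, "sub"
    return None

# Matches `sub reg, imm` with a MASM-style hex immediate (optional leading 0 and trailing h).
_SUB_IMM = re.compile(r"^\s*sub\s+(\w+)\s*,\s*0?([0-9A-Fa-f]+)h?\s*$", re.IGNORECASE)

def sub_to_add(instr):
    """Rewrite `sub reg, X` as the equivalent `add reg, NEG(X)`; anything else passes through."""
    m = _SUB_IMM.match(instr)
    if not m:
        return instr
    reg, imm = m.group(1), int(m.group(2), 16)
    return "add %s, %08Xh" % (reg, neg32(imm))

def annotate(listing):
    """Pair each instruction with the MD5 round constant it carries, or None."""
    notes = []
    for instr in listing:
        m = re.search(r"([0-9A-Fa-f]+)h?\s*$", instr)
        notes.append((instr, identify_md5_constant(int(m.group(1), 16)) if m else None))
    return notes

if __name__ == "__main__":
    # Constructed listing using the constants crUsAdEr posted.
    for instr, hit in annotate(["sub edi, 173848AA", "add edi, 242070DB", "mov eax, ecx"]):
        print("%-24s -> %s   (%s)" % (instr, hit, sub_to_add(instr)))
```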

LaptoniC
March 24th, 2002, 21:57
I was working on AudioSphere (tut on tsehp's site) and coded one MD5 bruteforcer. Its MD5 function is well optimized for Pentium CPUs. If you know some bytes from what it expects maybe you can find it.
You can download the md5bruteforcer source code from
hxxp//mrstop.host.sk/files/md5brute.zip

My source code is very messy and it contains more than one MD5 implementation to test their speed. Anyway hope it helps.

crUsAdEr
March 24th, 2002, 22:08
Hi Dakien,

Hee.. think we have the greatest communication skills.. (ok enuff sarcasm) .. just kidding.... nah ah well.. just that I probably never make efforts to make myself clear... I meant make patches to reinstall the program functionalities, not patching the TEA bits :>

Yep.. THANK YOU for your insight... I was probably too scared of MD5's reputation to poke around with it... but I think I have decrypted everything.. the decrypted results look fairly promising as they are almost identical with my conjectured results (aka : flag, offset, size).
I actually spent 1 hr going through the IDA disassembly and located the invalid code section :>

Cheers...
Shall test the decrypted program now... :>

crUsAdEr
March 25th, 2002, 01:20
Thanx Laptonic, downloaded your source code and took a look at it, man you really should at least put some comments in there :>.. guess I am really a newbie at coding in asm... well I'll try to put the comments in myself :>...

Just wanna check with you how fast is this algorithm? Can it really break MD5? (I thought it is unbreakable?) Guess I will have to try Audio Sphere to figure this one out... I can't make sense of the text file as it is in some unknown language...

Dakien : yeah, thanx for pointing me in the right direction... I have got it all done now.. thanx for your prompt response, fly down to the UK and I will buy u a beer :>... (or even TWO if you wish :>)

Regards,

LaptoniC
March 25th, 2002, 02:14
I have added some comments to the code and updated the zip file. I am not a good commenter but it is better than nothing

mike
March 26th, 2002, 03:09
Quote:

Hi Mike,

Its main purpose is to decrypt code I suspect but here is how it works, it decrypts a table of 9C size with the following format

Flag VA, Code to be decrypted offset, length (3 qwords)
(repeat D times)

Then it uses the same routine above to decrypt each section of the code in similar fashion...

That means that the first byte of each qword is always 00, also the length should not be too big so the first dword of length should be also 0000... however this doesn't help much yet as I don't have the exact decrypted table... I am looking for the encrypted area in the code to kind of guess the decrypted table but again, not sure if it helps at all cos we still need to bruteforce to find the key...

That is all for now


Lemme see if I've got this straight:

The program takes a password, MD5 hashes it to get a key, uses TEA to decrypt some code which is later executed. 'zat right?

Do you have a working password? If you do, then it's the same as unpacking, essentially.

If not, then there's probably a password check in there somewhere that you can use with a dictionary. What does the program do when you type in a wrong password?

MD5 is used sometimes on Unix & Linux I think, so there is probably MD5 hashing built into the better cracking programs, but it won't help you much: if you knew the hash, you'd know the key to use! So I only mention it because you could get one w/ source and use that as a basis for coding your own attack. Laptonic's code works just as well for this, I bet.

The password check is either going to be some kind of checksum of the hash or it'll try to use that key to decrypt known plaintext. Follow the code to the point where it branches to pop up the error box & you'll have everything you need for a dictionary attack.

You can't bruteforce MD5, but if you know something about the passwords (like, are they single English words? A big honkin' serial string? What?) you might be able to brute force the space from which the passwords were selected.

Good luck. I'm glad the quality of the threads in this group has improved so much lately!

--mike

crUsAdEr
March 26th, 2002, 16:27
***************************************
Lemme see if I've got this straight:

The program takes a password, MD5 hashes it to get a key, uses TEA to decrypt some code which is later executed. 'zat right?
****************************************

Yep :>


****************************************
Do you have a working password? If you do, then it's the same as unpacking, essentially.
****************************************
Erm no... :>.. I don't have any stolen credit card :>


****************************************
If not, then there's probably a password check in there somewhere that you can use with a dictionary. What does the program do when you type in a wrong password?
****************************************

The program crashed with a nice crash log and a messagebox saying that I should automatically send a message to Elcomsoft :>...


*****************************************
Good luck. I'm glad the quality of the threads in this group has improved so much lately!
*****************************************

Thanx for your reply, albeit a bit late, as Dakien has pointed me in the right direction to find the TEA key hardcoded!!!!!... Hee, you will see more questions from me soon now that I am getting my hands on all this crypto stuff.... kinda exciting...

Regards,

mike
March 26th, 2002, 17:00
Yeah, I kind of expected that. Most often, crypto is used for obscuring data in copy protection schemes, and doesn't actually depend on data that the user enters. So it's more like unpacking than anything else.

Would you be willing to tell how you figured out that the stuff was MD5 and TEA as a postscript to the "finding encryption code" essay I posted?

DakienDX
March 26th, 2002, 18:44
Hello binh81 !

What a great use of cryptography.
Code:

Output("Enter password");
Input(PW);
Hash=MD5(PW);
If (Hash = EC5C65FE1C9DCF80EABAA7516BCC79Ah) then
Decrypt(Offset Data, "HardCodedPW");
Else
Output("Wrong password");
I wouldn't call this cryptography.

foxthree
March 26th, 2002, 20:42
Hi DakienDX/binh81:

First off, I'm following this thread with avid interest. There is a lot of good posting here.

One small question here:

Isn't the method of serial check rather lame? 'cos I've to store the correct hash values (for later comparison) for all possible "correct" serial nos. (I'm referring to this line here
"If (Hash = EC5C65FE1C9DCF80EABAA7516BCC79Ah) then")

Note that no two serial nos can hash to the same MD5 as MD5 by itself is collision-resistant.

How can this be a practically implementable approach?

Signed,
-- FoxThree

PS: BTW, if you were talking w.r.t. the traditional correct-password-decrypts-file-else-error kind of proggie, then just ignore my post

mike
March 26th, 2002, 20:51
Quote:
Isn't the method of serial check rather lame?

Yes. The right way to do it is to take the hash, use it as a key, and decrypt some known plaintext. If you want it to be hard to break, use salt to prevent building dictionaries of hashes, and have the hash function repeat like 64000 times so it takes forever to brute force.

Of course, none of this prevents someone from getting a valid serial number, decrypting it, and patching the app. That's where stuff like checksumming comes in handy.

Quote:
No two serial nos can hash to the same

If the serial numbers are long enough, then they can. Finding two that do, however, will take about 2^64 work!
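
Added example, not from the thread: the check mike describes (a salted, iterated hash used as the key that must decrypt a known plaintext) next to the stored-hash comparison from DakienDX's pseudo-code. MD5 in counter mode stands in for the cipher layer so the block needs no block cipher, KNOWN_PLAINTEXT is a constructed check value, the 64000 default is taken from the post, and the iterated-MD5 loop is one reading of "have the hash function repeat".

```python
import hashlib
import hmac
import os

KNOWN_PLAINTEXT = b"TEA-KEY-CHECK-OK"  # constructed 16-byte value the program expects to recover

def derive_key(password, salt, iterations):
    """Salted, iterated MD5: the salt defeats precomputed hash dictionaries and the
    iteration count multiplies the cost of each guess.  (Plain iteration is shown because it
    is what the post describes; hashlib.pbkdf2_hmac is the standard choice today.)"""
    h = hashlib.md5(salt + password).digest()
    for _ in range(iterations - 1):
        h = hashlib.md5(h + salt + password).digest()
    return h

def keystream(key, length):
    """MD5 in counter mode, a stand-in for the TEA-CBC layer discussed in the thread."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.md5(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_record(password, iterations=64000, salt=None):
    """What the program stores: salt, work factor and the encrypted known plaintext."""
    salt = os.urandom(8) if salt is None else salt
    key = derive_key(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "check": _xor(KNOWN_PLAINTEXT, keystream(key, len(KNOWN_PLAINTEXT)))}

def verify(password, record):
    """Derive the key from the typed password and see whether it decrypts the known plaintext.
    Nothing in the record or the binary is enough to decrypt without the password."""
    key = derive_key(password, record["salt"], record["iterations"])
    plain = _xor(record["check"], keystream(key, len(record["check"])))
    return hmac.compare_digest(plain, KNOWN_PLAINTEXT)

def weak_check(password, stored_hex_hash):
    """The scheme from DakienDX's pseudo-code: MD5(password) is compared with a stored hash and
    on success the data is decrypted with a key hardcoded in the binary, so the comparison only
    gates access and the real key never depended on the user."""
    return hmac.compare_digest(hashlib.md5(password).hexdigest(), stored_hex_hash)

if __name__ == "__main__":
    record = make_record(b"correct horse")           # constructed sample password
    print("right password:", verify(b"correct horse", record))
    print("wrong password:", verify(b"wrong", record))
```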

DakienDX
March 26th, 2002, 21:13
Hello foxthree !

It might be a bit difficult to detect, but EC5C65FE1C9DCF80EABAA7516BCC79Ah is the MD5 hash value of the string "HardCodedPW".
I wanted to use this example to show that even with strong cryptographic algorithms you can protect nothing if you don't know how to use them.

crUsAdEr
March 26th, 2002, 21:19
Hi Mike,

Well.... sure if you want me to write about it :>.... actually I only identified one MD5 algorithm... I worked out the rest of the crypto algo and our dear trustful Dakien just sat there, shook his leg and told me what algorithm was used :>....

As Dakien pointed out in his post, though it used cryptography, the method it used is overly paranoid thus making it insecure... However it was not that easy for me, as I was disturbed by the slightly different style of MD5 used in the first serial check, and when I compared the first MD5 hash of my second-half serial with the second MD5 hash of my second-half serial (there are 3 MD5 hashes, but forget about the middle hash which takes the whole serial)... so I was not thinking that the first correct hash could be used to decrypt TEA... ah well... was really a worthwhile lesson...

Hi Dakien :>.... well not really, cryptography makes it interesting don't you think, I personally believe in finding a back door rather than bruteforcing, which is real cryptography :>... somehow I find it monotonous and unrewarding, the main objective becomes optimising ur bruteforcer :>... but yeah, I will try to figure out the serial format for this one and attempt a bruteforcer :>..

Thanx guys for the help, Mike, do tell me if u still want me to post my findings on the encryption algo, or u might want input from Dakien instead since he might have a more developed approach...

Cheers,

mike
March 27th, 2002, 19:02
Well, if you want to, go post on that thread. I'm just trying to create resources by having people contribute information as they get it.

crUsAdEr
March 27th, 2002, 23:20
Ok, Mike...

Give me some time cos I am still working on the bruteforcer... when I am done I shall append my notes on this at the end of your thread..

Cheers,