des modified algo


LiSa
May 28th, 2003, 06:21
hello crypto reversers,

I am currently reversing a licensing manager system that uses a dongle/token number scheme.

The dongle query gives a 32-bit hostid (rnbosentinelpro static library).
A token (16 hex digits) is asked of the user.
hi, crypto reversers,
I am currently investigating a custom licence manager scheme using an sspro dongle and key (named token) registration,
but I am stuck understanding which algo is used....

In the registration process, the token and hostid are passed through Is_token_valid_sub_404070.
This procedure calls sub_402910, which checks that the hostid/token pair is valid.
In sub_402910:
key1 = set_keys_4028A0(hostid, buffer)
key2 = set_keys_4028A0(81040100, buffer)

hostid is expanded to a 64-bit value and submitted to parity checking, and key1 is returned;
a hardcoded value 81040100 is also expanded the same way, and key2 is returned.

then bool sub_decrypt_and_check_402730(key1, key2, buffer, token) is called.
In this sub, the following are called:

sub_unknown_algo_403DD0(key2, token, 8, switch=1, product name)
operations on the modified token
sub_unknown_algo_403DD0(key1, token, 8, 0, switch=0, productname)
operations on the modified token
return good or bad in esi

Is_token_valid_ and the rnbo functions can easily be patched to enable the whole stuff, but
I want to understand the inner behavior of sub_403DD0. This procedure mainly uses two calls, in
which there are unrolled loops with tons of rounds that look like a custom DES implementation.
Can you have a look at this stuff?

program removed...

LiSa
May 30th, 2003, 03:01
hello,
...Snatch, sorry for posting a prg, I won't do it any more...

My problem is now solved: the decrypt-and-check routine first decrypts at run time the DES S and P tables, which are used later to decrypt the token. By dumping these tables, building a correct xor reverse table, and including this in an rnbo* emulator, a correct token licence generator for the **ilm lic manager is born.

Thanks
LiSa