Results 1 to 13 of 13

Thread: A nasty id/pass scheme

  1. #1
    Bitman
    Guest

    Question Reversing ASProtect SKE protection. Was: A nasty id/pass scheme

    Hello everybody,

    I'm in the process of reversing/cracking a nasty regcode protection.
    After a lot of tinkering with OllyDbg I finally found the "attack point".
    The way I got there is interesting in its own self, with lots of SMC and jumps in the middle of instructions, etc, but it's not the subject of this request for help

    To make a long story short (but hopefully comprehensible), the target makes a lot of shuffling around with the username and outputs 7 bytes.
    Then it takes the regcode, which apparently must consist of 25 characters chosen among an alphabet of 32, which makes for a total of 125 bits (25 chars * 5 bits/char); from the regcode a new output sequence of 115 bits is calculated.
    Each output bit is calculated starting from all of the 125 regcode bits and a sequence of 7876 hardcoded bits (the first output bit is always calculated using the same 7876 bits, the second one uses a different sequence of 7876 bits which anyway is fixed and so on... hope this makes sense, in total a fixed sequence of 115*7876=905740 bits that is hardcoded into the program is used).

    Every output bit is calculated as follows:

    out_bit(x) = ( sum_for_i_0_to_7875 of (sequence_bit(x,i)*regcode_seq_bit(i) ) modulus 2

    where i = 0..7875
    sequence_bit(x,i) is the 7876 bits sequence used for the xth bit
    regcode_seq_bit(i) is a sequence of 7876 bits calculated from the regcode as follows:

    regcode_seq_bit(0)=1
    regcode_seq_bit(1..125)=regcode_bit(0..124)
    regcode_seq_bit(126..7875)=a sequence of bits representing the products between the 7750 possible unique pairs of regcode_bits.

    Then, only 42 bits of the shuffled username are compared to the corresponding 42 bits of the out_bit(x) sequence, and the regcode is considered valid if they match.

    The question is: I totally understand the matching algorithm, but HOW DO I GENERATE A VALID REGCODE?

    I'm not very deep into maths/cryptography and the like, but as I understand it I have 42 binary equations with 125 unknowns (i.e. lots of degrees of freedom); the problem is the equations are nonlinear (because of the regcode_bits products) so a simple matrix solver is not viable.
    Is this a standard/known keygen check scheme?
    Is there a known way to generate the regcode?
    I'm going to try with a brute force type of approach but I'm not very optimistic.

    Any idea is greatly appreciated!

    -- Bitman
    Last edited by Bitman; May 20th, 2007 at 11:29. Reason: Clarity
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Hi Bitman.

    Welcome to the board.
    You certainly have spent your time in the algo analysis and I commend you for that.

    Before me spending a lot of time figuring out your scheme interpretation, I suggest you run your program through PEID, using the KANAL crypto analyzer plug-in. Both tools are widely available in the web, plus perhaps also running your program through some other crypto signature finding utilities.

    That way you may answer your own question about this scheme being a known/standard keygen/hashing algorithm already described somewhere else and save yourself quite a bit of time in the research and analysis.

  3. #3
    Bitman
    Guest
    Quote Originally Posted by naides View Post
    Hi Bitman.
    Before me spending a lot of time figuring out your scheme interpretation, I suggest you run your program through PEID, using the KANAL crypto analyzer plug-in. Both tools are widely available in the web, plus perhaps also running your program through some other crypto signature finding utilities.
    Thank you for the tips! I used to do some reversing in the old DOS days but then I lost interest when Windows 95 came along... and now my knowledge of current packers/unpackers/tools is very scarce.

    The program seems to be encrypted using ASProtect SKE 2.1x.
    There seem to be very little if NO information about the keygen algorithm on the Internet.
    I tried a brute force approach (starting from a random key and then changing bits and keeping the changes which satisfy an increasingly larger number of equations) but this approach gets stuck with 30 to 32 equations satisfied out of 42; i.e. it gets stuck on local maxima as I feared.
    Maybe my description seems a little bit complicated but the basic idea is really quite simple! Please try to understand and give me a hand

    Regards
    -- bitman

    P.S.: I've also downloaded ASProtect SKE to reverse its key generator, but I cannot even find the attack point... the usual GetDlg... and Point H approaches don't seem to work... these guys did their homework (or -maybe- I didn't
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    AsProtect by Alexey Solodovnikov.

    The application is protected with a well known packer/encryptor.
    I have heard of no one attacking the name/key checking of any packer.
    Believe me, this guy, Alexey, did his homework.

    The majority of this key validation schema relies on hashing algorithms that cannot easily be reversed.
    Most of the attacks on packed executables consist on allowing the packer itself to unpack the code, for instance before a trial is up, then dumping the code form memory and modifying the resulting file to be runnable again.

    A frontal attack on AsProtect validation routine? may be someone around here may have attempted it. . .

  5. #5
    This tut might have some information on this issue as related to ASProtect. I have not reviewed it however.

    You will find it on tuts4you.com:

    Unpacking | ASProtect 2.xx SKE (Attack on Activation Key)

    Downloads -> Unpacking
    ASProtect SKE provides function CheckKeyDecrypt. It verifies the registration key for all implemented modes and saves it to the external configuration...
    Author: shoooo | Date added: Thursday 07 September 2006 - 05:58:33

    Regards,
    JMI

  6. #6
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Yep, I looked at the contents of the tut. At a superficial first pass, shooo describes operations that are in the same "mood" to the analysis that Bitman has described so far.
    Thank you, JMI for the link.

  7. #7
    Bitman
    Guest
    Thanks JMI for the tutorial.

    The hashing that my target operates on the serial is indeed "in the same mood" as the one described in the tutorial but quite different!

    I can see something very similar to a RC4 hashing done on the username, but I think this is unessential; I could use the username hashing algorithm as a "black box" and take whatever output it gives to match it to the hashing of the serial... unless I wanted to write a "username generator" given a serial

    The hashing done on the serial is not based on a known algorithm (well, not on one that *I* know of), certainly it's not RC4 nor MD5. Are we sure that PEiD identified the packer correctly?

    The key is to solve the set of 42 equations based on the serial's bits.

    Regards
    -- bitman
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    PEID is not perfect. There are other packer Identification tools: RDG Packer Detector for instance. Google for "packer detector" and visit the tools repositories linked below, test your app with several. If they all call it Asprotect, I think the evidence is somewhat better.
    It is also possible for an app to "disguise" itself as a Asprotected, by faking the signature bytes that most packer detectors search for. (There is a thread or two in this board describing those mascaraders.

    However, the fact that you found several characteristics of the hashing algorithm makes me believe that you are indeed working with Asprotect.

    It would not surprise me that Alexey introduced a variety of different validation procedures either for each version or even as a polymorphic-like machine, to prevent the eventuality that once someone defeats THE Asprotect validation algorithm, all Asprotected applications are automatically compromised.

    Finallly, did you try my suggestion to use KANAL, the plugin for PEID, to look for other hash or crypto signatures. There are other tools that do the same function.

  9. #9
    Bitman
    Guest
    Quote Originally Posted by naides View Post
    It would not surprise me that Alexey introduced a variety of different validation procedures either for each version or even as a polymorphic-like machine, to prevent the eventuality that once someone defeats THE Asprotect validation algorithm, all Asprotected applications are automatically compromised.
    Very likely indeed!

    Quote Originally Posted by naides View Post
    Finallly, did you try my suggestion to use KANAL, the plugin for PEID, to look for other hash or crypto signatures. There are other tools that do the same function.
    Kanal added no further info; RDG Packer Detector confirms "ASProtect SKE 2.xx".

    Regards,
    -- bitman
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    chrisgbk
    Guest
    ASProtect uses RSA assymetric encryption for registrations keys; this is well documented. If you are able to break ASProtect and generate keys, that means you are able to derive the private key, and by extension you are also able to break RSA; congratulations, you just solved a hard problem in computing/mathematics! --See edit; possible in some cases due to poor usage.

    This is why all attacks on ASProtect rely on circumventing, rather than generating keys. Even for previous versions, I only know of exactly -one- (private) key generator for an ASProtect protected program in existance, and it exists only because the machine which hosted the key generator (for automated registration via electronic purchase) was compromised, resulting in the private key being found. In which case, again, ASProtect wasn't broken; something else was.

    Edit: I take some of that back; after reading up more on it, it seems that ASProtect uses a poor implementation so that you can recover some of the needed values, and then bruteforce the remaining RSA section since it is only 32 bits, then you are free to generate keys. The tutorial mentioned above goes into this.

    When someone has all the tools at their disposal, but uses them poorly, makes things easy to break.
    Last edited by chrisgbk; June 4th, 2007 at 18:31.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    The entire purpose of the "SKE" version (Short Key Edition) of Asprotect is to have shorter keys than the originally used full-length RSA keys. This means that the entire security of the RSA algorithm isn't used (if RSA is actually used at all for the short keys, contrary to the long ones?).
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  12. #12
    it's been a while since i had a look, but... doesn't asprotect ske use streamsec libraries?

  13. #13
    nah,
    to me it reminds some matrix accumulation of the elliptic curves. I tried to look at, but the snippet you posted might be 'everything'. I'm sure there are things you missed, because by this way it cannot be rebuilt properly. However, it really resembles it could, when I gave it a deeper look.

    However, it is known that you can shorten evaluation of the bit-strings by precalculating -and that's what ASPR looks like to do.

    Have really nor the time nor the will to upack aspr ske dll and try to rebuild the algo -also, I'm pretty sure chunks of it will be polyed
    mmh...
    I had some very good link somewhere on a paper about binary strings, elliptic curves and such -try to google with both, a nice PDF will pop out somewhere.

    edit----
    nice, didnt know about streamsec library... and yeah, they implements ECC over finite (and binary I'am sure about) fields^^
    Last edited by Maximus; June 5th, 2007 at 19:58.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

Similar Threads

  1. # a bomb from McAfee (a nasty one)
    By nezumi-lab in forum Blogs Forum
    Replies: 2
    Last Post: June 7th, 2009, 05:50
  2. Unable to pass exceptin when condition log
    By Teerayoot in forum OllyDbg Support Forums
    Replies: 2
    Last Post: June 16th, 2003, 05:11
  3. Softice breakpoints sometimes leave nasty int 3 !?
    By MrSmith in forum Tools of Our Trade (TOT) Messageboard
    Replies: 7
    Last Post: December 9th, 2001, 06:07
  4. The new MS protection scheme
    By Goat in forum Advanced Reversing and Programming
    Replies: 14
    Last Post: August 31st, 2001, 05:06
  5. A nasty one!?
    By meRlin in forum Advanced Reversing and Programming
    Replies: 17
    Last Post: April 1st, 2001, 04:07

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •