Thread: Crypto Scheme

  1. #1
    galgal
    Guest

    Crypto Scheme

    Hey,

    I'm working on some project where I need to modify a binary file for some internal debugging. The binary file is verified before being executed and, after doing some reversing, I managed to see that the hash is calculated via SHA1, but there's some sort of signature at the end of the file which is used to verify the hash.

    Unfortunately, FindCrypt (IDA plug-in) and Hash and Crypto Detector couldn't detect the algorithm used. After reversing some of the functions, it seems there are some sort of key-building functions using existing keys.

    A. Is anybody familiar with this code/see it in other programs?
    B. How would you suggest I progress?

    Below is an example of one of the functions

    Code:
    55                         push   ebp
    8B EC                      mov    ebp, esp
    53                         push   ebx
    56                         push   esi
    57                         push   edi
    8B 7D 08                   mov    edi, [ebp+arg_0]
    8B 75 0C                   mov    esi, [ebp+arg_4]
    8B 5D 10                   mov    ebx, [ebp+arg_8]
    33 C9                      xor    ecx, ecx
    8B 06                      mov    eax, [esi]
    F7 E3                      mul    ebx
    03 C1                      add    eax, ecx
    83 D2 00                   adc    edx, 0
    03 07                      add    eax, [edi]
    83 D2 00                   adc    edx, 0
    89 07                      mov    [edi], eax
    8B CA                      mov    ecx, edx
    8B 46 04                   mov    eax, [esi+4]
    F7 E3                      mul    ebx
    03 C1                      add    eax, ecx
    83 D2 00                   adc    edx, 0
    03 47 04                   add    eax, [edi+4]
    83 D2 00                   adc    edx, 0
    89 47 04                   mov    [edi+4], eax
    8B CA                      mov    ecx, edx
    8B 46 08                   mov    eax, [esi+8]
    F7 E3                      mul    ebx
    03 C1                      add    eax, ecx
    83 D2 00                   adc    edx, 0
    03 47 08                   add    eax, [edi+8]
    83 D2 00                   adc    edx, 0
    89 47 08                   mov    [edi+8], eax
    8B CA                      mov    ecx, edx
    8B 46 0C                   mov    eax, [esi+0Ch]
    F7 E3                      mul    ebx
    03 C1                      add    eax, ecx
    83 D2 00                   adc    edx, 0
    03 47 0C                   add    eax, [edi+0Ch]
    83 D2 00                   adc    edx, 0
    89 47 0C                   mov    [edi+0Ch], eax
    8B CA                      mov    ecx, edx
    8B 46 10                   mov    eax, [esi+10h]
    F7 E3                      mul    ebx
    03 C1                      add    eax, ecx
    83 D2 00                   adc    edx, 0
    03 47 10                   add    eax, [edi+10h]
    83 D2 00                   adc    edx, 0
    89 47 10                   mov    [edi+10h], eax
    8B CA                      mov    ecx, edx
    8B 46 14                   mov    eax, [esi+14h]
    F7 E3                      mul    ebx
    03 C1                      add    eax, ecx
    83 D2 00                   adc    edx, 0
    03 47 14                   add    eax, [edi+14h]
    83 D2 00                   adc    edx, 0
    89 47 14                   mov    [edi+14h], eax
    8B CA                      mov    ecx, edx
    8B 46 18                   mov    eax, [esi+18h]
    F7 E3                      mul    ebx
    03 C1                      add    eax, ecx
    83 D2 00                   adc    edx, 0
    03 47 18                   add    eax, [edi+18h]
    83 D2 00                   adc    edx, 0
    89 47 18                   mov    [edi+18h], eax
    8B CA                      mov    ecx, edx
    8B 46 1C                   mov    eax, [esi+1Ch]
    F7 E3                      mul    ebx
    03 C1                      add    eax, ecx
    83 D2 00                   adc    edx, 0
    03 47 1C                   add    eax, [edi+1Ch]
    83 D2 00                   adc    edx, 0
    89 47 1C                   mov    [edi+1Ch], eax
    8B CA                      mov    ecx, edx
    8B 46 20                   mov    eax, [esi+20h]
    
    .....
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    disavowed
    Quote Originally Posted by galgal View Post
    B. How would you suggest to progress?
    Hex-Rays

  3. #3
    galgal
    Guest
    Quote Originally Posted by disavowed View Post
    Hex-Rays
    It indeed helps to understand the code, but it doesn't progress me in generating the correct signature after I modified the file. I already wrote my own 'verifier' to better understand the code and the relationship between variables.

  4. #4
    Seems like part of a bignum routine (so some arithmetic on large integers like in RSA or DH). Just a first impression.

  5. #5
    disavowed
    Given that you're modifying the binary anyway, why not just patch the hash-validation code instead of trying to overwrite the verification-hash data?

  6. #6
    I don't have much idea about it, and I'm not able to follow you from the given function. I tried to discuss this issue with my friend, who is good at these things, but he just went on a tour and will be back next month. I will write back to you once he is back.
    Last edited by neerm; January 29th, 2011 at 14:08.

  7. #7
    Registered User
    Hi,

    Your code looks like:
    edi += esi*ebx
    edi, esi - bignum
    ebx - uint32

    Is the data at the end of the file a digital signature (right click -> properties -> dig.sig.)?

    Does the verifier program use advapi32 crypto functions like CryptVerifySignature (good crypto analyzers like PEiD/KANAL report this)?

    If it's a custom sig then you can patch the keys/constants (like 0x10001 to 0x1) or, as disavowed said, hash-validation code.
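A C reconstruction of the posted routine as this reply reads it (r += a * b over little-endian 32-bit limbs, carry passed in ecx), added here as an example and not code from the thread or from the binary being analysed. The function names bn_mul_add_word, bn_mul and bn_selftest are assumed, and the limb count n is made a parameter because the posted listing is unrolled and cut off; bn_mul shows how a bignum library (RSA, DH) would drive such a primitive for schoolbook multiplication.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Reconstruction of the posted routine with the limb count made a parameter (assumed).
 * Per limb i (little-endian 32-bit limbs), mirroring the listing:
 *   edx:eax  = esi[i] * ebx     (mul ebx)
 *   edx:eax += ecx              (add eax, ecx   / adc edx, 0)
 *   edx:eax += edi[i]           (add eax, [edi+4i] / adc edx, 0)
 *   edi[i] = eax; ecx = edx     (mov [edi+4i], eax / mov ecx, edx)
 * i.e. r += a * b, returning the carry left in ecx after the last limb.
 * The per-limb sum never exceeds 2^64-1, which is why 'adc edx, 0' cannot overflow. */
uint32_t bn_mul_add_word(uint32_t *r, const uint32_t *a, uint32_t b, size_t n)
{
    uint32_t carry = 0;                     /* xor ecx, ecx */
    for (size_t i = 0; i < n; i++) {
        uint64_t t = (uint64_t)a[i] * b;    /* mul ebx -> edx:eax */
        t += carry;                         /* add eax, ecx ; adc edx, 0 */
        t += r[i];                          /* add eax, [edi+4i] ; adc edx, 0 */
        r[i] = (uint32_t)t;                 /* mov [edi+4i], eax */
        carry = (uint32_t)(t >> 32);        /* mov ecx, edx */
    }
    return carry;
}

/* How a bignum library typically uses such a primitive: schoolbook
 * multiplication out[0..n+m) = a[0..n) * b[0..m), one call per limb of b.
 * out must be zeroed by the caller. */
void bn_mul(uint32_t *out, const uint32_t *a, size_t n, const uint32_t *b, size_t m)
{
    for (size_t j = 0; j < m; j++)
        out[j + n] = bn_mul_add_word(out + j, a, b[j], n); /* out[j+n] is still 0 here */
}

/* Self-check on constructed values: (2^32+1) * (3*2^32+2) = 3*2^64 + 5*2^32 + 2,
 * i.e. limbs {2, 5, 3, 0}. Returns 1 on success, 0 on failure. */
int bn_selftest(void)
{
    const uint32_t a[2] = { 1, 1 };
    const uint32_t b[2] = { 2, 3 };
    uint32_t out[4] = { 0, 0, 0, 0 };
    bn_mul(out, a, 2, b, 2);
    return out[0] == 2 && out[1] == 5 && out[2] == 3 && out[3] == 0;
}

int main(void)
{
    printf("bignum self-test: %s\n", bn_selftest() ? "ok" : "FAILED");
    return bn_selftest() ? 0 : 1;
}
```

Seeing this shape (mul, add/adc chain, carry handed on in a register) repeated per limb is a reliable signature of multi-precision arithmetic even when FindCrypt finds no constants, since the routine itself contains none.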
