
Thread: WIBU WkbCrypt2 (WITH dongle)

  1. #1
    fritzFS
    Guest

    WIBU WkbCrypt2 (WITH dongle)

    Hello,

    I've started to analyze this target and I've removed the dongle checks ...
    When I run the application and try to use some function in it, it crashes.

    So, back to work.

    Every function has this kind of block inside, and that is where it crashes.

    Code:
    .text:00404D8F                 mov     edx, [ebx]      ; i.e. 412168
    .text:00404D91                 push    esi
    .text:00404D92                 push    edi
    .text:00404D93                 mov     ecx, ebx
    .text:00404D95                 call    dword ptr [edx+78h] ; i.e. 402410 - with dongle
    When there's no dongle, the call at 404D95 tries to call an invalid address.

    412168 is inside the .rdata section.

    That section differs when it's viewed on the hard drive and when it's viewed in the running (with dongle) process.

    From the hard drive:
    Code:
    74 70 01 00 60 70 01 00 4A 70 01 00 ...
    From the running process:
    Code:
    44 61 34 77 CE AD 38 77 8E AE 38 77 ...
    I tried dumping the running process and running that file, but it crashes right away.
    After that, I looked in the target's directory and there are plenty of DLLs ...
    Also, the .rdata sections in ALL the DLLs differ between the loaded copies and those on the hard drive.

    I've read mueller5321's thread about the wkcrypt issue, but I'm still stuck.

    Also, I've read SnakeByte's & CrackZ's tutorial about the Wibu dongle.

    Is there anyone with similar experience?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2

    hmm

    I really am not sure of your actual approach, or in fact what the hell you are saying; however, I know this dongle quite well. I am guessing that the APIs are still called via wkwin32.dll. In that case, the method for reversing your application can be really easy: simply emulate the DLL itself. In fact, you won't even need to recode the DLL; you can use the existing one and hex-edit it. I would start by opening the DLL and the EXE. Then find the APIs used in your application with a signature, or they may just be in the import table in plaintext. Then go to wkwin32.dll and patch out the calls it uses. Example..

    Now, in order to kill the dongle you've got to understand it... so, a look at a couple of the APIs...

    Code:
    WkbListPort2( HWKB_LOCAL, WKB_LEVEL1, PortName, &BoxList, sizeof( BoxList ) );
    WkbListBox2( HWKB_LOCAL, WKB_LEVEL1 | WKB_LIST_DATA, PortName, BoxList.awkbsr, &BoxData, sizeof( BoxData ) );
    hEntry = WkbOpen2( HWKB_LOCAL, WKB_STDCTRL | WKB_OPEN_FIND | WKB_VERSION2,
                       PortName,
                       BoxData.awkbbxe[ EntryIndex ].ulFirmCode,
                       BoxData.awkbbxe[ EntryIndex ].ulUserCode,
                       NULL );
    Okay, so from our sample we see 3 easy APIs. If you look at the API guide on CrackZ's site you should see most just need to return TRUE.
    Example:
    Code:
    INT WKAPIENTRY _export WkbClose2( HWKBENTRY hwkbe )
    {
        return TRUE;
    }

    The only APIs you would have to be concerned with, as in all dongles, are read and crypt. So what I would do in your case is find out how it's used. For example, for WkbCrypt2 go ahead and just
    Code:
    INT WKAPIENTRY _export WkbCrypt2( HWKBENTRY hwkbe, ULONG flCtrl, VOID FAR * pvDest, VOID FAR * pvCtrl, UINT cbSrc, UINT FAR * pcbDest )
    {
        __asm { int 3 }     /* break here and inspect the arguments */
        return TRUE;
    }

    Once you do that you can break on the API and look at all the arguments sent. You will also be able to backtrace to the call and see why it is calling the crypt. You might want to be careful: WkbCrypt2 is an actual encryption call to FEAL-N. The application might be using it to decrypt files or, if it's packed, to decrypt a section of its own executable. I take it your app is not packed, or you would not have gotten it to run anyway.

    Once you understand the call to WkbCrypt2 from your application you should be able to determine what value it wants back. After determining the value, simply hardcode the return by doing a table emulator. OR let the call go through the DLL with success, and hardcode the value in the .exe to pass. So in the .dll it'll just return TRUE, but in the .exe you do a cmp eax, val patch. Btw, if you do not have a dongle, be cautious that if you hardcode a good jump in the .exe it is not a crucial part of the application's functionality (generally not).

    Anyway, that's the best way to do it. Otherwise, you are going to be running around a .exe messing up the stack, return values, you name it. Just emulate it at the core, so that no matter how many calls there are in the .exe they're nullified. Have fun.

  3. #3
    fritzFS
    Guest
    Hello Sab,

    yes, the communication with dongle is via wkwin32.dll.

    I was thinking of that approach also, but then I saw the 'WIBU-KEY API' and most of those APIs return a handle of something and NULL on error.

    Anyway, as I understand it, there's no simple TRUE or FALSE ...

    So I tried to patch it at a 'higher level', inside the application's executable file and its DLLs.

    I'll try patching it in wkwin32.dll now, as you said, and report the results here!

    Sab, thank you for your post!

  4. #4
    Naides is Nobody
    Hi Fritz:

    Typically, when an API call returns TRUE, it means it returns the value 1 in EAX.

    When an API returns FALSE, it returns the value 0 or sometimes the value FFFFFFFF in EAX.

    Of course, if you let the API try to communicate with the dongle and there is none connected, an error will occur.

    You may want to patch the code in wkwin32.dll to just write 00000001 in EAX, balance the stack if necessary, and return to your app EXE or DLL module, thereby bypassing most "Dongle, are you there?" checks.

    When the APP expects something else from the dongle, a specific value, it will usually be written to some buffer pointed to from the stack.

  5. #5
    fritzFS
    Guest
    Hello Naides and Sab,

    I've done more tracing with WKWIN32.DLL and these are my notes:

    While the application is loading, these are the WIBU calls and their return values (the address is just the address of the last instruction of the function in wkwin32.dll):

    Code:
    WkbGetVersion2
    	- (0x2000295E)	EAX = 0x4602
    
    WkbQueryStatus2 
    	- (0x20002A01)	EAX = 0x4
    
    WkbAccess2
    	- (0x20001253)	EAX = 0x10
    
    WkbOpen2
    	- (0x20003BC2)	EAX = 0x11
    
    WkbQuerySystem2
    	- (0x200022A8)	EAX = 0xFFFFFFFE
    			EBX = 0x1
    			ECX = 0x0
    			EDX = 0x14
    
    // REPEATS 21 TIMES
    WkbSelect2
    	- (0x20004522)	EAX = 0x1
    
    WkbCrypt2
    	- (0x20004F0F)	EAX = 0x1
    
    WkbUnSelect2
    	- (0x20004D1A)	EAX = 0x1
    
    // END OF LOOP
    But I think this can be a real problem, since additional calls are made while the application is used ... see below:

    When I'm in the application and try to use one of its functions, the following calls are also logged:

    Code:
    WkbSelect2
    WkbCrypt2
    WkbSelect2
    WkbCrypt2
    WkbUnSelect2

  6. #6
    fritzFS
    Guest
    Also, about WkbCrypt2 ...

    Inside WkbCrypt2 in WKWIN32.DLL :

    .text:20004D5A mov ebx, [esp+4+flCtrl] ; EBX = 0x101

    I have trouble understanding this 0x101 with my version of the WIBU-KEY API document.

    Is it : WKB_LEVEL_1 | WKB_CRYPT_COPY ?

  7. #7
    fritzFS
    Guest
    Hello, I've done more tracing in WkbCrypt2 (with dongle) and these are the results:

    Code:
    .text:20004D20 ; int __stdcall WkbCrypt2(int hwkbe,int flCtrl,int pvDest,LPVOID pvCtrl,UINT cbSrc,int pcbDest)
    .text:20004D20                 public WkbCrypt2
    .text:20004D20 WkbCrypt2       proc near               ; CODE XREF: sub_20006E90+27p
    .text:20004D20                                         ; sub_20008F00+CEp ...
    .text:20004D20
    .text:20004D20 hwkbe           = dword ptr  10h
    .text:20004D20 flCtrl          = dword ptr  14h
    .text:20004D20 pvDest          = dword ptr  18h
    .text:20004D20 pvCtrl          = dword ptr  1Ch
    .text:20004D20 cbSrc           = dword ptr  20h
    .text:20004D20 pcbDest         = dword ptr  24h
    .text:20004D20
    .text:20004D20                 push    ebx 
    .text:20004D21                 push    ebp
    .text:20004D22                 push    esi
    .text:20004D23                 lea     eax, [esp+pvDest] ; EAX = 0x12EE64
    .text:20004D27                 push    edi
    .text:20004D28                 push    eax
    .text:20004D29                 call    sub_20005D40
    .text:20004D2E                 test    eax, eax        ; EAX = 1
    .text:20004D30                 jz      loc_20004F40    ; not taken
    .text:20004D36                 lea     ecx, [esp+4+pvCtrl] ; ECX = 0x12EE68
    .text:20004D3A                 push    ecx
    .text:20004D3B                 call    sub_20005D40
    .text:20004D40                 test    eax, eax        ; EAX = 1
    .text:20004D42                 jz      loc_20004F40    ; not taken
    .text:20004D48                 lea     edx, [esp+4+pcbDest] ; EDX = 0x12EE70
    .text:20004D4C                 push    edx
    .text:20004D4D                 call    sub_20005D40
    .text:20004D52                 test    eax, eax        ; EAX = 1
    .text:20004D54                 jz      loc_20004F40    ; not taken
    .text:20004D5A                 mov     ebx, [esp+4+flCtrl] ; EBX = 0x101
    .text:20004D5E                 mov     eax, [esp+4+hwkbe] ; EAX = 0x11
    .text:20004D62                 push    ebx
    .text:20004D63                 push    eax
    .text:20004D64                 call    sub_20007E10
    .text:20004D69                 test    eax, eax        ; EAX = 1
    .text:20004D6B                 jz      loc_20004F40    ; not taken
    .text:20004D71                 mov     ecx, [esp+4+pvDest] ; ECX = 0x12EF98
    .text:20004D75                 xor     esi, esi
    .text:20004D77                 test    bl, 1
    .text:20004D7A                 mov     ebx, [esp+4+cbSrc] ; EBX = 0x38
    .text:20004D7E                 mov     [esp+4+hwkbe], ecx
    .text:20004D82                 jz      short loc_20004DC4 ; not taken
    .text:20004D84                 mov     eax, [esp+4+pvCtrl] ; EAX = 0x12EF34
    .text:20004D88                 push    ebx             ; ucb
    .text:20004D89                 push    eax             ; lp
    .text:20004D8A                 mov     [esp+0Ch+hwkbe], eax
    .text:20004D8E                 call    sub_20007F70
    .text:20004D93                 test    eax, eax        ; EAX = 1
    .text:20004D95                 jz      loc_20004F40    ; not taken
    .text:20004D9B
    .text:20004D9B loc_20004D9B:                           ; CODE XREF: WkbCrypt2+AAj
    .text:20004D9B                 mov     edi, [esp+4+flCtrl] ; EDI = 0x101
    .text:20004D9F
    .text:20004D9F loc_20004D9F:                           ; CODE XREF: WkbCrypt2+BEj
    .text:20004D9F                 and     edi, 0F0h
    .text:20004DA5                 push    ebx             ; EBX = 0x38
    .text:20004DA6                 mov     ebp, edi
    .text:20004DA8                 and     ebp, 70h
    .text:20004DAB                 cmp     ebp, 10h
    .text:20004DAE                 jnz     short loc_20004DE0; taken
    
    .text:20004DE0 loc_20004DE0:                           ; CODE XREF: WkbCrypt2+8Ej
    .text:20004DE0                 mov     eax, [esp+8+pvDest] ; EAX = 0x12EF98
    .text:20004DE4                 push    eax             ; lp
    .text:20004DE5                 call    sub_20007FA0
    .text:20004DEA                 test    eax, eax        ; EAX = 1
    .text:20004DEC                 jz      loc_20004F40    ; not taken
    .text:20004DF2
    .text:20004DF2 loc_20004DF2:                           ; CODE XREF: WkbCrypt2+A2j
    .text:20004DF2                 test    ebp, ebp        ; EBP = 0
    .text:20004DF4                 jz      short loc_20004E11 ; taken
    
    .text:20004E11 loc_20004E11:                           ; CODE XREF: WkbCrypt2+D4j
    .text:20004E11                                         ; WkbCrypt2+D9j
    .text:20004E11                 test    esi, esi        ; ESI = 0
    .text:20004E13                 jz      loc_20004ED7    ; taken
    
    .text:20004ED7 loc_20004ED7:                           ; CODE XREF: WkbCrypt2+F3j
    .text:20004ED7                 mov     eax, dword_200175A4 ; EAX = 0x1432064
    .text:20004EDC                 mov     ecx, [eax]      ; ECX = 0x38
    .text:20004EDE                 test    ecx, ecx        ; ECX = 1432168
    .text:20004EE0                 jz      short loc_20004F12 ; not taken
    .text:20004EE2                 test    esi, esi        ; ESI = 0
    .text:20004EE4                 jz      short loc_20004EEB ; taken
    
    .text:20004EEB loc_20004EEB:                           ; CODE XREF: WkbCrypt2+1C4j
    .text:20004EEB                 xor     eax, eax
    .text:20004EED
    .text:20004EED loc_20004EED:                           ; CODE XREF: WkbCrypt2+1C9j
    .text:20004EED                 mov     edx, [esp+4+pcbDest] ; EDX = 0x12EE94
    .text:20004EF1                 push    edx             ; int
    .text:20004EF2                 mov     edx, [esp+8+pvDest] ; EDX = 0x12EF98
    .text:20004EF6                 push    edi             ; int
    .text:20004EF7                 push    eax             ; lp
    .text:20004EF8                 mov     eax, [esp+10h+hwkbe] ; EAX = 0x12EF34
    .text:20004EFC                 push    esi             ; int
    .text:20004EFD                 push    ebx             ; int
    .text:20004EFE                 push    eax             ; int
    .text:20004EFF                 push    edx             ; int
    .text:20004F00                 push    ecx             ; int
    .text:20004F01                 call    sub_20004350    ; RET : EAX = 0x38, EDX = 0x32
    .text:20004F06                 call    sub_20007EF0    ; RET : EAX = 1, ECX = 0, EDX = 0
    .text:20004F0B                 pop     edi
    .text:20004F0C                 pop     esi
    .text:20004F0D                 pop     ebp
    .text:20004F0E                 pop     ebx
    .text:20004F0F                 retn    18h

  8. #8
    fritzFS
    Guest
    Silly me ..
    I've re-read the WIBU-KEY API and noticed that the encryption/decryption algorithm is selected by the WkbSelect2 API, not WkbCrypt2, so ... here it goes, I traced the WkbSelect2 API also ...

    Code:
    .text:200044B0 WkbSelect2      proc near               ; CODE XREF: sub_20006E60+19p
    .text:200044B0                                         ; sub_20006EF0+75p ...
    .text:200044B0
    .text:200044B0 hwkbe           = dword ptr  4
    .text:200044B0 flCtrl          = dword ptr  8
    .text:200044B0 ulSelectCode    = dword ptr  0Ch
    .text:200044B0 pvCtrl          = dword ptr  10h
    .text:200044B0
    .text:200044B0                 lea     eax, [esp+pvCtrl]
    .text:200044B4                 push    ebx
    .text:200044B5                 push    eax
    .text:200044B6                 call    sub_20005D40
    .text:200044BB                 test    eax, eax
    .text:200044BD                 jz      short loc_2000451C
    .text:200044BF                 mov     ebx, [esp+4+flCtrl] ; EBX = 0x110
    .text:200044C3                 mov     ecx, [esp+4+hwkbe] ; ECX = 0x11
    ...
    0x110 - is that "WKB_LEVEL1 | WKB_SEL_KNUTH20 " ?

  9. #9
    FoxB
    Does your software use the WIBU envelope?

  10. #10
    fritzFS
    Guest
    No, I cannot find any signatures in PE sections ...
    And I patched the Is_Dongle_Here check and the application runs, so there's no envelope ... Just WkbCrypt2 ...

  11. #11

    hmm

    okay fritz.. I usually don't help beyond my initial post, but I feel this post might help others and you did a lot of documenting... anyway.. here goes:

    Quote Originally Posted by fritzFS
    Code:
    WkbGetVersion2
    	- (0x2000295E)	EAX = 0x4602

    WkbQueryStatus2
    	- (0x20002A01)	EAX = 0x4

    WkbAccess2
    	- (0x20001253)	EAX = 0x10

    WkbOpen2
    	- (0x20003BC2)	EAX = 0x11

    WkbQuerySystem2
    	- (0x200022A8)	EAX = 0xFFFFFFFE
    			EBX = 0x1
    			ECX = 0x0
    			EDX = 0x14

    // REPEATS 21 TIMES
    WkbSelect2
    	- (0x20004522)	EAX = 0x1

    WkbCrypt2
    	- (0x20004F0F)	EAX = 0x1

    WkbUnSelect2
    	- (0x20004D1A)	EAX = 0x1

    // END OF LOOP
    Either code a DLL (which is a bit of work) and do something like..
    Code:
    INT WKAPIENTRY _export WkbClose2( HWKBENTRY hwkbe )
    {
        return TRUE;
    }

    or, I think better for you..
    Open wkwin32.dll, get its export addresses, then in hiew patch them out using this style..:

    Code:
    WkbOpen2:                       ; 6 stdcall args -> retn 18h
        push ebp
        mov  ebp, esp
        xor  eax, eax
        mov  eax, 11h               ; the handle value logged with the dongle present
        pop  ebp
        retn 18h
    ----------------------------------
    WkbClose2:                      ; 1 arg -> retn 4
        push ebp
        mov  ebp, esp
        mov  eax, 1
        pop  ebp
        retn 4
    ---------------------------------
    WkbGetLastError:
        push ebp
        mov  ebp, esp
        xor  eax, eax               ; note: return 0 on this API
        pop  ebp
        retn
    --------------------------------
    WkbQueryEntry2:                 ; 4 args -> retn 10h
        push ebp
        mov  ebp, esp
        mov  eax, 1
        pop  ebp
        retn 10h
    ---------------------------------
    Do this for all the APIs below:
    wkbcrypt2
    wkbselect2
    wkbunselect2
    WkbQuerySystem2
    WkbGetVersion2
    WkbQueryStatus2
    WkbAccess2
    WkbOpen2

    After you do that, set an int3 inside WkbCrypt2 and break on it each time. The value 0x101 you've seen is from WkbSelect, which sets the mode of encrypt or decrypt. All you need to do is look at the values going in, the query value, and the values going out, the response value. If you do not have a dongle, then you have to figure out what the response values are. Once you figure out the values in/out you can just do something inside the DLL like..

    Code:
    WkbCrypt2:
        push ebp
        mov  ebp, esp
        push ebx
        push esi
        push edi
        mov  edi, [ebp+1Ch]         ; cbSrc
        mov  esi, [ebp+18h]         ; pvCtrl
        mov  ebx, [ebp+10h]         ; pvDest
        mov  eax, [ebp+14h]         ; flCtrl
        xor  eax, eax
        int  3                      ; remove once you have figured out all the in/out values
        inc  eax                    ; return TRUE
        pop  edi
        pop  esi
        pop  ebx
        pop  ebp
        retn 18h

    now you can fill in where xor eax, eax -> inc eax is with something like...
    Code:
    for (int i = 0; i < 21; i++)
        if (QueryValue == tableOfQueries[i])
            responseval = tableOfResponses[i];

    as to say: find the corresponding response code that goes with the query value you found through debugging. Okay, start hunting the in/out responses from WkbCrypt2, and then get back to us.

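The "get its export addresses, then patch them out in hiew" step above can be scripted. The following is an added example, not code from this thread or from WIBU: it walks the PE32 export directory of a DLL, maps each named export to its file offset and overwrites the entry with a `mov eax, imm32 ; retn N` stub. The EAX values in RETURN_TABLE are the ones fritzFS logged with the dongle present, and the `retn` operands follow Sab's stubs; both are assumptions about the real prototypes. Because nothing here may touch a real wkwin32.dll offline, the script builds its own minimal PE32 fixture (constructed, clearly not the real DLL) and patches that.

```python
import struct

# Export name -> (value to leave in EAX, bytes of stdcall arguments the stub pops).
# EAX values are the ones fritzFS logged with the dongle present; the argument sizes follow the
# retn operands in Sab's stubs (WkbOpen2 six dwords = 18h, WkbClose2 one = 4, WkbGetLastError none).
RETURN_TABLE = {
    "WkbOpen2": (0x11, 0x18),
    "WkbClose2": (1, 0x4),
    "WkbGetLastError": (0, 0x0),
}

def make_stub(eax_value, arg_bytes):
    """x86 bytes for 'mov eax, imm32 ; ret imm16' (plain 'ret' when nothing is popped)."""
    code = b"\xB8" + struct.pack("<I", eax_value & 0xFFFFFFFF)
    return code + (b"\xC3" if arg_bytes == 0 else b"\xC2" + struct.pack("<H", arg_bytes))

def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def parse_exports(img):
    """Return (sections, {export name: function RVA}) of a PE32 image; forwarders are skipped."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    exp_rva, exp_size = struct.unpack_from("<II", img, opt + 96)  # DataDirectory[0] = exports
    sections = []
    for i in range(nsec):  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", img, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    e = rva_to_offset(sections, exp_rva)
    _nfuncs, nnames, funcs, names, ords = struct.unpack_from("<IIIII", img, e + 20)
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", img, rva_to_offset(sections, names) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", img, rva_to_offset(sections, ords) + 2 * i)[0]
        func_rva = struct.unpack_from("<I", img, rva_to_offset(sections, funcs) + 4 * ordinal)[0]
        if exp_rva <= func_rva < exp_rva + exp_size:
            continue  # points inside the export directory: a forwarder string, not code
        off = rva_to_offset(sections, name_rva)
        exports[img[off:img.index(b"\0", off)].decode("ascii")] = func_rva
    return sections, exports

def patch_exports(img, table):
    """Overwrite the entry of every export named in `table` with its stub; returns the new image."""
    sections, exports = parse_exports(img)
    out = bytearray(img)
    for name, (value, arg_bytes) in table.items():
        if name not in exports:
            raise KeyError("export %s is not present in this DLL" % name)
        off = rva_to_offset(sections, exports[name])
        stub = make_stub(value, arg_bytes)
        out[off:off + len(stub)] = stub
    return bytes(out)

def build_sample_dll():
    """Constructed fixture: a minimal PE32 DLL exporting three names (not the real wkwin32.dll)."""
    funcs = [("WkbOpen2", 0x1000), ("WkbClose2", 0x1010), ("WkbGetLastError", 0x1020)]
    sec = bytearray(0x200)  # one section, RVA 0x1000, file offset 0x200
    for _, rva in funcs:  # stand-in bodies: push ebp ; mov ebp, esp ; int3 padding
        sec[rva - 0x1000:rva - 0x1000 + 16] = b"\x55\x8B\xEC" + b"\xCC" * 13
    # IMAGE_EXPORT_DIRECTORY at RVA 0x1040; function/name/ordinal tables and strings follow it
    struct.pack_into("<IIHHIIIIIII", sec, 0x40, 0, 0, 0, 0, 0x1088, 1, 3, 3, 0x1068, 0x1074, 0x1080)
    sec[0x88:0x91] = b"fake.dll\0"
    pos = 0xA0
    for i, (name, rva) in enumerate(funcs):
        struct.pack_into("<I", sec, 0x68 + 4 * i, rva)           # AddressOfFunctions[i]
        struct.pack_into("<I", sec, 0x74 + 4 * i, 0x1000 + pos)  # AddressOfNames[i]
        struct.pack_into("<H", sec, 0x80 + 2 * i, i)             # AddressOfNameOrdinals[i]
        sec[pos:pos + len(name) + 1] = name.encode() + b"\0"
        pos += len(name) + 1
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386 DLL, one section
    struct.pack_into("<H", hdr, 0x58, 0x10B)  # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x58 + 96, 0x1040, 0x90)  # export directory RVA and size
    struct.pack_into("<8sIIII", hdr, 0x138, b".text", 0x200, 0x1000, 0x200, 0x200)
    return bytes(hdr + sec)

def patched_entry_bytes(table=RETURN_TABLE):
    """Patch the fixture and return the first 8 bytes at each export entry, keyed by name."""
    img = patch_exports(build_sample_dll(), table)
    sections, exports = parse_exports(img)
    return {n: img[rva_to_offset(sections, r):rva_to_offset(sections, r) + 8] for n, r in exports.items()}

if __name__ == "__main__":
    for name, code in patched_entry_bytes().items():
        print("%-16s %s" % (name, code.hex()))
```

To use it on a real file, replace `build_sample_dll()` with the bytes of the DLL and write the result back under a new name. Two caveats a practitioner should keep in mind: the stub is only safe when the export's entry point is not jumped into from elsewhere in the DLL (the bytes behind the stub are left as they were, so a mid-function jump target still exists), and the `retn N` operand must match the real stdcall argument size, otherwise the caller's stack is unbalanced and the application crashes in exactly the way the first post describes.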
  12. #12
    Sab kicks ass

    Woodmann

  13. #13
    yes, I agree... nice info...

    bye

  14. #14
    FoxB
    Quote Originally Posted by Sab
    .....
    for (int i = 0; i<21; i++)
    if (QueryValue == tableOfQueries[i])
    responseval = tableOfResponses[i];
    ...

    Valid only for static tableOf.., imho.

    WBR

  15. #15
    fritzFS
    Guest
    Thank you Sab,

    For now, I've modified WKWIN32.DLL in all mentioned functions except WkbCrypt2. I'll start to work on it as soon as I get home (2 days).

    I'll post my results here!
