Help Understanding WIBU-BoX internal encryption process

qd0097
Junior Member
Posts: 14
Joined: Wed Dec 02, 2015 11:59 pm

Post by qd0097 »

I have developed a fake wkWin64.dll that responds well with the host program I am trying to fool.

However, I have run into a problem. The access method requested by the host program requires that I use direct method encryption (WKB_SEL_DIRECT). This encryption process is symmetrical.

Unfortunately, I don't know what type of FEAL WIBU-BOX v11 uses in the encryption/decryption process. From my research, there appear to be many different types of FEAL encryption methods (FEAL-8, FEAL-4, FEAL-NX, FEAL-N, etc.).

I have the AsicBuild, Firm Code, User Code and Selection Code, but I don't know what the 88-bit const value pertains to.
I have searched online and throughout the WIBU-SDK, but I can't find up-to-date details on the inner workings of the WIBU-BOX anywhere online.

So, when the host program calls WkbCrypt2, I can't really do much.

Image

NOTE: I don't have access to a WIBU-BOX usb.

If anyone could provide some resources or impart some knowledge my way, that would be awesome.
FoxB
Posts: 457
Joined: Thu Mar 21, 2002 7:20 am
Location: Earth

Post by FoxB »

wibu algo v1 is some knuth47 permutate, not used in modern wibu-protected software.
wibu algo v2, v3 is FEAL-8, 40-bit selection sequence key, can be recovered by using a brute-force process.
wibu algo v4, v5 is FEAL-32, 64-bit selection sequence key.

algo v2 == v3, v4 == v5. difference for the FC only.

const is 0x37 for v2, v3
const is (FirmCode & 0xFF) for v4, v5
qd0097
Junior Member
Posts: 14
Joined: Wed Dec 02, 2015 11:59 pm

Post by qd0097 »

I do not have a WIBU-BOX dongle so I can't really be sure what algorithm version will suffice. I do remember the dongle was in use from 2011-2012. It might have been a WibuBox/RU+ or WibuBox/RU. Not really sure. I only have the dongle dump now which states that the version of wibu-box is 11, but I haven't found anything to correlate that with an algorithm.

Image

You mentioned that Wibu's V2 algorithm can be brute-forced. I am a bit confused by that given that I have the AsicBuild, Firm Code, User Code and Selection Code. So my thought process was that I would just need to go over the encrypted bytes in the same process as pictured in my first post.

Lastly, I just want to clarify, did you mean the 88-bit const for v2 & v3 is 0x37 and for v4 & v5 the const is the firmware bit masked with 0xff (0x000fd0b0 & 0xff)?
FoxB
Posts: 457
Joined: Thu Mar 21, 2002 7:20 am
Location: Earth

Post by FoxB »

it is not dependent on the asic ver
qd0097
Junior Member
Posts: 14
Joined: Wed Dec 02, 2015 11:59 pm

Post by qd0097 »

Oh my mistake. Thanks

Do you know what the 88bit const refers to?
FoxB
Posts: 457
Joined: Thu Mar 21, 2002 7:20 am
Location: Earth

Post by FoxB »

I think wibu guys only. But for real purposes you do not need this 88 bit.
From the v2,3,4,5 cipher you can extract some data for brute-force. For v2,3 it is possible to extract the key in 1-4 days (8 rounds of the feal cipher and 40 bit key), for v4,5 - not possible (32 rounds of the feal cipher and 64 bit key) in reasonable time.
qd0097
Junior Member
Posts: 14
Joined: Wed Dec 02, 2015 11:59 pm

Post by qd0097 »

Okay. Got it. Thanks for your help. It has really cleared up a lot of my misconceptions.
Really appreciate it. 😁