Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Any one see this Cryptographic? (https://forum.exetools.com/showthread.php?t=8302)

winndy 10-13-2005 22:18
Any one see this Cryptographic?
 
0041C249 . C74424 60 6>mov dword ptr ss:[esp+60],CD49046B
0041C251 . C74424 64 C>mov dword ptr ss:[esp+64],829A80CB
0041C259 . C74424 68 C>mov dword ptr ss:[esp+68],3F5157C0
0041C261 . C74424 6C 8>mov dword ptr ss:[esp+6C],B50C6384
0041C269 . C74424 70 5>mov dword ptr ss:[esp+70],AA56D550
0041C271 . C74424 74 7>mov dword ptr ss:[esp+74],B05ADF71
0041C279 . C74424 78 D>mov dword ptr ss:[esp+78],7B2E3CD4
0041C281 . C74424 7C C>mov dword ptr ss:[esp+7C],CFB69AC3

any one who knows the Cryptographic?
thanks.

Archer 10-14-2005 00:45
It can be everything, even not crypto stuff. Try to use PEId's plugin KANAL to identify crypto signatures.

Peter[Pan] 10-14-2005 01:30
I saw the same thing twice before, not the same dwords, but it was setting up the bignum for rsa, but like he said use KANAL, or CRYPTOSEARCHER should give a better result.

MaRKuS-DJM 10-14-2005 02:16
i had a target where these commands prepare a SHA-routine.

SLV 10-14-2005 02:17
its simply 8 dwords... we need more code :) and if KANAL willn't detect this constants than it may be simply home-made crypto... or it may be a big nums...

NeOXOeN 10-14-2005 04:58
There is also one good crypto searcher by Christal on http://christal1.cjb.net/

try that if Peid doesnt work...


BYe NeOXOeN

winndy 10-14-2005 12:33
Well��thanks all ,firstly.
I met this when I tried to make a keygen of WMV to AVI MPEG DVD WMV Converter 1.4.8.
It's easy to patch.But i want a keygen.
The offical site is:http://www.alloksoft.com.

Code:
0041C220    > \6A FF      push -1
0041C222    .  68 191D4300 push WMV_to_A.00431D19                  ;  SE handler installation
0041C227    .  64:A1 00000>mov eax,dword ptr fs:[0]
0041C22D    .  50          push eax
0041C22E    .  64:8925 000>mov dword ptr fs:[0],esp
0041C235    .  81EC 940000>sub esp,94
0041C23B    .  8B8424 A400>mov eax,dword ptr ss:[esp+A4]
0041C242    .  53          push ebx
0041C243    .  56          push esi
0041C244    .  50          push eax
0041C245    .  8D4C24 10  lea ecx,dword ptr ss:[esp+10]
0041C249    .  C74424 60 6>mov dword ptr ss:[esp+60],CD49046B
0041C251    .  C74424 64 C>mov dword ptr ss:[esp+64],829A80CB
0041C259    .  C74424 68 C>mov dword ptr ss:[esp+68],3F5157C0
0041C261    .  C74424 6C 8>mov dword ptr ss:[esp+6C],B50C6384
0041C269    .  C74424 70 5>mov dword ptr ss:[esp+70],AA56D550
0041C271    .  C74424 74 7>mov dword ptr ss:[esp+74],B05ADF71
0041C279    .  C74424 78 D>mov dword ptr ss:[esp+78],7B2E3CD4
0041C281    .  C74424 7C C>mov dword ptr ss:[esp+7C],CFB69AC3
0041C289    .  E8 E8280100 call <jmp.&MFC42.#537>                  ;  kernel32.lstrlenA;MSVCRT.memcpy
0041C28E    .  8B8C24 B000>mov ecx,dword ptr ss:[esp+B0]
0041C295    .  C78424 A400>mov dword ptr ss:[esp+A4],0
0041C2A0    .  51          push ecx
0041C2A1    .  8D4C24 0C  lea ecx,dword ptr ss:[esp+C]
0041C2A5    .  E8 CC280100 call <jmp.&MFC42.#537>
0041C2AA    .  8B5424 0C  mov edx,dword ptr ss:[esp+C]
0041C2AE    .  8B35 BC2544>mov esi,dword ptr ds:[<&MSVCRT._mbscmp>>;  msvcrt._mbscmp
0041C2B4    .  68 60FC4300 push WMV_to_A.0043FC60                  ; /s2 = ""
0041C2B9    .  52          push edx                                ; |s1
0041C2BA    .  C68424 AC00>mov byte ptr ss:[esp+AC],1              ; |
0041C2C2    .  FFD6        call esi                                ; \_mbscmp
if(Decipher(Registrationcode)==username)
Registration successful.

It seems the initial value .
It should be symmetrical cipher .
cipher(username)=Registrationcode

cbs 10-16-2005 23:07
Quote:
Originally Posted by winndy
It should be symmetrical cipher .
cipher(username)=Registrationcode
Actually you are not right ;) This is asymmetric crypto :)

These three calls look like BigCreate or smth like that:

Code:
.text:0041C2ED                call    sub_401974
....
.text:0041C300                call    sub_401974
....
.text:0041C317                call    sub_401974
and for the third call you have this parameter
Code:
push    10001h
This is typical value for public exponent (E) for RSA cryptosystem.



on this line

Code:
0041C289  . E8 E8280100    CALL <JMP.&MFC42.#537>
in esp+60 you have:

Code:
0012CDF4  6B 04 49 CD CB 80 9A 82  kI����Ђљ‚
0012CDFC  C0 57 51 3F 84 63 0C B5  ��WQ?„c.&micro;
0012CE04  50 D5 56 AA 71 DF 5A B0  P��VЄq��Z��
0012CE0C  D4 3C 2E 7B C3 9A B6 CF  ��<.{��љ&para;��
Code:
6B 04 49 CD CB 80 9A 82 C0 57 51 3F 84 63 0C B5 50 D5 56 AA 71 DF 5A B0 D4 3C 2E 7B C3 9A B6 CF
if we remove spaces we get this:

Code:
6B0449CDCB809A82C057513F84630CB550D556AA71DF5AB0D43C2E7BC39AB6CF
Now paste it in RSA Tool in Modulus (N) field and push 'Reverse'. Now you've got public key:

Code:
CFB69AC37B2E3CD4B05ADF71AA56D550B50C63843F5157C0829A80CBCD49046B
To create keygen you have to find factors (find p and q that p*q=N). For this needs you can use RSA Tool, but when you have modulus > 200 bits (in your case you have 256 bits) RSA Tool is too slow. So you should better use tools by Satoshi Tomabechi.

You can get these tools here:
Code:
http://www.asahi-net.or.jp/~KC2H-MSM/cn/
When you get p and q you can calculate D.

When you have N & D you can code keygen ;)

winndy 10-17-2005 18:22
cbs,Good man!
You are right!

N=CFB69AC37B2E3CD4B05ADF71AA56D550B50C63843F5157C0829A80CBCD49046B
I use ppsiqsv1.1 to get the factors p and q.
P=E4E7E39EE5E5C98788BF466DDCBAB2DF
Q=E84C8EBF8D5AA6A5ACB2569542DBCBF5
and use tE's RSA tool.
E=10001
D=3CE0C02B5B070A3D2C12F63A523A70FA57692AFC70FAE36480D0E33205F6B4C1

BRD made a keygen of this product v1.4.6 which could bu used on v1.4.8.
I disassembled the keygen to study,^_^.
the RSA value of name should be changed to registration key by some tricks.

Really appreciate the help of all you!

Regards

cbs 10-18-2005 01:02
Quote:
Originally Posted by winndy
I disassembled the keygen to study,^_^.
the RSA value of name should be changed to registration key by some tricks.
Well, not the best way :rolleyes: but applicable... only for study!

I've received PM asking which tool by Satoshi Tomabechi to use. Generally PPSIQS is used.
But don't use RSA Tool for large composite numbers. It's too slow. I have tested RSA Tool vs PPSIQS and PPSIQS is approximately 3 (!) times faster. I tried RSA-255/256 many times and on my machine I get factors for a bit more than one hour. RSA Tool requires ~4-5 hours for the same task. RSA Tool is designed for 'playing' with numbers and keys generation ;) And it's much better to use specialized tools for factoring.
BTW I'm not sure if RSA Tool keys generation scheme is secure ;)

winndy 10-18-2005 11:56
Quote:
Originally Posted by cbs
Well, not the best way :rolleyes: but applicable... only for study!
Yes,sir,It's only for study! ;)

Quote:
Originally Posted by cbs
I've received PM asking which tool by Satoshi Tomabechi to use. Generally PPSIQS is used.
But don't use RSA Tool for large composite numbers. It's too slow. I have tested RSA Tool vs PPSIQS and PPSIQS is approximately 3 (!) times faster. I tried RSA-255/256 many times and on my machine I get factors for a bit more than one hour. RSA Tool requires ~4-5 hours for the same task. RSA Tool is designed for 'playing' with numbers and keys generation ;) And it's much better to use specialized tools for factoring.
I agree with you!I got the factors by PPSIQS in about 1 hour.
But RSAtool is very slow.
I use RSAtool to calculate D.
Quote:
Originally Posted by cbs
BTW I'm not sure if RSA Tool keys generation scheme is secure ;)
Have you look at API Spy Version 2.5,by Vitaly Evseenko?

I downloaded it from programmerstools.
I cracked it,a username could have many keys.
In fact,It uses RSA.
When I search RSA in tut from pediy.com(chinese site),
I found someone has cracked the apis32,and made a keygen.
In the tut,he said it used RSA,and surely it was!
I got a little puzzled. :confused:
In RSA,one username has one code.
But i could get two or four ,or more.
Does RSA have collision like MD5?
If so,RSA should not be used on digital signature.

Regards

Lunar_Dust 10-18-2005 22:00
RSA doesn't have collision, but usually what's encrypted isn't the actual document, it's the hash of the document. Since asymetric crypto is too slow usually they just take a hash of the doc and then encrypt the hash with RSA with private key. Then the end user uses public key to decrypt hash, takes hash themselves of the document, and compares hashes. If they match this means document hasn't been changed. If MD5 (the most common hash) has collision (still very rare I think) then that is why you may see it because possibly they are RSA the hash only.

-Lunar

winndy 10-18-2005 23:13
Quote:
Originally Posted by Lunar_Dust
RSA doesn't have collision, but usually what's encrypted isn't the actual document, it's the hash of the document. Since asymetric crypto is too slow usually they just take a hash of the doc and then encrypt the hash with RSA with private key. Then the end user uses public key to decrypt hash, takes hash themselves of the document, and compares hashes. If they match this means document hasn't been changed. If MD5 (the most common hash) has collision (still very rare I think) then that is why you may see it because possibly they are RSA the hash only.

-Lunar
Thanks for your explanation.
I am still in the mist.
RSA(hash1)=RSA(hash2)
Whether the hash1 or hash2 are MD5 hash is not important.
What's important is that two different hash arrived the same RSA value.

Anyway,I generally agree with you that RSA has no collision.
Maybe when the program apis32 v2.5 checks the regcode,
It is not the standand RSA_Decipher procedure,so I could
got different Regcode for the same username.

You could look at the apis32 v2.5.
And I will provide more keys for the same username.

Regards

bytescrk 10-18-2005 23:46
What is the needed to use PPSIQS, i am receiving only...

Input number (input 0 to exit)

SlashZero 10-19-2005 02:55
Hey bytescrk,

just input public Modulus in Base10 ... and ... ENTER ... play with ur girlfriend ;)



Bye

cbs 10-19-2005 03:23
Quote:
Originally Posted by winndy
You could look at the apis32 v2.5.
And I will provide more keys for the same username.
I'll have a look at this when I get free minute ;)

Quote:
Originally Posted by Lunar_Dust
If MD5 (the most common hash) has collision (still very rare I think) ...
Agree with you about that RSA itself can't have collisions ;) It can only be a result of collision in hash.
Otherwise you won't be able to read messages encrypted with RSA - because they could have few meanings :D

What about MD5 - actually now MD5 is definitely not safe (because of this MD5(x)=MD5(y) => MD5(x+z)=MD5(y+z) ). You can check out this article:
Code:
http://www.codeproject.com/dotnet/HackingMd5.asp
Microsoft has even decided to ban MD5:

Quote:
Originally Posted by eweek.com
Microsoft is banning certain cryptographic functions from new computer code, citing increasingly sophisticated attacks that make them less secure, according to a company executive. The Redmond, Wash., software company instituted a new policy for all developers that bans functions using the DES, MD4, MD5 and, in some cases, the SHA1 encryption algorithm, which is becoming "creaky at the edges," said Michael Howard, senior security program manager at the company, Howard said.


Quote:
Originally Posted by bytescrk
What is the needed to use PPSIQS, i am receiving only...
You can also use 'packet factoring', i.e. you can create ppsiqs.in (or whatsoever).
In this file you put all your numbers that you would like to factor in decimal notation (base-10) like this:

Code:
224723992774119006825578513302384489873
156501211667442645087401128910164446481
119399008393514320049994534947283967297
211087890988599145775593649671167343561
222924203035635853575650313518923532737
Then you type
Code:
ppsiqs.exe < ppsiqs.in
and then you will have results in SIQS.LOG

bytescrk 10-19-2005 03:52
I am receiving "unknown function"

My OS is Windows XP Pro SP2, i seen in the .txt file included

* Environment

OS : Windows 95
Windows 98
Windows NT4.0
Windows 2000

cbs 10-19-2005 09:57
Quote:
Originally Posted by bytescrk
I am receiving "unknown function"

My OS is Windows XP Pro SP2, i seen in the .txt file included

* Environment

OS : Windows 95
Windows 98
Windows NT4.0
Windows 2000
I suppose you are trying to enter a number written in hexadecimal notation (base-16). And you have to enter a number in decimal notation (base-10).
For example let's factor number
Code:
E7C8A74C73FD2FBAC4F42216DFA687C1
in decimal notation it's
Code:
308093519617663552837864268966148868033


Code:
Input number ( input 0 to exit )
E7C8A74C73FD2FBAC4F42216DFA687C1

unkown function E7C8A74C73FD2FBAC4F42216DFA687C1

Code:
Input number ( input 0 to exit )
308093519617663552837864268966148868033

PPSIQS Ver 1.1 by S.Tomabechi 2001
C39=308093519617663552837864268966148868033
#FactorBase 512 max FactorBase 7867
max LargePrime 288950 Upper Bound 5251270668
SieveWidth 12288 SieveUnit 12288 CutOff 71 multiplier 1
To stop sieving, press Ctrl + Pause


458(640)/544
search cycles
102 duplicated data merged in Large Prime
56 duplicated data merged
(f)  type 458 total 631
(p)  type 1523( p_p 229, p_p_pp 0, p_p_p_p_pp_pp 0)
(pp) type 0( pp_pp 0, pp_pp_pp 0, others 0)

block Lanczos method
#singleton 29 : zero-weight columns 6
477*515 matrix 16.1363 entries / row
nonzero entry 7697 memory 31K
 #iteration 16 gained 32 solutions  0:00:00:07
found  factor 18014544488287572347
cputime 0:00:08:73
t et 60 6814407600
Jacobi Sum Test ( APR-CL )
for P=2 Q=3 5 7 13 11 31 61
for P=3 Q=7 13 31 61
for P=5 Q=11 31 61
final test
t et 60 6814407600
Jacobi Sum Test ( APR-CL )
for P=2 Q=3 5 7 13 11 31 61
for P=3 Q=7 13 31 61
for P=5 Q=11 31 61
final test
;)


All times are GMT +8. The time now is 19:12.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX