Exetools  

  #1  
09-14-2018, 12:53
cjack
Hi Contextrax, I have a VERY BAD target that I've been trying to reverse for a long time! The problem here is that it uses A LOT of protected executables, so, maybe, the right way will be attacking the ECDSA certificate itself.
I need support to calculate the last 4 ecc_curve_array[] parameters.
If you can help I'll extract the public certificate and post it here asap.
I think that a tool to calculate the 8 ecc_curve_array[] parameters will be AMAZING.

Last edited by cjack; 09-14-2018 at 13:50.
  #2  
09-14-2018, 22:48
Megin
Quote:
Originally Posted by cjack
Hi Contextrax, I have a VERY BAD target that I've been trying to reverse for a long time! The problem here is that it uses A LOT of protected executables, so, maybe, the right way will be attacking the ECDSA certificate itself.
I need support to calculate the last 4 ecc_curve_array[] parameters.
If you can help I'll extract the public certificate and post it here asap.
I think that a tool to calculate the 8 ecc_curve_array[] parameters will be AMAZING.

Maybe you can share the target with us so we can check?
  #3  
09-15-2018, 04:47
cjack
Yes, sure! Here is the link:

h**ps://mega.nz/#!V8RFxCDL!7JYuUUybRoJelyZwNvp8yB-LmkBGKEeJA_uUjfmxNls

I've put into the zip just the registration app and a trial key (expired in November 2017, but if you set the clock back it'll work).
As serial number use the string "Evaluation".

Hope to start the bruteforcing soon. Curious to see how much time it will take!
  #4  
03-04-2019, 14:11
Apuromafo
Quote:
Originally Posted by cjack
Yes, sure! Here is the link:

h**ps://mega.nz/#!V8RFxCDL!7JYuUUybRoJelyZwNvp8yB-LmkBGKEeJA_uUjfmxNls

I've put into the zip just the registration app and a trial key (expired in November 2017, but if you set the clock back it'll work).
As serial number use the string "Evaluation".

Hope to start the bruteforcing soon. Curious to see how much time it will take!

I think it is not necessary to do much with that app; I will send a private message.
x64dbg (no plugins)
hide command
bp at 00402A90 as hw bp and start to check
It is possible to use the values (provided) or any fake ones.
The end must be here:


Quote:
00403251 68 50714100 PUSH reg3.00417150
00403256 6A 06 PUSH 6
00403258 8B0D 18714100 MOV ECX,DWORD PTR DS:[417118]
0040325E 51 PUSH ECX
0040325F E8 EC2B0000 CALL reg3.00405E50
00403264 83C4 0C ADD ESP,0C
00403267 B9 06000000 MOV ECX,6
0040326C BE 40584100 MOV ESI,reg3.00415840 ; ASCII "Thank you for registering."
00403271 8DBD E0FEFFFF LEA EDI,DWORD PTR SS:[EBP-120]
00403277 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00403279 66:A5 MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
0040327B A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040327C 6A 00 PUSH 0
0040327E 68 00534100 PUSH reg3.00415300 ; ASCII "Encryptionizer Key Registration"
00403283 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00403289 52 PUSH EDX
0040328A 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0040328D 50 PUSH EAX
0040328E FF15 74214100 CALL DWORD PTR DS:[412174]
00403294 C705 BC6C4100 00>MOV DWORD PTR DS:[416CBC],0
0040329E 6A FF PUSH -1
004032A0 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
004032A3 51 PUSH ECX
004032A4 FF15 64214100 CALL DWORD PTR DS:[412164]
004032AA C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1

If you do not have the program, it will call the program's regedit values. I think there must not be a normal app with Armadillo (minimum protection).

BR, Apuromafo
  #5  
10-11-2018, 19:16
contextrax
Quote:
Originally Posted by cjack
Hi Contextrax, I have a VERY BAD target that I've been trying to reverse for a long time! The problem here is that it uses A LOT of protected executables, so, maybe, the right way will be attacking the ECDSA certificate itself.
I need support to calculate the last 4 ecc_curve_array[] parameters.
If you can help I'll extract the public certificate and post it here asap.
I think that a tool to calculate the 8 ecc_curve_array[] parameters will be AMAZING.

You want to break 4 113-bit ECC curves by solving ECDSA?
We used like 6 months last time, so unless you have access to a lot of CPUs this will take forever.
  #6  
10-22-2018, 15:27
sendersu
Quote:
Originally Posted by contextrax
You want to break 4 113-bit ECC curves by solving ECDSA?
We used like 6 months last time, so unless you have access to a lot of CPUs this will take forever.

What is more important in bruteforcing - CPU GHz speed or # of cores?

Tags
bolero, ecdlp

All times are GMT +8.