Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 07-19-2020, 16:34
Windoze Windoze is offline
Friend
 
Join Date: Nov 2019
Location: Germany
Posts: 33
Rept. Given: 3
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 45
Thanks Rcvd at 32 Times in 13 Posts
Windoze Reputation: 0
Alternate Approach to FlexLM Brute-Force

Hello,

I was looking through the old leaked FlexLM v9.2 source and had an idea...

What we want is LM_SEED1 - 3 but they are nowhere in the shipped files.
But we can get ENCRYPTION_SEED1 and ENCRYPTION_SEED2 from the target.
They are directly generated from the LM_SEEDS via a FIPS186 random generator.
The algorithm used in this RNG is SHA1. This should be much faster to brute force than the elliptic curve crypto.

Did anyone try this approach before? Do you think this is possible?

- Windoze
Reply With Quote
The Following User Says Thank You to Windoze For This Useful Post:
WRP (07-20-2020)
  #2  
Old 08-17-2020, 19:44
Vladimir Vladimir is offline
Friend
 
Join Date: Aug 2019
Location: Earth
Posts: 12
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 16
Thanks Rcvd at 24 Times in 4 Posts
Vladimir Reputation: 0
Yes, surely it seems be any approach to solve problem.

I had a similar project on my desk that uses Flexlm 11.x, I tried doing Brute-F but when I got the estimated time , the numbers were jaw dropping.

I had IDA sig along with til for major of Flexlm function(which i planned to release on exetools very soon if every thing goes well.)
Reply With Quote
The Following 2 Users Say Thank You to Vladimir For This Useful Post:
deepzero (08-17-2020), niculaita (08-22-2020)
  #3  
Old 08-20-2020, 22:06
nathan nathan is offline
Friend
 
Join Date: Jul 2009
Posts: 37
Rept. Given: 4
Rept. Rcvd 5 Times in 4 Posts
Thanks Given: 17
Thanks Rcvd at 26 Times in 17 Posts
nathan Reputation: 5
Did you actually give it a try or it is just an high level idea so far ?
Reply With Quote
  #4  
Old 08-20-2020, 22:08
nathan nathan is offline
Friend
 
Join Date: Jul 2009
Posts: 37
Rept. Given: 4
Rept. Rcvd 5 Times in 4 Posts
Thanks Given: 17
Thanks Rcvd at 26 Times in 17 Posts
nathan Reputation: 5
And may be this could be a good starting point https://forum.exetools.com/showthread.php?t=19605
Reply With Quote
  #5  
Old 08-21-2020, 00:46
Windoze Windoze is offline
Friend
 
Join Date: Nov 2019
Location: Germany
Posts: 33
Rept. Given: 3
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 45
Thanks Rcvd at 32 Times in 13 Posts
Windoze Reputation: 0
Quote:
Originally Posted by nathan View Post
Did you actually give it a try or it is just an high level idea so far ?
It's just an idea at the moment
Reply With Quote
  #6  
Old 10-18-2020, 03:52
JohnDoe JohnDoe is offline
Guest
 
Join Date: Sep 2020
Posts: 3
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 4
Thanks Rcvd at 1 Time in 1 Post
JohnDoe Reputation: 0
I think to bruteforce SHA-1 with 160bit key is a quite challenging task.
Despite successful theoretical attacks on the algorithm in practice, it will take a huge amount of time
Reply With Quote
  #7  
Old 10-18-2020, 09:44
Rasmus Rasmus is offline
Friend
 
Join Date: Jul 2019
Posts: 174
Rept. Given: 0
Rept. Rcvd 8 Times in 7 Posts
Thanks Given: 106
Thanks Rcvd at 102 Times in 60 Posts
Rasmus Reputation: 8
Quote:
Originally Posted by JohnDoe View Post
I think to bruteforce SHA-1 with 160bit key is a quite challenging task.
Despite successful theoretical attacks on the algorithm in practice, it will take a huge amount of time
Yeah, not new news
Reply With Quote
  #8  
Old 10-19-2020, 09:35
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 725
Rept. Given: 35
Rept. Rcvd 48 Times in 30 Posts
Thanks Given: 666
Thanks Rcvd at 1,050 Times in 475 Posts
chants Reputation: 48
Do you know multiple hashes from the same key with different known plaintext?

E.g
Fixed text+salt1+password->sha1 hash1
Fixed text+salt2+password->sha1 hash2
...

Then a SAT solver starts to beat brute force and with enough salt and hash pairs starts to become practical.

I've wanted to do this exact idea on IDA7.2 since we have 2 decompiler installers with identical filename guids and almost surely same passwords. Sure a single hash is hard to break but it would be really interesting to know when this attack becomes practical. I dont think it's been researched much.
Just a thought as if there is a context where 80 or so input bit are unknown but dozens of pairs are available then brute force will take a century but a SAT solver would might take minutes. I say might because presumably the equations sharing input bits should reduce the search much more quickly. You dont need the whole 160 bit hash either. Probability wise you need around the same % as % input bits are unknown. Unknown input bits×160/512. Again I dont know as I need time for such research but sometime I might do this for publication even. It's too interesting not to try
Reply With Quote
  #9  
Old 10-21-2020, 04:04
Windoze Windoze is offline
Friend
 
Join Date: Nov 2019
Location: Germany
Posts: 33
Rept. Given: 3
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 45
Thanks Rcvd at 32 Times in 13 Posts
Windoze Reputation: 0
The algorithm used by FlexLM is as follows: (Pseudocode)
Code:
byte in1[32] = {0};
in1[0..3] = Seed1;
in1[4..7] = Seed2;
in1[8..11] = Seed3;
hash1 = SHA1(in1);

byte in2[64] = {0};
in2[0..19] = hash1;
hash2 = SHA1(in2);

if (hash2[0..3] == EncryptionSeed1 && hash2[4..7] == EncryptionSeed2) {
    Seeds found :)
}
So it is a double SHA1. Also since the second hash has 64 input-bytes you need 2 rounds. So it is 3 rounds of SHA1 in total for each try.

Also some of the Seed Values can be skipped, since FlexLM will not accept them.
Code:
l_reasonable_seed(unsigned int seed)
{
	if (!seed || 
		(seed == 1234567890) ||
		(seed == 123456789) ||
		(seed == 0x11223344) ||
		(seed == 0x00112233) ||
		(seed == 0x44556677) ||
		(seed == 0xdeadbeef) ||
		(seed == 0x12345678) ||
		(seed == 0x87654321) ||
		(seed == 0xabcdef01) ||
		(seed == 0x90abcdef) ||
		(seed == 0x01234567) ||
		(seed == 0x76543210) ||
		(seed >  0xfff00000) || /* small negative number */
		(seed <  0x00f00000) ) /* small number */
			return 0;
	return 1; /* success */
}
Reply With Quote
The Following User Says Thank You to Windoze For This Useful Post:
DominicCummings (09-19-2021)
  #10  
Old 10-21-2020, 19:23
FoxB FoxB is online now
VIP
 
Join Date: Jan 2002
Location: Earth...
Posts: 934
Rept. Given: 15
Rept. Rcvd 125 Times in 83 Posts
Thanks Given: 20
Thanks Rcvd at 675 Times in 278 Posts
FoxB Reputation: 100-199 FoxB Reputation: 100-199
from l_prikey.c :

/*
* l_genseed
* hardware dependent. Generate random seeds.
* Exits with error message to stderr upon error
*/
int
l_genseed( void)
{.....

explain about
Quote:
if (hash2[0..3] == EncryptionSeed1 && hash2[4..7] == EncryptionSeed2) {
Seeds found

Last edited by FoxB; 10-22-2020 at 01:13.
Reply With Quote
The Following User Says Thank You to FoxB For This Useful Post:
niculaita (10-23-2020)
Reply

Tags
flexlm

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Flexlm ECC alternate patching methods nathan General Discussion 102 05-31-2019 06:30
Brute Forcing a Custom CRC chessgod101 Source Code 0 05-30-2014 03:48


All times are GMT +8. The time now is 18:33.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )