Exetools forum, General Discussion
#16
08-04-2003, 20:33
alephz (VIP)
Quote:
Originally posted by 5Alive
I was hoping that it uses a standard library such as DCPCrypt; it uses something called TCipherStreamFactoryRC5 to handle the decryption.
1. Try CC from 'Help Me - CRC Check and FileSize Check' topic
h**p://w*w.exetools.com/forum/showthread.php?threadid=2385

2. RC5/6 is implemented in a lot of libraries on the net.

3. See the attachment as an example of RC6 at work (it's the source for the Oscar 17 (Summer Edition) serials database decipher).
Attached file: oscar.rar (52.2 KB)
#17
08-04-2003, 20:53
alephz (VIP)
Quote:
Originally posted by alephz
3. See the attachment as an example of RC6 at work (it's the source for the Oscar 17 (Summer Edition) serials database decipher).
Sorry, I forgot about the RC6 source.
Attached file: crypto stuff.zip (7.1 KB)
#18
08-04-2003, 23:01
bolo2002 (VIP)
Do you still have a page, alephz?

I remember great tools posted on it.

Thanks.
#19
08-04-2003, 23:17
alephz (VIP)
Quote:
Originally posted by bolo2002
Do you still have a page, alephz?
It was killed immediately after I put up some stuff about
F-Group Software junk progs. (h**p://w*w.fgroupsoft.com)

Unfortunately, for now I haven't time to recover it and, more
sadly, haven't time to enjoy the new junk from F-Group Software.

Well, I keep it on my TODO list :-\
#20
08-05-2003, 01:09
5Alive (Friend)
Quote:
Originally posted by alephz
Sorry, I forgot about the RC6 source.
No problem, I was a little confused by the previous file's contents; had that "something's missing" feeling.

Thank you. I'll give this a look over.

5Alive
#21
08-06-2003, 02:22
bolo2002 (VIP)
Quote:
Originally posted by alephz
It was killed immediately after I put up some stuff about
F-Group Software junk progs. (h**p://w*w.fgroupsoft.com)

Unfortunately, for now I haven't time to recover it and, more
sadly, haven't time to enjoy the new junk from F-Group Software.

Well, I keep it on my TODO list :-\

Well, thanks for the answer!
#22
08-06-2003, 23:26
ByTESCRK
Oops. I forgot I'm not supposed to post requests in this forum, and JMI edited my post to this stupid message.

Actually, if I'd taken the time to use the "search" button and "kanal" on the left side, I would have found the answer to my question here:

http://www.exetools.com/forum/showthread.php?s=&threadid=2348&highlight=kanal

P.S. LOL, JMI, thanks friend.

Last edited by ByTESCRK; 08-07-2003 at 23:51.
#23
08-07-2003, 18:14
5Alive (Friend)
Quote:
Originally posted by alephz
1. Try CC from 'Help Me - CRC Check and FileSize Check' topic
h**p://w*w.exetools.com/forum/showthread.php?threadid=2385

2. RC5/6 is implemented in a lot of libraries on the net.
Just a quick update: the CC tool confirmed that the exe had RC5; knowing these offsets, I was able to locate the subroutine.
Thanks, alephz!


I have since found a string ref to RC4 too! I think the serial number is an RC4 key, and the content decryption is handled by RC6.

The app produces a unique system ID number using API calls to GetSystemInfo, GetComputerNameA and GetVolumeInformationA.
This is to restrict a valid password to a single PC.

If your system ID changes, you are sent a new serial to unlock the content. Therefore, the system ID is equivalent to a user name and the serial is the password.

So I think I am looking at some sort of RC4 keygen. Yikes!
I've got some more questions I'll try to answer myself before posting.

I'm new to reverse engineering, where do the hours go?

5Alive.
#24
08-07-2003, 20:02
ArC (VIP)
RC4 isn't that hard.
#25
08-07-2003, 20:20
5Alive (Friend)
Is the best solution to rip the RC4 code and insert it into your own app? I'm using DeDe and IDA.

Once I've isolated the code, is MASM the best tool for keygen creation?

I notice that DeDe doesn't recognise Win32 API calls and IDA doesn't recognise some custom Delphi library calls.

Can this be fixed, or do I need to work between the two to build a clearer picture of what the functions are doing?

I've compiled/created DCU/DSF files from source code to help me identify calls in DeDe.

As far as I'm aware, FLIRT only supports Delphi 1.0 TPUs, which is of no use to me. Anyone know any different and like to share their knowledge?

Thanks, 5Alive.
#26
08-07-2003, 20:29
ArC (VIP)
Quote:
Is the best solution to rip the RC4 code and insert it into your own app?
You can try to rip the RC4 code.....
But pay attention to the S-box and to the field K!
Don't forget to rip the init routine!

Quote:
Once I isolated the code, is MASM the best tool for keygen creation?
When I code a keygen in ASM, I use MASM (MASM32 v8).

Quote:
I notice that DeDe doesn't recognise Win32 API calls and IDA doesn't recognise some custom Delphi library calls.
That's why I usually use Olly and/or DeDe with IDA.
As sKAMER said: Olly and IDA --> deadly combo

Last edited by ArC; 08-07-2003 at 20:35.
#27
08-07-2003, 20:36
5Alive (Friend)
Thanks, I'll keep your comments in mind when attempting this.

5Alive.
#28
08-07-2003, 20:40
5Alive (Friend)
Quote:
Originally posted by ArC
You can try to rip the RC4 code.....
But pay attention to the S-box and to the field K!
Don't forget to rip the init routine!

To find the values of the S-box and K field I would need to single step with a debugger to extract these values. Is this correct?

5Alive.
#29
08-07-2003, 20:47
ArC (VIP)
Usually there should be an init routine
which inits the S-Box and the K field.
If you want to rip, you will have to rip the init routine as well.
However, you should trace (with a debugger) the init routine
as well since it usually contains the key.
#30
08-07-2003, 20:53
5Alive (Friend)
Thanks, I'll look into trying this. I have source for RC4 just now, so I'll probably create my own little program to encrypt/decrypt to familiarise myself with its workings.

5Alive.
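An added example, written for this page and not taken from any post in the thread or from the ripped routine 5Alive is working on: a plain RC4 in C that separates the init routine (the key-scheduling step ArC says must be ripped along with the cipher loop) from the keystream loop, and checks itself against published RC4 test vectors (key "Key" / plaintext "Plaintext", "Wiki" / "pedia", "Secret" / "Attack at dawn"). The S-box is the 256-byte permutation `S`, and the "field K" is the key buffer the init routine indexes modulo the key length; the names `rc4_ctx`, `rc4_init`, `rc4_crypt` and `rc4_check_vector` are this example's own.

```c
/* RC4: key-scheduling algorithm (the "init routine") plus keystream generator.
 * Added example for this thread; not code from the posts or from the target app.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint8_t S[256];   /* the S-box: a key-dependent permutation of 0..255 */
    uint8_t i, j;     /* keystream indices; both 0 right after init */
} rc4_ctx;

/* Init routine (KSA). Reads every key byte (K field) cyclically over all 256
 * iterations, which is why tracing this routine in a debugger exposes the key.
 * Without it the cipher loop below is useless: S depends entirely on the key. */
void rc4_init(rc4_ctx *ctx, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int i = 0; i < 256; i++)
        ctx->S[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + ctx->S[i] + key[i % keylen]);   /* mod 256 via uint8_t wrap */
        uint8_t t = ctx->S[i]; ctx->S[i] = ctx->S[j]; ctx->S[j] = t;
    }
    ctx->i = 0;
    ctx->j = 0;
}

/* Keystream loop (PRGA): XORs keystream into buf in place. Encrypting and
 * decrypting are the same call, so a decryptor is just a fresh init + this. */
void rc4_crypt(rc4_ctx *ctx, uint8_t *buf, size_t len)
{
    for (size_t n = 0; n < len; n++) {
        ctx->i = (uint8_t)(ctx->i + 1);
        ctx->j = (uint8_t)(ctx->j + ctx->S[ctx->i]);
        uint8_t t = ctx->S[ctx->i]; ctx->S[ctx->i] = ctx->S[ctx->j]; ctx->S[ctx->j] = t;
        buf[n] ^= ctx->S[(uint8_t)(ctx->S[ctx->i] + ctx->S[ctx->j])];
    }
}

/* Encrypt pt under key, compare with the expected ciphertext (lowercase hex),
 * then decrypt again with a re-initialised context to prove the round trip.
 * Returns 1 on success, 0 on any mismatch or malformed input. */
int rc4_check_vector(const char *key, const char *pt, const char *expected_hex)
{
    uint8_t buf[64];
    size_t len = strlen(pt);
    if (len > sizeof buf || strlen(expected_hex) != 2 * len) return 0;
    memcpy(buf, pt, len);

    rc4_ctx ctx;
    rc4_init(&ctx, (const uint8_t *)key, strlen(key));
    rc4_crypt(&ctx, buf, len);

    for (size_t n = 0; n < len; n++) {
        char hex[3];
        snprintf(hex, sizeof hex, "%02x", buf[n]);
        if (strncmp(hex, expected_hex + 2 * n, 2) != 0) return 0;
    }

    /* The init routine must be re-run: S and i/j are consumed by the first pass. */
    rc4_init(&ctx, (const uint8_t *)key, strlen(key));
    rc4_crypt(&ctx, buf, len);
    return memcmp(buf, pt, len) == 0;
}

int main(void)
{
    /* Published RC4 test vectors (key / plaintext / ciphertext). */
    printf("Key/Plaintext:         %s\n",
           rc4_check_vector("Key", "Plaintext", "bbf316e8d940af0ad3") ? "ok" : "FAIL");
    printf("Wiki/pedia:            %s\n",
           rc4_check_vector("Wiki", "pedia", "1021bf0420") ? "ok" : "FAIL");
    printf("Secret/Attack at dawn: %s\n",
           rc4_check_vector("Secret", "Attack at dawn", "45a01f645fc35b383552544b9bf5") ? "ok" : "FAIL");
    return 0;
}
```

The point for ripping: a copied cipher loop that starts from a dumped S-box only works for the one key that produced that dump, since the second loop of `rc4_init` permutes `S` using every key byte. If the app derives the key from the system ID or serial, the value passed into the init routine is what to watch in the debugger, not the S-box afterwards.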