EXETOOLS FORUM  

  #61  
02-17-2018, 04:54
contextrax
Quote:
Originally Posted by MrScotc
Hi, is it possible to write down all your discovery and translate into a PDF?

Be my guest
  #62  
02-18-2018, 02:36
cjack
Thanks for sharing ECC Source contextrax!
Excuse me for my ignorance, but how to calculate the 8 ecc_curve_array[] parameters of an Armadillo-protected application?
  #63  
02-20-2018, 02:29
contextrax
Quote:
Originally Posted by cjack
Thanks for sharing ECC Source contextrax!
Excuse me for my ignorance, but how to calculate the 8 ecc_curve_array[] parameters of an Armadillo-protected application?

The first four of them do not need to be changed for an Armadillo-protected target.
They are the Hamming weight, A in the Koblitz curve equation (y^2 + xy = x^3 + Ax^2 + B), point order and cofactor.
The last four are the x, y coordinates for the base point and public point in polynomial base.
Armadillo uses a 32-bit seed for the base point, so you will have to use the arma source code to calc these values. They are, however, in the Type 2 Optimal Normal Base, and you will have to do base conversion of them to go to x^113+x^9+1.
But for testing speed or making a Linux or GPU version this is not necessary.

The test curve that I use has A in the equation set to "0". This results in a different curve used for testing only. The order of this curve is 0x2000000000000000480DCA1242B1C and contains the factors:
Prime factor : 2 - (2 bits)
Prime factor : 2 - (2 bits)
Prime factor : 18B9 - (13 bits)
Prime factor : 1A89A0F - (25 bits)
Prime factor : 31F1F2A998BD31AF391 - (74 bits)
(Found by schoof2 from miracl library. "schoof2.exe 0 1 113 9")

This makes it pretty good for testing (coz of the low order), and the test curve base point has an order of 0x31F1F2A998BD31AF391 (74 bits).
You will also notice that the equivalence classes are maintained in all these subgroups (they all contain 113*2 as factors of p-1), which of course is typical for a Koblitz curve.

For base conversion you could make a matrix B=[1, b, b^2, ..., b^(m-1)] (m=113 for this base).
Multiplying b^m*B^-1 should give you a polynomial base, and to go from this base to x^113+x^9+1 you can use one of the 113 roots.
For root finding you can use Magma or Sage or some other algo if you want to make one yourself.

Hope this helps.

Last edited by contextrax; 02-20-2018 at 03:17.
The Following 3 Users Say Thank You to contextrax For This Useful Post:
alekine322 (10-25-2018), cjack (02-25-2018), tonyweb (02-25-2018)
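
An added example (not code from this thread): a sanity check of the test-curve numbers quoted in post #63, in the style of domain-parameter validation. It confirms that the listed factors are prime and multiply to the stated order, checks the Hasse bound for GF(2^113), and reports the size of the largest prime-order subgroup, which is what bounds the group's strength. The constants are copied from the post; the function and key names are assumptions made for this illustration.

```python
# Added check; constants copied from the post, names are illustrative.
M = 113                                   # field GF(2^113)
ORDER = 0x2000000000000000480DCA1242B1C   # stated test-curve order
FACTORS = [0x2, 0x2, 0x18B9, 0x1A89A0F, 0x31F1F2A998BD31AF391]
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed small-prime bases."""
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness: n is composite
    return True

def validate_order(order, factors, m):
    """Check a claimed factorisation of a curve order over GF(2^m)."""
    product = 1
    for f in factors:
        product *= f
    trace = 2**m + 1 - order      # Frobenius trace t = q + 1 - #E
    largest = max(factors)
    return {
        "product_matches": product == order,
        "all_prime": all(is_probable_prime(f) for f in factors),
        "hasse_ok": trace * trace <= 4 * 2**m,            # |t| <= 2*sqrt(q)
        "odd_factors_1_mod_2m": all((f - 1) % (2 * m) == 0
                                    for f in factors if f != 2),
        "largest_prime_bits": largest.bit_length(),
        # Generic discrete-log methods cost about sqrt(largest prime factor).
        "approx_security_bits": largest.bit_length() // 2,
        "cofactor": order // largest,
    }

if __name__ == "__main__":
    for key, value in validate_order(ORDER, FACTORS, M).items():
        print(f"{key}: {value}")
```

The result shows why a curve like this is only fit for testing: the field is 113 bits, but the largest prime-order subgroup is 74 bits, so the effective strength is roughly 37 bits.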
  #64  
02-20-2018, 03:46
cdrom0
Hello! This is really cool, but isn't Armadillo discontinued? I am asking because I couldn't find its homepage anymore.
  #65  
02-20-2018, 04:11
contextrax
Quote:
Originally Posted by cdrom0
Hello! This is really cool, but isn't Armadillo discontinued? I am asking because I couldn't find its homepage anymore.

Yes, that is true, but there are still a lot of programs that use it for protection and for licensing coz of the "unbreakable" elliptic curve system they use.
  #66  
09-14-2018, 12:53
cjack
Hi Contextrax, I have a VERY BAD target that I've been trying to reverse for a long time! The problem here is that it uses A LOT of protected executables, so, maybe, the right way will be attacking the ECDSA certificate itself.
Need support to calculate the last 4 ecc_curve_array[] parameters.
If you can help I'll extract the public certificate and post it here asap.
I think that a tool to calculate the 8 ecc_curve_array[] parameters will be AMAZING.

Last edited by cjack; 09-14-2018 at 13:50.
  #67  
09-14-2018, 22:48
Megin
Quote:
Originally Posted by cjack
Hi Contextrax, I have a VERY BAD target that I've been trying to reverse for a long time! The problem here is that it uses A LOT of protected executables, so, maybe, the right way will be attacking the ECDSA certificate itself.
Need support to calculate the last 4 ecc_curve_array[] parameters.
If you can help I'll extract the public certificate and post it here asap.
I think that a tool to calculate the 8 ecc_curve_array[] parameters will be AMAZING.

Maybe you can share the target with us so we can check?
  #68  
09-15-2018, 04:47
cjack
Yes sure! Here is the link:

h**ps://mega.nz/#!V8RFxCDL!7JYuUUybRoJelyZwNvp8yB-LmkBGKEeJA_uUjfmxNls

I've put into the zip just the registration app and a trial key (expired in November 2017, but if you set the clock back it'll work).
As serial number use the string "Evaluation".

Hope to start the bruteforcing soon. Curious to see how much time it will take!
The Following 2 Users Say Thank You to cjack For This Useful Post:
gsaralji (09-17-2018), niculaita (09-15-2018)
  #69  
10-11-2018, 19:16
contextrax
Quote:
Originally Posted by cjack
Hi Contextrax, I have a VERY BAD target that I've been trying to reverse for a long time! The problem here is that it uses A LOT of protected executables, so, maybe, the right way will be attacking the ECDSA certificate itself.
Need support to calculate the last 4 ecc_curve_array[] parameters.
If you can help I'll extract the public certificate and post it here asap.
I think that a tool to calculate the 8 ecc_curve_array[] parameters will be AMAZING.

You want to break 4 113-bit ECC curves by solving ECDSA?
We used like 6 months last time, so unless you have access to a lot of CPUs this will take forever.
  #70  
10-21-2018, 20:39
ismail
can u share the target?
  #71  
10-22-2018, 15:27
sendersu
Quote:
Originally Posted by contextrax
You want to break 4 113-bit ECC curves by solving ECDSA?
We used like 6 months last time, so unless you have access to a lot of CPUs this will take forever.

What is more important in bruteforcing - CPU GHz speed or # of cores?
  #72  
10-25-2018, 08:15
alekine322
Quote:
Originally Posted by contextrax
The first four of them do not need to be changed for an Armadillo-protected target.
They are the Hamming weight, A in the Koblitz curve equation (y^2 + xy = x^3 + Ax^2 + B), point order and cofactor.
The last four are the x, y coordinates for the base point and public point in polynomial base.
Armadillo uses a 32-bit seed for the base point, so you will have to use the arma source code to calc these values. They are, however, in the Type 2 Optimal Normal Base, and you will have to do base conversion of them to go to x^113+x^9+1.
But for testing speed or making a Linux or GPU version this is not necessary.

The test curve that I use has A in the equation set to "0". This results in a different curve used for testing only. The order of this curve is 0x2000000000000000480DCA1242B1C and contains the factors:
Prime factor : 2 - (2 bits)
Prime factor : 2 - (2 bits)
Prime factor : 18B9 - (13 bits)
Prime factor : 1A89A0F - (25 bits)
Prime factor : 31F1F2A998BD31AF391 - (74 bits)
(Found by schoof2 from miracl library. "schoof2.exe 0 1 113 9")

This makes it pretty good for testing (coz of the low order), and the test curve base point has an order of 0x31F1F2A998BD31AF391 (74 bits).
You will also notice that the equivalence classes are maintained in all these subgroups (they all contain 113*2 as factors of p-1), which of course is typical for a Koblitz curve.

For base conversion you could make a matrix B=[1, b, b^2, ..., b^(m-1)] (m=113 for this base).
Multiplying b^m*B^-1 should give you a polynomial base, and to go from this base to x^113+x^9+1 you can use one of the 113 roots.
For root finding you can use Magma or Sage or some other algo if you want to make one yourself.

Hope this helps.

I see that you have a mathematical or physical profile.
You have tried to use your models to find the protection system of flex_LM.
It also uses an ECC protection system.
(If I'm wrong, please correct me)
  #73  
10-26-2018, 14:17
RedLord
Quote:
Originally Posted by alekine322
I see that you have a mathematical or physical profile.
You have tried to use your models to find the protection system of flex_LM.
It also uses an ECC protection system.
(If I'm wrong, please correct me)

Yes, but flex uses stronger ECC.

Last edited by RedLord; 10-26-2018 at 14:54.

All times are GMT +8.