Exetools  

  #1  
Old 10-13-2005, 22:18
winndy
VIP
 
Has anyone seen this cryptographic routine?

0041C249 . C74424 60 6>mov dword ptr ss:[esp+60],CD49046B
0041C251 . C74424 64 C>mov dword ptr ss:[esp+64],829A80CB
0041C259 . C74424 68 C>mov dword ptr ss:[esp+68],3F5157C0
0041C261 . C74424 6C 8>mov dword ptr ss:[esp+6C],B50C6384
0041C269 . C74424 70 5>mov dword ptr ss:[esp+70],AA56D550
0041C271 . C74424 74 7>mov dword ptr ss:[esp+74],B05ADF71
0041C279 . C74424 78 D>mov dword ptr ss:[esp+78],7B2E3CD4
0041C281 . C74424 7C C>mov dword ptr ss:[esp+7C],CFB69AC3

Does anyone know which cryptographic algorithm this is?
Thanks.
  #2  
Old 10-14-2005, 00:45
Archer
retired
 
It can be anything, even non-crypto stuff. Try PEiD's KANAL plugin to identify crypto signatures.
  #3  
Old 10-14-2005, 01:30
Peter[Pan]
 
I saw the same thing twice before, not the same dwords, but it was setting up the bignum for RSA. But, as he said, use KANAL, or CryptoSearcher should give a better result.
  #4  
Old 10-14-2005, 02:16
MaRKuS-DJM
Cracker + Unpacker
 
I had a target where such instructions prepared a SHA routine.
  #5  
Old 10-14-2005, 02:17
SLV
Friend
 
It's simply 8 dwords... we need more code, and if KANAL doesn't detect these constants then it may simply be home-made crypto... or it may be bignums...
  #6  
Old 10-14-2005, 04:58
NeOXOeN
Friend
 
There is also a good crypto searcher by Christal at http://christal1.cjb.net/

Try that if PEiD doesn't work...

Bye, NeOXOeN
  #7  
Old 10-14-2005, 12:33
winndy
VIP
 
Well, thanks all, firstly.
I met this when I tried to make a keygen for WMV to AVI MPEG DVD WMV Converter 1.4.8.
It's easy to patch, but I want a keygen.
The official site is: http://www.alloksoft.com.

Code:
0041C220    > \6A FF       push -1
0041C222    .  68 191D4300 push WMV_to_A.00431D19                  ;  SE handler installation
0041C227    .  64:A1 00000>mov eax,dword ptr fs:[0]
0041C22D    .  50          push eax
0041C22E    .  64:8925 000>mov dword ptr fs:[0],esp
0041C235    .  81EC 940000>sub esp,94
0041C23B    .  8B8424 A400>mov eax,dword ptr ss:[esp+A4]
0041C242    .  53          push ebx
0041C243    .  56          push esi
0041C244    .  50          push eax
0041C245    .  8D4C24 10   lea ecx,dword ptr ss:[esp+10]
0041C249    .  C74424 60 6>mov dword ptr ss:[esp+60],CD49046B
0041C251    .  C74424 64 C>mov dword ptr ss:[esp+64],829A80CB
0041C259    .  C74424 68 C>mov dword ptr ss:[esp+68],3F5157C0
0041C261    .  C74424 6C 8>mov dword ptr ss:[esp+6C],B50C6384
0041C269    .  C74424 70 5>mov dword ptr ss:[esp+70],AA56D550
0041C271    .  C74424 74 7>mov dword ptr ss:[esp+74],B05ADF71
0041C279    .  C74424 78 D>mov dword ptr ss:[esp+78],7B2E3CD4
0041C281    .  C74424 7C C>mov dword ptr ss:[esp+7C],CFB69AC3
0041C289    .  E8 E8280100 call <jmp.&MFC42.#537>                  ;  kernel32.lstrlenA;MSVCRT.memcpy
0041C28E    .  8B8C24 B000>mov ecx,dword ptr ss:[esp+B0]
0041C295    .  C78424 A400>mov dword ptr ss:[esp+A4],0
0041C2A0    .  51          push ecx
0041C2A1    .  8D4C24 0C   lea ecx,dword ptr ss:[esp+C]
0041C2A5    .  E8 CC280100 call <jmp.&MFC42.#537>
0041C2AA    .  8B5424 0C   mov edx,dword ptr ss:[esp+C]
0041C2AE    .  8B35 BC2544>mov esi,dword ptr ds:[<&MSVCRT._mbscmp>>;  msvcrt._mbscmp
0041C2B4    .  68 60FC4300 push WMV_to_A.0043FC60                  ; /s2 = ""
0041C2B9    .  52          push edx                                ; |s1
0041C2BA    .  C68424 AC00>mov byte ptr ss:[esp+AC],1              ; |
0041C2C2    .  FFD6        call esi                                ; \_mbscmp
if(Decipher(Registrationcode)==username)
    Registration successful.

It seems to be the initial value.
It should be a symmetric cipher:
cipher(username)=Registrationcode
  #8  
Old 10-16-2005, 23:07
cbs
 

Quote:
Originally Posted by winndy
It should be symmetrical cipher .
cipher(username)=Registrationcode
Actually you are not right. This is asymmetric crypto.

These three calls look like BigCreate or something like that:

Code:
.text:0041C2ED                 call    sub_401974
....
.text:0041C300                 call    sub_401974
....
.text:0041C317                 call    sub_401974
and for the third call you have this parameter:
Code:
push    10001h
This is a typical value for the public exponent (E) of the RSA cryptosystem.



on this line

Code:
0041C289   . E8 E8280100    CALL <JMP.&MFC42.#537>
at esp+60 you have:

Code:
0012CDF4  6B 04 49 CD CB 80 9A 82
0012CDFC  C0 57 51 3F 84 63 0C B5
0012CE04  50 D5 56 AA 71 DF 5A B0
0012CE0C  D4 3C 2E 7B C3 9A B6 CF
Code:
6B 04 49 CD CB 80 9A 82 C0 57 51 3F 84 63 0C B5 50 D5 56 AA 71 DF 5A B0 D4 3C 2E 7B C3 9A B6 CF
If we remove the spaces we get this:

Code:
6B0449CDCB809A82C057513F84630CB550D556AA71DF5AB0D43C2E7BC39AB6CF
Now paste it into RSA Tool's Modulus (N) field and press 'Reverse'. Now you've got the public key:

Code:
CFB69AC37B2E3CD4B05ADF71AA56D550B50C63843F5157C0829A80CBCD49046B
To create a keygen you have to find the factors (find p and q such that p*q=N). For this you can use RSA Tool, but when you have a modulus > 200 bits (in your case you have 256 bits) RSA Tool is too slow. So you had better use the tools by Satoshi Tomabechi.

You can get these tools here:
Code:
http://www.asahi-net.or.jp/~KC2H-MSM/cn/
When you get p and q you can calculate D.

When you have N & D you can code the keygen.
  #9  
Old 10-17-2005, 18:22
winndy
VIP
 
cbs, good man!
You are right!

N=CFB69AC37B2E3CD4B05ADF71AA56D550B50C63843F5157C0829A80CBCD49046B
I used ppsiqs v1.1 to get the factors p and q.
P=E4E7E39EE5E5C98788BF466DDCBAB2DF
Q=E84C8EBF8D5AA6A5ACB2569542DBCBF5
and used tE's RSA Tool.
E=10001
D=3CE0C02B5B070A3D2C12F63A523A70FA57692AFC70FAE36480D0E33205F6B4C1

BRD made a keygen for v1.4.6 of this product which could be used on v1.4.8.
I disassembled the keygen to study it, ^_^.
The RSA value of the name should be changed into the registration key by some tricks.

Really appreciate the help of all you!

Regards
  #10  
Old 10-18-2005, 01:02
cbs
 
Quote:
Originally Posted by winndy
I disassembled the keygen to study it, ^_^.
The RSA value of the name should be changed into the registration key by some tricks.
Well, not the best way but applicable... only for study!

I've received a PM asking which tool by Satoshi Tomabechi to use. Generally PPSIQS is used.
But don't use RSA Tool for large composite numbers. It's too slow. I have tested RSA Tool vs PPSIQS and PPSIQS is approximately 3 (!) times faster. I tried RSA-255/256 many times and on my machine I get the factors in a bit more than one hour. RSA Tool requires ~4-5 hours for the same task. RSA Tool is designed for 'playing' with numbers and key generation, and it's much better to use specialized tools for factoring.
BTW I'm not sure if RSA Tool's key generation scheme is secure.
  #11  
Old 10-18-2005, 11:56
winndy
VIP
 
Quote:
Originally Posted by cbs
Well, not the best way but applicable... only for study!
Yes, sir, it's only for study!

Quote:
Originally Posted by cbs
I've received a PM asking which tool by Satoshi Tomabechi to use. Generally PPSIQS is used.
But don't use RSA Tool for large composite numbers. It's too slow. I have tested RSA Tool vs PPSIQS and PPSIQS is approximately 3 (!) times faster. I tried RSA-255/256 many times and on my machine I get the factors in a bit more than one hour. RSA Tool requires ~4-5 hours for the same task. RSA Tool is designed for 'playing' with numbers and key generation, and it's much better to use specialized tools for factoring.
I agree with you! I got the factors with PPSIQS in about 1 hour.
But RSA Tool is very slow.
I used RSA Tool to calculate D.
Quote:
Originally Posted by cbs
BTW I'm not sure if RSA Tool's key generation scheme is secure.
Have you looked at API Spy Version 2.5, by Vitaly Evseenko?

I downloaded it from programmerstools.
I cracked it; a username could have many keys.
In fact, it uses RSA.
When I searched for RSA in the tutorials on pediy.com (a Chinese site),
I found someone who had cracked apis32 and made a keygen.
In the tutorial he said it used RSA, and surely it was!
I got a little puzzled.
In RSA, one username has one code.
But I could get two or four, or more.
Does RSA have collisions like MD5?
If so, RSA should not be used for digital signatures.

Regards
  #12  
Old 10-18-2005, 22:00
Lunar_Dust
 
RSA doesn't have collisions, but usually what's encrypted isn't the actual document, it's the hash of the document. Since asymmetric crypto is too slow, usually they just take a hash of the doc and then encrypt the hash with RSA with the private key. Then the end user uses the public key to decrypt the hash, takes the hash of the document themselves, and compares the hashes. If they match, this means the document hasn't been changed. If MD5 (the most common hash) has collisions (still very rare, I think) then that is why you may see it, because possibly they RSA the hash only.

-Lunar
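Putting the steps of this thread into one runnable script: the little-endian dword stores and the 'Reverse' step from post #8, the factors p, q and the exponent E from post #9, and the hash-then-sign scheme Lunar_Dust describes in post #12. This is an added example written for this page; it is not code from the thread, from the BRD keygen, or from the target program. Assumptions, labelled in the code: the mapping from username to RSA message (MD5 of the name, read big-endian) is a guess, since post #9 only says the RSA value is turned into a registration key "by some tricks", and the real target's check may differ. The script computes d itself instead of trusting the posted D, and includes a check of whether the posted D is a valid private exponent for these p and q.

```python
"""Worked RSA keygen pipeline for the values discussed in this thread.

Added example, not code from the thread, the target, or the BRD keygen.
Requires Python 3.8+ (pow(e, -1, m) for the modular inverse).
"""
import hashlib
import math

# The eight immediates stored at [esp+60] .. [esp+7C] (post #1 / post #7).
STACK_DWORDS = [0xCD49046B, 0x829A80CB, 0x3F5157C0, 0xB50C6384,
                0xAA56D550, 0xB05ADF71, 0x7B2E3CD4, 0xCFB69AC3]

# Factors reported in post #9 (output of PPSIQS) and the public exponent
# seen pushed before the third bignum call in post #8.
P = 0xE4E7E39EE5E5C98788BF466DDCBAB2DF
Q = 0xE84C8EBF8D5AA6A5ACB2569542DBCBF5
E = 0x10001
# Private exponent posted in #9 (from RSA Tool); checked below, not trusted.
POSTED_D = 0x3CE0C02B5B070A3D2C12F63A523A70FA57692AFC70FAE36480D0E33205F6B4C1


def memory_image(dwords):
    """Bytes as they sit on the stack: each imm32 is written little-endian."""
    return b"".join(d.to_bytes(4, "little") for d in dwords)


def modulus_from_dwords(dwords):
    """Rebuild N the way post #8 does with RSA Tool's 'Reverse' button.

    The dump reads 6B 04 49 CD ... CF; reversing the 32 bytes and reading
    the result big-endian yields CFB69AC3...CD49046B.  Put differently, the
    dwords are N's 32-bit limbs, least significant limb first.
    """
    return int.from_bytes(memory_image(dwords)[::-1], "big")


def is_probable_prime(n):
    """Miller-Rabin with the first twelve primes as bases.

    Probabilistic at this size, but a sanity check worth running on
    whatever a factoring tool hands back before building a keygen on it.
    """
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def private_exponent(p, q, e):
    """d = e^-1 mod phi(N); the 'calculate D' step of post #8."""
    return pow(e, -1, (p - 1) * (q - 1))


def posted_d_is_valid(p, q, e, d):
    """True if e*d == 1 mod lcm(p-1, q-1), i.e. d works as a private
    exponent whether it was derived from phi(N) or from lambda(N)."""
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (e * d) % lam == 1


def username_to_message(name, n):
    """ASSUMPTION: how the target turns a name into an RSA message is not in
    the thread ('by some tricks', post #9).  This uses hash-then-sign as
    described in post #12: the MD5 digest of the name read big-endian, which
    is 128 bits and therefore always below the 256-bit modulus."""
    m = int.from_bytes(hashlib.md5(name.encode("utf-8")).digest(), "big")
    if not m < n:
        raise ValueError("message must be smaller than the modulus")
    return m


def make_regcode(name, n, d):
    """Keygen side: 'sign' the name with the private exponent."""
    return pow(username_to_message(name, n), d, n)


def check_regcode(name, regcode, n, e):
    """Program side, knowing only (n, e): if(Decipher(regcode) == username)."""
    return pow(regcode, e, n) == username_to_message(name, n)


def regcode_hex(code):
    """Fixed-width hex, the usual way such a code is presented to the user."""
    return format(code, "064X")


if __name__ == "__main__":
    n = modulus_from_dwords(STACK_DWORDS)
    assert n == P * Q, "p*q does not give the modulus read from the binary"
    d = private_exponent(P, Q, E)
    print("N =", format(n, "X"))
    print("posted D valid:", posted_d_is_valid(P, Q, E, POSTED_D))
    code = make_regcode("winndy", n, d)
    print("regcode for winndy:", regcode_hex(code))
    print("verifies:", check_regcode("winndy", code, n, E))
```

The `p*q == N` and primality checks are the two things to run before spending time on a keygen: a factoring tool can hand back a cofactor that is itself composite, and a typo in a 64-hex-digit constant is invisible by eye. For a real target the `username_to_message` step has to be recovered from the disassembly (the thread says only that it exists); everything else here is standard textbook RSA with no padding, which is what such 2005-era protections used.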
  #13  
Old 10-18-2005, 23:13
winndy
VIP
 
Quote:
Originally Posted by Lunar_Dust
RSA doesn't have collisions, but usually what's encrypted isn't the actual document, it's the hash of the document. Since asymmetric crypto is too slow, usually they just take a hash of the doc and then encrypt the hash with RSA with the private key. Then the end user uses the public key to decrypt the hash, takes the hash of the document themselves, and compares the hashes. If they match, this means the document hasn't been changed. If MD5 (the most common hash) has collisions (still very rare, I think) then that is why you may see it, because possibly they RSA the hash only.

-Lunar
Thanks for your explanation.
I am still in the mist.
RSA(hash1)=RSA(hash2)
Whether hash1 and hash2 are MD5 hashes is not important.
What's important is that two different hashes arrived at the same RSA value.

Anyway, I generally agree with you that RSA has no collisions.
Maybe when the program apis32 v2.5 checks the regcode,
it is not the standard RSA_Decipher procedure, so I could
get different regcodes for the same username.

You could look at apis32 v2.5.
And I will provide more keys for the same username.

Regards
  #14  
Old 10-18-2005, 23:46
bytescrk
 
What is needed to use PPSIQS? I am receiving only...

Input number (input 0 to exit)
  #15  
Old 10-19-2005, 02:55
SlashZero
Friend
 
Hey bytescrk,

Just input the public modulus in base 10 ... and ... ENTER ... play with your girlfriend



Bye
All times are GMT +8.