Help Understanding WIBU-BoX internal encryption process


qd0097
November 2nd, 2018, 23:37
I have developed a fake wkWin64.dll that responds well with the host program I am trying to fool.

However, I have run into a problem. The access method requested by the host program requires that I use direct method encryption (WKB_SEL_DIRECT). This encryption process is symmetrical.

Unfortunately, I don't know what type of FEAL WIBU-BOX v11 uses in the encryption/decryption process. From my research, there appear to be many different types of FEAL encryption methods (FEAL-8, FEAL-4, FEAL-NX, FEAL-N, etc.).

I have the AsicBuild, Firm Code, User Code and Selection Code, but I don't know what the 88-bit const value pertains to.
I have searched online and throughout the WIBU-SDK, but I can't find up-to-date details on the inner workings of the WIBU-BOX anywhere online.

So, when the host program calls WkbCrypt2, I can't really do much.

https://i.imgur.com/vHjVPwz.png

NOTE: I don't have access to a WIBU-BOX usb.

If anyone could provide some resources or impart some knowledge my way, that would be awesome.

FoxB
November 3rd, 2018, 02:48
wibu algo v1 is some knuth47 permutate, not used in modern wibu-protected software.
wibu algo v2, v3 is FEAL-8, 40-bit selection sequence key, can be recovered by using the brute-force process.
wibu algo v4, v5 is FEAL-32, 64-bit selection sequence key.

algo v2 == v3, v4 == v5. difference for the FC only.

const is 0x37 for v2, v3
const is (FirmCode & 0xFF) for v4, v5

qd0097
November 3rd, 2018, 04:09
I do not have a WIBU-BOX dongle so I can't really be sure what algorithm version will suffice. I do remember the dongle was in use from 2011-2012. It might have been a WibuBox/RU+ or WibuBox/RU. Not really sure. I only have the dongle dump now which states that the version of wibu-box is 11, but I haven't found anything to correlate that with an algorithm.

https://i.imgur.com/yveneUy.png

You mentioned that Wibu's V2 algorithm can be brute-forced. I am a bit confused by that given that I have the AsicBuild, Firm Code, User Code and Selection Code. So my thought process was that I would just need to go over the encrypted bytes in the same process as pictured in my first post.

Lastly, I just want to clarify, did you mean the 88-bit const for v2 & v3 is 0x37 and for v4 & 5 the const is the firmware bit masked with 0xff (0x000fd0b0 & 0xff)?

FoxB
November 3rd, 2018, 12:00
it is not dependent on asic ver

qd0097
November 3rd, 2018, 19:40
Oh my mistake. Thanks

Do you know what the 88-bit const refers to?

FoxB
November 4th, 2018, 01:53
i think wibu-guys only. but for real purpose you do not need this 88 bit.
from v2,3,4,5 cipher you can extract some data for brute-force. for v2,3 it is possible to extract the key in 1-4 days (8 rounds of the feal cipher and 40 bit key), for v4,5 - not possible (32 rounds of the feal cipher and 64 bit key) in reasonable time.

qd0097
November 4th, 2018, 03:04
Okay. Got it. Thanks for your help. It has really cleared up a lot of my misconceptions.
Really appreciate it. 😁