Need some hints for a wkcrypt target


mueller5321
April 23rd, 2002, 00:07
I am trying to decrypt a target which is protected with wkcrypt.
WKCRYPT is a product from WIBU, and the target can only be
decrypted if the specific dongle is available.

It seems that the original code is not encrypted. Only at the very beginning of startup is the dongle checked, and the proc addresses are decrypted by the dongle's cipher.

Is there an easy way with procdump or revirgin?
I found a tutorial from snakebyte, but there are too many API calls to repair. So I hope there is a better and faster way.

Can anybody give me a hint? Or a tutorial?

Woodmann
April 23rd, 2002, 01:10
Hi,

Quote:
So i hope there is a better and faster way.


There isn't. I think the thing you might be looking for is called
a "kR/-\c". It is for people who don't have the desire to learn.

Needless to say, look for a link below to the CrackZ archive.
It is a good place to start if you want to learn.

Peace, Woodmann

mueller5321
April 23rd, 2002, 08:50
Quote:
I think the thing you might be looking for is called
a "kR/-\c".


You are wrong. I already handled FlexLM back in the early days when NB started doing his famous work. And I need no tool like "FlExGeN".

Also I know the CrackZ archive. The only tutorial listed there gives some hints about wkopen and wkcrypt, which only check the presence of the dongle, which is really simple to patch.
(There is a better one from snakebyte on the net, which gives much more information about my problem. But I do not want to resolve about 100 API calls on my own.)

I have already patched a lot of different targets which use other dongles like Rainbow, and also Hardlocks and HASPs.

What I am looking for is more in-depth information.
Or do you know the detailed algorithm inside the dongle?

WKcrypt begins, after checking the dongle's presence (simple to patch and step over), with the wkcrypt API function to decrypt a jump table. So without the dongle it is really difficult to find the entry.
With the dongle it is no problem to get the real EIP.

The problem I have at the moment is handling the resolving of the API call addresses.
Maybe I should try to get deeper into the usage of your (sorry, not yours, tsehp's) tool (revirgin).

Woodmann
April 23rd, 2002, 20:05
Hi,
You have my apologies. Your request appeared sort of lame.

The only way I have seen this done is the hard way:
look at all the APIs and work from there.

Perhaps if you find an easier way you would write a tutorial?

Peace, Woodmann

CrackZ
April 23rd, 2002, 23:09
Hrm,

1. I don't think your description of the problem is really very clear, or at least from what I gather of it. Tools like Procdump and Revirgin really aren't going to help you if your program uses WKBCrypt2() or its variants to decrypt a jump table. I really don't know what sort of information you were expecting them to be able to collect to resolve essentially unknown references to either code blocks or APIs; it just doesn't make any sense.

Your best bet might be building a list of unreferenced areas in IDA. I've had similar situations with other implementations where the dongle data decrypts the address of an address to be jumped to (trust me, if you've got lots of these you might need a LOT of luck, but then again.....).

2. You give no details of the parameters to WKBCrypt2() either. It has, as I recall, a selection of algorithms to use internally; some of these encryptions (transformed internally) have been broken, whilst others remain secure. Again, you need to provide more information.....

I'm not going to provide you with the information I do know about Wibu internally, but I'll suggest to you now to analyse wkwin32.dll if you are really serious about this.

Regards (awaiting further clarification, code, info).

CrackZ.

mueller5321
April 24th, 2002, 11:02
@woodmann: I understand. Maybe I should write my questions in more detail, and like a lamer crack request.

@crackz: The master of dongles himself :-)
You must distinguish between wbkcrypt2() and wkcrypt.

wbkcrypt2 is the API call which is used to decrypt an area of code or data.

wkcrypt is a tool like Sentinel which can be used to protect the whole program without the need to implement the API calls yourself. It is like ASPack, but the API addresses and some tables are encrypted. The decryption algorithm is only placed inside the dongle.
It is something like AES (Snakebyte mentioned it, but I can't believe it), and the firm and user code are used to parameterise this algorithm.
AES I can't believe, because the algorithm seems to be symmetric.
And additionally you can use different parameters in sequence:

         Para Set 1            Para Set 2
(org -------------> encrypt1 --------------> encrypt2)

         Para Set 2            Para Set 1
(org -------------> encrypt1 --------------> encrypt2)

gives the same result for encrypt2, but encrypt1 is different.

The wkcrypt in the form I have seen is very simple with the dongle but very hard (or simply impossible) without.

wkcrypt removes the original API call list (this is the reason I want to use revirgin).
First it checks the presence of the dongle with the correct firm and user code, like the SuperPros from Rainbow. Up to here, no problem.
After this, wkcrypt uses wbkcrypt2() to decrypt an area of data where pointers to the original program entry point and some other subfunctions are placed.
Then the API calls are resolved by decrypting a table.
After this, the program goes back to the code at the program entry point and
jumps indirectly via the decrypted table to some more program parts or the original program.
It seems to be very simple, because the original code is not encrypted at all. Only the original program entry point is encrypted.

But now comes the biggest problem.
Additionally, the wkcrypt code decrypts tables with the API addresses. The names are still present (not encrypted), but the addresses are encrypted.
So it looks like a typical job for procdump.

Snakebyte uses a standard assembler code module which gives back the correct addresses for the proc start address request.
The addresses and names must be fetched via debugging (not a big thing). But there are a lot of calls which have to be resolved, and so I asked if there is an easier way to do the job.

Until now I have used procdump only with the original scripts and have not written my own. It seems I have to write one for the dump job.

Then I should use revirgin to resolve the proc start addresses of the original program together with the dongle.
So I only have to jump to the original entry point and replace the proc address table with the decrypted one, and the job should be done.

Can somebody give me a link to a well documented tutorial on the use of procdump and revirgin? Best in German. (You see, I will do the job on my own :-)

Also, a nice thing would be the algorithm inside the dongle ;-)
Then a general decrypter could be made.

P.S. WIBU-KEY write very nice information about really difficult implementations of dongle checks. Search the web. They are really nice to read :-)

Sab`
April 24th, 2002, 23:20
algorithm = fealN, knuth20, permutation (in this case feal)
see wkwin32.dll like crackz said; all information needed is available. .exe = decryptable without dongle. Have fun.

-Sab

mueller5321
April 26th, 2002, 21:59
Next step reached :-)

I found a very simple and fast way to get over the wkcrypt layer.
It is really simple.
I start the program with the dongle. Then I made a dump with procdump (you can also use another dumper).
The dumped file isn't working. OK, but that is no problem.
I export the segment with the now-decrypted table info and import it into the original version in place of the encrypted ones (in my case 2 segments).
Instead of the dongle check with the decrypt function, I call the resolve function of the API calls directly, and voilà, I'm inside the layer and all API calls are resolved. Also the encrypted indirect EIP is correct, and I don't have to change the EIP.

Now I have to fight with the expected dongle query entries and other things, but the encrypted layer is beaten :-))
The only bad thing is that the calls are all done indirectly via memory entries, and so a dead code listing is not very nice to read.

Does anybody have a better way than mine?
Maybe I'll write a procdump script which does this automatically.

mueller5321
May 9th, 2002, 19:11
I want to verify my method.
Does anybody have a URL for the development kit for wkcrypt?

Or

A small target (maybe notepad) which I can have in 3 versions
(original unprotected, protected with wkcrypt, and a procdumped protected version)?


Thanks a lot

Max