LiSa
May 28th, 2003, 06:21
hello crypto reversers,
I am currently reversing a licensing manager system using a dongle/token number scheme
The dongle query gives a 32-bit hostid: rnbosentinelpro static library
A token (16 hex digits) is requested from the user
hi, crypto reversers,
I am currently investigating a custom licence manager scheme using an sspro dongle and key (named token) registration
but I am stuck understanding which algo is used....
In the registration process, the token and hostid are passed through Is_token_valid_sub_404070
this procedure calls sub_402910, which checks that hostid/token pairs are valid
in sub_402910
key1 = set_keys_4028A0(hostid, buffer)
key2 = set_keys_4028A0(81040100, buffer)
hostid is expanded to a 64-bit value and submitted to parity checking, and key1 is returned
a hardcoded value 81040100 is also expanded the same way and key2 is returned
then bool sub_decrypt_and_check_402730 (key1, key2, buffer, token) is called
in this sub the following are called:
sub_unknown_algo_403DD0 (key2,token, 8, switch=1, product name)
operations on modified token
sub_unknown_algo_403DD0 (key1,token,8,0, switch=0, productname)
operation on modified token
return good or bad in esi
Is_token_valid_ and rnbo fct can easily be patched to enable the whole stuff but,
I want to understand the inner behavior of sub_403DD0. This procedure mainly uses two calls, in
which there are unrolled loops with tons of rounds which look like a custom DES implementation.
Can you have a look at this stuff?
program removed...