Vendors Custom Decryption


PizzaPan
May 5th, 2006, 11:56
Sorry to bother you guys, I have been working on a couple of targets for the past couple of days and after some analysis I came to the conclusion the files are encrypted using some type of DES.

My analysis:
I am aware target specific code is not allowed, however I am not too sure about the name of the company. I couldn't see it mentioned in the FAQ, so I will go ahead and type it, and if there is a problem please forgive me and edit it.

The targets I was working on both belong to the company COMPANY NAME DELETED, and they both use FlexLM. I had no problem retrieving the initial features and patching the ECC verification process.

Later on it scans through your license file looking for various features in the format:

XXXX_YYYY: X = 4 Digit Vendor, Y = 4 Digit Product ID

Now they have an entire table of these, so I dumped it and wrote a quick parser, and everything is fine, until I come to the second target, which is an addon for the first target.

Second Target:
The second target is a type of library addon for the first target, and from what I could tell it uses the vendor string from the features as a decryption key to decrypt the library file.

Example:
FEATURE XXXX_YYYY DEAMON DATE EXP COUNT \
ISSUER=X HOSTID=X SIGN=ECC_239BIT_SIG
VENDOR_STRING=XXXXXXXXXXXXXXXXXXXXXXXX

It takes the "XXXXXXXXXXXXXXXXXXXXXXXX", checks it's 0x18 in length and then splits it into 2 strings, both 0xC in length.

This is then converted further into dwords and used later, I assume, in the decryption process.

My question:
If they are still using 3DES, which I assume is correct, there really is no way to decrypt these without the real key, is there?

Also I am not an expert on encryption, but from reading, the 168-bit key is not going to be brute forced anytime soon, but could I assume that if I were to get the real keys from somebody else, everybody else would have that same string, because in the end the 3DES key must be the same to decrypt it?

Example:
User X Buys Feature "XXXX_YYYY" and gets Vendor String "ABCD"
User Y Buys Feature "XXXX_YYYY" and gets Vendor String "ABCD" also?

Thanks.

JMI
May 5th, 2006, 13:13
PizzaPan:

If you've actually READ the FAQ you should know better than to identify a target company product and then target specific code. If someone wants to know that information to attempt to help you with your project, you can provide that information by PM or email. I edited your Post to remove the target company name.

Regards,

PizzaPan
May 5th, 2006, 13:44
I appreciate you resolving it, and I apologize again. If you wouldn't mind, please point me to the part about company name. I am not saying you're wrong at all, just I can't seem to find the part that talks about it; I am hoping my eyesight is not as bad as I think:

Code:

* DO NOT POST TARGET SPECIFIC CODE THAT INCLUDES THE NAME OF THE TARGET: this means do not post code that shows where and how to patch/keygen blah blah blah on a specific target. Keep your code snippets as generic as possible while explaining your problem.

* DO NOT UPLOAD (ATTACH) ANY KIND OF COPYRIGHTED MATERIAL, INCLUDING EXECUTABLES OR OTHER PARTS OF SOFTWARE THAT YOU DO NOT HAVE EXPLICIT RIGHTS TO DISTRIBUTE (AND DON'T EVEN THINK ABOUT UPLOADING PATCHED, OR OTHERWISE MODIFIED VERSIONS OF THE SAME)!


That's the only part I could find that referenced target specific information, and the main reason I also posted that company name was the previous search for that yielded the search I was talking about and the company name was posted there also. (no doubt before the rules were updated)

Maybe a quick update to "DO NOT POST TARGET SPECIFIC CODE THAT INCLUDES THE NAME OF THE TARGET OR THE COMPANY NAME" would be suited.

Thanks again.

JMI
May 5th, 2006, 17:48
Let me make this as clear as I can. IT DOES NOT MATTER IF YOU THINK I MAY BE WRONG! What matters is that you follow the instructions you are given by the administrators of these Forums.

Your first Post identified a protection system used by a particular software company's products, which is their own protection system utilizing FlexLM.

NONE of the other Posts which mention the name of that company POSTED ANY CODE!!! It is the combination of the two facts which transgress our Rules. We have already had to move our Server at least two times because of software company complaints to our ISP about their perceptions we were permitting explicit discussion of how to bypass the protection of their software.

Those types of information can be freely exchanged by PM or email without creating risk to our relationship with our ISP. So instead of trying to argue your way out of a very mild reminder, why don't you just wise up, shut up, and get on with your topic without the name of the company.

Regards,

PizzaPan
May 5th, 2006, 18:18
Hehe

Of course I understand problems regarding specific bypass information and stuff. Maybe I didn't explain myself correctly; I am only stating the fact it's not clear enough in the FAQ about company name, it only lists "target specific", which to most people, including me, means the actual product.

Anyways, I understand now what you mean, the combination of company + protection is not good. Also the thread is a complete mess now, any chance you could clean our various responses?

Thanks.

JMI
May 5th, 2006, 18:26
And I made it clear to you that you are NOT to mention a company name and then Post target specific code from their software.

And you are incorrect. You are "arguing" and attempting to justify your position as an "honest misinterpretation", when all you really need to do is follow the directions you have been given. It IS resolved. You are NOT to do so again, whether or not YOU believe the FAQ is clear on this point.

EDIT JMI: Ah! I see you have modified your Post while I was responding to what you wrote originally. Since the points raised here are important for the security of our ISP connection, I'm going to leave the Thread as it now stands.

If anyone has information to assist PizzaPan with his quest, feel free to jump in now.

Regards,

esther
May 5th, 2006, 21:16
Thank you for pointing out the mistake in the FAQ. The FAQ should be updated.

Aimless
May 5th, 2006, 21:58
with the company name, the target and where it can be downloaded. If it's on anything other than Windows OS, I will not be able to assist you.

Also, let me know WHAT it is that you want.

(1) Do you want to crack apps 1 and 2 or
(2) Are you merely trying to understand the ALGORITHM behind the protection or
(3) Are you trying to create a valid license file (different from patching/cracking).

Have Phun

Woodmann
May 5th, 2006, 21:59
Howdy,

I shall update the FAQ so as to include every possibility of someone not understanding the intent.

woodmann

SiGiNT
May 6th, 2006, 02:09
Since I'm not familiar with your target (I assume you are trying to both understand and/or bypass the protection), I can't say positively, but normally patching the ECC, at least the way I and a lot of other people do it, should result in no analysis of the encrypted data on the feature lines. This holds true for versions 8 (not sure, maybe only later versions) and 9 - but in FlexNet (ver 10.x), the ECC is not fully implemented and nopping an initial jmp over it is necessary, BUT this no longer works in all cases - for further info find my post on this - if that's the case PM me.

SiGiNT

FoxB
May 6th, 2006, 02:35
4PizzaPan:

If you need additional info, PM me.

WBR

EDIT JMI: FoxB, if I wouldn't let PizzaPan Post the name of the software, why in the hell would YOU think I'd let YOU Post the software company name with one "obvious" letter changed??? Try such a TOTALLY STUPID stunt again and YOU will join the "Goner" group of banned Users.