Jump to content
Tuts 4 You

mrexodia's Blog

  • entry
    1
  • comments
    2
  • views
    17,851

Entries in this blog

 

Attacking Armadillo's Stolen Keys feature

Hello everyone, Lately I thought it would be good to share some of the stuff I did with Armadillo to the general public, this time it will be about Armadillo’s Stolen Keys feature. When I have some time available, I will update this blog, but in general I don’t like typing long essays so don’t expect too much from that promise. What are stolen keys? Quite obvious, stolen keys are stolen (or otherwise illegally obtained) serials for an Armadillo project. The project developer can maintain a list of these stolen keys and when one of them is entered in the registration dialog it will not be accepted. Very briefly, in Armadillo you have various types of keys and also various key levels. Except unsigned keys (level 0), all keys consist of two parts: [KEYBYTES][sIGNATURE] The signature is the digital signature of the keybytes, this is just to verify the integrity of a key. For this post, only it’s size is of importance. The keybytes also have a variable length. Every serial in Armadillo can store 5 so-called ‘otherinfo’ WORD, 1 date WORD, 1 DWORD (symmetric key) and optionally a keystring. The symmetric key is the key we are looking for when dealing with Armadillo. It is (together with some other constant values) used to decrypt certificate descriptors. These are used to decrypt the program code an optionally the secured sections. Here is a the outline of a key: [ [OTHERINFO][DATE][sYM][KEYSTRING] ][sIGNATURE] As you can see, our target is somewhere near the middle of a key that is fully filled. Luckily, with the correct info, we can strip out the signature, leaving us 1-6 WORDS (otherinfo+encoded date value) and possible a keystring. Before I continue I would like to point out that the stolenkeys are not stored unencrypted in the target file. Every key is encrypted using a simple XOR-encryption with the name bound to the key as seed. Encryption/Decryption goes as follows: char tmp[2048]="";CookText(tmp, name); //UPPERCASE and strip bad charactersunsigned int seed=crc32(tmp, strlen(tmp), NewCRC32); //CRC32 of nameInitRandomGenerator(seed); //Initialize random number generatorfor(int i=0; i<keylength; i++) keybytes[i]^= NextRandomRange(256); NextRandomRange gets a pseudo-random byte in the provided range, in this case a byte. Here is the source code from the random number generator: /* source start */#define m 100000000L#define m1 10000L#define b 31415821L unsigned long a; unsigned long mult(long p, long q){ unsigned long p1=p/m1, p0=p%m1, q1=q/m1, q0=q%m1; return (((p0*q1+p1*q0) % m1) * m1+p0*q0) % m;} void InitRandomGenerator(unsigned long seed){ a=seed;} void NextRandomSeed(){ a=(mult( a, b )+1) % m;} unsigned long NextRandomRange(long range){ NextRandomSeed(); return (((a/m1)*range)/m1);}/* source end */ Attacking Our goal is to find the decryption key of the stolen key. Let’s take a close look at the random number generator. Actually, when we look at NextRandomSeed, we can see one very easily: the final seed is divided by m (100000000) and the remainder becomes the actual new seed. This means that every seed is limited to 99999999 and that is a fairly small amount of brute force attempts! Our goal for today is to write a function, that returns a possible symmetric key from a seed and a piece of data collected from any stolen key (specifically the encrypted symmetric key). Before I start with that I would like to point out that the first two bytes of a stolen key can always be considered junk. This is because either the date, or various otherinfo parameters are always before the symmetric key. In reality, only a maximum of 4 otherinfo parameters is possible (the SoftwarePassport GUI does not have a use for the 5th otherinfo parameter). This means that we would only have to try a maximum of 5 times before we actually find the symmetric key. /* source start */unsigned long NextRandomRangeMod(unsigned int seed){ return (((a/m1)*256)/m1);} unsigned int NextRandomSeed(unsigned int seed){ return (mult( seed, b )+1) % m;} unsigned int decrypt_data(unsigned int seed, unsigned int data){ int next=seed; int res=NextRandomRangeMod(next)<<24; //no little edian next=NextRandomSeed(next); res|=NextRandomRangeMod(next)<<16; next=NextRandomSeed(next); res|=NextRandomRangeMod(next)<<8; next=NextRandomSeed(next); res|=NextRandomRangeMod(next); return res^data;} int main(){ stolen_data=0x????????; for(int i=0; i<m; i++) { unsigned int sym=decrypt_data(i, stolen_data); if(VerifySym(sym)) //imaginary function that checks the sym { printf(“found: %.8X”, sym); break; } }}/* end of code */ Conclusion When implemented in CUDA, brute forcing Armadillo v3-v7.2 goes from ~20 to less than a second. Armadillo v7.4 and higher goes from 2.5-3 hours to 4 minutes! Little tool I created for testing my theories, it actually works! In the attachment I included a DLL that implements the algorithm (and various other Armadillo-related algorithms) with multi-threaded support. I decided not to include the tool because this post is about how it works, not all the tools I created in my life. Last but not least, a hint to the guys at SiliconRealms: do not store (encrypted) keys in a protected file, just store a list of hashes I hope you learned something from this! Greetings, Mr. eXoDia PS If you have any remarks or found a mistake (not related to grammar please), feel free to PM me.

mrexodia

mrexodia

×