[ Cracking / RSA protections maybe explained ]

Date   :   May/June 2000 AD (After death)

by Accz / BLZ

[Tools Used]

Editors        -->  Hiew & Notepad
Debuggers      -->  Softice
Disassemblers  -->  Ida & Wdasm
Music          -->  old Lux Occulta,old Moonspell,new Mayhem,new Iron Maiden cds
Brain speed up -->  Catherine Zeta Jones , Chimay Blue beer

Level : Medium+
Toggle Word Wrap on

[Chapter 0x00]

If you are somewhat comfortable with a debugger, here are some straightforward cracking notes on Powerstrip's RSA protection scheme.  The version i used is 2.67 but you will be able to explore even newer ones.  First of all install the program.  The main executable named pstrip.exe will be copied to your windows directory.
If you examine it for a while you may notice that its packed with AsPack.
That will stop SoftIce loader to break on startup - but who cares, lets enter
some info into the reg box and bpx hmemcpy.
I used 'iamalamer' as username and '1234567890' as reg key.
Now hit the 'OK' button - hopefully you shall see this :

Break due to BPX KERNEL!HMEMCPY  (ET=1.42 seconds) -- then press F12 about
7 times untill you are back in pstrip!code section.
Step out of the calls (gonna take about 6 F12) and you should be facing
the following instructions.

:004B670D 8B45EC                  mov eax, dword ptr [ebp-14]

Lets check and see what Eax holds (d Eax) -- its our username input.
Lets go on with the typical procedure ..do a s 0 l ffffffff 'iamalamer' and
set a BPM at the location you will find. (PS: different than mine of course)

:s 0 l ffffffff 'iamalamer'
Pattern found at 0237:00EBFBB8 (00EBFBB8)
:bpmb cs:ebfbb8 r
Break due to BPMB #022F:00EBFBB8 R DR3  (ET=22.45 milliseconds)

If u press F5 sice will break again, this time we are about here

:00406A0D 807C1FFF20              cmp byte ptr [edi+ebx-01], 20

This is easy to understand, its just a cmp against character 20h, ' ' (space)
Trace a bit more -- the following routines will strip leading and trailing 
spaces out of our username, thus making a seed out of it.

Press F12 to step out of the call, now we should be about here

:004B6713 E8D802F5FF              call 004069F0
:004B6718 8B55F0                  mov edx, dword ptr [ebp-10]

Check which value Edx holds -- its our fixed input ...the 'seed'.
If you are curious (you should be) trace into everything.
There is a XOR loop to be found, a binary conversion of our reg key 
(probably due to bignum library Powerstrip uses) -- but all turn to be non 
important for the correct key to be builted.
Since we are in the middle of a big algo i suggest pressing F10,F8,F12 at 
your will , so you can see the whole picture of this protection scheme.
So after some time of stepping/tracing , or after a short time if u just go
over the calls this is an interesting part we should solve out

:004B6860 E8FF2D0100              call 004C9664
:004B6865 3C01                    cmp al, 01
:004B6867 752B                    jne 004B6894

Step above the call , check AL (its 0) , take the jump and you should see
the infamous 'Beggar off' message

----------------------------------------------------------
| Sorry, the name and key you entered do not correlate   |
| Please try again, using cut-and-paste                  |
----------------------------------------------------------

Obviously we have check when that call returns 01 into AL.
Thus, the next step should be tracing into the call at 4B6860.
And in there we will find a few checks we have to pass.
Step (F10) untill you are about here.

:004C9765 8B45F0                  mov eax, dword ptr [ebp-10]
:004C9768 E83BA0F3FF              call 004037A8
:004C976D 83F824                  cmp eax, 00000024
:004C9770 0F8C15050000            jl 004C9C8B
:004C9776 8B45F4                  mov eax, dword ptr [ebp-0C]
:004C9779 E82AA0F3FF              call 004037A8
:004C977E 83F804                  cmp eax, 00000004
:004C9781 0F8C04050000            jl 004C9C8B
:004C9787 A17C954F00              mov eax, dword ptr [004F957C]

The very first cmp instruction is where EAX here holds the length of our
key -- the check is against $24=36d , so we have a condition rule.
The next cmp instruction is again a length check -- of our username
and a new condition rule.
If any of the checks fails the 'Beggar off' message appears again
So what have we learned so far?
Condition rule I  : Reg kay should be bigger than 36 chars 
Condition rule II : Username should be at least 04 chars long 
Result            : We should have 01 in AL after the call ends.

Load pstrip.exe again but now enter 'iamalamer' and a alphanumerical
reg key about 40 chars long.
This fake info will pass a above the checks and the fun begins here.
If we go on tracing from 4C9787 that we stopped earlier this code
snippet its very easy to be found.

:004C9795 B8BCA54500              mov eax, 0045A5BC

Curious as always, check EAX (?eax and d eax) to see what value does it holds?
And this is what i saw in data window .."TRSARegNuma"
Blah, we should now take a break and learn about rsa protections -- we
cant attack it if we dont know what it is...

[Chapter 0x01]

Know your enemy...
Lets see an example how RSA works.
First of all we have to find 2 prime numbers -- known from now on as P,Q
I say P=5 and Q=11 and now we can name 'modulus N', where N=P*Q=55
Choose another yet number E=17 -- known from now on as 'public exponent'.
(N,E) is our 'public key' ..the one we are gonna distribute.
Be careful : E should *not* have common factors with (P-1) and/or (Q-1)
-- therefore picking a prime as E (like 17) works for sure(?)
Be careful, I said, when choosing E ..Why?
Let P=43,Q=53,E=3 ..all primes right? Then (P-1)(Q-1)=42*52=2184
But wait 2184=3*728 ..so E=3 was a bad choice for this set of (P,Q)

Back to our initial example : P=5 Q=11 N=55 E=17
Now we need to find D our 'private exponent'.
The RSA algorithm defines what D should be:
(E*D-1)  Mod ( P-1)*(Q-1) ) = 0  
(17*D-1) Mod (4*10) = 0 
(17*D-1) Mod (40) = 0  ....and if u solve this D=33

There is a ready to use formula D=(E^-1) Mod ((p-1)*(q-1))

(N,D) is our private key, the decryptor.
Lets say we wanna encrypt 2, then we should use these formulas :
(PS: Remember P=5 Q=11 N=55 E=17 D=33)

Encrypted = ( Input ^ E ) Mod N
Decrypted = ( Encrypted ^ D ) Mod N

Thus , 
Encrypted=( 2 ^ 17) Mod 55 = 131072 mod 55 = 7
Decrypted= (7 ^ 33) Mod 55 = 7730993719707444524137094407 mod 55 = 2

As far as i know the only generic way to crack RSA is to factorize N and find P,Q. (Note: Other ways i have heard of is to find the E-th root of (Encrypted Mod N) since Encrypted = (Input ^ E ) Mod N -- but that MAY work in some cases -- or plaintext attacks etc.)

Then since E is public you can calculate D and code a decryptor.
So now we know our goal ..Find N, P, Q, E, and D in Powerstrip's case.
 
[Chapter 0x02]

Last place we stopped was 4c9795, now we go on tracing...


:004C97B6 BA309D4C00              mov edx, 004C9D30

Guess what Edx holds: a big number which happens to be the modulus N,

N = 447856717395946304164672580486145629905201341197

If we trace a little more into the call below

:004C97F1 E8AA0EF9FF              call 0045A6A0

F8 and we will find this :

:0045A6B3 55                      push ebp
:0045A6B4 6856A74500              push 0045A756
.....
* Possible StringData Ref from Code Obj ->"65537"
Check whats being pushed from 0045A756 (d 45A756)

Its '65537' -- a typical value for RSA schemes.  Of course we WILL check our theory using the RSA theory i mentioned earlier.  Imagine calculating 1234567890^65537. It is a very big number; however, it IS smaller than 1234567890^(some_other_number_E_of_40_digits).  Most authors tend to used fixed numbers as E (Like 3,11,17,65537).  I say E its good to be a prime number where P<E<Q, given that P<Q.

A difficult part about cracking a standard crypto scheme, is how to recognize it.
Well as a wise man said once, "Experience is my best book".

To do the calculations needed here we need a bignum library, such as SSLeay, Miracl, or Freelip.  Get your favorite one. We also need to factorize N. Miracl provides FACTOR.EXE, which is good choice -- it uses modern factorization techniques -- you can also use a math software like Mathematica, or write your own code (hah).  In this case, N is 160bits: it takes just seconds to a modern CPU to factorize it, and a few minutes on mine. :-)

As expected, i used an implementation of MPQS (Multiple polynomial quadratic sieve). Whoever is a math freak knows what im talking about (i dont). If you dont wanna mess with maths , FACTOR.EXE will do the job for you.

A few generic questions may/should rise here :

1) How do we know that any N has P and Q as prime factors.

Answer: "Every integer can be written as a product of primes in an essentially unique way".  The first known proof of the above theorem was given by Euclides - The Elements (Book 7-9), year 300 BC.

2) Can't I just check all prime numbers of my math book and find P,Q easily ?

Answer: As Euclides proved again (The Elements Book 7-9) there are infinitely many primes
numbers. The number of prime numbers of length less/equal to 512 bits is a very big
(greater than 100^140 if i remember correct) -- so dead end.

3) Then RSA is no secure?
Although one RSA-155 number (ie 512bits) have been factorized (using special NFS) by Mongomery's group, it took 500 mainframes and pc's and about 35 Cpu years/8000 mips years. For numbers bigger than 768bits its estimated that the memory needed for factorising will not be able to be addressed on 32-bit chips (Dont try it at home).  Their numbers are estimated to be break-able about year 2025 AD.  If the N (actually P,Q) is well choosen, and key size big enough it wont be broken.

Back to our target now.
We trace more we will see that the reg key is just the typical (fixed_username_in_hex^D) Mod N
Thats means that reg key decrypted should be equal to username..thats all
These are my results: 
N = 447856717395946304164672580486145629905201341197              
P = 535416884131621832563151                                      
Q = 836463568238631481858147                                  
E = 65537

At this point we should check if E, (P-1), and (Q-1) have any common factors.  Using the formula D=(E^-1) Mod ( (P-1)*(Q-1) ), we can calculate D.  I didn't have any ready code for that, but there is always a solution: Let F(n)=(P-1)*(Q-1).  Since (E*D-1) Mod F(N) = 0, there is an integer K such that (E*D-1) = K*F(N).  Therefore D = ( K*F(N)+1 ) / E, K is an integer.
Of course we cant solve this , since D and K are both unknown values ,but we can try (heh)
some loop to bruteforce K -- coz i have a feeling thats its a small number ;-)  A small loop (K=1,K<10000,K++) will find that for K=7573, (K*F(N)+1) mod E = 0 and solving our initial equation, D = 51751208032706736064193586260752171374090050573.

     
[Chapter 0x03]

How to write a keygen?
Pick your favorite library and code it.  If you want to see my not-that-fancy-but-commented-code, its included.
 
A few notes on Miracl functions we will use ..
We have our string to be encrypted lets say in Name
miracl *mip=mirsys(100,256);  // Init miracl lib 100 digit numbers , full width base =256
big n                         // big num variables
n=mirvar(0);                  // create variable
mirkill(n);                   // kills it
mip->IOBASE=16                // numberbase = 16 ie do calculations in hex ..we can use many 
                                 number bases of course
cinstr(n,modulus_N);          // big variable n holds our modulus
powmod(name,d,n,result);      // result=(name^d) mod n
cotstr(serial,result);        // move output to a normal string serial to be displayed
For more see miracl.doc

[Refs]
A) Online
http://www.rsa.com
http://world.std.com/~franl/crypto/
http://ace.ulyssis.org/~triade/Nfs/nfs.html
http://www.cs.uwm.edu/~peralta/papers.html
http://www.utm.edu/research/primes/
http://www.math.uga.edu/~ntheory/web.html
http://web.comlab.ox.ac.uk/oucl/work/richard.brent/talks.html
http://www-groups.dcs.st-and.ac.uk/~history/HistTopics/Prime_numbers.html
ftp://ftp.compapp.dcu.ie/pub/crypto/
ftp://ripem.msu.edu/pub/bignum/

B) Paper
Number theory and its history - Harry Hochstadt
A Course in computational algebraic Number Theory - Henri Cohen
Numbers : Rational and Irrational - Ivan Niven                  
An Introduction to the Theory of Numbers - Zuckerman,Niven,Montgomery
An Introduction to the Theory of Numbers - E.Wright, G.Hardy (a bit advanced :-)
Applied Cryptography - B.Schneier
Handbook of applied Cryptography - R.Rivest     

Proff.Niven passed away last year or so ..Now all bow.

Sorry for my bad english ..im a native english speaker but i like skiping
clases at school.
Maybe my calculations are correct and maybe all the wrong info here wasnt placed on purpose ..or?

[Greets / M00 's]
dimedrol,egoiste,nu,carp,yosh,pain,dustie,bmonkey and everyone at #c4n,#cracking,
#<censored>, BLZ my groupmates ppl i forget, ppl who was/are/will be worthy somehow, 
ppl i talk to online 
(PS: no big greet list anymore - you know who you are)


Ex tenebris ad lucem  / Accz - somewhere in time.