Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]

 Post subject: Des in a file format
Posted: 12 Dec 2010 23:53

Joined: 27 Feb 2009 04:03
Posts: 11
This is the output from signsrch:
Code:
Signsrch 0.1.6a
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org
  optimized search function from Andrew http://www.team5150.com/~andrew/
  disassembler engine from Oleh Yuschuk

- open file "G:\GuJian\Bin\GuJian.exe"
- 7282688 bytes allocated
- load signatures
- open file c:\signsrch\signsrch.sig
- 1774060 bytes allocated for the signatures
- 2278 signatures in the database
- start signatures scanning:

  offset   num  description [bits.endian.size]
  --------------------------------------------
  005541a0 31   Adler CRC32 (0x191b3141) [32.le.1024]
  005551a0 32   Adler CRC32 (0x191b3141) [32.be.1024]
  005545a0 33   Adler CRC32 (0x01c26a37) [32.le.1024]
  005555a0 34   Adler CRC32 (0x01c26a37) [32.be.1024]
  005549a0 35   Adler CRC32 (0xb8bc6765) [32.le.1024]
  005559a0 36   Adler CRC32 (0xb8bc6765) [32.be.1024]
  00470868 145  SHA256 Hash constant words K (0x428a2f98) [32.le.256]
  00470998 149  Hash constant words K for SHA-384 and SHA-512 [64.le.640]
  004273c0 221  DES odd_parity [..256]
  00470e00 222  DES semi weak keys [..96]
  004274c0 223  DES skb [32.le.2048]
  00426bc0 225  DES SPR SPtrans [32.le.2048]
  00461060 242  EC curve _EC_NIST_PRIME_192_SEED [..20]
  004610a0 243  EC curve _EC_NIST_PRIME_224_SEED [..20]
  004610e0 244  EC curve _EC_NIST_PRIME_384_SEED [..20]
  00461120 245  EC curve _EC_NIST_PRIME_521_SEED [..20]
  00461160 246  EC curve _EC_X9_62_PRIME_192V2_SEED [..20]
  004611a0 247  EC curve _EC_X9_62_PRIME_192V3_SEED [..20]
  004611e0 248  EC curve _EC_X9_62_PRIME_239V1_SEED [..20]
  00461220 249  EC curve _EC_X9_62_PRIME_239V2_SEED [..20]
  00461260 250  EC curve _EC_X9_62_PRIME_239V3_SEED [..20]
  004612a0 251  EC curve _EC_X9_62_PRIME_256V1_SEED [..20]
  004612e0 252  EC curve _EC_SECG_PRIME_112R1_SEED [..20]
  00461320 253  EC curve _EC_SECG_PRIME_112R2_SEED [..20]
  00461360 254  EC curve _EC_SECG_PRIME_128R1_SEED [..20]
  004613a0 255  EC curve _EC_SECG_PRIME_128R2_SEED [..20]
  0046140c 256  EC curve _EC_SECG_PRIME_160R1_SEED [..20]
  0046144c 257  EC curve _EC_SECG_PRIME_160R2_SEED [..20]
  00461594 258  EC curve _EC_SECG_CHAR2_113R1_SEED [..20]
  004615d4 259  EC curve _EC_SECG_CHAR2_113R2_SEED [..20]
  00461614 260  EC curve _EC_SECG_CHAR2_131R1_SEED [..20]
  00461654 261  EC curve _EC_SECG_CHAR2_131R2_SEED [..20]
  004616c0 262  EC curve _EC_SECG_CHAR2_163R1_SEED [..20]
  00461700 263  EC curve _EC_NIST_CHAR2_163B_SEED [..20]
  00461740 264  EC curve _EC_SECG_CHAR2_193R1_SEED [..20]
  00461780 265  EC curve _EC_SECG_CHAR2_193R2_SEED [..20]
  004617ec 266  EC curve _EC_NIST_CHAR2_233B_SEED [..20]
  00461884 267  EC curve _EC_NIST_CHAR2_283B_SEED [..20]
  004618f0 268  EC curve _EC_NIST_CHAR2_409B_SEED [..20]
  0046195c 269  EC curve _EC_NIST_CHAR2_571B_SEED [..20]
  0046199c 270  EC curve _EC_X9_62_CHAR2_163V1_SEED [..20]
  004619dc 271  EC curve _EC_X9_62_CHAR2_163V2_SEED [..20]
  00461a1c 272  EC curve _EC_X9_62_CHAR2_163V3_SEED [..20]
  00461a88 273  EC curve _EC_X9_62_CHAR2_191V1_SEED [..20]
  00461ac8 274  EC curve _EC_X9_62_CHAR2_191V2_SEED [..20]
  00461b08 275  EC curve _EC_X9_62_CHAR2_191V3_SEED [..20]
  00461b74 276  EC curve _EC_X9_62_CHAR2_239V1_SEED [..20]
  00461bb4 277  EC curve _EC_X9_62_CHAR2_239V2_SEED [..20]
  00461bf4 278  EC curve _EC_X9_62_CHAR2_239V3_SEED [..20]
  00461c8c 279  EC curve _EC_X9_62_CHAR2_359V1_SEED [..20]
  00558070 1161 DES initial permutation IP [..64]
  005580f0 1163 DES permuted choice table (key) [..56]
  00558138 1164 DES permuted choice key (table) [..48]
  00558168 1165 DES S-boxes [..512]
  00472d92 1188 small prime numbers used in libgcrypt [16.le.1336]
  00473f58 1312 Generic squared map [32.le.64]
  00473f55 1313 Generic squared map [32.be.64]
  00427540 1463 DES2_DS [32.le.128]
  005580b0 1556 DES_fp [..64]
  00558368 1558 DES_p32i [..32]
  00009f3a 1767 anti-debug: IsDebuggerPresent [..17]
  000114d0 2253 PADDINGXXPADDING [..16]


I understand if you have no desire to look at this, but if anyone could and it's quick, that would be great.
Or if someone can point me to some tutorials for getting these types of keys.
http://www.sendspace.com/file/i11d4s
I included all exe and dll files and 2 sample archives.


 Post subject: Re: Des in a file format
Posted: 13 Dec 2010 12:04

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Have you already tried setting the breakpoints on all the signatures starting with DES (I don't remember which is the first one that handles the key) displayed by "signsrch -F file.exe"?
 Post subject: Re: Des in a file format
Posted: 13 Dec 2010 21:50

Joined: 27 Feb 2009 04:03
Posts: 11
This is the output I get from that. I will try setting breakpoints at those locations; anything specific that should stand out to me so I know it's the key?
Is this what I should look at?
00f340f0 1163 DES permuted choice table (key) [..56]

Also, what plug-ins do you use to hide the Olly program from things like SecuROM?
Code:
C:\Users\Chris>c:\signsrch\signsrch.exe -F G:\GuJian\Bin\GuJian.exe

Signsrch 0.1.6a
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org
  optimized search function from Andrew http://www.team5150.com/~andrew/
  disassembler engine from Oleh Yuschuk

- open file "G:\GuJian\Bin\GuJian.exe"
- 7282688 bytes allocated
- load signatures
- open file c:\signsrch\signsrch.sig
- 1774060 bytes allocated for the signatures
- 2278 signatures in the database
- start signatures scanning:

  offset   num  description [bits.endian.size]
  --------------------------------------------
..............................................................
.......................................................
  00c08517 31   Adler CRC32 (0x191b3141) [32.le.1024]
  00f311a0 32   Adler CRC32 (0x191b3141) [32.be.1024]
  00c08521 33   Adler CRC32 (0x01c26a37) [32.le.1024]
  00f315a0 34   Adler CRC32 (0x01c26a37) [32.be.1024]
  00c08536 35   Adler CRC32 (0xb8bc6765) [32.le.1024]
  00f319a0 36   Adler CRC32 (0xb8bc6765) [32.be.1024]
  00c59867 145  SHA256 Hash constant words K (0x428a2f98) [32.le.256]
  00c59997 149  Hash constant words K for SHA-384 and SHA-512 [64.le.640]
  00c103bb 221  DES odd_parity [..256]
  00c59dff 222  DES semi weak keys [..96]
  00c104bf 223  DES skb [32.le.2048]
  00c0fbbf 225  DES SPR SPtrans [32.le.2048]
  00c4a05a 242  EC curve _EC_NIST_PRIME_192_SEED [..20]
  00c4a09e 243  EC curve _EC_NIST_PRIME_224_SEED [..20]
  00c4a0df 244  EC curve _EC_NIST_PRIME_384_SEED [..20]
  00c4a11e 245  EC curve _EC_NIST_PRIME_521_SEED [..20]
  00c4a15e 246  EC curve _EC_X9_62_PRIME_192V2_SEED [..20]
  00c4a19e 247  EC curve _EC_X9_62_PRIME_192V3_SEED [..20]
  00c4a1db 248  EC curve _EC_X9_62_PRIME_239V1_SEED [..20]
  00c4a21e 249  EC curve _EC_X9_62_PRIME_239V2_SEED [..20]
  00c4a25e 250  EC curve _EC_X9_62_PRIME_239V3_SEED [..20]
  00c4a29e 251  EC curve _EC_X9_62_PRIME_256V1_SEED [..20]
  00c4a2de 252  EC curve _EC_SECG_PRIME_112R1_SEED [..20]
  00c4a31e 253  EC curve _EC_SECG_PRIME_112R2_SEED [..20]
  00c4a35f 254  EC curve _EC_SECG_PRIME_128R1_SEED [..20]
  00c4a39f 255  EC curve _EC_SECG_PRIME_128R2_SEED [..20]
  00c4a409 256  EC curve _EC_SECG_PRIME_160R1_SEED [..20]
  00c4a449 257  EC curve _EC_SECG_PRIME_160R2_SEED [..20]
  00c4a590 258  EC curve _EC_SECG_CHAR2_113R1_SEED [..20]
  00c4a5d3 259  EC curve _EC_SECG_CHAR2_113R2_SEED [..20]
  00c4a613 260  EC curve _EC_SECG_CHAR2_131R1_SEED [..20]
  00c4a652 261  EC curve _EC_SECG_CHAR2_131R2_SEED [..20]
  00c4a6be 262  EC curve _EC_SECG_CHAR2_163R1_SEED [..20]
  00c4a6fe 263  EC curve _EC_NIST_CHAR2_163B_SEED [..20]
  00c4a73e 264  EC curve _EC_SECG_CHAR2_193R1_SEED [..20]
  00c4a77e 265  EC curve _EC_SECG_CHAR2_193R2_SEED [..20]
  00c4a7eb 266  EC curve _EC_NIST_CHAR2_233B_SEED [..20]
  00c4a882 267  EC curve _EC_NIST_CHAR2_283B_SEED [..20]
  00c4a8ef 268  EC curve _EC_NIST_CHAR2_409B_SEED [..20]
  00c4a95b 269  EC curve _EC_NIST_CHAR2_571B_SEED [..20]
  00c4a99b 270  EC curve _EC_X9_62_CHAR2_163V1_SEED [..20]
  00c4a9da 271  EC curve _EC_X9_62_CHAR2_163V2_SEED [..20]
  00c4aa1a 272  EC curve _EC_X9_62_CHAR2_163V3_SEED [..20]
  00c4aa83 273  EC curve _EC_X9_62_CHAR2_191V1_SEED [..20]
  00c4aac6 274  EC curve _EC_X9_62_CHAR2_191V2_SEED [..20]
  00c4ab06 275  EC curve _EC_X9_62_CHAR2_191V3_SEED [..20]
  00c4ab6f 276  EC curve _EC_X9_62_CHAR2_239V1_SEED [..20]
  00c4abb2 277  EC curve _EC_X9_62_CHAR2_239V2_SEED [..20]
  00c4abf2 278  EC curve _EC_X9_62_CHAR2_239V3_SEED [..20]
  00c4ac87 279  EC curve _EC_X9_62_CHAR2_359V1_SEED [..20]
  00c08854 1161 DES initial permutation IP [..64]
  00f340f0 1163 DES permuted choice table (key) [..56]
  00f34138 1164 DES permuted choice key (table) [..48]
  00c0878a 1165 DES S-boxes [..512]
  00c5bd91 1188 small prime numbers used in libgcrypt [16.le.1336]
  00c5cf57 1312 Generic squared map [32.le.64]
  00c5cf53 1313 Generic squared map [32.be.64]
  00c1053f 1463 DES2_DS [32.le.128]
  00c08863 1556 DES_fp [..64]
  00c0873a 1558 DES_p32i [..32]
  00409f3a 1767 anti-debug: IsDebuggerPresent [..17]
  004114d0 2253 PADDINGXXPADDING [..16]

- 62 signatures found in the file
 Post subject: Re: Des in a file format
Posted: 14 Dec 2010 00:56

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
For the Olly plugin I used one called "IsDebuggerPresent", just like the function.

While for DES, sincerely, I don't remember which was the correct one; anyway it takes less than one minute to put the breakpoints on the 11 DES* functions listed there.
 Post subject: Re: Des in a file format
Posted: 14 Dec 2010 02:16

Joined: 27 Feb 2009 04:03
Posts: 11
I got Olly to go undetected and the executable loads now. I could not get the program you showed to work against SecuROM, but I found the program re-pair.exe; it modifies Olly so programs won't see its default names. I am trying to use the output from signsrch to set the breakpoints, but I do not see those points listed. So do I run the program first and then look for those addresses, or can I manually specify them?

I found something that might be a decryption for some of the files in the game, or it's a virus; I do not know because I was not brave enough to try.
http://patch.ali213.net/showpatch/7626.html
According to this the key is based on the file name.
 Post subject: Re: Des in a file format
Posted: 14 Dec 2010 10:36

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
If the addresses reported by signsrch don't match the ones you see in Olly, you can simply use signsrch on the process:
signsrch -P process_name

The filename-based key makes sense, so it's probably as they say.