Kanal how does signature analysis work?
Hi guys,
I'm a new member of this great forum. I'm also new to the art of reversing and hoping to reverse a Delphi app. I scanned the exe with the Kanal v2.2 tool and it reports that it contains RC5/RC6 crypto signatures. Is the signature a recognisable block of bytes which are the opcodes used in the algorithm? Or is a signature defined in some other way? Be as technical as you want in any reply. Thanks for your help :)
Most crypto algorithms use certain constants to initialize/assist the computation. It probably searches for these.
For example, MD5: 0x67452301; 0xefcdab89; 0x98badcfe; 0x10325476;
Hmmm.....
If KANAL used those constants for detecting crypto algos in executables, I'd understand why it doesn't show us the address of the crypto code. Many people asked sKAMER whether he could improve KANAL so that it shows us the address of the crypto code. I'd also understand why it does not detect the RSA algo: 'cause it does not use any constants.
Nobody asked me, if I remember.. but I'm busy atm.
Try asking snaker - this is dsk*, a deadly-skills coder :) I think this elite hero has much more time than me.
That could be the answer, RC5 uses 2 constants :
1.) the base of natural logarithms 2.) the golden ratio. I expect RC6 will be the same, as this too is a parameterized algorithm where block size, key size, and the number of rounds are variable; with a 2040 bit upper limit on the key size. Are there any crypto experts on this forum that know how to exploit poorly implemented RC5 code to obtain private keys? Or has anyone seen keygens for apps that use RC5 in their protection scheme? I need all the help I can get. All my searches point to the distributed.net site which is of no real help to me. Thanks for the replies so far. 5Alive:)
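To make the "constants" answer above concrete, and to cover the two points raised in the following posts (why a constant scanner cannot point at the crypto *code*, only at the bytes it matched, and where the RC5/RC6 P and Q values actually come from), here is an added example of a minimal Kanal-style scanner. It is not Kanal's code and not anything from this thread; the signature table, the function names and the sample "image" are all constructed for illustration. P_w and Q_w are computed from e and the golden ratio exactly as Rivest defines them (Odd((e-2)*2^w) and Odd((phi-1)*2^w)), so you can see that the detector is really just looking for the resulting 32-bit words:

```python
# Added example (not from the thread, not Kanal's code): a minimal
# Kanal-style constant scanner. A "crypto signature" here is simply a known
# magic constant found as a raw little- or big-endian word anywhere in the
# image, reported together with the file offset it was found at.
import math
import struct

def odd(x: float) -> int:
    """Nearest odd integer to x (Rivest's Odd() from the RC5 paper)."""
    n = math.floor(x)
    return n if n & 1 else n + 1

def rc5_magic(w: int) -> tuple[int, int]:
    """RC5/RC6 key-schedule constants for word size w (w <= 32 fits a double):
    P_w = Odd((e - 2) * 2^w)   from the base of natural logarithms,
    Q_w = Odd((phi - 1) * 2^w) from the golden ratio."""
    phi = (1 + math.sqrt(5)) / 2
    return odd((math.e - 2) * 2 ** w), odd((phi - 1) * 2 ** w)

# Signature table (constructed): family name -> 32-bit constants that mark it.
SIGNATURES = {
    "MD5/SHA-1 init": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "RC5/RC6 P32/Q32": list(rc5_magic(32)),
}

def scan(image: bytes) -> list[dict]:
    """Return every occurrence of a signature constant, with its offset
    and the byte order it was stored in."""
    hits = []
    for family, consts in SIGNATURES.items():
        for c in consts:
            for endian, fmt in (("little", "<I"), ("big", ">I")):
                needle = struct.pack(fmt, c)
                pos = image.find(needle)
                while pos != -1:
                    hits.append({"family": family, "const": c,
                                 "offset": pos, "endian": endian})
                    pos = image.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample image: filler, an MD5 initial-state table, then the two
# RC5 constants embedded as x86 immediates (mov eax/edx, imm32 is encoded
# little-endian, so the same byte search catches constants inside code).
SAMPLE = (
    b"\x00" * 16
    + struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    + b"\x90" * 8
    + b"\xB8" + struct.pack("<I", 0xB7E15163)   # mov eax, 0B7E15163h
    + b"\xBA" + struct.pack("<I", 0x9E3779B9)   # mov edx, 09E3779B9h
    + b"\xCC" * 8
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h['family']:18} {h['const']:#010x} at offset "
              f"{h['offset']:#06x} ({h['endian']}-endian)")
```

Two caveats worth knowing when you read a Kanal report this way: the four MD5 initial values are also the first four words of SHA-1's initial state, and Q32 (0x9E3779B9) doubles as the delta constant of TEA/XTEA, so a hit narrows the candidates but does not by itself prove which algorithm is present. The offset a scanner like this reports is where the constant lives (a data table or an immediate inside an instruction), which is a starting point for a cross-reference search in the disassembler, not the address of the routine itself.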
I don't have much experiance with RC5
but I could imagine that you will find that key when you trace the app.... To the best of my knowledge RC5 is a private-key-only cipher. This means that the key used for decryption is the same that is used for encryption. Correct me if I'm wrong ;)
Quote:
You are right, RC5 only uses a private key of variable length; it is a symmetric block cipher, meaning that the same key is used for both encryption and decryption. 5Alive.
RC5 isn't hard stuff.
Quote:
What is the best approach to finding a private key, as they are not hidden in the code anywhere? Thanks. 5Alive.
Any crypto defeating depends on the crypto implementation.
Where can I get Kanal v2.2?
Where can I get Kanal v2.2 to download?
Naturally, what should I be looking for?
You should try DeDe and look for used units; there are only a few implementations of RC5 on the net. I don't know what you're trying to crack but I'd bet that it will use DCPCrypt1/2 (hxxp://www.cityinthesky.co.uk/). Load it into Delphi, make a sample app, debug in the Delphi internal debugger and learn.
Need help decrypting a file
I am a newbie at cryptography. I need help decrypting a file and I do not know where to start. The file I am decrypting has no attachments to it. I made a copy of the file, put a txt attachment on it and opened it in read form; it is encrypted. How do I fix it?
Quote:
I was hoping that it uses a standard library such as DCPCrypt, but it uses something called TCipherStreamFactoryRC5 to handle the decryption. Web searches have proved fruitless, so I can only guess it is a custom lib. Anyone heard of this? 5Alive
1 Attachment(s)
Quote:
h**p://w*w.exetools.com/forum/showthread.php?threadid=2385 2. RC5/6 was implemented in a lot of libraries on the net. 3. See the attachment as an example of RC6 at work (it's the source for the Oscar 17 (Summer Edition) Serials Database decipher).
Do you still have a page, alephz?
I remember great tools posted on it. Thanks.
Quote:
F-Group Software junk progs (h**p://w*w.fgroupsoft.com). Unfortunately, for now I haven't time to recover it and, more sadly, haven't time to enjoy new junk from F-Group Software. Well, I keep it on my TODO list :-\
Quote:
Thank you. I'll give this a look over. 5Alive
Quote:
Well, thanks for the answer!
Oops. I forgot I'm not supposed to post requests in this forum and JMI edited my post to this stupid message. :cool:
Actually, if I'd taken the time to use the "search" button and "kanal" on the left side, I would have found that the answer to my question is here: http://www.exetools.com/forum/showthread.php?s=&threadid=2348&highlight=kanal pd. LOL JMI 10x friend. :D
Quote:
Thanks alephz! I have since found a string ref to RC4 too! I think the serial number is an RC4 key, and the content decryption is handled by RC6. The app produces a unique system ID number using API calls to GetSystemInfo, GetComputerNameA and GetVolumeInformationA. This is to restrict a valid password to a single PC. If your system ID changes, you are sent a new serial to unlock the content. Therefore, the system ID is equivalent to a user name and the serial is the password. So I think I am looking at some sort of RC4 keygen. Yikes! I've got some more questions I'll try to answer myself before posting. I'm new to reverse engineering; where do the hours go? 5Alive.
RC4 isn't that hard ;)
Is the best solution to rip the RC4 code and insert it into your own app? I'm using DeDe and IDA.
Once I've isolated the code, is MASM the best tool for keygen creation? I notice that DeDe doesn't recognise Win32 API calls and IDA doesn't recognise some custom Delphi library calls. Can this be fixed, or do I need to work between the two to build a clearer picture of what the functions are doing? I've compiled/created DCU/DSF files from source code to help me identify calls in DeDe. As far as I'm aware FLIRT only supports Delphi 1.0 TPUs, which is of no use to me. Anyone know any different and like to share their knowledge? Thanks 5Alive.
Quote:
But pay attention to the S-box and to the field K! Don't forget to rip the init routine!
Quote:
As sKAMER said: Olly and IDA --> deadly combo :D
Thanks, I'll keep your comments in mind when attempting this.
5Alive.
Quote: Originally posted by ArC
You can try to rip the RC4 code..... But pay attention to the S-box and to the field K! Don't forget to rip the init routine!
To find the values of the S-box and K field I would need to single step with a debugger to extract these values. Is this correct? 5Alive.
Usually there should be an init routine
which inits the S-Box and the K field. If you want to rip, you will have to rip the init routine as well. However, you should trace (with a debugger) the init routine as well since it usually contains the key.
Thanks, I'll look into trying this. I have source for RC4 just now, so I'll probably create my own little program to encrypt/decrypt to familiarise myself with its workings.
5Alive.
Why not do a tutorial on the work, implementing RC4 and so on?!
It would be appreciated by a lot of people! cya
Quote:
Refer to his site here: h**p://www.elitecoding.net/~lucifer48/ BTW the soft is called File Check Package. I haven't tried it but it seems worth a look. It's something along the lines of an SFV check.