Cast-128 encryption algorithm and mypassword cracking

Encrypted Cast-128AlgorithmAnd mypassword cracking

Author: three cents a piece

1. Overview of Cast-128 encryption algorithms

The cast-128 encryption algorithm is a des-like replacement network (SPNs) encryption system, it has good resistance to differential password analysis, linear password analysis, and password-related analysis. This encryption also has several other ideal features, including avalanche, strict avalanche standard (SAC), bit-independent standard (BIC), no complementary attributes, and no weak or semi-Weak keys. Therefore, for the entire InternetCommunity-- Require strong passwords and easy-to-obtain encryption algorithms -- this is a good choice for general applications.

The entire encryption process is divided into two processes: Key preprocessing and information encryption. The key preprocessing process generates 16 pairs of keys based on the input 128-bit key through a series of S-box replacements. Information Encryption divides the input 64-bit information into the left and right sides of the l0 and R0, generates L16 and R16 through a series of cyclic transformations, and then connects L16 and R16 to generate the output ciphertext. Decryption of the Cast-128 algorithm can also be divided into two processes: Key preprocessing and information decryption. The key preprocessing and encryption are identical, and the input key table is also the same. Information decryption is to reverse a series of cyclic transformations during encryption, and calculate l0 and R0 from L16 and R16 in the reverse order. (For details about the cast-128 algorithm, see rfc2144)

To crack the software that uses the cast128 algorithm, the key is to find the key table used for key preprocessing. With the key table, the plaintext can be decrypted Based on the ciphertext, generally, this is the registration code we are looking. It is not difficult to write a registration machine.

2. instance analysis: mypassword cracking

Mypassword is a private password management software that helps you manage a variety of passwords. It was introduced in the anti-DDoS pro January 2004 issue. The software management account information should be verified using the MD5 algorithm. If you skip Account Verification and open someone else's password file, you will only get some unintelligible garbled characters. If the software is not registered, the system prompts you how many times you use it each time you open the software, reminding you to register the software.

You can use peid to check whether the shell is added. If the shell is added, the shell is removed first. If the shell is not added, you can see what encryption algorithm is used. Check and find that ASPack 2.12-> Alexey solodovnikov, since it is the ASPack shell, you are welcome, the use of stripper v2.07 shell removal machine is very convenient to take off the shell. After shelling, we detected it again with peid and found that the software was compiled with delphi6.0, using the cast and MD5 encryption algorithms.

It is a good habit to use tools such as peid and fileinfo to detect a software every time. It can save time and remedy the problem (what shell should be removed and what language should be used to deal with it, do you want to review any algorithms ). Well, I know it's the software compiled by Delphi. Of course, it's important to use Dede disassembly to find the keyCode. After disassembly, find the "register" button in the "register" dialog box and click the response code at 0x004f0b60. The initialization code of the "register" dialog box is at 0x004f0d18.

After Dede's work is done, open Ida pro disassembly. This tool is not only the king of static disassembly, but now the dynamic debugging function is even more appealing. You can not only change variables into easy-to-understand names, but also write comments to the analyzed code. When you encounter a process, you can first check whether you need to follow up or directly include the variable, the key process can be called in several places, the identification of most library functions makes the code easier to understand and debug (the functions implemented by the function can be known without following up), but the disassembly takes a little longer.

After the disassembly is complete, press f2 to break the breakpoint at 0x004f0b60, and press F9 to run the software. In the "register" dialog box, you will find that some characters have been entered in the "Serial Number" column. Leave it empty, enter 123456789 in the "Registration Code" column, and then press the "register" button.ProgramInterrupt at 0x004f0b60, trace and find that the input length is required, re-enter 1234567890 abcdef in the "Registration Code" column, and then press the "register" button. After the interruption, the following code will be tracked:

Code: 004f0bbb mov eax, [EBP + var_10]; [eax] = "1234567890 abcdef"
Code: 004f0bbe Lea ECx, [EBP + var_c]
Code: 004f0bc1 mov edX, DS: dword_55e6d8
Code: 004f0bc7 call sub_54b2f8
Code: 004f0bcc mov eax, [EBP + var_c]; [eax] = 0d4h, 15 h, 6DH, 0d8h, 3ch, 0b7h, 0f8h
Code: 004f0bcf mov edX, DS: dword_55e4c4
Code: 004f0bd5 mov edX, [edX]; [edX] = "49988800"
Code: 004f0bd7 call @ lstrcmp; compare whether eax and EDX point to the same content
Code: 004f0bdc JZ short loc_4f0bef

Therefore, call sub_54b2f8 must be a key process for follow-up. After some detailed tracking, I came to the following code:

Code: 0054b39c Lea ECx, [EBP + var_20]
Code: 0054b39f mov edX, EDI
Code: 0054b3a1 mov eax, [EBP + var_10]; [eax] = "1234567890 abcdef"
Code: 0054b3a4 call sub_54b1b0
Code: 0054b3a9 mov edX, [EBP + var_20]; [edX] = 0d4h, 15 h, 6DH, 0d8h, 3ch, 0b7h, 0f8h

Follow up call sub_54b1b0 and you will immediately see the code: 0054b1f3 call sub_4bd5a8. If you first look at the key preprocessing process like the cast-128 algorithm, you will first see the following characters in the comments of the Code (which is automatically generated by IDA Pro:

Code: 004bd5c4 mov ECx, offset acast128keymust; "cast128: key must be between 1 and 16 B "...
Code: 004bd5c9 mov DL, 1
Code: 004bd5cb mov eax, DS: dword_40881c
Code: 004bd5d0 call create‑t

Didn't you see it? cast128: Key must... it clearly points out that this is the key preprocessing Process of Cast-128. I remember that the same character was also seen in the previous tracking data collection master v3.73. It seems that they all use the cast-128 Algorithm Module written by the same person. It is preliminarily determined that this is the key preprocessing Process of Cast-128, but it cannot exclude the possibility that the software author will confuse us. Continue to look down:

Code: 004bd61e cmp edi, 0ah
Code: 004bd621 JG short loc_4bd62f
Code: 004bd623 mov dword ptr [EBX + 90 H], 0ch
Code: 004bd62d JMP short loc_4bd639
Code: 004bd62f; zookeeper
Code: 004bd62f
Code: 004bd62f loc_4bd62f:; Code xref: sub_4bd5a8 + 79j
Code: 004bd62f mov dword ptr [EBX + 90 H], 10 h

The above code sets whether 12 or 16 cycles are used for information encryption based on the length of the key table.

Code: 004bd713 mov edX, [ESI + 0ch]
Code: 004bd716 mov ECx, EDX
Code: 004bd718 SHR ECx, 10 h
Code: 004bd71b and ECx, 0ffh
Code: 004bd721 mov ECx, DS: sbox5 [ECx * 4]
Code: 004bd728 XOR ECx, [esi]
Code: 004bd72a mov EDI, EDX
Code: 004bd72c and EDI, 0ffh
Code: 004bd732 XOR ECx, DS: sbox6 [EDI * 4]
Code: 004bd739 mov EDI, EDX
Code: 004bd73b shr edi, 18 h
Code: 004bd73e XOR ECx, DS: sbox7 [EDI * 4]
Code: 004bd745 SHR edX, 8
Code: 004bd748 and EDX, 0ffh
Code: 004bd74e XOR ECx, DS: sbox8 [edX * 4]
Code: 004bd755 mov edX, [ESI + 8]
Code: 004bd758 SHR edX, 18 h
Code: 004bd75b XOR ECx, DS: sbox7 [edX * 4]
Code: 004bd762 mov [EBP + var_34], ECx
......

The above code (Omitted mostly) is used to calculate the sub-key. We know that sub_54b1b0 is the key preprocessing Process of Cast-128, and change sub_54b1b0 to cast128_initkey to facilitate subsequent tracking. Now we need to find the key table used in the key preprocessing process:

Code: 0054b1e6 Lea eax, [EBP + tcastdata]; [eax] = tcastdata
Code: 0054b1ec mov ECx, 10 h; ECx = Key Length
Code: 0054b1f1 mov edX, EBX; [edX] = Key
Code: 0054b1f3 call cast128_initkey

you can obtain the key 01 H, 23 h, 27 h, 67 h, 12 h, 74 h, and 42 h from EDX, 78 h, 23 h, 52 h, 57 H, 35 h, 34 h, 56 h, 78 h, 9ah. Record the key as key2, which we will use when writing a registration machine. After the key is pre-processed, the information is encrypted. The tracing program continues to come to the following code:

code: 0054b25e Lea ECx, [EBP + var_18]
code: 0054b261 Lea edX, [EBP + var_10]; [edX] = 12 h, 34 h, 56 h, 78 h, 90 h, 0abh, 0cdh, 0efh, that is, plaintext
code: 0054b264 Lea eax, [EBP + tcastdata]
code: 0054b26a call sub_4be41c
code: 0054b26f Lea eax, [EBP + var_1c]
code: 0054b272 call @ lstrclr
code: 0054b277 mov EBX, 8
code: 0054b27c Lea ESI, [EBP + var_18]; [esi] = 0d4h, 15 h, 6DH, 0d8h, 3ch, 0b7h, 0f8h, that is, ciphertext

It can be seen that the sub_4be41c process is to convert the plain text in edX into the ciphertext in ESI. However, whether sub_4be41c corresponds to the information encryption process in Cast-128 or the information decryption process, we need to continue the analysis. Following up with sub_4be41c, we will find the following code in the first code section:

Code: 004be4bb cmp dword ptr [EBX + 90 H], 0ch
Code: 004be4c2 jle loc_4be5f0

Here is whether the test cycle is 12 or 16 times. If this code is found at the beginning, it is the information decryption process. If this code is found at the end of the process, this is the information encryption process. Because the encryption code is similar to the decryption code, but the order of the loop is different, it is not easy to distinguish. In addition, you can test it by writing a program to see which of the output results of the encryption process is the same as that of the decryption process.

The sub_4be41c process is the decryption process of the Cast-128 algorithm. You can change sub_4be41c to cast128_decode. Here we can know that the software decrypts the entered registration code through Cast-128 during registration, and then compares the decrypted byte string with 49988800. If the same, it is a legal registration code and the registration is successful. If not, registration fails. So how did 49988800 come out? We need to continue tracking the analysis program. Run the breakpoint at the place where cast128_initkey is called in two places and the program will be interrupted in the following code:

Code: 0054b459 Lea eax, [EBP + tcastdata]; [eax] = tcastdata
Code: 0054b45f mov ECx, 10 h; ECx = Key Length
Code: 0054b464 mov edX, EBX; [edX] = Key
Code: 0054b466 call cast128_initkey

The key here is different from the above key. It is recorded as key1: 01 H, 23 h, 28 h, 67 h, 12 h, 78 h, 56 h, 78 h, 23 h, 50 h, 67 h, 89 h, 34 h, 56 h, 78 h, 9ah. To continue running, we will go to the following code:

Code: 0054b54e Lea ECx, [EBP + var_18]
Code: 0054b551 Lea edX, [EBP + var_18]; [edX] = 0b4h, 46 h, 6bh, 62 h, 0e4h, 0fch, 53 H, 13 H, that is, the serial number
Code: 0054b554 Lea eax, [EBP + tcastdata]
Code: 0054b55a call cast128_decode
Code: 0054b55f Lea eax, [EBP + var_20]
Code: 0054b0000call @ lstrclr
Code: 0054b567 mov EBX, 8
Code: 0054b56c Lea ESI, [EBP + var_18]; [esi] = "49988800"

The code above decrypts the serial number to 49988800. Now we can know how to register: Use key1 to pre-process the key, then decrypt the serial number, get the intermediate variable, and then use key2 to pre-process the key, and then encrypt the intermediate variable to get the registration code. The key code of the registration machine is as follows:

invoke cast_setkey, ADDR key, ADDR key1, 16
invoke rtlzeromemory, addr tmp, sizeof TMP
invoke cast_decrypt, ADDR key, ADDR Buf, addr tmp
invoke cast_setkey, ADDR key, ADDR key2, 16
invoke rtlzeromemory, ADDR Buf, sizeof Buf
invoke cast_encrypt, ADDR key, addr tmp, ADDR Buf