Configuration file encryption method of Skynet firewall -- Discuss rc6 algorithm (www.team509.com)

Author: doublelee
Date: 2005-6-1

Tiannet firewall version 2.50 is compiled using Borland C and the rule configuration file is encrypted. To bypass its monitoring, you must be able to read and write its rule configuration file and restart it.

This article mainly describes how to read and write the configuration file. By the way, we will talk about the basic situation of rc6 as a memo.

Author: doublelee
Date: 2005-6-1

Tiannet firewall version 2.50 is compiled using Borland C and the rule configuration file is encrypted. To bypass its monitoring, you must be able to read and write its rule configuration file and restart it.

This article mainly describes how to read and write the configuration file. By the way, we will talk about the basic situation of rc6 as a memo.

To be honest, this software is still relatively green, and there are no DLL files. Just a few EXE files can intercept almost all local network data packets. However, this lacks the necessary protection. As a common process, the typical disadvantage is that the process can be easily killed.
In fact, the tracking process is nothing more than a few moves. Enter IDA to find the keyword apprule. Dat or config. ini. Although Borland C's parameter passing method is unpleasant and does not press the stack, it seems that SkyNet is a program without shell, and it will not be held accountable if it is much less troublesome.
The decompiled file contains the symbolic information such as rc6: trc6. The work is no longer difficult, so we can check the source code of rc6 and quickly clarify our ideas. The built-in encryption algorithm of Skynet firewall is standard rc6. It uses a-bit key with a group length of BITs and ECB mode. The key is "tenyks ".
I have already added a lot of posts. Here I only paste the reverse compilation code (rulewize.exe) corresponding to the subsequent setkey function.
 
. Text: 00408284; why? S u B r o u t I n e?
. Text: 00408284
. Text: 00408284; attributes: BP-based frame
. Text: 00408284
. Text: 00408284; _ fastcall rc6: trc6: calculatesubkeys (void)
. Text: 00408284 public @ rc6 @ trc6 @ calculatesubkeys $ qqrv
. Text: 00408284 @ rc6 @ trc6 @ calculatesubkeys $ qqrv proc near; Data xref:. Text: 0040823co
. Text: 00408284
. Text: 00408284 m_l_table = dword ptr-58 h
. Text: 00408284 m_ B = DWORD PTR-18 h
. Text: 00408284 M_a = dword ptr-14 h
. Text: 00408284 m_k = dword ptr-10 h
. Text: 00408284 m_j = dword ptr-0ch
. Text: 00408284 m_ I = DWORD PTR-8
. Text: 00408284 l_key = dword ptr-4
. Text: 00408284
. Text: 00408284 push EBP
. Text: 00408285 mov EBP, ESP
. Text: 00408287 add ESP, 0ffffffa8h
. Text: 0040828a mov [EBP + l_key], eax
. Text: 0040828d mov eax, [EBP + l_key]
. Text: 00408290 mov ECx, [eax + 10 h]
. Text: 00408293 Lea edX, [EBP + m_l_table]
. Text: 00408296 mov eax, [EBP + l_key]
. Text: 00408299 mov eax, [eax + 14 H]
. Text: 0040829c call @ system @ move $ qqrpxvpvi; System: Move (void *, void *, INT)
. Text: 004082a1 mov eax, [EBP + l_key]
. Text: 004082a4 mov dword ptr [eax + 30 h], 0b7e15163h
. Text: 004082ab mov [EBP + m_ I], 1
. Text: 004082b2
. Text: 004082b2 loc_4082b2:; Code xref: rc6: trc6: calculatesubkeys (void) + 4ej
. Text: 004082b2 mov eax, [EBP + l_key]
. Text: 004082b5 mov edX, [EBP + m_ I]
. Text: 004082b8 mov eax, [eax + EDX * 4 + 2ch]
. Text: 004082bc add eax, 9e3779b9h
. Text: 004082c1 mov edX, [EBP + l_key]
. Text: 004082c4 mov ECx, [EBP + m_ I]
. Text: 004082c7 mov [edX + ECx * 4 + 30 h], eax
. Text: 004082cb Inc [EBP + m_ I]
. Text: 004082ce CMP [EBP + m_ I], 2ch
. Text: 004082d2 jnz short loc_4082b2
. Text: 004082d4 XOR eax, eax
. Text: 004082d6 mov [EBP + m_ I], eax
. Text: 004082d9 XOR eax, eax
. Text: 004082db mov [EBP + m_j], eax
. Text: 004082de XOR eax, eax
. Text: 004082e0 mov [EBP + M_a], eax
. Text: 004082e3 XOR eax, eax
. Text: 004082e5 mov [EBP + m_ B], eax
. Text: 004082e8 mov [EBP + m_k], 1
. Text: 004082ef
. Text: 004082ef loc_4082ef:; Code xref: rc6: trc6: calculatesubkeys (void) + e4.7
. Text: 004082ef mov eax, [EBP + l_key]
. Text: 004082f2 mov edX, [EBP + m_ I]
. Text: 004082f5 mov eax, [eax + EDX * 4 + 30 h]; eax = l_key [I];
. Text: 004082f9 add eax, [EBP + M_a]
. Text: 004082fc add eax, [EBP + m_ B]
. Text: 004082ff mov edX, 3
. Text: 00408304 call m_rotl_eax_edx
. Text: 00408309 mov [EBP + M_a], eax
. Text: 0040830c mov eax, [EBP + l_key]
. Text: 0040830f mov edX, [EBP + m_ I]
. Text: 00408312 mov ECx, [EBP + M_a]
. Text: 00408315 mov [eax + EDX * 4 + 30 h], ECx; l_key [I] =;
. Text: 00408319 mov edX, [EBP + M_a]
. Text: 0040831c add edX, [EBP + m_ B]
. Text: 0040831f mov eax, [EBP + m_j]
. Text: 00408322 mov eax, [EBP + eax * 4 + m_l_table]
. Text: 00408326 add eax, [EBP + M_a]
. Text: 00408329 add eax, [EBP + m_ B]
. Text: 0040832c call m_rotl_eax_edx
. Text: 00408331 mov [EBP + m_ B], eax; B = rotl ()
. Text: 00408334 mov eax, [EBP + m_j]
. Text: 00408337 mov edX, [EBP + m_ B]
. Text: 0040833a mov [EBP + eax * 4 + m_l_table], EDX; L [J] = B;
. Text: 0040833e mov eax, [EBP + m_ I]
. Text: 00408341 Inc eax
. Text: 00408342 mov ECx, 2ch
. Text: 00408347 CDQ
. Text: 00408348 idiv ECx; I = (I + 1) % 44;
. Text: 0040834a mov [EBP + m_ I], EDX
. Text: 0040834d mov eax, [EBP + m_j]
. Text: 00408350 Inc eax
. Text: 00408351 and eax, 8001_fh
. Text: 00408356 JNS short loc_40835d
. Text: 00408358 dec eax
. Text: 00408359 or eax, 0fffffff0h
. Text: 0040835c Inc eax
. Text: 0040835d
. Text: 0040835d loc_40835d:; Code xref: rc6: trc6: calculatesubkeys (void) + d2j
. Text: 0040835d mov [EBP + m_j], eax
. Text: 00408360 Inc [EBP + m_k]
. Text: 00408363 CMP [EBP + m_k], 85 H
. Text: 0040836a jnz short loc_4082ef
. Text: 0040836c mov ESP, EBP
. Text: 0040836e pop EBP
. Text: 0040836f retn
. Text: 0040836f @ rc6 @ trc6 @ calculatesubkeys $ qqrv endp
. Text: 0040836f

Rc6 can be downloaded everywhere, C. ASM Single Chip Microcomputer accelerated version of Perl. However, some for Delphi users still charge fees, which is a shame. I am in the Workshop.
In the process of simulating its encryption, I encountered a little trouble, B. r. the fixed key length of the rc6 version written by gladman for the AES test is 256bit. I tracked this point for half a day and changed it to 512. There are no other problems. Remove the header file "aes_defs.h. The corner is repaired and supplemented. In addition, it can be seen that gladman has made some optimizations for the election for AES, which may make the speed faster.
 
The following describes the possibility that no program can crack the ciphertext.
The first encryption mode is ECB. A small plaintext change causes only one group of ciphertext changes. It is easy to determine the group length by selecting the plaintext attack, and then deduce the possible encryption algorithm. I made a preliminary judgment on this point before I cut the software.
Secondly, although the key uses bits, the key used for initialization is fixed! In addition, the "tenyks" with only 6 bytes is used, and there is a possibility of brute-force cracking.
In general, although Skynet's configuration file encryption uses a good algorithm, it is a pity that it is only a piece of window paper. The main weakness is that the fixed key is too short. However, even if it is complicated, it is useless.

A brief description of rc6:
Rc6 is one of the series of encryption algorithms designed by Ron Rivest. It is improved from RC5. What is different from RC4 is that RC5 and rc6 are both group encryption algorithms, and because I have participated in the AES trials, they are all designed to adjust the length of keys and groups. Though not selected, it is one of the most outstanding encryption algorithms.
The compilation code of rc6 has the following points:
1, exclusive or less, with many shifts. During key initialization, the Left shift is performed twice in a 132 cycle. The first shift is fixed to three digits. There are four shifts left in the encryption or decryption code. Generally, this shift is represented as a call.
2. There are constants 0xb7e15163 and 0x9e3779b9 in the initialization function.
3. During the encryption process, an integer table with 44 elements is maintained, that is, a total of 176 bytes (l_key in the Code ). Last Post code
 
Rc6 (set_key (const u1byte in_key [], const u4byte key_len) is a function that I have modified and pasted out. If it is not changed, it will not be pasted.

//////////////////////////////////////// //////////////////////////////////////// /////////
// Rc6.c
//...

# Define keylen 64*8 // 512 bit key length only, eg, 64 bytes.

// Initialise the key schedule from the user supplied key
// Void rc6 (set_key (const u1byte in_key [], const u4byte key_len, const Enum dir_flag F ))
Void rc6 (set_key (const u1byte in_key [], const u4byte key_len ))
{
U4byte L [keylen/32], I, J, K, a, B, T;
U1byte * PL = (u1byte *) L;
 
Rc6 (l_key) [0] = 0xb7e15163;
 
For (k = 1; k <44; ++ K)

Rc6 (l_key) [k] = rc6 (l_key) [k-1] + 0x9e3779b9;
 
// For (k = 0; k <key_len/32; ++ K)
// L [k] = u4byte_in (in_key + 4 * k );

For (k = 0; k <keylen/8; ++ K)
PL [k] = in_key [K % key_len];

T = (keylen/32)-1; // t = (key_len/32 );
 
A = B = I = J = 0;
 
For (k = 0; k <132; ++ K)
{
A = rotl (rc6 (l_key) [I] + A + B, 3 );
B + =;
B = rotl (L [J] + B, B );
Rc6 (l_key) [I] = A; L [J] = B;
I = (I = 43? 0: I + 1); // I = (I + 1) % 44;
J = (j = t? 0: J + 1); // J = (J + 1) % T;
}
 
Return;
}

//////////////////////////////////////// //////////////////////////////////////// /////////
// Main. c

# Include "rc6.h"
# Include

Int main (INT argc, char * argv [])
{
Char f [16];
File * fdat, * ftxt;

Fdat = fopen ("apprule. dat", "rb ");
If (! Fdat)
Return 0;

Ftxt = fopen ("apprule.txt", "WB ");
If (! Ftxt)
Return 0;

Rc6 (set_key) ("tenyks", 6 );

While (fread (F, 1, 16, fdat ))
{
Rc6 (decrypt) (F, F );
Fwrite (F, 1, 16, ftxt );
}

Fclose (fdat );
Fclose (ftxt );

Return 1;

// Rc6 (encrypt) (F, F); encryption
// Rc6 (decrypt) (F, F); decrypt

}