|
|
Castork
A computer scientist and security specialist once remarked to me, “from other people’s experiences I’d just waste a lot of time analyzing it and then they make some trivial change, claim it was really unbreakable now, and the whole thing would start again…”
So it is with version 2.1 of UBE 98. A while ago, Mike Stay and Joe Peschel broke one of the first versions of UBE 98. You may want to look at Peschel’s essay, “Breaking the Unbreakable.” A company called at Atlantic Coast subsequently purchased the rights to UBE. Apparently, that company came across Peschel’s essay, as Steve Lee of Atlantic Coast, wrote, in sci.crypt:
“During the Summer, and part way during the BBC "promotion" of the Unbreakable Encryption program my company, in it's naivety bought the rights to the program for a fairly low price, realising it was not perfect but assuming the author knew his subject.The well-known cryptographer Bruce Schneier, wondered if Lee was joking. Still, Lee got responses in the newsgroup. Some suggested how he might fix UBE; other respondents suggested he scrap the project. For more, click here to read messages in dejanews.“You may well laugh at such naivety but I don't think all is lost.
“Over the last few weeks we began to realise something was seriously wrong and have withdrawn evaluation copies from our server and our Compuserve forum and have held any orders on backorder.
“I became aware that the author (who turns out to be 14 years old) was not able to handle criticism from the public well so he has been forwarding any such emails and I have found a hard core of nice people who have been very constructive in helping us analyse all the faults.
“I am due to release a new version (it is due out once my copy of Shrinker arrives to compress the executables) and trust that we have a workable solution. I have had the comments from one member of this Newsgroup that the author is incapable of writing a competent program. Since 1986 I have had people telling me that program authors are not up to it (I have been told that about some (now) pretty well know and respected authors in the past) and am confident that given the right assistance and materials, the author of UBE *can* produce a decent program. It is easier to criticise than to create!
“If anyone can justify it through their personal understanding of security issues, I would be more than pleased to send a pre-release version over the next few days from the date of this message (licensed). I would rather give away a hundred licenses and get it right than screw up with a stupid design fault on release.
“I am writing this message in the spirit of goodwill and would be grateful if you would consider responding similarly.”
Instead, the company chose to ignore the advice given in sci.crypt.
UBE 98 most fatal flaw is it’s implementation of a 255 byte modified RC4 key. The key is always the same, despite what you’ll read as you install the program. That key is protected by a password, which you can change. Changing the password, however, does not affect encryption.
Apparently, the company determined that the implementation of the encryption algorithm was correct, or, they just assumed, naively, that it had to be right. In either case, they must have determined that Peschel’s attack on the code was the only weakness that need to be defended. This attack simply changed a jump instruction to bypass the password. So the company, apparently, decided to “fix” UBE by preventing disassembly of the HOOK32.EXE, and any self-extracting encrypted file. Their solution was to use a file compressor called Shrinker. Shrinker does prevent disassembly of the code, until, of course, you un-shrink the files using any of various de- or un-shrinkers.
Now, I looked at a dead-listing of the code of HOOK32.EXE and self-extracting files. My problem was with the latter dead-listing in that when I de-shrunk a self-extracting file, the program did correctly decrypt the file. Even a good password failed to work. (Perhaps, someone who is more adept at de-compressing PE files will have better luck. If you do, e-mail me!)
I decided to use to SoftICE to crack UBE. After trying several different breakpoints to explore to UBE, I decided on using HMEMCPY. It appears that this API will give results quicker than others. After following along in the code for a while I discovered that UBE leaves the good password in memory unencrypted!
1. In Explorer, right-click on a .UBE file.
2. Type in a password; for example “badpass,” and uncheck the “Shred original objects” box. (We may want to look at the original encrypted file later.
3. CTRL+D to bring up SoftICE.
4. Set a BPX (breakpoint on execution) on HMEMCPY.
5. F5
6. Once you are back at the UBE screen, click “Decrypt,” and SoftICE should pop.
7. Instead of pressing F10 about 25 times (to the REPZ MOVSD instruction)F10 utnil you get to line :9E3C.
8. At the instruction there dump the contents of the ESI register: d esi. You should see the password you entered, in this case “badpass.” On my system it’s at 2BAF:000001D2.
9. Now we’d like to find out where this information will be copied. So, after stepping to :9E8C we d es:edi.
10. In the Data Window, you’ll see the segment: offset that your spurious password will occupy. In my case, it’s 2FFF:00000000. Of course, there is nothing significant in that location, yet.
11. Now press F10 until you are the past the second REPZ MOVSB instruction. You’ll notice the password we entered now in the above data location. (You may have also noticed “badpass” gradually appearing as you pressed F10.)
12. The segment 2FFF seems strange so we’ll use the page command: page 2fff:00000000 to determine a linear address.
13. This command shows 10824454 as the linear address, and it’s there where we’ll set a breakpoint on range using selector 30: brp 30:10824454 30:10824454+7 rw.
14. This breakpoint will monitor all of the reads and writes in this 7 byte range.
15. Now, we’ll disable the breakpoint of HMEMCPY: bd: 00.
16. Press F5 to continue the UBE program. SoftICE should pop, breaking on a read to our memory range. (I landed at 014F:00403d33.)
17. Dump the contents of the EDI register: d edi, and you’ll see your spurious password. Now dump the contents of the ESI register: d esi, and you’ll see the correct password unencrypted. (In my case it was at: 157:10823DC0)
00) BPX KERNEL!HMEMCPY Break due to BPX KERNEL!HMEMCPY (ET=5.55 seconds) KERNEL!HMEMCPY 012F:9E18 55 PUSH BP 012F:9E19 8BEC MOV BP,SP 012F:9E1B 1E PUSH DS 012F:9E1C 6657 PUSH EDI 012F:9E1E 6656 PUSH ESI 012F:9E20 FC CLD 012F:9E21 668B4E06 MOV ECX,[BP+06] 012F:9E25 67E377 JECXZ 9E9F (NO JUMP) 012F:9E28 6633F6 XOR ESI,ESI 012F:9E2B 668BFE MOV EDI,ESI 012F:9E2E C5760A LDS SI,[BP+0A] 012F:9E31 C47E0E LES DI,[BP+0E] 012F:9E34 668B460A MOV EAX,[BP+0A] 012F:9E38 663B460E CMP EAX,[BP+0E] 012F:9E3C 734E JAE 9E8C (JUMP DOWN) :d esi here! 012F:9E3E 66C1C010 ROL EAX,10 012F:9E42 C1E803 SHR AX,03 012F:9E45 66C1C010 ROL EAX,10 012F:9E49 6603C1 ADD EAX,ECX 012F:9E4C 668B560E MOV EDX,[BP+0E] 012F:9E50 66C1C210 ROL EDX,10 012F:9E54 C1EA03 SHR DX,03 012F:9E57 66C1C210 ROL EDX,10 012F:9E5B 663BC2 CMP EAX,EDX 012F:9E5E 722C JB 9E8C 012F:9E60 FD STD 012F:9E61 6603F9 ADD EDI,ECX 012F:9E64 6603F1 ADD ESI,ECX 012F:9E67 6683EF04 SUB EDI,04 012F:9E6B 6683EE04 SUB ESI,04 012F:9E6F 6651 PUSH ECX 012F:9E71 66C1E902 SHR ECX,02 012F:9E75 F36766A5 REPZ MOVSD 012F:9E79 6683C703 ADD EDI,03 012F:9E7D 6683C603 ADD ESI,03 012F:9E81 6659 POP ECX 012F:9E83 6683E103 AND ECX,03 012F:9E87 F367A4 REPZ MOVSB 012F:9E8A EB13 JMP 9E9F 012F:9E8C 6651 PUSH ECX :d es:edi here! 012F:9E8E 66C1E902 SHR ECX,02 012F:9E92 F36766A5 REPZ MOVSD 012F:9E96 6659 POP ECX 012F:9E98 6683E103 AND ECX,03 012F:9E9C F367A4 REPZ MOVSB 012F:9E9F 33D2 XOR DX,DX the bad password appears :page 2fff:00000000 Linear Physical Attributes Type 10824454 031D0454 P D A U RW System :bpr 30:10824454 30:10824454+7 rw :bd 0 Hit F5. Break due to BPR #0030:10824454 #0030:1082445B RW :d esi 014F:00403D33 8B1F MOV EBX,[EDI] d:esi (for real password)Besides leaving the good password in the clear, UBE also decrypts the message in memory. Additionally, if you wander about for a time, you’ll find the key in memory! This can all be done by entering the wrong password – and, of course, using SoftICE.
Having re-booted, go to Explorer and double-click 2-1test.txt.ube. (Notice that UBE tells us what type of file is encrypted, namely, here, a text file.)
Our approach in finding the password to UBE’s self-extracting encrypted files begins the by using the method of extracting UBE’s conventionally encrypted files. As before, we’ll begin by setting a BPX on HMEMCPY. Likewise, we’ll execute a page command to find the linear address for setting a breakpoint on range. We’ll do a bit more stepping with F10 than we previously did and we’ll toggle a jump flag, but we’ll eventually find the real password in the clear, but, in a different register than before.
Let’s enter, as before, “badpass” as our password. Make sure SoftICE is running.
1. CTRL+D to start SoftICE. Set a BPX on HMEMCPY.
2. F5.
3. Now that you are back at the UBE self-extracting file, click “Decrypt.”
4. SoftICE should pop on the breakpoint you set, landing in KERNEL!HMEMCPY.
5. Step over the instructions, as before using the F10 key.
6. At :9E3C dump the contents of ESI; it’s the bad password you entered.
7. Upon our next step (hitting F10 once again) we’ll jump to :9E8C.
8. Let’s dump es:edi to find the location where “badpass” will be copied. On my system it was 1C27:00000000.
9. Continue stepping till you get to the line :9E9F. Now we should see “badpass” in the Data Window.
10. We’ll now page 1C27:00000000, as before, so that we’ll get linear address to set our BPR on.
11. In my case, that meant setting a :bpr 30:008c6040 30:008c6040+7 rw.
12. Disable the breakpoint that you set on HMEMCPY, and press F5.
13. Press F5 and SoftICE should break as UBE read the memory range where “badpass” was copied.
14. I ended up at :00406869.
15. This time we’ll continue to step (F10) Our goal is to reach the RET instruction at :00406881.
16. Along the way is a JB and a JA instruction that don’t jump, but JNZ at :0040687C does cause a jump up in the code, back to where we started at :00406869. In fact, if you continue to step you’ll jump about a half-dozen times before you reach :0040687E. Most annoying. If you don’t care to take so many jumps you can toggle the jump flag at :0040687C by issuing the command :r fl z. In either case, you’ll eventually get to the RET instruction by continuing to step through the code.
17. The RET instruction will take us to :00433E78, and we’ll continue to step until we reach the CALL at :00433E84.
18. Now, for amusement, we’ll dump ESI which tells us the filename, dump ECX and we’ll “badpass” in upper case, and, finally, dump EDX for the correct password, “scrotum.”
:bpx hmemcpy Break due to BPX KERNEL!HMEMCPY (ET=7.42 seconds) KERNEL!HMEMCPY 012F:9E18 55 PUSH BP 012F:9E19 8BEC MOV BP,SP 012F:9E1B 1E PUSH DS 012F:9E1C 6657 PUSH EDI 012F:9E1E 6656 PUSH ESI 012F:9E20 FC CLD 012F:9E21 668B4E06 MOV ECX,[BP+06] 012F:9E25 67E377 JECXZ 9E9F (NO JUMP) 012F:9E28 6633F6 XOR ESI,ESI 012F:9E2B 668BFE MOV EDI,ESI 012F:9E2E C5760A LDS SI,[BP+0A] 012F:9E31 C47E0E LES DI,[BP+0E] 012F:9E34 668B460A MOV EAX,[BP+0A] 012F:9E38 663B460E CMP EAX,[BP+0E] 012F:9E3C 734E JAE 9E8C (JUMP DOWN) :d esi here! 012F:9E3E 66C1C010 ROL EAX,10 012F:9E42 C1E803 SHR AX,03 012F:9E45 66C1C010 ROL EAX,10 012F:9E49 6603C1 ADD EAX,ECX 012F:9E4C 668B560E MOV EDX,[BP+0E] 012F:9E50 66C1C210 ROL EDX,10 012F:9E54 C1EA03 SHR DX,03 012F:9E57 66C1C210 ROL EDX,10 012F:9E5B 663BC2 CMP EAX,EDX 012F:9E5E 722C JB 9E8C 012F:9E60 FD STD 012F:9E61 6603F9 ADD EDI,ECX 012F:9E64 6603F1 ADD ESI,ECX 012F:9E67 6683EF04 SUB EDI,04 012F:9E6B 6683EE04 SUB ESI,04 012F:9E6F 6651 PUSH ECX 012F:9E71 66C1E902 SHR ECX,02 012F:9E75 F36766A5 REPZ MOVSD 012F:9E79 6683C703 ADD EDI,03 012F:9E7D 6683C603 ADD ESI,03 012F:9E81 6659 POP ECX 012F:9E83 6683E103 AND ECX,03 012F:9E87 F367A4 REPZ MOVSB 012F:9E8A EB13 JMP 9E9F 012F:9E8C 6651 PUSH ECX :d es:edi 012F:9E8E 66C1E902 SHR ECX,02 012F:9E92 F36766A5 REPZ MOVSD 012F:9E96 6659 POP ECX 012F:9E98 6683E103 AND ECX,03 012F:9E9C F367A4 REPZ MOVSB 012F:9E9F 33D2 XOR DX,DX the bad password appears :page 1c27:00000000 Linear Physical Attributes Type 008C6040 02AA9040 P D A U RW System :bpr 30:008c6040 30:008c6040+7 rw :bd 0 F5 Break due to BPR #0030:008C6040 #0030:008C6047 RW 014F:00406869 8A02 MOV AL,[EDX] 014F:0040686B 3C61 CMP AL,61 014F:0040686D 7206 JB 00406875 (NO JUMP) 014F:0040686F 3C7A CMP AL,7A 014F:00406871 7702 JA 00406875 (NO JUMP) 014F:00406873 2C20 SUB AL,20 014F:00406875 8806 MOV [ESI],AL 014F:00406877 42 INC EDX 014F:00406878 46 INC ESI 014F:00406879 4B DEC EBX 014F:0040687A 85DB TEST EBX,EBX 014F:0040687C 75EB JNZ 00406869 (JUMP UP) * 014F:0040687E 5F POP EDI 014F:0040687F 5E POP ESI 014F:00406880 5B POP EBX 014F:00406881 C3 RET *At this jump you may want to change the flag so that the instruction does not jump :r fl z; otherwise pressing F10 will jump several times before reaching RET. Finally, after pressing F10, RET takes us to this code snippet: 014F:00433E78 8B45FC MOV EAX,[EBP-04] 014F:00433E7B 50 PUSH EAX 014F:00433E7C 8D45F0 LEA EAX,[EBP-10] 014F:00433E7F BAF0674300 MOV EDX,004367F0 014F:00433E84 E82FFAFCFF CALL 004038B8 :d edx And the real password appears.You can look for the decrypted plaintext in memory, too, and wander about searching for the key.
Here’s a self-extracting encrypted file for you to examine.
Good luck!
Write and let me know about your methods.
Ps. : In its disclaimer, the company writes:
"Whilst we have called the program "Unbreakable Encryption" this is a marketing title rather than a description of the functionality of the program. We can make no claims as to the "unbreakability" or otherwise of this program as, being humans, we do not know the abilities of future or present computers and software.Quite a weasel clause, isnt it?“Please rest assured that as soon as any bona-fide problem is brought to our attention, if we can, we will try to resolve the problem in good time and will upgrade all users on our maintenance plan (Extended Support).”
Do you think they will really fix anything?
Copyright Castork, April, 1999.
Converted to hypertext by Joe Peschel April 14, 1999.
