here is an update
got the debugger working with encrypted spu files.
Now this is gonna be very technical, so I hope there are gonna be some math freaks out there.
been testing this on the lv0 from 4.11.
there are two goodies: the debugger for SPU encrypted files, and an exploit.
Open ida pro 32 bit (important)
For debugging encrypted elf choose metapc in ida, then bin file.
Go to remote debugger options, choose "run command before debugging", and choose full Linux system.
Go to setup host, then choose localhost and port 8832.
Wupti, you go into debugging mode.
Then there is the other thing
this is for coders and math people
Download this pack.
http://www.filedropper.com/pdbforida
it contains PDB files (information files).
go to file------->load pdb------------>open one of the pdb files.
uncheck local types
the PDB information files loads into ida and the lv0
you could just load the header PDB, and delete the header
section
but we will load one of the crypto information files.
Now in the function window all the encrypted places in the lv0 show up, and there are a lot since it's encrypted.
But the information files are clever and can tell what the areas of the file mean, and rename the functions.
Keep in mind that IDA's PDB loader applies the names at the addresses recorded in the PDB; it does not check that the bytes at those addresses are the code the PDB describes, so a rename only means something if the PDB was built from this exact binary.
here are just some
Scroll that way ------------->
Code:
CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>(ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>> const &) seg000 00027C80 0000002D R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>(void) seg000 00019900 00000039 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::Clone(void) seg000 0002EBD0 00000097 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::operator=(CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>> const &) seg000 00027870 0000002D R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::~ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>(void) seg000 00027FF0 00000025 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA224,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA224>>::Clone(void) seg000 0002F320 00000097 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA256,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA256>>::Clone(void) seg000 0002EFF0 00000097 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>(ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>> const &) seg000 0001AA7C 00000004 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>(ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>> const &) seg000 00028390 0000002E R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::Clone(void) seg000 0002FA80 00000097 R F . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::operator=(CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>> const &) seg000 0001ABC0 0000000B R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::~ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>(void) seg000 0001AB70 0000001D R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>>::ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>>(void) seg000 000287F0 00000027 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>>::operator=(CryptoPP::ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>> const &) seg000 000283F0 0000002D R F . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>>::~ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>>(void) seg000 000283C0 00000024 R . . . . T .
Now we click one function and it goes to the IDA view.
Then we press F5 to show the calls.
And Wupti,
this is the first SHA1 function shown:
Code:
// Hex-Rays pseudocode produced after loading a CryptoPP PDB over the encrypted lv0.
// The symbol names this as the SHA1 ClonableImpl copy-constructor, yet both parameter
// types say SHA224: the name was placed here by the PDB's address table and does not
// agree with what the decompiler sees in the bytes.
void __thiscall CryptoPP__ClonableImpl_CryptoPP__SHA1_CryptoPP__AlgorithmImpl_CryptoPP__IteratedHash_unsigned_int_CryptoPP__EnumToType_enum__CryptoPP__ByteOrder_1__64_CryptoPP__HashTransformation__CryptoPP__SHA1____ClonableImpl_CryptoPP__SHA1_CryptoPP__AlgorithmImpl_CryptoPP__IteratedHash_unsigned_int_CryptoPP__EnumToType_enum__CryptoPP__ByteOrder_1__64_CryptoPP__HashTransformation__CryptoPP__SHA1__(CryptoPP::ClonableImpl<CryptoPP::SHA224,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned int,CryptoPP::EnumToType<enum CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA224> > *this, CryptoPP::ClonableImpl<CryptoPP::SHA224,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned int,CryptoPP::EnumToType<enum CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA224> > *__that)
{
// Bare flag/register writes (CF, OF, AL, ZF, SF): the decompiler could not express the
// underlying instructions as C, so it shows their side effects directly.
_CF = 1;
_OF = 0;
_AL = -47;
_ZF = 0;
_SF = 1;
// DAA is a BCD decimal-adjust instruction; a C++ compiler does not emit it in a
// constructor. Together with the type mismatch above, this reads as the decompiler
// interpreting ciphertext, not a recovered function body.
__asm
{
daa
pushf
}
// JUMPOUT: control leaves the function through an address Hex-Rays could not
// resolve (unk_27C93), so nothing here is a complete routine.
JUMPOUT(*(int *)unk_27C93);
}
or the key agreement function shown:
Code:
// Hex-Rays pseudocode for a symbol the PDB labels as a DH key-agreement destructor.
// __usercall with a1..a3 bound to edx/ecx/esi means the decompiler could not match any
// standard calling convention; the ten stack arguments a4..a13 are likewise its guess.
void __usercall CryptoPP__DL_KeyAgreementAlgorithm_DH_CryptoPP__Integer_CryptoPP__EnumToType_enum_CryptoPP__CofactorMultiplicationOption_0_____AgreeWithStaticPrivateKey____1___dtor_9(int a1<edx>, int a2<ecx>, int a3<esi>, int a4, int a5, int a6, int a7, int a8, int a9, int a10, int a11, int a12, int a13)
{
char v13; // t0@1 -- temporary holding the rotated byte
int v14; // eax@1
int v15; // ecx@1
// Rotate-left of one byte at a fixed ~1.6 GB offset from a register, written back in place.
v13 = __ROL__(*(_BYTE *)(a2 + 1684849656), a2);
*(_BYTE *)(a2 + 1684849656) = v13;
v14 = *(_DWORD *)(a3 + 4);
// Writes into the caller's argument area (relative to a13) at a register-scaled offset.
*((_BYTE *)&a13 + 8 * a2 + 3) ^= BYTE1(v14);
v15 = a2 - 1;
LOBYTE(v14) = v15 | v14;
vf352b1d1 = v14; // presumably a global that IDA named only by its address
*(_DWORD *)(2 * a1 + 0x78732B0E) |= v15;
// IRET (interrupt return) closing what the symbol calls a user-mode C++ destructor:
// like the absolute constants above, a sign these bytes are encrypted data, not code.
__asm { iret }
}
One more
Code:
// Hex-Rays pseudocode for a symbol the PDB labels as the RSA-OAEP(SHA1) decryptor's
// AccessPrivateKey accessor. The parameter list is already cut off ("CryptoPP::Inv *this"),
// and the symbol name appears to be an MSVC-mangled string with its punctuation replaced,
// so the PDB's names were not fully demangled before being applied.
CryptoPP::PrivateKey *__cdecl _AccessPrivateKey___TF_ObjectImplBase_VTF_DecryptorBase_CryptoPP__U__TF_CryptoSchemeOptions_V__TF_ES_V__OAEP_VSHA1_CryptoPP__VP1363_MGF1_2__CryptoPP__URSA_2_H_CryptoPP__URSA_2_V__OAEP_VSHA1_CryptoPP__VP1363_MGF1_2__2__2_VInvertibleRSAFunction_2__CryptoPP__UEAAAEAVPrivateKey_2_XZ(CryptoPP::TF_ObjectImplBase<CryptoPP::TF_DecryptorBase,CryptoPP::TF_CryptoSchemeOptions<CryptoPP::TF_ES<CryptoPP::OAEP<CryptoPP::SHA1,CryptoPP::P1363_MGF1>,CryptoPP::RSA,int>,CryptoPP::RSA,CryptoPP::OAEP<CryptoPP::SHA1,CryptoPP::P1363_MGF1> >,CryptoPP::Inv *this)
{
signed __int16 v1; // ax@1
char v2; // sf@1 -- sign flag, read below before anything sets it
char v3; // of@1 -- overflow flag, same
int v4; // ebx@1 -- never assigned in this listing
int v5; // edi@1 -- never assigned in this listing
// An unconditional JUMPOUT as the first statement: from the decompiler's point of view
// everything below it is unreachable.
JUMPOUT();
HIBYTE(v1) ^= 0x80u;
// UNDEF marks values used before any definition -- the flags feeding the next JUMPOUT.
UNDEF(v2);
UNDEF(v3);
// Divides by a byte read from memory with no zero check.
*(_BYTE *)(v5 + 11) = v1 / *(_BYTE *)(v4 - 11);
// Conditional jump to an address loaded from one byte past another PDB-named symbol
// (AlgorithmName), i.e. into the middle of whatever the PDB placed there.
JUMPOUT(
!((unsigned __int8)v2 ^ (unsigned __int8)v3),
*(unsigned int *)((char *)_AlgorithmName___AlgorithmImpl_VTF_DecryptorBase_CryptoPP__V__TF_ES_V__OAEP_VSHA1_CryptoPP__VP1363_MGF1_2__CryptoPP__URSA_2_H_2__CryptoPP__UEBA_AV__basic_string_DU__char_traits_D_std__V__allocator_D_2__std__XZ
+ 1));
// BOUND (array-bounds trap) and AAD (ASCII adjust, BCD) are not instructions a C++
// compiler emits for an accessor; as in the other listings, this is the decompiler
// reading encrypted bytes.
__asm { bound esi, [ebx-2C94F74Dh] }
_EAX = 904458821;
__asm { aad 0FEh }
// Indirect jump through the address of the GetPrivateKey symbol; the pasted listing
// ends here without the function's closing brace.
JUMPOUT(*(int *)_GetPrivateKey___TF_ObjectImplBase_VTF_DecryptorBase_CryptoPP__U__TF_CryptoSchemeOptions_V__TF_ES_V__OAEP_VSHA1_CryptoPP__VP1363_MGF1_2__CryptoPP__URSA_2_H_CryptoPP__URSA_2_V__OAEP_VSHA1_CryptoPP__VP1363_MGF1_2__2__2_VInvertibleRSAFunction_2__CryptoPP__UEBAAEBVPrivateKey_2_XZ);
So we got debugging of encrypted lv0 from 4.11 and function calls.
The function calls are pretty long, but not all of it is about keys.
And all the functions for the algorithm are there too; we just have to keep pressing F5.
If the coders and math people get together, no one can stop you.
I would recommend loading the header information files.
and get the information about the header.
regards
Last edited by zadow28; 04-11-2012 at 06:19 AM.