ZenHAX


All times are UTC




 Post subject: aes 128 cbc block
PostPosted: Thu Dec 31, 2020 1:12 am 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 363
I have this function in c#
Code:
    private void cipher(byte[] buffer, int offset, int count, long streamPos)
    {
        //find block number
        var blockSizeInByte = aes.BlockSize / 8;
        var blockNumber = (streamPos / blockSizeInByte) + 1;
        var keyPos = streamPos % blockSizeInByte;
 
        //buffer
        var outBuffer = new byte[blockSizeInByte];
        var nonce = new byte[blockSizeInByte];
        var init = false;
 
        for (int i = offset; i < count; i++)
        {
            //encrypt the nonce to form next xor buffer (unique key)
            if (!init || (keyPos % blockSizeInByte) == 0)
            {
                BitConverter.GetBytes(blockNumber).CopyTo(nonce, 0);
                encryptor.TransformBlock(nonce, 0, nonce.Length, outBuffer, 0);
                if (init) keyPos = 0;
                init = true;
                blockNumber++;
            }
            buffer[i] ^= outBuffer[keyPos]; //simple XOR with generated unique key
            keyPos++;
        }
    }


It's generating an XOR key 16 bytes at a time, starting with 1, going to x number and ending at 0.

and here is a quick example

Code:
# py 3.9
# pip install pycryptodome
# pip install passlib
from Crypto.Cipher import AES
from passlib.utils.pbkdf2 import pbkdf1
from struct import pack_into


password = b'Jr9DW9ksMRv1Lc796mrwv145fXC3L5VcpmKE5VfCuvbrpZGfYwXMpwo9sGkJ54zHse4G7zftpjkhqHHY60O7aQPj4M2ekKMSw094PmXRkN4ftTmDFlYMPmwK8QvhJ20H'
salt = b'Jr9DW9ksMRv1Lc796mrwv145fXC3L5VcpmKE5VfCuvbrpZGfYwXMpwo9sGkJ54zHse4G7zftpjkhqHHY60O7aQPj4M2ekKMSw094PmXRkN4ftTmDFlYMPmwK8QvhJ20H'
key = pbkdf1(password, salt, 100, keylen=16, hash='sha1')

block_key = key[:16]
block_size = 0x2000
nonce = bytearray([0] * (block_size * 16))

aes = AES.new(block_key, mode = AES.MODE_ECB)

for i in range(0, block_size):
    # little-endian counter, the byte order BitConverter.GetBytes produces on x86/x64
    pack_into('<I', nonce, i * 16, (i + 1) % block_size)

out = aes.encrypt(nonce)
print(out.hex())


Code:
    PasswordDeriveBytes pdb = new PasswordDeriveBytes(pwd, salt, "Sha1", 100);
    var buffer = pdb.GetBytes(0x10);
    var nonce = new byte[0x2000];
    var outBuffer = new byte[0x2000];

    var aes = new AesManaged();
    aes.KeySize = 128;
    aes.Mode = CipherMode.ECB;
    aes.Padding = PaddingMode.None;
    aes.Key = buffer;
    aes.IV = buffer;
    var encryptor = aes.CreateEncryptor(aes.Key, aes.IV);
    var block = 1;

    BitConverter.GetBytes(block).CopyTo(nonce, 0);
    encryptor.TransformBlock(nonce, 0, nonce.Length, outBuffer, 0);


So let's say
buffer is '8e2e1d5a5e3a4a1c7388f6b8d7779d7b'

the key is pushed to outbuffer
the first key block 1 would be
"31 0D 83 A9 D0 C0 10 4F FC ED 31 A7 56 E7 8A 85"
the 2nd key block 2 would be
"12 5F 47 C9 11 0C 35 12 D1 AE 25 EA 15 6C C0 0D"
the third key block 3 would be
"E4 E8 EF A9 4C B1 A2 92 AF 54 F0 E8 A4 88 BF BC"
and it would end on block 0
"FA DB B4 83 B5 DC CC EB 51 1C 3D 28 A3 00 53 3F"

How would this be handled in quickbms?


Last edited by chrrox on Thu Jan 14, 2021 5:42 pm, edited 10 times in total.

   
 Post subject: Re: aes 128 cbc block
PostPosted: Mon Jan 11, 2021 2:08 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 363
Working example to try it online

Code:
using System;
using System.Security.Cryptography;
using System.Text;

               
public class Program
{
    public static void Main()
    {
        string password = "Jr9DW9ksMRv1Lc796mrwv145fXC3L5VcpmKE5VfCuvbrpZGfYwXMpwo9sGkJ54zHse4G7zftpjkhqHHY60O7aQPj4M2ekKMSw094PmXRkN4ftTmDFlYMPmwK8QvhJ20H";
        byte[] salt = Encoding.UTF8.GetBytes("Jr9DW9ksMRv1Lc796mrwv145fXC3L5VcpmKE5VfCuvbrpZGfYwXMpwo9sGkJ54zHse4G7zftpjkhqHHY60O7aQPj4M2ekKMSw094PmXRkN4ftTmDFlYMPmwK8QvhJ20H");
        var key = new PasswordDeriveBytes(password, salt, "Sha1", 100);

        byte[] Key = key.GetBytes(16);
        var nonce = new byte[0x2000];
        var outBuffer = new byte[0x2000];

        var aes = new AesManaged();
        aes.KeySize = 128;
        aes.Mode = CipherMode.ECB;
        aes.Padding = PaddingMode.None;
        aes.Key = Key;
        aes.IV = new byte[16];
        var encryptor = aes.CreateEncryptor(aes.Key, aes.IV);
        var block = 1;

        BitConverter.GetBytes(block).CopyTo(nonce, 0);
        encryptor.TransformBlock(nonce, 0, nonce.Length, outBuffer, 0);
        Console.WriteLine(outBuffer[0]);
        Console.WriteLine(outBuffer[1]);
        Console.WriteLine(outBuffer[2]);
        Console.WriteLine(outBuffer[3]);
    }
}


   
 Post subject: Re: aes 128 cbc block
PostPosted: Thu Jan 14, 2021 6:27 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 363
This does this in quickbms to match the xor key.

Code:
set FINAL_SIZE 0x20000
putvarchr MEMORY_FILE FINAL_SIZE 0
for i = 0 < 0x2000
set j long i
math j * 16
set k long i
math k + 1
math k % 0x2000
putvarchr MEMORY_FILE j k long
next i
encryption mcrypt_rijndael-128_ecb "\x8E\x2E\x1D\x5A\x5E\x3A\x4A\x1C\x73\x88\xF6\xB8\xD7\x77\x9D\x7B"  "" 1 16
log NAME 0 FINAL_SIZE MEMORY_FILE


I just can't generate the key in quickbms; I can't find PBKDF1.
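Added example, not part of the original posts and not QuickBMS code: PBKDF1 is small enough to compute offline with only the Python standard library, and the result can be pasted into the `encryption` line as a `\x..` string. It assumes, as the thread's Python snippet does, that PBKDF1 with SHA-1 and 100 iterations reproduces the 16-byte key; the function names `pbkdf1` and `quickbms_literal` are chosen for this example.

```python
import hashlib

# Password and salt as posted in the thread (the same string is used for both).
THREAD_SECRET = b"Jr9DW9ksMRv1Lc796mrwv145fXC3L5VcpmKE5VfCuvbrpZGfYwXMpwo9sGkJ54zHse4G7zftpjkhqHHY60O7aQPj4M2ekKMSw094PmXRkN4ftTmDFlYMPmwK8QvhJ20H"


def pbkdf1(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha1") -> bytes:
    """PBKDF1: T1 = H(password || salt), Ti = H(T(i-1)), key = Tc[:dklen]."""
    digest_size = hashlib.new(hash_name).digest_size
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    if not 1 <= dklen <= digest_size:
        # PBKDF1 cannot produce more than one digest of output (20 bytes for SHA-1).
        raise ValueError("dklen must be between 1 and %d" % digest_size)
    t = hashlib.new(hash_name, password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.new(hash_name, t).digest()
    return t[:dklen]


def quickbms_literal(key: bytes) -> str:
    """Format key bytes as the escaped string used in the thread's script."""
    return "".join("\\x%02X" % b for b in key)


if __name__ == "__main__":
    # Same parameters as the thread: SHA-1, 100 iterations, 16-byte AES-128 key.
    key = pbkdf1(THREAD_SECRET, THREAD_SECRET, 100, 16)
    print('encryption mcrypt_rijndael-128_ecb "%s" "" 1 16' % quickbms_literal(key))
```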

