Join Hands for Open Source Sify Dialer

nishnet2002

Newbie
[OP]
Jan 11, 2005
15
0
Hello guys, I have kind of worked on BBClient.exe to find its encryption/decryption technique... well, the exams are on my head so I didn't give it much time.. the following data might be useful to reverse engineer the code..

Sify has come up with a new broadband dialer. The technical details I found out are as follows:

1) The BBClient sends data using some encryption technique.


2) The data sent is in the following format:
cons= ....240 characters.....&macaddress=0C-0C-0C-0C-0C-0C
The characters found to be:
* nos 1 -- 9
* alpha a --- f
This concludes that it is represented in HEXADECIMAL FORMAT.


3) CONS contains encrypted data as follows:
&curservid=.....&prevservid=....&version=....&sessionid=...&srcip=....&username=...&password=..

(I am still guessing what these are for: curservid and prevservid)


4) There are two keys embedded into BBClient.exe
key1=29355d121c211de0717c127166713ebb
(key2 I will give it later)


5) One key is found in Crypt.dll which is as follows:
F9E5CCCE853B11D4A5470050DA8C23EA

--- I will work on this after my exams; by that time I hope someone will carry forward the work.
 

Tushar

Regular
Regulars
May 5, 2005
341
0
Hmm, interesting, so they are encrypting and not hashing :S

Anyways, even I've got my exams coming so I can't contribute much...... :(. Nevertheless, great work on the disassembly.

My guess for servid would be the Service Plan ID like QMU7/QMU1 etc. No idea what previous and current are for though...

Are you confident that it's encrypted and not hashed, and that there are 7 values sent and not 6? Coz if you do a SHA-1 hash of the 6 values, that's 40 * 6 = 240 characters in hex format. Maybe the keys are just a salt....... I will check later, if I get the time, whether a SHA-1 of the following values yields the same result as what is sent to the server.

One thing to keep in mind is that they are using a PHP backend, so the encryption method should be available in PHP. A base_64 most probably if it's an encrypted value.
 

kingkrool

Regular
Regulars
May 3, 2005
108
0
240 chars? No wonder I couldn't figure it out... I was stuck on 239.. I got it from your dump. Anyway, that does look suspiciously like SHA-1 except for the fact that there are seven values rather than the necessary 6.
BTW, how did you figure out the contents of the string?
The keys could be something else entirely, but they are 128-bit... so possibly that is some form of symmetric encryption/authentication.

If instead of seven items, there are 6, then we have 160 bits per item, ie a 160 bit block. And that could be the following:
http://en.wikipedia.org/wiki/SHACAL

SHACAL-1 uses keys of 128 bits (which are padded up to 512 bits).

"My guess for servid would be the Service Plan ID like QMU7/QMU1 etc"
I don't think so. All those fields must either be entered by the user (username/pass), be available from the system (IP) or be retrieved from the server (sessionid). But how could it possibly know which service plan ID to use for the login? That information (mapping of service plan to login) is available after logging in, not before.
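The length arithmetic in the two posts above (240 hex characters = 6 × 40, i.e. six 160-bit values, versus seven fields) can be checked mechanically. This is an added example, not code from the thread or from Sify: it parses a constructed `cons=...&macaddress=...` request, verifies the hex alphabet, reports which block sizes the blob length is consistent with, and tests Tushar's "SHA-1 of each value" hypothesis against sample field values. The field names, their order and the values are assumptions for illustration.

```python
import hashlib
from urllib.parse import parse_qs

# Constructed sample values for six candidate fields (hypothetical; the real
# dialer's field order and values are not known from the thread).
SAMPLE_FIELDS = {
    "curservid": "1", "prevservid": "0", "version": "1.0",
    "sessionid": "abc123", "srcip": "10.0.0.5", "username": "test",
}

def per_field_sha1(fields):
    """Hash each field value separately and concatenate the hex digests:
    the 'SHA-1 of each of the 6 values' hypothesis from the thread."""
    return "".join(hashlib.sha1(v.encode()).hexdigest() for v in fields.values())

def build_request(fields, mac="0C-0C-0C-0C-0C-0C"):
    """Build a request in the observed cons=...&macaddress=... shape (constructed)."""
    return f"cons={per_field_sha1(fields)}&macaddress={mac}"

def analyse_cons(request):
    """Report the cons blob's length, alphabet and the block sizes it is
    consistent with (kingkrool's 160-bit-block reasoning)."""
    cons = parse_qs(request, keep_blank_values=True)["cons"][0]
    is_hex = all(c in "0123456789abcdefABCDEF" for c in cons)
    n = len(cons)
    return {
        "length": n,
        "is_hex": is_hex,
        "bits": n * 4 if is_hex else None,
        # 40 hex chars per SHA-1 digest (160 bits); 32 per 128-bit block
        "sha1_blocks": n // 40 if is_hex and n % 40 == 0 else None,
        "blocks_128bit": n // 32 if is_hex and n % 32 == 0 else None,
    }

def matches_sha1_hypothesis(request, fields):
    """True if the observed cons blob equals the per-field SHA-1 concatenation
    of the candidate field values (the check Tushar proposed)."""
    observed = parse_qs(request, keep_blank_values=True)["cons"][0]
    return observed.lower() == per_field_sha1(fields)

if __name__ == "__main__":
    req = build_request(SAMPLE_FIELDS)
    print(analyse_cons(req))
    print(matches_sha1_hypothesis(req, SAMPLE_FIELDS))
```

With six fields the blob is exactly 240 hex characters and divides into six SHA-1 digests but not into 128-bit blocks; with seven fields it would be 280 characters, which is why the field count matters for the hypothesis.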
 


Tushar

Regular
Regulars
May 5, 2005
341
0
Bah, never mind my post, it's too late in the night for my brains to work :P.

Like I said in the other thread, the vars can be from the following:
ip
macaddress
os
version
php_session_id
username
password

I had stated that the key I gave in the dump was edited........

"BTW, how did you figure out the contents of the string?"
On disassembling, any good disassembler will list the String Outputs, this is one of them.
 

max

Regulars
Regulars
Oct 6, 2005
2,766
6
Good good :). Let us all work towards it. Like all engineering students, I too have my exams.

BTW, can someone figure out the API that crypt.dll uses? Can we use it without actually breaking their encryption? Please correct me if we can't use their DLL. I am not knowledgeable about Windows programming.

Tushar / other Sify users, I have one request for you guys. Put in dummy user names and passwords like test and test and find out the encryption string. Do this with at least 5 to 10 username / password combos. We can take the help of some people who know about encryption. Maybe they can figure out what the heck the encryption is!

And please remember, I don't personally own a Sify connection. So I can't do any testing on my side. But if I am given the protocol specs then I can whip up a client for Linux and possibly for Windows too! :D
 

kingkrool

Regular
Regulars
May 3, 2005
108
0
It is not a question of breaking their encryption - that is impossible (well with Sify you never know... but normally you can't). The question is, can we figure out which technique they are using? Possibly.
 

max

Regulars
Regulars
Oct 6, 2005
2,766
6
kingkrool, yes, by "breaking" or "cracking" their encryption I meant that we need to reverse engineer their encryption algorithm. Using their own DLL wouldn't be appropriate because that will attract legal action against us. So we need to know the encryption algorithm, which isn't very difficult if they are using a two-way algo.