Sunday, December 29, 2013

Pwning a SafeNET Microdog - Part 2

Part 2 - Microdog 3.4 Client Lib

The older (3.4) client lib actually used a different method to obfuscate the Dongle Serial and ID which doesn't use AES or any kind of hashing. 

First of all, there's an InfoBuffer area that starts with 'NEIWAIJM'. Not too far after that, we have two areas referenced by PickupDogID and PickupSerialNo - very nice of RainbowChina to leave this binary unstripped.



The algorithms for these are pretty straightforward:
A DogSerial is 4 bytes.
A DogID is 8 bytes.
A DogSerial buffer is 48 bytes (4 * 12).
A DogID buffer is 96 bytes (8 * 12).

Basically, a key is split into sections of 12 bytes. As each byte in a section is read, it is either added to the running value, subtracted from it, or XORed with it, depending on which position (byte 0, 1, 2, 3, 4, 5, etc.) it occupies in the section.

For get_serial:
bytes 0, 3, 6, 9 are added
bytes 1, 4, 7, 10 are subtracted
bytes 2, 5, 8, 11 are XORed

For get_dog_id:
bytes 0, 3, 6, 9 are added
bytes 1, 4, 7, 10 are XORed
bytes 2, 5, 8, 11 are subtracted




How do we repack? Well, we COULD reverse this algorithm, but the algorithm itself is inherently weak...
Think about this: what happens when you add, subtract, or XOR 0? That's right, nothing!

Technically, we could take an 8-byte DogID and a 4-byte serial, split them into individual bytes, stick one byte at the beginning of each 12-byte row, pad the rest of the row with zeros, and it would work! Something like this:
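The layout that trick produces, and the unpacking it has to survive, as an added Python model (this is not the post's own code). It assumes the running value starts at 0 and that add/subtract wrap modulo 256; the post states neither.

```python
# Added example, not the blog's own code: a model of the Microdog 3.4 client
# lib's serial/ID obfuscation as the post describes it. Assumptions not
# stated on the page: the accumulator starts at 0 and add/subtract wrap
# modulo 256 (each 12-byte row folds down to one output byte).
ROW = 12

# Operation for each position inside a 12-byte row, from the post.
SERIAL_OPS = ["add", "sub", "xor"] * 4  # 0,3,6,9 add; 1,4,7,10 sub; 2,5,8,11 xor
DOGID_OPS = ["add", "xor", "sub"] * 4   # 0,3,6,9 add; 1,4,7,10 xor; 2,5,8,11 sub


def fold_row(row: bytes, ops: list) -> int:
    """Collapse one 12-byte row into a single output byte."""
    acc = 0  # assumption: the running value starts at zero
    for pos, b in enumerate(row):
        op = ops[pos]
        if op == "add":
            acc = (acc + b) & 0xFF
        elif op == "sub":
            acc = (acc - b) & 0xFF
        else:
            acc ^= b
    return acc


def unpack(buf: bytes, ops: list, out_len: int) -> bytes:
    """Fold out_len consecutive rows; mirrors PickupSerialNo / PickupDogID."""
    if len(buf) != out_len * ROW:
        raise ValueError("expected %d bytes, got %d" % (out_len * ROW, len(buf)))
    return bytes(fold_row(buf[i * ROW:(i + 1) * ROW], ops) for i in range(out_len))


def get_serial(buf: bytes) -> bytes:  # 48-byte buffer -> 4-byte DogSerial
    return unpack(buf, SERIAL_OPS, 4)


def get_dog_id(buf: bytes) -> bytes:  # 96-byte buffer -> 8-byte DogID
    return unpack(buf, DOGID_OPS, 8)


def repack(value: bytes) -> bytes:
    """The post's shortcut: each real byte goes at position 0 of its own row,
    the other 11 slots are zero. Position 0 is 'add' in both tables, and
    adding, subtracting or XORing 0 leaves the accumulator untouched, so the
    row folds straight back to that byte without inverting the scheme."""
    return b"".join(bytes([b]) + bytes(ROW - 1) for b in value)
```

Because every row folds independently, the same zero-padding works for the 4-row serial buffer and the 8-row DogID buffer alike.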



And repacking our new dongle ID works :)


Full Code:
