
WIBU protection

knuth20 implementation analysis

by anonymous 15.09.2006.

Intro

A couple of weeks ago, I faced WIBU dongle protection. Before that, I had no experience with it. The first thing I checked was CrackZ's great site about dongles. It was very helpful, since I found the WIBU API documentation there. Except for that, there were a couple of tutorials which explained only patching the right calls in the target's code. At the beginning, I thought my target was also an example of a lame dongle implementation and that by simply patching the conditional jumps I could solve the whole issue. After reading the WIBU API documentation and tracing the target, I saw that there was no easy way of solving this. The target I was working on used WIBU to decrypt important data, so there was no simple IsDonglePresent() function call. Next, I tried to look for a WIBU emulator or at least a monitor which would help me trace the calls and arguments. Of course, the same could be done by setting BPs in a debugger, but I prefer a dongle monitoring tool. You are free to call me lazy ;-) I had no luck searching for a WIBU monitoring tool or emulator. All I got was responses from dongle/emulator sellers trying to get the dump data and sell me their emulators. No useful information there, not even an answer to a single question about the protection. After all, that is the reason why I'm writing this short document. Thanks to some nice guy on IRC (2c3n) I got my hands on the WIBU SDK. Shortly after that, I started to write my own WIBU DLL (WkWin32.DLL). It wasn't anything special; I coded most of the functions just to return the correct value (TRUE). I wanted to keep the cracking on dongle ground, without touching the target code itself if possible. I hit the wall when I faced the WkbCrypt2 function. Returning the correct value from the function wasn't enough. The target application used WkbCrypt2 inside vital functions such as Save Project, Open Project, Import and similar.

1st step - monitor the target

First, we get our monitor up & running. After that, start the target. We have to determine which calls are being made and whether there is any encryption/decryption involved.

While reading the WIBU SDK, we see that WkbCrypt2 works together with WkbSelect2. WkbSelect2 is used for algorithm selection and internal key generation.

Syntax: INT WkbSelect2(HWKBENTRY hwkbe, ULONG flCtrl, ULONG ulSelectCode, VOID *pvCtrl)

We see that the 2nd parameter is used for algorithm selection and the 3rd parameter is the selection code. Based on the selection code, WkbSelect2 generates the internal key for the knuth20 algorithm. Another look at the WIBU SDK gives us:

flSelCtrl is only used if the WKB_AREA_SELECT flag is set and contains the selection flags, which must be one of the following values:

    WKB_SEL_DIRECT    (0x0000)  direct encryption/decryption via the WIBU-BOX
    WKB_SEL_KNUTH20   (0x0010)  indirect Knuth encryption/decryption
    WKB_SEL_DEC_FEAL  (0x0020)  indirect original FEAL decryption
    WKB_SEL_ENC_FEAL  (0x0030)  indirect original FEAL encryption
    WKB_SEL_DEC_PERM  (0x0040)  indirect permutation decryption
    WKB_SEL_ENC_PERM  (0x0050)  indirect permutation encryption
    WKB_SEL_SYMFEAL   (0x0060)  indirect symmetric FEAL encryption/decryption
    WKB_SEL_USE_CACHE (0x00F0)  uses a previously set and cached indirect selection, which was stored into the cache because WKB_SEL_SET_CACHE was set in the WKBSELECT structure. The returned cache identification is stored in the ulSelectCode member instead of a Selection Code.

If the WKB_AREA_SELECT flag is not set, this value must be set to 0.

Based on that info, we are sure that it uses the knuth20 algorithm. This is a positive thing for us, since this algorithm is not strong. As I said, WkbCrypt2 is somehow implemented in Save Project, Open Project and similar vital functions inside the target. The data which is decrypted is never the same. This excludes the table approach (record the data in/out and always return the correct data from the fake DLL). I extracted the knuth20 algorithm from the official WkWin32.DLL and it goes like this:

            mov     ecx, cbSrc
            mov     eax, offset key
            mov     edx, ecx
            push    esi
            mov     esi, [eax+8]
            dec     ecx
            push    edi
            mov     edi, [eax+0Ch]
            push    ebx
            mov     ebx, pvDest
            inc     ecx
            push    ebp
            mov     ebp, pvCtrl
            mov     [esp+0E4h], cbSrc
    loop_1:
            mov     cl, [eax+edi+18h]
            mov     dl, [eax+esi+18h]
            add     dl, cl
            mov     [eax+esi+18h], dl
            mov     cl, dl
            xor     edx, edx
            and     ecx, 0FFh
            mov     dl, [ebp+0]
            xor     edx, ecx
            inc     ebp
            test    ebx, ebx
            jz      end_of_pvDest
            mov     [ebx], dl
            inc     ebx
    end_of_pvDest:
            test    esi, esi
            jz      loc_2000F442
            dec     esi
            jmp     taken_7
    loc_2000F442:
            mov     esi, [eax+4]
    taken_7:
            test    edi, edi
            jz      loc_2000F441
            dec     edi
            jmp     taken_8
    loc_2000F441:
            mov     edi, [eax+4]
    taken_8:
            mov     ecx, [esp+0E4h]
            dec     ecx
            mov     [esp+0E4h], ecx
            jnz     loop_1
            pop     ebp
            pop     ebx
            pop     edi
            pop     esi

2nd step - Internal key calculation

Ok, when we apply this algorithm inside our fake WkbCrypt2 function, there's only one thing missing: the internal key. As I said before, this key is generated somewhere inside the WkbSelect2 function. At this moment, I do not have the algorithm for that. I was lucky that my target had fixed select codes passed to WkbSelect2, which guaranteed the same internal keys. The next thing you should ask yourself is: how do I retrieve that key? You can set a BP in WkWin32.DLL inside this algorithm and check it out, or you could calculate it based on the encrypted/decrypted data. Take the 1st and 4th byte from the encrypted & decrypted data:

    0xA7 ... 0x96 ...  - encrypted
    0x45 ... 0x45 ...  - decrypted

A step) 0xA7 XOR 0x45 = 0xE2  -> proceed with this -> FIRST BYTE
        0x96 XOR 0x45 = 0xD3  -> remember this    -> SECOND BYTE

B step) 0xE2 / 0x2 (this is constant) = 0x71  -> potential key
        0x71 * 3 (this is constant) = 0x153
        Note: WkbSelect2 works only with one byte, so always discard the other bytes.

C step) Compare: 0x153 & 0xD3 (second byte) -> not the same! Repeat the process from step B, but put the byte '1' in front of the first byte.
        0x1E2 / 0x2 = 0xF1  -> potential key
        0xF1 * 3 = 0x2D3    -> remember: only one byte, discard the rest. Correct is: 0xD3
        Compare: 0xD3 and 0xD3 (second byte) -> the same!

We have the internal key and it's 0xF1.

3rd step - Internal key structure

    unsigned char key1[56] = {
        0x10, 0x00, 0x00, 0x00,   // 0x10
        0x10, 0x00, 0x00, 0x00,   // 0x10
        0x10, 0x00, 0x00, 0x00,   // 0x10
        0x02, 0x00, 0x00, 0x00,   // 0x2
        0x0D, 0xF0, 0xAD, 0xBA,   // 0xbaadf00d
        0x0D, 0xF0, 0xAD, 0xBA,   // 0xbaadf00d
        0xF1, 0xF1, 0xF1, 0xF1,   // fill this with key
        0xF1, 0xF1, 0xF1, 0xF1,   // fill this with key
        0xF1, 0xF1, 0xF1, 0xF1,   // fill this with key
        0xF1, 0xF1, 0xF1, 0xF1,   // fill this with key
        0xF1, 0xF1, 0xF1, 0xF1,   // fill this with key
        0x0D, 0xF0, 0xAD, 0xBA,   // 0xbaadf00d
        0xAB, 0xAB, 0xAB, 0xAB,   // 0xabababab
        0xAB, 0xAB, 0xAB, 0xAB    // 0xabababab
    };

As you can see, the knuth20 key size is 56 bytes. Now with this knowledge, we can create a key for every select code that we need. I've placed a switch/case in my WkbSelect2 function which does the following:

    switch (ulSelectCode) {
        case 0x...: memcpy(key_current, key1, 56); break;
        case 0xFFF: memcpy(key_current, key2, 56); break;
        default:    error("unknown select code!"); break;
    }

Inside my WkbCrypt2, the algorithm always uses key_current as the internal key data, and that's it! I got my dongle emulated. As you can see, this is very limited emulation. I was lucky that this was enough for my target. There were 25 fixed select codes, so that means 25 internal keys. I've calculated them and added them to my fake DLL ... added the knuth20 algorithm which uses them, and that's it.
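The loop from step 1 and the "divide by 2, multiply by 3" trick from step 2 can be checked against each other. The following Python is an added example and is not part of the original document or of WIBU's own code: it models the reconstructed knuth20 loop over the 56-byte key block from step 3 (the names build_key_table, knuth20 and recover_key_byte are mine) and then shows why the key recovery works. With the index counters starting at 0x10 and 0x02 and the whole key region filled with one byte, the first keystream byte is key+key and the fourth is 3*key (mod 256), so one known plaintext/ciphertext pair at those two positions leaves only two candidate key bytes, and the fourth byte decides between them. The sample bytes 0xA7/0x96 and 0x45 are the page's own; the "project data" string is constructed.

```python
# Added example, not from the original tutorial: a Python model of the
# knuth20 loop reconstructed from the WkWin32.DLL listing, plus the
# known-plaintext key recovery from step 2. Helper names are mine.

KEY_TABLE_LEN = 56   # the page's key1[56]
STATE_OFFSET = 0x18  # the loop indexes [eax+esi+18h] and [eax+edi+18h]


def build_key_table(key_byte):
    """Build the 56-byte block from step 3 for one internal key byte."""
    def dword(v):
        return list(v.to_bytes(4, "little"))

    table = []
    table += dword(0x10) * 3        # offsets 0, 4, 8: offset 4 is the reset value, 8 the initial esi
    table += dword(0x02)            # offset 12: initial edi
    table += dword(0xBAADF00D) * 2  # offsets 16..23
    table += [key_byte] * 20        # offsets 24..43: "fill this with key"
    table += dword(0xBAADF00D)      # offsets 44..47
    table += dword(0xABABABAB) * 2  # offsets 48..55
    assert len(table) == KEY_TABLE_LEN
    return table


def knuth20(data, key_table):
    """Run the reconstructed loop; the keystream is XORed, so this both encrypts and decrypts."""
    s = bytearray(key_table)
    reset = int.from_bytes(s[4:8], "little")   # mov esi/edi, [eax+4]
    esi = int.from_bytes(s[8:12], "little")    # mov esi, [eax+8]
    edi = int.from_bytes(s[12:16], "little")   # mov edi, [eax+0Ch]
    out = bytearray()
    for src in data:
        cl = s[STATE_OFFSET + edi]                  # mov cl, [eax+edi+18h]
        dl = (s[STATE_OFFSET + esi] + cl) & 0xFF    # mov dl, [eax+esi+18h]; add dl, cl
        s[STATE_OFFSET + esi] = dl                  # mov [eax+esi+18h], dl
        out.append(src ^ dl)                        # xor edx, ecx; mov [ebx], dl
        esi = reset if esi == 0 else esi - 1        # test esi, esi / jz reset / dec esi
        edi = reset if edi == 0 else edi - 1        # same for edi
    return bytes(out)


def recover_key_byte(ct1, pt1, ct4, pt4):
    """Step 2 of the tutorial: keystream[0] = 2*key mod 256, keystream[3] = 3*key mod 256."""
    ks1 = ct1 ^ pt1
    ks4 = ct4 ^ pt4
    # Halving 2*key mod 256 loses the top bit of the key; the tutorial's
    # "put a 1 in front" step is the second candidate below.
    for cand in (ks1 // 2, (ks1 + 0x100) // 2):
        if (cand * 3) & 0xFF == ks4:
            return cand
    return None


if __name__ == "__main__":
    table = build_key_table(0xF1)
    # Four plaintext bytes 0x45 give the page's 0xA7 ... 0x96 pattern.
    print(knuth20(bytes([0x45] * 4), table).hex())        # a7a7a796
    print(hex(recover_key_byte(0xA7, 0x45, 0x96, 0x45)))  # 0xf1
```

The weakness the tutorial exploits is visible in the model: with a 17-cell state initialised to a single byte and two counters that only count down and reset, the first few keystream bytes are small multiples of the key byte, so the whole "key" collapses to one byte that a single known plaintext pair reveals.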

Conclusion

The right thing to do would be to dump all possible keys, so if your target uses the knuth20 algorithm but the select code is different every time, you should code a dumper and retrieve all possible keys. That would look something like:

    call WkbAccess2
    call WkbOpen2
    for (i = 0; i < 0xFFFF; i++) {
        call WkbSelect2                 // use 'i' as SelectCode
        call ReadProcessMemory          // use 0x200..... hardcoded addr (in WkWin32) to get addr_xxx_address
        call ReadProcessMemory          // read whole key block (56 bytes)
        call SUB_write_somewhere_selectcode_and_keyblock
        call WkbUnSelect2
    }
    call WkbClose2

My target's WkbSelect2 ulSelectCode was limited to 0xFFFF possible keys; you should check whether that's the case for yours too. Or, even better, extract the internal key generation algorithm from WkbSelect2! ;-) Thank you, this is all I have to say about this. Maybe someone will find it useful! All this wouldn't be possible without Sab's help! Good luck!
