Cryptography is only part of the solution

Posted by Miguel Lopes on Fri, Jun 10, 2016
In Encryption, Security

In my previous post I set out to do some reverse engineering on Portuguese software. This time I took a look at a piece of billing software. Since the requirement to use billing software came into law, the market has grown a lot, with some good and bad examples.

The software in question uses a lot of open source: it uses the Eclipse Rich Client Platform, with a couple of plugins like BIRT.

Until now my only experience with Java was on Android apps, doing some assessments, but I never had to write code.

After downloading the software and browsing its contents a bit, I decided to download Eclipse to check the jars for exposed functions.

With that in mind I added every jar I could find (some of them were inside other jars) and then started poking around. I found that the PRP used was Blowfish, and after that I found some functions with names that suggested they were used for handling the licences.

Looking at the arguments the functions could accept, it was possible to call these functions from my own application and then encrypt them without even knowing the key or the mode in which they were being encrypted.

At first the licences were limited to the existing functions, but after a couple of tries I wrote my own.

A couple of hours later I had made my first Java application, which was able to generate valid licences. This was a good example to demonstrate that even a good cryptographic implementation doesn’t mean that the application will be safe.
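The design point behind this, as an added example that is not code from the billing software or from the original post: when the client ships a symmetric routine, validating and issuing are the same capability, while a signature scheme leaves the client able to verify only. The class name, key, licence fields and the Blowfish mode are assumptions made for illustration, as is the premise that the shipped routine carries its own key.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added illustration: class name, key and licence fields are constructed, not the vendor's.
public class LicenceDesignDemo {
    // Design A (the pattern the post describes): the client ships the symmetric
    // routine and key, so whatever can validate a licence can also issue one.
    static byte[] shippedCipher(int mode, byte[] key, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("Blowfish/ECB/PKCS5Padding"); // mode is an assumption
        c.init(mode, new SecretKeySpec(key, "Blowfish"));
        return c.doFinal(in);
    }

    // Design B: the vendor signs offline; the client ships only the public key.
    static byte[] vendorSign(PrivateKey vendorKey, String licence) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendorKey);
        s.update(licence.getBytes(UTF_8));
        return s.sign();
    }

    static boolean clientVerify(PublicKey shippedKey, String licence, byte[] sig) {
        try {
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(shippedKey);
            s.update(licence.getBytes(UTF_8));
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or key: treat the licence as invalid
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] shippedKey = "constructed-key!".getBytes(UTF_8);
        String issued = "customer=demo;expires=2016-06-01"; // constructed licence text
        String edited = "customer=demo;expires=2099-12-31";
        // A: code running beside the client classes produces a blob the client decrypts cleanly.
        byte[] blob = shippedCipher(Cipher.ENCRYPT_MODE, shippedKey, edited.getBytes(UTF_8));
        System.out.println("A accepts: " + new String(shippedCipher(Cipher.DECRYPT_MODE, shippedKey, blob), UTF_8));
        // B: the client can check the vendor's signature but holds nothing that can create one.
        KeyPair vendor = KeyPairGenerator.getInstance("EC").generateKeyPair();
        byte[] sig = vendorSign(vendor.getPrivate(), issued);
        System.out.println("B genuine: " + clientVerify(vendor.getPublic(), issued, sig));
        System.out.println("B edited:  " + clientVerify(vendor.getPublic(), edited, sig));
    }
}
```

With design B the verification check itself can still be patched out of a client the user controls, so signing addresses licence forgery rather than tampering with the client.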

The code below is an already expired licence provided as proof, so don’t try to use it as it may lock your access to the software.


