Reversing and Bypassing DRM/HSM Dongles

every night yes this is my talk and reversing and bypassing dongle based DRM systems so Who am I I'm security engineer I work in vertical transportation here in Connecticut it's only a couple of those companies I work mostly in Apps Act right so I work with our development teams trying to make sure that the products that we produce are ready to go and be out in the world and you know kind of all over the world about 80% of the blue team working secure architecture code reviews that kind of thing but about 20% of the time I get to you know kind of put my my black head on and do some red team stuff

testing some some vendor supplied products or products that we produce which I guess makes me on the dark medium violet team we're all about adding extra colors so dongles right I imagine most of the people in this room in most of your industries think the dongles are pretty much dead you probably don't deal with them on any kind of frequent basis but they still exist and they're still out there and there's a couple of reasons why the first is that there's lots of systems that are offline especially in the defense industry there are air gap systems in my industry there's a lot of remote sites right places where Internet connectivity isn't a given right to G

cell access isn't even a given right so companies still have a need to want to enforce DRM whether that's for licensing right making sure that they're getting the money that's owed to them and by their clients or if it's the protection of intellectual property right protecting against you know industrial espionage and things like that there's also legacy products I imagine lots of people here who work in the industry know that legacy is incredibly hard to kill so something might have been produced 15 20 years ago that used a dongle based DRM system it's still there it's still kicking around it's probably not going anywhere in the next five to ten years either so the one that happened across

my desk is made by a company called seku tech and they make something called the eunuch II and it comes in a couple different flavors there's the standard right where you know this thing basically has a microcontroller on it where you can store some on dongle instructions on there you can store some encryption keys there are some license modules on there right this is how you control what features of an application are on there how many times it can launch things like that there's also a random number generator there's also the unit key time which takes all of those same features and adds a real-time clock and a battery on there right so now you

can't just change the time on your server and look you're licensed again and then there's the unique E Drive which takes all of those same standards but it also adds so like some read-only storage to it some cd-rom emulation and it also adds some RSA functionality signing encrypting decrypting of things like that so the one that I had like I said came across my desk is that the unique e time and that's that's the one that I had for doing all this actual hands-on testing but all of the libraries that we go through when we're doing this reversing are standard across all of them so really this is like this is like a product line level of

vulnerability so some of the key features that I investigated and they're there in quotes for a reason the first is the envelop er right which is your company has an application it was developed it was tested and now you want to just add DRM to it well they provide something called the envelop er which is just take that existing application shove it into this tool it's going to spit you out a protected executable with DRM functionality built into it also those dongles stored and executed instructions this should in theory be really hard to reverse without exploiting the hardware it turns out that's not the case and we'll see why licensing modes right this is the number

of launches time to expire feature available of the random number generator its built-in there as well as some anti debug functionality which they claim is robust and some ability to encrypt and decrypt buffers so the authentication system for the eunuch II it's there's two there's a two password scheme the first is a user password right this is essentially a read-only user and it's made up of two 16-bit integers we have 32 bits of password if we're gonna try and brute-force this and the second one is an admin password which means that you need to have those two user passwords as well as the two admin passwords right so we've got 64 bits needed to log in and that gives you read

and write functionality however some of those functions still aren't directly exposed and we'll see that's actually the only part of this that does so far we I haven't been able to to break so the first is the envelop err right it takes the application in and it wraps it the enveloped app app basically works by checking for the dongles existence making sure that that user key that exists can log into the dongle right making sure that there's there's a match there and then it's constantly in the background it spawns a thread which is just some random time interval checking for the existence that dongle and that the logins still works on Windows it turns out that this is just a really

heavily obfuscated dotnet executable so since it's dotnet my preferred tool whenever I have something in dotnet that I'm gonna start reversing his DNS by and like I said it's it's really heavily obfuscated things are kind of all over the place these these screenshots actually don't do a very good job of showing kind of how spread out things got after it was obfuscated tools like de for dot didn't really help D obfuscate it it's really awesome when it does work out that way you're right back to basically the same executable so so we're kind of stuck manually digging our way through it unfortunately right the the anti debug functionality that we talked about is is there so as I'm trying to step through

this and set breakpoints on interesting looking functions the application keeps crashing kind of manually digging our way through we find it to a single call to unique e DLL and this functions to spend other thread and the crash is happening after this call so this is not a dotnet library unfortunately so we're gonna change tools and working it over to Guidry luckily when we're looking for anti debug functionality there's only a few places that we can actually you know where you can determine whether or not a debuggers present and all of them are coming from kernel32.dll so we can go to the imports tab look up you know go to all of our imports to from kernel32 and

we can hopefully you can see it there but we can find is debugger present and ghij is really nice there's every place where is debugger present is called so now literally all we have to do is double click on that and we're move on to our function you should also notice that for this being one of the main features is the anti debug functionality this is a small list right there's one function call so we move over to that function call and we see that we have our call here to is debugger present you'll see it on the decompiled view there and then we have a comparison to whether or not it's equal to zero which

luckily means that the patch for this is going to be really tiny right we only have to patch a single instruction and we've bypassed all of the anti debug functionality unfortunately the only place where kyndra has really choked on me is in patching binaries so I had to move from cateura to r2 and cutter and I performed the patch there and then re-exam bit right so we're gonna we're going to patch are jumping on zero here to jump less than and all of the anti debug functionality is gone so we can go back into DN Spy and now debugging is a lot easier we can start tracking we also know that we're looking for interesting

calls to unique e 32 dll that's where all of the the interesting calls to you know the actual drm are happening and so one of the first things that we can find is the first half of our password right this these are our user keys this is gonna be really important later for bypassing the rest of the system is the fact that these user keys must be in any application that's going to be using the dongle functionality we can also extract the AES key some things can't be diabla scattered away it's right there we can just dump that AES key and the last piece of this this is just an Etsy executable which is short for the

original executable that we had rent that we were attempting to protect it basically just got put into an encrypted zip functionality included in the dotnet assembly and that's what's being shipped out here with the code to check for the dongle so that's been covered in a bunch of other places if you google dumping Nazi executables you'll find it in about three seconds it's a really trivial task so kind of like we said right there's easy enough unfortunately the vendor even says that that's easy enough which is surprising for one of their core claims for their marketing right they say you know this is from their documentation please do not only check if the unique a dongle

exists right if the dongles attached this form of protection is extremely easy to crack it was they say the real value add is and again this is in their words from their documentation in the random number generation which is based off of the vendor seen value securely reading and checking the license modules those license modules that we talked about only you can't directly read the value out of this as a user you can only kind of check whether or not the value that you passed in is valid but admins can write new values to these modules or in performing unusual mathematical algorithms right these are those dongle based instructions that we talked about and viewing and editing

those requires the full password right which requires the add the vendor seed value to get they also say the password generation algorithm is irreversible so yeah clearly we need that vendor seed value right that's that's the keys to the kingdom here um and if we've compromised that we've compromised pretty much everything that you could do with this all of their core claims over protecting that value so there's there's two obvious places to start right the first is we can check where it's consumed right when you go to perform an admin action the other place that would make sense is where that vendor seed value gets turned into for passwords right there it's not a it's not a

one-to-one relationship there's some kind of there's some kind of math that's happening there right the the password consumption API is non-trivial right there's a lot of weirdness going on with random values based off of the current system time and I'm lazy so I'm not doing that one but the API for where that seed has turned into passwords looks far less complex so that's where I focused my time so we're back into getcha and the method that we're looking for from their documentation is the Uni key generate new password method right which is where we pass in a 32-bit vendor seed value now if you are somebody who's involved with cryptography quite a bit alarm bells should already be going off in

your head somehow 32 bits of value is becoming 64 bits of password there's only a couple of ways to do that kind of key expansion right um and the even less of them to do it securely and they did not choose any of those so we end up in this block of code so if you're if you take a look at it some things should already start to jump out for you primarily should be that md5 piece of things so basically what's happening here is you're just passing in that 32-bit z value you're passing it in to md5 and you're you're taking its digest that's your mathematically slow operation of this whole thing that's it

I mean it's sort of it there's also some weird map that happens on the digest right they do some like rotation of this hash that way it's not just an md5 hash I think this is how they made themselves feel better at night I really genuinely don't know what this block of code is doing I also genuinely don't care because get so far especially with arm right they provide a whole bunch of libraries compiled for a whole bunch of things so I actually got to pick and choose what D compiled more nicely um GUID row for arm is like really good very very close to what the original values would be so I literally took this

and copied it and then finally after that that weird math function we're just taking the bottom 64 bits of that hash plus that weird math and those are our passwords so kind of just sum up what we've got to this point right is we have a 32-bit input expanded to 128 bits but a md5 sum computationally not important obfuscation of the fact that it's just an md5 hash right then we're only using the bottom 64 bits of it and this is the really important piece we have an Oracle for what the likely inputs are we have an Oracle because we have to have the bottom 32 bits of that that's our user password so we can brute force this

without needing to do anything fancy right this isn't going to require a GPU cluster we're not going to go over to AWS and go rent some GPUs I'm just gonna use my laptop so I did and there's a proof of concept out there that you can go and grab I wrote it in rust because rust is awesome if any of you deal with CVS on a daily basis and you see how many of them come from see and memory you should also love for rust that's my my little plug but the the end state of this is you can brute force the entire key space in about 10 minutes on a reasonably powerful laptop and what you

can see from this output is uh I gave it to user C values and I think this one took about six minutes it spit out what the admin speed values are as well as what the original vendor seed was so now with just that and using a tool that they provide for free called their console right we can dump the instructions that are on the dongle right those things that should have required us to compromise the hardware right or just displayed and we can take them and copy them and do whatever we want with them or change them right and just say oh you're just return zero now that was easy we can predict the output of the dongle

based random number generator if the software that's using this was relying on that random number generator to do anything especially if it was cryptographic um he was probably owned anyway because this is as bad you can also change this licensing my modes and the time-based expiration value so you know you're licensed for all of the features forever you can dump or change the dongles memory and you can change the dongle encryption keys but you can't view them so you can change those keys but you'll you'll lose any of the old data that was encrypted by it so kinda that's that's bad enough right we bypassed it without doing using any of the expanded functionality that was

available to us by the vendor but there is an additional feature they provide and that additional feature is the ability to remotely update someone's software right so let's imagine at the pre-course didn't work right they they provide this remote update utility and what you do is you take the updated data that you want to store in the dongle right whether that's an update to the dongles memory and update to the licensing modules or you know and anything else that its doors and you produce an update file and there's an optional password on here which is going to do some encryption for us of that file which also doesn't make a tremendous amount of sense because

you're about to give that password to the user who's required to use it in order to update their dongle so I'm not quite sure who that encryption is protecting against but it's there so then the user runs the updater or some or you use the library that they provided to to interface with that update file and the the dongle is updated right that that unit key is updated but that's a right operation right right operations required the admin password also correct it can't just be in there can it yes it can yeah so long story short this is an ini file that has been kind of minorly obfuscated and gets parsed it's also potentially encrypted but they provide on their

website the libraries so reverse engineering the weird xor obfuscation that they did of this file in order to just take an update file that they gave you and reverse-engineer it it's just really really easy so I didn't I didn't build a proof of concept for this because I kind of tackled this piece of it later on but it's really trivial to do and as soon as as anybody's gone and done it you you have the under passwords because they supplied them to you um so about that password protection right they do provide it right that should add some level functionality other than the fact that they're gonna give you the password for it but even if you didn't right even if

we were trying to think so they were upset I tried to work the word dongle as many times into this presentation as I could I just tried to hand that back on [Music]

it's just sorry about that technical difficulties quick replay for everybody who came in late all right yes who about that password protection right it turns out that they are they kind of follow a familiar pattern here right of not really understanding how to do key expansion or key derivation they follow that exact same scheme which is taking in the password running it through md5 and using that as a generation into a es so there are other definite cryptographic attacks here in even in the case where you're trying to prevent you know the the use case where this update file is intercepted in transit right cracking it md5 just isn't isn't suitable for that task to make matters

worse that a big file they also don't really understand how to use AES it's an ECB mode which means that especially in the case where one of those key features that you're doing is updating that dongle memory right we should be able to play pick and choose with blocks of memory and repeat them right so even if we didn't have the ability to correct the vendor seed value there's other probably very serious cryptographic flaws in how this update mechanism is working that should result in more serious things than just just a crash of the updater and for any of you this is just kind of a public service announcement yeah all modes are beautiful but not easy be so

to sum it up there's a couple things that haven't been broken yet right there are four encryption slots that store those four 128-bit keys for us and there's that encrypt and decrypt buffer API however that isn't even a yes being used in the case of that right and it kind of makes sense because this is a really tiny cheap microcontroller that was developed I probably not in the past ten years probably older than that which drove their decision to use T the tiny encryption algorithm but it is also an ECB mode so even if you do have some set of values that are you know encrypted by a key right there are you're depending on how they're used right like any other

crypto mode it there could be very serious issues with it unfortunately well fortunately right-t isn't explicitly broken the best case is a two to the hundred twenty six based attack which means that for any encrypted block there are three possible passwords for decrypting it that's still well above probably anybody that's in this room unless you're working for the NSA which case we should talk uh but probably not going to be the way I haven't found a way to dump these keys yet that being said I've recently kind of continuing research I took this thing apart there's an exposed you are that's that's exposed on the board that I've started playing around with it has some non-trivial API

so I'm hoping to continue to break this additionally it looks like there's a lot of user side checking when you perform the read dongle memory on those bounds I'm also hopeful that kind of continuing reversing this will find a way to just dump all of the firmware from the dongle because then we can find all sorts of other fun things um soon I think it's important to add a time frame to this right especially there were some people who this was their first besides and I know uh certainly was the case for me which is you kind of get that feeling when you're watching something that someone just sat down and hacked this out maybe there are

people in this room who could do that but it is not me dumping of the enveloped app was probably about like two days of man-hours but I'm also really familiar with reversing dotnet executables so I had a step forward there I'd also already seen nazi executables and in that kind of storage so dumping that piece of it was was really pretty trivial reversing and creating the seed exploit was a few weeks worth of work this was on and off but that includes a lot of other time spent on failed exploitation paths and trying to find other exploits that may have been here I actually kind of thought things would be harder than they were to to reverse that vendor seed

value because I was looking at where they were consumed for a while I also spend some time trying to find out exactly how they were there's no explicit replay attack that's available of just sniffing the the USB bus between the PC and the dongle like there are on some other very large manufacturers right so you can just create a virtual USB Drive and launch the application once and then you have a replay attack and you're done so yes Bennett spent a lot of other time on that um this should be reversible in in future work I'm probably mostly done with the eunich II but if you're interested it's it's just a random value based off of the current time and some

other weird obfuscation so the conclusions running your crypto on someone else's machine doesn't work right it hasn't worked for like literally anybody it hasn't worked for the HDMI standard it didn't work with DVDs it hasn't worked with DRM systems up until now so you there there is a there is a drive from the upper levels of business especially those who may not be very familiar with the work it is that we're doing to try and get you to perform DRM and it's really hard to explain that somebody probably put more work into integrating the unit integrating the unity into their application to prevent things being stolen right than it did for me to crack it and that's you know

that's just that that's a lot of wasted time on something that if there's a dedicated attacker who's attempting to do this they're just going to do so yeah DRM is hard offline DRM is even harder right because you control everything you control the full piece of this rig which is like with the other DRM systems I mean just replaying over a USB bus it's a lot harder to do when it's your server on the other side in your data center and I guess the last thing is don't use md5 most of you should know that already but just in case don't uh and especially you don't use it for key derivation and also don't use ECB mode that's just my

my public service piece that does anybody have any questions now the question was are they still being sold yes they are now they're like $40 a pop or something like that and it they're not always explicitly branded as unique keys what are the things that they offer right is is rescanning them and and having your company's name on the outside of them and things like that why so the question was what motivated me to do this work the answer to that is that I had a push from higher levels of my organization to try and find out a DRM system that would protect our intellectual property and so part of that work is taking a vendor solution

and finding out whether it's worth something right it's possible that some company out there is gonna finish figure out DRM right at some point that will probably be the case it's just not today and not with what we currently know about Krypton the question was do they have a bug bounty program no and this is really just the inherent design of their software I even if they wanted to fix this I'd really think that the only fix for them is to build a different product that would just be broken in some other way I

haven't had any interactions at the bender I have not so this is essentially just a full disclosure of of these issues the question is uh could it have been harder to do yes it could have been harder um unfortunately right I imagine that their business requirements are that it needs to be remotely updatable and it needs to be remotely a payable offline right so could it have been harder to brute force that yeah absolutely it could have been you know pbkdf2 and ten thousand iterations right and it would still be running on my laptop from several months ago and my house would be a lot warmer but at the end of the day right it needs to be we

need to talk about much larger values and that also for them probably means a more expensive microcontroller on the other end of it

all right awesome thank you so much I really appreciate [Applause]