openssl incompatible with RNDecryptor? - objective-c

I am trying to perform decryption with RNDecryptor. What I have done is to take the output from an openssl encryption operation and try to decode it using RNDecryptor.
This command encrypts this string with aes-256-cbc with a passcode of abc.123. It then
converts the output to base64.
$ echo "This is good" | openssl enc -e -aes-256-cbc -k abc.123 -md md5 -base64
U2FsdGVkX1+mgp+PlVPeyjiEJzkN6jWwN9z5CynnHu4=
I then take the base64 string "U2FsdGVkX1+mgp+PlVPeyjiEJzkN6jWwN9z5CynnHu4=", and put it into my Objective C program...
NSString *b64Encrypted = #"U2FsdGVkX1+mgp+PlVPeyjiEJzkN6jWwN9z5CynnHu4=";
NSData *notB64 = [b64Encrypted base64DecodedData];
NSData *decryptedData = [RNDecryptor decryptData:notB64 withPassword:#"abc.123" error:&decryptionError];
if (decryptionError != nil) {
NSLog([decryptionError debugDescription]);
}
Result is
Error Domain=net.robnapier.RNCryptManager Code=2 "Unknown header" UserInfo=0x102505ab0 {NSLocalizedDescription=Unknown header}
When I take a close look at the data, This is some things I notice...
From openssl, the data from hexdump looks like the following... (Note I did not convert to base64)
~ $ echo "This is good" | openssl enc -e -aes-256-cbc -k abc.123 -md md5 -out g.1
~ $ hexdump g.1
00000 53 61 6c 74 65 64 5f 5f 19 dd cc 48 19 9e c3 2c Salted__...H...,
00010 16 1c 71 c5 c7 56 3b 97 c8 48 fc ae 7c 56 a1 91 ..q..V;..H..|V..
What I notice is that the data starts with "Salted__" then the next 8 bytes is the salt.
When I use the RNEncryptor method, the resulting data never starts with the "Salted__" seen when using openssl. It does always start with the hex value of 0x0201
NSData *encryptedData = [RNEncryptor encryptData:data
withSettings:kRNCryptorAES256Settings
password:password
error:&error];
So my question is... Is RNEncryptor/RNDecryptor doing the right thing, and is it compatible with openssl?

So I found out the problem. Basically to be compatible with opessl, use the RNOpenSSLEncryptor class.
For reference the RNDecryptor class has a header in the expected data. The first two bytes make up the header. The first byte indicates the presences of v1hmac or RNCrypterFileVersion. The second byte is an option to go along with the first byte.
So if you want to be compatible with opnssl, use the RNOpenSSLEnryptor/RNOpenSSLDecryptor class.

OpenSSL adds its own salt. You can try -nosalt option in enc command.

Related

How to use ExtFilterDefine for png files in perl as one liner?

Because of md5 hash scanning tools like wpscan, I want to prevent the script kiddies to detect as much information as possible about my wordpress site. With to following perl snippet, I m trying to add some extra characters to all requested png files. But it does not work and I don't know why. Does somebody can help me out?
My goal is not to change it right inside the files - just for requested output on screen.
ExtFilterDefine pngfilter mode=output intype=image/png cmd="/usr/bin/perl -pe 'END { unless (-f q{/tmp/md5_filter.tmp}) { print qq(\/*) . time() . qq(\*/) } }'"
I use the same snippet logic for css and js files. Here it works as expected.
It does work.
$ perl -pe 'END { print qq(/*) . time() . qq(*/) }' derpkin.png >derpkin_.png
$ diff <( hexdump -C derpkin.png ) <( hexdump -C derpkin_.png )
3023,3024c3023,3025
< 0000bce0 00 00 00 00 49 45 4e 44 ae 42 60 82 |....IEND.B`.|
< 0000bcec
---
> 0000bce0 00 00 00 00 49 45 4e 44 ae 42 60 82 2f 2a 31 36 |....IEND.B`./*16|
> 0000bcf0 35 36 33 35 30 37 37 36 2a 2f |56350776*/|
> 0000bcfa
At least, it works in the sense that it does exactly what you wanted it to do. But does it makes sense to add arbitrary text to the end of a PNG? I'm not familiar enough withe PNG file format to answer that.
Caveat: It will not work on Windows because of CRLF ⇔ LF translation.

extract source code from ELF with debug symbols

I'm trying to extract the original source code from an ELF with debug symbols.
$ sed -n "14,16p" main.c
for (int p=start;p<end;p++)
if (isPrime(p))
printf("%d\n",p);
I want the "closest", preceeding source line from a given address:
$ gcc -g -O0 main.c -o main
$ objdump -D -S main > main.asm
$ sed -n "451,457p" main.asm
if (isPrime(p))
6ba: 8b 45 f4 mov -0xc(%rbp),%eax
6bd: 89 c7 mov %eax,%edi
6bf: e8 86 ff ff ff callq 64a <isPrime>
6c4: 85 c0 test %eax,%eax
6c6: 74 16 je 6de <main+0x49>
printf("%d\n",p);
So given the 0x6bf call instruction, I would like to extract if (isPrime(p)).
This seems possible since objdump does it (right?)
I'm trying to extract the original source code from an ELF with debug symbols.
That's impossible: the ELF with debug symbols contains no original source code.
What you appear to be after is source code location, i.e. file and line. Armed with file name, line number, and the original source, you can trivially print that line.
To recover file/line info, you could use addr2line -e main 0x6bf.
It turns out that it can be quite easily done with pyelftools:
import elftools
from elftools.elf.elffile import ELFFile as ELF
def addr_2_line(ELFname: str, addr: int) -> int:
with open(ELFname, "rb") as fl:
elf = ELF(fl)
dwarf_info = elf.get_dwarf_info()
for cu in dwarf_info.iter_CUs():
line = 1
for entry in dwarf_info.line_program_for_CU(cu).get_entries():
if entry.state:
if addr > entry.state.address:
line = entry.state.line
else:
return line
address = addr_2_line("main", 0x6bf)
print(f"src code[ 0x6bf ] = {address}")
When I run it it indeed gives the desired line:
src code[ 0x6bf ] = 15
It is probably worth checking if no adjustments are needed when there are more than just one compilation unit (cu)

modified elf symbol but not reflecting in disassembly

I have used a symbol "__copy_start" inside my assembly code which is coming from linker script. symbol is defined as ABS in symbol table.
This symbol is used inside a macro to copy data from one memory location to another.
After looking at varenter code hereious ways to modify this symbol directly in elf i decided to write C code of my own to modify the symbol value.
To do that i traversed entire symbol table and did string match for the symbol i am interested in. When there is a symbol name match i just assigned symbol_table.st_value = new value.
To make sure the new value is taken i did readelf -s and checked that it does show the new value assigned by me.
Now, when i disassemble the modified elf i find that the new value has not taken effect and i still see the assembly code doing copy from old symbol value.
My question is:
Am i doing something wrong here? is it possible to change the symbol values in elf? If yes, please let me know the correct way to do it. How do i achieve what i intend to do here.
Note: I don't have the source code so taking this approach.
Thanks in advance,
Gaurav
wanted to add more information so that people can understand better.
copying the elf header below:
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
**Type: EXEC (Executable file)**
Machine: Ubicom32 32-bit microcontrollers
Version: 0x1
Entry point address: 0xb0000000
Start of program headers: 52 (bytes into file)
Start of section headers: 33548 (bytes into file)
Flags: 0x6
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 2
Size of section headers: 40 (bytes)
Number of section headers: 6
Section header string table index: 3
Here as you can see that file is of type executable.
output of readelf -S copied below:
There are 6 section headers, starting at offset 0x830c:
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .text PROGBITS 3ffc0000 004000 000ebc 00 AX 0 0 1
[ 2] .sdram PROGBITS 50000000 008000 0002e4 00 WA 0 0 1
[ 3] .shstrtab STRTAB 00000000 0082e4 000028 00 0 0 1
[ 4] .symtab SYMTAB 00000000 0083fc 0001c0 10 5 20 4
[ 5] .strtab STRTAB 00000000 0085bc 00019a 00 0 0 1
I am using one of the symbol named "__copy_start" in an instruction to copy the data from .sdram section to .text section. I was under an impression that i could go and change the symbol_table.st_value and then get the desired work done. But unfortunately that is not the case. Seems like it is already compiled and cannot be changed like this.
Any idea how this could be done would be really helpful.
Regards,
Gaurav
Are you sure that the object code actually uses a relocation to reference the data at the __copy_start symbol? Even for position-independent code, it is usually possible to turn section start addresses into relative addresses, which do not need a relocation. (That the symbol itself remains present with an absolute address does not change this.)
You can check this by using readelf -r or eu-readelf -r and examining the output. It is also visible in the objdump --dissassemble --reloc output.

How to send APDU to Mifare Classic 1k card?

What I am trying to achieve is to send APDU command to MIFARE Classic 1K card to change its A and B keys.
I was able to establish a connection with the card and use a default key (FFFFFFFFFFFF) to read block 0 and block 1. I used HID MifareSamples application for it.
Now, I would like to change A key from default to something else. I found a solution here, at stackoverflow (Mifare Change KEY A and B) which suggests that I have to send this APDU:
New key A = 00 11 22 33 44 55 Access bits not overwritten Key B not
used (so FF FF FF FF FF FF)
=> Write to Sector Trailer 00 11 22 33 44 55 FF 0F 00 FF FF FF FF FF FF FF
I found a good tool JSmartCard Explorer which allows you to send APDUs to cards. Then I read PCSC specifications 3.2.2.1.4 Load Keys Command chapter and understood that the command should probably look like this:
FF 82 00 00 18 00 11 22 33 44 55 FF 0F 00 FF FF FF FF FF FF FF
But unfortunately JSmartCard tool fails with "Command not allowed (no current EF)".
What I am doing wrong? How can I change the key?
First of all, MIFARE Classic cards do not use APDU commands. Hence, you do not send APDUs to the card but to the card reader (which translates them into MIFARE Classic commands). APDU commands to be processed by the reader typically start with the class byte FF.
In MIFARE Classic cards, the keys (A and B) and the access conditions for each sector are stored in the sector trailer (the last block of each sector). A MIFARE Classic 1K card has 16 sectors with 4 blocks each.
So if you want to set the keys & access conditions for sector 0, you would need to write them to block 3 (the last block of sector 0). The PC/SC standard defines the write command (UPDATE BINARY) for storage cards as:
FF D6 XXYY 10 ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Where XXYY is the block address and ZZ... is the data to be written to the block.
The format of the sector trailer is (see this answer for further details):
<key A> | access bits | general purpose byte | <key B>
So in order to set
key A = 00 11 22 33 44 55
key B = 66 77 88 99 AA BB
access bits = 787788 (sector trailer is writable using key B only; access bits/GPB can be read with key A or B; data blocks are writable using key B only; data blocks can be read with key A or B)
GPB is set to 69
for sector 0, you would use the following write command:
FF D6 0003 10 001122334455 787788 69 66778899AABB
Note that you cannot partially update the sector trailer, you always have to construct and write the whole sector trailer.

How to save and retrieve string with accents in redis?

I do not manage to set and retrieve string with accents in my redis db.
Chars with accents are encoded, how can I retrieve them back as they where set ?
redis> set test téléphone
OK
redis> get test
"t\xc3\xa9l\xc3\xa9phone"
I know this has already been asked
(http://stackoverflow.com/questions/6731450/redis-problem-with-accents-utf-8-encoding) but there is no detailed answer.
The Redis server itself stores all data as a binary objects, so it is not dependent on the encoding. The server will just store what is sent by the client (including UTF-8 chars).
Here are a few experiments:
$ echo téléphone | hexdump -C
00000000 74 c3 a9 6c c3 a9 70 68 6f 6e 65 0a |t..l..phone.|
c3a9 is the representation of the 'é' char.
$ redis-cli
> set t téléphone
OK
> get t
"t\xc3\xa9l\xc3\xa9phone"
Actually the data is correctly stored in the Redis server. However, when it is launched in a terminal, the Redis client interprets the output and applies the sdscatrepr function to transform non printable chars (whose definition is locale dependent, and may be broken for multibyte chars anyway).
A simple workaround is to launch redis-cli with the 'raw' option:
$ redis-cli --raw
> get t
téléphone
Your own application will probably use one of the client libraries rather than redis-cli, so it should not be a problem in practice.