base64 + MD5-raw
#1
Hi folks, 

i'm having a complex situation here. I think i'll just share all the information, maybe there is some geek around who is able to help me in the right direction.

What is the plan?
I bought an old machine that does certain treatments. The company who made it is broke, and stopped all support for their devices. (yes, that is crap, but true).
In the device is a license system that grants an amount of treatments. 
The license keys were always free when you bought disposables/supplies from the company, but they don't sell supplies nor licenses anymore. 

Now, i found someone who makes the supplies that fit my machine. I just need to find out how to bypass the license system. You might wonder why i am even trying to do this? Well, the older version of this machine used a deadly easy license system (just follow-up numbers + some random numbers around it). So i guess this shouldn't be so hard even. And besides that, the machine didn't cost me a lot and i like to make a little gamble.

The codes
The codes that are entered on the device, are base64 (well, i think they are.).
In the machine are some treatments left. These codes were given in a while ago, and still work:

Code:
1vZOlhtCXL+PLoneWTo0Ng
I2jeOeznDKOHtmy6og4wQg
PUbEGIjdCDLEww4Yz5A0+g
vo5ynZ34070IunIjS4RTdw
/Ixh7vSQFisNtkvkCI27Aw
C/MsAno5fLPjHwYG75TLPQ

Decoding
Well, if they are base64... then why not just decode them?
Well, i did just that. The outcome is as follows:
Code:
��N�B\��.��Y:46
#h�9�� ���l��0B
=F���2��ϐ4�
��r���ӽ�r#K�Sw
��a���+ �K���
�,z9|����=
As you can see, there is a lot of abracadabra in here. 
To me this seems like MD5-RAW. Right? Correct me if i'm wrong here. 

The bruteforce
I own a 6x Nvidia 1070 miner. This machine loves hashcat.
Now i need a command line that somehow first does a base64_decode, and then compares my mask to the md5_raw.

I expect the input string to be something like 1234-12345678-x. So i want to bruteforce that against my list. 

Can someone please think with me, and point me into the right direction?

Thanks for your kind support.
If you need more information, please ask me.
#2
It's a bunch of base64-encoded binary data but that's really all you can say. What makes you think it's hashes at all?
#3
(05-21-2018, 08:39 PM)undeath Wrote: What makes you think it's hashes at all?

There has to be some information stored in the hash.
Like the type of procedure, and the amount of procedures that are added.
Have a look at some previously added codes in the device.
They have different amounts and treatments.

[Image: lj4zfEP.png]
#4
Wouldn't some kind of encryption be much more likely, given that it seems to store some kind of extractable information?
#5
(05-21-2018, 07:20 PM)roomtoetje Wrote: In the device is a license system that grants an amount of treatments. 
The license keys were always free when you bought disposables/supplies from the company, but they don't sell supplies nor licenses anymore. 
-----
I expect the input string to be something like 1234-12345678-x. So i want to bruteforce that against my list. 

How do you input the license info? If you just input the base-64 data and the device knows it is "iFlap with 30 Delta" then it is most likely not a hash but encrypted data. If you have to input the type and other info, it might be a signature or custom check/hash. Could you elaborate more on why you think it is "something like 1234-12345678-x"?

This whole thing is very difficult to reverse engineer on only the input data. Finding firmware upgrades and decompiling that or gaining access to the device through debug ports (JTAG for example) would allow you to more precisely determine how this system works. Also, since they are defunct you might also find info from other users online or the company that provides the third-party supplies (you are most likely not the first person to ask for this).
#6
(05-22-2018, 03:15 PM)DanielG Wrote: How do you input the license info? 
The previous owner received the codes as they are entered. So, just like stated above, including / and +.
They are always 22 digits.

Big note: There is NO internet connection on the machine. everything happens local.
if there is an update, you will receive it by CD-ROM. Well, not anymore..

(05-22-2018, 03:15 PM)DanielG Wrote: If you just input the base-64 data and the device knows it is "iFlap with 30 Delta" then it is most likely not a hash but encrypted data.
The only thing you enter is the 22-digit hash. No need to tell the machine the type or amount of treatments.
Previous owner told me that if he ordered 20 disposable parts, there would be a 20-digit license key included.
All data is included in the hash.

(05-22-2018, 03:15 PM)DanielG Wrote: If you have to input the type and other info, it might be a signature or custom check/hash. Could you elaborate more on why you think it is "something like 1234-12345678-x"?
I'm not sure about this. i just have this feeling. 
On the other hand i think there is some kind of private key in the machine.

(05-22-2018, 03:15 PM)DanielG Wrote: This whole thing is very difficult to reverse engineer on only the input data. Finding firmware upgrades and decompiling that or gaining access to the device through debug ports (JTAG for example) would allow you to more precisely determine how this system works.
I am currently making a clone of the disk. After that i'm gonna try to decompile / reverse engineer / try to bypass the check. Will keep you updated. Might need some additional assistance later.
#7
(05-22-2018, 07:38 PM)roomtoetje Wrote:
(05-22-2018, 03:15 PM)DanielG Wrote: If you just input the base-64 data and the device knows it is "iFlap with 30 Delta" then it is most likely not a hash but encrypted data.
The only thing you enter is the 22-digit hash. No need to tell the machine the type or amount of treatments.
Previous owner told me that if he ordered 20 disposable parts, there would be a 20-digit license key included.
All data is included in the hash.

Then it is very very likely not a hash and you won't be able to use hashcat for this. The 16 bytes of data you are describing here could be a single AES block of data.
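As an added illustration (not code from any poster in this thread), decoding the six codes from post #1 in Python shows that each one is exactly 16 bytes. That length fits an MD5 digest and a single AES-128 block equally well, so the length alone cannot settle the question; only the fact that the device recovers treatment type and count from the code does. The "1234-12345678-x" guess fed to the MD5 comparison is a constructed value in the format post #1 assumes.

```python
import base64
import hashlib
import string

# The six codes from post #1 (22 characters each, base64 with the '=' padding stripped).
CODES = [
    "1vZOlhtCXL+PLoneWTo0Ng",
    "I2jeOeznDKOHtmy6og4wQg",
    "PUbEGIjdCDLEww4Yz5A0+g",
    "vo5ynZ34070IunIjS4RTdw",
    "/Ixh7vSQFisNtkvkCI27Aw",
    "C/MsAno5fLPjHwYG75TLPQ",
]

# Printable ASCII minus control whitespace; used to count "readable" bytes.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def decode_code(code: str) -> bytes:
    """Restore the stripped '=' padding (22 chars -> 2 pads) and decode standard base64."""
    padded = code + "=" * (-len(code) % 4)
    return base64.b64decode(padded, validate=True)


def inspect_code(code: str) -> dict:
    """Length and byte statistics a reverser looks at before picking a tool."""
    raw = decode_code(code)
    return {
        "code": code,
        "length": len(raw),
        "hex": raw.hex(),
        "printable": sum(b in PRINTABLE for b in raw),
        "distinct": len(set(raw)),
    }


def all_sixteen_bytes(codes=CODES) -> bool:
    """True when every code decodes to one 128-bit block."""
    return all(len(decode_code(c)) == 16 for c in codes)


def looks_like_md5(candidate: str, code: str) -> bool:
    """The only test a hash guess can ever pass: digest equality. Note that an MD5
    digest is also 16 bytes, so the decoded length never distinguishes the two."""
    return hashlib.md5(candidate.encode()).digest() == decode_code(code)


if __name__ == "__main__":
    for info in map(inspect_code, CODES):
        print(info)
    print("all 16 bytes:", all_sixteen_bytes())
    print("md5 match:", looks_like_md5("1234-12345678-x", CODES[0]))  # constructed guess
```

The first three decoded bytes of code one are d6 f6 4e, which matches the "��N" visible at the start of the pasted decoder output.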