Cracking RSA-2048 (not really)

Another boring day and another tinkering post. For a couple of days I was just resting at home and learning new stuff about computers, especially programming. When I was tinkering with my old Dreambox 800, I found a cool plugin named AirPlayer. It turns your Dreambox into an Apple TV so that you can easily stream media from your iPhone to your box. However, there was one problem: the cool features aren’t enabled unless we pay.

I am not a cheap person, but I didn’t like their attitude. They used open source software, added a couple of bits and charge money for it. I checked the LICENSE file and saw this:

This plugin is NOT free software. It is open source, you are allowed to
modify it (if you keep the license), but it may not be commercially
distributed other than under the conditions noted above.

It means it is absolutely legal to modify this plugin in any way we like if we keep the license and don’t sell it. OK, let’s fix it. I set up the plugin on my box and checked the plugin folder for files. This plugin doesn’t work if IPTV is not working for you; according to my tests, OpenPLi 4 and OpenATV 4 don’t work. Dreambox uses Python for its plugins. The authors also didn’t ship .py files but compiled .pyo files to hide the plugin content. I decompiled the .pyo files with uncompyle and started reading to learn how the protection works. The protection works roughly like this:

The user must enter a premium key for the premium features. If there is a premium key, it is used together with the MAC address, boxid and model to check whether the user has valid credentials. So this plugin sends your MAC address and model every time you use it. The boxid is generated by the server and, according to my test, it increments every time you ask for it; it is only used for statistics. The model number is not important. Let’s see how the protection really works. Red shows the packet sent from my Dreambox and green denotes the packet received from the server.

GET /boxid.php?model=dm800&version=0.4.1&token=00%3A09%3A33%3A34%3A35%3A36 HTTP/1.1
Host: airplayer.toeppe.com

2217326

GET /validate.php?model=dm800&version=0.4.1&boxid=2217326&token=00%3A09%3A33%3A34%3A35%3A36&key=NONE
Host: airplayer.toeppe.com

fVyICjb2yWTirkjpXU4LM……. (Base64 string)

The server’s Base64 reply is decrypted with RSA-2048 and checked to see whether the user is in the trial period or registered. I can’t believe how greedy they are. They basically used open source technologies and protect it like a hawk. Fortunately, these guys are not the brightest. I disassembled libairtunes.so.0 and found the function named checkValidation. I don’t know much about the MIPS instruction set, but REC Studio 4 helped me to understand the underlying code. It decodes the Base64 encoded string and then decrypts that value with RSA-2048. The decrypted message is composed of fields separated by newlines. For example:

"Model=?????/\n"\
"Valid=??????\n"\
"Mac=???????\n"\
"boxid=????????\n"\
"key=????????\n"\
"message=???????\n";

The Model and message parts are not important; they are not checked. Valid shows the validity of the key: it is a number, the result of the time function, and the plugin checks this value for the trial days. Mac must be the same as your MAC address. Boxid is not important, but it must be the same as in your config. We actually can’t find the RSA-2048 private key from the public key. Therefore I created a new public-private key pair with OpenSSL and patched the files with my key. RSA-2048 is defeated lol. I also created a key generator to register the plugin. During this analysis, I updated my iPhone to iOS 8 and found out that AirPlayer stopped working. Thanks to discussions on the XBMC forums I found the reason and added some workaround code to enable streaming on iOS 8. If you want, you may download my modified AirPlayer and keygen from here. Until next time, peace
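The check described above, modelled as an added example (this is not the plugin’s code and not the authors’ code). The server applies its private RSA key to a newline-separated record and Base64-encodes it; the client decodes the blob with the public key embedded in libairtunes and compares the fields against its own MAC address, boxid and the clock. Toy RSA with small constructed primes stands in for RSA-2048 so it runs offline, and the reading of Valid as an expiry timestamp is an assumption (the post only says it is the result of the time function, checked for trial days). The last case shows the defender’s point: the verification itself is sound, but it only proves “issued by whoever holds the private key matching the embedded public key”, so a client-side check whose trust anchor lives in a patchable file cannot enforce entitlement; only the server can.

```python
import base64
import time

# --- toy RSA (constructed; the real plugin uses RSA-2048 with a key baked into libairtunes) ---

def make_toy_keypair(p, q, e=17):
    """Textbook RSA from two small primes. Returns (public, private), each as (n, exponent)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                       # modular inverse (Python 3.8+)
    return (n, e), (n, d)

LEGIT_PUB, LEGIT_PRIV = make_toy_keypair(61, 53)   # the server's key pair (constructed)
PATCHED_PUB, _ = make_toy_keypair(67, 71)          # an unrelated public key, as in the post

def server_seal(record: str, private_key) -> str:
    """Server side: apply the private exponent to every byte, pack each result in 2 bytes, Base64."""
    n, d = private_key
    out = bytearray()
    for b in record.encode("ascii"):
        out += pow(b, d, n).to_bytes(2, "big")   # every byte value is < n, so one block per byte
    return base64.b64encode(bytes(out)).decode("ascii")

def client_open(blob: str, public_key) -> str:
    """Client side (what checkValidation does): Base64-decode, apply the public exponent."""
    n, e = public_key
    raw = base64.b64decode(blob, validate=True)   # raises binascii.Error (a ValueError) on junk
    values = [pow(int.from_bytes(raw[i:i + 2], "big"), e, n) for i in range(0, len(raw), 2)]
    return bytes(values).decode("latin-1")        # ValueError if a value is not a byte (wrong key)

def parse_record(text: str) -> dict:
    """Split the newline-separated 'name=value' record into a dict; unknown lines are ignored."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def validate(blob: str, public_key, local_mac: str, local_boxid: int, now: float = None) -> str:
    """Return 'registered', 'trial', 'expired' or 'invalid' for a validate.php reply.

    Model and message are never checked, as the post observes.  Valid is treated here as a
    Unix timestamp after which the trial or key is no longer valid (assumption).
    """
    now = time.time() if now is None else now
    try:
        fields = parse_record(client_open(blob, public_key))
    except ValueError:                            # bad Base64 or a key that does not match
        return "invalid"
    if fields.get("Mac") != local_mac or fields.get("boxid") != str(local_boxid):
        return "invalid"
    try:
        valid_until = int(fields["Valid"])
    except (KeyError, ValueError):
        return "invalid"
    if valid_until < now:
        return "expired"
    return "registered" if fields.get("key", "NONE") != "NONE" else "trial"

def demo() -> dict:
    """Run the check against one constructed server reply under several client states."""
    mac, boxid = "00:09:33:34:35:36", 2217326     # values from the captured request above
    record = (f"Model=dm800\nValid=2000000000\nMac={mac}\nboxid={boxid}\n"
              "key=NONE\nmessage=trial\n")
    blob = server_seal(record, LEGIT_PRIV)
    return {
        "legit key, in trial":      validate(blob, LEGIT_PUB, mac, boxid, now=1_500_000_000),
        "legit key, after expiry":  validate(blob, LEGIT_PUB, mac, boxid, now=2_500_000_000),
        "legit key, other MAC":     validate(blob, LEGIT_PUB, "00:11:22:33:44:55", boxid, now=1_500_000_000),
        "patched key, real server": validate(blob, PATCHED_PUB, mac, boxid, now=1_500_000_000),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} -> {result}")
```

The last case is the one to notice: once the embedded public key no longer matches the server’s private key, every genuine server reply fails as “invalid”, which is exactly why swapping the key only makes sense together with a replacement issuer. A scheme that wants to survive that has to keep the decision on the server (or tie the client check to verified code integrity), not in a constant inside a shared library.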

One thought on “Cracking RSA-2048 (not really)”

  1. […] Just some string greps shows that it is probably coded by some German person. Is it because of my Airplayer keygen? If malware author reads this, please tell me what was your motive. Last time I checked, I am not a […]
