Packet Tracer Analysis

Packet Tracer is a very famous program to simulate network made by Cisco. To download program for free, you can go to Netacad and register new account, learn their courses, and learn how to use their tools, ...
In this blog post.
I will summary what I've done wit Packet Tracer v7.2.1 Windows 32bit

Why I did this? I'm a lazy senior Networking student. My teacher give our class a lot homeworks, which is *.pka. These file format include answers, configuration validate, which I need to solve, called *Activity*.  PT nowadays did not separate into Instructor (only version had Activity generator), and Student (did not have that feature, maybe only checking result is enough); just one leftover, Packet Tracer *universal*, has ability to generate *Activity*, also check result.
Activity can be setup with a password, only allow teacher, or anyone knew password to modify. :?  If anyone, included me, can view, edit Activity, they can even view answer sheet :D If packet tracer can do the validation script, then I can.

Searching a little bit, in the past, someone did an analysis on PT, almost 9 years ago, https://b3nj1.blogspot.com/2010/05/packet-tracer-analysis.html.
That blog provide a script,  but things changed, I have tried to compile, run, but fail due to "corrupted" data, turn out PT newer version introduce new way to *encrypt* file. But after *qUncompress*, they still use XML, let me see your hands, security researcher \m/
There are 2 ideas come up:

  1. Decrypt -> Get XML -> patch password to our password -> Encrypt -> redistribute -> profit
  2. Patch program -> skip validation -> Profit
I followed way 1 first, totally disaster :( First, their encryption involved, not only one, but many round of xor-ing just to decrypt a file? Nah, wasted my time. Also, they used *salted* md5 :( Can't easy crack the password.
So I cannot build an program to decrypt their file, unable to get password
Then I find out way 2 is promising, they checked the password I input with password in XML from input file, again, I repeat, *many* times. The algorithm is so simple, MD5 (or SHA1) of salt, concat with my input, must be equal to a value from XML decoded.  Also, QScriptEngine has been involved in this situation, but no hiding, no encrypting, just plaintext.

But as I can count it on my fingers, it doesn't matter. Overload of functions just to check a single password :( SHIT, I will not invest my time into their password validation algorithm. Just *NOP-ed* their check :P

Anti debug made no sense :( Ppl use x64dbg nowaday, a lot :D
And the patch, that's mean I reverse the way how it work (74 -> 75), so in case you input the correct password, it won't work :D

No comments:

Post a Comment