Old 04-26-2017, 01:15   #1 (permalink)
Insane Poster
 
Join Date: Jan 2017
Posts: 95
Member: 2674769
Status: Offline
Thanks Meter: 17
LG laf KILOMETER COMMAND encryption


This is the LG LAF download command that is encrypted.

The encryption depends on the KILOCENT command response, for example:

KILOCENT command
4b 49 4c 4f 43 45 4e 54 00 00 00 00 00 00 00 00 KILOCENT........
00 00 00 00 00 00 00 00 e3 7b 00 00 b4 b6 b3 b0 .........{......
Phone answer
4b 49 4c 4f 43 45 4e 54 fe 1c d6 03 00 00 00 00 KILOCENT........
00 00 00 00 00 00 00 00 90 8e 00 00 b4 b6 b3 b0 ................

After that comes the KILOMETER command:

4b 49 4c 4f 4d 45 54 52 00 00 00 00 04 00 00 00 KILOMETR........
00 00 00 00 10 00 00 00 d2 c2 00 00 b4 b6 b3 b0 ................
00 24 b5 59 6f d1 db a3 af c6 00 37 03 df a4 78 .$.Yo......7...x

{ 00 24 b5 59 6f d1 db a3 af c6 00 37 03 df a4 78 }

The above hex line was calculated through { fe 1c d6 03 } that we get in the
KILOCENT response.

Does anybody know how to calculate it?
Old 04-26-2017, 09:30   #2 (permalink)
Insane Poster
 
Join Date: Jan 2017
Posts: 95
Member: 2674769
Status: Offline
Thanks Meter: 17
Who is interested

Bros
Old 04-26-2017, 10:37   #3 (permalink)
Product Manager
 
.:hack3r2k:.'s Avatar
 
Join Date: Aug 2002
Location: FuriouSTeaM
Posts: 53,976
Member: 15022
Status: Offline
Sonork: 100.53452
Thanks Meter: 61,567
Get IDA and disassemble the laf daemon ;-) All is inside =)

Br
Old 04-26-2017, 23:14   #4 (permalink)
Insane Poster
 
Join Date: Jan 2017
Posts: 95
Member: 2674769
Status: Offline
Thanks Meter: 17
In Python:

import logging
from Crypto.Cipher import AES

_logger = logging.getLogger(__name__)

# make_request() and the comm object are not defined in this post; they come
# from the tool this snippet was taken from.

def key_transform(old_key):
    # Walk the 32-byte key from last byte to first, subtracting (x mod 12).
    new_key = bytearray()
    for x in range(32, 0, -1):
        new_key.append(old_key[x-1] - (x % 0x0C))
    return bytes(new_key)

def key_xoring(key2_t, kilo_challenge):
    # XOR each 4-byte group of the key with the challenge bytes in reverse order.
    key2_t_xor = bytearray()
    i = 0
    while i <= 28:
        key2_t_xor.append(key2_t[i] ^ kilo_challenge[3])
        key2_t_xor.append(key2_t[i+1] ^ kilo_challenge[2])
        key2_t_xor.append(key2_t[i+2] ^ kilo_challenge[1])
        key2_t_xor.append(key2_t[i+3] ^ kilo_challenge[0])
        i = i + 4
    return bytes(key2_t_xor)

def do_aes_encrypt(key2_t_xor):
    # Encrypt the fixed block 00 01 02 ... 0f with the derived 32-byte key.
    plaintext = bytes(range(0, 16))
    obj = AES.new(key2_t_xor, AES.MODE_ECB)
    return obj.encrypt(plaintext)

def do_challenge_response(comm):
    request_kilo = make_request(b'KILO', args=[b'CENT', b'\0\0\0\0', b'\0\0\0\0', b'\0\0\0\0'])
    kilo_header, kilo_response = comm.call(request_kilo)
    # The 4-byte challenge sits at offset 8 of the response header.
    kilo_challenge = bytes(kilo_header[8:12])
    chalstring = ":".join("{:02x}".format(k) for k in kilo_challenge)
    _logger.debug("Challenge: %s" % chalstring)
    key2 = b'qndiakxxuiemdklseqid~a~niq,zjuxl' # if this doesn't work try b'lgowvqnltpvtgogwswqn~n~mtjjjqxro'
    kilo_response = do_aes_encrypt(key_xoring(key_transform(key2), kilo_challenge))
    respstring = ":".join("{:02x}".format(m) for m in kilo_response)
    _logger.debug("Response: %s" % respstring)
    request_kilo_metr = make_request(b'KILO', args=[b'METR', b'\0\0\0\0', b'\x02\0\0\0', b'\0\0\0\0'], body=bytes(kilo_response))
    metr_header, metr_response = comm.call(request_kilo_metr)


It uses AES MODE_ECB encryption.

Can we use it in Delphi?
Old 05-22-2017, 16:27   #5 (permalink)
Insane Poster
 
Join Date: Jan 2017
Posts: 95
Member: 2674769
Status: Offline
Thanks Meter: 17
Can anyone help?
This is the key := qndiakxxuiemdklseqid~a~niq,zjuxl

for AES encryption, ECB mode
Old 05-22-2017, 16:38   #6 (permalink)
Insane Poster
 
Join Date: Jan 2017
Posts: 95
Member: 2674769
Status: Offline
Thanks Meter: 17
Let's translate the Python code to Delphi:

function key_transform(old_key: string): string;
var
  x: integer;
begin
  result := '';
  // Delphi strings are 1-based: Python's old_key[x-1] for x = 32..1 is old_key[x] here
  for x := 32 downto 1 do
    result := result + chr(ord(old_key[x]) - (x mod $0C));
end;
Old 05-22-2017, 16:49   #7 (permalink)
Insane Poster
 
Join Date: Jan 2017
Posts: 95
Member: 2674769
Status: Offline
Thanks Meter: 17
function key_xoring(key2_t: string; kilo_challenge: string): string;
var
  i: integer;
begin
  result := '';
  i := 0;
  while i <= 28 do begin
    result := result + chr(ord(key2_t[i]) xor ord(kilo_challenge[3]));
    result := result + chr(ord(key2_t[i+1]) xor ord(kilo_challenge[2]));
    result := result + chr(ord(key2_t[i+2]) xor ord(kilo_challenge[1]));
    // the constant string index 0 on the next line is what the compiler rejects with E2157
    result := result + chr(ord(key2_t[i+3]) xor ord(kilo_challenge[0]));

    i := i + 4;
  end;
end;

That gives me an error on the yellow line:


[DCC Error] Unit1.pas(8339): E2157 Element 0 inaccessible - use 'Length' or 'SetLength'
Old 05-22-2017, 17:05   #8 (permalink)
Insane Poster
 
Join Date: Jan 2017
Posts: 95
Member: 2674769
Status: Offline
Thanks Meter: 17
If somebody fixes the problem in the above function,

we will need AES encryption for its output.
  Reply With Quote
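
The index problem from posts #6 and #7, worked through as an added Delphi example that is not code from any poster in this thread: Delphi strings are 1-based and a constant index 0 is what raises E2157, so the port below shifts the string index by one in KeyTransform and keeps Python's 0-based indices by holding the key and challenge in TBytes. The names KeyTransform and KeyXoring and the choice of AnsiString and TBytes are assumptions of this example, and the AES step is left out.

```pascal
program LafKeyDerivation;
{$APPTYPE CONSOLE}

uses
  SysUtils;

// Port of key_transform: walk the 32-character key from its last character
// to its first. Delphi strings are 1-based, so Python's old_key[x-1]
// becomes OldKey[x], with x running from 32 down to 1 (never 0).
function KeyTransform(const OldKey: AnsiString): TBytes;
var
  x: Integer;
begin
  if Length(OldKey) <> 32 then
    raise Exception.Create('key must be 32 characters');
  SetLength(Result, 32);
  for x := 32 downto 1 do
    Result[32 - x] := Byte(Ord(OldKey[x]) - (x mod $0C));
end;

// Port of key_xoring: XOR each 4-byte group with the challenge bytes in
// reverse order. TBytes is a 0-based dynamic array, so the Python indices
// carry over unchanged and element 0 of a string is never touched.
function KeyXoring(const Key, Challenge: TBytes): TBytes;
var
  i: Integer;
begin
  if (Length(Key) <> 32) or (Length(Challenge) <> 4) then
    raise Exception.Create('need a 32-byte key and a 4-byte challenge');
  SetLength(Result, 32);
  for i := 0 to 31 do
    Result[i] := Key[i] xor Challenge[3 - (i mod 4)];
end;

var
  Challenge, AesKey: TBytes;
  i: Integer;
begin
  // Challenge bytes taken from the KILOCENT response quoted in post #1.
  Challenge := TBytes.Create($FE, $1C, $D6, $03);
  AesKey := KeyXoring(KeyTransform('qndiakxxuiemdklseqid~a~niq,zjuxl'), Challenge);
  for i := 0 to High(AesKey) do
    Write(Format('%.2x ', [AesKey[i]]));
  Writeln;
end.
```

Keeping the derived key in TBytes rather than in a string also means the 32 bytes are not altered by Unicode string conversion before they are handed to an AES routine.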