![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/securevpn_popularity-486x1080.png\")
<\/figure>\n\n\n\nThe Google Play page of the application specifies it is developed by Secure Signal inc:<\/p>\n\n\n\n Contrary to what this name could lead to believe, this society has nothing to do with the editor of the Signal application.<\/p>\n\n\n\n On the Google Play page, we can find an email address (secure-vpn@free-signal.com), a physical address and a website to contact the developer:<\/p>\n\n\n\n This website is securesignal.app. <\/p>\n\n\n\n We can see the laudatory testimony of Marsha Singer, Tim Shaw and Lindsay Spice:<\/p>\n\n\n\n By a quite extraordinary chance, these three people has Doppelg\u00e4ngers who gave equally laudatory testimonials for another application, apptuary.com. <\/p>\n\n\n\n This application has a dedicated website whose appearance is quite similar to securesignal.app:<\/p>\n\n\n\n Another contact email appears on the site (contact@securesignal.app):<\/p>\n\n\n\n The rest of the site gives some indications regarding the technical capabilities of the VPN, with the usual promises (No Log, Safe Protocol, Privacy, etc), without giving any detail.<\/p>\n\n\n\n The free-signal.com and secure.free-signal.com websites don’t give any clue either.<\/p>\n\n\n\n A user who wants to know whether an application is intrusive but doesn’t know how\/doesn’t want to extract the manifset can use the website https:\/\/reports.exodus-privacy.eu.org.<\/p>\n\n\n\n It turns out that Secure VPN uses 2 trackers and requires 16 permissions:<\/p>\n\n\n\n Some of these permissions:<\/p>\n\n\n\n such as <\/p>\n\n\n\n are not required by a VPN app, and are here only for adverstisement\/profiling needs ( Secure VPN interface is very simple.<\/p>\n\n\n\n When launched for the first time, the application asks the user if s.he consent to their personal data being used for various purposes, including advertising:<\/p>\n\n\n\n The user then has access to a grayed icon which must be clicked on to mount the VPN tunnel:<\/p>\n\n\n\n The connection icon turns blue when the VPN tunnel is mounted:<\/p>\n\n\n\n A visit to whatismyip.com confirms that the IP address observed by a visited website is different from the actual IP address of the phone:<\/p>\n\n\n\n Having a look at the AndroidManifest.xml file of a studied application is an essential step, and we will be no exception.<\/p>\n\n\n\n The manifest declares 24 activities. Among these, 18 are part of the application itself (all are members of the package We will not dwell on the activities of the application: Indeed, the purpose of a VPN client is to encrypt\/decrypt incoming traffic.<\/p>\n\n\n\n This task, carried out in the background, requires the execution of a service. The manifest declares 12 services. <\/p>\n\n\n\n Two of them, are part of the application itself:<\/p>\n\n\n\n These two services inherit from the android.net.VpnService class, a class used to implement a VPN client. Such a service will create a virtual network interface ( Once the VPN is launched,<\/p>\n\n\n\n The class The This method is called when the user clicks on the login icon mentioned before.<\/p>\n\n\n\n We can trace the call to this The According to Android documentation, (https:\/\/developer.android.com\/reference\/java\/lang\/Thread#start()), calling the The This method The application embeds 3 native libraries, libz.so, liblog.so and libchannel.so.<\/p>\n\n\n\n The latter is significantly larger than the two other, and it is this one who implements most of the native methods used by the application’s java classes.<\/p>\n\n\n\n Intuitively, the \u00ab\u00a0easiest\u00a0\u00bb way to create a VPN client is to \u00ab\u00a0wrap\u00a0\u00bb an OpenVPN client into an apk: The application will contain a class inheriting from None of the functions exported by libchannel.so contain in their name the keywords \u00ab\u00a0openvpn\u00a0\u00bb or \u00ab\u00a0ovpn\u00a0\u00bb, contained by a large number of functions exported by the libovpn library used in this type of applications:<\/p>\n\n\n\n This suggests that Secure VPN does not use OpenVPN, although it is possible that libchannel.so is a customized version of libovpn.<\/p>\n\n\n\n If we examine the traffic intercepted after launching the application and setting up the VPN tunnel, we observe, over the sessions:<\/p>\n\n\n\n Although port 443 is dedicated to TLS traffic, the captured traffic is not TLS traffic, an application TLS packet necessarily begins with In the same way, traffic on port 53 is not DNS traffic, as indicated by the errors reported by wireshark:<\/p>\n\n\n\n Calling the This function creates an object of the Let’s give some details on the respective roles of these initialization functions:<\/p>\n\n\n\n Once all these initialization steps are done, the Basically, this function is an infinite loop in which some files descriptors are monitored through the When an application wants to send a network packet, this plaintext packet is written on Conversely, an packet incoming from the VPN server is decrypted and written on Thus,<\/p>\n\n\n\n Firstly, this function reads the packet to send from The packet is then processed by the Firstly, this function performs initialization steps. <\/p>\n\n\n\n One of these steps is to write to magic word `\\x01\\x00_SiG` in the buffer whose address is stored at the beginning of the `SignalPackage`.<\/p>\n\n\n\n The rest of the work is done by the `SignalPackage::setData`, and the encrypted packet is then sent to the VPN server.<\/p>\n\n\n\n After some preliminary checks, the These two computed integers are written in a buffer whose address is stored in the The purpose of these 128 bits could be to give a way to the VPN server to identify which user has sent a given packet.<\/p>\n\n\n\n The This function contains two logical blocks conditioned by the value of its last argument, If As we will see later, most of VPN servers use AES. We therefore won’t dwell on the second block, the one who calls ChaCha20.<\/p>\n\n\n\n The heuristic used to encrypt a plaintext packet is the following:<\/p>\n\n\n\n Once we understand well enough how outgoing packets are processed, studying the incoming packets processing chain is much more easy !<\/p>\n\n\n\n Let’s briefly describe how a packet is decrypted:<\/p>\n\n\n\n The received packets is processed by the Inside it, the packet decryption is done by Even if libchannel contains some AES-something functions, it cannot be excluded that, voluntarily or not, the developer used something else than AES. <\/p>\n\n\n\n It is therefore preferable to ensure that the encryption is actually done by AES.<\/p>\n\n\n\n The encryption function, called in We could analyze the Ghidra-decompiled code to ensure that this function really perform an AES encryption, but encryption algorithm are complicated animals. Moreover, we can hook We therefore launch a script (trace_AesGm.js) who intercepts The script prints the input and the output of By the way, we can see that the arguments of Let’s reproduce the AES GCM computation with a few lines of python (decrypt.py script):<\/p>\n\n\n\n This script produces the same output as the one observed at the end of In AES, each round (the key is a 16 bytes one, so there is 10 rounds) applies three successive transformations – even if the last round is a little bit different:<\/p>\n\n\n\n For efficiency reasons, these transformations are generally implemented in the form of tables precomputed and stored in binary.<\/p>\n\n\n\n This is not what happens here. If we look the tables used by the and if we look where is defined this table We see that its content is not initialized.<\/p>\n\n\n\n We also observe a cross-reference leading to a function A few online searches allow us to find traces of an AES implementation using an The AES implementation in question is that of the mongoose embedded web server, published by the company Cesanta: https:\/\/github.com\/cesanta\/mongoose\/blob\/master\/mongoose.c<\/p>\n\n\n\n A comparison of the code decompiled by Ghidra and the code of Furthermore, the other cryptographic functions used when processing a packet are also present in this repository.<\/p>\n\n\n\n This element allows us to understand the respective roles of the arguments of the cryptographic functions GCM is an authenticated<\/em> mode: <\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/securevpn_securesignal-486x1080.png\")
<\/figure>\n\n\n\nSecure VPN app website<\/h4>\n\n\n\n
![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/securevpn_contact_1-486x1080.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/website1.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/apptuary.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/securesignalcontact.png\")
<\/figure>\n\n\n\nFirst analysis with Exodus privacy<\/h4>\n\n\n\n
![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/exodus_rapport1.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/exodus_rapport2.png\")
<\/figure>\n\n\n\nQUERY_ALL_PACKAGES<\/code>, ACCESS_ADSERVICES_TOPICS<\/code>, ACCESS_ADSERVICES_ATTRIBUTION<\/code> or ACCESS_ADSERVICES_AD_ID<\/code> <\/p>\n\n\n\nQUERY_ALL_PACKAGES<\/code> allows to list the applications installed on a phone, which can say a lot about its owner).<\/p>\n\n\n\nFirst use<\/h4>\n\n\n\n
![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/securevpn_approbation_2-486x1080.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/securevpn_main_1-486x1080.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/securevpn_connection_1-486x1080.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/securevpn_whatismyip-486x1080.png\")
<\/figure>\n\n\n\nThe manifest<\/h4>\n\n\n\n
com.signallab.secure.activity<\/code>).<\/p>\n\n\n\ncom.signallab.secure.service.SecureService<\/code> and com.signallab.lib.SignalService<\/code>, <\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/manifest_list_services.png\")
<\/figure>\n\n\n\n\/dev\/tun<\/code>, typically).<\/p>\n\n\n\n\n
SignalService<\/code> contains a method loop()<\/code>, who calls a method connect()<\/code> from SignalHelper<\/code> class:<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/SignalServiceLoop.png\")
<\/figure>\n\n\n\nconnect()<\/code> method is a native one:<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/SignalHelperNativeMethods.png\")
<\/figure>\n\n\n\nconnect()<\/code> method with Frida (it’s the trace_SignalHelper_connect.js script in the associated github https:\/\/github.com\/T0lva\/securevpn):<\/p>\n\n\n\nSpawned `com.fast.free.unblock.secure.vpn`. Resuming main thread! \n[Pixel 7a::com.fast.free.unblock.secure.vpn ]->\nappel de connect - arguments :\ntunfd : 263\nhost : 205.185.127.80\nudpPorts : 53,9981\ntcpPorts : 443,9981\nuserId : 3363728822350923000\nuserToken : 2374040680779317000\nkey : Fh8YUC9uTVv2qJikWbXCHh\nsupportBt : false\nalgo : 1\n\nappel de connect - pile d'appel :\njava.lang.Exception\n at com.signallab.lib.SignalHelper.connect(Native Method)\n at com.signallab.lib.SignalService$VpnThread.loop(SignalService.java:144)\n at com.signallab.lib.SignalService$VpnThread.run(SignalService.java:1)<\/code><\/pre>\n\n\n\nconnect()<\/code> method arguments are:<\/p>\n\n\n\n\n
\/dev\/tun<\/code>,<\/li>\n\n\n\nuserId<\/code> et userToken<\/code>) who identify the user,<\/li>\n\n\n\nFh8YUC9uTVv2qJikWbXCHh<\/code> here),<\/li>\n\n\n\nstart<\/code> method of a Thread<\/code> object induces the call of the run<\/code> method of the object in question.<\/p>\n\n\n\nstart<\/code> method of VpnThread<\/code> is precisely called in the onStartCommand<\/code> method of SignalService<\/code>:<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/SignalService_onStartCommand.png\")
<\/figure>\n\n\n\nonStartCommand<\/code> is the entry point by which this service can be launched.<\/p>\n\n\n\nThe application’s native libraries<\/h4>\n\n\n\n
android.net.VpnService<\/code>, which will eventually launch the client native.<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/libovpn.png\")
<\/figure>\n\n\n\nTraffic exchanged with the VPN server<\/h4>\n\n\n\n
\n
\\x17\\x03<\/code>:<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/traffic_443.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/traffic_53.png\")
<\/figure>\n\n\n\nDescent to native layer<\/h4>\n\n\n\n
connect()<\/code> method of the SignalHelper<\/code> class results in a call to the function of the same name in libchannel.so.<\/p>\n\n\n\nSignalLinkClient<\/code> class and positions different fields of this object with the functions setSignalRouter<\/code>, enableObscure<\/code>, setUsers<\/code>, setProto<\/code>, setBackupPort<\/code>, connect<\/code> and setTunnel<\/code>, before to call the runLoop<\/code> function which is the main infinite loop of the VPN client service.<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/native_connect.png\")
<\/figure>\n\n\n\n\n
SignalLinkClient<\/code> initializes an object SignalPackage<\/code>. One of the fields of the SignalLinkClient<\/code> points toward this SignalPackage<\/code> object. The 8 first bytes of the SignalPackage<\/code> then point to a 1500 bytes buffer. 1500 is a common MTU value: This buffer will probably be used to handle network packets.<\/li>\n\n\n\nSignalLinkClient::setSignalRouter<\/code>: This function copies the address of a static object SignalRouter<\/code> at the beginning of the SignalLinkClient<\/code>. The SignalRouter<\/code> object contains several function pointers. As those functions are not used in packet encryption\/decryption, we won’t give much attention to them.<\/li>\n\n\n\nSignalLinkClient::enableObscure<\/code> modifies the SignalPackage<\/code> adressed by one of the field of the SignalLinkClient<\/code>: At the end of this function, one of the fields of the SignalPackage<\/code> points toward a SignalObfuscator<\/code>, who essentially contains the obfuscation key. This obfuscation key is one of the parameters of the SignalHelper.connect<\/code> function.<\/li>\n\n\n\nSignalLinkClient::setUser<\/code> copies the intergers userId<\/code> and userToken<\/code> into the SignalLinkClient<\/code>.<\/li>\n\n\n\nSignalLinkClient::setProto<\/code> and SignalLinkClient::setBackupPort<\/code> respective effects is 1\/to set some booleans who indicate the supported protocols (UDP and TCP) 2\/to set port numbers.<\/li>\n\n\n\nSignalLinkClient::connect<\/code> function initializes the RemoteLink *<\/code> arrays, which are objects who describe a VPN server (IP address + port + protocol).<\/li>\n\n\n\nSignalLinkClient::setTunnel<\/code> copies the file descriptor on the \/dev\/tun<\/code> virtual interface into the SignalLinkClient<\/code>.<\/li>\n<\/ul>\n\n\n\nThe infinite processing loop,
SignalLinkClient::runLoop()<\/code><\/h4>\n\n\n\nrunLoop<\/code> function is called.<\/p>\n\n\n\nepoll<\/code> api:<\/p>\n\n\n\n\/dev\/tun<\/code>. The VPN client reads this packet, encrypts it and send it to the VPN server.<\/p>\n\n\n\n\/dev\/tun<\/code> in order to be delivered to the recipient application.<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/runLoop.png\")
<\/figure>\n\n\n\n\n
\/dev\/tun<\/code>, encrypted and sent to the server by the SignalLinkClient::processTunIn<\/code> function,<\/li>\n\n\n\n\/dev\/tun<\/code> by the SignalLinkClient::processLinkData<\/code> function.<\/li>\n<\/ul>\n\n\n\nOutgoing packets processing<\/h3>\n\n\n\n
The outgoing packets
SignalLinkClient::processTunIn<\/code> processing function<\/h5>\n\n\n\n\/dev\/tun<\/code> into the 0x468<\/code> offset of the SignalLinkClient<\/code> object. <\/p>\n\n\n\nSignalLinkClient::writeToLink<\/code> subfunction.<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/processTunIn.png\")
<\/figure>\n\n\n\nThe
SignalLinkClient::writeToLink<\/code> function<\/h5>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/writeToLink.png\")
<\/figure>\n\n\n\nThe `SignalPackage::setData` function<\/h5>\n\n\n\n
SignalPackage::setData<\/code> function computes two 64-bits integers from the userId<\/code> and userToken<\/code> integers who identify the user.<\/p>\n\n\n\nSignalPackage<\/code> object. The plaintext packet is copied just after these two integers.<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/setData.png\")
<\/figure>\n\n\n\nSignalObfuscator::encode<\/code> is finally called. This is this very function who will call all the cryptographic functions who encrypt the packet.<\/p>\n\n\n\nThe
SignalObfuscator::encode<\/code> function<\/h5>\n\n\n\nalgo<\/code>.<\/p>\n\n\n\nalgo<\/code> is set to 1<\/code>, then the packet is encrypted with AES GCM. If it is set to 0<\/code>, encryption is done using ChaCha20.<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/encode.png\")
<\/figure>\n\n\n\n\n
gcm_setkey<\/code>, who calls aes_setkey<\/code>, who in its turn calls aes_set_encryption_key<\/code>).<\/li>\n\n\n\ngcm_start<\/code> function. In practice, the obfuscation key is not long enough (it should have at least 16 + 12 = 28 bytes), and the 6 last bytes of the nonce are always set to zero.<\/li>\n\n\n\ngcm_update<\/code>. The encrypted packet is written inside the SignalObfuscator<\/code> object.<\/li>\n\n\n\ngcm_finish<\/code> function.<\/li>\n\n\n\nSignalLinkClient::writeToLink<\/code> function.<\/li>\n<\/ul>\n\n\n\nThe incoming packets
SignalLinkClient::processLinkData<\/code> processing function<\/h5>\n\n\n\nSignalLinkClient::writeToTun<\/code> function. <\/p>\n\n\n\nSignalPackage::decodePackage<\/code>, via the SignalObfuscator::decode<\/code> function, the counterpart of SignalObfuscator::encode<\/code> for decryption side.<\/p>\n\n\n\nIs it really AES ?<\/h4>\n\n\n\n
gcm_setkey<\/code> and gcm_update<\/code>, is the aes_cipher<\/code> function.<\/p>\n\n\n\naes_cipher<\/code> with Frida, so why bother ?<\/p>\n\n\n\ngcm_setkey<\/code>, gcm_update<\/code> and gcm_finish<\/code> :<\/p>\n\n\n\nthomas@ankou:~\/articles\/securevpn$ frida -U -p $(frida-ps -U | grep 'Secure VPN' | awk -F ' ' '{print $1}') -l trace_AesGcm.js \n ____\n \/ _ | Frida 16.2.1 - A world-class dynamic instrumentation toolkit\n | (_| |\n > _ | Commands:\n \/_\/ |_| help -> Displays the help system\n . . . . object? -> Display information about 'object'\n . . . . exit\/quit -> Exit\n . . . .\n . . . . More info at https:\/\/frida.re\/docs\/home\/\n . . . .\n . . . . Connected to Pixel 7a (id=3C221JEHN01971)\n\n[Pixel 7a::PID::21108 ]-> Entering into gcm_setkey\ngcm_setkey, input : \\x46\\x68\\x38\\x59\\x55\\x43\\x39\\x75\\x54\\x56\\x76\\x32\\x71\\x4a\\x69\\x6b\ngcm_setkey, key_len : 16\nEntering into gcm_start\ngcm_start, mode : 1\ngcm_start, iv : \\x57\\x62\\x58\\x43\\x48\\x68\\x00\\x00\\x00\\x00\\x00\\x00\ngcm_start, iv_len : 12\nEntering into gcm_update\ngcm_update, input len : 90\ngcm_update, input : \\xd5\\xc2\\xb3\\x50\\x09\\xd8\\xfc\\x6e\\x56\\x9d\\x01\\x17\\x37\\x34\\x01\\x01\\x00\\x00\\x5f\\x53\\x69\\x47\\x2e\\xae\\x5d\\x8a\\xc8\\xf8\\x43\\x9a\\x20\\xf2\\x49\\x6b\\xc4\\x2d\\x80\\xbd\\x45\\x00\\x00\\x34\\x0b\\xe9\\x40\\x00\\x40\\x06\\x2a\\x4e\\xc0\\xa8\\x01\\x86\\x8e\\xfa\\xb3\\x64\\x8e\\x36\\x01\\xbb\\xef\\x16\\x68\\xf5\\x5d\\x8d\\xa5\\x89\\x80\\x11\\x01\\x2c\\x74\\x97\\x00\\x00\\x01\\x01\\x08\\x0a\\x9e\\x0f\\xe7\\xd0\\xb4\\x12\\xd7\\x63\ngcm_update, gcm_mode : 1\ngcm_update, output after : \\x48\\xb7\\xff\\x55\\xd1\\x7c\\x26\\x92\\x5e\\x4d\\x2d\\x5f\\x48\\x65\\xa9\\xa9\\xa8\\x0f\\x4a\\x56\\x3e\\x84\\x32\\xbc\\x61\\xea\\xae\\x06\\xb9\\x87\\x31\\x65\\x33\\xcf\\x3a\\x1d\\x8f\\x49\\x79\\x3f\\x1d\\xe2\\xca\\x33\\xb5\\xe5\\xd6\\xa8\\xd7\\xd9\\x57\\xcc\\x2d\\x67\\x8d\\xfb\\x34\\x35\\x3a\\x74\\x07\\x1c\\x7d\\x44\\x08\\x94\\x97\\xd0\\x3e\\x8e\\x85\\x8d\\x34\\x55\\x79\\x0b\\xba\\xfa\\xb3\\x39\\x28\\xc2\\xe2\\xa0\\x0e\\xd9\\x78\\x4f\\x9b\\x52\nEntering into gcm_finish\ngcm_finish, tag ptr : 0x0\ngcm_finish, tag len : 0\nStopping script\n[Pixel 7a::PID::21108 ]-><\/code><\/pre>\n\n\n\ngcm_update<\/code>, and also the nonce and the encryption key.<\/p>\n\n\n\ngcm_finish<\/code>, namely the pointer and the length of the tag, are null.<\/p>\n\n\n\n```\n#!\/usr\/bin\/python3\n# -*- coding: utf-8 -*-\n\nfrom Cryptodome.Cipher import AES\n\nkey = b'\\x46\\x68\\x38\\x59\\x55\\x43\\x39\\x75\\x54\\x56\\x76\\x32\\x71\\x4a\\x69\\x6b'\nnonce = b'\\x57\\x62\\x58\\x43\\x48\\x68\\x00\\x00\\x00\\x00\\x00\\x00'\nplaintext = b'\\xd5\\xc2\\xb3\\x50\\x09\\xd8\\xfc\\x6e\\x56\\x9d\\x01\\x17\\x37\\x34\\x01\\x01\\x00\\x00\\x5f\\x53\\x69\\x47\\x2e\\xae\\x5d\\x8a\\xc8\\xf8\\x43\\x9a\\x20\\xf2\\x49\\x6b\\xc4\\x2d\\x80\\xbd\\x45\\x00\\x00\\x34\\x0b\\xe9\\x40\\x00\\x40\\x06\\x2a\\x4e\\xc0\\xa8\\x01\\x86\\x8e\\xfa\\xb3\\x64\\x8e\\x36\\x01\\xbb\\xef\\x16\\x68\\xf5\\x5d\\x8d\\xa5\\x89\\x80\\x11\\x01\\x2c\\x74\\x97\\x00\\x00\\x01\\x01\\x08\\x0a\\x9e\\x0f\\xe7\\xd0\\xb4\\x12\\xd7\\x63'\n\ncipher = AES.new(key, AES.MODE_GCM, nonce)\nciphertext = cipher.encrypt(plaintext)\n\nprint(f\"enc ciphertext : {ciphertext}\")\n```<\/code><\/pre>\n\n\n\ngcm_finish<\/code>: The VPN client really uses AES GCM !<\/p>\n\n\n\nthomas@ankou:~\/articles\/securevpn$ .\/decrypt.py \nenc ciphertext : b'H\\xb7\\xffU\\xd1|&\\x92^M-_He\\xa9\\xa9\\xa8\\x0fJV>\\x842\\xbca\\xea\\xae\\x06\\xb9\\x871e3\\xcf:\\x1d\\x8fIy?\\x1d\\xe2\\xca3\\xb5\\xe5\\xd6\\xa8\\xd7\\xd9W\\xcc-g\\x8d\\xfb45:t\\x07\\x1c}D\\x08\\x94\\x97\\xd0>\\x8e\\x85\\x8d4Uy\\x0b\\xba\\xfa\\xb39(\\xc2\\xe2\\xa0\\x0e\\xd9xO\\x9bR'<\/code><\/pre>\n\n\n\nIdentification of the cryptographic implementation used<\/h4>\n\n\n\n
\n
aes_cipher<\/code> function:<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/aes_cipher.png\")
<\/figure>\n\n\n\nDAT_0015ed78<\/code> :<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/sbox.png\")
<\/figure>\n\n\n\naes_init_keygen_tables<\/code>, whose role, as its name suggests, is to initialize the tables in question.<\/p>\n\n\n\naes_init_keygen_tables<\/code> function:<\/p>\n\n\n\n![\"\"](\"https:\/\/tolva.fr\/wp-content\/uploads\/2024\/05\/aes_init_keygen_tables.png\")
<\/figure>\n\n\n\naes_init_keygen_tables<\/code> present on github confirms that the version present in libchannel.so probably comes from this repository.<\/p>\n\n\n\ngcm_setkey<\/code>, gcm_start<\/code>, gcm_update<\/code> and gcm_finish<\/code> used by libchannel.so.<\/p>\n\n\n\nFocus on the cryptographic mechanisms used<\/h4>\n\n\n\n