Showing posts with label reverse engineering. Show all posts

Monday, July 11, 2016

After 20 Years Sega Saturn DRM Cracked.... and what it has to do with calendaring.....

Bravo to Dr Abrasive for cracking the Sega Saturn DRM method.

What on earth does this have to do with calendaring?

Well, since we broke Meeting Maker, Oracle Calendar Server, Zimbra, Oracle Beehive, and a few other encoding schemes we're not allowed to talk about, we're sort of connoisseurs of reverse engineering and call out kudos where they are warranted.

What's kind of amazing is that none of the engineers came forward in the last 20 freaking years with anything that would help this.  Of course, for Meeting Maker the group of hacks finally working on it only started to contact us after we'd done everything significant to read their data and insert it into Exchange.

And don't even get us started about the Oracle people!!!!

Saturday, September 20, 2014

#MeetingMaker User Password Recovery

Meeting Maker 7x / 8x User Password Recovery

First get comfortable with reading binary data.

Second, open up a Meeting Maker Server Export in said binary file viewer.

Third, figure out how to turn all this gobbledygook into something semi-useful (as we have done below), but barring that, search for your USER NAME or USER LOGIN. In the example below we use “Adam Ant” with User Login “adam”.

Adam’s password is encrypted in the line beginning with “OVNI 0103” (which will ALWAYS immediately follow his USER LOGIN).

The first digit “1” tells me the password is 1 byte long. In this example I know his password is “b”, but it is encrypted in the export file as “c”.


You should start to suspect a pattern.

If the clear password is “aa” (61 61h), the hex string is “63 8C”.

The pattern holds. The first encrypted character = character + LENGTH of password.

Now we proceed to the next digits in turn and build a table (a, aa, aaa, aaaa, b, bb, bbb... you get the idea), which we will leave as an exercise for the reader.

Going down the column is less clear than going across the rows. Going from “a” to “b” everything increases by one (and this has held across a range of experimentation), meaning we can in a pinch use each “a” length cipher as a base to figure out anything of that length.

So the algorithm:
1. Find a user.
2. Read the password length.
3. Subtract the length from the first digit to get the hex of the first character.
4. Use the “a” column in your table as an offset for all the other letters in the password sequence.
5. Do not ask for any more information you script kiddies in India – this is more than adequate.
So the 7-digit string “7B 96 BA E9 04 38 26” deciphers as “theman5”.
The 7-letter “50 A4 B6 EA 04 FD 24” deciphers as “Ivana33”.
The 5-letter “70 8F D0 E1 14” is “kayak”.
Go wild.
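To show why this encoding offers no real protection, here is an added example (not code from the original post) that recovers the per-position offset table for one password length from a single known plaintext/ciphertext pair quoted above, then reads a different password of the same length with it. The byte strings are the ones in the post; the function names are my own.

```python
# Added example, not from the original post. The Meeting Maker 7x/8x password
# encoding is byte-wise additive with no key: cipher[i] = plain[i] + offset[i]
# (mod 256), where the offset table depends only on the password length.
# One known password per length is therefore enough to read every other
# password of that length in the export.

def offsets_from_known_pair(plain: str, cipher: bytes) -> list[int]:
    """Recover offset[i] = (cipher[i] - plain[i]) mod 256 for one length."""
    if len(plain) != len(cipher):
        raise ValueError("known plaintext and ciphertext must be the same length")
    return [(c - ord(p)) % 256 for p, c in zip(plain, cipher)]


def decode(cipher: bytes, offsets: list[int]) -> str:
    """Invert the additive encoding using the table for this length."""
    if len(cipher) != len(offsets):
        raise ValueError("offset table is specific to one password length")
    return "".join(chr((c - o) % 256) for c, o in zip(cipher, offsets))


# Known pairs quoted in the post (hex strings as written there).
THEMAN5 = bytes.fromhex("7B96BAE9043826")   # "theman5"
IVANA33 = bytes.fromhex("50A4B6EA04FD24")   # "Ivana33"
KAYAK = bytes.fromhex("708FD0E114")         # "kayak"


def demo() -> dict:
    # Build the length-7 table from one known password ...
    table7 = offsets_from_known_pair("theman5", THEMAN5)
    # ... and use it to read a different 7-character password.
    ivana = decode(IVANA33, table7)
    table5 = offsets_from_known_pair("kayak", KAYAK)
    return {
        # The post's rule: the first offset is the password length.
        "first_offset_equals_length": table7[0] == 7 and table5[0] == 5,
        "table7": table7,
        "decoded_ivana33": ivana,
    }


if __name__ == "__main__":
    print(demo())
```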

Wednesday, September 17, 2014

Hacking Canon Firmware -- Use This on Meeting Maker

With Meeting Maker in the final throes of its extended swan song, I'd like to point folks who still want to roll their own server-side migration to Hacking Canon Pixma Printers.  Aside from being an excellent tutorial on reverse engineering, it's pretty much the same method we used (all those years ago) in breaking the Meeting Maker export format. 

Keep in mind, the issue there is not getting at the encryption key (since, except for the user passwords, there isn't one, and you can break those in a few minutes), but establishing the encoding scheme for individual data records. After you run this for the first few records you'll have the wash-rinse-repeat cycle for the entire data set.

You'll then have to assemble object-oriented database elements into something like a coherent whole, but if you get this far into the process that should not be a barrier to success.

The only other hint I need to give you: work on the server export file, not the live server data. The live server data is a hot mess horror show.