Plugin for IDA 8+ #124
Comments
As of IDA 1.8 you can have private Lumina servers up, of which you can just configure a connection to in IDA Options. IDA does not allow connection to a private server without credentials (for some reason) - patching it out causes a trusted cert issue. Apparently these instances also require a trusted certificate.
Yes, that's why I would like to create an open source plugin for this (or use this one #117 (comment)).
Okay, I guess I found what the problem with the Lumina server's certificate is. So I decompiled ida64.dll of IDA Pro 8.3 to fix that stupid "invalid_remote_certificate" error.

So it needs to have a broken chain:

Check the sites yourself:

Here is the entire function:

```c
bool IDA_CheckCert(struct_IdaCert *aCert)
{
    /* Locals as implied by the Win32 signatures (the listing did not include them) */
    PCCERT_CONTEXT pBuffer;
    CERT_CHAIN_PARA pChainPara;
    PCCERT_CHAIN_CONTEXT pChainContext;
    DWORD TrustStatus_dwErrorStatus;
    char pszNameString[0x400];

    /* 0x53 = SECPKG_ATTR_REMOTE_CERT_CONTEXT: fetch the certificate the server presented */
    if ( (aCert->CerErrCode = QueryContextAttributesA(&aCert->sechandle78, 0x53u, &pBuffer)) != 0 ) {
        aCert->CerErrText = "QueryContextAttributes(SECPKG_ATTR_REMOTE_CERT_CONTEXT)";
        return 0;
    }
    memset(&pChainPara, 0, sizeof(pChainPara));
    pChainPara.cbSize = 32;

    // First time CertificateChain
    if ( !CertGetCertificateChain(NULL, pBuffer, NULL, pBuffer->hCertStore, &pChainPara, 0, NULL, &pChainContext) ) {
        aCert->CerErrText = "CertGetCertificateChain[1]";
        aCert->CerErrCode = GetLastError();
        return 0;
    }
    TrustStatus_dwErrorStatus = pChainContext->TrustStatus.dwErrorStatus;
    CertFreeCertificateChain(pChainContext);
    if ( (TrustStatus_dwErrorStatus & 1) != 0 ) { // =0x1 -> CERT_TRUST_IS_NOT_TIME_VALID
        aCert->CerErrText = "expired_remote_certificate";
        return 0;
    }
    // Problem: the lumina server's certificate must have the error of a broken certificate chain to be 'genuine'
    // https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_trust_status
    if ( TrustStatus_dwErrorStatus != CERT_TRUST_IS_PARTIAL_CHAIN ) { // = 0x10000 The certificate chain is not complete.
        aCert->CerErrText = "invalid_remote_certificate";
        return 0;
    }
    /* 1 = X509_ASN_ENCODING, 2 = CERT_STORE_ADD_USE_EXISTING */
    if ( !CertAddEncodedCertificateToStore(pBuffer->hCertStore, 1u, aCert->pbCertEncoded, aCert->cbCertEncoded, 2u, NULL) ) {
        aCert->CerErrText = "CertAddEncodedCertificateToStore";
        aCert->CerErrCode = GetLastError();
        return 0;
    }

    // Second time CertificateChain
    if ( !CertGetCertificateChain(NULL, pBuffer, NULL, pBuffer->hCertStore, &pChainPara, 0, NULL, &pChainContext) ) {
        aCert->CerErrText = "CertGetCertificateChain[2]";
        aCert->CerErrCode = GetLastError();
        return 0;
    }
    TrustStatus_dwErrorStatus = pChainContext->TrustStatus.dwErrorStatus;
    CertFreeCertificateChain(pChainContext);
    // lumina server cert chain must NOT end in a root certificate
    // If lumen.abda.nl Cert is in Root Trust ; TrustStatus_dwErrorStatus gets 0x0 (CERT_TRUST_NO_ERROR)
    if ( TrustStatus_dwErrorStatus != CERT_TRUST_IS_UNTRUSTED_ROOT ) { // = 0x20 The certificate or certificate chain is based on an untrusted root.
        aCert->CerErrText = "invalid_remote_certificate";
        return 0;
    }
    if ( CertVerifyTimeValidity(NULL, pBuffer->pCertInfo) ) {
        aCert->CerErrText = "expired_remote_certificate";
        CertFreeCertificateContext(pBuffer);
        return 0;
    }
    /* 3 = CERT_NAME_ATTR_TYPE, "2.5.4.3" = OID of the common name (CN) */
    else if ( CertGetNameStringA(pBuffer, 3u, 0, "2.5.4.3", pszNameString, 0x400u) <= 1
           || !strcmp(pszNameString, "internal.hex-rays.com") )
    {
        aCert->CerErrText = "invalid_remote_certificate";
        CertFreeCertificateContext(pBuffer);
        return 0;
    }
    else {
        CertFreeCertificateContext(pBuffer);
        return 1;
    }
}
```

So until you somehow get it done to craft a certificate with a broken chain for the lumina server on lumen.abda.nl.

Fileoffset: 000B00E8 32 C0 -> B0 01

You are using a different version of IDA? -> So that is how to find the file offset

Having ida64.dll loaded press Shift+F4 to open "Strings"

Edit\Patch program\Patch Bytes

Well file is probably in use and save not possible.
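An added example, not part of the comment above or of IDA: a portable model of the two trust-status comparisons in the decompiled function, showing why common server certificate setups end in `invalid_remote_certificate`. The function name `lumina_chain_verdict` and the scenario table are constructed for illustration; the status values are what each setup is expected to report, not captured output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* dwErrorStatus bits of CERT_TRUST_STATUS, as defined in wincrypt.h */
#define CERT_TRUST_NO_ERROR          0x00000000u
#define CERT_TRUST_IS_NOT_TIME_VALID 0x00000001u
#define CERT_TRUST_IS_UNTRUSTED_ROOT 0x00000020u
#define CERT_TRUST_IS_PARTIAL_CHAIN  0x00010000u

/* pass1: chain status built from what the server sent plus the system stores.
 * pass2: status after the certificate in aCert->pbCertEncoded was added.
 * Returns NULL when both comparisons pass, otherwise the error text. */
static const char *lumina_chain_verdict(uint32_t pass1, uint32_t pass2)
{
    if (pass1 & CERT_TRUST_IS_NOT_TIME_VALID)
        return "expired_remote_certificate";
    if (pass1 != CERT_TRUST_IS_PARTIAL_CHAIN)   /* exact match, not a bit test */
        return "invalid_remote_certificate";
    if (pass2 != CERT_TRUST_IS_UNTRUSTED_ROOT)  /* exact match again */
        return "invalid_remote_certificate";
    return NULL;
}

struct scenario { const char *what; uint32_t pass1, pass2; };

/* Constructed scenarios (assumed status values, see lead-in). */
static const struct scenario scenarios[] = {
    { "issuer unknown locally, added cert completes chain", 0x10000u, 0x20u },
    { "self-signed server cert, not in any root store",     0x00020u, 0x20u },
    { "chain ends in a root the system already trusts",     0x00000u, 0x00u },
    { "partial chain with a cert outside its validity",     0x10001u, 0x21u },
};

int main(void)
{
    for (size_t i = 0; i < sizeof scenarios / sizeof scenarios[0]; i++) {
        const struct scenario *s = &scenarios[i];
        const char *err = lumina_chain_verdict(s->pass1, s->pass2);
        printf("%-52s pass1=0x%05x pass2=0x%02x -> %s\n", s->what,
               (unsigned)s->pass1, (unsigned)s->pass2, err ? err : "accepted");
    }
    return 0;
}
```

Because both comparisons are exact matches, any extra status bit alongside the expected one is rejected as well.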
@naim94a you wanted open source? Here you go https://github.com/tomrus88/OpenLumina. But you will have to create a new server certificate because your old certificate doesn't use certificate chains as intended by IDA and official Lumina servers (both public and private). Scripts to generate new compatible certificates can be found in the plugin repo. Certificates generated by the provided scripts use the exact same settings that are used to generate official Lumina server certificates, the only difference is that we create our own private keys (because we don't have the original ones). The idea is so that this plugin works with both your server as well as official private Lumina servers (but pirated). In the future, once you update your server certificate, I think it should be possible to include that new certificate within the plugin as a preset certificate (hardcode it just like IDA does) so that users don't have to copy both the certificate file and the plugin to their IDAs. There's also a performance benefit from using the newly generated TLS certificates because they are ECC based certificates instead of RSA. ECC certificates use much shorter keys (256 bits instead of 4096 bits) and that means it's much easier for both server and client to deal with encryption.
This is a completely new plugin that was created from scratch today and uses a different method (compared to the method used in the old plugin I shared previously) to fix certificate issues in newer IDA versions.

Edit: there appears to be a bug that prevents this method from working correctly if the Lumen server is running on Windows OS: the server doesn't send the whole certificate chain from the certificate file to the client as intended for some reason, only the first certificate from the chain is being sent and that causes validation on the client to fail... The bug is probably somewhere in Windows schannel (less likely) or in the rust-native-tls library and its dependencies (most likely)...

Edit2: found a workaround for that bug where, when hosting the Lumen server on Windows OS, it's not sending the full certificate chain: if you manually install your generated intermediate certificate to the "Current User" certificate store under the "Intermediate Certificate Authorities" -> "Certificates" category, the server will send the certificate chain correctly and validation will succeed as intended.

Plugin is Windows only because:

Edit3: there are now experimental versions of the plugin for Linux and MacOS. If someone knows how to add Linux/MacOS support to the plugin, feel free to submit a PR.
I've also created plugins for Linux and MacOS, they seem to work fine during my limited testing on a local server. I had to add support for Linux/MacOS to my closed source plugin that brings Lumina functionality to IDA Freeware to be able to test it, but for version 8.4 only, because those OSes are a pain to work with and there are some differences in IDA internals between versions making it even more of a pain. But we still need a server certificate update for it to be useful. At least people who run their own Lumina server can use the plugin now as long as they generate a new compatible certificate.
It seems that some users are having trouble connecting to unofficial lumina servers with TLS enabled. It seems that the current workarounds aren't simple enough.
We should have a plugin that securely connects to any lumen instance by approving preset certificates in addition to the builtin ones.