AMX has always had a good reputation for making programs and touchpanel projects extractable from the device they are loaded into. Nearly all AMX touchpanel files can be extracted, but recovering source code is less certain.
AMX software is developed in a program called NetLinx Studio. Depending on preferences set by the user, compiling a program can also generate an SRC file (for "source") containing every source file used in the build. If this file exists, uploading the compiled binary also queues an upload of the SRC file. A further NetLinx Studio preference generates these SRC files encrypted with a password.
As it turns out, an SRC file is simply a ZIP file with a different extension, and the encryption applied to it is the legacy encryption offered by PKZIP version 2.x. That scheme is vulnerable to a known-plaintext attack: if you already know some of the contents of the ZIP file, comparing the original and encrypted versions lets you deduce how it was encrypted. And by luck, we have that too.
NetLinx Studio includes a copy of NetLinx.axi in every SRC file; it defines all of the language constants and definitions in effect at compile time. This matters because everyone uses the same NetLinx.axi files, so SRC files are especially exposed to a known-plaintext attack. The only difficult part is gathering the various versions of NetLinx.axi.
I observed that ZIP headers expose the CRC of the unencrypted file. Using this CRC, I can uniquely identify the version of NetLinx.axi inside the encrypted SRC file. After going through our historical files and gathering (what I believe to be) every version of NetLinx.axi that was ever released, and discovering their CRC values, I built a library of these sorted by CRC for the attack. The shell script that I wrote follows this sequence:
- Get the CRC value from the ZIP header for NetLinx.axi
- Look up that value in our folder; if it isn’t found, bail out
- Automatically set up the correct command line for PkCrack
- PkCrack outputs the password needed to extract the SRC file
This process takes about 5-10 seconds in total.
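As an added example (not the author's script), a header-only audit in Python that shows the first two steps above from the defender's side: what the ZIP headers of an SRC file leak without any decryption, and whether a legacy-encrypted archive carries a NetLinx.axi whose CRC matches a release held in clear. The NetLinx.axi content and the CRC table are constructed stand-ins; a real table would be built from your own copies of each release.

```python
import io
import struct
import zipfile
import zlib

# Constructed stand-in for NetLinx.axi; a real table holds the CRC of every release.
SAMPLE_AXI = b"PROGRAM_NAME='NetLinx'\n(* constructed stand-in, not the real file *)\n"
KNOWN_NETLINX_AXI = {zlib.crc32(SAMPLE_AXI) & 0xFFFFFFFF: "constructed-sample"}


def central_directory(data: bytes):
    """Yield (name, crc, flags, method, cd_pos, local_pos) per central-directory entry."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        f = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)  # 46-byte header
        if f[0] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        name = data[pos + 46:pos + 46 + f[10]].decode("cp437")
        yield name, f[7], f[3], f[4], pos, f[16]
        pos += 46 + f[10] + f[11] + f[12]  # skip name, extra and comment


def audit_src(data: bytes) -> dict:
    """Report what the headers leak: CRC of the clear file plus the encryption flag."""
    report = {"netlinx_axi_crc": None, "known_plaintext_exposed": False}
    for name, crc, flags, method, _, _ in central_directory(data):
        # Flag bit 0 = traditional PKZIP encryption; method 99 means WinZip AES instead.
        legacy = bool(flags & 0x0001) and method != 99
        if name.lower() == "netlinx.axi":
            report["netlinx_axi_crc"] = crc
            # The article's precondition: legacy encryption plus a NetLinx.axi CRC we
            # hold in clear. An unknown CRC means no usable plaintext (the "bail out").
            report["known_plaintext_exposed"] = legacy and crc in KNOWN_NETLINX_AXI
    return report


def build_sample(axi: bytes, program: bytes, encrypted: bool) -> bytes:
    """Constructed SRC file. zipfile cannot write PKZIP encryption, so the flag bit
    is set by hand in the local and central headers; the payload stays in clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("NetLinx.axi", axi)
        zf.writestr("Main.axs", program)
    data = bytearray(buf.getvalue())
    if encrypted:
        for _, _, _, _, cd_pos, local_pos in list(central_directory(bytes(data))):
            data[cd_pos + 8] |= 0x01     # flags field of the central header
            data[local_pos + 6] |= 0x01  # flags field of the local header
    return bytes(data)
```

Running `audit_src` over your own SRC archives tells you whether the precondition for this recovery holds; the mitigation is to stop relying on the ZIP 2.x password option for anything you consider confidential.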
Technologies: AMX, Linux, Bash