Help with decrypting the contents in the file


chiali
January 14th, 2008, 17:30
Hi,

This is my first post. I hope to keep the rules intact. I am debugging a program and here is the list, see below.

1. What is the problem....
In the program, I put a break point on the WriteFile API and I see the buffer that's being written to the file. Obviously it's encrypted since it's junk.

2. What is the protection.....
When I use the PEID, it says there is no encryption.
3. What tools are you using....
OllyDbg, PEID
4. What tutorials have you read....
I have followed the tutorials by lena151. Very good ones.

5. Show your output listing WITH comments....
Let me know what exactly do you want me to post.
6. NOW ask your question....
How can I see (un-encrypt) the contents that are being written to the file?

naides
January 14th, 2008, 22:45
Quote:
[Originally Posted by chiali;71795]Hi,

This is my first post. I hope to keep the rules intact. I am debugging a program and here is the list, see below.

1. What is the problem....
In the program, I put a break point on the WriteFile API and I see that the buffer
This buffer is written verbatim to "the file" by the WriteFile API. Your problem is finding out the routine that "fills" that buffer with the encrypted junk with the hope that you can, by tracing, figure out where such routine is reading from, the unencrypted equivalent. That may not be a trivial task. I would start by placing a hardware breakpoint on write to the first bytes of the buffer, restart Olly and cross your fingers that the buffer address is conserved between run and run . . .


that's being written to the file.

You say "the file" but I cannot figure out what file: The executable itself? an output file? please elaborate

Obviously it's encrypted since it's junk.

2. What is the protection.....
When I use the PEID, it says there is no encryption.

Did you use the KANAL plug-in?

3. What tools are you using....
OllyDbg, PEID
4. What tutorials have you read....
I have followed the tutorials by lena151. Very good ones.

5. Show your output listing WITH comments....
Let me know what exactly do you want me to post.
6. NOW ask your question....
How can I see (un-encrypt) the contents that are being written to the file?
See above


In blue

chiali
January 15th, 2008, 14:31
Naides,

I am talking about the output file. Here is a more elaborate explanation. The file that I am working off is the .exe file which has other files in it compressed. But I unpacked it to just the executable.

I did already try the suggestion that you gave me about WriteFile API and the break points. It seems it's encrypted.

But to me it seems like the program should know how to decrypt since it needs to use that information for decision making.

Also, I am using Kanal plugin and it says none.

I believe this is a challenging one to reverse just because you cannot use the exe file more than once for installation. Obviously you guys are subject matter. I think once it installs it writes something back to the exe file so that the next time the installation would know it's already been installed. Even though I figured out the algorithm for password protection, it somehow still knows that the executable has already been used for installation and therefore cannot install it.

And this is where I am trying to see the contents written to the file. During installation, when it writes the file, I am assuming it's extracting it from the exe file (packing).

Any ideas are greatly appreciated.

Thanks

dELTA
January 16th, 2008, 04:23
It would be extremely simple to see if anything is written back to the exe file, just diff it with the original exe once the installation is complete.

http://www.woodmann.com/collaborative/tools/index.php/Category:Binary_Diff_Tools

Patching the exe like this would be a very uncommon (and stupid) solution, so my guess would be that they are rather "hiding" this information anywhere on disk or in the registry (which is of course also on disk in the end, but anyway).

Such things are also normally detected with different kinds of diffing or monitoring tools (see the subcategories too):

http://www.woodmann.com/collaborative/tools/index.php/Category:Diff_Tools

http://www.woodmann.com/collaborative/tools/index.php/Category:Monitoring_Tools
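The before/after diff dELTA suggests, as an added example that is not part of the thread: a small byte-level differ that reports every changed range (offset, old bytes, new bytes) between the pristine installer and the copy that has been run, so a patched flag byte or an appended trailer shows up immediately. The two sample buffers are constructed here so it runs offline; real use would pass two file paths to diff_files.

```python
# Added example (not from the thread): byte-level diff of an installer
# before and after it runs, to see whether it wrote anything back into itself.
from dataclasses import dataclass
from typing import List

@dataclass
class Change:
    offset: int    # first differing byte
    before: bytes  # bytes in the original at that range
    after: bytes   # bytes in the modified copy

def diff_bytes(original: bytes, modified: bytes) -> List[Change]:
    """Return contiguous ranges where the buffers differ; a length
    difference is reported as one extra change at the common end."""
    changes: List[Change] = []
    n = min(len(original), len(modified))
    i = 0
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != modified[i]:
            i += 1
        changes.append(Change(start, original[start:i], modified[start:i]))
    if len(original) != len(modified):
        changes.append(Change(n, original[n:], modified[n:]))
    return changes

def diff_files(path_a: str, path_b: str) -> List[Change]:
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return diff_bytes(fa.read(), fb.read())

def report(changes: List[Change]) -> str:
    if not changes:
        return "files are identical"
    return "\n".join(f"0x{c.offset:08x} len={len(c.after)}: "
                     f"{c.before.hex() or '-'} -> {c.after.hex() or '-'}"
                     for c in changes)

# Constructed sample: a fake header where the "installer" sets a flag byte
# after the CONFIG tag and appends a marker, the behaviour the thread suspects.
ORIGINAL = b"MZ" + b"\x00" * 14 + b"CONFIG\x00\x00" + b"\x00" * 8
MODIFIED = bytearray(ORIGINAL)
MODIFIED[22] = 0x01          # first byte after "CONFIG" flipped to 1
MODIFIED += b"INSTALLED"     # trailer appended past the original end

if __name__ == "__main__":
    print(report(diff_bytes(ORIGINAL, bytes(MODIFIED))))
```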