
New in crypto


Melin
March 7th, 2004, 04:07
Hi guys,

I'm using a SCADA application with a script editor that uses cryptography, and need to decrypt them in our application (I have a demo from a supplier with some functions that I need to use).

I hope someone can help me and tell me what kind of crypto is used in the program, or give me any suggestions.

Example of an encrypted function:

BAF21170A7899570B629BEEE55BC729463E7
BAF20B678DA7
BAF2C82C46E741F6227385F67DB7BB57CA0B41A620F9051411B5194A898B92E99B
BAF2C83C4AE8423900
BAF2C8E1033DFD211A59B2E41908180F58B0D8
BAF2C83C4AE8423903
BAF2C8E1033DFD211A59B2E40D0818F53E93CF0E421156E3
BAF2C83C4AE8423902
BAF2C8E1033DFD211A59B2E40216E729E77DACE516
BAF2C83C4AE8423905
BAF2C8E1033DFD211A59B2E41DFA01021D0E040F
BAF2C83C4AE8423904
BAF2C8E1033DFD211A59B2E41FFB05071A4EF167FC6AFF49
BAF2C83C4AE842103CB93EB3
BAF2C8E1033DFD211A59B2E404262AE139AE2D7F9FAF
BAF2C83EBB75F93FED0B6396DD
BAF20B699A
BA314CA0

I know that the last line is: (space)END

Any suggestions?

xoder
March 7th, 2004, 13:56
I don't think you can tell what crypto is used just by pasting some hex values.
You should try to find out where the decryption is done and try to find the keys.

All lines except the last one start with "BAF2", so they possibly all have the same start in plaintext.

Have you used a tool like PEiD on your target? Does it find any common encryption algorithms?

regards

xoder

mike
March 9th, 2004, 04:14
Looks to me like a simple byte-wise obfuscation. Can you create scripts yourself and look at the encrypted versions? If so, try changing one letter at a time and look at the result. If not, can you guess what the scripts look like other than the END line? Try changing some bytes around to see if you can make it give you some error that leaks info about what happened. Say that the command is really "BREAK" but you don't know that. Then you change the last letter. It could come back with an error like "no such command [BREA#]" that tells you a lot of plaintext.

nikolatesla20
March 9th, 2004, 13:25
I did some quick research, and I wonder if this might be what you are encountering:

It appears that SCADA, at least the popular "WebAccess" app that I found, uses Tcl scripts. Have you considered that this might be Tcl script that has been compiled to bytecode?

For example,

http://www.scriptics.com/software/tclpro/compiler.html

is one such tool. If it's bytecode, you won't have access to the original source. It says though that you can load bytecode and run it if you have the appropriate Tcl engine.

-nt20

Melin
March 9th, 2004, 17:20
Thanks to all who read or answered.

I have the program to encrypt the files and can test how it works, and with the w32disaxxx I found the call with the password that I use on my files.

But I don't know what kind of encryption it is using.

Now I'm searching for the password used on my files when I compile the project; it's hard for me and slow.

If anyone wants the program I can send it (2.5 MB).

Best regards,
Melin

PS: Tomorrow I will post one function both encrypted and in the original, with the password used.

Melin
March 10th, 2004, 04:53
Hi guys:

Here is an example of how the program works:

Password used: 1234 (there is a tab before every letter)

FUNCTION test()
Sleep(1);
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
A
B
C
END

And here is the encrypted code:

DD40DA748A6CB84B033E07040C03105181D0C51ABF07454718738A7BC1DD0747CE4FCA4BDA71A63890CE889B2078E764E432 F50849C48C9475A87C

DD6ED36DCD
DD6E
DD71D262F4
DD155895EC708BE90C1DA33A993F554D
DDD719B628BC1F74918BF4
DDD72B
DDD728
DDD729
DDD72E
DDD72F
DDD72C
DDD72D
DDD712
DDD713
DDD710
DDD711
DDD716
DDD717
DDD714
DDD715
DDD71A
BFF979
BFF97E
BFF97F
BFF97C
BFF97D
BFF962
BFF963
BFF960
BFF961
BFF966
BFF909
BFF90E
BFF90F
BF34B0C7


Any suggestions?
Melin

xoder
March 10th, 2004, 05:52
Why don't you use a debugger like Olly or SoftICE and see what the encryption routine does? I guess it would be much easier to do it this way than making wild guesses about how the encryption is done. I don't think it's any hard encryption algorithm being used; the results look too much the same. Maybe it's just some XORs etc.

Melin
April 20th, 2004, 13:00
Hi:

I found that the compiler creates a temporary decrypted file in memory.
Any suggestions for saving the decrypted file?

Thanks
Melin

dELTA
April 20th, 2004, 16:27
Just dump that decrypted buffer from the memory to a file. Use a hex editor with memory reading capabilities or inject memory dumping code directly into the application.

mike
April 20th, 2004, 18:03
By the way, the last byte of each line from A to P is XORed with 0x6A; it looks like a stream cipher of some kind. That means that you can XOR values into the ciphertext and you'll get the same value XORed into the plaintext.
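mike's XOR observation, checked against the single-letter lines Melin posted, as an added example (not code from the thread or from the SCADA product): each line's implied key byte is the last ciphertext byte XORed with the known letter, and the same relation gives the keystream-reuse and malleability properties mike describes. The tab and the two leading bytes of every line are left out of the model; that is my assumption, not something the thread establishes.

```python
# Added example, not code from the thread: a known-plaintext check of the XOR
# relation mike describes, over the single-letter lines Melin posted. The hex
# is copied from the thread; each line's plaintext is "\t" + letter. Assumption
# (mine): the last ciphertext byte is the letter XORed with one key byte.
LINES = [  # (plaintext letter, ciphertext line) in posting order
    ("A","DDD72B"),("B","DDD728"),("C","DDD729"),("D","DDD72E"),("E","DDD72F"),
    ("F","DDD72C"),("G","DDD72D"),("H","DDD712"),("I","DDD713"),("J","DDD710"),
    ("K","DDD711"),("L","DDD716"),("M","DDD717"),("N","DDD714"),("O","DDD715"),
    ("P","DDD71A"),("Q","BFF979"),("R","BFF97E"),("S","BFF97F"),("T","BFF97C"),
    ("U","BFF97D"),("V","BFF962"),("W","BFF963"),("X","BFF960"),("Y","BFF961"),
    ("Z","BFF966"),("A","BFF909"),("B","BFF90E"),("C","BFF90F"),
]

def last_byte(ct_hex):
    return bytes.fromhex(ct_hex)[-1]

def key_byte(letter, ct_hex):
    """Key byte implied for one line: c ^ p (known-plaintext recovery)."""
    return last_byte(ct_hex) ^ ord(letter)

def key_runs(lines=LINES):
    """Consecutive lines sharing one key byte: [(key, first, last), ...]."""
    runs = []
    for letter, ct in lines:
        k = key_byte(letter, ct)
        if runs and runs[-1][0] == k:
            runs[-1] = (k, runs[-1][1], letter)
        else:
            runs.append((k, letter, letter))
    return runs

def same_key(a, b):
    """Keystream-reuse test on two (letter, ct) pairs: with a shared key byte
    c_a ^ c_b == p_a ^ p_b, i.e. the key cancels and only plaintext is left."""
    return (last_byte(a[1]) ^ last_byte(b[1])) == (ord(a[0]) ^ ord(b[0]))

def tamper(ct_hex, mask):
    """Malleability: flipping bits in the ciphertext byte flips the same bits
    in the decrypted letter, since (c ^ mask) ^ k == p ^ mask."""
    ct = bytearray(bytes.fromhex(ct_hex))
    ct[-1] ^= mask
    return ct.hex().upper()

def decrypt_letter(ct_hex, key):
    return chr(last_byte(ct_hex) ^ key)

if __name__ == "__main__":
    for k, first, last in key_runs():
        print(f"key 0x{k:02X} covers lines {first}..{last}")
```

Running it lists where the implied key byte changes along the posted lines, which is the quickest way to see how far a single XOR constant actually explains the data before reaching for a debugger.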