Thread: New in crypto

  1. #1
    Melin
    Guest

    New in crypto

    Hi guys,

    I'm using a SCADA application with a script editor that uses cryptography, and I need to decrypt the scripts in our application (I have a demo from a supplier with functions that I need to use).

    I hope someone can help me and tell me what kind of crypto is used in the program, or give me any suggestions.

    Example of an encrypted function:

    BAF21170A7899570B629BEEE55BC729463E7
    BAF20B678DA7
    BAF2C82C46E741F6227385F67DB7BB57CA0B41A620F9051411B5194A898B92E99B
    BAF2C83C4AE8423900
    BAF2C8E1033DFD211A59B2E41908180F58B0D8
    BAF2C83C4AE8423903
    BAF2C8E1033DFD211A59B2E40D0818F53E93CF0E421156E3
    BAF2C83C4AE8423902
    BAF2C8E1033DFD211A59B2E40216E729E77DACE516
    BAF2C83C4AE8423905
    BAF2C8E1033DFD211A59B2E41DFA01021D0E040F
    BAF2C83C4AE8423904
    BAF2C8E1033DFD211A59B2E41FFB05071A4EF167FC6AFF49
    BAF2C83C4AE842103CB93EB3
    BAF2C8E1033DFD211A59B2E404262AE139AE2D7F9FAF
    BAF2C83EBB75F93FED0B6396DD
    BAF20B699A
    BA314CA0

    I know that the last line is: (space)END

    Any suggestions?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    xoder
    Guest
    I don't think you can tell what crypto is used just by pasting some hex values.
    You should try to find out where the decryption is done and try to find the keys.

    All lines except the last one start with "BAF2", so they possibly all have the same start in plaintext.

    Have you used a tool like PEiD on your target? Does it find any common encryption algorithms?

    Regards,

    xoder

  3. #3
    הבּרוּ נשׂאי כּלי יהוה mike's Avatar
    Join Date
    Mar 2001
    Posts
    491
    Looks to me like a simple byte-wise obfuscation. Can you create scripts yourself and look at the encrypted versions? If so, try changing one letter at a time and look at the result. If not, can you guess what the scripts look like other than the END line? Try changing some bytes around to see if you can make it give you some error that leaks info about what happened. Say that the command is really "BREAK" but you don't know that. Then you change the last letter. It could come back with an error like "no such command [BREA#]" that tells you a lot of plaintext.

  4. #4
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815
    I did some quick research, and I wonder if this might be what you are encountering:

    Appears that SCADA, at least the popular "WebAccess" app that I found, uses Tcl Scripts. Have you considered that this might be Tcl script that has been compiled to bytecode?

    For example,

    http://www.scriptics.com/software/tclpro/compiler.html

    Is one such tool. If it's bytecode, you won't have access to the original source. It says, though, that you can load bytecode and run it if you have the appropriate Tcl engine.

    -nt20

  5. #5
    Melin
    Guest
    Thanks to all who read or answered.

    I have the program to encrypt the files and test how it works, and with the w32disaxxx, I found the call with the password that I use on my files.

    But I don't know what kind of encryption it is using.

    Now I'm searching for what the password on my files is when I compile the project; it's hard for me and slow.

    If anyone wants the program I can send it (2,5Mb).

    Best regards,
    Melin

    PS: Tomorrow I will post one function, encrypted and original, with the password used.
    Last edited by Melin; March 9th, 2004 at 17:23.

  6. #6
    Melin
    Guest
    Hi guys:

    Here is an example of how the program works:

    Password used: 1234 (there is a tab before every letter)

    FUNCTION test()
    Sleep(1);
    A
    B
    C
    D
    E
    F
    G
    H
    I
    J
    K
    L
    M
    N
    O
    P
    Q
    R
    S
    T
    U
    V
    W
    X
    Y
    Z
    A
    B
    C
    END

    And here is the encrypted code:

    DD40DA748A6CB84B033E07040C03105181D0C51ABF07454718738A7BC1DD0747CE4FCA4BDA71A63890CE889B2078E764E432 F50849C48C9475A87C

    DD6ED36DCD
    DD6E
    DD71D262F4
    DD155895EC708BE90C1DA33A993F554D
    DDD719B628BC1F74918BF4
    DDD72B
    DDD728
    DDD729
    DDD72E
    DDD72F
    DDD72C
    DDD72D
    DDD712
    DDD713
    DDD710
    DDD711
    DDD716
    DDD717
    DDD714
    DDD715
    DDD71A
    BFF979
    BFF97E
    BFF97F
    BFF97C
    BFF97D
    BFF962
    BFF963
    BFF960
    BFF961
    BFF966
    BFF909
    BFF90E
    BFF90F
    BF34B0C7


    Any suggestions?
    Melin

  7. #7
    xoder
    Guest
    Why don't you use a debugger like Olly or SoftICE and see what the encryption routine does? I guess it would be much easier to do it this way than making wild guesses on how the encryption is done. I don't think it's any hard encryption algorithm used; the results look too much the same. Maybe it's just some XORs etc.

  8. #8
    Melin
    Guest
    Hi:

    I found that the compiler creates a temporary decrypted file in memory.
    Any suggestions on how to save the decrypted file?

    Thanks
    Melin

  9. #9
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Just dump that decrypted buffer from the memory to a file. Use a hex editor with memory reading capabilities or inject memory dumping code directly into the application.

  10. #10
    הבּרוּ נשׂאי כּלי יהוה mike's Avatar
    Join Date
    Mar 2001
    Posts
    491
    By the way, the last byte of each line from A to P is xored with 0x6A; it looks like a stream cipher of some kind. That means that you can XOR values into the ciphertext and you'll get the same value XORed into the plaintext.
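
A quick way to check the observations in posts #2 and #10 against the sample from post #6 (an added example, not code from any poster or from the application): it reports the byte prefix the lines share and the XOR of each line's last ciphertext byte with its known letter. It assumes the sixteen 3-byte lines correspond, in order, to the letters A to P.

```python
# Added example: per-line XOR difference on the sample from post #6.
# Assumption: the 3-byte lines map in order to the single-letter lines A..P,
# and the last ciphertext byte is the one that carries the letter.
from os.path import commonprefix

# Ciphertext lines copied from post #6 (the sixteen 3-byte lines starting DDD7).
CIPHER_LINES = (
    "DDD72B DDD728 DDD729 DDD72E DDD72F DDD72C DDD72D DDD712 "
    "DDD713 DDD710 DDD711 DDD716 DDD717 DDD714 DDD715 DDD71A"
).split()
LETTERS = "ABCDEFGHIJKLMNOP"  # known plaintext for those lines


def xor_differences(cipher_lines, letters):
    """Return (letter, ciphertext_byte, ciphertext_byte XOR letter) per line."""
    if len(cipher_lines) != len(letters):
        raise ValueError("need exactly one known letter per ciphertext line")
    rows = []
    for hex_line, letter in zip(cipher_lines, letters):
        last = bytes.fromhex(hex_line)[-1]
        rows.append((letter, last, last ^ ord(letter)))
    return rows


def group_runs(rows):
    """Collapse consecutive equal differences into (first, last, diff) runs."""
    runs = []
    for letter, _, diff in rows:
        if runs and runs[-1][2] == diff:
            runs[-1] = (runs[-1][0], letter, diff)
        else:
            runs.append((letter, letter, diff))
    return runs


def shared_prefix(cipher_lines):
    """Longest run of whole bytes (as hex) common to every line."""
    prefix = commonprefix(list(cipher_lines))
    return prefix[: len(prefix) - len(prefix) % 2]


if __name__ == "__main__":
    print("shared prefix:", shared_prefix(CIPHER_LINES))
    for first, last, diff in group_runs(xor_differences(CIPHER_LINES, LETTERS)):
        print(f"{first}..{last}: ciphertext ^ plaintext = 0x{diff:02X}")
```

Each run groups consecutive lines for which the same XOR constant maps the known letter to the last ciphertext byte.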
