Results 1 to 6 of 6

Thread: Delphi RE for obtain decrypted data

  1. #1
    zgrp
    Guest

    Delphi RE for obtain decrypted data

    Hello,

    I'm analyzing a code that was made in Delphi. At start I know that the code generate it:

    I input | Program Generate
    -----------------------------------------------
    69911130 | bhpSiBSTcfU=
    69911280 | bhpSiBSQd1k=
    69900570 | bhpSiYIvOJk=
    57050820 | bWtW7lxL+18=
    57017210 | bWtW6itkCb8=

    Based on it, i startd to analyze the code, it was generated with Delphi and use a library for encryption called DCPcrypt2 that is avaible at http://www.cityinthesky.co.uk/files/dcpcrypt2.zip

    The description of this library is

    DCPcrypt is an open source library of cryptographic components (encryption and hash algorithms) for Borland Delphi 4, 5, 6, C++ Builder (3?), 4, 5, 6 and Kylix 1, 2 for Linux.
    The idea behind DCPcrypt is that it should be possible to "drop in" any algorithm implementation to replace another with minimum or no code changes. To aid in this goal all cryptographic components are descended from one of several base classes, TDCP_cipher for encryption algorithms and TDCP_hash for message digest algorithms.

    DCPcrypt v2 contains full implementations of the following algorithms:

    Blowfish, Twofish
    Cast-128, Cast-256
    DES, 3DES
    Ice, Thin Ice, Ice2
    IDEA
    Mars
    Misty1
    RC2, RC4, RC5, RC6
    Rijndael (the new AES)
    Serpent
    TEA
    Haval
    MD4, MD5
    RipeMD-128, RipeMD-160
    SHA-1, SHA-256, SHA-384, SHA-512
    Tiger

    The code appear to use twofish to encrypt data (but it have some entrys for SHA-1, and i don't imaginate it, since it should encrypt and not hash). At code i can see this entrys referent to librarys...

    debian:/w/tmp/code# strings GPprog.exe |grep -A 3 -B 3 -i algorithm|more
    TDCP_hash
    TDCP_hash
    DCPcrypt2
    Algorithml
    HashSize
    EDCP_cipher
    TDCP_cipher
    TDCP_cipher
    DCPcrypt2
    Algorithml
    MaxKeySize
    TDCP_ciphermode
    cmCBC cmCFB8bit
    --
    Font.Style
    Left
    TDCP_sha1 DCP_sha11
    Algorithm
    SHA1
    HashSize
    Left
    TDCP_twofish
    DCP_twofish
    Algorithm
    Twofish
    MaxKeySize
    BlockSize
    --
    TipoLogradouro
    Size
    TDCP_sha1 DCP_sha11
    Algorithm
    SHA1
    HashSize
    Left
    TDCP_twofish
    DCP_twofish
    Algorithm
    Twofish
    MaxKeySize
    BlockSize
    --
    Left
    TDCP_twofish
    DCP_twofish
    Algorithm
    Twofish
    MaxKeySize
    BlockSize
    Left
    TDCP_sha1 DCP_sha11
    Algorithm
    SHA1
    HashSize
    Left


    Well, so I started to look at the code, I downloaded DeDe and obtained some good information with dede + ollydb

    Crypt Function
    offset start: 0050B31C
    offset end: 0050B414

    Intersting data thougth debugation:

    at offset: 0050B329
    ECX=00DBF040, {ASCII "aVqT0Q/wHIc="}
    Stack [SS:0012F8C0]=00DB4F40

    other offsets:
    EAX=0050B4DC {GPprog.0050B4DC}, ASCII "GPprog"
    EDX=00DBF054, {ASCII, "acqua"}
    ESI=00DBF054, {ASCII, "acqua"}
    0012E9C4 | 00DBFA10 ASCII "evilacqua"

    Here is the code showed in DeDe when click in the event CriptoString in the Unit Form gpbConsultaZGRP that is the "screen I input values and it encrypt".

    Unit Form = gpbConsultaZGRP
    Class Name = TfrmConsultaZGRP
    Event = CriptoString - RVA = 0050B31C - Hint = 0013

    0050B31C 55 push ebp
    0050B31D 8BEC mov ebp, esp
    0050B31F 83C4F4 add esp, -$0C
    0050B322 53 push ebx
    0050B323 56 push esi
    0050B324 33DB xor ebx, ebx
    0050B326 895DF4 mov [ebp-$0C], ebx
    0050B329 894DF8 mov [ebp-$08], ecx
    0050B32C 8955FC mov [ebp-$04], edx
    0050B32F 8BD8 mov ebx, eax
    0050B331 8B45FC mov eax, [ebp-$04]

    * Reference to: system.@LStrAddRef;
    |
    0050B334 E8978FEFFF call 004042D0
    0050B339 8B45F8 mov eax, [ebp-$08]

    * Reference to: system.@LStrAddRef;
    |
    0050B33C E88F8FEFFF call 004042D0
    0050B341 8B450C mov eax, [ebp+$0C]

    * Reference to: system.@LStrAddRef;
    |
    0050B344 E8878FEFFF call 004042D0
    0050B349 33C0 xor eax, eax
    0050B34B 55 push ebp
    0050B34C 68ECB35000 push $0050B3EC

    ***** TRY
    |
    0050B351 64FF30 push dword ptr fs:[eax]
    0050B354 648920 mov fs:[eax], esp

    * Reference to field TfrmConsultaZGRP.OFFS_0324
    |
    0050B357 8B9B24030000 mov ebx, [ebx+$0324]

    * Reference to class TDCP_sha1
    |
    0050B35D 8B0DB81A4F00 mov ecx, [$004F1AB8]
    0050B363 8B55FC mov edx, [ebp-$04]
    0050B366 8BC3 mov eax, ebx

    |
    0050B368 E87340FEFF call 004EF3E0
    0050B36D 8D45F4 lea eax, [ebp-$0C]
    0050B370 8B55F8 mov edx, [ebp-$08]

    * Reference to: system.@LStrLAsg;
    |
    0050B373 E8BC8BEFFF call 00403F34
    0050B378 8B450C mov eax, [ebp+$0C]
    0050B37B BA04B45000 mov edx, $0050B404

    * Reference to: system.@LStrCmp;
    |
    0050B380 E8A78EEFFF call 0040422C
    0050B385 750D jnz 0050B394
    0050B387 8D4DF8 lea ecx, [ebp-$08]
    0050B38A 8B55F4 mov edx, [ebp-$0C]
    0050B38D 8BC3 mov eax, ebx
    0050B38F 8B30 mov esi, [eax]
    0050B391 FF5654 call dword ptr [esi+$54]
    0050B394 8B450C mov eax, [ebp+$0C]
    0050B397 BA10B45000 mov edx, $0050B410

    * Reference to: system.@LStrCmp;
    |
    0050B39C E88B8EEFFF call 0040422C
    0050B3A1 750D jnz 0050B3B0
    0050B3A3 8D4DF8 lea ecx, [ebp-$08]
    0050B3A6 8B55F4 mov edx, [ebp-$0C]
    0050B3A9 8BC3 mov eax, ebx
    0050B3AB 8B30 mov esi, [eax]
    0050B3AD FF5658 call dword ptr [esi+$58]
    0050B3B0 8BC3 mov eax, ebx
    0050B3B2 8B10 mov edx, [eax]
    0050B3B4 FF5248 call dword ptr [edx+$48]
    0050B3B7 8BC3 mov eax, ebx
    0050B3B9 8B10 mov edx, [eax]
    0050B3BB FF5244 call dword ptr [edx+$44]
    0050B3BE 8B4508 mov eax, [ebp+$08]
    0050B3C1 8B55F8 mov edx, [ebp-$08]

    * Reference to: system.@LStrAsg;
    |
    0050B3C4 E8278BEFFF call 00403EF0
    0050B3C9 33C0 xor eax, eax
    0050B3CB 5A pop edx
    0050B3CC 59 pop ecx
    0050B3CD 59 pop ecx
    0050B3CE 648910 mov fs:[eax], edx

    ****** FINALLY
    |
    0050B3D1 68F3B35000 push $0050B3F3
    0050B3D6 8D45F4 lea eax, [ebp-$0C]
    0050B3D9 BA03000000 mov edx, $00000003

    * Reference to: system.@LStrArrayClr;
    |
    0050B3DE E8DD8AEFFF call 00403EC0
    0050B3E3 8D450C lea eax, [ebp+$0C]

    * Reference to: system.@LStrClr(String;String);
    |
    0050B3E6 E8B18AEFFF call 00403E9C
    0050B3EB C3 ret


    * Reference to: system.@HandleFinally;
    |
    0050B3EC E9E383EFFF jmp 004037D4
    0050B3F1 EBE3 jmp 0050B3D6

    ****** END
    |
    0050B3F3 5E pop esi
    0050B3F4 5B pop ebx
    0050B3F5 8BE5 mov esp, ebp
    0050B3F7 5D pop ebp
    0050B3F8 C20800 ret $0008


    ----------------------------------------------------------------

    In Reference to class TDCP_sha1 the call 004EF3E0 have

    004EF3E0 55 push ebp
    004EF3E1 8BEC mov ebp, esp
    004EF3E3 83C4F8 add esp, -$08
    004EF3E6 53 push ebx
    004EF3E7 56 push esi
    004EF3E8 57 push edi
    004EF3E9 894DF8 mov [ebp-$08], ecx
    004EF3EC 8955FC mov [ebp-$04], edx
    004EF3EF 8BD8 mov ebx, eax
    004EF3F1 807B2400 cmp byte ptr [ebx+$24], $00
    004EF3F5 7407 jz 004EF3FE
    004EF3F7 8BC3 mov eax, ebx
    004EF3F9 8B10 mov edx, [eax]
    004EF3FB FF5244 call dword ptr [edx+$44]
    004EF3FE 33C0 xor eax, eax
    004EF400 55 push ebp

    * Possible String Reference to: '`@N'
    |
    004EF401 68BBF44E00 push $004EF4BB

    ***** TRY
    |
    004EF406 64FF30 push dword ptr fs:[eax]
    004EF409 648920 mov fs:[eax], esp
    004EF40C 8B45F8 mov eax, [ebp-$08]

    * Possible reference to virtual method TDCP_sha1.OFFS_38
    |
    004EF40F FF5038 call dword ptr [eax+$38]
    004EF412 85C0 test eax, eax
    004EF414 7903 jns 004EF419
    004EF416 83C007 add eax, +$07
    004EF419 C1F803 sar eax, $03

    * Reference to: system.@GetMem;
    |
    004EF41C E80F34F1FF call 00402830
    004EF421 8BF0 mov esi, eax
    004EF423 8BCB mov ecx, ebx
    004EF425 B201 mov dl, $01
    004EF427 8B45F8 mov eax, [ebp-$08]

    * Possible reference to virtual method TDCP_sha1.OFFS_2C
    |
    004EF42A FF502C call dword ptr [eax+$2C]
    004EF42D 8BF8 mov edi, eax
    004EF42F 8BC7 mov eax, edi
    004EF431 8B10 mov edx, [eax]

    * Possible reference to virtual method TDCP_sha1.OFFS_40
    |
    004EF433 FF5240 call dword ptr [edx+$40]
    004EF436 8B55FC mov edx, [ebp-$04]
    004EF439 8BC7 mov eax, edi

    |
    004EF43B E8B0FEFFFF call 004EF2F0
    004EF440 8BD6 mov edx, esi
    004EF442 8BC7 mov eax, edi
    004EF444 8B08 mov ecx, [eax]

    * Possible reference to virtual method TDCP_sha1.OFFS_44
    |
    004EF446 FF5144 call dword ptr [ecx+$44]
    004EF449 8BC7 mov eax, edi

    * Reference to: system.TObject.Free(TObject);
    |
    004EF44B E8243CF1FF call 00403074
    004EF450 8BC3 mov eax, ebx
    004EF452 8B10 mov edx, [eax]
    004EF454 FF5238 call dword ptr [edx+$38]
    004EF457 8BF8 mov edi, eax
    004EF459 8B45F8 mov eax, [ebp-$08]

    * Possible reference to virtual method TDCP_sha1.OFFS_38
    |
    004EF45C FF5038 call dword ptr [eax+$38]
    004EF45F 3BF8 cmp edi, eax
    004EF461 7D16 jnl 004EF479
    004EF463 6A00 push $00
    004EF465 8BC3 mov eax, ebx
    004EF467 8B10 mov edx, [eax]
    004EF469 FF5238 call dword ptr [edx+$38]
    004EF46C 8BC8 mov ecx, eax
    004EF46E 8BD6 mov edx, esi
    004EF470 8BC3 mov eax, ebx
    004EF472 8B18 mov ebx, [eax]
    004EF474 FF5340 call dword ptr [ebx+$40]
    004EF477 EB13 jmp 004EF48C
    004EF479 6A00 push $00
    004EF47B 8B45F8 mov eax, [ebp-$08]

    * Possible reference to virtual method TDCP_sha1.OFFS_38
    |
    004EF47E FF5038 call dword ptr [eax+$38]
    004EF481 8BC8 mov ecx, eax
    004EF483 8BD6 mov edx, esi
    004EF485 8BC3 mov eax, ebx
    004EF487 8B18 mov ebx, [eax]
    004EF489 FF5340 call dword ptr [ebx+$40]
    004EF48C 8B45F8 mov eax, [ebp-$08]

    * Possible reference to virtual method TDCP_sha1.OFFS_38
    |
    004EF48F FF5038 call dword ptr [eax+$38]
    004EF492 8BD0 mov edx, eax
    004EF494 85D2 test edx, edx
    004EF496 7903 jns 004EF49B
    004EF498 83C207 add edx, +$07
    004EF49B C1FA03 sar edx, $03
    004EF49E 8BC6 mov eax, esi
    004EF4A0 B9FF000000 mov ecx, $000000FF

    * Reference to: system.@FillChar;
    |
    004EF4A5 E81638F1FF call 00402CC0
    004EF4AA 8BC6 mov eax, esi

    * Reference to: system.@FreeMem;
    |
    004EF4AC E89733F1FF call 00402848
    004EF4B1 33C0 xor eax, eax
    004EF4B3 5A pop edx
    004EF4B4 59 pop ecx
    004EF4B5 59 pop ecx
    004EF4B6 648910 mov fs:[eax], edx
    004EF4B9 EB20 jmp 004EF4DB

    * Reference to: system.@HandleAnyExZGRPtion;
    |
    004EF4BB E96040F1FF jmp 00403520

    * Possible String Reference to: 'Unable to allocate sufficient memor
    | y for hash digest'
    |
    004EF4C0 B9ECF44E00 mov ecx, $004EF4EC
    004EF4C5 B201 mov dl, $01

    * Reference to class EDCP_cipher
    |
    004EF4C7 A108EF4E00 mov eax, dword ptr [$004EEF08]

    * Reference to: axctrls.TOleStream.Create(TOleStream;boolean;IStream);
    |
    004EF4CC E8EBDAF1FF call 0040CFBC

    * Reference to: system.@RaiseExZGRPt;
    |
    004EF4D1 E8F643F1FF call 004038CC

    * Reference to: system.@DoneExZGRPt;
    |
    004EF4D6 E86144F1FF call 0040393C

    ****** END
    |
    004EF4DB 5F pop edi
    004EF4DC 5E pop esi
    004EF4DD 5B pop ebx
    004EF4DE 59 pop ecx
    004EF4DF 59 pop ecx
    004EF4E0 5D pop ebp
    004EF4E1 C3 ret

    I'm supposing that it's using twofish and the key "aVqT0Q/wHIc=" or some of the other ascii colected in offsets above.

    Any idea ? Tip ? Help ?

    Regards,
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Why the hell would you believe we would want to have you post lines and lines and lines of code you don't understand and then be asked how to solve your problem???? Didn't you bother to read the FAQ at all?

    Regards,
    JMI

  3. #3
    zgrp
    Guest

    Smile

    Hello JMI,

    Thks for reply. I had read the FAQ, I tryed to post the maximum information that I have, not with the intention that someone WILL make the job for me, but that some members of forum give-me suggestions in your experiences...

    Thks a lot and sorry if I was unclean...

    Regards,
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    I don't really know whether you may not a bathed recently, but just posting lines and lines and lines of code for someone else to solve for you is not how things are expected to be done here. Apparently, while you were reading the FAQ, you missed that part about "doing some of your own work" and "showing you have done some of your own work." You've only "shown" that you can display a bunch of code you don't understand, and you want "someone else" to do the work. The only information you provided was that you don't know how to interpret this code.

    What you did instead simply adds unnecessary and unwanted volumne to the database.

    DO NOT DO THIS AGAIN.

    Regards,
    JMI

  5. #5
    zgrp
    Guest
    Hello JMI,

    Ok, I understood my post isn't appreciated here.

    Sorry and thks.

    Regards
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    zgrp:

    Perhaps we are having a language problem and a failure to communicate. It is not "a post" that is not appreciated, it is a post which just displays a long, long, long string of code without your having shown any work of your own which is not in compliance with our rules. This is not a place to just post a bunch of code and ask someone else to tell you how it works if you do not show that you have done anything to help yourself solve YOUR problem. If you had shown such an effort and still not figured out some part of the code, posting a part of it and asking a specific question would have been OK.

    Regards,
    JMI

Similar Threads

  1. How can I check quickly if a pdf is decrypted right?
    By joblack in forum RCE Cryptographics
    Replies: 5
    Last Post: June 6th, 2010, 03:36
  2. How do I obtain a global variable?
    By kralik in forum The Newbie Forum
    Replies: 3
    Last Post: October 14th, 2009, 05:01
  3. using filestreams to store data..or code as data?
    By BanMe in forum The Newbie Forum
    Replies: 7
    Last Post: August 8th, 2009, 21:58
  4. make olly treat stuff in data section as data
    By gtype in forum OllyDbg Support Forums
    Replies: 0
    Last Post: March 4th, 2009, 15:29
  5. # thinking in IDA Pro - how to obtain a copy
    By nezumi-lab in forum Blogs Forum
    Replies: 0
    Last Post: May 10th, 2008, 23:40

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •