Hi all! First post so I hope no one judges my IQ based on my post count . Anyway, I am working on a program that I have & need some help. A *long* time ago a fellow named JohnWho made a patch for it, that worked really well. That was for v3.0 of this app. It is now @ v4.2. What I have done is studied the changes he made in his patch and then applied them directly as they were to the new app, only manually locating the identical code segments to patch. This worked but then the authors of the app have applied some new kind of protection that throws a stupid error. Well, this is returned in a webpage, not a standard window so I had no idea how to handle it. I tried poking around in the disassembly I had, and also in the EXE itself using a hex editor, but could not find the string that was displayed. I played with the app in OllyDbg a bit and couldn't find the string in memory either. I finally took a *very* hard route (not knowing even which function to possibly break on) and set breakpoints on *all* intramodular calls! I then ran the app and rapidly removed all breakpoints that triggered in the starting process of the app. From there I played in its interface a bit and ruled out more breakpoints. Then I went into the actual webpage it served up, and did what was necessary to get the protection error displayed. Needless to say, this triggered umpteen more breakpoints, but @ least this time I was in the right section of code. After some careful tracing around and watching the stack, I saw the area where the error was being formed & then located the critical jump. I have patched it, and the app appears to work. *HOWEVER* what I discovered is that the authors have implemented some weird type of string encryption. I have had a decoded string and its encoded version, and although they seem to be *exactly* the same character length, the code for what I know to be character X is not the same later on when there is another instance of character X. Now that I knew how they were hiding the strings, I went looking back through the disassembly and I have found many more instances of these encoded strings. This leads me to believe that there may be more hidden checks/triggers. However, since I can't read what the strings say - due to the encryption, I can't really get a feel for what purpose they are there, so I'm not sure which ones may need further attention. What I am wondering is if someone here could give the app a looking over & assist me in figuring out how to decrypt the strings that are encrypted. Here are the relevant files:



Also, here is a sample of one of the encrypted strings, to make it easier to find what I am referring to:

post what you've found already... and read your sig...

Well, isn't that nice. I try to be humorous and still provide lots of information detailing all the steps I have taken thus far to solve this one myself - and in reply all I get is a rather terse "read the rules, nit" type of reaction. Well, thanks for the tremendous help. For those who can't be bothered to download the files and compare them to see what I have done already....

Here is one section where I had to make an edit to 'fix' a 'bug':


Now if we can get done with the put downs, does anyone have any constructive ideas as to what this is (the encryption used on the strings), or how I can best tackle it?

The code you posted does not, at first sight, perform anything specific for encoding or decoding a string. Perhaps the calls are doing it, but it is not at all clear in this code snippet.
The simplest approach to figuring out the encoding schema would be to place memory access break points to the cypher text, then isolate the area of the code that is reading it and decoding your cypher text: You'll often see logical instructions such as XOR, ROL, ROR during encoding and decoding operations.

Thanks for your constructive post. I do realize that no one is under any obligation to answer, I was mostly just annoyed that someone had wasted the time to post what was basically an insult. I would rather they just not bother - there is no reason to senselessly bash someone. I know that sometimes people want you to just do everything for them, but I thought I had made it pretty clear that such wasn't my intent. Thanks for the tip on how to try and find the algo, I will try that. Also, I do realize that the 'Cesar Cipher' is almost never used, it just struck me as odd that there were the exact same number of groupings of numbers as there were actual characters in the decoded string. But you are very right that it could be a simple mutation of XOR or something of that sort. I had not really thought that one through far enough, so my apologies for putting forth a rather stupid analysis.

wasnt an insult, you posted 2 links, and showed no work or understanding

CQ_ :

Let me make this as clear to you as I can. It matters to us not a wit if you stay or do not say if you are going to cop an "attitude" whenever you are reminded of our Rules. They are not in existence for you to "like" or "dislike." They are there for YOU and all other posters on these Forums to READ and Follow. It also matters not whether you like being reminded that they exist, are where YOU are "expected" to read them, and are to be followed.

At this moment, you have two choices. You can drop the "smartass" attitude about being reminded that we do have Rules and that YOU are expected to follow them and that anyone may remind you of that requirement, or you can go somewhere else where they might "appreciate" your presence at a level sufficient to match your own opinion of yourself.

Maybe I'm having a bad hair day or something, but I have no patience for your "attitude." Correct it or lose the privilege of being permitted to post on these Forums. You have been warned and I couldn't care less whether YOU "like it" or not!

I have also edited your attempt at creating a "Signature" to reflect your "displeasure." You don't actually get to have a "personal" Signature appear at your post count, but I edited it so that now it more accurately reflects you "attitude" and your status as a "probationary." Everyone can see it in your profile.

Regards,