Hi,

This is my first post. I hope to keep the rules in tact. I am debugging a program and here is the list see below.

1. What is the problem....
In the program, I put a break point on the WriteFile API and I see that the buffer that's being written to the file. Obviously it's encrypted since it's junk.

2. What is the protection.....
When I use the PEID, it says there is no encryption.
3. What tools are you using....
OllyDbg, PEID
4. What tutorials have you read....
I have followed the tutorials by lena151. Very good ones.

5. Show your output listing WITH comments....
Let me know what exactly do you want me to post.
6. NOW ask your question....
How can I see (un-encrypt) the contents that are being written to the file?

In blue

Naides,

I am talking about the output file. Here is more elaborate explanation. The file that I am working off is the .exe file which has other files in it compressed. But I unpacked it to just the executable.

I did already try the suggestion that you gave me about WriteFile API and the break points. It seems it's encrypted.

But to me it seems like the program should know how to decrypt since it needs to use that information for decision making.

Also, I am using Kanal plugin and it says none.

I believe this is a challenging one to reverse just because you cannot use the exe file more than once for installation. Obviously you are guys are subject matter. I think once it installs it writes something back to the exe file so that the next time the installation would know it's already been installed. Even though I figured out the algorithm for password protection, it some how it still knows that the executable has already been used for installation and therefore cannot install it.

And this is where I am trying to want to see the contents written to file. During installation, when it writes the file, I am assuming it's extracting it from the exe file (packing).

Any ideas are greatly appreciated.

Thanks

It would be extremely simple to see if anything is written back to the exe file, just diff it with the original exe once the installation is complete.

http://www.woodmann.com/collaborative/tools/Category:Binary_Diff_Tools

Patching the exe like this would be a very uncommon (and stupid) solution, so my guess would be that they are rather "hiding" this information anywhere on disk or in the registry (which is of course also on disk in the end, but anyway).

Such things are also normally detected with different kinds of diffing or monitoring tools (see the subcategories too):

http://www.woodmann.com/collaborative/tools/Categoryiff_Tools

http://www.woodmann.com/collaborative/tools/Category:Monitoring_Tools