ph3wl
February 21st, 2011, 12:10
Hey guys, I have been working on this for a while now and though it couldn't hurt to post and see what you thought. I would say I'm a little on the obsessed side right now haha
Old Borland c++ app that encrypts a txt file. I have been inside and out of this code I see everything that is happening I guess experience is failing me here. I have patched the encrypter exe to bypass for now but I'm not happy with that as an answer :/
I think its Rijndael S-Box, couple peid crypt plugins have shown the locations of the tables
Test Encryptions (Seems like no matter what is entered its padded to 16bytes)
a =
no characters (empty file) =
this text is greater than sixteen characters =
strings I have found in the exe and dll files that do the encryption/decryption
found some new strings in a diff exe
2435
Update
Found another exe which exposes a lot more info
From what I can tell this is RijndaelDecrypt from Crypto++
The key passed is a1c3e5g7i9k0m2o4q6s8u0w1y2789876
also looks like on encrypt "enc" is added and decrypt "dec" is added to something
I have a lot more to go off now...
Old Borland c++ app that encrypts a txt file. I have been inside and out of this code I see everything that is happening I guess experience is failing me here. I have patched the encrypter exe to bypass for now but I'm not happy with that as an answer :/
I think its Rijndael S-Box, couple peid crypt plugins have shown the locations of the tables
Test Encryptions (Seems like no matter what is entered its padded to 16bytes)
a =
Code:
[~Ÿ}$T
no characters (empty file) =
Code:
—‘RP55Q
this text is greater than sixteen characters =
Code:
QTž’˜x1t9D™D**'‚Vb1w…G(
strings I have found in the exe and dll files that do the encryption/decryption
Code:
ku3V%4Z5ud8Fcbm! (this one shows up in olly at the method call, looks like it gets broken)
Code:
B4!wp0!w
Code:
a1c3e5g7i9k0m2o4q6s8u0w1y2789876 (I am seeing this one only in encrypting exe's hmm)
found some new strings in a diff exe
2435
Update
Found another exe which exposes a lot more info
From what I can tell this is RijndaelDecrypt from Crypto++
The key passed is a1c3e5g7i9k0m2o4q6s8u0w1y2789876
also looks like on encrypt "enc" is added and decrypt "dec" is added to something
I have a lot more to go off now...