Log in

View Full Version : .net String decryption

KarlK
January 23rd, 2012, 02:34
I am trying to reverse a key verification. The target is written in .net and obfuscated with a to me unknown obfuscator. All the method, class names etc. got renamed to some weired unicode characters. The Strings an encrypted in a similar matter. This is what I got so far:
Verification works like this:
Read Code from registry and check if valid (generating a valid key is not my problem, that was a no-brainer) Read Email from registry Read hash from registry Generate hash like md5(const String + email + const String + code + const String) and compare both

The last thing is where I get stuck. I can't get the Strings (at lest two) to plaintext. The hash is sent initially by a server on activation. The decryption Class looks like this:

Code:
internal sealed class Class2

{

    // Methods

    public static string smethod_0(string string_0, int int_0)

    {

        return string.Intern(Class1.class1_0.method_0(string_0, int_0));

    }



    // Properties

    public static string String_0

    {

        get

        {

            return "XXX"; //32char hexadecimal, only unencrypted String so far, hash of some sort?

        }

    }



    // Nested Types

    private sealed class Class1

    {

        // Fields

        private byte[] byte_0;

        public static readonly Class2.Class1 class1_0 = new Class2.Class1();



        // Methods

        private Class1()

        {

            Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(Class2.String_0);

            if (manifestResourceStream != null)

            {

                this.byte_0 = new byte[0x100];

                manifestResourceStream.Read(this.byte_0, 0, this.byte_0.Length);

            }

        }



        public string method_0(string string_0, int int_0)

        {

            int length = string_0.Length;

            int index = int_0 & 0xff;

            char[] chArray = string_0.ToCharArray();

            while (--length >= 0)

            {

                chArray[length] = (char) (chArray[length] ^ (this.byte_0[index] | int_0));

            }

            return string.Intern(new string(chArray));

        }

    }

}


There is also a small addon program which uses the same license/obfuscator and Class but the String_0 is different there.
So every time a String is used, it uses the function Class2.smethod_0(weired unicode, integer). I just copied the the smethod_0 to my key-generator and strangely some values get decrytped right but the most of them do not. For example:
decodestring("\uf78e\uf78c\uf79b\uf786\uf799\uf78e\uf79b\uf786\uf780\uf781\uf7b0\uf78c\uf780\uf78b\uf78a", 0xf7ef) returns "activation_code" which is right
decodestring("\uf31a\uf318\uf30f\uf312\uf30d\uf31a\uf30f\uf312\uf314\uf315\uf324\uf31e\uf316\uf31a\uf312\uf317", 0xf369) should return "activation_email" but it does not.
I got the right values from watching the process via ProcMon trying to access the registry.
Any help would be greatly appreciated.