String encrypted - decrypt?


C0d3r-F4N
November 8th, 2015, 12:55
Hello,

I'm using w32dasm, but all strings and comments are encrypted.
Is it possible to decrypt them?

Kayaker
November 9th, 2015, 00:06
C0d3r-F4N, please do yourself a favor and use the free version of IDA:

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

WDasm was notorious for not parsing all strings correctly, and unicode strings not at all. Unless you're absolutely sure about it, it's possible that the strings aren't even encrypted at all, just that WDasm can't handle them.

From your posts it's obvious that you want to learn, and that's great to see. But you might as well learn to use the proper tools from the start. WDasm is very old and deprecated and IDA is far, far, far superior for a number of reasons. If in fact your strings are encrypted and the situation is fairly simple, you might even learn how to use an IDA script to decrypt them, such is the capability of the tool. Simply being able to view things like unlimited cross-references (XREFS) in IDA, you'll find that your reversing sessions will be much more effective and enjoyable. At least give it a try over WDasm and see what you think - Please!

Kayaker

C0d3r-F4N
November 9th, 2015, 07:17
In OllyDbg I see these encrypted strings in the CPU window (comment) too, but not all are encrypted.
In OllyDbg, under "All referenced text strings", they are all readable (all OK).

I only want to use free tools; IDA isn't!
IDA 5.0 is old, like wdasm, so IDA 5.0 is free.

bilbo
November 11th, 2015, 07:24
Hi C0d3r-F4N,

if you have time and the will to experiment, you could try some of the stuff enumerated in this thread...
http://reverseengineering.stackexchange.com/questions/1817/is-there-any-disassembler-to-rival-ida-pro

I unfortunately cannot give you advice, because I use IDA... Even if I think it could be more powerful with some little effort (ever tried to decompile MFC programs?)

Best regards
bilbo

C0d3r-F4N
November 13th, 2015, 08:09
Quote (Originally Posted by bilbo):
if you have time and will to experiment...

Yes, I have time.
I know it's a long way to learn...

Quote (Originally Posted by bilbo):
(ever tried to decompile MFC programs?)

No, never.
I'm a newbie.

blabberer
November 15th, 2015, 16:09
you want to learn

post back how you will approach this encranked trings

Code:

N3q8ryccAAO8i9I7KwEAAAAAAABEAAAAAAAAAIJADYsAJpaOcAAX9+wFu+r0/5QBL0TuTr0JNP5Qt9TpkrI3Nqa8kld8rNDm8ZEmgd46Memejm/4M+e9sN+NmzeMOFot38eVT7VmgG5SrtOx7qTtqZrijA1nn+VzDF3Yc3H2J1+UG9nT6A3e8iHf02VQjZVBWxot/yXoOQMjYrZxunhko0ZaJsPlXkguqS2dxqmSZNx1+SknoeKl6weQLfOE6nArFKGn3LdV7ktp+OF1fkvWEEffyfxLT0LBgyzw7zEN7FTTQbsn/A8Y7igE8m6Uf41YNyKOPHaikLn8ASdQtkL6HqrF1f5j9pUFqSZfbwCU/ZqdK4jd6Rdze1k18GBiEYRJAxpwXoYvPJ61nvU/4jOdsQRmSeQHeXxMwFj2tG06VCBq9yV4ab8HQJ2LJAEEBgABCYErAAcLAQABIwMBAQVdAAABAAyC7AAICgEW1oyeAAAFAREFAGEAAAAUCgEA6uiOSNEf0QEVBgEAICAAAAAA

Kayaker
November 16th, 2015, 23:19
Bad Evil blabberer. This is real?

Not Base64 - regions of low entropy (randomness of characters), no trailing padding characters (=) that would be present from a 532-character result
Not Base64 with custom index table - non-randomness of characters seems to preclude that

Didier Stevens XORSearch (http://blog.didierstevens.com/programs/xorsearch/) - no results given for common words (the, and, http)

Custom job then. Is there a way to guess possible bitwise operations used in the algo by focussing on certain characters? For example, what operations (xor,shl,shr,rol,ror) keep the first character (N) as a capital letter, and convert the second character (3) to a small letter (ASS-uming this is an encrypted sentence)?

What other strategies could one use on a random encrypted string totally devoid of context?
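
The two questions above (which single-byte operations fit the "N stays a capital, 3 becomes a small letter" constraint, and what to do with a context-free blob) can both be answered mechanically. The script below is an added example written for this thread, not code posted by Kayaker or blabberer. It does two things: a structural triage of the string (Base64 alphabet, length modulo 4, which decides whether any "=" padding is expected at all, a validating decode, then a magic-byte lookup on the decoded bytes), and a brute-force search over per-byte xor/add/rotate/shift keys that satisfy the capital/small-letter constraint. `PAGE_PREFIX` is the first 28 characters of the blob blabberer posted; the signature table, the operation families, and the `MZ` sample are my own choices and are labelled as such in the code.

```python
import base64
import binascii
import math
import re
from collections import Counter

# First 28 characters of the blob posted in the thread (a whole number of 4-char groups).
PAGE_PREFIX = "N3q8ryccAAO8i9I7KwEAAAAAAABE"
# Constructed sample: Base64 of a fake PE header, used only to show a second signature hit.
SAMPLE_PE = base64.b64encode(b"MZ\x90\x00" + bytes(12)).decode()

# Signature table chosen for this example (well-known file magics, not from the thread).
MAGIC = {
    "7z archive": b"7z\xbc\xaf\x27\x1c",
    "ZIP archive": b"PK\x03\x04",
    "gzip": b"\x1f\x8b",
    "PE executable (MZ)": b"MZ",
    "PNG image": b"\x89PNG\r\n\x1a\n",
    "PDF document": b"%PDF-",
}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: Base64 text tops out at 6.0, random/compressed/encrypted bytes approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_base64(text: str) -> bool:
    """Alphabet plus length check; '=' padding is only expected when len % 4 != 0 before padding."""
    s = "".join(text.split())
    return len(s) % 4 == 0 and bool(BASE64_RE.match(s))


def try_base64(text: str):
    """Strict decode (validate=True rejects any non-alphabet byte); None if it is not Base64."""
    s = "".join(text.split())
    if not looks_like_base64(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def identify_magic(data: bytes):
    """Return the first signature name whose bytes prefix the decoded data."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def triage(text: str) -> dict:
    """Cheap first-pass classification of an unknown string."""
    result = {"text_entropy": round(shannon_entropy(text.encode()), 2),
              "base64_shape": looks_like_base64(text),
              "decoded_len": None, "decoded_entropy": None, "magic": None}
    decoded = try_base64(text)
    if decoded is not None:
        result.update(decoded_len=len(decoded),
                      decoded_entropy=round(shannon_entropy(decoded), 2),
                      magic=identify_magic(decoded))
    return result


# Per-byte operation families to test against the character constraint (my selection).
OPS = {
    "xor": lambda b, k: b ^ k,
    "add": lambda b, k: (b + k) & 0xFF,
    "rol": lambda b, k: ((b << k) | (b >> (8 - k))) & 0xFF,
    "ror": lambda b, k: ((b >> k) | (b << (8 - k))) & 0xFF,
    "shl": lambda b, k: (b << k) & 0xFF,
    "shr": lambda b, k: b >> k,
}
KEYS = {"xor": range(256), "add": range(1, 256),
        "rol": range(1, 8), "ror": range(1, 8), "shl": range(1, 8), "shr": range(1, 8)}


def candidate_ops(first: int, second: int):
    """All (op, key) pairs that map `first` to A-Z and `second` to a-z."""
    hits = []
    for name, fn in OPS.items():
        for k in KEYS[name]:
            a, b = fn(first, k), fn(second, k)
            if 0x41 <= a <= 0x5A and 0x61 <= b <= 0x7A:
                hits.append((name, k))
    return hits


if __name__ == "__main__":
    print("triage:", triage(PAGE_PREFIX))
    print("ops fitting N->A-Z and 3->a-z:", candidate_ops(ord("N"), ord("3")))
```

Run on the thread's own first 28 characters, the constraint search comes back empty (no per-byte xor, add, rotate or shift turns 0x4E into a capital while turning 0x33 into a small letter, because the two bytes disagree on bit 6), and the triage path explains why: the prefix is valid Base64 and its decoded bytes start with the 7z archive signature 37 7A BC AF 27 1C, so the text is encoded binary rather than an encrypted sentence. Checking structure before guessing at ciphers is the general lesson.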

blabberer
November 17th, 2015, 02:34
all i know is that a glutonion dwarf captured this tring when it was trying to impress itself into a hovulan crater which supposedly contains a hordeload of zuper cekret gilica zell centerfusing treactors the dwarf sold this tring as a jeero night to hyest bedder and lo every badbug and its cousins now have a copy of this tring and is go ogling for more
yours truly is a distant cousin of a distant cousin of a distant .........tingering the tring