zgrp
November 30th, 2004, 15:52
Hello,
I'm analyzing code that was made in Delphi. To start, I know that the code generates this:
I input | Program Generate
-----------------------------------------------
69911130 | bhpSiBSTcfU=
69911280 | bhpSiBSQd1k=
69900570 | bhpSiYIvOJk=
57050820 | bWtW7lxL+18=
57017210 | bWtW6itkCb8=
Based on it, I started to analyze the code. It was generated with Delphi and uses a library for encryption called DCPcrypt2 that is available at http://www.cityinthesky.co.uk/files/dcpcrypt2.zip
The description of this library is:
DCPcrypt is an open source library of cryptographic components (encryption and hash algorithms) for Borland Delphi 4, 5, 6, C++ Builder (3?), 4, 5, 6 and Kylix 1, 2 for Linux.
The idea behind DCPcrypt is that it should be possible to "drop in" any algorithm implementation to replace another with minimum or no code changes. To aid in this goal all cryptographic components are descended from one of several base classes, TDCP_cipher for encryption algorithms and TDCP_hash for message digest algorithms.
DCPcrypt v2 contains full implementations of the following algorithms:
Blowfish, Twofish
Cast-128, Cast-256
DES, 3DES
Ice, Thin Ice, Ice2
IDEA
Mars
Misty1
RC2, RC4, RC5, RC6
Rijndael (the new AES)
Serpent
TEA
Haval
MD4, MD5
RipeMD-128, RipeMD-160
SHA-1, SHA-256, SHA-384, SHA-512
Tiger
The code appears to use Twofish to encrypt data (but it has some entries for SHA-1, and I can't imagine why, since it should encrypt and not hash). In the code I can see these entries referring to the libraries...
debian:/w/tmp/code# strings GPprog.exe |grep -A 3 -B 3 -i algorithm|more
TDCP_hash
TDCP_hash
DCPcrypt2
Algorithml
HashSize
EDCP_cipher
TDCP_cipher
TDCP_cipher
DCPcrypt2
Algorithml
MaxKeySize
TDCP_ciphermode
cmCBC cmCFB8bit
--
Font.Style
Left
TDCP_sha1 DCP_sha11
Algorithm
SHA1
HashSize
Left
TDCP_twofish
DCP_twofish
Algorithm
Twofish
MaxKeySize
BlockSize
--
TipoLogradouro
Size
TDCP_sha1 DCP_sha11
Algorithm
SHA1
HashSize
Left
TDCP_twofish
DCP_twofish
Algorithm
Twofish
MaxKeySize
BlockSize
--
Left
TDCP_twofish
DCP_twofish
Algorithm
Twofish
MaxKeySize
BlockSize
Left
TDCP_sha1 DCP_sha11
Algorithm
SHA1
HashSize
Left
Well, so I started to look at the code. I downloaded DeDe and obtained some good information with DeDe + OllyDbg.
Crypt Function
offset start: 0050B31C
offset end: 0050B414
Interesting data through debugging:
at offset: 0050B329
ECX=00DBF040, {ASCII "aVqT0Q/wHIc="}
Stack [SS:0012F8C0]=00DB4F40
other offsets:
EAX=0050B4DC {GPprog.0050B4DC}, ASCII "GPprog"
EDX=00DBF054, {ASCII, "acqua"}
ESI=00DBF054, {ASCII, "acqua"}
0012E9C4 | 00DBFA10 ASCII "evilacqua"
Here is the code shown in DeDe when I click on the event CriptoString in the Unit Form gpbConsultaZGRP, which is the "screen where I input values and it encrypts".
Unit Form = gpbConsultaZGRP
Class Name = TfrmConsultaZGRP
Event = CriptoString - RVA = 0050B31C - Hint = 0013
0050B31C 55 push ebp
0050B31D 8BEC mov ebp, esp
0050B31F 83C4F4 add esp, -$0C
0050B322 53 push ebx
0050B323 56 push esi
0050B324 33DB xor ebx, ebx
0050B326 895DF4 mov [ebp-$0C], ebx
0050B329 894DF8 mov [ebp-$08], ecx
0050B32C 8955FC mov [ebp-$04], edx
0050B32F 8BD8 mov ebx, eax
0050B331 8B45FC mov eax, [ebp-$04]
* Reference to: system.@LStrAddRef;
|
0050B334 E8978FEFFF call 004042D0
0050B339 8B45F8 mov eax, [ebp-$08]
* Reference to: system.@LStrAddRef;
|
0050B33C E88F8FEFFF call 004042D0
0050B341 8B450C mov eax, [ebp+$0C]
* Reference to: system.@LStrAddRef;
|
0050B344 E8878FEFFF call 004042D0
0050B349 33C0 xor eax, eax
0050B34B 55 push ebp
0050B34C 68ECB35000 push $0050B3EC
***** TRY
|
0050B351 64FF30 push dword ptr fs:[eax]
0050B354 648920 mov fs:[eax], esp
* Reference to field TfrmConsultaZGRP.OFFS_0324
|
0050B357 8B9B24030000 mov ebx, [ebx+$0324]
* Reference to class TDCP_sha1
|
0050B35D 8B0DB81A4F00 mov ecx, [$004F1AB8]
0050B363 8B55FC mov edx, [ebp-$04]
0050B366 8BC3 mov eax, ebx
|
0050B368 E87340FEFF call 004EF3E0
0050B36D 8D45F4 lea eax, [ebp-$0C]
0050B370 8B55F8 mov edx, [ebp-$08]
* Reference to: system.@LStrLAsg;
|
0050B373 E8BC8BEFFF call 00403F34
0050B378 8B450C mov eax, [ebp+$0C]
0050B37B BA04B45000 mov edx, $0050B404
* Reference to: system.@LStrCmp;
|
0050B380 E8A78EEFFF call 0040422C
0050B385 750D jnz 0050B394
0050B387 8D4DF8 lea ecx, [ebp-$08]
0050B38A 8B55F4 mov edx, [ebp-$0C]
0050B38D 8BC3 mov eax, ebx
0050B38F 8B30 mov esi, [eax]
0050B391 FF5654 call dword ptr [esi+$54]
0050B394 8B450C mov eax, [ebp+$0C]
0050B397 BA10B45000 mov edx, $0050B410
* Reference to: system.@LStrCmp;
|
0050B39C E88B8EEFFF call 0040422C
0050B3A1 750D jnz 0050B3B0
0050B3A3 8D4DF8 lea ecx, [ebp-$08]
0050B3A6 8B55F4 mov edx, [ebp-$0C]
0050B3A9 8BC3 mov eax, ebx
0050B3AB 8B30 mov esi, [eax]
0050B3AD FF5658 call dword ptr [esi+$58]
0050B3B0 8BC3 mov eax, ebx
0050B3B2 8B10 mov edx, [eax]
0050B3B4 FF5248 call dword ptr [edx+$48]
0050B3B7 8BC3 mov eax, ebx
0050B3B9 8B10 mov edx, [eax]
0050B3BB FF5244 call dword ptr [edx+$44]
0050B3BE 8B4508 mov eax, [ebp+$08]
0050B3C1 8B55F8 mov edx, [ebp-$08]
* Reference to: system.@LStrAsg;
|
0050B3C4 E8278BEFFF call 00403EF0
0050B3C9 33C0 xor eax, eax
0050B3CB 5A pop edx
0050B3CC 59 pop ecx
0050B3CD 59 pop ecx
0050B3CE 648910 mov fs:[eax], edx
****** FINALLY
|
0050B3D1 68F3B35000 push $0050B3F3
0050B3D6 8D45F4 lea eax, [ebp-$0C]
0050B3D9 BA03000000 mov edx, $00000003
* Reference to: system.@LStrArrayClr;
|
0050B3DE E8DD8AEFFF call 00403EC0
0050B3E3 8D450C lea eax, [ebp+$0C]
* Reference to: system.@LStrClr(String;String);
|
0050B3E6 E8B18AEFFF call 00403E9C
0050B3EB C3 ret
* Reference to: system.@HandleFinally;
|
0050B3EC E9E383EFFF jmp 004037D4
0050B3F1 EBE3 jmp 0050B3D6
****** END
|
0050B3F3 5E pop esi
0050B3F4 5B pop ebx
0050B3F5 8BE5 mov esp, ebp
0050B3F7 5D pop ebp
0050B3F8 C20800 ret $0008
----------------------------------------------------------------
In reference to class TDCP_sha1, the call 004EF3E0 has:
004EF3E0 55 push ebp
004EF3E1 8BEC mov ebp, esp
004EF3E3 83C4F8 add esp, -$08
004EF3E6 53 push ebx
004EF3E7 56 push esi
004EF3E8 57 push edi
004EF3E9 894DF8 mov [ebp-$08], ecx
004EF3EC 8955FC mov [ebp-$04], edx
004EF3EF 8BD8 mov ebx, eax
004EF3F1 807B2400 cmp byte ptr [ebx+$24], $00
004EF3F5 7407 jz 004EF3FE
004EF3F7 8BC3 mov eax, ebx
004EF3F9 8B10 mov edx, [eax]
004EF3FB FF5244 call dword ptr [edx+$44]
004EF3FE 33C0 xor eax, eax
004EF400 55 push ebp
* Possible String Reference to: 'é`@ñÿ¹ìôN'
|
004EF401 68BBF44E00 push $004EF4BB
***** TRY
|
004EF406 64FF30 push dword ptr fs:[eax]
004EF409 648920 mov fs:[eax], esp
004EF40C 8B45F8 mov eax, [ebp-$08]
* Possible reference to virtual method TDCP_sha1.OFFS_38
|
004EF40F FF5038 call dword ptr [eax+$38]
004EF412 85C0 test eax, eax
004EF414 7903 jns 004EF419
004EF416 83C007 add eax, +$07
004EF419 C1F803 sar eax, $03
* Reference to: system.@GetMem;
|
004EF41C E80F34F1FF call 00402830
004EF421 8BF0 mov esi, eax
004EF423 8BCB mov ecx, ebx
004EF425 B201 mov dl, $01
004EF427 8B45F8 mov eax, [ebp-$08]
* Possible reference to virtual method TDCP_sha1.OFFS_2C
|
004EF42A FF502C call dword ptr [eax+$2C]
004EF42D 8BF8 mov edi, eax
004EF42F 8BC7 mov eax, edi
004EF431 8B10 mov edx, [eax]
* Possible reference to virtual method TDCP_sha1.OFFS_40
|
004EF433 FF5240 call dword ptr [edx+$40]
004EF436 8B55FC mov edx, [ebp-$04]
004EF439 8BC7 mov eax, edi
|
004EF43B E8B0FEFFFF call 004EF2F0
004EF440 8BD6 mov edx, esi
004EF442 8BC7 mov eax, edi
004EF444 8B08 mov ecx, [eax]
* Possible reference to virtual method TDCP_sha1.OFFS_44
|
004EF446 FF5144 call dword ptr [ecx+$44]
004EF449 8BC7 mov eax, edi
* Reference to: system.TObject.Free(TObject);
|
004EF44B E8243CF1FF call 00403074
004EF450 8BC3 mov eax, ebx
004EF452 8B10 mov edx, [eax]
004EF454 FF5238 call dword ptr [edx+$38]
004EF457 8BF8 mov edi, eax
004EF459 8B45F8 mov eax, [ebp-$08]
* Possible reference to virtual method TDCP_sha1.OFFS_38
|
004EF45C FF5038 call dword ptr [eax+$38]
004EF45F 3BF8 cmp edi, eax
004EF461 7D16 jnl 004EF479
004EF463 6A00 push $00
004EF465 8BC3 mov eax, ebx
004EF467 8B10 mov edx, [eax]
004EF469 FF5238 call dword ptr [edx+$38]
004EF46C 8BC8 mov ecx, eax
004EF46E 8BD6 mov edx, esi
004EF470 8BC3 mov eax, ebx
004EF472 8B18 mov ebx, [eax]
004EF474 FF5340 call dword ptr [ebx+$40]
004EF477 EB13 jmp 004EF48C
004EF479 6A00 push $00
004EF47B 8B45F8 mov eax, [ebp-$08]
* Possible reference to virtual method TDCP_sha1.OFFS_38
|
004EF47E FF5038 call dword ptr [eax+$38]
004EF481 8BC8 mov ecx, eax
004EF483 8BD6 mov edx, esi
004EF485 8BC3 mov eax, ebx
004EF487 8B18 mov ebx, [eax]
004EF489 FF5340 call dword ptr [ebx+$40]
004EF48C 8B45F8 mov eax, [ebp-$08]
* Possible reference to virtual method TDCP_sha1.OFFS_38
|
004EF48F FF5038 call dword ptr [eax+$38]
004EF492 8BD0 mov edx, eax
004EF494 85D2 test edx, edx
004EF496 7903 jns 004EF49B
004EF498 83C207 add edx, +$07
004EF49B C1FA03 sar edx, $03
004EF49E 8BC6 mov eax, esi
004EF4A0 B9FF000000 mov ecx, $000000FF
* Reference to: system.@FillChar;
|
004EF4A5 E81638F1FF call 00402CC0
004EF4AA 8BC6 mov eax, esi
* Reference to: system.@FreeMem;
|
004EF4AC E89733F1FF call 00402848
004EF4B1 33C0 xor eax, eax
004EF4B3 5A pop edx
004EF4B4 59 pop ecx
004EF4B5 59 pop ecx
004EF4B6 648910 mov fs:[eax], edx
004EF4B9 EB20 jmp 004EF4DB
* Reference to: system.@HandleAnyExZGRPtion;
|
004EF4BB E96040F1FF jmp 00403520
* Possible String Reference to: 'Unable to allocate sufficient memor
| y for hash digest'
|
004EF4C0 B9ECF44E00 mov ecx, $004EF4EC
004EF4C5 B201 mov dl, $01
* Reference to class EDCP_cipher
|
004EF4C7 A108EF4E00 mov eax, dword ptr [$004EEF08]
* Reference to: axctrls.TOleStream.Create(TOleStream;boolean;IStream);
|
004EF4CC E8EBDAF1FF call 0040CFBC
* Reference to: system.@RaiseExZGRPt;
|
004EF4D1 E8F643F1FF call 004038CC
* Reference to: system.@DoneExZGRPt;
|
004EF4D6 E86144F1FF call 0040393C
****** END
|
004EF4DB 5F pop edi
004EF4DC 5E pop esi
004EF4DD 5B pop ebx
004EF4DE 59 pop ecx
004EF4DF 59 pop ecx
004EF4E0 5D pop ebp
004EF4E1 C3 ret
I'm supposing that it's using Twofish and the key "aVqT0Q/wHIc=" or one of the other ASCII strings collected at the offsets above.
Any idea? Tip? Help?
Regards,
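Added example, not part of the original post: a Python check of what the five input/output pairs in the table reveal on their own. It decodes the Base64 outputs and compares every pair of samples byte by byte; the function and field names are this example's own. Equal input prefixes give equal output prefixes, the first differing byte XORs identically in input and output, and the bytes after it diverge. That is the pattern a byte-wise feedback mode such as the `cmCFB8bit` entry in the strings output produces when key and IV are the same for every message, and it shows why such deterministic encryption leaks structure.

```python
import base64
from itertools import combinations

# Input/output pairs copied from the table in the post.
SAMPLES = {
    "69911130": "bhpSiBSTcfU=",
    "69911280": "bhpSiBSQd1k=",
    "69900570": "bhpSiYIvOJk=",
    "57050820": "bWtW7lxL+18=",
    "57017210": "bWtW6itkCb8=",
}


def xor_bytes(u, v):
    """XOR two equal-length byte strings."""
    return bytes(m ^ n for m, n in zip(u, v))


def compare(p1, c1, p2, c2):
    """Compare two (input, Base64 output) pairs byte by byte."""
    a, b = p1.encode("ascii"), p2.encode("ascii")
    x, y = base64.b64decode(c1), base64.b64decode(c2)
    # Index of the first byte where the two inputs differ.
    i = next(k for k in range(len(a)) if a[k] != b[k])
    return {
        "first_diff": i,
        # Output as long as the input: no block padding (Twofish blocks are 16 bytes).
        "same_length": len(x) == len(a) and len(y) == len(b),
        # Identical input prefix -> identical output prefix (fixed key and IV).
        "prefix_equal": x[:i] == y[:i],
        # At the first difference both messages used the same keystream byte.
        "xor_at_diff_matches": (a[i] ^ b[i]) == (x[i] ^ y[i]),
        # True would mean a pure stream (OFB/CTR-like); False means the
        # keystream depends on earlier output bytes, i.e. feedback.
        "tail_xor_matches": xor_bytes(a[i + 1:], b[i + 1:]) == xor_bytes(x[i + 1:], y[i + 1:]),
    }


def analyse(samples=SAMPLES):
    """Run compare() over every pair of samples."""
    return {
        (p1, p2): compare(p1, samples[p1], p2, samples[p2])
        for p1, p2 in combinations(samples, 2)
    }


if __name__ == "__main__":
    for pair, result in analyse().items():
        print(pair, result)
```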