kramer
August 22nd, 2005, 21:06
(Whoops, I mentioned the target last time, I only skimmed through the FAQ and missed that part.)
Anyway, say that there's a file produced by a certain program. The program stores certain kinds of data under one or more user names, with "administrator" as the default. The file produced is somehow encrypted or obfuscated in order to prevent tampering. Also, in this program the registration scheme goes with the file instead of the program, so that any files you create with the trial version will expire and become read-only after a period of time unless you apply the registration key to it. However, the files I'm looking at have been registered already.
So, how to unravel the data file and be able to modify it? The registration key complicates matters, I don't know if it goes on top of the encryption or around it (if that makes any sense... e.g. it could have a checksum stored in the file somewhere to prevent tampering, and also have the "is it registered" stuff somewhere else, OR the whole thing is encrypted).
Come to think of it, I don't think it's encrypted at all (or it's stored in some sort of raw format, or parts of it are encrypted or obfuscated). If you look at the file in a text editor, about 50 percent of it consists of "FF", 25 percent is "00", and then there are some lines of data that are repeated over and over. There are tiny snippets here and there that look fairly arbitrary, but there are also lots of plaintext things that refer to () accounts, transactions and userIDs.
To make the problem a bit simpler, say we want to change the name of a userID in the file (so that all transactions by that person will appear under a different name).
One thing I'm interested in is whether I can change the UserID (e.g. the username is "fred"; when you change the username it either changes the name displayed in all associated transactions, or only changes that particular name). Interestingly, there are multiple instances of the username in the dat file (in plain text; if I change one instance it says "this is not a valid myob file", if I change all instances it crashes. Maybe because the username I changed it to doesn't exist. I'll check that out).
I'd prefer not to reverse the actual prog because the code drove me nuts when I tried looking at this software in ollydbg (I'm not really an asm programmer, I sort of know the basics but really it drives me nuts). But I'm sure looking at the actual program is a sure way to get bits of code that will unravel the file. Only problem is that I'm not an expert at these things, I normally just open data files and see if I can change obvious things, like user names. And maybe knock things up a notch by making sure that I don't change the file length or anything. Bam!
So really I think I'll just try a few obvious things and then give up (like, if I add characters at the end of the file, how will that affect the checksum? What is a checksum anyway? All I know about it is that you add together some bits in the file to get a number). Maybe I can do a frequency analysis to see if it's a direct substitution thing.
The file's really odd, there are these lines of data that repeat over and over, but maybe one or two characters will differ from one line to the next. It could be telling the program "here's a list of things all from the same customer/supplier, today he ordered 2, tomorrow he orders 1, and the date's changed". It looks all ordered and repetitive, not random, so my intuition's saying that it's not complex encryption, it's either direct substitution of English, or lists of numbers and codes that tell the program something, or that there's an obfuscator function that replaces a character here and there at random.
Also there's a number in the data file which looks something similar to "{DC3BF49C-6638-4F52-ACB1-D68033331A66}" (that's not the actual number but it looks like that), it looks out of place and seems to be hex. {4-2-2-2-6} groups of chars? I can't see it in the registered file but it's hard to spot (it's in the middle of the file somewhere, seemingly arbitrary); if it were in the registered file it may be a different number, but I can't seem to find it.
I wouldn't have a clue about what to do with that, in ASCII it's just random chars, so it's probably some sort of number. Not a folder in the Windows registry, either.
Hang on chaps, I've just had a breakthrough. I'll rant some more gibberish later.

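The post above asks three questions a file-format reviewer answers with a few measurements rather than guesswork: is the file actually encrypted (the "50 percent FF, 25 percent 00" observation), what is a checksum and why does it not stop tampering, and what is that "{...}" token. The following Python is an added illustration written for this thread, not code from the poster or from the program discussed; the sample file it triages is constructed inline (padding runs, a few repeated text records and one GUID-shaped token) and is not a real data file of any product. The byte-share and Shannon-entropy figures show why padded plaintext records look nothing like ciphertext, the regex recognises the standard {8-4-4-4-12} GUID text form, and the last functions contrast the "add the bytes together" checksum with a keyed HMAC, which is what a file format needs if the goal is detecting modification by someone who can read the format.

```python
import hashlib
import hmac
import math
import re
import zlib
from collections import Counter

# Constructed sample (not a real MYOB file): long 0xFF and 0x00 padding runs,
# near-identical text records, and one GUID-style token in the middle.
SAMPLE_FILE = (
    b"\xff" * 200
    + b"\x00" * 100
    + b"ACCT0001 fred  2005-08-22 qty=2\x00" * 4
    + b"ACCT0001 fred  2005-08-23 qty=1\x00"
    + b"{DC3BF49C-6638-4F52-ACB1-D68033331A66}"
    + b"\xff" * 50
)

# Standard GUID text form: {8-4-4-4-12} hexadecimal digits.
GUID_RE = re.compile(rb"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def byte_shares(data, top=3):
    """Most common byte values and the share of the file each one takes."""
    counts = Counter(data)
    return [(b, counts[b] / len(data)) for b, _ in counts.most_common(top)]


def shannon_entropy(data):
    """Bits per byte. Ciphertext and compressed data sit near 8.0;
    padded plaintext records like the sample sit far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data, min_len=6):
    """ASCII runs of at least min_len bytes, i.e. what a hex editor shows as text."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_guids(data):
    """Every GUID-shaped token in the file, decoded to text."""
    return [m.group().decode("ascii") for m in GUID_RE.finditer(data)]


def additive_checksum(data):
    """The 'add the bytes together' checksum the post describes, kept to 16 bits.
    Anyone who can read the file can recompute it, so it only catches accidents."""
    return sum(data) & 0xFFFF


def crc32_checksum(data):
    """CRC32: better at catching corruption than a plain sum, still unkeyed."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(key, data):
    """Keyed integrity tag (HMAC-SHA256); cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(key, data, tag):
    """Constant-time comparison, so a wrong tag is rejected without timing leaks."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def triage(data):
    """Summary a reviewer pulls before deciding whether a file is encrypted."""
    return {
        "size": len(data),
        "entropy_bits_per_byte": round(shannon_entropy(data), 2),
        "top_bytes": byte_shares(data),
        "strings": printable_strings(data),
        "guids": find_guids(data),
        "sum16": additive_checksum(data),
        "crc32": crc32_checksum(data),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_FILE).items():
        print(f"{name}: {value}")
```

On the constructed sample the top byte is 0xFF at roughly 45 percent of the file and the entropy lands near 3 bits per byte, the signature of padded records rather than encryption; a fully random 256-byte alphabet scores 8.0. The HMAC functions make the design point explicit: changing a single name or using a different key fails verification, whereas both unkeyed checksums can be recomputed by whoever edits the file.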