Recover Key from encryption


markh51
September 22nd, 2005, 09:06
Is it possible to recover the key for the de/encryption if you knew what the encrypted and decrypted strings were?

V++|z;U9&t#3-r
Valid Until -

This is the routine it uses:

Code:
CODE:0044F3AA mov eax, [ebp+var_4] <- Sets the address to output string to
CODE:0044F3AD movzx esi, byte ptr [eax+ebx-1] <- Hex value of encrypted character
CODE:0044F3B2 mov eax, [ebp+var_4]
CODE:0044F3B5 movzx eax, byte ptr [eax+ebx-2] <- Hex value of last character (That's why the first char of the string is plain text)
CODE:0044F3BA add esi, eax
CODE:0044F3BC sub esi, 20h
CODE:0044F3BF cmp esi, 7Eh
CODE:0044F3C2 jle short loc_44F3C7
CODE:0044F3C4 sub esi, 5Fh
CODE:0044F3C7
CODE:0044F3C7 loc_44F3C7: ; CODE XREF: sub_44F370+52j
CODE:0044F3C7 lea eax, [ebp+var_4]
CODE:0044F3CA call sub_404764
CODE:0044F3CF mov edx, esi
CODE:0044F3D1 mov [eax+ebx-1], dl
CODE:0044F3D5 inc ebx
CODE:0044F3D6 dec edi
CODE:0044F3D7 jnz short loc_44F3AA


I have commented the first few lines as this is really as much as I know. Can anyone tell me if this is a 'commercial' form of encryption or just 'home cooked'?

Thanks.

HaRdLoCk
September 22nd, 2005, 10:16
please post

call sub_404764

:-)

markh51
September 22nd, 2005, 10:22
404764 goes to a JMP which points to:

Code:
CODE:00404718 mov edx, [eax]
CODE:0040471A test edx, edx
CODE:0040471C jz short loc_404756
CODE:0040471E mov ecx, [edx-8]
CODE:00404721 dec ecx
CODE:00404722 jz short loc_404756
CODE:00404724 push ebx
CODE:00404725 mov ebx, eax
CODE:00404727 mov eax, [edx-4]
CODE:0040472A call sub_404310
CODE:0040472F mov edx, eax
CODE:00404731 mov eax, [ebx]
CODE:00404733 mov [ebx], edx
CODE:00404735 push eax
CODE:00404736 mov ecx, [eax-4]
CODE:00404739 call sub_402990
CODE:0040473E pop eax
CODE:0040473F mov ecx, [eax-8]
CODE:00404742 dec ecx
CODE:00404743 jl short loc_404753
CODE:00404745 lock dec dword ptr [eax-8]
CODE:00404749 jnz short loc_404753
CODE:0040474B lea eax, [eax-8]
CODE:0040474E call sub_402704
CODE:00404753
CODE:00404753 loc_404753: ; CODE XREF: CODE:00404743j
CODE:00404753 ; CODE:00404749j
CODE:00404753 mov edx, [ebx]
CODE:00404755 pop ebx
CODE:00404756
CODE:00404756 loc_404756: ; CODE XREF: CODE:0040471Cj
CODE:00404756 ; CODE:00404722j
CODE:00404756 mov eax, edx
CODE:00404758 retn

Admiral
September 22nd, 2005, 13:03
Mmm... I'm not sure how long we're going to stay interested in playing cat-and-mouse. There may be an intimidating concentration of intellectuality on this board, but even the most legendary reversers can't say what 'call sub_402990' does if they can't see the code at 402990.

How about you take the shortest of peeks at the code and identify any CALLs, JMPs and Jccs that follow outside of your pasted code and either give us a complete listing to work with or, even better, do some work for yourself and determine what some of these functions do.

I'm guessing that not many modern serial-check routines will fit in a couple of dozen lines of disassembly, so I wouldn't be surprised if that one CALL contains lots more CALLs, to the point where you're posting so much uncommented code that nobody on this board will be prepared to do the work for you.

I know I speak for a large population of this board when I say I don't like 'giving a man a fish', so how about you have a go at fishing then come back when you get stuck?

LLXX
September 22nd, 2005, 21:06
Even better alternative to straight listings would be a flow graph like the one IDA produces. Make sure to include all the subroutines down to the leaves of the tree.

Woodmann
September 22nd, 2005, 21:36
POST THE CODE............

Do not worry .

Woodmann

bilbo
September 26th, 2005, 11:11
Quote:
[Originally Posted by Woodmann]POST THE CODE............

Please do not post any more code :-), we already have all we need!

HaRdLoCk, sub_404764 is some library function; it takes an object pointer as input and returns a pointer as output (by the way, markh51, it would be very useful to apply IDA signatures to the code...).


Quote:
[Originally Posted by markh51]Is it possible to recover the key for the de/encryption if you knew what the encrypted and decrypted strings were?
I do not understand what you mean by "key". We have a simple algorithm, perfectly reversible, which, given the encrypted string, finds the decrypted one and vice versa. No other input is required.

Here is a C transcription for the decryption/encryption:
Code:

#include <stdio.h>

int
main(void)
{
    int i;
    char *e = "V++|z;U9&t#3-r";
    signed char c;                 /* signed on purpose: the encryption step below relies on negative intermediate values */
    char d[80] = {0}, e1[80] = {0};

    /* decryption: the first character is stored in clear, each later one is
       recovered from the encrypted byte and the previous decrypted byte */
    for (d[0] = e[0], i = 1; e[i]; i++) {
        c = d[i-1] + e[i] - 0x20;
        d[i] = (unsigned char)c > 0x7E ? c - 0x5F : c;
    }
    printf("after decryption: \"%s\"\n", d);

    /* encryption: the inverse of the loop above */
    for (e1[0] = d[0], i = 1; d[i]; i++) {
        c = d[i] - d[i-1] + 0x20;
        e1[i] = c < 0x1E ? c + 0x5F : c;
    }
    printf("after encryption: \"%s\"\n", e1);
    return 0;
}


Here is the commented assembly (the decryption is performed overwriting the encrypted string):
Code:

; loop
CODE:0044F3AA mov eax, [ebp+var_4] ; pointer to E[]
CODE:0044F3AD movzx esi, byte ptr [eax+ebx-1] ; E[i]
CODE:0044F3B2 mov eax, [ebp+var_4]
CODE:0044F3B5 movzx eax, byte ptr [eax+ebx-2] ; D[i-1]
CODE:0044F3BA add esi, eax
CODE:0044F3BC sub esi, 20h ; C = E[i]+D[i-1]-0x20
CODE:0044F3BF cmp esi, 7Eh
CODE:0044F3C2 jle short loc_44F3C7
CODE:0044F3C4 sub esi, 5Fh ; C = C-0x5F if C>0x7E

CODE:0044F3C7 lea eax, [ebp+var_4]
CODE:0044F3CA call sub_404764 ; restore pointer to E[]
CODE:0044F3CF mov edx, esi
CODE:0044F3D1 mov [eax+ebx-1], dl ; D[i] = C
; continue
CODE:0044F3D5 inc ebx ; i = i+1
CODE:0044F3D6 dec edi ; length = length -1
CODE:0044F3D7 jnz short loc_44F3AA


Best regards, bilbo
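The program below is an added example, not bilbo's transcription, not markh51's code and not code from the application being discussed. It packages the same transform as checked functions so the point of bilbo's answer can be verified directly: the routine at 0044F3AA is a running-difference encoding over the printable ASCII band 0x20..0x7E (the 0x5F it subtracts is 0x7F - 0x20, the width of that band), and there is no secret input anywhere. Anyone holding the binary and the stored string can recover the plaintext, so this is string obfuscation rather than encryption, and a licence check built on it gives no protection against an attacker who has the file. The function names delta_decrypt, delta_encrypt, in_range, roundtrip_matches and plaintext_survives are my own. On the encrypt side it wraps at 0x20 rather than bilbo's 0x1E so that every ciphertext byte stays printable; both thresholds decrypt to the same plaintext through the original loop. It assumes, as the original loop does, that all bytes are printable ASCII, and rejects anything else.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: plaintext and ciphertext consist only of printable ASCII
 * (0x20..0x7E). That is the range the original code's "cmp esi, 7Eh" and
 * "sub esi, 5Fh" are built around (0x5F = 0x7F - 0x20). */
int in_range(const char *s)
{
    for (; *s; s++)
        if ((unsigned char)*s < 0x20 || (unsigned char)*s > 0x7E)
            return 0;
    return 1;
}

/* Mirror of the loop at 0044F3AA. Byte 0 is stored in clear; every later
 * byte is (ciphertext byte + previous *plaintext* byte - 0x20), folded back
 * into the printable band when it overshoots 0x7E.
 * Returns 1 on success, 0 if the output buffer is too small. */
int delta_decrypt(const char *enc, char *out, size_t outsz)
{
    size_t n = strlen(enc);
    if (n + 1 > outsz)
        return 0;
    for (size_t i = 0; i < n; i++) {
        /* do the arithmetic in int, like the 32-bit esi register */
        int c = (unsigned char)enc[i];
        if (i > 0) {
            c += (unsigned char)out[i - 1] - 0x20;
            if (c > 0x7E)              /* cmp esi,7Eh / jle / sub esi,5Fh */
                c -= 0x5F;
        }
        out[i] = (char)c;
    }
    out[n] = '\0';
    return 1;
}

/* Inverse transform: ciphertext byte = plain[i] - plain[i-1] + 0x20, with
 * 0x5F added back whenever the difference would drop below 0x20 (the
 * decoder's "c > 0x7E" branch undoes exactly that addition).
 * Returns 1 on success, 0 on a short buffer or non-printable input. */
int delta_encrypt(const char *plain, char *out, size_t outsz)
{
    size_t n = strlen(plain);
    if (n + 1 > outsz || !in_range(plain))
        return 0;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)plain[i];
        if (i > 0) {
            c -= (unsigned char)plain[i - 1] - 0x20;
            if (c < 0x20)              /* keep the ciphertext printable */
                c += 0x5F;
        }
        out[i] = (char)c;
    }
    out[n] = '\0';
    return 1;
}

/* Decrypt enc, compare with the expected plaintext, re-encrypt, and check
 * that the original ciphertext comes back. 1 only if every step agrees. */
int roundtrip_matches(const char *enc, const char *expected_plain)
{
    char plain[128], again[128];
    if (!delta_decrypt(enc, plain, sizeof plain)) return 0;
    if (strcmp(plain, expected_plain) != 0) return 0;
    if (!delta_encrypt(plain, again, sizeof again)) return 0;
    return strcmp(again, enc) == 0;
}

/* Encrypt a plaintext and decrypt it again; 1 if it survives unchanged and
 * the ciphertext stayed printable. Non-printable input yields 0. */
int plaintext_survives(const char *plain)
{
    char enc[128], back[128];
    if (!delta_encrypt(plain, enc, sizeof enc)) return 0;
    if (!in_range(enc)) return 0;
    if (!delta_decrypt(enc, back, sizeof back)) return 0;
    return strcmp(back, plain) == 0;
}

int main(void)
{
    /* the ciphertext markh51 posted; no key is needed to read it */
    const char *enc = "V++|z;U9&t#3-r";
    char plain[128];
    if (delta_decrypt(enc, plain, sizeof plain))
        printf("\"%s\" -> \"%s\"\n", enc, plain);
    printf("round trip %s\n",
           roundtrip_matches(enc, "Valid Until - ") ? "ok" : "FAILED");
    return 0;
}
```

Note that the recovered plaintext carries a trailing space ("Valid Until - " is 14 bytes, the same length as the ciphertext), which is easy to miss when reading it off a dialog box.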

markh51
September 26th, 2005, 12:40
Well what can I say... bilbo, you're the man!