kingbowser
01-25-2010, 02:40 AM
Hi, I'm an Italian user. I came here redirected by rongchaua. I have a program (mind workstation (http://www.transparentcorp.com/products/mindws/)) of which I would like to find the serial number for my computer, but I'm a n00b in this sector.
From what I could understand, the executable is obfuscated with Xenocode, while some DLLs are packed with Armadillo.
With PEtools I dumped the files while running, so I got an EXE in which strings and procedures are encrypted (Xenocode). I couldn't manage to deobfuscate it with the rongchaua and libx tools. Can you help me?
As I mostly design hardware (electronic engineer) I'm not so trained in programming/hacking/cracking :D
Thank you for your time and support
[and sorry for my Engrish lol]
I know I shouldn't make double posts ...
[Then why do it?!?!?! Just use the Edit button]
...but I extracted with LordPE and Reflector something useful: the Xenocode Postbuild (2008 or 2009, I don't know) string decryption algorithm.
Here it is (in C#):
public static string decrypt(string enc_string, int key)
{
    // Reflector output. The locals below were left unassigned and `(uint) flag`
    // is not a legal cast in C#, so they are initialised here and the bool
    // casts are written as System.Convert.ToUInt32 to make the method compile.
    // The comparisons against 0 and uint.MaxValue are opaque predicates
    // inserted by the obfuscator; each always evaluates the same way.
    char[] chArray = null;
    ushort num3 = 0;
    bool flag = false;
    int index = 0;
    ushort num = (ushort) key;
    if ((System.Convert.ToUInt32(flag) - num3) >= 0)   // uint is never negative: always true
    {
        flag = ((uint) key) > uint.MaxValue;             // always false
        if (flag)
        {
            goto Label_00EA;
        }
        chArray = new char[enc_string.Length / 4];       // one char per four input letters
    }
    else if ((num | 1) != 0)
    {
        goto Label_0091;
    }
    goto Label_00F4;
Label_007A:
    if (!flag)
    {
        index++;
        goto Label_00F4;
    }
Label_0083:
    do
    {
        num3 = (ushort) (num3 - num);                    // subtract the running key
        chArray[index] = (char) num3;
        num = (ushort) (num + 0x6fd);                    // advance the key for the next char
    }
    while ((System.Convert.ToUInt32(flag) + ((uint) key)) < 0);   // always false: one pass
    goto Label_012A;
Label_0091:
    // four letters 'a'..'p' encode one 16-bit code unit, low nibble first
    num3 = (ushort) ((((enc_string[4 * index] - 'a')
        + ((enc_string[(4 * index) + 1] - 0x61) << 4))
        + ((enc_string[(4 * index) + 2] - 0x61) << 8))
        + ((enc_string[(4 * index) + 3] - 0x61) << 12));
    if (((uint) index) > uint.MaxValue)                  // always false
    {
        goto Label_012A;
    }
    if ((num + num) <= uint.MaxValue)                    // always true
    {
        goto Label_0083;
    }
    goto Label_007A;
Label_00EA:
    return new string(chArray);
Label_00F4:
    if (index < (enc_string.Length / 4))
    {
        goto Label_0091;
    }
    goto Label_00EA;
Label_012A:
    flag = (((uint) key) + ((uint) key)) > uint.MaxValue;   // always false
    goto Label_007A;
}
Now I'm going to clean the garbage code out of it and rewrite it as a little "string decrypter" program. Bye
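The routine above with its opaque predicates stripped, as an added example that is neither the poster's nor Xenocode's code: a straight Python port of the decoder plus the inverse transform (reconstructed here only so the round trip can be checked); the key value and sample strings are constructed.

```python
# Added example, not the poster's or Xenocode's code: the decompiled routine
# above with its opaque predicates stripped, plus the inverse transform
# (reconstructed here only so the round trip can be checked). Keys and
# sample strings are constructed; none come from a real binary.
KEY_STEP = 0x6FD  # per-character key increment seen in the decompiled code


def xenocode_decrypt(enc_string: str, key: int) -> str:
    """Decode one obfuscated string.

    Every plaintext UTF-16 code unit is stored as four letters 'a'..'p',
    low nibble first. A 16-bit running key (the low 16 bits of `key`,
    advanced by KEY_STEP after each character) is subtracted from each
    decoded unit, mirroring the ushort arithmetic of the original.
    """
    if len(enc_string) % 4 != 0:
        raise ValueError("encoded length must be a multiple of 4")
    num = key & 0xFFFF                      # ushort num = (ushort) key
    out = []
    for index in range(len(enc_string) // 4):
        num3 = 0
        for shift, ch in zip((0, 4, 8, 12), enc_string[4 * index:4 * index + 4]):
            nibble = ord(ch) - ord("a")     # enc_string[...] - 'a'
            if not 0 <= nibble <= 15:
                raise ValueError(f"invalid symbol {ch!r} at offset {4 * index}")
            num3 += nibble << shift
        num3 = (num3 - num) & 0xFFFF        # num3 = (ushort) (num3 - num)
        out.append(chr(num3))               # chArray[index] = (char) num3
        num = (num + KEY_STEP) & 0xFFFF     # num = (ushort) (num + 0x6fd)
    return "".join(out)


def xenocode_encrypt(plain: str, key: int) -> str:
    """Inverse of xenocode_decrypt; only BMP code units are representable."""
    num = key & 0xFFFF
    out = []
    for ch in plain:
        code = ord(ch)
        if code > 0xFFFF:
            raise ValueError("characters outside the BMP cannot be encoded")
        num3 = (code + num) & 0xFFFF
        out.append("".join(chr(ord("a") + ((num3 >> s) & 0xF)) for s in (0, 4, 8, 12)))
        num = (num + KEY_STEP) & 0xFFFF
    return "".join(out)


if __name__ == "__main__":
    key = 0x1234                            # constructed key
    enc = xenocode_encrypt("Hello, world!", key)
    print(enc, "->", xenocode_decrypt(enc, key))
```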