Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Help with AES 128 encrypted file (https://forum.exetools.com/showthread.php?t=19002)

phroyt 10-24-2018 16:44

Help with AES 128 encrypted file
 
Hi,

I'm trying to decode a file encoded with the DEC 3.0 library (Delphi Encryption Compendium Part I).

The key is a SHA256 hash:
HTML Code:

  d90cwjipoybs3usoh6bs0yn53jk0nlijyy3eocr1lmp0hbdv8o1u3fer7m8bgcpz
It's cropped to 16, to fit the maximum 128 key size.

No matter how I try, I can't decrypt the file.
I know that it's a simple XML file.

Looking into the code, I suspect that it is using:
CTS Cipher Text Stealing, a Variant from CBC, but relaxes
the restriction that the DataSize must be a multiple of BufSize,
this is the Defaultmode

The encrypted files are here:
hxxps://mega.nz/#F!EgRVxCjY!ouEuDqOomGT3hesB1rl_Cg

Does anyone have a clue?
I can use any high level language: C#, Delphi, PHP, Python, Perl, etc.

Thanks

ketan 10-25-2018 06:34

Key can be unicode, include trailing 0, plaintext can be compressed etc etc.

phroyt 06-27-2019 03:45

Nope,

It's a 32-bit Delphi XE7 executable.
I checked that.

phroyt 03-06-2020 16:06

After some time, I got this solved.

The DEC 3.0 library (Delphi Encryption Compendium Part I) allows you to pass a Key of any length when creating the object.

PHP Code:

Key := 'd90cwjipoybs3usoh6bs0yn53jk0nlijyy3eocr1lmp0hbdv8o1u3fer7m8bgcpz';
Cipher := TCipher_Rijndael.Create(Key, nil);

Behind the TCipher.Create method, a THash_RipeMD256 is used to create a DigestKey, 32 bytes long.
And the initialization of the Cipher is done there too.

I was misled into thinking that the AES code was wrong, because the resulting text was still scrambled.
But after a little more debugging I found a nasty XOR with a fixed key.

Voilà!

Below is the correct code, which has no dependency on the DEC version.
It compiles on D7 to D10.2; you only need to change the DEC unit names:

PHP Code:

implementation

{$R *.dfm}

uses
  Cipher, Cipher1, Hash;   // DEC 3.0 unit names; rename for other DEC versions

// Repeating-key XOR: every byte of V^ is XORed with the next byte of X^,
// wrapping around when X^ is exhausted. Applying it twice restores the data.
procedure SimpleXOR(V, X: PAnsiString);
var
  I, J, K, L: Integer;
begin
  L := 0;
  J := Length(V^);
  if (J >= 1) then
  begin
    K := Length(X^);
    for I := 1 to J do
    begin
      Inc(L);
      if (L > K) then
        L := 1;
      V^[I] := AnsiChar(Ord(V^[I]) xor Ord(X^[L]));
    end;
  end;
end;

function DecodeFile(Filename: String): AnsiString;
const
  // Fixed key of the XOR layer applied after the AES decryption
  Code: AnsiString =
    #$CE#$E1#$FB#$BF#$E8#$AE#$F1#$83+
    #$23#$24#$25#$26#$3F#$7D#$2A#$28+
    #$3C#$3E#$5E#$3B#$B4;
  Key: AnsiString =
    'd90cwjipoybs3usoh6bs0yn53jk0nli'+
    'jyy3eocr1lmp0hbdv8o1u3fer7m8bgcpz';
var
  Cipher: TCipher_Rijndael;
  Hash: THash_RipeMD256;
  F1: TFileStream;
  S1: TStringStream;
  Data: AnsiString;
begin
  Result := '';
  if FileExists(Filename) then
  begin
    F1 := TFileStream.Create(Filename, fmOpenRead+fmShareDenyNone);
    S1 := TStringStream.Create('');

    // DEC 3.0: reproduce what TCipher.Create(Key, nil) does internally,
    // hashing the password with RipeMD256 and keying the cipher with the digest
    Cipher := TCipher_Rijndael.Create('', nil);
    Hash := THash_RipeMD256.Create(nil);
    Hash.Init;
    Hash.Calc(PAnsiChar(Key)^, Length(Key));
    Hash.Done;
    Cipher.Init(Hash.DigestKey^, Hash.DigestKeySize, nil);
    Cipher.EncodeBuffer(Hash.DigestKey^, Hash.DigestKey^, Hash.DigestKeySize);
    Cipher.Done;
    FreeAndNil(Hash);

    F1.Position := 0;
    S1.Size := F1.Size;
    S1.Position := 0;
    Cipher.DecodeStream(F1, S1, F1.Size);
    FreeAndNil(Cipher);

    S1.Position := 0;
    SetLength(Data, S1.Size);
    Data := S1.DataString;
    FreeAndNil(F1);
    FreeAndNil(S1);

    // Second layer: undo the fixed-key XOR
    SimpleXOR(PAnsiString(@Data), PAnsiString(@Code));
    Result := Data;
  end;
end;

procedure TForm1.btn1Click(Sender: TObject);
var
  F, P: String;
begin
  P := ExtractFilePath(ParamStr(0));
  F := P+'somefile.bin';
  mmo1.Text := DecodeFile(F);
end;


:D

phroyt 03-28-2020 15:17

Although it compiles on Delphi 10.2 Tokyo, the computed values are messed up.

Using this port works fine:
https://github.com/luizvaz/DelphiEncryptionCompendium

ziapcland 04-13-2020 04:00

Respected sir phroyt,
Your research work is admirable & highly appreciable. Very informative for a keen researcher of decryption. I am working on decrypting ransomware-encrypted data files; this article of yours gives me a track to work on.
Regards & respects.

phroyt 04-28-2020 09:57

If you need help, post the target malware in a new thread.

I am sure that some curious minds would help.

