Help with AES 128 encrypted file
Hi,
I'm trying to decode a file encoded with the DEC 3.0 library (Delphi Encryption Compendium Part I). The key is a SHA256 hash:
HTML Code:
d90cwjipoybs3usoh6bs0yn53jk0nlijyy3eocr1lmp0hbdv8o1u3fer7m8bgcpz
No matter how I try, I can't decrypt the file. I know that it's a simple XML file.
Looking into the code, I suspect that it is using:
CTS Cipher Text Stealing, a Variant from CBC, but relaxes the restriction that the DataSize must be a multiple of BufSize, this is the Defaultmode
The encrypted files are here: hxxps://mega.nz/#F!EgRVxCjY!ouEuDqOomGT3hesB1rl_Cg
Does anyone have a clue? I can use any high level language: C#, Delphi, PHP, Python, Perl, etc.
Thanks |
Key can be unicode, include trailing 0, plaintext can be compressed etc etc.
|
Nope,
It's a 32-bit Delphi XE7 executable. I checked that. |
After some time, I got this solved.
The DEC 3.0 library (Delphi Encryption Compendium Part I) allows you to provide a key of any length at object creation.
PHP Code:
And the initialization of the cipher is done too. I was misled into thinking that the AES code was wrong, because the resulting text was still scrambled. But after a little more debugging I found a nasty XOR with a fixed key. Voilà!
Below is the correct code, which has no dependency on the DEC version. It compiles on D7 to D10.2; you only need to change the DEC unit names:
PHP Code:
:D |
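An added illustration, not part of the original post and not the poster's code: when a block-cipher decryption is right but the output is still scrambled by a fixed XOR key, a known file header is enough to recover that key. This sketch assumes the XOR key is short and repeating and that the plaintext begins with the usual XML prolog; all names, the sample key and the sample document are constructed for the example.

```python
from itertools import cycle

# Assumed known plaintext: the thread says the file is XML.
XML_PROLOG = b'<?xml version="1.0"'

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i + p] for every valid i."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)

def printable_ratio(data: bytes) -> float:
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) if data else 0.0

def recover_xor_key(scrambled: bytes, known_prefix: bytes = XML_PROLOG):
    """Return (key, plaintext), or None if no short repeating key fits."""
    if len(scrambled) < len(known_prefix):
        return None
    # ciphertext XOR known plaintext exposes the key stream
    keystream = bytes(c ^ p for c, p in zip(scrambled, known_prefix))
    period = shortest_period(keystream)
    # require at least two full repeats inside the known prefix,
    # otherwise the "period" is just a coincidence at the tail
    if period * 2 > len(keystream):
        return None
    key = keystream[:period]
    plain = xor_repeat(scrambled, key)
    # sanity check: the whole file should now read as text
    if printable_ratio(plain) < 0.95:
        return None
    return key, plain

# Constructed sample: a small XML document scrambled with a made-up 4-byte key.
SAMPLE_KEY = bytes.fromhex("5ac31788")
SAMPLE_DOC = (b'<?xml version="1.0" encoding="utf-8"?>\n'
              b'<config><item id="1">demo</item></config>\n')
SAMPLE_SCRAMBLED = xor_repeat(SAMPLE_DOC, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_xor_key(SAMPLE_SCRAMBLED)
    print("key:", key.hex())
    print(plain.decode())
```

If the real file starts with a byte-order mark or uses single quotes in the prolog, pass a different `known_prefix`.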
Although it compiles on Delphi 10.2 Tokyo, the computed values are messed up.
Using this port works fine: https://github.com/luizvaz/DelphiEncryptionCompendium |
Respected sir phroyt,
Your research work is admirable and highly appreciated. Very informative for keen researchers of decryption. I am working on decrypting data files encrypted by ransomware, and this article of yours gives a track to work on. Regards & respects. |
If you need help, post the target malware in a new thread.
I am sure that some curious minds would help. |