Exetools - Functions within a Dll

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - Functions within a Dll (https://forum.exetools.com/showthread.php?t=5086)

Functions within a Dll

Hey members..I have a dilemma...I have a dll (semcomn.dll) and I
dont know anything of the dll other than it has a few functions
inside of it..two functions mainly I'm interested in the Decrypt and
Encrypt functions.

The dilemma is I dont know what are the parameters that are being
passed to these two functions...

Here's the code for the program

Code:



#include <stdio.h>

#include <windows.h>



//        Compile with:

//

//                cl /c agent_pwd.c

//                link agent_pwd.obj



//        Run in ...\Program Files\Microsoft SQL Server\80\Tools\Binn OR place SEMCOMN.RLL in Resources\<LANGID>\ dir below current



// This is host_login_password from msdb.dbo.sp_get_sqlagent_properties

#define EncStr "\x7c\x3b\x57\x65\xee\xe0\x7c\x11\x3a\x5a\xe0\x41\xf8\xa3\x21\x16\x63\xb8\xf6\xbe\xf7\xd6\xfd\x3f\xb5\x19\x4b\xbe\x6b\xc0\xd9\x53"



int main(int argc, char * argv[])

{



BYTE Buff[100];

FARPROC pDecrypt;

HINSTANCE hSEMCOMN;

DWORD dwSize, i;



hSEMCOMN = LoadLibrary("SEMCOMN.DLL");



if(hSEMCOMN!=NULL){

        pDecrypt = GetProcAddress(hSEMCOMN, "Decrypt");



        if(pDecrypt!=NULL){



                dwSize = sizeof(Buff);



                // Actually, I do not know format of this function, but beleive that it is:

                // Decrypt(EncryptedData, EncryptedDataSize, ClearData, SizeOfClearData)

                // Last two params are pointers, as usual

                (pDecrypt)(EncStr, sizeof(EncStr), Buff, &dwSize);



                printf("PASSWORD: ");

                for(i=0;i<dwSize;i++)

                        printf("%c", Buff[i]);

                printf("\n");



        } else {

                printf("Cannot get address of Decrypt(...), %d\n", GetLastError());

        }



} else {

        printf("Cannot load SEMCOMN.DLL, %d\n", GetLastError());

}



if(hSEMCOMN)

        FreeLibrary(hSEMCOMN);



return 0;

}

This is not my code...I have emailed the creator and waitin for a
reply...but any assistance from any of the members here will be
great help!!

Thnx in advance
SOLAR ;)

the decrypt function not uses a password! :confused:
is it a generic decrypt function?
I think that normally every decrypt/encrypt functions have a password argument...

Have you tried to use IDA in the DLL with the signature of the compiler of the dll? (to know the compiler uses PEid or another compiler detector)
Ida can reveals a lot of information about arguments...

The code is clear about what parameters are passed to those two functions. It's a MSSQL password decoder. The value of EncSTR is taken from the registry or trough SQL Profiler.

hxxp://www.blackhat.com/presentations/win-usa-03/bh-win-03-cerrudo/bh-win-03-cerrudo.ppt
hxxp://hosteddocs.ittoolbox.com/Protecting_MSSQL_Databases.pdf
hxxp://hosteddocs.ittoolbox.com/Database_Security.pdf
hxxp://jimmers.russia.webmatrixhosting.net/software.aspx

Do a Google search: agent_pwd SEMCOMN.DLL and you'll find all that.

ENCSTR = encrypted password
sizeof(EncStr) = len of encrypted password
Buff = buffer to store decrypted password
dwSize = len of Buff

I'll recommend you reading a c tutor. :rolleyes:

Hi
Inorder to use functions of a dll you must know the parameters, if you do not have the function proto in some header file then you should find out the parameters by debugging and/or disassembling the dll, reading the code will help to find the number of parameters and what they should be while passing to the function. a useful hint is to look at the return point of the function, there should be some ADD esp,n where n maybe the number of bytes pushed into stack before calling the function, and n is a multiple of 4.

Thanks
--Ali

light shadow is perfectly right, the dll exposes a decryption (encryption too?) routine for the sql server password.
So I think this is not what you were looking for.
I would go a bit OffTopic if I suggested you some other sources for enc/dec routines, so I stop here, but if you need something about this topic, just call me back :)

Thanx for the input everyone..really needed it. :)

I found the program and information by searching for the near identical string u didn in google. I've compiled(In VC++ 0 errors 0 warnings) the program...created the exe. But when ran it go the error(see attachment)

Did the program in debug mode and find out there was a problem with the arguments being passed to the functions are incorrect (?). The guy who wrote the code if read completely isn't very sure either about what parameters are passed to functions. So I figured many skilled coders here Versed in C, C++ and ASM could assist me with finding out what parameters are passed to the function.

Thnx again for u
��OLAR

Google "semcomn.dll" gives you a number of places to download the file.
I use this one -- hxxp://203.64.35.73/OFFICE10/SHAREPT/SQL/X86/BINN/ .
It seems to be a part of SQL server that comes with Office 2000, anyway
it's somewhat old, 1998 or 1999. Search "semcomn.lib" or "semcomn.h" yields
nothing, so the best way is IDA. In fact functions Encrypt() and Decrypt()
are fairly short, I'll list them below.

BTW, where is SOLAR's attachment?

Here is an attached text file of IDA disassembly of semcomn.dll!Encrypt()

Here is an attached text file of IDA disassembly of semcomn.dll!Decrypt()

Look for those arg_0, arg_4 ... they are the parameters passed to the
functions. So Encrypt() has 3 arguments and Decrypt() has 4. You can
read the assemblies directly, it's not very hard, but the two functions
all call some other subroutines.

To build a test program, you need more than just semcomn.dll due to
dependencies. This is what I downloaded

08/24/2004 14:45 90,112 SEMCOMN.DLL
08/24/2004 15:26 24,576 SQLRESLD.DLL
08/24/2004 15:30 147,456 SFC.DLL
08/24/2004 15:35 364,544 SQLGUI.DLL
08/24/2004 15:37 32,768 W95SCM.DLL
08/24/2004 15:38 94,208 SQLSVC.DLL
6 File(s) 753,664 bytes

08/24/2004 15:43 53,248 SQLGUI.RLL
08/24/2004 15:43 24,576 SQLSVC.RLL
08/24/2004 15:44 24,576 SFC.RLL
08/24/2004 15:44 24,576 SEMCOMN.RLL
4 File(s) 126,976 bytes

Then create two programs, here called en.c and de.c

Code:

C:>type en.c



#include <stdio.h>

#include <windows.h>



#define PlainStr "This is a test."



int main(int argc, char * argv[])

{

  BYTE Buff[100];

  FARPROC pEncrypt;

  HINSTANCE hSEMCOMN;

  DWORD dwSize, i;



  hSEMCOMN = LoadLibrary("SEMCOMN.DLL");



  if (hSEMCOMN != NULL)

  {

    pEncrypt = GetProcAddress(hSEMCOMN, "Encrypt");



    if (pEncrypt != NULL)

    {

      dwSize = sizeof(Buff);

      (pEncrypt)(PlainStr, Buff, &dwSize);



      printf("EncStr: ");

      for(i = 0; i < dwSize; i++)

        printf("%c", Buff[i]);

      printf("\n");



      printf("EncStr: ");

      for(i = 0; i < dwSize; i++)

        printf("%x ", Buff[i]);

      printf("\n");

    }

  }



  if (hSEMCOMN)

    FreeLibrary(hSEMCOMN);



  return 0;

}



C:\>type de.c



#include <stdio.h>

#include <windows.h>



#define EncStr1 "\x5b\x06\x86\x01\x26\x7b\xfd\x79\

\x21\x73\xe2\x48\x8f\x79\x8e\xbb\xb4\x2d\xb6\xbb\

\xf2\xe7\x99\x62\xba\x58\x91\xc9\x04\xca\x79\x33"



#define EncStr2 "\x7c\x3b\x57\x65\xee\xe0\x7c\x11\

\x3a\x5a\xe0\x41\xf8\xa3\x21\x16\x63\xb8\xf6\xbe\

\xf7\xd6\xfd\x3f\xb5\x19\x4b\xbe\x6b\xc0\xd9\x53"



int main(int argc, char * argv[])

{



  BYTE Buff1[100], Buff2[100];

  FARPROC pDecrypt;

  HINSTANCE hSEMCOMN;

  DWORD dwSize1, dwSize2, i;



  hSEMCOMN = LoadLibrary("SEMCOMN.DLL");



  if(hSEMCOMN!=NULL)

  {

    pDecrypt = GetProcAddress(hSEMCOMN, "Decrypt");



    if(pDecrypt!=NULL)

    {

      dwSize1 = sizeof(Buff1);

      dwSize2 = sizeof(Buff2);

      (pDecrypt)(EncStr1, sizeof(EncStr1), Buff1, &dwSize1);

      (pDecrypt)(EncStr2, sizeof(EncStr2), Buff2, &dwSize2);



      printf("PlainStr1: ");

      for(i = 0; i < dwSize1; i++)

        printf("%c", Buff1[i]);

      printf("\n");



      printf("PlainStr2: ");

      for(i = 0; i < dwSize2; i++)

        printf("%c", Buff2[i]);

      printf("\n");

    }

  }



  if (hSEMCOMN)

    FreeLibrary(hSEMCOMN);



  return 0;

}

Here are the results

Quote:

C:\>cl en.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 13.10.3077 for 80x86
Copyright (C) Microsoft Corporation 1984-2002. All rights reserved.

en.c
Microsoft (R) Incremental Linker Version 7.10.3077
Copyright (C) Microsoft Corporation. All rights reserved.

/out:en.exe
en.obj

C:\>en.exe
EncStr: [♠å☺&{²y!s��HÅyÄ�[��-�f�[�ݦ�Öb�UXæ�X♦�my3
EncStr: 5b 6 86 1 26 7b fd 79 21 73 e2 48 8f 79 8e bb b4 2d b6 bb f2 e7 99 62 ba 58 91 c9 4 ca 79 33

C:\>cl de.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 13.10.3077 for 80x86
Copyright (C) Microsoft Corporation 1984-2002. All rights reserved.

de.c
Microsoft (R) Incremental Linker Version 7.10.3077
Copyright (C) Microsoft Corporation. All rights reserved.

/out:de.exe
de.obj

C:\>de.exe
PlainStr1: This is a test.
PlainStr2: s e c u r i t y

It should be quite straight-forward. Note EncStr1 in de.c is the output of
en.exe, and EncStr2 comes from SOLAR's original code. The first output of
en.exe is distorted because of HTML char settings, but the second is fine.
Run it yourself and you'll see. :)

[EDIT JMI: truth- You were trying to be and were very helpful for solar, but we really do not need pages and pages of IDA printout displayed on the forum, nor should you post four posts in a row. I've consolidated your posts and made the IDA printouts text attachments. If this was a discussion of more general nature, rather than about this one dll, it might have been more appropriate to leave all that code, but it is better to use attached text files.]

Thank u everyone for ur assistance esp u truth.

I got the code work. :D. Initially I tried compiling the source with M$ VC++ compiler and it gave errors..However compiling the same source with another compiler line GCC or other it works perfectly...Apparently this is a problem with M$'s compiler...it's unable to handle ESP.

Thanx again everyone!

Problem solved...thread closed(on my side)

��OLAR :)