Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 10-24-2018, 16:44
phroyt phroyt is offline
Friend
 
Join Date: May 2018
Posts: 39
Rept. Given: 0
Rept. Rcvd 7 Times in 3 Posts
Thanks Given: 9
Thanks Rcvd at 65 Times in 25 Posts
phroyt Reputation: 7
Help with AES 128 encrypted file

Hi,

I'm trying to decode a file encoded with DEC 3.0 library (Delphi Encryption Compedium Part I).

The key is a SHA256 hash:
HTML Code:
  d90cwjipoybs3usoh6bs0yn53jk0nlijyy3eocr1lmp0hbdv8o1u3fer7m8bgcpz
It's croped to 16, to fit the maximum 128 key size.

No matter how I try, I can't decrypt the file.
I know that its a simples XML file.

Looking into the code, I suspect that it is using:
CTS Cipher Text Stealing, a Variant from CBC, but relaxes
the restriction that the DataSize must be a mulitply from BufSize,
this is the Defaultmode

The encrypted files are here:
hxxps://mega.nz/#F!EgRVxCjY!ouEuDqOomGT3hesB1rl_Cg

Does anyone have a clue?
I can use any high level language: C#, Delphi, PHP, Python, Perl, etc.

Thanks
Reply With Quote
The Following User Says Thank You to phroyt For This Useful Post:
Indigo (07-19-2019)
  #2  
Old 10-25-2018, 06:34
ketan ketan is offline
Friend
 
Join Date: Mar 2005
Posts: 94
Rept. Given: 0
Rept. Rcvd 11 Times in 4 Posts
Thanks Given: 4
Thanks Rcvd at 81 Times in 45 Posts
ketan Reputation: 11
Key can be unicode, include trailing 0, plaintext can be compressed etc etc.
Reply With Quote
The Following User Says Thank You to ketan For This Useful Post:
Indigo (07-19-2019)
  #3  
Old 06-27-2019, 03:45
phroyt phroyt is offline
Friend
 
Join Date: May 2018
Posts: 39
Rept. Given: 0
Rept. Rcvd 7 Times in 3 Posts
Thanks Given: 9
Thanks Rcvd at 65 Times in 25 Posts
phroyt Reputation: 7
Nope,

It's a 32bits Delphi XE7 Executable.
I checked that.
Reply With Quote
The Following User Says Thank You to phroyt For This Useful Post:
Indigo (07-19-2019)
  #4  
Old 03-06-2020, 16:06
phroyt phroyt is offline
Friend
 
Join Date: May 2018
Posts: 39
Rept. Given: 0
Rept. Rcvd 7 Times in 3 Posts
Thanks Given: 9
Thanks Rcvd at 65 Times in 25 Posts
phroyt Reputation: 7
Cool

After some time, I got this solved.

The DEC 3.0 library (Delphi Encryption Compedium Part I), allow you to inform one Key in the object creation with any length.

PHP Code:
Key := 'd90cwjipoybs3usoh6bs0yn53jk0nlijyy3eocr1lmp0hbdv8o1u3fer7m8bgcpz';
Cipher := TCipher_Rijndael.Create(Keynil); 
Behind the TCipher.Create method, it is used a THash_RipeMD256 to create a DigestKey, 32 bytes long.
And the Initialization of Cipher is done too.

I mislead to think that the AES code was wrong, because the result text still scrambled.
But after taking a little more debugging I found a nasty XOR with a fixed key.

Voilá!

Below is the correct code, that has no dependency on DEC Version.
Compiles on D7 to D10.2, only need to change DEC unit names:

PHP Code:
implementation

{$R *.dfm}

uses
  Cipher
Cipher1Hash;

procedure SimpleXOR(VPAnsiStringXPAnsiString);
var
  
I,J,K,LInteger;
begin
  L 
:= 0;
  
:= Length(V^);
  if (
1then
  begin
    K 
:= Length(X^);
    for 
:= 1 to J do
    
begin
      Inc
(L);
      if (
L>Kthen
        L 
:= 1;
      
V^[I] := AnsiChar(Ord(V^[I]) xor Ord(X^[L]));
    
end;
  
end;
end;

function 
DecodeFile(FilenameString): AnsiString;
const
  
CodeAnsiString =
    
#$CE#$E1#$FB#$BF#$E8#$AE#$F1#$83+
    #$23#$24#$25#$26#$3F#$7D#$2A#$28+
    #$3C#$3E#$5E#$3B#$B4;
  
KeyAnsiString =
    
'd90cwjipoybs3usoh6bs0yn53jk0nli'+
    
'jyy3eocr1lmp0hbdv8o1u3fer7m8bgcpz';
var
  
CipherTCipher_Rijndael;
  
HashTHash_RipeMD256;
  
KString;
  
F1TFileStream;
  
S1TStringStream;
  
DataAnsiString;

begin
  Result 
:= '';
  if 
FileExists(Filenamethen
  begin
    F1 
:= TFileStream.Create(FilenamefmOpenRead+fmShareDenyNone);
    
S1 := TStringStream.Create('');

    
//DEC 3.0
    
Cipher := TCipher_Rijndael.Create(''nil);
    
Hash := THash_RipeMD256.Create(nil);
    
Hash.Init;
    
Hash.Calc(PAnsiChar(Key)^, Length(Key));
    
Hash.Done;
    
Cipher.Init(Hash.DigestKey^, Hash.DigestKeySizenil);
    
Cipher.EncodeBuffer(Hash.DigestKey^, Hash.DigestKey^, Hash.DigestKeySize);
    
Cipher.Done;

    
F1.Position := 0;
    
S1.Size := F1.Size;
    
S1.Position := 0;
    
Cipher.DecodeStream(F1S1F1.Size);
    
FreeAndNil(Cipher);

    
S1.Position := 0;
    
SetLength(DataS1.Size);
    
Data := S1.DataString;
    
FreeAndNil(F1);
    
FreeAndNil(S1);

    
SimpleXOR(PAnsiString(@Data), PAnsiString(@Code));
    
Result := Data;
  
end;
end;

procedure TForm1.btn1Click(SenderTObject);
var
  
FPString;
  
F1TFileStream;
begin
  P 
:= ExtractFilePath(ParamStr(0));
  
:= P+'somefile.bin';
  
mmo1.Text := DecodeFile(F);
end

Reply With Quote
The Following User Gave Reputation+1 to phroyt For This Useful Post:
niculaita (03-28-2020)
The Following 3 Users Say Thank You to phroyt For This Useful Post:
Abaddon (03-06-2020), chants (03-06-2020), niculaita (03-07-2020)
  #5  
Old 03-28-2020, 15:17
phroyt phroyt is offline
Friend
 
Join Date: May 2018
Posts: 39
Rept. Given: 0
Rept. Rcvd 7 Times in 3 Posts
Thanks Given: 9
Thanks Rcvd at 65 Times in 25 Posts
phroyt Reputation: 7
Although it compiles on Delphi 10.2 Tokyo, the computed values are messed up.

Using this port works fine:
https://github.com/luizvaz/DelphiEncryptionCompendium
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Reversing obfuscated and encrypted JAR file Chuck954 General Discussion 8 10-11-2019 10:04
Is it possible to crack encrypted file? wenij General Discussion 8 02-19-2005 20:20
Help..Anyone know if this is encrypted?? bunion General Discussion 16 08-01-2003 21:48


All times are GMT +8. The time now is 00:28.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2020 )