#1
Help with AES 128 encrypted file
Hi,
I'm trying to decode a file encoded with the DEC 3.0 library (Delphi Encryption Compendium Part I). The key is a SHA256 hash:
d90cwjipoybs3usoh6bs0yn53jk0nlijyy3eocr1lmp0hbdv8o1u3fer7m8bgcpz
No matter how I try, I can't decrypt the file. I know that it's a simple XML file. Looking into the code, I suspect that it is using:
CTS Cipher Text Stealing, a Variant from CBC, but relaxes the restriction that the DataSize must be a mulitply from BufSize, this is the Defaultmode
The encrypted files are here: hxxps://mega.nz/#F!EgRVxCjY!ouEuDqOomGT3hesB1rl_Cg
Does anyone have a clue? I can use any high level language: C#, Delphi, PHP, Python, Perl, etc.
Thanks
The Following User Says Thank You to phroyt For This Useful Post: Indigo (07-19-2019)
#2
Key can be unicode, include trailing 0, plaintext can be compressed etc etc.
The Following User Says Thank You to ketan For This Useful Post: Indigo (07-19-2019)
#4
After some time, I got this solved.
The DEC 3.0 library (Delphi Encryption Compendium Part I) allows you to inform one Key of any length in the object creation.
PHP Code:
And the initialization of the cipher is done too. I was misled into thinking that the AES code was wrong, because the resulting text was still scrambled. But after a little more debugging I found a nasty XOR with a fixed key. Voilà!
Below is the correct code, which has no dependency on the DEC version. It compiles on D7 to D10.2; you only need to change the DEC unit names:
PHP Code:
The Following User Gave Reputation+1 to phroyt For This Useful Post: niculaita (03-28-2020)
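Added example, not code from the thread (the Delphi code posted in #4 is not reproduced on this page): a Python triage helper for the hints in #2 (key encodings, compressed plaintext) and the fixed-key XOR layer described in #4. The AES/DEC decryption step itself is left out; the sample data, the mask bytes, the known XML prefix and the assumption that the XOR key repeats over the decrypted bytes are constructed for illustration.

```python
import zlib

# Constructed sample, not data from the thread: an XML document masked with a
# repeating XOR key, standing in for AES output that still looks scrambled.
SAMPLE_XML = b'<?xml version="1.0" encoding="utf-8"?><config><item id="1"/></config>'
SAMPLE_MASK = b"\x5a\xc3\x11\x7e"   # hypothetical fixed key
KNOWN_PREFIX = b"<?xml version="    # assumed known start of the plaintext


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_encodings(key_text: str) -> dict:
    """Byte forms a Delphi program may derive from one key string."""
    forms = {"ansi": key_text.encode("latin-1"),
             "utf16le": key_text.encode("utf-16-le")}
    # The same forms with the string's trailing NUL character included.
    forms.update({name + "+nul": raw + (b"\0\0" if name == "utf16le" else b"\0")
                  for name, raw in list(forms.items())})
    return forms


def recover_mask(scrambled: bytes, prefix: bytes = KNOWN_PREFIX):
    """Shortest repeating XOR key consistent with the known prefix, or None."""
    # Only keys that repeat at least twice inside the prefix can be confirmed.
    stream = bytes(c ^ p for c, p in zip(scrambled, prefix))
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return None


def classify(candidate: bytes):
    """Label a decryption candidate and return (label, recovered_bytes)."""
    body = candidate[3:] if candidate.startswith(b"\xef\xbb\xbf") else candidate
    if body.startswith(b"<?xml"):
        return "xml", candidate
    try:
        return "zlib", zlib.decompress(candidate)
    except zlib.error:
        pass
    mask = recover_mask(candidate)
    if mask is not None:
        return "xor-masked", xor_repeat(candidate, mask)
    return "unknown", candidate
```

Feed each output of your own decryption routine, run once per entry of `key_encodings(...)`, to `classify` and keep the candidates that are not labelled "unknown".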
#5
Although it compiles on Delphi 10.2 Tokyo, the computed values are messed up.
Using this port works fine: https://github.com/luizvaz/DelphiEncryptionCompendium
#6
Respected sir phroyt,
Your research work is admirable and highly appreciated. It is very informative for keen researchers of decryption. I am working on decrypting ransomware-encrypted data files, and this article of yours gives me a track to work on. Regards and respects.
The Following User Says Thank You to ziapcland For This Useful Post: phroyt (04-28-2020)
#7
If you need help, post the target malware in a new thread.
I am sure that some curious minds would help.