Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 02-17-2005, 22:22
wenij wenij is offline
Friend
 
Join Date: Mar 2004
Posts: 13
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 2 Times in 2 Posts
wenij Reputation: 0
Is it possible to crack encrypted file?

Hi all,
Recently I got one install file its content seems encrypt by its password. And even I can jump to force to install it,it will have corrupt file ...
I know it seems very hard to crack it. And may just using brute force method or have enough good luck.

Can any one suggest me one solution to crack it if possible ?
Reply With Quote
  #2  
Old 02-17-2005, 22:35
Asus Asus is online now
VIP
 
Join Date: Feb 2005
Posts: 563
Rept. Given: 107
Rept. Rcvd 27 Times in 13 Posts
Thanks Given: 103
Thanks Rcvd at 61 Times in 28 Posts
Asus Reputation: 28
wenij, is it Installshield or Wise? If it is one of them, you can brute force to get the correct pwd, but it takes you long time to have the fine result.
Reply With Quote
  #3  
Old 02-17-2005, 23:39
mihaliczaj
 
Posts: n/a
I have to tell I am not that experienced in such things. My first intuitive thoughts for this problem:
1. Somehow (identifying the program used or simply debugging) determine the decryption method used. You don't have to rev.eng. it completely, it is enough if you know how the first some bytes of a file are decrypted having a password given.
2. Find some files where you know what the content should be. Just an example: .exe files should begin with MZ.
3. Examine what matters in the passwd. Sometimes case doesn't matter, look for such things.
4. Write a small prog that tries all different passwds (different in the sense of 3.) to decrypt just those some special files/bytes and check their content (does the decrypted .exe starts with MZ?). This way you will have some passwd candidates.
5. Iterate this method till you will have only few passwd candidates.

Most encryption methods use one-way calculations that means though it is simple to calculate the result having the pass, it is practically impossible to retrieve the pass having the result.

(Once I was given a crypted dBase V file, I had to retrieve the pass. It turned out that only the lower 4 bits of the characters did matter, and there were lots of tricky calculations with the data where sometimes data were lost because of overflows. These calculations were iterated a lot of times so it was practically impossible to create the inverse.
I cut the decrypt part and put it in a small prog that tried the possibilities and it reported the good pass in some hours. (I just had to correct the upper bits in some letters and I had the word 'shoelace'.))

HTH
Reply With Quote
  #4  
Old 02-18-2005, 00:02
kubik kubik is offline
Friend
 
Join Date: Oct 2004
Posts: 9
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
kubik Reputation: 0
I think that you, wenij, speak about InstallShield... then for research you need decompiler, in received listing you will find password check or call of check from library (dll).
Some decompilers that i know:
1. Installshield 6/7 script decompiler by sn00pee
2. Install Shield script decompiler 1.00 beta 15 by NEKOSUKI
3. isDcc v2.10 by Mr. Smith
Reply With Quote
  #5  
Old 02-18-2005, 21:50
wenij wenij is offline
Friend
 
Join Date: Mar 2004
Posts: 13
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 2 Times in 2 Posts
wenij Reputation: 0
Hi all,
Thanks for your reply ,first.
I don't know what install tool it use. When install start ,it ask the password for Next step. I can skip this step and I reverse its code. And got the decrypt part's code. It seems one way encrypt.
So,What I think is just to using the brute force method to crack it.
But it really wast time ..... .
So ,may be someone can give me more efficiency method to do it.
Reply With Quote
  #6  
Old 02-19-2005, 01:15
mihaliczaj
 
Posts: n/a
Could you send an url to the prog?
It would be easier to talk about it if I saw the exact details.
Reply With Quote
  #7  
Old 02-19-2005, 07:04
tbone
 
Posts: n/a
Yeah, the first thing you need to do is gather as much information about the target as you can. Check the version tab of the file's properties first. Usually that will tell you what installer is being used. If that doesn't work, try looking at it with a hex editor or loading it into Olly or IDA. Check for string references from there that might tell you what installer they used.

It's always possible that they used some homemade installer, but the much greater possibility is that they used a common installer like Installshield, Vbox, WISE, etc. Once you know what installer is used, I'm sure you can find tutorials and/or decompilers and/or password crackers for that installer. I mean, you could just start trying to reverse it like any other program. And I'm not saying that isn't a worthy pursuit if you just want to figure out how to reverse it without using any tuts or tools. But if your goal is just to get the installer open so you can work on the payload, there may not be a lot of point in reinventing the wheel.

At any rate, it's really hard for anyone else to give you meaningful advice if they don't know what installer you're working on.
Reply With Quote
  #8  
Old 02-19-2005, 08:15
wenij wenij is offline
Friend
 
Join Date: Mar 2004
Posts: 13
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 2 Times in 2 Posts
wenij Reputation: 0
Thanks all.
The Program I try to decrypt should got at
[fxp]://ftp*forth*com/pub/SwiftX/SwiftX-Pro-xxxx.exe
with anonymous account.
I never used the tools or installer before. (I will try to study it )
Is the homemade installer will also encrypt the content files using its algorithm ? Or user can add its algorithm ?
Reply With Quote
  #9  
Old 02-19-2005, 20:20
Cobi Cobi is offline
Friend
 
Join Date: Sep 2004
Location: Germany
Posts: 55
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
Cobi Reputation: 0
It is "Inno Setup" with the ISCrypt Module, there is a unpacking Plugin for TotalCommander but i dunno if it helps you with the encrypted Files.
http://www.jrsoftware.org/isdl.php
http://www.totalcmd.net/plugring/InnoSetupAddon.html

Other unpacking Project:
http://innounp.sourceforge.net/
"Install Explorer" Plugin for the "FAR Manager" that should unpack it too:
ftp://ftp.sac.sk/pub/sac/utilfile/instexpl.rar

Äh, and the ISCrypt Module is Open Source and just a couple of Lines long, so it shouldn't be that hard to figure out if its possible to bruteforce this before the Sun is burning out

Last edited by Cobi; 02-19-2005 at 20:47.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Encrypted video file yologuy General Discussion 15 10-07-2021 18:40
Help with AES 128 encrypted file phroyt General Discussion 6 04-28-2020 09:57
Reversing obfuscated and encrypted JAR file Chuck954 General Discussion 8 10-11-2019 10:04


All times are GMT +8. The time now is 17:25.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2022 )