  #1  
Old 10-24-2018, 16:44
phroyt phroyt is offline
Friend
 
Join Date: May 2018
Posts: 77
Rept. Given: 0
Rept. Rcvd 8 Times in 4 Posts
Thanks Given: 35
Thanks Rcvd at 106 Times in 40 Posts
phroyt Reputation: 8
Help with AES 128 encrypted file

Hi,

I'm trying to decode a file encoded with the DEC 3.0 library (Delphi Encryption Compendium Part I).

The key is a SHA256 hash:
HTML Code:
  d90cwjipoybs3usoh6bs0yn53jk0nlijyy3eocr1lmp0hbdv8o1u3fer7m8bgcpz
It's cropped to 16, to fit the maximum 128 key size.

No matter how I try, I can't decrypt the file.
I know that it's a simple XML file.

Looking into the code, I suspect that it is using:
CTS Cipher Text Stealing, a Variant from CBC, but relaxes
the restriction that the DataSize must be a mulitply from BufSize,
this is the Defaultmode

The encrypted files are here:
hxxps://mega.nz/#F!EgRVxCjY!ouEuDqOomGT3hesB1rl_Cg

Does anyone have a clue?
I can use any high level language: C#, Delphi, PHP, Python, Perl, etc.

Thanks
The Following User Says Thank You to phroyt For This Useful Post:
Indigo (07-19-2019)
  #2  
Old 10-25-2018, 06:34
ketan ketan is offline
Friend
 
Join Date: Mar 2005
Posts: 154
Rept. Given: 0
Rept. Rcvd 17 Times in 9 Posts
Thanks Given: 8
Thanks Rcvd at 138 Times in 72 Posts
ketan Reputation: 17
Key can be unicode, include trailing 0, plaintext can be compressed etc etc.
The Following User Says Thank You to ketan For This Useful Post:
Indigo (07-19-2019)
  #3  
Old 06-27-2019, 03:45
phroyt phroyt is offline
Nope,

It's a 32-bit Delphi XE7 executable.
I checked that.
The Following User Says Thank You to phroyt For This Useful Post:
Indigo (07-19-2019)
  #4  
Old 03-06-2020, 16:06
phroyt phroyt is offline

After some time, I got this solved.

The DEC 3.0 library (Delphi Encryption Compendium Part I) allows you to supply a key of any length at object creation.

PHP Code:
Key := 'd90cwjipoybs3usoh6bs0yn53jk0nlijyy3eocr1lmp0hbdv8o1u3fer7m8bgcpz';
Cipher := TCipher_Rijndael.Create(Key, nil);

Behind the TCipher.Create method, a THash_RipeMD256 is used to create a DigestKey, 32 bytes long.
The initialization of the cipher is done there too.

I was misled into thinking that the AES code was wrong, because the resulting text was still scrambled.
But after a little more debugging I found a nasty XOR with a fixed key.

Voilà!

Below is the correct code, which has no dependency on the DEC version.
It compiles on D7 to D10.2; you only need to change the DEC unit names:

PHP Code:
implementation

{$R *.dfm}

uses
  Cipher, Cipher1, Hash;

// Repeating-key XOR of V^ with X^, in place (1-based string indexing).
procedure SimpleXOR(V, X: PAnsiString);
var
  I, J, K, L: Integer;
begin
  L := 0;
  J := Length(V^);
  if (J >= 1) then  // nothing to do for empty input
  begin
    K := Length(X^);
    for I := 1 to J do
    begin
      Inc(L);
      if (L > K) then
        L := 1;  // wrap around to the start of the XOR key
      V^[I] := AnsiChar(Ord(V^[I]) xor Ord(X^[L]));
    end;
  end;
end;

function DecodeFile(Filename: String): AnsiString;
const
  // Fixed 21-byte XOR key applied after the cipher stage
  Code: AnsiString =
    #$CE#$E1#$FB#$BF#$E8#$AE#$F1#$83+
    #$23#$24#$25#$26#$3F#$7D#$2A#$28+
    #$3C#$3E#$5E#$3B#$B4;
  Key: AnsiString =
    'd90cwjipoybs3usoh6bs0yn53jk0nli'+
    'jyy3eocr1lmp0hbdv8o1u3fer7m8bgcpz';
var
  Cipher: TCipher_Rijndael;
  Hash: THash_RipeMD256;
  K: String;
  F1: TFileStream;
  S1: TStringStream;
  Data: AnsiString;

begin
  Result := '';
  if FileExists(Filename) then
  begin
    F1 := TFileStream.Create(Filename, fmOpenRead+fmShareDenyNone);
    S1 := TStringStream.Create('');

    //DEC 3.0
    // Reproduce by hand what TCipher.Create(Key, nil) does internally:
    // hash the key with RipeMD256, then initialize the cipher with the digest.
    Cipher := TCipher_Rijndael.Create('', nil);
    Hash := THash_RipeMD256.Create(nil);
    Hash.Init;
    Hash.Calc(PAnsiChar(Key)^, Length(Key));
    Hash.Done;
    Cipher.Init(Hash.DigestKey^, Hash.DigestKeySize, nil);
    Cipher.EncodeBuffer(Hash.DigestKey^, Hash.DigestKey^, Hash.DigestKeySize);
    Cipher.Done;
    FreeAndNil(Hash);  // the hash object is not needed after cipher setup

    // Decrypt the whole file into the string stream
    F1.Position := 0;
    S1.Size := F1.Size;
    S1.Position := 0;
    Cipher.DecodeStream(F1, S1, F1.Size);
    FreeAndNil(Cipher);

    S1.Position := 0;
    SetLength(Data, S1.Size);
    Data := S1.DataString;
    FreeAndNil(F1);
    FreeAndNil(S1);

    // Remove the fixed-key XOR layer that sits on top of the cipher output
    SimpleXOR(PAnsiString(@Data), PAnsiString(@Code));
    Result := Data;
  end;
end;

procedure TForm1.btn1Click(Sender: TObject);
var
  F, P: String;
  F1: TFileStream;
begin
  P := ExtractFilePath(ParamStr(0));
  F := P+'somefile.bin';
  mmo1.Text := DecodeFile(F);
end;

The Following User Gave Reputation+1 to phroyt For This Useful Post:
niculaita (03-28-2020)
The Following 5 Users Say Thank You to phroyt For This Useful Post:
Abaddon (03-06-2020), chants (03-06-2020), niculaita (03-07-2020), ontryit (04-13-2020), ziapcland (04-13-2020)
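
The fixed-key XOR stage described in post #4, as an added Python example that is not part of the thread and not the poster's code: it applies the 21-byte mask from the `Code` constant and shows how a known XML prolog exposes such a repeating mask in cipher-stage output that still looks scrambled. The sample plaintext, the crib and the function names are assumptions made for this example; the RipeMD256 and Rijndael stages are not reproduced.

```python
# Added example (not from the thread): the fixed-mask XOR layer and a
# known-plaintext check for it. Sample data below is constructed.

# 21-byte mask, transcribed from the `Code` constant in the Delphi listing.
XOR_MASK = bytes.fromhex("cee1fbbfe8aef183" "232425263f7d2a28" "3c3e5e3bb4")


def simple_xor(data: bytes, mask: bytes = XOR_MASK) -> bytes:
    """Repeating-key XOR, equivalent to SimpleXOR; applying it twice is a no-op."""
    if not mask:
        raise ValueError("mask must not be empty")
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def recover_keystream(scrambled: bytes, crib: bytes) -> bytes:
    """XOR the start of the buffer with the plaintext it is expected to hold."""
    return bytes(s ^ c for s, c in zip(scrambled, crib))


def smallest_period(keystream: bytes, min_overlap: int = 8) -> int:
    """Smallest p with keystream[i] == keystream[i + p] for every i.

    Returns 0 when no period leaves at least `min_overlap` bytes of
    repetition as evidence, i.e. the crib is too short to decide.
    """
    for p in range(1, len(keystream) - min_overlap + 1):
        if all(keystream[i] == keystream[i + p] for i in range(len(keystream) - p)):
            return p
    return 0


def demo():
    # Constructed stand-in for the cipher-stage output of an XML file.
    plain = b'<?xml version="1.0" encoding="UTF-8"?>\n<config><item id="1"/></config>'
    scrambled = simple_xor(plain)
    crib = b'<?xml version="1.0" encoding="UTF-8"?>'  # assumed XML prolog
    ks = recover_keystream(scrambled, crib)
    period = smallest_period(ks)  # the recovered keystream repeats every 21 bytes
    mask = ks[:period]
    return period, mask, simple_xor(scrambled, mask)


if __name__ == "__main__":
    period, mask, text = demo()
    print(period, mask.hex(), text.decode())
```
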
  #5  
Old 03-28-2020, 15:17
phroyt phroyt is offline
Although it compiles on Delphi 10.2 Tokyo, the computed values are messed up.

Using this port works fine:
https://github.com/luizvaz/DelphiEncryptionCompendium
The Following 2 Users Say Thank You to phroyt For This Useful Post:
ontryit (04-13-2020), ziapcland (04-13-2020)
  #6  
Old 04-13-2020, 04:00
ziapcland ziapcland is offline
Friend
 
Join Date: Apr 2020
Location: Rawalpindi, Pakistan
Posts: 4
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 22
Thanks Rcvd at 1 Time in 1 Post
ziapcland Reputation: 0
Respected sir phroyt,
Your research work is admirable & highly appreciable. Very informative for keen researchers of decryption. I am working on decrypting ransomware-encrypted data files; this article of yours gives a track to work on.
Regards & respects.
The Following User Says Thank You to ziapcland For This Useful Post:
phroyt (04-28-2020)
  #7  
Old 04-28-2020, 09:57
phroyt phroyt is offline

If you need help, post the target malware in a new thread.

I am sure that some curious minds would help.