Luigi Auriemma

Hello Aluigi ,

i have a crypted pass like this way : 6C7E4DDC2D9CB150F63CD4

i'am wondering what encryption is this ?

Thanks

ok cause i'am also interesting on how to know the algo o a password given :p
here you some help : 6C7E4DDC2D9CB150F63CD4 = 3907841

i want to know how come crypted and decrypted password you can know the algo used

cheerz & Thanks

I premise that a sequence of bytes can be anything so your question and your doubt is wrong from the beginning.

anyway there are some rules to have an "idea" of what type or category of algorithm it can be.

for example the string you pasted is probably a sequence of hex chars, so 22 chars which are 11 bytes.
11 bytes is a length not divisible by 16 or 8 so this exclude any algorithm which works with fixed blocks or data like blowfish, aes and so on (otherwise the last bytes were unencrypted).

then it's not a simple xor or rot13 solution or any other byte-per-byte encoding or encryption (for example rc4) because the real password is smaller (7 bytes long).

so it's used a custom algorithm which generates an encoded/encrypted sequence of bytes longer than the original one, job for debugging.

alright i see now Aluigi,

so sometimes when we dont know password algo we go debugging..

i have a question Aluigi if it was AES encryption how i can know the key used ?

here you another string derypted : 6A9D545256E3C50A34 = 12345

Thanks

in that case you need to locate the function which set the AES key and this is a job enough simple because you can retrieve the s-boxes (practically the array with the constants) with my signsrch tool (http://aluigi.org/mytoolz.htm#signsrch) and so with a disassembler you see the function which calls/uses that s-box.

if the key is fixed and you are lucky you could even find the key there in the disassembled code, otherwise you need to use the debugger.
in that case the key can be fixed (like happen almost ever) or it's calculated at runtime using some unique fields of the computer (mac address of the interfaces, productid of windows, volumeid of c: and so on).

hmm nice info Aluigi ,

this will help me a lot of as this is going to be my first decryption

ok here you 3 example fo decrypted and encrypted password

6A9D545256E3C50A34 = 12345
6C7E4DDC2D9CB150F63CD4 = 3907841
C5D3F5979C5710C671B4 = abcdef

so what you suggest me to start from ?

Thanks & much appreciated

the step-by-step is ever the usual:
- find the input string (for example a breakpoint on ReadFile or GetQueryValueA depending by where is located the password)
- follow all the operations performed on it (hardware on-access breakpoints)

you already know that there is a hex2byte conversion somewhere in the program so this is the first operation performed.

then from the encrypted strings you pasted is visible that there is an additional byte for each additional byte in the original password (so if the original is 7 bytes the encrypted one is 11, if it's 8 then it's 12 and so on) which means that there are ever 4 bytes at the beginning of each encrypted string which "could be" (hypothesis) something like a seed (like a mini-key in very poor words) used in the encryption.

been 2 days working on i could not figure it out , tryed many things
damn :s