Encrypt/decrypt text

Started by skywalker, March 29, 2006, 02:23:55 PM


skywalker

Quote from: PBrennick on April 01, 2006, 06:31:33 AM
Skywalker,
The following code assembles correctly but really does not do what you want without some additional work.

hth,
Paul


I am using Ollydbg and I figured that at this point the string is decrypted
and I should be able to see the decrypted string. I don't see anything in the hex dump.

What does the 13 represent in DecryptString?

I also saw that there is no ExitProcess statement, is the prog ended some other way ?

I couldn't find RtlZeroMemory in my SDK stuff, where is it ?

Thanks.


    invoke  RtlZeroMemory, ADDR KSRegKey, sizeof KSRegKey
    invoke  DecryptString, OFFSET cryptdata, 152715150, ADDR KSRegKey, 13
    int 3

MichaelW

#16
MSDN: RtlZeroMemory

In my February 2003 version of the PSDK, RtlZeroMemory actually links to an entry for a ZeroMemory function that is defined as the RtlZeroMemory function in Winbase.h:

#define MoveMemory RtlMoveMemory
#define CopyMemory RtlCopyMemory
#define FillMemory RtlFillMemory
#define ZeroMemory RtlZeroMemory
#define SecureZeroMemory RtlSecureZeroMemory


So you would normally expect to use ZeroMemory only from a C/C++ program. From a MASM32 program you should probably use the RtlZeroMemory function exported from kernel32.dll (prototyped in the MASM32 kernel32.inc), which (at least for the Windows 2000 version of kernel32.dll) forwards the call to ntdll.dll, as shown in the kernel32.dll exports:

00058E23  25B   604 RtlFillMemory (forwarder -> NTDLL.RtlFillMemory)
00058E45  25C   605 RtlMoveMemory (forwarder -> NTDLL.RtlMoveMemory)
00058E63  25D   606 RtlUnwind (forwarder -> NTDLL.RtlUnwind)
00058E81  25E   607 RtlZeroMemory (forwarder -> NTDLL.RtlZeroMemory)

eschew obfuscation
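An added example, not part of the post above or of any tool's code: how a PE export table marks a forwarded export like the ones in that kernel32.dll listing. An export whose address RVA falls inside the export directory itself is a forwarder string ("NTDLL.RtlZeroMemory"), not code. The directory bytes, the RVAs and the ExitProcess row are constructed sample data, and `build_sample` / `list_exports` are hypothetical helper names.

```python
import struct

DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY (40 bytes)

def build_sample(dir_rva, ordinal_base, exports):
    """Constructed test data: pack (name, forwarder_or_None, code_rva) into an export directory."""
    n = len(exports)
    str_off = 40 + 10 * n              # header + functions + names + ordinals
    strings, funcs, names = b"", [], []
    for name, fwd, code_rva in exports:
        names.append(dir_rva + str_off + len(strings))
        strings += name.encode() + b"\0"
        if fwd:                        # forwarder: the "function" RVA is a string in the directory
            funcs.append(dir_rva + str_off + len(strings))
            strings += fwd.encode() + b"\0"
        else:
            funcs.append(code_rva)
    hdr = struct.pack(DIR_FMT, 0, 0, 0, 0, 0, ordinal_base, n, n,
                      dir_rva + 40, dir_rva + 40 + 4 * n, dir_rva + 40 + 8 * n)
    return (hdr + struct.pack(f"<{n}I", *funcs) + struct.pack(f"<{n}I", *names)
            + struct.pack(f"<{n}H", *range(n)) + strings)

def cstr(blob, off):
    return blob[off:blob.index(b"\0", off)].decode("ascii")

def list_exports(blob, dir_rva):
    """Return [(ordinal, name, forward_target_or_None)] for a directory mapped at dir_rva."""
    *_, base, n_funcs, n_names, f_rva, n_rva, o_rva = struct.unpack_from(DIR_FMT, blob)
    out = []
    for i in range(n_names):
        name_rva, = struct.unpack_from("<I", blob, n_rva - dir_rva + 4 * i)
        idx, = struct.unpack_from("<H", blob, o_rva - dir_rva + 2 * i)
        if idx >= n_funcs:
            continue                   # malformed entry, skip
        func_rva, = struct.unpack_from("<I", blob, f_rva - dir_rva + 4 * idx)
        # An RVA inside the export directory itself is a forwarder string, not code.
        forwarded = dir_rva <= func_rva < dir_rva + len(blob)
        target = cstr(blob, func_rva - dir_rva) if forwarded else None
        out.append((base + idx, cstr(blob, name_rva - dir_rva), target))
    return out

# Names and forward targets come from the listing above; RVAs and the ExitProcess row are constructed.
SAMPLE = [("ExitProcess", None, 0x2000),
          ("RtlFillMemory", "NTDLL.RtlFillMemory", 0),
          ("RtlZeroMemory", "NTDLL.RtlZeroMemory", 0)]
DIR_RVA = 0x5000

if __name__ == "__main__":
    for ordinal, name, target in list_exports(build_sample(DIR_RVA, 1, SAMPLE), DIR_RVA):
        print(ordinal, name, "(forwarder -> %s)" % target if target else "(code)")
```
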

PBrennick

Michael,
I agree with you.  I guess I just looked for something to substitute for whatever Edgar was using which I could not find anywhere.  I just wanted to give skywalker a working conversion.

Andy,
You drive me crazy to the point that I do not want to help you anymore.  WHERE did I EVER say that I was giving you a working program.  All I gave you was a test bed that proves the conversion will assemble.  NOTHING MORE.  I seriously wonder about you.

Paul
The GeneSys Project is available from:
The Repository or My crappy website

skywalker

Quote from: MichaelW on April 01, 2006, 07:10:43 PM
MSDN: RtlZeroMemory

In my February 2003 version of the PSDK, RtlZeroMemory actually links to an entry for a ZeroMemory function that is defined as the RtlZeroMemory function in Winbase.h:


Thanks Michael. I'll stop the questions for a while. I can hear some lassos swirling thru the air.

Andy


PBrennick

Andy,
It's all right, just stop driving us crazy and think.  Okay?  I know you can do that.

Paul

skywalker

#20
If this will drive anyone crazy, please exit now. :-)

Since I am getting my message box saying the key was successfully created,
where did the key go? Ollydbg isn't showing any error messages.

I don't see cryptdata being decrypted anywhere when I run this. Where is it
being stored ?

I have learned a lot and I know that I'll get it figured out.

Thanks.


; crypt3.asm In progress..
;           
    mark1       db "Start" ; see where this is at and what's in here
                    ; 52 characters
    cryptdata   DB  05Ah,04Fh,0C4h,0D8h,052h,053h,0ECh,0FAh,044h,04Bh
                DB  09Ah,0B6h,018h,00Fh,0AEh,0AEh,030h,039h,0F0h,0DEh
                DB  02Eh,00Dh,080h,0AEh,012h,037h,0F0h,0F6h,016h,035h
                DB  0ACh,0BAh,020h,039h,0E4h,0BAh,018h,037h,09Ah,0AEh
                DB  020h,0D1h,0E8h,094h,022h,019h,0A2h,0B6h,014h,043h
                DB  080h,070h

    mark2       db "End"
    ValueOK     db "Registry key added OK",0 
    Sample      db "BOX",0
.CODE

start:

call    GetKey
invoke  ExitProcess,0

GetKey PROC

    LOCAL   KSRegKey[256] :BYTE
    LOCAL   KeyString[64] :BYTE
    LOCAL   hRegKey :DWORD
    LOCAL   Disposition :DWORD
    LOCAL   uDataCode :DWORD
    LOCAL   cbRead :DWORD

    ;invoke  RtlSecureZeroMemory, ADDR KSRegKey, sizeof KSRegKey
    invoke  RtlZeroMemory, ADDR KSRegKey, sizeof KSRegKey
    invoke  DecryptString, OFFSET cryptdata, 152715150, ADDR KSRegKey, 13
    ;int 3

     ; Key we're trying to make
     ; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",0,"ProductId

    invoke  RegCreateKeyEx, HKEY_LOCAL_MACHINE, ADDR KSRegKey, NULL, NULL,\
            REG_OPTION_NON_VOLATILE, KEY_READ, NULL, ADDR hRegKey, ADDR Disposition

  .IF EAX == ERROR_SUCCESS
   invoke MessageBox, 0, ADDR ValueOK, ADDR Sample,MB_ICONINFORMATION
  .ENDIF

    ;int 3
    or      eax, eax
    jz      @F
    xor     eax, eax
    dec     eax
    ret
@@:
    mov     DWORD PTR [cbRead], 64

    ; what is this doing ?
    invoke  RegQueryValueEx, [hRegKey], ADDR KSRegKey+42, NULL, ADDR uDataCode,\
            ADDR KeyString, ADDR cbRead

    invoke  RegCloseKey, [hRegKey]
    invoke  GenKey, ADDR KeyString
    ;int 3
    xor     eax, eax
    RET

GetKey ENDP


P1

This post has been reported.

What is about to happen is his registry is about to get all messed up by this wild steer bucking through the registry.  He's going to mess it up.  His computer was due for a reload anyway.   :dazzled:   We have done a post on Backup/Restore Point, It will come to good use now.  Test Everything!!!  Good for code development.

I am going to ride this little doggy out, and go for the record.  Yahoo  :dance:   Now, where did I put that Read only Key???  I need it to get out of the gate.

See translated code by Paul ( Donkey's code was in GoAsm format ), then look at what has happened to it. Try not to let the moment get to you.

Regards,  P1  :P

skywalker

#22
Quote from: P1 on April 05, 2006, 07:00:23 PM
This post has been reported.

What is about to happen is his registry is about to get all messed up by this wild steer bucking through the registry.  He's going to mess it up.  His computer was due for a reload anyway.   :dazzled:   We have done a post on Backup/Restore Point, It will come to good use now.  Test Everything!!!  Good for code development.

I am going to ride this little doggy out, and go for the record.  Yahoo  :dance:   Now, where did I put that Read only Key???  I need it to get out of the gate.

See translated code by Paul ( Donkey's code was in GoAsm format ), then look at what has happened to it. Try not to let the moment get to you.

Regards,  P1  :P


Since EncryptString is NEVER used, I chopped it out and now I get  this:
O 0  LastErr ERROR_ACCESS_DENIED (00000005)

I also found an entry in Dr. Watson showing it was trying to make the key. Is ProductId a reserved key maybe ?
:-)





P1

Quote from: skywalker on April 05, 2006, 11:09:21 PM
My registry is armor plated, so I am not worried. :-)
Does not protect you from being branded. 

Regards,  P1  :8)

evlncrn8

Quote from: P1 on April 06, 2006, 01:09:42 PM
Quote from: skywalker on April 05, 2006, 11:09:21 PM
My registry is armor plated, so I am not worried. :-)
Does not protect you from being branded. 

Regards,  P1  :8)

heh now that is classic, and totally true