5 Replies - 315 Views - Last Post: 22 August 2018 - 01:09 PM Rate Topic: -----

#1 iubianca   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 4
  • Joined: 25-July 18

Decrypt picture

Posted 22 August 2018 - 07:54 AM

Below I have the code that crypts the content of in.png, I do not have this file, I have out.crypted at hand and I need too write the reversed code in C++ in order to get the picture, but what I wrote doesn't decrypt the content well, I don't know why, could you please help me? After the code in assembly is what I wrote in C++.

00401110 sub_401110      proc near               ; CODE XREF: start+51p
.text:00401110                                         ; start+64p
.text:00401110
.text:00401110 nrOfBytes_0     = dword ptr  8
.text:00401110 nrOfBytes_4     = dword ptr  0Ch
.text:00401110
.text:00401110                 push    ebp
.text:00401111                 mov     ebp, esp
.text:00401113                 imul    eax, dword_403000, 3 ; eax=dword*3
.text:0040111A                 mov     ecx, [ebp+nrOfBytes_4] ; ecx=nrOfBytes
.text:0040111D                 and     ecx, 0FFh       ; ecx=nrOfBytes&0xFF
.text:00401123                 lea     edx, [eax+ecx+1] ; edx=ecx+eax+1=dword*3+nrOfBytes&0xFF+1
.text:00401127                 and     edx, 0FFFFFFh   ; edx=(dword*3+nrOfBytes&0xFF+1)&0xFFFFFF
.text:0040112D                 mov     dword_403000, edx ; dword=(dword*3+nrOfBytes&0x0FF+1)&0x0FFFFFF
.text:00401133                 mov     eax, dword_403000 ; eax=dword
.text:00401138                 xor     edx, edx
.text:0040113A                 div     [ebp+nrOfBytes_0]
.text:0040113D                 mov     eax, edx        ; index=((dword*3+nrOfBytes&0x0FF+1)&0x0FFFFFF)%nrOfBytes
.text:0040113F                 pop     ebp
.text:00401140                 retn
.text:00401140 sub_401110      endp
.text:00401140
.text:00401140 ; ---------------------------------------------------------------------------
.text:00401141                 align 10h
.text:00401150
.text:00401150 ; =============== S U B R O U T I N E =======================================
.text:00401150
.text:00401150 ; Attributes: bp-based frame
.text:00401150
.text:00401150                 public start
.text:00401150 start           proc near
.text:00401150
.text:00401150 temp            = dword ptr -14h
.text:00401150 index2          = dword ptr -10h
.text:00401150 index1          = dword ptr -0Ch
.text:00401150 contor          = dword ptr -8
.text:00401150 nrOfBytes       = dword ptr -4
.text:00401150
.text:00401150                 push    ebp
.text:00401151                 mov     ebp, esp
.text:00401153                 sub     esp, 14h
.text:00401156                 push    0F4240h         ; int
.text:0040115B                 push    offset byte_403008 ; lpBuffer
.text:00401160                 push    offset FileName ; "in.png"
.text:00401165                 call    ReadFILE
.text:0040116A                 add     esp, 0Ch
.text:0040116D                 mov     [ebp+nrOfBytes], eax
.text:00401170                 cmp     [ebp+nrOfBytes], 0
.text:00401174                 jnz     short loc_40117D
.text:00401176                 xor     eax, eax
.text:00401178                 jmp     loc_401208
.text:0040117D ; ---------------------------------------------------------------------------
.text:0040117D
.text:0040117D loc_40117D:                             ; CODE XREF: start+24j
.text:0040117D                 mov     [ebp+contor], 0
.text:00401184                 jmp     short loc_40118F
.text:00401186 ; ---------------------------------------------------------------------------
.text:00401186
.text:00401186 loc_401186:                             ; CODE XREF: start+9Aj
.text:00401186                 mov     eax, [ebp+contor]
.text:00401189                 add     eax, 1
.text:0040118C                 mov     [ebp+contor], eax
.text:0040118F
.text:0040118F loc_40118F:                             ; CODE XREF: start+34j
.text:0040118F                 mov     ecx, [ebp+nrOfBytes]
.text:00401192                 shl     ecx, 1          ; nrOfBytes<<1
.text:00401194                 cmp     [ebp+contor], ecx
.text:00401197                 jnb     short loc_4011EC ; if (contor<nrOfBytes<<1) se executa ce e mai jos else writeFile
.text:00401199                 mov     edx, [ebp+nrOfBytes]
.text:0040119C                 push    edx
.text:0040119D                 mov     eax, [ebp+nrOfBytes]
.text:004011A0                 push    eax
.text:004011A1                 call    sub_401110      ; returneaza un index
.text:004011A1                                         ; index=((dword*3+nrOfBytes&0x0FF+1)&0x0FFFFFF)%nrOfBytes
.text:004011A6                 add     esp, 8
.text:004011A9                 mov     [ebp+index1], eax
.text:004011AC                 mov     ecx, [ebp+nrOfBytes]
.text:004011AF                 push    ecx
.text:004011B0                 mov     edx, [ebp+nrOfBytes]
.text:004011B3                 push    edx
.text:004011B4                 call    sub_401110      ; returneaza un index
.text:004011B4                                         ; index=((dword*3+nrOfBytes&0x0FF+1)&0x0FFFFFF)%nrOfBytes
.text:004011B9                 add     esp, 8
.text:004011BC                 mov     [ebp+index2], eax
.text:004011BF                 mov     eax, [ebp+index1]
.text:004011C2                 movzx   ecx, byte_403008[eax]
.text:004011C9                 mov     [ebp+temp], ecx
.text:004011CC                 mov     edx, [ebp+index1]
.text:004011CF                 mov     eax, [ebp+index2]
.text:004011D2                 mov     cl, byte_403008[eax]
.text:004011D8                 mov     byte_403008[edx], cl
.text:004011DE                 mov     edx, [ebp+index2]
.text:004011E1                 mov     al, byte ptr [ebp+temp]
.text:004011E4                 mov     byte_403008[edx], al
.text:004011EA                 jmp     short loc_401186
.text:004011EC ; ---------------------------------------------------------------------------
.text:004011EC
.text:004011EC loc_4011EC:                             ; CODE XREF: start+47j
.text:004011EC                 mov     ecx, [ebp+nrOfBytes]
.text:004011EF                 push    ecx             ; nNumberOfBytesToWrite
.text:004011F0                 push    offset byte_403008 ; lpBuffer
.text:004011F5                 push    offset aOut_crypted ; "out.crypted"
.text:004011FA                 call    WriteFILE
.text:004011FF                 add     esp, 0Ch
.text:00401202                 jmp     short loc_401206
.text:00401204 ; ---------------------------------------------------------------------------
.text:00401204                 jmp     short loc_401208
.text:00401206 ; ---------------------------------------------------------------------------
.text:00401206
.text:00401206 loc_401206:                             ; CODE XREF: start+B2j
.text:00401206                 xor     eax, eax
.text:00401208
.text:00401208 loc_401208:                             ; CODE XREF: start+28j
.text:00401208                                         ; start+B4j
.text:00401208                 mov     esp, ebp
.text:0040120A                 pop     ebp
.text:0040120B                 retn
.text:0040120B start           endp


#include<iostream>
#include<conio.h>
#include<Windows.h>

using namespace std;

#define MAX 777480 
#define MAX2 1554960

BYTE bufferOut[MAX];
DWORD swap1[MAX2];
DWORD swap2[MAX2];

void error(const char* msg)
{
	cout << msg << endl;
	system("PAUSE");
}

int main(void) {

	HANDLE hFileCryped = CreateFile("out.crypted", GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
	if (hFileCryped == INVALID_HANDLE_VALUE)
	{
		error("INVALID_HANDLE_VALUE crypted.out");
		return 1;
	}
	DWORD bytesRead;
	if (ReadFile(hFileCryped, bufferOut, MAX, &bytesRead, 0) == 0) 
	{
		error("Error ReadFile crypted.out");
		return 1;
	}
	if (bytesRead != MAX)
	{
		error("Error bytesRead");
		return 1;
	}
	DWORD index1;
	DWORD index2;
	BYTE temp;
	DWORD dword=0;
	DWORD i = 0;

	for (DWORD contor = 0; contor < 1554960; contor++)
	{
		dword = ((dword * 3) + (777480 & 0xff) + 1 ) & 0x00ffffff;
		index1 = (((dword * 3) + (777480 & 0xff) + 1) & 0x00ffffff) % 777480;
		
		dword = ((dword * 3) + (777480 & 0xff) + 1) & 0x00ffffff;
		index2 = (((dword * 3) + (777480 & 0xff) + 1) & 0x00ffffff) % 777480;
		
		swap1[i] = index1;
		swap2[i] = index2;
		i++;	
	}

	for (int k = 1554959; k >= 0; --k) {
		
		temp = bufferOut[swap1[k]];
		bufferOut[swap1[k]] = bufferOut[swap2[k]];
		bufferOut[swap2[k]] = temp;
	}

	HANDLE hFileIn = CreateFile("in.png", GENERIC_WRITE, 0, 0, 2, 0, 0);
	WriteFile(hFileIn, bufferOut, MAX,0,0);
	system("PAUSE");
	return 0;
}
:code:

This post has been edited by modi123_1: 22 August 2018 - 07:59 AM
Reason for edit:: In the future, please highlight the text that is code and click the [code] button in the editor.


Is This A Good Question/Topic? 0
  • +

Replies To: Decrypt picture

#2 Skydiver   User is online

  • Code herder
  • member icon

Reputation: 6665
  • View blog
  • Posts: 22,757
  • Joined: 05-May 12

Re: Decrypt picture

Posted 22 August 2018 - 08:22 AM

Why do you only have the assembly for the encryption? It looks like you actually disassembled the encryption code based on various attributes I see on the assembly code.

Is this for a game?
Was This Post Helpful? 0
  • +
  • -

#3 iubianca   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 4
  • Joined: 25-July 18

Re: Decrypt picture

Posted 22 August 2018 - 11:09 AM

No, it's not for a game. It's something that I do at school.

This post has been edited by Skydiver: 22 August 2018 - 01:01 PM
Reason for edit:: Removed unnecessary quote. No need to quote the post above yours.

Was This Post Helpful? 0
  • +
  • -

#4 Salem_c   User is offline

  • void main'ers are DOOMED
  • member icon

Reputation: 2279
  • View blog
  • Posts: 4,362
  • Joined: 30-May 10

Re: Decrypt picture

Posted 22 August 2018 - 11:31 AM

Your C++ code seems to contain a lot of numbers which appear nowhere in your assembler.

My suggested work-flow would be
- Write the C++ equivalent of your asm code, mimicking the structure as close as possible. So containing two functions which look and behave as sub_401110() and start() do. Create small wrapper functions to map ReadFILE() to ReadFile() etc.

- Write the C++ code to decrypt the data based on your understanding of the asm as reconstructed in C++. Aim to shadow the structure of the encrypt side of things. Don't (as you do now) inline everything into a big ball of mud.

- Test both together until you can achieve a round trip encrypt / decrypt on a png file of your choice.

- When your chosen round trip works, test the decrypt step with the png you've been given.

Assuming this doesn't work the first time, analyse the decrypted attempt using a hex editor.

It helps to know that PNG has some structure to it.
https://en.wikipedia...etwork_Graphics
For example, you're expecting the characters "PNG" "IHDR" and "IDAT" at fairly constant positions in the file.
Was This Post Helpful? 1
  • +
  • -

#5 iubianca   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 4
  • Joined: 25-July 18

Re: Decrypt picture

Posted 22 August 2018 - 11:34 AM

Thank you very much for the advice, I will look into it the way you suggested me to and I will let you know how it goes.

This post has been edited by Skydiver: 22 August 2018 - 01:03 PM
Reason for edit:: Removed unnecessary quote. No need to quote the post above yours.

Was This Post Helpful? 0
  • +
  • -

#6 Skydiver   User is online

  • Code herder
  • member icon

Reputation: 6665
  • View blog
  • Posts: 22,757
  • Joined: 05-May 12

Re: Decrypt picture

Posted 22 August 2018 - 01:09 PM

iubianca: There is no need to quote the post above yours. Just use the big Reply button or the Fast Reply area.

If this is for school, why do you have the disassembled version of the encryption functions? You should have been given the raw assembler version if the intent was for you to learn how to read assembly code. Furthermore, these jumps:
.text:00401202                 jmp     short loc_401206
.text:00401204 ; ---------------------------------------------------------------------------
.text:00401204                 jmp     short loc_401208
.text:00401206 ; ---------------------------------------------------------------------------
.text:00401206
.text:00401206 loc_401206:                             ; CODE XREF: start+B2j


is not something a human would have written, but something that a compiler would have generated. That means that you should have been given the original C (or C++, or Pascal) code.

Currently, it looks very fishy to me.
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1