The Cracking of File Locker

by

CASIMIR

Other Essays by Casimir
  • Cracking of Crypt-o-Text v1.21 & v1.24
  • Correspondence From Casimir On Reversing Turbo Encrypto
  • Cracking of Encrypt-It For Windows
  • Cracking of WinXFiles
  • The Cracking of Keeper
  • The Cracking of Gregory Braun's Crypto v3.5
  • The Cracking of SecurityPlus!
  • The Cracking of MasterKey v1.02/1.05

Hi Joe, I have another Xmas present for you! (File Locker, see below) Happy New Year's Day, Caz. A 2-minute crack...

                           
          +++++                  +++          +       +
         +            +++       +   +   +++   ++     ++         ++++ 
    by  +            +   +       +       +    + +   + +   +++   +   +
        +          +++++++++      +      +    +  +++  +    +    +   +
         +         +       +       +     +    +   +   +    +    ++++   
          +++++   +         +   +   +   +++   +   +   +    +    +  +
                                 +++                      +++   +   +
    
    Victim: File Locker v1.11 by Microsort CA [flocker.exe : 212992 bytes] Get it at: Microsort CA

    Tools:

           -a system-level debugger -> Winice by NuMega
           -a disassembler          -> W32dasm by URSoftware
           -a hexadecimal editor    -> HexWorkshop by BreakPoint Software
    
    NEVER decrypt the original password, for God's sake! If you do, a casual cracker only has to locate the COMPARE sequence in the code to find out what the correct pwd is. Even worse, you used a *standard* VB function to compare the correct pwd to the pwd entered. How lazy!

    Crack steps:

    1. Disassemble flocker.exe. Look at the beginning of the listing (IMPORTED FUNCTIONS section). Huumm... This program imports functions from a Visual Basic module: MSVBVM50.dll. The MSVBVM50.dll module is located in your c:\windows\system\ directory. Some of those functions may be of interest to us, so we'll need to be able to monitor them. To do that, we modify the Winice configuration file (winice.dat) so it loads the VB functions at startup: add the following line to the EXP list:

    Ok, now we can start Winice; it'll work fine. Before doing so, encrypt a file with pwd: 666666.

    2. A VB function is specifically designed to compare strings: __vbastrcmp, so we'll keep an eye on it, just in case... {;-) Inside Flocker, start the decryption process with pwd: 7777777, but just before double-clicking on the file you want to decrypt, enter Winice and set a breakpoint on this function: __vbastrcmp. Leave Winice and double-click...

    3. ...BINGO! Winice pops up at the beginning of the __vbastrcmp function. Press F11 to execute it and return from the function. Here's what we see (type "code on" to display the hexadecimal values):

    
    137:42BA0A  8B 8D 30 FE FF FF  mov ecx , [ebp - 1D0] <- good password
    137:42BA10  51                 push ecx 
    137:42BA11  8B 95 2C FE FF FF  mov edx , [ebp - 1D4] <- what we entered
    137:42BA17  52                 push edx 
    137:42BA18  FF 15 14 23 43 00  call [msvbvm50!__vbastrcmp] 
    
    Flocker pushes the good pwd and what we entered onto the stack, then calls the Compare function. If the strings are the same: OK, the file is decrypted; otherwise we get an error message.

    4. Let's patch the program so it lets you decrypt the file even if you enter a wrong pwd! To do so, we substitute "push eDx" (52) with "push eCx" (51), so the Compare function compares the good pwd to itself {:-)

    Open flocker.exe in your hexadecimal editor.

    5. We're done!
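    The lesson of the essay is the design flaw it points at in the opening rant and again at step 3: the correct password is recoverable inside the process and a single string compare decides whether the file is released, so the data itself is never bound to the password. The following is an added illustration, not File Locker's code nor anything from Microsort CA, written in Python to contrast that weak pattern with a design in which the file key is derived from the password and a wrong password simply cannot produce the plaintext. The stream cipher (HMAC-SHA256 in counter mode) is a constructed teaching primitive standing in for a real AEAD such as AES-GCM; the sample file contents and the `*_check_removed` helpers, which model what neutralising the compare achieves, are constructed for the demonstration.

```python
"""Weak versus hardened gating of a locked file (added illustration)."""
import hashlib
import hmac
import os

# ---------- weak design: recoverable password + one standard string compare ----------

def weak_lock(data: bytes, password: str) -> dict:
    # The secret used for the check travels with the file and the body is not
    # bound to the password at all (File Locker stored it recoverably).
    return {"stored_pwd": password, "body": data}

def weak_unlock(locked: dict, password: str) -> bytes:
    # This equality test is all that stands between a wrong password and the
    # data; it is the compare the essay locates and defeats with one byte.
    if locked["stored_pwd"] == password:
        return locked["body"]
    raise ValueError("wrong password")

def weak_unlock_check_removed(locked: dict, password: str) -> bytes:
    # Same routine with the compare neutralised: the data comes out regardless.
    return locked["body"]

# ---------- hardened design: key derived from the password, authenticated ----------

SALT_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 100_000  # constructed value; tune for the deployment

def _derive_keys(password: str, salt: bytes):
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]  # (encryption key, MAC key)

def _keystream(key: bytes, length: int) -> bytes:
    # Constructed teaching primitive: HMAC-SHA256 over a counter.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def lock(data: bytes, password: str) -> bytes:
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = _xor(data, _keystream(enc_key, len(data)))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + tag + ciphertext

def _split(blob: bytes):
    return blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + TAG_LEN], blob[SALT_LEN + TAG_LEN:]

def unlock(blob: bytes, password: str) -> bytes:
    salt, tag, ciphertext = _split(blob)
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    # Constant-time compare, and the password itself is never stored anywhere.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted file")
    return _xor(ciphertext, _keystream(enc_key, len(ciphertext)))

def unlock_check_removed(blob: bytes, password: str) -> bytes:
    # The same "skip the compare" applied here: without the right password the
    # derived key is wrong and the output is noise, not the file.
    salt, _tag, ciphertext = _split(blob)
    enc_key, _mac_key = _derive_keys(password, salt)
    return _xor(ciphertext, _keystream(enc_key, len(ciphertext)))

def demo() -> dict:
    plaintext = b"constructed sample file contents"  # constructed input
    good, bad = "666666", "7777777"  # the essay's two passwords
    results = {}
    weak = weak_lock(plaintext, good)
    results["weak_bypassed"] = weak_unlock_check_removed(weak, bad) == plaintext
    blob = lock(plaintext, good)
    results["hardened_good"] = unlock(blob, good) == plaintext
    try:
        unlock(blob, bad)
        results["hardened_bad_rejected"] = False
    except ValueError:
        results["hardened_bad_rejected"] = True
    results["hardened_bypassed"] = unlock_check_removed(blob, bad) == plaintext
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    In the weak design the check and the secret are both present in the binary, so the check is the whole defence; in the hardened design the check only reports failure early, and removing it leaves an attacker with ciphertext under a key they do not have.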

    If you need more info, contact me at: Casimir

    Converted to hypertext by Joe Peschel December 27, 1998.