Getting registry info and configuration files

 
www.reversing.be Forum Index -> Code Reversing
mustanger
Frequent poster


Joined: 13 Sep 2005
Posts: 64

Posted: Fri Jun 06, 2008 4:02 pm    Post subject: Getting registry info and configuration files

I've got two questions related to the same program. The sneaky authors of the program have planted an expiration notice in my computer---I assume in the registry. I've tried breaking on RegQueryInfoKeyA, RegQueryValueExA and RegQueryValueExW. These are the only Registry Query calls I can find. Are there any other intermodular calls that could be used to fetch an expiration value in the registry?

Question 2:
This program runs with a configuration file. You get a demo configuration file to evaluate the program and if you buy it, you get another configuration file that never expires. If you open the configuration file in NOTEPAD, some of it is encrypted. I'll paste below:


 TPF0TProgramConfig doLogging RegisteredTo
My NAME InstitutionMy institution SerialNum6772
ExpiryDate @ ExecutePlace
ep_standAloneNetUsers ProgConfigMode cfgm_demo LastBuild 3.00.0315NeedCountercodeAfter @CountercodeMode cm_standard
doSecurity AllowAlerts ValidationModevm_countercodeHasTemporaryConfigModeMaxSecurityUsers TempConfigModecfgm_pro
editionStringResearch


I've changed my name and institution, but as you can see there are some squares and funny characters that presumably are making the program expire.

Does anybody know anything about the use of encrypted configuration files and how to decrypt them and alter them to our evil advantage?
Nacho_dj
Frequent poster


Joined: 03 Jan 2006
Posts: 52

Posted: Sun Jun 08, 2008 10:05 am

Hello mustanger:

I'm afraid there is no encrypted data in your file. The squares and other strange symbols could be only numerical quantities, not having a direct correspondence in ASCII code.

Try opening it in a hex editor to find which quantities the strange symbols have. Keep in mind that they could be hex values, so translating them to decimal may give them some sense...

You only need to trace in your target from the CreateFileA function, when this file is opened, and see what happens with these strange values.

Good luck

Nacho_dj

_________________
http://arteam.accessroot.com