Fire 3 Posted November 6, 2010 (edited) Hallo .I just curios about one thingOk about my problemI have program (300 kb executable) it works throught win32 regedit.I trace all changes to regedit which done by this program and boom i'm surprised.It writes values by type REG_EXPAND_SZ(2) and after write operation successfull theris nothing plaintext in that value.If my input for that programm Fragment1C:\Documents and Settings\Администратор\Рабочий стол\test.exeOutput from programm will be writed to regedit somehing like this:Fragment210947D7482A645E05A25753DCE816957683ADE5FB484A4E4DC6C6D4AB696BA72FCE93A1F40AD4CC2895D333F44D594E4722F5EDB46C83A3600CCAD040A5AB5CB54190E7752DB7702B6CF9DC954326E938095F2976D1217B04F0F0EAE7A26A298C56BCF90AD5DC6066BF486F744F393F9DC076E9D45498DAB5F9A Theris somethink logic i think.Like this:Fragment1=SomeDecryptionAlgo?(Fragment2)I cannot "decrypt" it throught Autoit.I mean i can'not get right result.My question:May be that programm encrypts it ?Or is it standart REG_EXPAND_SZ(2) string?Export from regedit gives me:REGEDIT4 [HKEY_LOCAL_MACHINE\SOMEPATH] "Path"=hex(2):31,30,39,34,37,44,37,34,38,32,41,36,34,35,45,30,35,41,32,35,37,\ 35,33,44,43,45,38,31,36,39,35,37,36,38,33,41,44,45,35,46,42,34,\ 38,34,41,34,45,34,44,43,36,43,36,44,34,41,42,36,39,36,42,41,37,\ 32,46,43,45,39,33,41,31,46,34,30,41,44,34,43,43,32,38,39,35,44,\ 33,33,33,46,34,34,44,35,39,34,45,34,37,32,32,46,35,45,44,42,34,\ 36,43,38,33,41,33,36,30,30,43,43,41,44,30,34,30,41,35,41,42,35,\ 43,42,35,34,31,39,30,45,37,37,35,32,44,42,37,37,30,32,42,36,43,\ 46,39,44,43,39,35,34,33,32,36,45,39,33,38,30,39,35,46,32,39,37,\ 36,44,31,32,31,37,42,30,34,46,30,46,30,45,41,45,37,41,32,36,41,\ 32,39,38,43,35,36,42,43,46,39,30,41,44,35,44,43,36,30,36,36,42,\ 46,34,38,36,46,37,34,34,46,33,39,33,46,39,44,43,30,37,36,45,39,\ 44,34,35,34,39,38,44,41,42,35,46,39,41,00I try many ways throught AutoIT to figure it out to know whats going.But all operation unsucessfull for me:(Can'not get right result.Please advice me.Thanks in advance. Edited November 6, 2010 by Fire [size="5"] [/size] Share this post Link to post Share on other sites
Enforcer 4 Posted November 7, 2010 Чёта мало чё понял из твоего поста, ну разве что ты что-то пытаешся сделать с хекс строкой из реестра... Объясни по русски в привате чтоли... Ибо мало чё понял... Может смогу чем-то помочь ) [RU] Zone Share this post Link to post Share on other sites