Fire

Please advise me.

2 posts in this topic

#1 ·  Posted (edited)

Hello.

I'm just curious about one thing.

OK, about my problem:

I have a program (a 300 KB executable) that works through win32 regedit.

I traced all the changes to regedit made by this program and, boom, I'm surprised.

It writes values of type REG_EXPAND_SZ (2), and after the write operation succeeds there is nothing in plaintext in that value.

If my input for that program is:

Fragment1

C:\Documents and Settings\Администратор\Рабочий стол\test.exe

The output from the program will be written to regedit as something like this:

Fragment2

10947D7482A645E05A25753DCE816957683ADE5FB484A4E4DC6C6D4AB696BA72FCE93A1F40AD4CC2895D333F44D594E4722F5EDB46C83A3600CCAD040A5AB5CB54190E7752DB7702B6CF9DC954326E938095F2976D1217B04F0F0EAE7A26A298C56BCF90AD5DC6066BF486F744F393F9DC076E9D45498DAB5F9A

There is some logic to it, I think. Like this:

Fragment1=SomeDecryptionAlgo?(Fragment2)

I cannot "decrypt" it through AutoIt. I mean I cannot get the right result.

My question:

Maybe that program encrypts it?

Or is it a standard REG_EXPAND_SZ (2) string?

The export from regedit gives me:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOMEPATH]
"Path"=hex(2):31,30,39,34,37,44,37,34,38,32,41,36,34,35,45,30,35,41,32,35,37,\
  35,33,44,43,45,38,31,36,39,35,37,36,38,33,41,44,45,35,46,42,34,\
  38,34,41,34,45,34,44,43,36,43,36,44,34,41,42,36,39,36,42,41,37,\
  32,46,43,45,39,33,41,31,46,34,30,41,44,34,43,43,32,38,39,35,44,\
  33,33,33,46,34,34,44,35,39,34,45,34,37,32,32,46,35,45,44,42,34,\
  36,43,38,33,41,33,36,30,30,43,43,41,44,30,34,30,41,35,41,42,35,\
  43,42,35,34,31,39,30,45,37,37,35,32,44,42,37,37,30,32,42,36,43,\
  46,39,44,43,39,35,34,33,32,36,45,39,33,38,30,39,35,46,32,39,37,\
  36,44,31,32,31,37,42,30,34,46,30,46,30,45,41,45,37,41,32,36,41,\
  32,39,38,43,35,36,42,43,46,39,30,41,44,35,44,43,36,30,36,36,42,\
  46,34,38,36,46,37,34,34,46,33,39,33,46,39,44,43,30,37,36,45,39,\
  44,34,35,34,39,38,44,41,42,35,46,39,41,00

I tried many ways through AutoIt to figure out what's going on, but all attempts were unsuccessful for me :( I cannot get the right result.

Please advise me.

Thanks in advance.

Edited by Fire

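Added example, not part of either post: a Python parser for the `hex(2)` line of a REGEDIT4 export. It shows that REG_EXPAND_SZ holds the string bytes exactly as they were written (in the layout above, ASCII hex digits plus a NUL terminator), so any transformation of the path happens in the writing program before the value is stored. The sample export is a short constructed value and the function names are hypothetical.

```python
import re
import string

# Constructed sample in the same REGEDIT4 layout as the export in the post
# (a short made-up value, not the poster's data).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOMEPATH]
"Path"=hex(2):44,45,41,44,42,\
  45,45,46,30,31,00
'''

def reg_hex_values(reg_text):
    """Return {name: (type_code, raw_bytes)} for every hex(N) value in a .reg export."""
    # A trailing backslash continues the comma-separated byte list on the next line.
    joined = re.sub(r'\\\r?\n\s*', '', reg_text)
    pattern = r'^"([^"]+)"=hex\(([0-9a-fA-F]+)\):([0-9a-fA-F,]*)\s*$'
    values = {}
    for m in re.finditer(pattern, joined, re.M):
        raw = bytes(int(b, 16) for b in m.group(3).split(',') if b)
        values[m.group(1)] = (int(m.group(2), 16), raw)
    return values

def stored_string(raw, regedit4=True):
    """Decode REG_SZ / REG_EXPAND_SZ data and drop the NUL terminator.

    REGEDIT4 exports hold ANSI bytes; 'Windows Registry Editor Version 5.00'
    exports hold UTF-16LE. latin-1 is used for the ANSI case only as a
    lossless byte-to-character mapping for inspection (assumption: the real
    ANSI code page depends on the system that wrote the value).
    """
    text = raw.decode('latin-1' if regedit4 else 'utf-16-le')
    return text.rstrip('\x00')

def describe(reg_text, name='Path'):
    """Return (type_code, stored_text, inner_bytes_or_None) for one value."""
    type_code, raw = reg_hex_values(reg_text)[name]
    text = stored_string(raw, regedit4=reg_text.startswith('REGEDIT4'))
    # If the stored text is itself an even-length run of hex digits, the program
    # hex-encoded some inner byte blob before writing it; recover that blob.
    is_hex_text = bool(text) and len(text) % 2 == 0 and all(c in string.hexdigits for c in text)
    inner = bytes.fromhex(text) if is_hex_text else None
    return type_code, text, inner

if __name__ == '__main__':
    print(describe(SAMPLE_REG))
```

Comparing the length of the recovered inner blob with the length of the known input path is a reasonable first check when trying to tell a plain encoding from a cipher.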



:graduated: I didn't really understand much from your post, except that you're trying to do something with a hex string from the registry... Explain it in Russian in a private message, maybe... Because I understood very little... Maybe I can help with something )

[RU] Zone
