Reverse Engineering Asked by Sanders on April 27, 2021
I have a DLL file that makes an HTTP POST request to a web server; the request looks something like this:
UmdUsFrEB3wGMuuAz1Znywuedx6+ee9cHDyzqM3Gc0FW8TxKFitPfkoC23aJeW39rPhAIpkg7vyzYzRwsloEfUM3y1LnehrJVR5tQuoZ8EUa6uFgzFauuaiP1Ea9+lRg5OU
I am not much of an expert, but to me it looks like Base64. However, when I try to decode it using online decoders, most of them just give an error that it's not Base64 format, other decoders give out Chinese characters,
and some give results like this:
RgT°ZÄ|2ë€ÏVgËžw¾yï<³¨ÍÆsAVñ<J+O~JÛv‰ymý¬ø@"™ îü³c4p²Z}C7ËRçzÉUmBêðEêá`ÌV®¹¨ÔF½úT`äå
I am assuming that it's been encrypted and then encoded?
If so, is there a way to decrypt it? I opened the DLL file in JustDecompile and it does give me readable code, but I am not sure where to look for the encryption method or key in the code.
I did find a certain part of the decompiled code somewhat interesting, though:
    private byte[] (byte[] u0002, byte[] u0003)
    {
        byte[] numArray;
        byte[] numArray1 = new byte[89];
        ((Array)u0003).CopyTo((Array)numArray1, 0);
        ((Array)u0002).CopyTo((Array)numArray1, 16);
        if (0 == 0)
        {
            ((Array)Encoding.ASCII.GetBytes("MTRandom")).CopyTo(numArray1, 80);
        }
        do
        {
            numArray = (new MD5CryptoServiceProvider()).ComputeHash(numArray1);
        }
        while (3 == 0);
        return numArray;
    }

    private new unsafe void (byte[] u0002)
    {
        void* length = (void*)stackalloc IntPtr[9];
        this. = (ulong)0;
        *(length + 4) = this. <= 1101;
        if ((sbyte)(*(length + 4)) == 0)
        {
            . _u0001 = new .();
            byte[] numArray = base.(8);
            _u0001. = BitConverter.ToUInt16(numArray, 0);
            _u0001. = BitConverter.ToUInt16(numArray, 2);
            _u0001. = BitConverter.ToUInt16(numArray, 4);
            _u0001. = BitConverter.ToUInt16(numArray, 6);
            byte[] numArray1 = base.((int)_u0001.);
            byte[] numArray2 = this.(numArray1, u0002, _u0001);
            *length = null;
            while (true)
            {
                if (((int)(*length) >= (int)numArray2.Length ? true : (int)numArray2.Length - (int)(*length) < 8))
                {
                    return;
                }
                byte[] numArray3 = new byte[8];
                Array.Copy(numArray2, (int)(*length), numArray3, 0, 8);
                *length = (int)(*length) + 8;
                _u0001 = this.(numArray3, u0002);
                *(length + 5) = (int)numArray2.Length - (int)(*length) < _u0001.;
                if ((sbyte)(*(length + 5)) != 0)
Is it possible that this part of the code is responsible for encryption, or is it a case of barking up the wrong tree?
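Added example, not part of the original question or the DLL's code: a Python sketch that re-pads the quoted string (its length is not a multiple of 4, which strict Base64 decoders reject), measures the byte entropy of the decoded data, and reproduces the 89-byte buffer layout of the first decompiled method. The function names `decode_unpadded`, `entropy_bits_per_byte` and `md5_mix` are chosen here; what the DLL does with the MD5 output is not shown on the page.

```python
import base64
import hashlib
import math
from collections import Counter

# Request body exactly as quoted in the question (split only for line length).
SAMPLE = ("UmdUsFrEB3wGMuuAz1Znywuedx6+ee9cHDyzqM3Gc0FW8TxKFitPfkoC23aJeW39"
          "rPhAIpkg7vyzYzRwsloEfUM3y1LnehrJVR5tQuoZ8EUa6uFgzFauuaiP1Ea9+lRg5OU")

def decode_unpadded(text: str) -> bytes:
    """Base64-decode text whose trailing '=' padding was stripped."""
    text = text.strip()
    if len(text) % 4 == 1:
        raise ValueError("length % 4 == 1 can never be valid Base64")
    # Restore the padding a strict decoder expects, then reject foreign characters.
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram (ceiling is log2(len) for short input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def md5_mix(u0002: bytes, u0003: bytes) -> bytes:
    """Python rendering of the first decompiled method (parameter names as decompiled)."""
    if len(u0003) > 89 or 16 + len(u0002) > 89:
        raise ValueError("input does not fit the 89-byte buffer (.NET CopyTo would throw)")
    buf = bytearray(89)                # new byte[89], zero-filled
    buf[0:len(u0003)] = u0003          # u0003.CopyTo(buf, 0)
    buf[16:16 + len(u0002)] = u0002    # u0002.CopyTo(buf, 16)
    buf[80:88] = b"MTRandom"           # ASCII constant at offset 80, byte 88 stays 0
    return hashlib.md5(buf).digest()   # 16-byte MD5 of the whole buffer

if __name__ == "__main__":
    raw = decode_unpadded(SAMPLE)
    print(f"{len(SAMPLE)} chars, len % 4 = {len(SAMPLE) % 4}, {len(raw)} bytes decoded")
    print(f"entropy {entropy_bits_per_byte(raw):.2f} bits/byte, "
          f"ceiling {math.log2(len(raw)):.2f} for this length")
    # Constructed inputs only: the real u0002/u0003 values are not on the page.
    print("md5_mix(zeros, zeros) =", md5_mix(bytes(64), bytes(16)).hex())
```

Entropy near the ceiling is consistent with encrypted or compressed data but does not tell the two apart; the decoded bytes starting with `RgT` match the unreadable output shown in the question.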