  #1  
Old 09-25-2009, 07:00 AM
oxxomoon oxxomoon is offline
Member
 
Join Date: May 2008
Posts: 26
NoName.txt convert to Q and A table

Hello Friends

I want to ask a question. I have a NoName.txt log file from hasploger, and how do I convert it to "QTable"=hex:\ and "ATable"=hex:\ ?
I use haSploGer K-Di and get an error: cannot convert. I'm waiting for your answer.
Thanks
  #2  
Old 09-25-2009, 11:56 AM
SonofabiT SonofabiT is offline
Senior Member
 
Join Date: Dec 2008
Posts: 351

@oxxomoon - The answer to your unclear description is to start by looking at the following image:



Also find and read a file called Manual.txt of multikey emulator.

BR
SonofabiT

Last edited by SonofabiT : 09-27-2009 at 01:33 PM.
  #3  
Old 09-26-2009, 07:26 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Lol!

Git
  #4  
Old 09-27-2009, 01:30 AM
gnerogeem gnerogeem is offline
Senior Member
 
Join Date: Aug 2009
Location: Kalimdor
Posts: 553
Great!

Nice one there SonofabiT!

__________________
Pink is the new black.
  #5  
Old 10-02-2009, 05:50 AM
besoeso besoeso is offline
Senior Member
 
Join Date: Dec 2008
Posts: 118
@luzhmu

Share your experience with us,
  #6  
Old 10-02-2009, 06:52 AM
oxxomoon oxxomoon is offline
Member
 
Join Date: May 2008
Posts: 26

The problem is finished, I found how to convert it. Thanks for the funny answers.
  #7  
Old 10-02-2009, 07:17 AM
SonofabiT SonofabiT is offline
Senior Member
 
Join Date: Dec 2008
Posts: 351

@oxxomoon - Then you may share your new experience with besoeso.

@ all - I still don't understand the meaning of a (single) pair Table, 2 pair(s) Table, .... 5 pair(s) Table.

Let's say that we have the one pair table below:
Code:
... regfile
"QTable"=hex:\
42,84,... 84,AD,A4,\
"ATable"=hex:\
82,22,C2 ... 84,AD,A4,\
1. Then, am I right that we would write more than one (single) pair(s) Table like below?
Let's say 2 pair(s) Table, for instance.
Code:
... regfile
"QTable"=hex:\
42,84,... 84,AD,A4,\
"ATable"=hex:\
82,22,C2 ... 84,AD,A4,\

"QTable"=hex:\
12,34,... 9A,BC,DE,\
"ATable"=hex:\
11,22,33 ... 44,55,55,\
2. If there are 5 max pair(s) Table, doesn't it mean we should write 5 "QTable" and 5 "ATable" notations?

3. Could anyone please explain a little more clearly about "Master Pair(s) Table"?

I am sorry for my funny questions, because I've been confused.

P.S. I've referred to: http://reteam.org/board/showpost.php?p=5246&postcount=1

Last edited by SonofabiT : 10-02-2009 at 11:30 PM.
  #8  
Old 10-02-2009, 08:23 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797

We are talking about the earlier format that MultiKey does NOT use any more. "QTable" and "ATable" are the names of that segment of the registry file and each must only appear ONCE. The emulator knows that each entry after the name is 16, 32 or 48 bytes long, but because of the way the encryption is used, it reads the entries as 16 bytes each. So, 5 pairs means there would be 80 values under QTable and 80 values under ATable. A 'pair' is 16 bytes from the same line number from each table. The QTable and ATable are for decryption. For encryption it used QEncTable and AEncTable.

At version 18, MultiKey changed to a new form of entry, where each pair is on one line

"0123456789ABCDEF0123456789ABCDEF"=hex:12,34,56,78,90,AB,CD,EF,12,34,56,78,90,AB,CD,EF

The left side is the 16 bytes from QTable and the right side is the 16 bytes from ATable. They appear together under the registry entry name 'DTable'. The D is for Decryption. So, DTable is the old QTable and ATable. ETable is the old QEncTable and AEncTable.

Summary. Let's say we have a log which has 2 entries :

Code:
==================================================================
2008/01/13  07:37:21.281	 <== Application: Advisor.exe
2008/01/13  07:37:21.281	 <== HaspHL_decrypt: Pass1 = 0x29D7 (10711), Pass2 = 0x414F (16719)
2008/01/13  07:37:21.296	 <== HaspHL_decrypt: Length = 0x10
2008/01/13  07:37:21.296	 <== HaspHL_decrypt: Input Data = 
2008/01/13  07:37:21.296	
  39 73 42 B0 | 4D F2 76 F1 | E2 04 16 90 | 99 D2 1E 60 	[9sB.M.v........`]

2008/01/13  07:37:21.343	 ==> HaspHL_decrypt: Output Data = 
2008/01/13  07:37:21.343	
  00 0B 95 AD | 06 37 B8 BF | 4F 73 88 31 | 42 16 7F 8E 	[.....7..Os.1B..]

2008/01/13  07:37:21.343	 ==> HaspHL_decrypt: Status = 0x00
==================================================================
2008/01/13  07:37:21.406	 <== Application: Advisor.exe
2008/01/13  07:37:21.406	 <== HaspHL_decrypt: Pass1 = 0x29D7 (10711), Pass2 = 0x414F (16719)
2008/01/13  07:37:21.421	 <== HaspHL_decrypt: Length = 0x10
2008/01/13  07:37:21.421	 <== HaspHL_decrypt: Input Data = 
2008/01/13  07:37:21.421	
  6F 5F EF 0D | 38 0F 77 61 | 07 FA 89 1C | D8 CD 22 D7 	[o_..8.wa......".]

2008/01/13  07:37:21.468	 ==> HaspHL_decrypt: Output Data = 
2008/01/13  07:37:21.468	
  C8 BF 21 FD | BA D5 8E B3 | 9E CA 61 CF | EF 6B 50 F8 	[..!.......a..kP.]

2008/01/13  07:37:21.593	 ==> HaspHL_decrypt: Status = 0x00
==================================================================
The first entry tells you that the hasphl_decrypt function is being called with Question data :
39 73 42 B0 4D F2 76 F1 E2 04 16 90 99 D2 1E 60 (call it Q1)

And it replies with Answer :
00 0B 95 AD 06 37 B8 BF 4F 73 88 31 42 16 7F 8E (call it A1)

The second entry calls hasphl_decrypt with Question :
6F 5F EF 0D 38 0F 77 61 07 FA 89 1C D8 CD 22 D7 (call it Q2)

And it replies with Answer :
C8 BF 21 FD BA D5 8E B3 9E CA 61 CF EF 6B 50 F8 (call it A2)

MultiKey V17 and other emulators would expect these registry entries :

Code:
"QTable"=hex:\
   39,73,42,B0,4D,F2,76,F1,E2,04,16,90,99,D2,1E,60,\
   6F,5F,EF,0D,38,0F,77,61,07,FA,89,1C,D8,CD,22,D7

"ATable"=hex:\
   00,0B,95,AD,06,37,B8,BF,4F,73,88,31,42,16,7F,8E,\
   C8,BF,21,FD,BA,D5,8E,B3,9E,CA,61,CF,EF,6B,50,F8
So QTable has Q1 and Q2. ATable has A1 and A2.

In MultiKey V18, the format changed. The same 2 pairs would now be expressed like this :

Code:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345678\DTable]
"10:397342B04DF276F1E204169099D21E60"=hex:00,0B,95,AD,06,37,B8,BF,4F,73,88,31,42,16,7F,8E
"10:6F5FEF0D380F776107FA891CD8CD22D7"=hex:C8,BF,21,FD,BA,D5,8E,B3,9E,CA,61,CF,EF,6B,50,F8
The 10: at the start tells the emulator that the entry is 0x10 hexadecimal = 16 bytes long. It could be 32 or 48 also, which would then have 20: or 30: at the start. The Question becomes the name of the entry and its matching Answer becomes the data. This way, Q and matching A are kept together. Earlier, people would individually sort the Q list and the A list and suddenly it would not work, because a given line did not have a matching pair.

If your log also contains hasphl_encrypt entries, then it is just the same. QTable is replaced by QEncTable, ATable is replaced by AEncTable. For V18,

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345678\DTable]
is replaced by :
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345678\ETable]

One other small point to make this post worth coming back to: the '\' backslash at the end of a line. It is nothing more than a separator or continuation marker. A very big line can be split into multiple lines as long as every line EXCEPT the LAST ends in a \ . Also look at the use of commas. Even data at the end of a line has a comma, EXCEPT the very last data entry. So a comma separates individual data elements in a registry value.

Git

  #9  
Old 10-03-2009, 05:18 AM
vaingum vaingum is offline
Member
 
Join Date: Sep 2009
Posts: 10

Everybody will think I'm a stupid man if I ask this question.


"How do I use Multikey to make a reg file? I don't know what command to use.

I need a reg file like the one "GIT" showed from Multikey 18. How can I do that??"

I think everybody is right, because I'm really a stupid man.

Please tell me, I have been trying for the past 48 hours (no sleep).
  #10  
Old 10-03-2009, 06:00 AM
y8y8y8y y8y8y8y is offline
Senior Member
 
Join Date: Sep 2007
Posts: 210

2vaingum

There is nothing stupid in learning. First, ask more specific questions. For yours, the answer is:
dump -> convert -> collect Q/A if necessary -> REG.

In any case, here is the latest MultiKey 18.1 from Elite_r, with samples and a Q/A converting tool.
Pass: ru-board
__________________
Saving the drowning is a job for the drowning themselves.

Last edited by y8y8y8y : 10-03-2009 at 06:04 AM.