![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2012\/08\/1277327753072.jpg\" "\\"1277327753072\\"")
<\/a><\/p>\nUnlike most companies, I assume SmarterTools doesn’t know how to encrypt or obfuscate its binaries, instead, they store all of their code in a managed assembly DLL and call it with an exe. That said, reversing it was rather simple since I only needed a decent decompiler and grep to find its hashing algorithm. And here it is:<\/p>\n
\nusing System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text;\nusing System.IO;\nusing System.Security.Cryptography;\nnamespace TicketCounter\n{\npublic class CryptographyHelper\n{\nprotected internal byte[] salt = new byte[4]\n{\n(byte) 155,\n(byte) 26,\n(byte) 93,\n(byte) 86\n};\nprotected SymmetricAlgorithm Coder;\nprotected byte[] Key;\nprotected byte[] IV;\nprotected int Method;\nprotected CryptographyHelper()\n{\n}\npublic CryptographyHelper(int methodIn)\n{\nthis.Method = methodIn;\nif (this.Method == 0)\nthis.Coder = (SymmetricAlgorithm) DES.Create();\nelse\nthis.Coder = (SymmetricAlgorithm) RC2.Create();\n}\npublic void SetKey(string key)\n{\nint cb = this.Method != 0 ? 5 : 8;\nPasswordDeriveBytes passwordDeriveBytes = new PasswordDeriveBytes(key, this.salt);\nthis.Key = passwordDeriveBytes.GetBytes(cb);\nthis.IV = passwordDeriveBytes.GetBytes(cb);\n}\npublic void SetKey(ref Random rnd)\n{\nint length = this.Method != 0 ? 5 : 8;\nthis.Key = new byte[length];\nthis.IV = new byte[length];\nrnd.NextBytes(this.Key);\nrnd.NextBytes(this.IV);\n}\npublic void SetKey(byte[] keyIn, byte[] ivIn)\n{\nint length = this.Method != 0 ? 5 : 8;\nthis.Key = new byte[length];\nthis.IV = new byte[length];\nArray.Copy((Array) keyIn, 0, (Array) this.Key, 0, length);\nArray.Copy((Array) ivIn, 0, (Array) this.IV, 0, length);\n}\npublic string EncodeToBase64(string val)\n{\nif (val.Length == 0)\nreturn val;\nelse\nreturn Convert.ToBase64String(this.Encode(Encoding.UTF8.GetBytes(val)));\n}\npublic string DecodeFromBase64(string val)\n{\nif (val.Length == 0)\nreturn val;\nelse\nreturn Encoding.UTF8.GetString(this.Decode(Convert.FromBase64String(val)));\n}\npublic static string EncodeToBase64(int method, int key, string val)\n{\nif (val.Length == 0)\nreturn val;\nCryptographyHelper cryptographyHelper = new CryptographyHelper(method);\nRandom rnd = new Random(key);\ncryptographyHelper.SetKey(ref rnd);\nreturn cryptographyHelper.EncodeToBase64(val);\n}\npublic static string DecodeFromBase64(int method, int key, string val)\n{\nif (val.Length == 0)\nreturn val;\nCryptographyHelper cryptographyHelper = new CryptographyHelper(method);\nRandom rnd = new Random(key);\ncryptographyHelper.SetKey(ref rnd);\nreturn cryptographyHelper.DecodeFromBase64(val);\n}\npublic static string EncodeToBase64(int method, string key, string val)\n{\nif (val.Length == 0)\nreturn val;\nCryptographyHelper cryptographyHelper = new CryptographyHelper(method);\ncryptographyHelper.SetKey(key);\nreturn cryptographyHelper.EncodeToBase64(val);\n}\npublic static string DecodeFromBase64(int method, string key, string val)\n{\nif (val.Length == 0)\nreturn val;\nCryptographyHelper cryptographyHelper = new CryptographyHelper(method);\ncryptographyHelper.SetKey(key);\nreturn cryptographyHelper.DecodeFromBase64(val);\n}\npublic byte[] Encode(byte[] buf)\n{\nreturn this.PassThrough(buf, this.Coder.CreateEncryptor(this.Key, this.IV));\n}\npublic byte[] Decode(byte[] buf)\n{\nreturn this.PassThrough(buf, this.Coder.CreateDecryptor(this.Key, this.IV));\n}\nprotected byte[] PassThrough(byte[] buf, ICryptoTransform transformation)\n{\nMemoryStream memoryStream = new MemoryStream();\nCryptoStream cryptoStream = new CryptoStream((Stream) memoryStream, transformation, CryptoStreamMode.Write);\ncryptoStream.Write(buf, 0, buf.Length);\ncryptoStream.FlushFinalBlock();\nmemoryStream.Seek(0L, SeekOrigin.Begin);\nbyte[] buffer = new byte[memoryStream.Length];\nmemoryStream.Read(buffer, 0, (int) memoryStream.Length);\ncryptoStream.Close();\nmemoryStream.Close();\nreturn buffer;\n}\n}\n}\n<\/code><\/pre>\nSee the key?\u00a0 No you don’t because the key was elsewhere in the app – specifically in the config area that deals with description:<\/p>\n
\n\/\/namespace SmarterMail.Config\npublic class SystemAdminLogin\n{\npublic static string PasswordKey = 03a8ur98qhfa9h; \/\/ assume quotes\npublic string ID { get; set; }\npublic string Username { get; set; }\npublic List<IpAccess> IpAccessRestrictions { get; private set; }\npublic bool IsPrimaryAdmin { get; set; }\npublic bool EnableIpAccessRestriction { get; set; }\npublic DateTime DateCreated { get; set; }\npublic string Description { get; set; }\npublic string Password\n{\nget\n{\nreturn CryptographyHelper.\nDecodeFromBase64(0,SystemAdminLogin.PasswordKey, this.get_EncryptedPassword());\n}\nset\n{\nthis.set_EncryptedPassword(CryptographyHelper.EncodeToBase64(0,SystemAdminLogin.PasswordKey, value));\n}\n}static SystemAdminLogin()\n{\n}public SystemAdminLogin()\n{\nthis.IpAccessRestrictions = new List<IpAccess>();\nthis.DateCreated = DateTime.Now;\nthis.ID = string.Empty;\n}public void ToXml(XmlWriter writer)\n{\nwriter.WriteStartElement(“SystemAdmin”);\nwriter.WriteElementString(“ID”, this.ID);\nwriter.WriteElementString(“Username”, this.Username);\n\/\/ ISSUE: reference to a compiler-generated method\nwriter.WriteElementString(“Password”, this.get_EncryptedPassword());\nwriter.WriteElementString(“EnableIpAccessRestriction”,\nthis.EnableIpAccessRestriction.ToString());\nwriter.WriteElementString(“DateCreated”,\nthis.DateCreated.ToString((IFormatProvider)\nCultureInfo.InvariantCulture));\nwriter.WriteElementString(“Description”, this.Description);\nif (this.IpAccessRestrictions.Count > 0)\n{\nwriter.WriteStartElement(“IpAccess”);\nforeach (IpAccess ipAccess in this.IpAccessRestrictions)\n{\nwriter.WriteStartElement(“Allowed”);\nwriter.WriteElementString(“Description”, ipAccess.Description);\nwriter.WriteElementString(“StartIp”, ipAccess.StartIP);\nif (System_ExtensionMethods7BCA73B06BAB478aA3AC6AC60979BA25.HasValue(ipAccess.EndIP))\nwriter.WriteElementString(“EndIp”, ipAccess.EndIP);\nwriter.WriteElementString(“Type”, ((int) ipAccess.Type).ToString());\nwriter.WriteEndElement();\n}\nwriter.WriteEndElement();\n}\nwriter.WriteEndElement();\n}\npublic void FromXml(XmlReader reader)\n{\nstring str = string.Empty;\nlabel_27:\nwhile (reader.Read())\n{\nint num = (int) reader.MoveToContent();\nif (reader.NodeType == XmlNodeType.EndElement &&\nreader.Name.ToLowerInvariant() == “systemadmin”)\nbreak;\nif (reader.NodeType == XmlNodeType.Element &&\nreader.Name.ToLowerInvariant() == “ipaccess”)\n{\nIpAccess ipAccess = new IpAccess();\nbool flag = false;\nwhile (true)\n{\ndo\n{\nif (reader.Read() && (reader.NodeType !=\nXmlNodeType.EndElement || !(reader.Name.ToLowerInvariant() ==\n“ipaccess”)))\n{\nif (reader.NodeType == XmlNodeType.EndElement &&\nreader.Name.ToLowerInvariant() == “allowed” && flag)\n{\nthis.IpAccessRestrictions.Add(ipAccess);\nflag = false;\nipAccess = new IpAccess();\n}\nif (reader.NodeType == XmlNodeType.Element)\ngoto label_8;\n}\nelse\ngoto label_27;\n}\nwhile (reader.NodeType != XmlNodeType.Text);\ngoto label_10;\nlabel_8:\nstr = reader.Name.ToLowerInvariant();\ncontinue;\nlabel_10:\nswitch (str)\n{\ncase “description”:\nflag = true;\nipAccess.Description = reader.Value;\ncontinue;\ncase “startip”:\nflag = true;\nipAccess.StartIP = reader.Value;\ncontinue;\ncase “endip”:\nflag = true;\nipAccess.EndIP = reader.Value;\ncontinue;\ncase “type”:\nflag = true;\nipAccess.Type = (IPType) int.Parse(reader.Value);\ncontinue;\ndefault:\ncontinue;\n}\n}\n}\nelse if (reader.NodeType == XmlNodeType.Element)\nstr = reader.Name.ToLowerInvariant();\nelse if (reader.NodeType == XmlNodeType.Text)\n{\nswitch (str)\n{\ncase “id”:\nthis.ID = reader.Value;\ncontinue;\ncase “enableipaccessrestriction”:\nthis.EnableIpAccessRestriction = bool.Parse(reader.Value);\ncontinue;\ncase “username”:\nthis.Username = reader.Value;\ncontinue;\ncase “password”:\n\/\/ ISSUE: reference to a compiler-generated method\nthis.set_EncryptedPassword(reader.Value);\ncontinue;\ncase “datecreated”:\nthis.DateCreated = DateTime.Parse(reader.Value,\n(IFormatProvider) CultureInfo.InvariantCulture);\ncontinue;\ncase “description”:\nthis.Description = reader.Value;\ncontinue;\ndefault:\ncontinue;\n}\n}\n}\n}\n}\n<\/code><\/pre><\/wbr><\/wbr><\/wbr><\/wbr><\/wbr><\/p>\n<\/wbr><\/wbr><\/wbr><\/div>\n
That’s what we’re going to use to decrypt the binary.<\/p>\n
I borrowed their code to make my own little decrypter app kind of like how a cracker makes a keygen – same principle really, except in this case, they include a function for decrypting so I don’t need much:<\/p>\n
\nusing System;\nusing System.Collections.Generic;\nusing System.ComponentModel;\nusing System.Data;\nusing System.Drawing;\nusing System.Text;\nusing System.Windows.Forms;\nnamespace TicketCounter\n{\npublic partial class Form1 : Form\n{\npublic Form1()\n{\nInitializeComponent();\n}\npublic static string PasswordKey = “03a8ur98qhfa9h”;\nprivate void btnDecode_Click(object sender, EventArgs e)\n{\nstring enc = this.tbEnc.Text;\nthis.tbDec.Text = DecodeFromBase64(0, PasswordKey, enc);\n}\npublic static string DecodeFromBase64(int method, string key, string val)\n{\nif (val.Length == 0)\nreturn val;\nCryptographyHelper cryptographyHelper = new CryptographyHelper(method);\ncryptographyHelper.SetKey(key);\nreturn cryptographyHelper.DecodeFromBase64(val);\n}\n}\n}\n<\/code><\/pre>\nCreate the object and use it. Keep it simple. The project includes the class I ripped in the project.<\/p>\n
And there you have it. Next time you take control of a Smarter Mail server, you can now decrypt the passwords with ease.<\/p>\n
![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2012\/08\/smartermail_decryter.png\" "\\"smartermail_decryter\\"")
<\/a><\/p>\nFor those of you who are lazy, you can download the project here.<\/a> <\/p>\nHappy hacking \ud83d\ude42<\/p>\n