Wow! You’ve actually managed to complete this. Nice!
So is this the original DLL that would be executed after the decryption process? Or perhaps injected after memory is mapped and a suitable process is found to be injected into?
I’m interested to know what this does… And where it calls back.
Further investigation pulls up a few more things. Looking inside the DLL, I first grepped for IP addresses with a regex, and found these:
101.3.4.1
1.3.6.1
2.16.840.1
Obviously the last one doesn’t work as an IP, 840 is > 255.
Now the first two appear to be very obscure and simple as IPs. Since we are not looking in any context, it is impossible to know what they do. A GeoIP lookup of the IPs maps:
101.3.4.1 to Taiwan, Taipei,
1.3.6.1 to Guangdong, Guangdong
Both Asian IPs, with the same timezone; geographically they’re fairly near. I could be reading too much into this. But it feels like a large coincidence that two IP addresses are both located in Asia.
Looking more into those strings, I am finding:
w:\3rdparty\TntUnicode\Source\TntClasses.pas
W:\3rdparty\ScreamSec\SecUtils.pas
Some other IP looking things:
2.16.840.1.101.3.4.1.1
2.16.840.1.101.3.4.1.21
2.16.840.1.101.3.4.1.41
What seems to be an open-source licence include...
/* This is an independent implementation of the encryption algorithm: */
/* */
/* RIJNDAEL by Joan Daemen and Vincent Rijmen */
/* */
/* which is a candidate algorithm in the Advanced Encryption Standard */
/* programme of the US National Institute of Standards and Technology. */
/* */
/* Copyright in this implementation is held by Dr B R Gladman but I */
/* hereby give permission for its free direct or derivative use subject */
/* to acknowledgment of its origin and compliance with any conditions */
/* that the originators of the algorithm place on its exploitation. */
/* */
/* Dr Brian Gladman ([email protected]) 14th January 1999 */
Links to trial and activation?
EP_TrialExecutions
EP_TrialExecutionsTotal
EP_TrialExecutionsLeft
EP_TrialDays
EP_TrialDaysTotal
EP_RegEncryptRegistrationInformation
EP_RegDecryptRegistrationInformation
EP_ActivationShowDialog
EP_ActivationActivate
EP_ActivationActivateWithId
EP_ActivationActivateWithIdA
And another link to Enigma...
Software\Enigma Protector\%.8x%.8x-%.8x%.8x
Looking through this, I’d like to run it and see what’s going on in a sandbox. But I am afraid it will escape and/or notice and change its behaviour.
Perhaps we need some bare metal with a firewall on a switch… This could get interesting… Who wants to try it? 