
Reverse engineering a "Crypto++/CryptoPP" Windows Service using Ghidra

Reverse Engineering Asked by Baeleigh Harris on September 2, 2020

I’m new to the reversing scene (and this site!). I recently got interested in seeing how Windows Services tick, and discovered a weird encryption scheme. The binary isn’t obfuscated at all (at least, it doesn’t seem to be), and I was able to restore the WinMain signature and the ServiceMain entry point. Upon investigation, I found loads of references to Zlib (my guess is it gets inflated once decrypted) and CryptoPP (an open-source C++ encryption library); yet I could not find any way to locate a decrypt function. I know it loads the file to decrypt and it’s an XML file (there are fragments that reference this), but I was wondering if anyone had any experience/pointers on how to bust it open and maybe find a decryption key? My suspicion is that it’s a binary key of some description, since it’s not in the string table anywhere.

Thanks heaps!
