How to find Private Key & Passphrase in a Programe

[m4j1d]

Hi Dears,
1- There are some files(drivers) that are encrypted, and these files(drivers) are working in a "Program" that is installed in my computer. I am sure that the "Private Key" and "passphrase" are stored in the "Program" in my computer. Meanwhile there is no file for private key !!! every thing is stored inside the "Program".
2- I know that the Program for decrypting those files(drivers) is using Openssl librares (Libeay32.dll).

Q: How can I capture "passphrase" & "Private Key" that are stored in the "Program" ??


tnx in advance

[psycr0n]

1 Look for imported functions from the openssl dll
2 Look for what's passed to thru buffer or temp file to the function call (could be address on the heap, resource in exe, in the data section as raw data)
3 Copy it to a file
4 Attempt to decrypt with dumped key file. If no passphrase was used, it'll work. If not, guess it. If I were in your shoes, I'd assume that the programmer used a terrible passphrase like 'password' or '$program_name'. I've guessed the CERT.RSA of an android app before. XD My cracked version was recognized as official lmfao

[m4j1d]

1 Look for imported functions from the openssl dll
2 Look for what's passed to thru buffer or temp file to the function call (could be address on the heap, resource in exe, in the data section as raw data)
3 Copy it to a file
4 Attempt to decrypt with dumped key file. If no passphrase was used, it'll work. If not, guess it. If I were in your shoes, I'd assume that the programmer used a terrible passphrase like 'password' or '$program_name'. I've guessed the CERT.RSA of an android app before. XD My cracked version was recognized as official lmfao

tnx but:
1- how to find which function is used for Decryption !!!

I use "Api Monitor" to find which function is used when program is running but could not find any function from Libeay32.dll !!!

tnx

[m4j1d]

1 Look for imported functions from the openssl dll
2 Look for what's passed to thru buffer or temp file to the function call (could be address on the heap, resource in exe, in the data section as raw data)
3 Copy it to a file
4 Attempt to decrypt with dumped key file. If no passphrase was used, it'll work. If not, guess it. If I were in your shoes, I'd assume that the programmer used a terrible passphrase like 'password' or '$program_name'. I've guessed the CERT.RSA of an android app before. XD My cracked version was recognized as official lmfao

I can not find exactly which function is for reading private key and passphrase ? I would be thankful if a person can explain a way to find that function.
tnx

[psycr0n]

Why don't you post a list of imported functions from libeay32.dll for said executable from its IAT, like from CFF Explorer.

We'll do this together, bro. Once you get me that list, we can peruse the openssl api documentation. These calls will be in a subroutine. That subroutine(s) will do its mojo by calling the openssl api.

[m4j1d]

These are all functions that are imported, I used IDA to find these functions.

tnx bro

[psycr0n]

These are all functions that are imported, I used IDA to find these functions.

tnx bro

That's the entire OpenSSL API. Use CFF Explorer on ur EXE and pull up the imports. Get it here.

EDIT: Why don't you just upload the EXE? (=

[m4j1d]

That's the entire OpenSSL API. Use CFF Explorer on ur EXE and pull up the imports. Get it here.

EDIT: Why don't you just upload the EXE? (=

CFF Explorer can not help me! The program(main program "cp.exe") will run another small program("D.exe") that is my question. the goal is to find passphrase that is stored in the small program. The small program will not work alone properly. It should be called by the main program.
Is there any other way ??

tnx

[m4j1d]

Why don't you post a list of imported functions from libeay32.dll for said executable from its IAT, like from CFF Explorer.

We'll do this together, bro. Once you get me that list, we can peruse the openssl api documentation. These calls will be in a subroutine. That subroutine(s) will do its mojo by calling the openssl api.

These are all functions that are imported, I used Windbg to find these functions.

tnx