Hello.
This is more of an education-type question. 888 Poker (old client) uses a few files for client operation (.cxm and .cqs). QuickBMS has a script to decrypt this here:
https://aluigi.altervista.org/bms/888.bms
I have written an open-source script using this XOR byte key and I am able to get the contents of the files to match both an executable that does the same thing, and the output of QuickBMS. However, my question becomes: how was this key discovered? Here are links to two files that are decrypted with the XOR byte key:
Theme files:
https://1drv.ms/u/s!AjR_Gb6uQ7I9gmAHuFv ... G?e=jFHwMy
https://1drv.ms/u/s!AjR_Gb6uQ7I9gmEylWc ... a?e=FaOZft
If we need the executable, I can upload it as well. Since the XOR byte key is known, I'm more interested in the process, as there are numerous other poker clients I'd like to try and mod. Thanks!
Old Poker (888) file conversion
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: Old Poker (888) file conversion
I guess I already replied by email.
It was found by debugging the software: when the program tries to read the file it first decrypts it, and it's easy to intercept the decryption function.
Even static analysis works, moreover with simple encryptions like this.
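As an added example (not code from the thread, from 888 or from QuickBMS) of why the reply above says static analysis suffices for simple schemes: a single-byte XOR layer can be peeled off from the file alone, either by trying all 256 possible keys and scoring the output for text, or by XORing a known header against the ciphertext. The key and the sample theme text below are constructed; the real 888 key is the one in 888.bms and is not reproduced here.

```python
# Added example, not code from the thread, from 888, or from QuickBMS: it shows why a
# one-byte XOR "encryption" can be undone from the file alone, which is why the reply
# above says even static analysis works for simple schemes. The key and the sample
# theme text are constructed for this example; the real 888 key lives in 888.bms.

SAMPLE_PLAINTEXT = b"[Theme]\nName=Classic\nBackground=table.bmp\nCardBack=blue\n"
CONSTRUCTED_KEY = 0x5A  # hypothetical key, not the 888 one

# Bytes that dominate English/config text; used to rank candidate keys.
COMMON = frozenset(b" etaoinshrdlu\n")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def score_text(candidate: bytes) -> int:
    """Reward common text bytes, tolerate other printable ASCII, and punish control
    and high bytes hard, so a wrong key that leaves one garbage byte cannot win."""
    score = 0
    for b in candidate:
        if b in COMMON:
            score += 2
        elif 32 <= b < 127 or b in (9, 13):
            score += 1
        else:
            score -= 100
    return score


def recover_key_by_scoring(ciphertext: bytes) -> int:
    """Brute force: only 256 keys exist, so try all and keep the most text-like output."""
    return max(range(256), key=lambda k: score_text(xor_bytes(ciphertext, k)))


def recover_key_by_known_plaintext(ciphertext: bytes, known_prefix: bytes) -> int:
    """If a header/magic is known, one XOR per byte reveals the key; every position
    must agree, otherwise the single-byte-key hypothesis is wrong."""
    keys = {c ^ p for c, p in zip(ciphertext, known_prefix)}
    if len(keys) != 1:
        raise ValueError("known prefix does not fit a single-byte XOR key")
    return keys.pop()


# What a "protected" theme file would contain on disk (constructed here).
CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, CONSTRUCTED_KEY)

if __name__ == "__main__":
    print(hex(recover_key_by_scoring(CIPHERTEXT)))                       # 0x5a
    print(hex(recover_key_by_known_plaintext(CIPHERTEXT, b"[Theme]")))  # 0x5a
```

The scoring route is what a quick static pass over a suspected file amounts to; the known-plaintext route is what you get once a debugger shows you the first decrypted bytes.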
-
- Posts: 2
- Joined: Wed May 13, 2020 10:24 pm
Re: Old Poker (888) file conversion
aluigi,
Correct. I just wanted to make a public post that details this in case anyone else was curious and so we wouldn't go back and forth in email. I cracked open the software in IDA Pro, but I was very confused following the program logic, especially when it starts to thread. Should I attach the disassembler to the actual PID? Do I even need to run the software to see this in action?
I attempted to crack open cxmConverter.exe (a program written by the author of 888caption), and I set a breakpoint on the ReadFile/WriteFile functions. However, all I see is assembly commands, the file descriptor opening, and then the file is written. This is my first attempt at reverse engineering a binary, so please bear with me. Are there any other tips you can recommend?
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: Old Poker (888) file conversion
Just a note: maybe now the software uses anti-debugging protections, obfuscation and so on, so doing the job years ago was definitely easier.
Usually the procedure is the one you mention: a breakpoint on the memory read via ReadFile, and then following the operations performed on it.
For this work it may also be useful to use a tool of mine called offbreak, which automates most of the work, and it does a good job even with software adopting anti-debugging techniques.