Here's the second part of my essay about Calypso reverse engineering. In this text file we will study the way Calypso encrypts its mailbox files, and write a little program which decrypts them. Our next step will be to write a program able to read these mailbox files and get all the information inside them (so, maybe, we will be able to write, who knows, a "Calypso -> Eudora converter"). Of course, if you want to work on this, you just have to mail me and I'll give you some info to start your work! The most important thing you will learn from this tute is... NEVER TRUST ready made programs, check them until you're sure that they do what you want! I thought an additional encryption would have been useful for my mailboxes, but an algo like this can be really reversed by anyone... so now the only thing I want to do is convert my mailbox and start to use another software :)
To learn how Calypso encodes its mailbox files (and, of course, how to reverse it!) we have to disassemble one of its DLL files. Its name is mailDB32.dll and it's quite easy to guess that's the right one. Once disassembled, you can see these two lines in the export list: Addr:1000F7D0 Ord: 48 (0030h) Name: mdbDecrypt Addr:1000F790 Ord: 49 (0031h) Name: mdbEncrypt One of the best thing in reverse engineering (compared to cracking) is that this kind of functions is not hidden, and we have two easy-to-guess names that point us directly to the procedures we want to study. So, we have a ready decrypting procedure that we can easily copy if we want to make our program, but it's better to read the encrypting procedure first: remember, DON'T CHANGE YOUR IDEAS every time you think you've found an easier way, because it's not always true and could lead you to wrong results... if you want to do this, BE SURE of what you're doing so you won't change your ideas again after 5 minutes. As you should guess, this procedure should load some bytes from somewhere (memory, a file, who minds... we just know it HAS to read them!), encrypt them in some way and then save them in another place... So, you'll be easily able to guess that the core of the procedure is in the lines from 1000F7B0 to 1000F7C4. And here they are: :1000F7B0 AD lodsd ; load a value in eax :1000F7B1 F7D0 not eax ; :1000F7B3 2C43 sub al, 43 ; :1000F7B5 80EC43 sub ah, 43 ; sub 43 hex :1000F7B8 C1C010 rol eax, 00000010 ; rol eax of 10 (hex) :1000F7BB 2C43 sub al, 43 ; :1000F7BD 80EC43 sub ah, 43 ; sub again :1000F7C0 C1C010 rol eax, 00000010 ; rol again :1000F7C3 AB stosd ; store the new value :1000F7C4 E2EA loop 1000F7B0 ; loop Terribly easy, as you can see! Now, do you know what these commands do? Let me explain it in a more detailed way: 1) A value is loaded in eax. As this register contains a 32 bit value, we know that in this case it should contain 4 bytes per time. The first two bytes are stored in the "very high" part of eax, the two other ones are stored, respectively, in ah and al. Look at the table if you didn't understand it: |-------------------------EAX--------------------------| |----------AX----------| |--AH--| |--AL--| 00000000 00000000 00000000 00000000 1st byte 2nd byte 3rd byte 4th byte 2) Eax is NOTted, that is its zeros become ones and its ones become zeroes. This operation is done on ALL the bits, so on all the bytes respectively. 3) Value 43 hex is subctracted both from AH and from AL. 4) Eax il ROLled... What is it? Well, ROL (ROtate Left) is an operator very similar to the "shift" one (that is, it moves the bits in a byte) but all the bits that "go out" from the byte "come in" from the other side. For instance, if we have MOV EAX, 14 ROL EAX, 4 We have this configuration: EAX before ROL = 00001110 EAX after ROL = 11100000 On the other side, if we have MOV EAX, 14 ROL EAX, 6 We obtain this configuration: EAX before ROL = 00001110 EAX after ROL = 10000011 So, if we ROL EAX 10 times (10 hex, remember!) we just put the two bytes in eax in the place of the first two ones, and vice versa. At this point, you understand why the sub operations are repeated: the program just takes EVERY byte, invert its bits and then subtract 43hex from each byte... and they call it "encryption"... bah! Now, we're not only ready to understand how the decryption routine works, but we can also guess it: first of all we have to add 43hex to every byte, then NOT it... and the file is decrypted. In fact the code is: :1000F7F0 AD lodsd :1000F7F1 0443 add al, 43 :1000F7F3 80C443 add ah, 43 :1000F7F6 C1C010 rol eax, 00000010 :1000F7F9 0443 add al, 43 :1000F7FB 80C443 add ah, 43 :1000F7FE C1C010 rol eax, 00000010 :1000F801 F7D0 not eax :1000F803 AB stosd :1000F804 E2EA loop 1000F7F0 ...easy, isn't it? :) Now, here's a little source I've made to decrypt a temporary mailbox file. Easy, plain, good old C code: #include#include FILE ; int ; void main (){ if ((f1=fopen (_argv[1],"r+b"))==NULL){ printf ("\nFile not found!\n"); exit (); } f2=fopen ("decoded.box","w+b"); while (!feof(f1)){ c1=~(fgetc(f1)+0x043); fputc (c1,f2); } fclose (f1); fclose (f2); }
(c) .+MaLaTTiA. 1998.
WARNING: this tutorial is published for EDUCATIONAL PURPOSES only! Nobody except you is
responsible for what you do with the things you read here. Also, if you intend to use
shareware programs for a period longer than the allowed one remember that you have to BUY
them!