need help encrypting

  1. #1
    own_prox (Rival Gamers Owner)
    Join Date: Jul 2007
    Location: Hell
    Posts: 1,077

    need help encrypting

    How do I encrypt MRS?


  2. #2
    wesman2232 (DRGunZ 2 Creator)
    Join Date: Jan 2007
    Location: Erie, PA
    Posts: 4,872

    Re: need help encrypting

    <sarcasm>
    1. get a gun
    2. shoot yourself in the head.
    </sarcasm>
    Wizkid said to PM him for encryptions in another thread.

  3. #3
    own_prox (Rival Gamers Owner)
    Join Date: Jul 2007
    Location: Hell
    Posts: 1,077

    Re: need help encrypting

    mmk?

  4. #4
    Asumi (Account Upgraded | Title Enabled!)
    Join Date: Aug 2008
    Posts: 209

    Re: need help encrypting

    Okay, listen, I can't do it but I know how to.

    You need to edit a mrs.exe (to pack and unpack)
    You need to edit runnable (in 3 places)
    You need to know ASM for sure (only some people know it around here)
    And don't forget you have to repack all your files. I had help with it from Oncle W

  5. #5
    ThievingSix (Reverse Engineer)
    Join Date: Mar 2007
    Location: California
    Posts: 901

    Re: need help encrypting

    The MRS file format is exactly the same as a ZIP file. Meaning, if you take an unencrypted MRS file and change its extension to ".zip" you can open it with WinZIP, WinRAR, etc. The neat thing is that Gunz can actually read .zip files and use them (which is really good when you're developing).

    Now the ZIP file format (which is inherently MRS) has directory headers which list file information for each of the files contained in the ZIP archive; these are located at the beginning of each file. There is also a central header which lists information for the entire archive.

    Now to protect their files MAIET used the ZIP file format but encrypted above said headers. When Gunz starts it enumerates all .ZIP and .MRS files. If it's a ZIP it unpacks the files into memory. If it's MRS it goes to a routine called RecoveryChar() which decrypts the data (i.e. the headers) and proceeds like a ZIP file.

    Now to create your own MRS encryption you have two options:

    1) Create your own File System and have Gunz use that

    2) Edit Gunz.exe and Mrs.exe to slightly change the encryption

    For simplicity's sake let's do number two.

    Let's take a look at where Gunz decrypts headers (Warning: ASM):

    First open OllyDbg and load gunz.exe

    Hit the Find Sequence of Commands menu button (CTRL + S) and type in

    Code:
    SHR dl,3
    SHL al,5

    This should bring you to the first function you'll need to change. I'll go ahead and paste it here for viewing purposes.

    Code:
    00538680  /$  8B4C24 04     MOV ECX,DWORD PTR SS:[ESP+4]
    00538684  |.  85C9          TEST ECX,ECX
    00538686  |.  74 1E         JE SHORT Gunz.005386A6
    00538688  |.  56            PUSH ESI
    00538689  |.  8B7424 0C     MOV ESI,DWORD PTR SS:[ESP+C]
    0053868D  |.  85F6          TEST ESI,ESI
    0053868F  |.  7E 14         JLE SHORT Gunz.005386A5
    00538691  |>  8A01          /MOV AL,BYTE PTR DS:[ECX]
    00538693  |.  8AD0          |MOV DL,AL
    00538695  |.  C0EA 03       |SHR DL,3
    00538698  |.  C0E0 05       |SHL AL,5
    0053869B  |.  0AD0          |OR DL,AL
    0053869D  |.  F6D2          |NOT DL
    0053869F  |.  8811          |MOV BYTE PTR DS:[ECX],DL
    005386A1  |.  41            |INC ECX
    005386A2  |.  4E            |DEC ESI
    005386A3  |.^ 75 EC         \JNZ SHORT Gunz.00538691
    005386A5  |>  5E            POP ESI
    005386A6  \>  C3            RETN

    Hit Find Next (CTRL + L) and it should bring you inside another function which also has the decryption routine.

    Code:
    ...
    
    005389B0  |.  8B46 14       MOV EAX,DWORD PTR DS:[ESI+14]
    005389B3  |.  83C4 1C       ADD ESP,1C
    005389B6  |.  83F8 02       CMP EAX,2
    005389B9  |.  7C 1D         JL SHORT Gunz.005389D8
    005389BB  |.  8D4C24 0C     LEA ECX,DWORD PTR SS:[ESP+C]
    005389BF  |.  BF 1E000000   MOV EDI,1E
    005389C4  |>  8A01          /MOV AL,BYTE PTR DS:[ECX]
    005389C6  |.  8AD0          |MOV DL,AL
    005389C8  |.  C0EA 03       |SHR DL,3
    005389CB  |.  C0E0 05       |SHL AL,5
    005389CE  |.  0AD0          |OR DL,AL
    005389D0  |.  F6D2          |NOT DL
    005389D2  |.  8811          |MOV BYTE PTR DS:[ECX],DL
    005389D4  |.  41            |INC ECX
    005389D5  |.  4F            |DEC EDI
    005389D6  |.^ 75 EC         \JNZ SHORT Gunz.005389C4
    005389D8  |>  8B4424 0C     MOV EAX,DWORD PTR SS:[ESP+C]
    005389DC  |.  3D 504B0304   CMP EAX,4034B50
    005389E1  |.  74 12         JE SHORT Gunz.005389F5
    005389E3  |.  3D 00008485   CMP EAX,85840000
    005389E8  |.  74 0B         JE SHORT Gunz.005389F5
    005389EA  |>  5F            POP EDI
    
    ...

    Now let's look at the encryption routines in Mrs.exe. Find it the same way as Gunz.exe only switch the "3" and "5".

    Code:
    00401120  /$  57            PUSH EDI
    00401121  |.  8B7C24 0C     MOV EDI,DWORD PTR SS:[ESP+C]
    00401125  |.  33C9          XOR ECX,ECX
    00401127  |.  85FF          TEST EDI,EDI
    00401129  |.  76 1E         JBE SHORT mrs.00401149
    0040112B  |.  56            PUSH ESI
    0040112C  |.  8B7424 0C     MOV ESI,DWORD PTR SS:[ESP+C]
    00401130  |>  8A0431        /MOV AL,BYTE PTR DS:[ECX+ESI]
    00401133  |.  8AD0          |MOV DL,AL
    00401135  |.  C0EA 05       |SHR DL,5
    00401138  |.  C0E0 03       |SHL AL,3
    0040113B  |.  0AD0          |OR DL,AL
    0040113D  |.  41            |INC ECX
    0040113E  |.  F6D2          |NOT DL
    00401140  |.  885431 FF     |MOV BYTE PTR DS:[ECX+ESI-1],DL
    00401144  |.  3BCF          |CMP ECX,EDI
    00401146  |.^ 72 E8         \JB SHORT mrs.00401130
    00401148  |.  5E            POP ESI
    00401149  |>  5F            POP EDI
    0040114A  \.  C3            RETN

    Now we need to think of a decent way to change the encryption. For this example I'll use my encryption method as I don't support it anymore and don't care.

    First I'll break down the decryption function (the first one listed, otherwise known as RecoveryChar()). Windows Calculator in scientific view can do some of the bitwise operators, OR/NOT etc.

    ECX is the pointer to the header data
    ESI is the length of said data
    MOV AL,BYTE PTR DS:[ECX]      ; Move the first byte of data into AL
    MOV DL,AL                     ; Copy AL to DL
    SHR DL,3                      ; Shift DL 3 bytes right
    SHL AL,5                      ; Shift AL 5 bytes left
    OR DL,AL                      ; DL = DL Or AL || It's a bitwise thing
    NOT DL                        ; Basically an inverse byte of DL
    MOV BYTE PTR DS:[ECX],DL      ; Replace the original byte with the encrypted one
    INC ECX                       ; Go to the next byte in the header
    DEC ESI                       ; Subtract ESI (header length) by one
    JNZ SHORT <<TO TOP>>          ; Jump if ESI isn't 0 to the beginning

    Alright now here is how I edited it to change the encryption:

    ECX is the pointer to the header data
    ESI is the length of said data
    32 represents 50 in hex which comprises the code 2 and 25 multiplied together
    SUB BYTE PTR DS:[ECX],32      ; Subtract 0x32 from ecx (first byte of data)
    MOV AL,BYTE PTR DS:[ECX]      ; Move the first byte of data into AL
    MOV DL,AL                     ; Copy AL to DL
    SHR DL,3                      ; Shift DL 3 bytes right
    SHL AL,5                      ; Shift AL 5 bytes left
    OR DL,AL                      ; DL = DL Or AL || It's a bitwise thing
    NOT DL                        ; Basically an inverse byte of DL
    MOV BYTE PTR DS:[ECX],DL      ; Replace the original byte with the encrypted one
    INC ECX                       ; Go to the next byte in the header
    DEC ESI                       ; Subtract ESI (header length) by one
    JNZ SHORT <<TO TOP>>          ; Jump if ESI isn't 0 to the beginning

    Now for Mrs.exe (I'm not going to explain how it works, just what to change):

    MOV AL,BYTE PTR DS:[ECX+ESI]
    MOV DL,AL
    SHR DL,5
    SHL AL,3
    OR DL,AL
    INC ECX
    NOT DL
    ADD DL,32
    MOV BYTE PTR DS:[ECX+ESI-1],DL
    CMP ECX,EDI
    JB SHORT <<TO TOP>>

    Alright now let's get down to actually editing the two since that's a little different. Oooo, I know, let's do pictures.

    Let's go ahead and edit our first finding in Gunz.exe:



    Our second edit will be a code cave for simplicity's sake. So it will come in two parts:



    and...



    Now for MRS.exe:




    And time to save it all. Start encrypting your folders to .MRS files with the new MRS.exe and keep a backup of the folders at all times =). This example could be done a little more optimized but it works. Also, don't use the encryption method here as everyone now knows about it. Your encryptions are as good as how well you hide them and how complex they are.


    I go into tutorial rants when I get bored XD.............
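The two per-byte routines from the listings above, written out in C as an added example (not code from the original post or from MAIET). The function names are hypothetical, and the `add` parameter is an assumption that covers both the stock routine (0) and the post's 0x32 variant. It shows the transform is a keyless, fixed byte substitution, so the encoded `PK\3\4` magic is the same four bytes in every archive packed with the same routine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Mrs.exe packer, per byte: rotate left 3 (SHL 3 | SHR 5), NOT, then add
   `add` (0 = stock routine, 0x32 = the post's ADD DL,32 variant). */
static uint8_t mrs_encode_byte(uint8_t b, uint8_t add) {
    uint8_t r = (uint8_t)((b << 3) | (b >> 5));
    return (uint8_t)((uint8_t)~r + add);
}

/* Gunz.exe RecoveryChar(), per byte: subtract `add`, rotate right 3
   (SHR 3 | SHL 5), NOT. */
static uint8_t mrs_decode_byte(uint8_t b, uint8_t add) {
    uint8_t t = (uint8_t)(b - add);
    uint8_t r = (uint8_t)((t >> 3) | (t << 5));
    return (uint8_t)~r;
}

void mrs_encode(uint8_t *buf, size_t len, uint8_t add) {
    for (size_t i = 0; i < len; i++) buf[i] = mrs_encode_byte(buf[i], add);
}

void mrs_decode(uint8_t *buf, size_t len, uint8_t add) {
    for (size_t i = 0; i < len; i++) buf[i] = mrs_decode_byte(buf[i], add);
}

/* Returns 1 if decode(encode(v)) == v for all 256 byte values. */
int mrs_roundtrip_ok(uint8_t add) {
    for (int v = 0; v < 256; v++)
        if (mrs_decode_byte(mrs_encode_byte((uint8_t)v, add), add) != v) return 0;
    return 1;
}

/* Decodes a copy of the first 4 header bytes and returns them as a
   little-endian dword, the value the second listing compares to 0x04034B50. */
uint32_t mrs_decoded_magic(const uint8_t *hdr, uint8_t add) {
    uint8_t m[4];
    memcpy(m, hdr, 4);
    mrs_decode(m, 4, add);
    return (uint32_t)m[0] | (uint32_t)m[1] << 8 | (uint32_t)m[2] << 16 | (uint32_t)m[3] << 24;
}

int main(void) {
    uint8_t hdr[4] = { 'P', 'K', 0x03, 0x04 };  /* constructed: ZIP local header magic */
    mrs_encode(hdr, sizeof hdr, 0x32);
    return (mrs_roundtrip_ok(0) && mrs_roundtrip_ok(0x32)
            && mrs_decoded_magic(hdr, 0x32) == 0x04034B50u) ? 0 : 1;
}
```

Because NOT commutes with the rotation and the constant is removed before the rotate, the packer and the loader only stay in sync when both binaries carry the same constant; a header decoded with the wrong constant fails the magic comparison.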

  6. #6
    DragonOfBlade (Proficient Member)
    Join Date: Jun 2007
    Posts: 191

    Re: need help encrypting

    Woow T6.
    That's damn good to be honest, that you're releasing it...

  7. #7
    wesman2232 (DRGunZ 2 Creator)
    Join Date: Jan 2007
    Location: Erie, PA
    Posts: 4,872

    Re: need help encrypting

    Quote: Originally Posted by ThievingSix (post #5 above, quoted in full)

    Damn, I'm going to have to find time to read that wall of text
    EDIT:
    Interesting, and you even included pictures! yay xD
    I can understand it without pics though :P


