[Conceptl] MRS Encryption Concept

Page 1 of 3 123 LastLast
Results 1 to 25 of 69
  1. #1
    ThievingSix (Reverse Engineer), joined Mar 2007, California, 901 posts

    [Conceptl] MRS Encryption Concept

    The MRS file format is exactly the same as a ZIP file. Meaning, if you take an unencrypted MRS file and change its extension to ".zip" you can open it with WinZIP, WinRAR, etc. The neat thing is that GunZ can actually read .zip files and use them (which is really good when you're developing).

    Now the ZIP file format (which is inherently MRS) has directory headers which list file information for each of the files contained in the ZIP archive; these are located at the beginning of each file. There is also a central header which lists information for the entire archive.

    Now, to protect their files, MAIET used the ZIP file format but encrypted the above-mentioned headers. When GunZ starts it enumerates all .ZIP and .MRS files. If it's a ZIP it unpacks the files into memory. If it's MRS it goes to a routine called RecoveryChar() which decrypts the data (i.e. the headers) and proceeds like a ZIP file.

    Now to create your own MRS encryption you have two options:

    1) Create your own File System and have Gunz use that

    2) Edit Gunz.exe and Mrs.exe to slightly change the encryption

    For simplicity's sake let's do number two.

    Let's take a look at where GunZ decrypts headers (Warning: ASM):

    First open OllyDbg and load Gunz.exe.

    Hit the Find Sequence of Commands menu button (CTRL + S) and type in

    Code:
    SHR dl,3
    SHL al,5
    This should bring you to the first function you'll need to change. I'll go ahead and paste it here for viewing purposes.

    Code:
    00538680  /$  8B4C24 04     MOV ECX,DWORD PTR SS:[ESP+4]
    00538684  |.  85C9          TEST ECX,ECX
    00538686  |.  74 1E         JE SHORT Gunz.005386A6
    00538688  |.  56            PUSH ESI
    00538689  |.  8B7424 0C     MOV ESI,DWORD PTR SS:[ESP+C]
    0053868D  |.  85F6          TEST ESI,ESI
    0053868F  |.  7E 14         JLE SHORT Gunz.005386A5
    00538691  |>  8A01          /MOV AL,BYTE PTR DS:[ECX]
    00538693  |.  8AD0          |MOV DL,AL
    00538695  |.  C0EA 03       |SHR DL,3
    00538698  |.  C0E0 05       |SHL AL,5
    0053869B  |.  0AD0          |OR DL,AL
    0053869D  |.  F6D2          |NOT DL
    0053869F  |.  8811          |MOV BYTE PTR DS:[ECX],DL
    005386A1  |.  41            |INC ECX
    005386A2  |.  4E            |DEC ESI
    005386A3  |.^ 75 EC         \JNZ SHORT Gunz.00538691
    005386A5  |>  5E            POP ESI
    005386A6  \>  C3            RETN
    Hit Find Next (CTRL + L) and it should bring you inside another function which also has the decryption routine.

    Code:
    ...
    
    005389B0  |.  8B46 14       MOV EAX,DWORD PTR DS:[ESI+14]
    005389B3  |.  83C4 1C       ADD ESP,1C
    005389B6  |.  83F8 02       CMP EAX,2
    005389B9  |.  7C 1D         JL SHORT Gunz.005389D8
    005389BB  |.  8D4C24 0C     LEA ECX,DWORD PTR SS:[ESP+C]
    005389BF  |.  BF 1E000000   MOV EDI,1E
    005389C4  |>  8A01          /MOV AL,BYTE PTR DS:[ECX]
    005389C6  |.  8AD0          |MOV DL,AL
    005389C8  |.  C0EA 03       |SHR DL,3
    005389CB  |.  C0E0 05       |SHL AL,5
    005389CE  |.  0AD0          |OR DL,AL
    005389D0  |.  F6D2          |NOT DL
    005389D2  |.  8811          |MOV BYTE PTR DS:[ECX],DL
    005389D4  |.  41            |INC ECX
    005389D5  |.  4F            |DEC EDI
    005389D6  |.^ 75 EC         \JNZ SHORT Gunz.005389C4
    005389D8  |>  8B4424 0C     MOV EAX,DWORD PTR SS:[ESP+C]
    005389DC  |.  3D 504B0304   CMP EAX,4034B50
    005389E1  |.  74 12         JE SHORT Gunz.005389F5
    005389E3  |.  3D 00008485   CMP EAX,85840000
    005389E8  |.  74 0B         JE SHORT Gunz.005389F5
    005389EA  |>  5F            POP EDI
    
    ...
    Now let's look at the encryption routine in Mrs.exe. Find it the same way as in Gunz.exe, only switch the "3" and "5".

    Code:
    00401120  /$  57            PUSH EDI
    00401121  |.  8B7C24 0C     MOV EDI,DWORD PTR SS:[ESP+C]
    00401125  |.  33C9          XOR ECX,ECX
    00401127  |.  85FF          TEST EDI,EDI
    00401129  |.  76 1E         JBE SHORT mrs.00401149
    0040112B  |.  56            PUSH ESI
    0040112C  |.  8B7424 0C     MOV ESI,DWORD PTR SS:[ESP+C]
    00401130  |>  8A0431        /MOV AL,BYTE PTR DS:[ECX+ESI]
    00401133  |.  8AD0          |MOV DL,AL
    00401135  |.  C0EA 05       |SHR DL,5
    00401138  |.  C0E0 03       |SHL AL,3
    0040113B  |.  0AD0          |OR DL,AL
    0040113D  |.  41            |INC ECX
    0040113E  |.  F6D2          |NOT DL
    00401140  |.  885431 FF     |MOV BYTE PTR DS:[ECX+ESI-1],DL
    00401144  |.  3BCF          |CMP ECX,EDI
    00401146  |.^ 72 E8         \JB SHORT mrs.00401130
    00401148  |.  5E            POP ESI
    00401149  |>  5F            POP EDI
    0040114A  \.  C3            RETN
    Now we need to think of a decent way to change the encryption. For this example I'll use my encryption method, as I don't support it anymore and don't care.

    First I'll break down the decryption function (the first one listed, otherwise known as RecoveryChar()). Windows Calculator in scientific view can do some of the bitwise operators, OR/NOT etc.

    ECX is the pointer to the header data
    ESI is the length of said data
    MOV AL,BYTE PTR DS:[ECX] Move the first byte of data into AL
    MOV DL,AL Copy AL to DL
    SHR DL,3 Shift DL 3 bytes right
    SHL AL,5 Shift AL 5 bytes left
    OR DL,AL DL = DL Or AL || It's a bitwise thing
    NOT DL Basically an inverse byte of DL
    MOV BYTE PTR DS:[ECX],DL Replace the original byte with the encrypted one
    INC ECX Go to the next byte in the header
    DEC ESI Subtract ESI(header length) by one
    JNZ SHORT <<TO TOP>> Jump if ESI isn't 0 to the beginning

    Alright now here is how I edited it to change the encryption:

    ECX is the pointer to the header data
    ESI is the length of said data
    32 in hex represents 50, which comprises the code 2 and 25 multiplied together
    SUB BYTE PTR DS:[ECX],32 Subtract 0x32 from [ECX] (first byte of data)
    MOV AL,BYTE PTR DS:[ECX] Move the first byte of data into AL
    MOV DL,AL Copy AL to DL
    SHR DL,3 Shift DL 3 bytes right
    SHL AL,5 Shift AL 5 bytes left
    OR DL,AL DL = DL Or AL || It's a bitwise thing
    NOT DL Basically an inverse byte of DL
    MOV BYTE PTR DS:[ECX],DL Replace the original byte with the encrypted one
    INC ECX Go to the next byte in the header
    DEC ESI Subtract ESI (header length) by one
    JNZ SHORT <<TO TOP>> Jump if ESI isn't 0 to the beginning

    Now for Mrs.exe (I'm not going to explain how it works, just what to change):

    MOV AL,BYTE PTR DS:[ECX+ESI]
    MOV DL,AL
    SHR DL,5
    SHL AL,3
    OR DL,AL
    INC ECX
    NOT DL
    ADD DL,32
    MOV BYTE PTR DS:[ECX+ESI-1],DL
    CMP ECX,EDI
    JB SHORT <<TO TOP>>

    Alright, now let's get down to actually editing the two, since that's a little different. Oooo, I know, let's do pictures.

    Let's go ahead and edit our first finding in Gunz.exe:

    [image]

    Our second edit will be a code cave for simplicity's sake. So it will come in two parts:

    [image]

    and...

    [image]

    Now for MRS.exe:

    [image]

    And time to save it all. Start encrypting your folders to .MRS files with the new MRS.exe and keep a backup of the folders at all times =). This example could be done a little more optimally, but it works. Also, don't use the encryption method here, as everyone now knows about it. Your encryptions are as good as how well you hide them and how complex they are.


    I go into tutorial rants when I get bored XD.............


  2. #2
    wesman2232 (DRGunZ 2 Creator), joined Jan 2007, Erie, PA, 4,872 posts

    Re: [Conceptl] MRS Encryption Concept

    awesome copy+paste skills xD

  3. #3

    Re: [Conceptl] MRS Encryption Concept

    lol wesman, are you sure he copied and pasted?

  4. #4
    CrashPoint (Account Upgraded | Title Enabled!), joined Sep 2008, Vietnam, 706 posts

    Re: [Conceptl] MRS Encryption Concept

    weeee great TUT

  5. #5
    eele (Status: Pooping), joined Jul 2008, The Netherlands, 915 posts

    Re: [Conceptl] MRS Encryption Concept

    Man, TYVM!!!! You own :D

  6. #6
    theodor2005 (Account Upgraded | Title Enabled!), joined Aug 2007, 203 posts

    Re: [Conceptl] MRS Encryption Concept

    Thanks, I'll need this when I finally make myself release my p-server to the public.

  7. #7
    faytman (Account Upgraded | Title Enabled!), joined Oct 2008, 690 posts

    Re: [Conceptl] MRS Encryption Concept

    Very nice TuT

  8. #8
    eele (Status: Pooping), joined Jul 2008, The Netherlands, 915 posts

    Re: [Conceptl] MRS Encryption Concept

    We can't use this for the theduel.exe file list runnable by Maxteam?

  9. #9
    Solaire (Praise the Sun!), joined Dec 2007, Undead Burg, 2,862 posts

    Re: [Conceptl] MRS Encryption Concept

    It's good, but face the fact that if Gunz.exe opens it, most of us can.

  10. #10
    ThievingSix (Reverse Engineer), joined Mar 2007, California, 901 posts

    Re: [Conceptl] MRS Encryption Concept

    Quote Originally Posted by Wizkidje:
    It's good, but face the fact that if Gunz.exe opens it, most of us can.
    Which is why solution 1 > solution 2 XD

  11. #11
    Demantor (Sultan of Yolo), joined May 2008, Germany, 1,266 posts

    Cool Re: [Conceptl] MRS Encryption Concept

    Very nice, T6... you are a pro...

  12. #12
    bounty-hunter (Extreme Coder - Delphi), joined Sep 2007, GunZone Mansion, 1,725 posts

    Re: [Conceptl] MRS Encryption Concept

    T6, make a tut for option 1 :P

  13. #13
    KillerStefan (Sharing is caring), joined Feb 2007, Netherlands, 2,554 posts

    Re: [Conceptl] MRS Encryption Concept

    I likez I likez!

  14. #14
    ThievingSix (Reverse Engineer), joined Mar 2007, California, 901 posts

    Re: [Conceptl] MRS Encryption Concept

    Solution 1 requires programming knowledge. Basically you do a WinAPI hook on CreateFile(), ReadFile(), SetFilePointer(), and CloseHandle().

  15. #15
    XZeenon (WowIwasSuperCringeB4), joined Jun 2008, Canada, 1,405 posts

    Re: [Conceptl] MRS Encryption Concept

    T6, what programming language do you use for MRS?

  16. #16
    ThievingSix (Reverse Engineer), joined Mar 2007, California, 901 posts

    Re: [Conceptl] MRS Encryption Concept

    Delphi(Object Pascal)

  17. #17
    Kosiguru (Apprentice), joined Dec 2006, 23 posts

    Re: [Conceptl] MRS Encryption Concept

    Isn't there some way to have the client use .zip files instead of .mrs, and then just put a complex password on the archive?

    Not sure if it's possible, but it'd sure make it near impossible to tamper with.

    Edit: May sound crazy, but I believe it was Evil GunZ that had man.mrs and woman.mrs as .zip files that were 'damaged.' Most likely over my head, but it seems that is much more effective than an easy-to-break encryption.

  18. #18
    ThievingSix (Reverse Engineer), joined Mar 2007, California, 901 posts

    Re: [Conceptl] MRS Encryption Concept

    Gunz can't open passworded zip files.

  19. #19
    cerealnp (Account Upgraded | Title Enabled!), joined Apr 2006, Brazil, 441 posts

    Re: [Conceptl] MRS Encryption Concept

    Quote Originally Posted by ThievingSix:
    (Warning: ASM)
    LMAO

    The same way you added and subtracted 32, you can add and subtract any other number?

  20. #20
    ThievingSix (Reverse Engineer), joined Mar 2007, California, 901 posts

    Re: [Conceptl] MRS Encryption Concept

    Yes.

  21. #21
    cerealnp (Account Upgraded | Title Enabled!), joined Apr 2006, Brazil, 441 posts

    Re: [Conceptl] MRS Encryption Concept

    Nice =D. I have just one more question =D. In the text part you wrote the command "SUB BYTE PTR DS:[ECX],32" and in the images you used "SUB BYTE PTR DS:[ECX],36". Is that some kind of conversion or just a mistake? Thanks

  22. #22
    ThievingSix (Reverse Engineer), joined Mar 2007, California, 901 posts

    Re: [Conceptl] MRS Encryption Concept

    Typo, should be 36.

  23. #23
    Rotana (The beer?? Its here !!!), joined Jan 2007, The Netherlands, 1,733 posts

    Re: [Conceptl] MRS Encryption Concept

    Nice tutorial,

  24. #24
    eele (Status: Pooping), joined Jul 2008, The Netherlands, 915 posts

    Re: [Conceptl] MRS Encryption Concept

    I had a question ;s,, I can't find SHR dl,3 / SHL al,5 with ctrl-s lol, I'm doing something wrong lol ;sXD I use theduel.exe and not gunz.exe :P I use the Maxteam theduel.exe filelistskip..

  25. #25
    ThievingSix (Reverse Engineer), joined Mar 2007, California, 901 posts

    Re: [Conceptl] MRS Encryption Concept

    theduel.exe is GunZ. And yes, to answer your question in the most sarcastic way possible, you are doing something wrong.


