The Super Advanced QCRACK ENCRYPT.EXE

it's totally leet

Posted by eric on March 28, 2017

I tried ENCRYPT.EXE by running it in DOSBox with various inputs to see if I could tell what it does.

Just a zero gave a 7.

0
7

Two zeroes gave a 7 then an 8, so it may not be dependent on length.

00 00
07 08

Continuing shows the value increases then rolls over a byte’s worth.

00 00 ... 00 00 00 00 ...
07 08 ... FE FF 00 01 ...

Adding a non-zero shows it’s either XORing with that starting 7 or subtracting it from 7.

01 00 ... 00 00 00 00 ...
06 08 ... FE FF 00 01 ...

Continuing with more values shows it’s actually XORing.

0F 00 ... 00 00 00 00 ...
08 08 ... FE FF 00 01 ...


00 01 00 ... 00 00 00 00 ...
07 09 09 ... FE FF 00 01 ...

So ENCRYPT.EXE XORs each byte with a counter that starts at 7, increases by one each time and rolls over.

Here’s my own qcrypt.c:

#include <stdio.h>
#include <stdint.h>

int main(int argc, char* argv[]) {
    if(argc < 3) {
        printf("Usage: %s <source> <destination>\n", argv[0]);
        return 1;
    }

    FILE* qcrypt_input;
    FILE* qcrypt_output;

    /* Binary mode: the data is raw bytes, so no newline translation. */
    if((qcrypt_input = fopen(argv[1], "rb")) == NULL) {
        printf("couldn't open %s for reading\n", argv[1]);
        return 1;
    }

    if((qcrypt_output = fopen(argv[2], "wb")) == NULL) {
        printf("couldn't open %s for writing\n", argv[2]);
        fclose(qcrypt_input);
        return 1;
    }

    /* Keystream byte: starts at 7 and wraps from 0xFF back to 0x00. */
    uint8_t offset = 7;
    int c;

    while((c = fgetc(qcrypt_input)) != EOF) {
        fputc(c ^ offset++, qcrypt_output);
    }

    fclose(qcrypt_input);
    fclose(qcrypt_output);
    return 0;
}

I checked if SKU.17 was “encrypted” this way when compared to SKU.TXT, but it wasn’t. QCRACK looks in SKU.17 for a game name, so I know it at least knows how it’s encrypted and I’ll probably have to continue reversing the executable.
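The probe-by-probe elimination and the SKU.TXT / SKU.17 comparison described above can be written as a small checker. This is an added example, not code from the original post; `model_xor`, `model_sub`, `fits` and `first_mismatch` are hypothetical names, and the byte arrays are the first bytes of the probes and outputs listed in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothesis A: c[i] = p[i] XOR (start + i), counter wrapping at 256. */
static uint8_t model_xor(uint8_t p, uint8_t k) { return p ^ k; }
/* Hypothesis B: c[i] = (start + i) - p[i], modulo 256. */
static uint8_t model_sub(uint8_t p, uint8_t k) { return (uint8_t)(k - p); }

typedef uint8_t (*model_fn)(uint8_t p, uint8_t k);

/* Return 1 if every cipher byte is explained by the model with a
   counter keystream beginning at `start`, else 0. */
int fits(model_fn m, uint8_t start, const uint8_t *plain,
         const uint8_t *cipher, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (m(plain[i], (uint8_t)(start + i)) != cipher[i])
            return 0;
    return 1;
}

/* Known-plaintext check for a file pair such as SKU.TXT / SKU.17:
   recover k[i] = p[i] ^ c[i] and return the index of the first byte
   where it stops being start + i (returns n if the whole pair fits). */
size_t first_mismatch(uint8_t start, const uint8_t *plain,
                      const uint8_t *cipher, size_t n) {
    size_t i = 0;
    while (i < n && (uint8_t)(plain[i] ^ cipher[i]) == (uint8_t)(start + i))
        i++;
    return i;
}

/* Probes and outputs taken from the post (leading bytes only). */
static const uint8_t P_01[] = {0x01, 0x00}, C_01[] = {0x06, 0x08};
static const uint8_t P_0F[] = {0x0F, 0x00}, C_0F[] = {0x08, 0x08};
static const uint8_t P_MID[] = {0x00, 0x01, 0x00}, C_MID[] = {0x07, 0x09, 0x09};

int main(void) {
    /* The 01 probe cannot separate the two hypotheses; 0F can. */
    printf("01 probe: xor=%d sub=%d\n", fits(model_xor, 7, P_01, C_01, 2),
           fits(model_sub, 7, P_01, C_01, 2));
    printf("0F probe: xor=%d sub=%d\n", fits(model_xor, 7, P_0F, C_0F, 2),
           fits(model_sub, 7, P_0F, C_0F, 2));
    printf("00 01 00: first mismatch at %zu of 3\n",
           first_mismatch(7, P_MID, C_MID, 3));
    return 0;
}
```

A `first_mismatch` result of 0 on a real file pair means the pair does not follow this scheme from the first byte.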