Zone Alarm Antivirus - what I found out about it's zllictbl.dat file.

Discussion in 'Scripting' started by kattekop, May 11, 2016.

  1. kattekop

    kattekop MDL Novice

    Apr 23, 2010
    38
    5
    0
    #1 kattekop, May 11, 2016
    Last edited by a moderator: May 13, 2016
    Prechecks, postchecks.. Thus your unencrypted file contains a little bit check stuff, then the TRIAL days left, that's '1Eh' (=30days) then the Trial key. That's all.

    Some people revoke ownership from everything for the file, so the program doesn't descend trials anymore.

    The encryption method on 'zllictbl.dat' is called BlowFish. It was an algorithm invented by Bruce Schneier, and it's symmetric. All you need is the encryption/decryption secret which is 10h bytes long ;)

    You can decrypt back and forth.


    Tools used on VSDATA.DLL:
    Ida Pro/PEiD Kanal Plugin/IDA code ripper & MASM32

    grtz x7a - apologies but I'm having a hard time removing the attachment.
     
  2. Enthousiast

    Enthousiast MDL Tester

    Oct 30, 2009
    12,475
    13,556
    340
    Shouldn't this be posted on another forum section or has this something specific to do with windows 10?
     
  3. Michaela Joy

    Michaela Joy MDL Crazy Lady

    Jul 26, 2012
    3,438
    3,578
    120
    I believe this is reverse engineering. If that's a crack, it might be enough for a DMCA takedown.

    A MOD should look at this, just to be sure.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. pisthai

    pisthai Imperfect Human

    Jul 29, 2009
    6,644
    1,922
    210
    This is pure 'hacking' and against the Forum Rules of MDL (as I read them!)!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. Flipp3r

    Flipp3r MDL Expert

    Feb 11, 2009
    1,477
    628
    60
    I've no idea what he's unpacked or it's purpose.
    Is it really that different to decrypting ESD's or UEFI?
     
  6. SpeedDream

    SpeedDream MDL Addicted

    Feb 20, 2012
    620
    121
    30
    mods close/delete thread to avoid DMCA takedown
     
  7. EFA11

    EFA11 Avatar Guru

    Oct 7, 2010
    8,796
    6,746
    270
    MS uses blowfish for the SDC encrypted files for MSDNAA. unpacksdc worked until they changed over to blowfish. IF this does anything, it would be interesting and academic to see if it can be used on the sdc files. I smell challenge and knowledge in one plate? :D

    This should be moved to scripting or something other than Win10 section though.
     
  8. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    10,938
    10,479
    340
    I have to agree with EFA11 at least for now...it can change depending on the final purpose, though... decrypt SDC proof of concept yes.....remove trial periods and the like no...
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. kattekop

    kattekop MDL Novice

    Apr 23, 2010
    38
    5
    0
    #9 kattekop, May 12, 2016
    Last edited: May 12, 2016
    (OP)
    Sorry to hear. I felt kind of boring that's why I made up this piece of code. I have two EXEs, one decrypts, one encrypts. But it's uselesss....

    If anyone can delete my attachment, please do.
    I don't intend making any harm and was just local, ZoneAlarm Trial was sent to me as a gift.

    Move along, nothing to see here. :)
     
  10. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    10,938
    10,479
    340
    Have deleted it.
    Thanks anyway for the idea....
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. Michaela Joy

    Michaela Joy MDL Crazy Lady

    Jul 26, 2012
    3,438
    3,578
    120
    @kattekop: Please don't be discouraged by this. We've already had a DMCA takedown, so we're extremely cautious.
    By all means continue to post your work, but check with a mod or staff before posting any attachments.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  12. kattekop

    kattekop MDL Novice

    Apr 23, 2010
    38
    5
    0
    #12 kattekop, May 15, 2016
    Last edited: May 15, 2016
    (OP)
    Yen, EFA11, I think it's not possible to decrypt SDC files anymore. And because of this, correct me if I'm wrong:
    The .SDX file, is a text file containing an URL to a webstore, together with some stuff like it seems to me as hashed credentials..
    When you get past that, the Securse Download Manager (ehe), reads the downloaded SDC file and CRC checks it, no prob, then decrypts it using the algo BFCool (BlowFish yes), taking it's symmetric private key.
    But..To get that symmetric key, that part must have come from the server and is different for files.. You get it, they aren't dumb over there.
    So far story of SDM_EN.msi ;)

    Edit, I could be wrong here.. One key Could be obfuscated in the EXE, but it would harm their whole cryptosystem...

    I don't get it why they're out for SDC files, I mean they aren't many such files around anymore and.. If you like software, we buy it.

    Thanks for the appreciation, ppl.