I have both a PGP Self Decrypting Archive EXE file and its password. It is my understanding that it corresponds to an EXE header plus the encrypted message.
How can I separate the encrypted message for further processing?
I'm trying to use PEReader, but I have no idea how to identify either the content or the EXE header.
You began with horrible.exe plus the "secret-password" key, which you used to produce clear.bin. You know the encryption algorithm and can use the key plus clear.bin to produce cipher.bin. Assume the self-extractor did not do any annoying XOR or other trivial transform of cipher.bin.

At this point, your task is to identify a substring of horrible.exe that matches some or all of cipher.bin, modulo perhaps some header details such as timestamps. So pick several bytes from the middle of cipher.bin and go searching. Then verify that extending the cipher byte range will readily give you a bigger match of self-extractor bytes.

The end result is you want file offsets or some simple copying algorithm that lets you turn an untrusted self-extracting .EXE into cipher.bin, suitable for subsequent decryption in the usual way.

You may find it convenient to produce a small document,

$ echo Hello world > clear.bin

turn that into both cipher.bin plus a self-extracting .EXE, and work through the details until you're confident you can do it for arbitrary cleartext documents and are ready to graduate to the big one. And then describe your findings.

@CharlesDuffy comments that the IV may be sand in the Vaseline. So definitely encrypt "Hello world" at least twice using the same key, and note the differences.
@SamMason observes that e.g. diff'ing SEA executables for cleartext "Hell" and cleartext "Hello" would likely reveal the common x86 preamble. Knowing how many prefix bytes to ignore would bring you a little closer to your goal.
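The search-and-extend procedure from the answer above, plus the two diffing checks from the comments, as an added example that is not part of the original question or answer. The .exe layout (stub, IV, ciphertext, trailer), the stub bytes and the toy_encrypt stream cipher are constructed stand-ins so the script runs offline; they are not the PGP SDA format or cipher. With a real file you would read horrible.exe and your own cipher.bin from disk and keep only the search functions.

```python
"""Locate a known ciphertext inside a self-extracting .exe by probe-and-extend.

Constructed example: STUB, TRAILER, build_fake_sea and toy_encrypt are stand-ins
for the real self-extractor and cipher, NOT PGP's. The search functions do not
depend on them and work on any (exe_bytes, cipher_bytes) pair.
"""
import hashlib


def toy_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher: SHA-256 counter-mode keystream XORed with plaintext."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


# Constructed fake x86 preamble and trailer (assumed layout, not a real PE stub).
STUB = b"MZ" + bytes(range(64)) + b"STUB-CODE" * 4
TRAILER = b"SDA-TRAILER"


def build_fake_sea(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Constructed self-extractor: stub, then IV, then ciphertext, then trailer."""
    return STUB + iv + toy_encrypt(key, iv, plaintext) + TRAILER


def probe_offset(haystack: bytes, needle: bytes, probe_len: int = 16):
    """Search for probe_len bytes taken from the middle of needle.

    Returns (haystack_offset, needle_offset) of the probe, or None when the
    probe is absent or occurs more than once (an ambiguous probe fixes nothing).
    """
    start = max(0, len(needle) // 2 - probe_len // 2)
    probe = needle[start:start + probe_len]
    first = haystack.find(probe)
    if first < 0 or haystack.find(probe, first + 1) >= 0:
        return None
    return first, start


def extend_match(haystack: bytes, needle: bytes, hay_off: int, needle_off: int):
    """Grow a matched region one byte at a time in both directions.

    Returns (haystack_start, needle_start, length) of the maximal run.
    """
    left = 0
    while (hay_off - left > 0 and needle_off - left > 0
           and haystack[hay_off - left - 1] == needle[needle_off - left - 1]):
        left += 1
    right = 0
    while (hay_off + right < len(haystack) and needle_off + right < len(needle)
           and haystack[hay_off + right] == needle[needle_off + right]):
        right += 1
    return hay_off - left, needle_off - left, left + right


def locate_cipher(exe: bytes, cipher: bytes):
    """Probe, then extend. 'complete' is True when all of cipher was found."""
    hit = probe_offset(exe, cipher)
    if hit is None:
        return None
    exe_start, cipher_start, length = extend_match(exe, cipher, *hit)
    return {
        "exe_offset": exe_start,
        "cipher_offset": cipher_start,
        "length": length,
        "complete": cipher_start == 0 and length == len(cipher),
    }


def carve(exe: bytes, exe_offset: int, length: int) -> bytes:
    """Copy the located range out of the .exe: this is your recovered cipher.bin."""
    return exe[exe_offset:exe_offset + length]


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Shared leading bytes of two files, e.g. the stub of two SEA builds."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


# Constructed inputs: a small document encrypted under one key with two IVs.
KEY = b"secret-password"
IV_A = bytes(range(16))
IV_B = bytes(range(16, 32))
DOC = b"Hello world\n" * 20
EXE_A = build_fake_sea(KEY, IV_A, DOC)
CIPHER_A = toy_encrypt(KEY, IV_A, DOC)

if __name__ == "__main__":
    print(locate_cipher(EXE_A, CIPHER_A))
    print("same key, other IV found:", locate_cipher(EXE_A, toy_encrypt(KEY, IV_B, DOC)))
    print("stub length from Hell/Hello diff:",
          common_prefix_len(build_fake_sea(KEY, IV_A, b"Hell"), build_fake_sea(KEY, IV_B, b"Hello")))
```

Two things the run makes concrete. Re-encrypting the same document under the same key but a different IV produces a ciphertext whose probe is simply not in the file, which is CharlesDuffy's point: unless you recover the IV (or salt) the self-extractor used, your locally produced cipher.bin will not match byte for byte. And diffing two builds made from "Hell" and "Hello" gives the length of the shared stub, which is SamMason's suggestion for learning how many leading bytes to skip.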