+---< Title >------------------------------------------------------------------+
|                                                                              |
| Get program access password for "Revealer Free Edition v1.2"                 |
+------------------------------------------------------------------------------+
+---< Description >------------------------------------------------------------+
|                                                                              |
| Revealer Free Edition is a free and reliable keylogger monitoring tool that  |
| logs everything that is typed on your computer. It records every keystroke   |
| including passwords and conversations (one side only) in common instant      |
| messengers.                                                                  |
| http://www.revealerkeylogger.com/Revealer_Free_Edition_1.2.zip               |
+------------------------------------------------------------------------------+
+---< Tools >------------------------------------------------------------------+
|                                                                              |
| * frhed (http://www.rs.e-technik.tu-darmstadt.de/applets/frhed-v1.1.zip)     |
| * Filemon (http://download.sysinternals.com/Files/Filemon.zip)               |
+------------------------------------------------------------------------------+
+---< Tutorial >---------------------------------------------------------------+
|                                                                              |
| Using frhed, open the cfg.dat file located in the main Revealer directory.   |
| It is made up of the following 38 bytes:                                     |
|                                                                              |
| 06 6c ce 9d 3b 8b db 9c 3a bb d7 c2 99 bc f2 4b f9 92 ce 51 3b 8b db 9c 3a   |
| bb d7 c2 99 bc f2 4b f9 92 ce 51 3b 8b                                       |
|                                                                              |
| Let's begin by starting revealer.exe. After that, stop monitoring and go to  |
| "Options" -> "General settings". If you try, you will notice that you can't  |
| insert a password longer than 8 characters. I will insert "01234567" w/o     |
| quotes. Now, before clicking "Ok", run FileMon, start capturing, click "Ok", |
| stop capturing and you will see that it wrote mainly to one file: cfg.dat.   |
| Perfect, let's open it again w/ frhed:                                       |
|                                                                              |
| 06 6c ce 9d 0b 8b ea 9c 08 bb e4 c2 ad bc c7 4b cf 92 f9 51 3b 8b db 9c 3a   |
| bb d7 c2 99 bc f2 4b f9 92 ce 51 3b 8b                                       |
|                                                                              |
| After analysing the two strings of bytes you will notice that exactly 8      |
| bytes have been changed. The offsets are: 0x04, 0x06, 0x08, 0x0a, 0x0c,      |
| 0x0e, 0x10 and 0x12. Let's start with the first byte that has changed.       |
| Before it was 3b, now it is 0b. XOR these two values:                        |
| 3b XOR 0b = 30, which is 48 in decimal, i.e. the ASCII character "0"         |
| db XOR ea = 31 ("1")                                                         |
| 3a XOR 08 = 32 ("2")                                                         |
| d7 XOR e4 = 33 ("3")                                                         |
| 99 XOR ad = 34 ("4")                                                         |
| f2 XOR c7 = 35 ("5")                                                         |
| f9 XOR cf = 36 ("6")                                                         |
| ce XOR f9 = 37 ("7")                                                         |
|                                                                              |
| So as you can see, the bytes change only at those offsets. Now let's change  |
| the password into "pass" w/o quotes. If you do the same procedure as before  |
| you will see how the bytes are changed again in the cfg.dat file. Now pay    |
| attention: this time we put a password of only 4 characters. The bytes at    |
| offsets 0x04, 0x06, 0x08 and 0x0a got other values, and the bytes at offsets |
| 0x0c, 0x0e, 0x10 and 0x12 went back to the default values they had before    |
| any change was made to the file.                                             |
+------------------------------------------------------------------------------+
+---< Conclusion >-------------------------------------------------------------+
|                                                                              |
| * The password length is max 8 characters.                                   |
| * Revealer stores the password in the cfg.dat file in the main dir.          |
| * The offsets are always the same, with the default values:                  |
|     0x04 -> 3b                                                               |
|     0x06 -> db                                                               |
|     0x08 -> 3a                                                               |
|     0x0a -> d7                                                               |
|     0x0c -> 99                                                               |
|     0x0e -> f2                                                               |
|     0x10 -> f9                                                               |
|     0x12 -> ce                                                               |
| * The default values are XORed with the inserted password :)                 |
+------------------------------------------------------------------------------+
+--< Thanks >------------------------------------------------------------------+
|                                                                              |
| I would like to thank all the people who always help me, answer my questions |
| and all the communities where I have been for longer than a week ;)          |
| This is not a great tutorial, but if there is even only one person who liked |
| this tutorial I will be happier than what you can think of ;)                |
|                                                                              |
| Best Regards                                                                 |
| occasus                                                                      |
+------------------------------------------------------------------------------+
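The finding of the tutorial above, reduced to code: a fixed XOR key applied to a file with a known default content gives no confidentiality to anyone who can read that file, and the byte-diff that was done by eye in frhed is a few lines of Python. This example is added here and is not part of occasus's tutorial or of the Revealer software. It uses the two 38-byte dumps and the slot offsets from the tutorial; the function names are made up, and the rule that an unused slot keeps its default byte (plaintext 0x00 XOR key) is an assumption consistent with the "pass" experiment described in the Tutorial section.

```python
# Added example, not from the tutorial or from Revealer: a model of the
# cfg.dat password slots as the tutorial describes them, to show why a
# constant XOR key is obfuscation rather than protection.

# Offsets of the eight password slots (from the Conclusion section).
SLOT_OFFSETS = (0x04, 0x06, 0x08, 0x0A, 0x0C, 0x0E, 0x10, 0x12)

# cfg.dat before any password was set (38 bytes, copied from the tutorial).
DEFAULT_CFG = bytes.fromhex(
    "066cce9d3b8bdb9c3abbd7c299bcf24bf992ce51"
    "3b8bdb9c3abbd7c299bcf24bf992ce513b8b"
)

# cfg.dat after the password "01234567" was set (copied from the tutorial).
CFG_WITH_01234567 = bytes.fromhex(
    "066cce9d0b8bea9c08bbe4c2adbcc74bcf92f951"
    "3b8bdb9c3abbd7c299bcf24bf992ce513b8b"
)


def changed_offsets(before: bytes, after: bytes) -> list:
    """Offsets at which two equal-length byte strings differ.

    This is the comparison the tutorial did by eye in the hex editor.
    """
    if len(before) != len(after):
        raise ValueError("byte strings must have the same length")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def key_bytes(default: bytes = DEFAULT_CFG) -> bytes:
    """The 'key' is nothing more than the default byte at each slot."""
    return bytes(default[off] for off in SLOT_OFFSETS)


def recover_password(cfg: bytes, default: bytes = DEFAULT_CFG) -> str:
    """XOR each slot against its default byte.

    A slot still equal to its default decodes to 0x00, which is treated as
    the end of the password (assumption, matching the 4-character "pass"
    experiment where slots 0x0c..0x12 returned to their defaults).
    """
    chars = []
    for off in SLOT_OFFSETS:
        plain = cfg[off] ^ default[off]
        if plain == 0:
            break
        chars.append(chr(plain))
    return "".join(chars)


def encode_password(password: str, default: bytes = DEFAULT_CFG) -> bytes:
    """Inverse operation: write a password into a copy of the default file.

    Slots beyond the password length keep their default bytes, which is why
    the password length leaks directly from the file as well.
    """
    if len(password) > len(SLOT_OFFSETS):
        raise ValueError("Revealer accepts at most 8 characters")
    cfg = bytearray(default)
    for ch, off in zip(password.encode("ascii"), SLOT_OFFSETS):
        cfg[off] ^= ch
    return bytes(cfg)


if __name__ == "__main__":
    diff = changed_offsets(DEFAULT_CFG, CFG_WITH_01234567)
    print("changed offsets:", [hex(o) for o in diff])
    print("key bytes:      ", key_bytes().hex())
    print("recovered:      ", recover_password(CFG_WITH_01234567))
    short = encode_password("pass")
    print("'pass' changes: ", [hex(o) for o in changed_offsets(DEFAULT_CFG, short)])
    print("recovered:      ", recover_password(short))
```

Because the key never changes between installations and the unmodified file is shipped with the program, the stored value is equivalent to the plaintext for anyone with read access to the directory. Anything that must stay secret on disk needs either a key the reader does not have, or a one-way construction such as a salted password hash, neither of which a fixed XOR provides.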