
Every day I receive SDA files for which I have the passphrase. The decryption is done by running the file and manually entering a passphrase in the program window that pops up. I'd like to avoid this manual step and turn it into a step of an automated process.

The way this would work is the following: as soon as my daemon detects that a new file has arrived in my inbox, my program would download, decrypt and save it. I know how to do all of these with code, except the decryption part.

Instead of running the .exe file and manually entering the passphrase, I want to read its contents and, with the passphrase, decrypt the data contained within it, which looks like this:

4d5a 9000 0300 0000 0400 0000 ffff 0000
b800 0000 0000 0000 4000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 f000 0000
0e1f ba0e 00b4 09cd 21b8 014c cd21 5468
...etc

The language I'm currently using is PHP, but taking a look at an implementation in any language will help.

Any ideas?

Diego Saa
  • What would you rather happen? Are you wanting your password cached for some period of time? – Duncan Jones Dec 20 '12 at 08:13
  • You say "programmatically" in your title, so are you expecting to write code to fix this behaviour? – Duncan Jones Dec 20 '12 at 09:53
  • @Duncan Jones I edited my question to be clearer. – Diego Saa Dec 20 '12 at 16:11
  • So basically you want to extract the encrypted envelope from the .exe. What did you try/research regarding the removal of the executable code? The first couple of bytes probably are the .exe header. – Maarten Bodewes Dec 20 '12 at 18:04
  • Are you certain this is a pgp or gpg encrypted file? Perhaps it is a password-protected self-extracting zip executable. I've never heard of a gpg "executable". – BellevueBob Dec 21 '12 at 00:51
  • @owlstead I came across a really nice program called PE Explorer that lets me analyze the structure of the file and even disassemble it. – Diego Saa Dec 21 '12 at 16:31
  • @DiegoSaa that's good, though you may want to read up on the .exe format using standardized documents, in case something suddenly changes the current format (adds an optional field, memory location etc.). Those kinds of tools are good for initial understanding and/or debugging. – Maarten Bodewes Dec 21 '12 at 16:35
  • @owlstead I think I know where the data is by how it looks, but I just don't know what algorithm to apply to it to decrypt it. – Diego Saa Dec 21 '12 at 16:38
  • @BobDuell The files I receive are pgp SDAs. You are right, there are no such things as gpg SDAs, because SDAs are not a good idea. – Diego Saa Dec 21 '12 at 16:39
  • @DiegoSaa Never heard of SDAs before. According to Symantec, they are encrypted using AES256 by default. See if this previous answer is helpful: http://stackoverflow.com/q/1628138/1275871. If it was my problem, I'd try to get the data provider to give me a file encrypted with my own key. – BellevueBob Dec 21 '12 at 17:10
  • PGP/GPG uses a container format. If you know where that starts then you should be able to parse it regularly (or even easier, move the container to another file, and decrypt it using the regular tools). – Maarten Bodewes Dec 21 '12 at 17:53

1 Answer


A PGP self-decrypting archive is just an EXE stub plus a PGP message inside the file. You should parse the EXE headers, find where this data is stored, extract it, and decrypt it using GnuPG or any other PGP library.

Nickolay Olshevsky
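The carving step the answer describes, as an added example that is not code from the question, the answer, or PGP itself. It assumes the SDA stub stores the OpenPGP message as an "overlay", raw bytes appended after the last PE section's file data; a stub that instead embeds the message in a resource needs different offset logic, which is why the example checks that the carved bytes actually start like an OpenPGP packet (RFC 4880 §4.2) before trusting them. The sample executable and payload are constructed in the code (a valid PE header skeleton with a fake SKESK packet header appended; it is not a decryptable message). Python is used rather than the asker's PHP since the offset arithmetic is identical in any language.

```python
"""Carve an appended OpenPGP message out of a PE (.exe) stub.

Added example, not code from the original question or answer. Assumes the
message is an overlay after the last section; real stubs may differ.
"""
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def overlay_offset(pe: bytes) -> int:
    """Return the file offset where data beyond every PE section begins."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)   # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sect_table = coff + COFF_HEADER_SIZE + opt_size
    end = sect_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        hdr = sect_table + i * SECTION_HEADER_SIZE
        # Section header: Name(8) VirtualSize(4) VirtualAddress(4)
        # SizeOfRawData(4) PointerToRawData(4) ...
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def extract_overlay(pe: bytes) -> bytes:
    """Bytes following the last section: the candidate PGP message."""
    return pe[overlay_offset(pe):]


def looks_like_openpgp(data: bytes) -> bool:
    """Sanity check: ASCII armor, or a binary packet tag a message can start with."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return True
    if not data:
        return False
    ctb = data[0]
    if not ctb & 0x80:                       # bit 7 is set on every packet header
        return False
    tag = ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F   # new vs old format
    # 1 PKESK, 3 SKESK (passphrase), 8 compressed, 9 / 18 encrypted data
    return tag in (1, 3, 8, 9, 18)


# Constructed sample: old-format SKESK header (tag 3), version 4, AES-256,
# iterated+salted S2K with SHA-256, zero salt. Illustrative header only.
SAMPLE_PAYLOAD = bytes([0x8C, 0x0D, 0x04, 0x09, 0x03, 0x08]) + b"\0" * 8 + b"\x60"


def build_sample_exe(payload: bytes) -> bytes:
    """Constructed minimal PE32 skeleton with one section and `payload` appended."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = bytes(opt_size)                        # zeros suffice for this parser
    section_data_off, section_data = 0x200, b"\xCC" * 0x40
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(section_data), 0x1000,
                          len(section_data), section_data_off, 0, 0, 0, 0, 0x60000020)
    head = (bytes(dos) + PE_SIGNATURE + coff + optional + section).ljust(section_data_off, b"\0")
    return head + section_data + payload


if __name__ == "__main__":
    exe = build_sample_exe(SAMPLE_PAYLOAD)
    blob = extract_overlay(exe)
    print(f"overlay at 0x{overlay_offset(exe):x}, {len(blob)} bytes, "
          f"OpenPGP-like: {looks_like_openpgp(blob)}")
```

Once the carved bytes pass the check, write them to a file and hand them to a real OpenPGP implementation for the actual decryption, for example `gpg --batch --pinentry-mode loopback --passphrase-fd 0 --decrypt carved.pgp` with the passphrase on stdin, so the daemon never has to drive the stub's GUI. If `looks_like_openpgp` fails on a real SDA, the message is most likely stored somewhere other than the overlay (a resource, for instance), and the offset should be located by inspecting the file rather than assumed.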