How the USB flash drive encryption tool is encrypted

After using a USB flash drive or a mobile hard drive encryption tool to encrypt folders, I cannot use the File sniffer tool to see the encrypted files. When I use the KingSoft Antivirus tool, it seems that these files are hidden and saved in Thumbs. dn7. medium (where 7. 7 is sometimes another number), but I still cannot access it directly, so I have studied this encryption tool specially. Next I will share some of my experiences.
We first create a folder such as lskr on disk D, that is, the address is D: folder.

In "my computer-tools-Folder Options-View", we checked "show all files and folders" and "Hide protected operating system files (recommended) ". Check" Display System Folder content ". Two other hidden files are displayed. dn and desktop. ini, In the desktop. the content in ini is :[. shellClassInfo] InfoTip = folder IconIndex = 2 iconfile#addpass.exe ConfirmFileOp = 1. It seems useless to us. You don't have to worry about it. Let's look at Thumbs again. the dn size is 850KB, which is similar to the total size of the two files. You don't have to worry about it. The two files must be hidden in it. Double-click them to access Thumbs. dn, found there is a "Add Printer" and "Microsoft Office Document Image Writer", did not find the file we are looking for, where are the two files?

We are at start-run-Enter cmd, OK and enter MS-DOS, enter "cd" press Enter C:, enter "D:" press Enter enter D:, enter "cd d: lskrThumbs. dn "to go to Thumbs. dn, and then enter "dir/a". At this time, we found several files: 117789687,117 789687LIST. men, 1.mem, 2. mem and desktop. ini, we found 1.mem, 2. mem is about the same size as the two files that were first put in. Therefore, they should be encrypted custom format files. We can copy them directly, run the command "copy 1.mem D:" and "copy 2.mem D: copy the two files to the D drive, and then change their Suffix from .memto .exe. At this time, we are surprised to find that all of them are cost-effective, which is the same as the files when they are put, except the files, it seems that this so-called USB flash drive encryption is just a simple change to the suffix, and then hide it.

　　

But even though we can find the encrypted file, can we crack the encrypted password next? We found another file 117789687LIST. this file is probably used to save the password. Run the command "copy 117789687LIST. men D: "and" start 117789687LIST. the system prompts that the specified file cannot be found. In this case, we use "attrib 117789687LIST. mem-s-h-r, delete the shr attribute of the file, and then run the command "start 117789687LIST. mem ", opened in a text document, found that it is a long string of characters, originally thought this is the code after the password is encrypted, and then I changed the password to re-encryption, I found that the content of the Code has not changed, but when I increase or decrease the number of files to be encrypted, the content will change.

So I guess this is to store the encrypted file name and other information, and I read another file desktop. ini, which contains [. shellClassInfo] CLSID =, there is also a file 117789687 with the content of 343636303032. When the encryption password is changed, the Code also changes. For example, when the password is changed to 123, the Code becomes 343636, so I decided this was the real password storage file, but I had no idea what encryption method it used.

However, we can use the replacement method to solve the problem. If we forget the password during encryption or view others' encrypted files, we can replace the encryption code that we know the password, so we can use the known password to decrypt the encrypted folder. For example, we can replace code 343636303032 with the code of other encrypted files, and then the decryption password will become 123456.

In this way, our cracking will come to an end. It seems that this encryption does not simply encrypt the file data using an encryption algorithm, but simply hides the file information with a suffix, this prevents the average person from browsing the file content easily. When the software is encrypted, a Thumbs is automatically created. dn folder, convert the original file to 1, 2, 3... is the file name,. mem files are hidden in Thumbs. in the dn folder, create 117789687LIST. men saves the file name, location, and other information. 117789687 saves the password and associates it with the USB flash drive encryption tool. Once you double-click the tool again, the pop-up dialog box requires the password to be confirmed. If the password is correct, restore those files, otherwise they will be rejected.