Early in the morning, I turned on my office computer and was dumbfounded. All the folders and files on every disk except drive C were missing; each disk contained only one "disk encryption King" and one "Technical Support" text document (Figure 1). However, I have never used the "disk encryption King" software, nor handed my computer over to anyone else. What was the problem? Double-clicking "disk encryption King" on drive F displayed the "Mobile decryption" dialog box, which prompted that the password is required for full decryption. I opened the "Technical Support" text file on the disk and found that a QQ number had been left in it. When I contacted that number, I was told that I needed to pay three hundred yuan for decryption. I had installed Windows XP SP2 and Rising 2006 antivirus software on my computer a few days earlier, and I was using the firewall that comes with Windows XP. I did not expect that hackers had intruded over the Internet the day before.
To solve this problem, I first checked the used space on the encrypted disks and found that it had not decreased compared with before the encryption. This confirmed that the data on the disks had not been lost, but had been encrypted by someone with ulterior motives. I started Rising 2006 to scan for viruses and found none. While scanning drives D and E, however, Rising 2006 did scan the folders and files I had saved on those disks; they were all stored in a folder named "Thumbs.dn". That folder cannot be seen when the corresponding disk is opened in My Computer, so the information stored on the disk cannot be reached that way.
I use WinRAR to view hidden folders and files on a disk. Could the hidden "Thumbs.dn" folder be found through WinRAR? I opened WinRAR and used "Change drive" in the "File" menu to switch to drive F. The WinRAR main window displayed all hidden objects on drive F, including "Thumbs.dn" (Figure 2).
By searching for related information, I learned that "disk encryption King" is actually a disk encryption program named "high-strength folder encryption master". It is not affected by the system: unless the data is decrypted with the password, it remains encrypted even if the system is reinstalled or restored with Ghost. It is therefore generally difficult to crack without the password.
Encryption Principle
According to my analysis, the "high-strength encryption master" essentially encrypts folders and files by encrypting their names. The contents of the folders and files are unchanged.
When encrypting folders, the software renames all the folders in the encrypted path, in order, to ~ M (M folders), and adds the code "." after the numeric name of each folder. This code is the code of the Printers system folder, so you must delete it when decrypting the folder; otherwise, you get the printer icon (Figure 3).
When encrypting files, the software likewise renames them with numbers: the base names of all files become "1 ~ N" (N files), and the extension is changed to ".mem".
In the "Thumbs.dn" folder, two files are worth noting: "117789687" and "117789687list.mem", which store password-related information. The "117789687list.mem" file stores the names of the folders and files before encryption and the correspondence between them and the encrypted folder and file names. However, the software developer has processed the data in these two files with an algorithm. Without the password table provided by the software developer, we cannot obtain the password information. In addition, there is a file named "danine.dll" under "%systemroot%\system32", which records the disks and folders that the software has encrypted. You can open it directly with Notepad.
Decrypt folder
Open WinRAR, click "File > Change drive > F", and switch to the disk to be decrypted. In the WinRAR main window, double-click "Thumbs.dn" to open the folder. This folder contains all the folders saved on drive F. Delete the "." code after the number in each folder name. Then select all the folders and click the "Add" button in the toolbar to compress them into one archive, and store it on drive E. Finally, decompress the archive to obtain all the folders stored on drive F and the files saved in them.
Decrypt a file
To decrypt the files stored in the root directory of the disk, there are two cases, depending on whether the file is a RAR file.
1. RAR files
For this type of file, simply select it, click "Decompress to" in the toolbar, and choose the destination path; decompressing the file decrypts it.
2. Non-RAR files
Such files are harder to decrypt. First, try to recall the type of the original file based on the file length. If you cannot remember, try "folder sniffing": sniff all the ".mem" files in the root directory, then click the "test file type" tool in the toolbar to test the file type. Then open WinRAR and change the file name extension ".mem" to the extension of the original file type. Finally, use the "Add" button in the toolbar to compress the file into an archive at a suitable location, and then decompress the archive to obtain the original file.
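
The RAR / non-RAR decision and the file-type test can also be scripted. The following is an added example, not part of the original article or of any tool it names: it identifies each numbered ".mem" file by its leading bytes and copies it out under the matching extension, leaving the originals untouched. The function names and the signature list are assumptions, and the sample files are constructed.

```python
import shutil
import tempfile
from pathlib import Path

# Well-known leading-byte signatures (a small illustrative subset).
SIGNATURES = [
    (b"Rar!\x1a\x07", ".rar"),
    (b"%PDF-", ".pdf"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"PK\x03\x04", ".zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ".doc"),  # OLE2: may also be .xls/.ppt
]

def guess_extension(path):
    """Return the extension implied by the file's first bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            return ext
    return None

def recover_mem_files(src_dir, dst_dir):
    """Copy each numbered N.mem file to dst_dir under its detected extension.

    Unidentified files keep ".mem" for manual inspection. Non-numeric names
    such as "117789687list.mem" are skipped. Returns {source: recovered}.
    """
    dst = Path(dst_dir)
    dst.mkdir(parents=True, exist_ok=True)
    recovered = {}
    for mem in sorted(Path(src_dir).glob("*.mem")):
        if not mem.stem.isdigit():
            continue
        target = dst / (mem.stem + (guess_extension(mem) or ".mem"))
        shutil.copy2(mem, target)  # copy only; never rename the evidence
        recovered[mem.name] = target.name
    return recovered

def demo():
    """Run the recovery on constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "Thumbs.dn")
        src.mkdir()
        (src / "1.mem").write_bytes(b"%PDF-1.4\n% constructed sample")
        (src / "2.mem").write_bytes(b"Rar!\x1a\x07\x00 constructed sample")
        (src / "3.mem").write_bytes(b"constructed text, no signature")
        (src / "117789687list.mem").write_bytes(b"constructed index data")
        return recover_mem_files(src, Path(tmp, "recovered"))

if __name__ == "__main__":
    print(demo())
```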