Friday, April 10, 2020

Gilisoft USB Encryption 10.0.0: Lies About Encryption

Gilisoft USB Encryption v10.0.0 is a popular product marketed as a USB/flash drive encryption solution. It appears to be a continuation of the now discontinued Wondershare USB Drive Encryption product. Gilisoft's product description claims that it uses AES-256 on-the-fly encryption to secure your files. However, after examining how this application, as well as the former Wondershare USB Drive Encryption product, actually stores data, I discovered that no file encryption takes place at all, which makes that statement a blatant lie. Furthermore, your password is stored in plain text alongside your unencrypted files in the application's hidden data store, an NTFS Alternate Data Stream on the drive's NTFS file system.

In this short article, I'm going to show you not only how to recover your password, but also how this application stores your files. To begin, I prepared an 8 GB flash drive and created a 65 MB secure section for storing files. I used the provided agent.exe, which the product places on the drive, to open the secure section with my chosen password, and placed a simple text file named SecretStuff.txt in it to be "encrypted".

Afterwards, I followed the manufacturer's guidelines to correctly close this "secure area".

After this, most consumers would be under the belief that their files have been securely encrypted. Let's dive a little deeper and take a look at how this is simply not the case.

NTFS Alternate Data Streams

Alternate Data Streams (ADS for short) are a feature of the NTFS file system, originally added for compatibility with the Macintosh file system and its resource forks. A file record can hold more than one stream of data, which effectively lets you store multiple files under a single file name. The feature is rarely needed today, and most file viewers, including Windows Explorer, give no indication that additional streams exist and provide no way to read them (on the command line, dir /r and PowerShell's Get-Item -Stream * will list them). This has allowed this tool, as well as many strains of malware, to hide files on a drive or partition without the user ever noticing. With this knowledge, we can use a tool from Nirsoft called AlternateStreamView to view these streams. Let's take a look at our flash drive.

It located several streams on the drive. Most of them appear to be libraries used by the agent.exe program, but the most interesting one is data.img, which is approximately the 65 MB I specified for secure storage. Let's use the tool to save this stream to a regular file and take a closer look at it in a hex editor.

After opening the extracted file in HxD, I immediately saw my chosen password stored in plain text near the beginning of the file:

After scrolling down a bit, I noticed the start of an NTFS volume at offset 0x800. The boot sector is easy to recognise: it carries the "NTFS    " OEM ID at bytes 3 to 10 and the 55 AA signature in the last two bytes of the sector. The volume appears to run the full remaining length of the file.

Knowing this, we can simply delete the first 0x800 bytes (everything in front of the boot sector) and save the result as a raw NTFS image that can be opened in an appropriate viewer.

My viewer of choice for this is 7-zip, which opens raw NTFS images directly. After opening the carved image, I immediately see my file SecretStuff.txt. Extracting and opening it makes clear that the file was never encrypted.
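To make the carving repeatable, here is a small Python script, added for this article and not part of the product or of the tools used above. It takes the extracted data.img stream, finds the NTFS boot sector by its OEM ID and 55 AA signature instead of trusting the 0x800 offset, writes everything from there on as a raw NTFS image that 7-zip can open, and prints the printable strings in the header in front of it, which is where the password was found. The password offset inside the header (0x10), the sample blob and its toy 128-sector volume are constructed for the demo; nothing is known about the real header layout beyond the password being stored in plain text.

```python
"""Carve the password and the hidden NTFS volume out of a data.img-style stream.

Added example written for this post; not Gilisoft's, Wondershare's or the author's
code. Assumes the layout the post reports: a header (0x800 bytes on the tested
drive) that holds the password as plain ASCII, followed by a raw NTFS volume.
The boot sector is located by its "NTFS    " OEM ID and 0x55AA signature rather
than by a fixed offset. build_sample_blob() constructs a stand-in for the demo.
"""
import struct
import sys

SECTOR = 512
NTFS_OEM_ID = b"NTFS    "      # bytes 3..10 of every NTFS boot sector


def find_ntfs_boot_sector(blob: bytes) -> int:
    """Offset of the first sector-aligned NTFS boot sector in blob, or -1."""
    for off in range(0, len(blob) - SECTOR + 1, SECTOR):
        if (blob[off + 3:off + 11] == NTFS_OEM_ID
                and blob[off + 510:off + 512] == b"\x55\xaa"):
            return off
    return -1


def parse_boot_sector(bs: bytes) -> dict:
    """Pull the BPB fields needed to sanity-check the carved volume."""
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    total_sectors, mft_lcn = struct.unpack_from("<QQ", bs, 0x28)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        # NTFS stores TotalSectors without the backup boot sector in the last sector
        "volume_bytes": bytes_per_sector * (total_sectors + 1),
        "mft_offset": mft_lcn * sectors_per_cluster * bytes_per_sector,
    }


def printable_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for runs of printable ASCII, like the `strings` tool."""
    start = None
    for i, b in enumerate(data + b"\x00"):      # NUL sentinel flushes a trailing run
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None


def carve(blob: bytes) -> dict:
    """Split blob into header strings (password candidates) and the NTFS image."""
    off = find_ntfs_boot_sector(blob)
    if off < 0:
        raise ValueError("no NTFS boot sector found; is this really a data.img stream?")
    boot = parse_boot_sector(blob[off:off + SECTOR])
    image = blob[off:]
    return {
        "ntfs_offset": off,
        "header_strings": list(printable_strings(blob[:off])),
        "boot": boot,
        "image": image,
        "image_complete": len(image) >= boot["volume_bytes"],   # truncation check
    }


def build_sample_blob(password: bytes, header_len: int = 0x800) -> bytes:
    """Constructed stand-in for an extracted data.img (demo data, not a real drive):
    password in the header, then a minimal NTFS boot sector and an empty 128-sector body."""
    header = bytearray(header_len)
    header[0x10:0x10 + len(password)] = password     # plain text, as seen in HxD
    total_sectors = 127                               # BPB value excludes backup boot sector
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x52\x90"                       # jump over the BPB
    boot[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", boot, 0x0B, SECTOR, 8)   # BytesPerSector, SectorsPerCluster
    boot[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<QQQ", boot, 0x28, total_sectors, 4, 8)   # TotalSectors, $MFT, $MFTMirr
    boot[510:512] = b"\x55\xAA"
    return bytes(header) + bytes(boot) + bytes(SECTOR * total_sectors)


if __name__ == "__main__":
    # usage: python carve_dataimg.py data.img secure.ntfs   (data.img as saved by AlternateStreamView)
    with open(sys.argv[1], "rb") as f:
        result = carve(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(result["image"])
    print(f"NTFS volume at 0x{result['ntfs_offset']:X}, "
          f"{result['boot']['volume_bytes']} bytes, complete={result['image_complete']}")
    for off, s in result["header_strings"]:
        print(f"header string at 0x{off:X}: {s}")
```

On Windows, Python's open() accepts the host:stream syntax for alternate data streams, so once AlternateStreamView has told you the host file and stream name the blob can be read directly instead of being extracted first. The image_complete flag compares the carved length with the volume size recorded in the boot sector; a false value means the stream was truncated or the wrong sector was taken as the start.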

This is proof that the claims by Wondershare and Gilisoft that this product employs encryption are completely false: the only thing between an attacker and your files (and your password) is the fact that Explorer does not show alternate data streams. This is false advertising and deceitful to the customers who chose this product because they believed it was secure. I hope this article has helped to expose these fraudulent claims and helps you make a more informed decision when choosing your security products. Until next time, happy reversing.

Saturday, July 7, 2018

Inline Empty Byte Finder

Inline Empty Byte Finder is a tool designed to help you find a location inside an executable or DLL file where you can place an inline patch or code cave. It can check for specific section flags (for example, executable) so that the location meets the requirements of your inline patch. It searches for runs of empty bytes at least as large as the size you specify, and also lists how many extra bytes are available at each offset.

  • Drag and Drop Support
  • Command line Support
  • Define Empty Byte Value
  • Define needed Section Flags
1.0 Download:

1.3 Update:

New Features:
  • Follow Offset or RVA in Hiew
  • Added Column Sorting
1.3 Download:

Tuesday, September 19, 2017

PE Appended Data Viewer 1.02

PE Appended Data Viewer is a tool designed to view and save the overlay of a PE file, that is, the data appended after the end of the last section, which the loader does not map into memory and which installers and packers often use to store payloads.

  • x86 and x64 support
  • Save Data or Data Selection
  • Xor Decryption
  • Begin and End Selection
  • Data Interpreter

New in 1.02:
  • Added Entropy Testing
  • Added Hashing/CRC-32
  • Added Ability to Register Shell Extension
  • Added Hex Values to Data Interpreter
  • Added Select Range Form
  • Added Ability to Load Appended Data Using Virtual Size
  • Fixed Memory Leak on Drag and Drop of New File
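Both tools above work from the PE section table: the overlay begins where the last section's raw data ends, and a code cave is a run of empty bytes inside a section whose characteristics allow what the inline patch needs (usually execution). The following Python script is added here as an illustration and is not the code of either tool. It parses the section table, computes the overlay offset (with an option to use VirtualSize instead of SizeOfRawData, in the spirit of the 1.02 feature above), and lists caves in sections carrying the required flags together with the full run length, so the extra bytes beyond the requested size are visible. The sample image it builds is a constructed minimal PE with no optional header, two sections and 16 bytes of appended data, not a real executable; the field offsets follow the PE/COFF specification.

```python
"""Overlay and code-cave finder over the PE section table.

Added illustration for the two tools described above; not their code. Field offsets
are those of the PE/COFF specification. build_sample_pe() constructs a minimal
image for the demo (no optional header, two sections, appended data); it is not
a real executable.
"""
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)          # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "rva": rva, "raw_size": rsize,
                         "raw_ptr": rptr, "characteristics": chars})
    return sections


def overlay_offset(pe: bytes, sections: list, use_virtual_size: bool = False) -> int:
    """File offset where appended data starts: end of the section reaching furthest
    into the file. With use_virtual_size, a section counts only the bytes the loader
    maps (VirtualSize) when SizeOfRawData has been padded beyond them."""
    end = 0
    for s in sections:
        if s["raw_size"] == 0:                    # purely virtual section (.bss style)
            continue
        size = min(s["raw_size"], s["virtual_size"]) if use_virtual_size else s["raw_size"]
        end = max(end, s["raw_ptr"] + size)
    return min(end, len(pe))                      # sections reaching EOF: no overlay


def overlay(pe: bytes, sections: list, use_virtual_size: bool = False) -> bytes:
    return pe[overlay_offset(pe, sections, use_virtual_size):]


def find_caves(pe: bytes, sections: list, min_len: int, empty: int = 0x00,
               required_flags: int = IMAGE_SCN_MEM_EXECUTE) -> list:
    """Runs of `empty` bytes of at least min_len inside sections carrying all of
    required_flags. size is the whole run, so size - min_len is the spare room."""
    caves = []
    for s in sections:
        if (s["characteristics"] & required_flags) != required_flags:
            continue
        start = s["raw_ptr"]
        data = pe[start:start + s["raw_size"]]
        i = 0
        while i < len(data):
            if data[i] != empty:
                i += 1
                continue
            j = i
            while j < len(data) and data[j] == empty:
                j += 1
            if j - i >= min_len:
                caves.append({"section": s["name"], "file_offset": start + i,
                              "rva": s["rva"] + i, "size": j - i})
            i = j
    return caves


def build_sample_pe() -> bytes:
    """Constructed demo image: .text = 0x100 NOPs + 0x100 zero bytes (a cave),
    .data = zeros with VirtualSize < SizeOfRawData, then 16 bytes of overlay."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0, 0x102)
    sec = 0x58                                                   # section table follows COFF header
    struct.pack_into("<8sIIII", hdr, sec, b".text", 0x100, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", hdr, sec + 36, 0x60000020)            # CODE | EXECUTE | READ
    struct.pack_into("<8sIIII", hdr, sec + 40, b".data", 0x180, 0x2000, 0x200, 0x400)
    struct.pack_into("<I", hdr, sec + 76, 0xC0000040)            # INITIALIZED_DATA | READ | WRITE
    text = b"\x90" * 0x100 + b"\x00" * 0x100
    data = b"\x00" * 0x200
    return bytes(hdr) + text + data + b"OVERLAY-DATA-123"


if __name__ == "__main__":
    # usage: python pe_overlay_caves.py <file.exe> [min_cave_bytes]
    with open(sys.argv[1], "rb") as f:
        pe = f.read()
    secs = parse_sections(pe)
    ov = overlay_offset(pe, secs)
    print(f"overlay at 0x{ov:X}, {len(pe) - ov} bytes")
    for c in find_caves(pe, secs, int(sys.argv[2]) if len(sys.argv) > 2 else 32):
        print(f"{c['section']:8} offset 0x{c['file_offset']:X} RVA 0x{c['rva']:X} size {c['size']}")
```

Pass empty=0xCC to hunt for INT3 padding instead of zero bytes, and required_flags=0 to list caves in every section; a cave in a non-executable section is only useful for data, not for an inline patch, which is why the executable flag is the default.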



Monday, July 31, 2017

JexePack Unpacker

JexePack Unpacker is a freeware utility that unpacks JexePack-wrapped Java applications.


Download Version 2:

exe4j Unpacker

exe4j Unpacker is a freeware utility that unpacks exe4j-wrapped Java applications.

Please consider making a donation if used within a commercial environment.

Thursday, July 13, 2017

Launch4J Unpacker: Updated 07/26/2017

Launch4J Unpacker is a free utility to extract the embedded JAR archive from a Launch4J-wrapped Java program.

07/26/2017: Version 1.01 Released:
  • Added Support for Launch4j applications signed with sign4j.

Version 1.01:

Version 1.0:

Clicklocker Unpacker/Removal Tool

Clicklocker Unpacker is a free DRM removal utility which automatically extracts the original unprotected file from a Clicklocker-protected application, ebook, image, or video.