Monday, October 4, 2010

Cracking Cleanersoft Free Hide Folder Security


Cleanersoft Free Hide Folder is a "security" tool used to hide your folders. The program has a simple, password-protected interface that lets you hide and unhide selected folders. Our objectives here are to find where it stores the information about which folders are hidden, and to recover the password.

Finding where the folder information is stored

We will use the easiest approach: watch which files and registry keys the program (fhide.exe) writes to with Process Monitor while hiding a folder (in this case C:\test). That should show us where it is writing, and this approach worked out well.

Well, what have we here. We see a file operation on my C:\test folder: it renamed the folder to "CHKDSK.100ÿÿ", followed by a registry key creation at "HKCU\Software\Microsoft\Windows\CurrentVersion\Namespace\getPrefix0".

First, let's confirm the folder was renamed. Since it is hidden, I will run the command "DIR /A:SH CHKDSK.*" (the /A:SH shows hidden and system files and folders). Wow... it's right there, great hiding trick.... Is it accessible? Run "cd CHKDSK.100ÿÿ". Looks like we can.

Okay, let's see what's hidden here with a "Dir" command, and we see private.txt. Well, it should be encrypted, right? Guess again... "Type private.txt" shows the contents.

Well, we are off to a bad start for security. But how would we know where these are hidden if we didn't hide them ourselves? How can we find them? Let's check out that registry key and take a look at the values there.
  • getPrefix0 = E
  • Declaration0 = X:*XSPWHP.377ÿÿ
  • Javax0 = X:*gvhg
Hmmm.... Declaration0 and Javax0 both start with X:*, interesting. Let's make another hidden folder called C:\test123, which becomes CHKDSK.101ÿÿ. Now we have 3 new values: the same names as above, but with a one at the end instead of a zero.
  • getPrefix1 = E
  • Declaration1 = X:*XSPWHP.373ÿÿ
  • Javax1 = X:*gvhg321
Okay, starting to see a pattern. It looks like Declaration is the new hidden folder name and Javax is its unhidden name; getPrefix stayed the same. It appears to be a simple substitution cipher. The easy way to figure it out? Make a folder called C:\abcdefghijklmnopqrstuvwxyz1234567890, put its name side by side with the encrypted value, and we have a key chart ;-).
  • C:\abcdefghijklmnopqrstuvwxyz1234567890
  • X:*zyxwvutsrqponmlkjihgfedcba3215894067
Looks like the alphabet is just backwards, and "\" becomes "*". The only thing different is the numbers, but that's not a big deal, since we now have the key above anyway. So now we can decrypt the Declaration and Javax values: they hold the folder names, both hidden and unhidden, just as we thought.

The last is the getPrefix value. I had one folder unhidden while I was working and the value changed to "W". So it seems "E" means hidden and "W" means not hidden. I'd say we have this down now.

Finding The Password

The last thing to attack is the password for the program (in this case it is "Password"). Let's check the registry again. There is one more value here:
  • BAR = Kzhhdliw
Surprise: my password and this value are the same length, and the 3rd and 4th characters repeat. Let's just try to decrypt it with our key chart above and... yep, that's our password. With this information I was able to code a little tool that exploits this as a proof of concept, for academic reasons (and to only be used for that). I call the tool "Free Unhide Folder" (original, huh?).
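As an added example (this is not the author's "Free Unhide Folder" tool), here is a small Python decoder that applies the key chart from the substitution-cipher section above to the registry values quoted in this post: the Declaration/Javax folder names and the BAR password value. The registry values are embedded as a constructed dictionary copied from the post; the script does not read a live registry, and the record layout it assumes (getPrefixN/DeclarationN/JavaxN triplets, "E" = hidden, "W" = unhidden) is the one described above.

```python
# Added example, not the blog's "Free Unhide Folder" tool: a decoder for the fixed
# substitution cipher recovered from the key chart above, applied to a constructed
# copy of the registry values quoted in the post.

# Key chart from the post: folder C:\abcdefghijklmnopqrstuvwxyz1234567890 was stored
# as X:*zyxwvutsrqponmlkjihgfedcba3215894067 (letters reversed, digits shuffled,
# backslash -> '*'). Uppercase letters follow the same reversal (C -> X).
PLAIN = "abcdefghijklmnopqrstuvwxyz1234567890\\"
CIPHER = "zyxwvutsrqponmlkjihgfedcba3215894067*"

ENCODE = {}
DECODE = {}
for p, c in zip(PLAIN, CIPHER):
    for plain_ch, cipher_ch in ((p, c), (p.upper(), c.upper())):
        ENCODE[plain_ch] = cipher_ch
        DECODE[cipher_ch] = plain_ch


def encode(text):
    """Apply the program's substitution; unmapped characters (':', '.', 0xFF) pass through."""
    return "".join(ENCODE.get(ch, ch) for ch in text)


def decode(text):
    """Reverse the substitution. No key is involved, so any stored value is readable."""
    return "".join(DECODE.get(ch, ch) for ch in text)


# Constructed copy of the values seen under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Namespace after hiding C:\test and
# C:\test123 with the password "Password" (copied from the post, not read from a live
# registry). 'ÿ' is U+00FF, the trailing characters of the CHKDSK.* names.
SAMPLE_VALUES = {
    "getPrefix0": "E",
    "Declaration0": "X:*XSPWHP.377ÿÿ",
    "Javax0": "X:*gvhg",
    "getPrefix1": "E",
    "Declaration1": "X:*XSPWHP.373ÿÿ",
    "Javax1": "X:*gvhg321",
    "BAR": "Kzhhdliw",
}


def hidden_folders(values):
    """Group the getPrefixN/DeclarationN/JavaxN triplets into decoded folder records.

    getPrefix:   'E' = hidden, 'W' = unhidden (as observed in the post).
    Declaration: the CHKDSK.* name the folder was renamed to on disk.
    Javax:       the folder's original name.
    """
    records = []
    n = 0
    while f"Declaration{n}" in values:
        records.append({
            "index": n,
            "hidden": values.get(f"getPrefix{n}") == "E",
            "on_disk": decode(values[f"Declaration{n}"]),
            "original": decode(values.get(f"Javax{n}", "")),
        })
        n += 1
    return records


def recover_password(values):
    """The BAR value is the password passed through the same substitution."""
    return decode(values["BAR"])


if __name__ == "__main__":
    for rec in hidden_folders(SAMPLE_VALUES):
        state = "hidden" if rec["hidden"] else "unhidden"
        print(f"[{rec['index']}] {rec['original']} -> {rec['on_disk']} ({state})")
    print("password:", recover_password(SAMPLE_VALUES))
```

The takeaway for anyone evaluating a tool like this is in the `decode` function: the mapping is a fixed table with no secret, so it is obfuscation rather than encryption, and whoever can read the user's HKCU hive can read every stored path and the password. Folder "hiding" of this kind adds nothing on top of NTFS permissions or real file encryption, and the renamed CHKDSK.* directories remain visible to an ordinary `DIR /A:SH`.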