Cracking Cleanersoft Free Hide Folder Security

Cracking Cleanersoft Free Hide Folder Security

Introduction

Cleanersoft Free Hide Folder is a "security" tool used to hide your folders. The program uses a simple interface that is protected by a password that lets you hides and unhides selected folders. Our target objectives here will be to find where it is hiding the information about what folders are hidden and recover the password.

Finding where the folder information is stored

Well, We will use the easiest approach, see what files and registry keys the program (fhide.exe) writes to using Process Monitor while hiding a folder (in this case C: est). This should show us where it is writing to and it seems this approach worked out well.

Well, What have we here. We see a file operation on my C: est folder, it renamed the folder "CHKDSK.100��" and that is followed by a registry key creation at "HKCUSoftwareMicrosoftWindowsCurrentVersionNamespacegetPrefix0".

First lets confirm the folder was renamed. since it is hidden I will run the command line command "DIR /A:SH CHKDSK.*" (the /A:SH will show hidden and system files and folders). Wow... Its right there, great hiding trick.... is it accessible? Run a "cd CHKDSK.100��". Looks like we can.

Okay, Lets see whats hidden here with a "Dir" command and we see private.txt. Okay, well it should be encrypted right? guess again... "Type private.txt".

Well We are off a bad start for security. But how do we know where these are hidden if we didnt hide them? How can we find them? Well lets check out that registry key. Okay. Lets take a look at the keys here.

• getPrefix0 = E
• Declaration0 = X:*XSPWHP.377��
• Javax0 = X:*gvhg

Hmmm.... Declaration0 and Javax0 both start with X:*, interesting. well. Lets make another hidden folder called C: est123 which becomes CHKDSK.101��. Well, now we have 3 new keys. they are the same names as above but instead we have a one at the end instead of zero.

• getPrefix1 = E
• Declaration1 = X:*XSPWHP.373��
• Javax1 = X:*gvhg321

Okay, Starting to see a pattern. It looks like Declaration is for the new hidden file name. Javax is for what its unhidden name. getPrefix stayed the same. It appears to be a simple substitution cipher. The easy way to figure it out? Well, Let make a folder called C:abcdefghijklmnopqrstuvwxyz1234567890 and put it side by side with encrypted value and we have a key chart ;-).

• C:abcdefghijklmnopqrstuvwxyz1234567890
• X:*zyxwvutsrqponmlkjihgfedcba3215894067

Looks like the alphabet is just backwards. "/" becomes "*". The only thing different is the numbers but not that big of a deal, since we now see the key above anyways. So now we can decrypt the Declaration and Javax keys. they point to the folders, both hidden and unhidden names, just as we thought.

The last is the getPrefix key. I had one folder unhidden when I was working and the key value changed to "W". So it seems that "E" means it is hidden, "W" means not hidden. So Id Say we have this down now.

Finding The Password

Last thing to attack is the password for the program (in this case it is "Password"). Lets check more into the registry. There is one more key here:

• BAR - Kzhhdliw

Surprise. my password and this key are both the same length. the 3rd and 4th characters repeat. Lets just try to decrypt it with our key chart above and... yep, thats our password... So with this information I was able to code a little tool that can exploit this to prove concept for academic reasons (And to only be used for that). I call the tool "Free Unhide Folder" (original huh?).

Resources

CleanerSoft Free Hide Folder:
http://www.cleanersoft.com/hidefolder/free_hide_folder.htm

Substitution cipher:
http://en.wikipedia.org/wiki/Substitution_cipher

Substitution cipher solver:
http://www.purplehell.com/riddletools/applets/cryptogram.htm

Free Unhide Folder (Source[vb.net 2008] and Binary):
http://packetstormsecurity.org/1010-exploits/FreeUnHideFolder.zip

download
alternative link download