{"id":1133,"date":"2020-12-06T16:57:13","date_gmt":"2020-12-06T16:57:13","guid":{"rendered":"https:\/\/cybersecthreat.com\/?p=1133"},"modified":"2024-04-01T13:47:08","modified_gmt":"2024-04-01T05:47:08","slug":"retrieve-password-from-exe-part3","status":"publish","type":"post","link":"https:\/\/cybersecthreat.com\/zh\/2020\/12\/06\/retrieve-password-from-exe-part3\/","title":{"rendered":"Retrieve password from exe(3)"},"content":{"rendered":"<p>This article is part three of the &#8220;Extract\/Dump\/Retrieve password from exe&#8221; series. Previously, we discussed unpacking\/decompiling an executable back to its script in <a href=\"https:\/\/cybersecthreat.com\/zh\/extract-password-from-exe-part1\/\">part one<\/a> and dumping connection string credentials in <a href=\"https:\/\/cybersecthreat.com\/zh\/dump-password-from-exe-part2\/\">part two<\/a>. In this article, we will explore how we can retrieve passwords from an exe using other techniques and tools such as <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procmon\">Process Monitor from Sysinternals<\/a> and the debugger <a href=\"https:\/\/x64dbg.com\/#start\">x64dbg<\/a>.<\/p>\n\n\n\n<p>In short, we are going to examine a sample application named <code>LaunchProgram.exe<\/code> developed in Delphi, which aims to perform a similar function to <strong>runas<\/strong> with embedded credentials. 
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-did-this-sample-application-work\">How did this sample application work?<\/h2>\n\n\n\n<p>The workflow of this application is described as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Firstly, this software will read several encrypted parameters including the <strong>password<\/strong> from a file named <strong><code>config.ini<\/code><\/strong>.<\/li>\n\n\n\n<li>Secondly, the program will rebuild the decryption key, which is split into 4 parts inside the source code: 2 of them are plain text, and the other 2 are encrypted internally. For instance, the full encryption key used is <strong><code>AAAAA_BBBBB_CCCCC_DDDDD<\/code><\/strong>.\n<ul class=\"wp-block-list\">\n<li><code>AAAAA_ &amp; _CCCCC_<\/code> are defined as plain text inside the source code<\/li>\n\n\n\n<li><code>BBBBB &amp; DDDDD<\/code> are stored encrypted inside the source code<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Thirdly, this application will decrypt all needed parameters including the password.<\/li>\n\n\n\n<li>Finally, the software will launch another process under the context of another user using either the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/winbase\/nf-winbase-createprocesswithlogonw\"><code>CreateProcessWithLogon API call<\/code><\/a> or <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/psexec\"><code>PsExec from Sysinternals<\/code><\/a>.<\/li>\n<\/ul>\n\n\n\n<p>The following table shows the <strong>default values<\/strong> for this application, but that credential information is <strong>NOT<\/strong> what we actually need. 
<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns alignwide is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<figure class=\"wp-block-table is-style-stripes\"><table><thead><tr><th><code>Parameters<\/code><\/th><th><code>Default Values<\/code><\/th><\/tr><\/thead><tbody><tr><td><code>system_user<\/code><\/td><td><code>K-Sec_Default_User<\/code><\/td><\/tr><tr><td><code>system_domain<\/code><\/td><td><code>K-Sec_Default_Domain<\/code><\/td><\/tr><tr><td><code>system_password<\/code><\/td><td><code>K-Sec_Default_Password<\/code><\/td><\/tr><tr><td><code>system_currentDirectory<\/code><\/td><td><code>C:\\tools\\SysinternalsSuite<\/code><\/td><\/tr><tr><td><code>system_program<\/code><\/td><td><code>C:\\tools\\SysinternalsSuite\\PsExec.exe<\/code><\/td><\/tr><tr><td><code>system_program_parameters<\/code><\/td><td><code>C:\\windows\\system32\\calc.exe<\/code><\/td><\/tr><tr><td><code>UseShellExecute_And_PsExec<\/code><\/td><td><code>1<\/code><\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">Default values of the different parameters hardcoded in the source code<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<p>In fact, the developer has some sense of security and is trying to protect the credentials by encrypting those values using <strong>AES<\/strong>. 
<\/p>\n\n\n\n<p>We have also uploaded the source code of the sample application to our GitHub repository: <a href=\"https:\/\/github.com\/cybersecthreat\/Code_Samples\/tree\/master\/RunAs_Program_Demo\">link<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-detect-it-easy\">Detect it easy<\/h2>\n\n\n\n<p>As usual, we will check the executable using Detect it Easy first.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Detect_it_Easy_LaunchProgram_original.png\"><img loading=\"lazy\" decoding=\"async\" width=\"817\" height=\"471\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Detect_it_Easy_LaunchProgram_original.png\" alt=\"Detect it Easy LaunchProgram original\" class=\"wp-image-1196\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Detect_it_Easy_LaunchProgram_original.png 817w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Detect_it_Easy_LaunchProgram_original-300x173.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Detect_it_Easy_LaunchProgram_original-768x443.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Detect_it_Easy_LaunchProgram_original-600x346.png 600w\" sizes=\"auto, (max-width: 817px) 100vw, 817px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-retrieve-password-from-exe\">Retrieve password from exe<\/h2>\n\n\n\n<p>So, we will start the actual work to retrieve the password from the exe. In our first example, the program will launch another executable using the <strong><code>ShellExecute<\/code><\/strong> function. 
In the second example, the program will launch another executable using the <code>CreateProcessWithLogon API call<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-evaluate-shellexecute-function\">Evaluate <strong><code>ShellExecute<\/code><\/strong> function<\/h3>\n\n\n\n<p>To better visualize how this application works, a screenshot of another executable named <code>LaunchProgram_Config.exe<\/code> is shown below. Please also note the &#8220;<strong>Use ShellExecute and PsExec<\/strong>&#8221; checkbox option. Later on, we will examine both options and their differences. In our exercise, we will assume <code>LaunchProgram_Config.exe<\/code> is protected by the developer and therefore we do not have a copy of it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"711\" height=\"477\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/LaunchProgram_Config.png\" alt=\"LaunchProgram_Config\" class=\"wp-image-1160\" style=\"width:580px;height:389px\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/LaunchProgram_Config.png 711w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/LaunchProgram_Config-300x201.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/LaunchProgram_Config-600x403.png 600w\" sizes=\"auto, (max-width: 711px) 100vw, 711px\" \/><\/figure>\n\n\n\n<p>So, the actual configuration in plain text format is listed below:<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group alignwide\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<figure class=\"wp-block-table 
alignwide\"><table><thead><tr><th><strong><code>Parameters<\/code><\/strong><\/th><th>Values<\/th><\/tr><\/thead><tbody><tr><td><code>system_user<\/code><\/td><td><code>K-Sec_User<\/code><\/td><\/tr><tr><td><code>system_domain<\/code><\/td><td><code>.\\<\/code><\/td><\/tr><tr><td><code>system_password<\/code><\/td><td><code>K-Sec_Password<\/code><\/td><\/tr><tr><td><code>system_currentDirectory<\/code><\/td><td><code>C:\\tools\\SysinternalsSuite<\/code><\/td><\/tr><tr><td><code>system_program<\/code><\/td><td><code>C:\\tools\\SysinternalsSuite\\PsExec.exe<\/code><\/td><\/tr><tr><td><code>system_program_parameters<\/code><\/td><td><code>notepad.exe<\/code><\/td><\/tr><tr><td><code>UseShellExecute_And_PsExec<\/code><\/td><td><code>1<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<p>In brief, <code>LaunchProgram_Config.exe<\/code> will encrypt those parameters and save the encrypted values into the file <code>config.ini<\/code> as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;SYS_UserInfo]\nsystem_user=JiqPyt5ljy2oGvcUYEZRFKB3JYs=\nsystem_domain=QzX\/ZQ==\nsystem_password=JiqPyt5ljy2oGvcUZcZ7zxUuQWRPHBp85VemXg==\nsystem_currentDirectory=LsJaz8lpRl1\/R9Y9GVDZqstqA31Uv5LfXBl89IjSZOkL7oXuH2JaC\/X\/GJaXqeWlEewoYdNJ\nsystem_program=LsJaz8lpRl1\/R9Y9GVDZqstqA31Uv5LfXBl89IjSZOkL7oXuH2JaC\/X\/GJaXqeWlEewoYdNJkAF4He0eMtrUD3s4jvQQlMPcxb4=\nsystem_program_parameters=AyqdX7sgUjEpdIuYYh7nrJRRJjh62w==\nUseShellExecute_And_PsExec=1<\/code><\/pre>\n\n\n\n<p>Firstly, we are going to examine the process using <strong>Process Monitor<\/strong>. 
After launching <strong>Process Monitor<\/strong>, we applied a filter to show only events whose &#8220;Command Line&#8221; contains <code>LaunchProgram<\/code>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"668\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram-1024x668.png\" alt=\"Process Monitor Filter CommandLine LaunchProgram\" class=\"wp-image-1146\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram-1024x668.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram-300x196.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram-768x501.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram-600x392.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram.png 1057w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Then, we started <code>LaunchProgram.exe<\/code> and saw that there were too many results. Therefore, we further filtered the results with Operation is &#8220;<strong>Process Create<\/strong>&#8221;. 
This technique is also useful when performing malware analysis.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_Operation_ProcessCreate.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"551\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_Operation_ProcessCreate-1024x551.png\" alt=\"Process Monitor Filter Operation ProcessCreate\" class=\"wp-image-1147\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_Operation_ProcessCreate-1024x551.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_Operation_ProcessCreate-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_Operation_ProcessCreate-768x413.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_Operation_ProcessCreate-1536x827.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_Operation_ProcessCreate-600x323.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_Operation_ProcessCreate.png 1919w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Finally, we get the password as shown below. It is important to realize that the function <strong><code>ShellExecute<\/code><\/strong> actually asks the OS to create a new process with the requested parameters passed on its command line. 
Therefore, Process Monitor is able to capture the full Command Line.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Show_Password_in_CommandLine.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"550\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Show_Password_in_CommandLine-1024x550.png\" alt=\"Process Monitor Show Password in CommandLine\" class=\"wp-image-1148\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Show_Password_in_CommandLine-1024x550.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Show_Password_in_CommandLine-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Show_Password_in_CommandLine-768x413.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Show_Password_in_CommandLine-1536x825.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Show_Password_in_CommandLine-600x322.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Show_Password_in_CommandLine.png 1919w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-evaluate-createprocesswithlogon-api-call\">Evaluate <code>CreateProcessWithLogon API call<\/code><\/h3>\n\n\n\n<p>Next, we will de-select the &#8220;<code>Use ShellExecute and PsExec<\/code>&#8221; option. 
This option effectively makes the program execute notepad using the <code>CreateProcessWithLogon API call<\/code>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/LaunchProgram_Config_using_CreateProcessWithLogon.png\"><img loading=\"lazy\" decoding=\"async\" width=\"711\" height=\"477\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/LaunchProgram_Config_using_CreateProcessWithLogon.png\" alt=\"LaunchProgram Config using CreateProcessWithLogon\" class=\"wp-image-1174\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/LaunchProgram_Config_using_CreateProcessWithLogon.png 711w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/LaunchProgram_Config_using_CreateProcessWithLogon-300x201.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/LaunchProgram_Config_using_CreateProcessWithLogon-600x403.png 600w\" sizes=\"auto, (max-width: 711px) 100vw, 711px\" \/><\/a><\/figure>\n\n\n\n<p>So, the actual configuration in plain text format is listed below:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong><code>Parameters<\/code><\/strong><\/th><th>Values<\/th><\/tr><\/thead><tbody><tr><td><code>system_user<\/code><\/td><td><code>K-Sec_User<\/code><\/td><\/tr><tr><td><code>system_domain<\/code><\/td><td><code>.\\<\/code><\/td><\/tr><tr><td><code>system_password<\/code><\/td><td><code>K-Sec_Password<\/code><\/td><\/tr><tr><td><code>system_currentDirectory<\/code><\/td><td><code>C:\\<\/code><\/td><\/tr><tr><td><code>system_program<\/code><\/td><td><code>notepad.exe<\/code><\/td><\/tr><tr><td><code>system_program_parameters<\/code><\/td><td><code>C:\\K-Sec\\Retrieve_password_from_exe\\test.txt<\/code><\/td><\/tr><tr><td><code>UseShellExecute_And_PsExec<\/code><\/td><td><code>0<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>In brief, <code>LaunchProgram_Config.exe<\/code> will encrypt those parameters 
and save the encrypted values into the file <code>config.ini<\/code> as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;SYS_UserInfo]\nsystem_user=JiqPyt5ljy2oGvcUYEZRFKB3JYs=\nsystem_domain=QzX\/ZQ==\nsystem_password=JiqPyt5ljy2oGvcUZcZ7zxUuQWRPHBp85VemXg==\nsystem_currentDirectory=DpYG5JHx\nsystem_program=AyqdX7sgUjEpdIuYYh7nrJRRJjh62w==\nsystem_program_parameters=LsJaz8lpeaNbV+DGcxzX5MmWpBfXD01yJMTPFryBWvjF9Ug6BXu9G2lQR4+FTdrlRgKRzyB\/2rt05JnZD5NKOVAiTBo7rUeep1AbwZ1gAj224d2+J61oTw==\nUseShellExecute_And_PsExec=0<\/code><\/pre>\n\n\n\n<p>Again, we will examine the program using <strong>Process Monitor<\/strong> with the following filters:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;Command Line&#8221; contains <code>LaunchProgram<\/code><\/li>\n\n\n\n<li>Operation is &#8220;Process Create&#8221;<\/li>\n<\/ul>\n\n\n\n<p>The following screenshot shows that notepad.exe was launched by LaunchProgram.exe. However, the user is not <code>K-Sec_User<\/code>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram_and_Operation_ProcessCreate.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"533\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram_and_Operation_ProcessCreate-1024x533.png\" alt=\"Process Monitor Filter CommandLine LaunchProgram and Operation ProcessCreate\" class=\"wp-image-1176\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram_and_Operation_ProcessCreate-1024x533.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram_and_Operation_ProcessCreate-300x156.png 300w, 
https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram_and_Operation_ProcessCreate-768x400.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram_and_Operation_ProcessCreate-1536x800.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram_and_Operation_ProcessCreate-600x313.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_LaunchProgram_and_Operation_ProcessCreate.png 1918w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Then, we filter by Command Line contains notepad. Now we know that <code>LaunchProgram.exe<\/code> executes notepad under the security context of user <code>K-Sec_User<\/code>. However, the command line does not reveal the actual password.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_contains_notepad.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_contains_notepad-1024x535.png\" alt=\"Process Monitor Filter CommandLine contains notepad\" class=\"wp-image-1177\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_contains_notepad-1024x535.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_contains_notepad-300x157.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_contains_notepad-768x401.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_contains_notepad-1536x803.png 1536w, 
https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_contains_notepad-600x314.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Process_Monitor_Filter_CommandLine_contains_notepad.png 1919w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-debug-using-x64dbg\">Debug using x64dbg<\/h3>\n\n\n\n<p>Now, we will further evaluate our sample program using x64dbg because we cannot find the credential with Process Monitor. We can simply open <code>LaunchProgram.exe<\/code> via <code>File -&gt; Open<\/code>. Then, you should see something like the image below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_open_LaunchProgram.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_open_LaunchProgram-1024x549.png\" alt=\"x64dbg open LaunchProgram\" class=\"wp-image-1189\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_open_LaunchProgram-1024x549.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_open_LaunchProgram-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_open_LaunchProgram-768x412.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_open_LaunchProgram-1536x824.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_open_LaunchProgram-600x322.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_open_LaunchProgram.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Secondly, press &#8220;F9&#8221; to reach the <code><strong>EntryPoint<\/strong><\/code> as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a 
href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_EntryPoint.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_EntryPoint-1024x549.png\" alt=\"x64dbg LaunchProgram EntryPoint\" class=\"wp-image-1180\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_EntryPoint-1024x549.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_EntryPoint-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_EntryPoint-768x412.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_EntryPoint-1536x824.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_EntryPoint-600x322.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_EntryPoint.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Thirdly, right-click the <strong><code>EntryPoint<\/code><\/strong> and go to &#8220;<code><strong>Search for -&gt; Current Module -&gt; String references<\/strong><\/code>&#8221;. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"548\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references-1024x548.png\" alt=\"\" class=\"wp-image-1185\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references-1024x548.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references-768x411.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references-1536x822.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references-600x321.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references.png 1919w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Below are the results for all strings in the executable, which should be the same as what we can get from strings.exe.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results-1024x549.png\" alt=\"x64dbg LaunchProgram Search for Current 
Module String references results\" class=\"wp-image-1186\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results-1024x549.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results-768x412.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results-1536x824.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results-600x322.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Fourthly, we will try to locate some <strong>interesting keywords<\/strong> and insert our breakpoints. Here we need to guess the program logic and workflow. At this point, what we actually know is that this program will read the encrypted values from <code>config.ini<\/code> and execute notepad. So, we know that there is a parameter named &#8220;<code>system_password<\/code>&#8221; inside <code>config.ini<\/code>. 
Therefore, we will use &#8220;<strong>password<\/strong>&#8221; as our keyword to search.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password-1024x549.png\" alt=\"x64dbg LaunchProgram Search for Current Module String references results seach password\" class=\"wp-image-1187\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password-1024x549.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password-768x412.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password-1536x824.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password-600x322.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Next, we will toggle breakpoint(s) by pressing &#8220;F2&#8221;. So, why do we only select 2 breakpoints here? It is because we guess these 2 instructions are closer to what we are looking for. 
In practice, finding the right breakpoint usually takes a good deal of trial and error. With the breakpoints set, press &#8220;<strong>F9<\/strong>&#8221; to run to the first one, then keep pressing &#8220;<strong>F8<\/strong>&#8221; (Step over) while watching the registers, stack and dump panes for the password. Bear in mind that &#8220;Step over&#8221; is not always the right choice: it executes a <code>call<\/code> as a single step, so if the decryption happens inside that call the plaintext only appears after it returns. If the value never shows up, go back and use &#8220;<strong>F7<\/strong>&#8221; (Step into) on the call instead; it is slower, but it lets you follow the routine itself. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password_toggle_breakpoint.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password_toggle_breakpoint-1024x549.png\" alt=\"x64dbg LaunchProgram Search for Current Module String references results seach password toggle breakpoint\" class=\"wp-image-1188\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password_toggle_breakpoint-1024x549.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password_toggle_breakpoint-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password_toggle_breakpoint-768x412.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password_toggle_breakpoint-1536x824.png 1536w, 
https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password_toggle_breakpoint-600x322.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_Search_for_Current_Module_String-references_results_seach_password_toggle_breakpoint.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Finally, we find the password, &#8220;<code>K-Sec_Password<\/code>&#8221;, as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password1-1024x549.png\" alt=\"x64dbg LaunchProgram find password1\" class=\"wp-image-1181\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password1-1024x549.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password1-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password1-768x412.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password1-1536x824.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password1-600x322.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password1.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>If you miss it the first time, the password turns up again as you keep stepping over.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a 
href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password2-1024x549.png\" alt=\"x64dbg LaunchProgram find password2\" class=\"wp-image-1182\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password2-1024x549.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password2-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password2-768x412.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password2-1536x824.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password2-600x322.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password2.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>If we keep Step Over, we will reach a point that the memory stack stored almost all decrypted parameters. 
Once execution reaches that point, the password is easy to spot in the stack view.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3-1024x549.png\" alt=\"x64dbg LaunchProgram find password3\" class=\"wp-image-1183\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3-1024x549.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3-768x412.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3-1536x824.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3-600x322.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-upx-packer\">UPX Packer<\/h2>\n\n\n\n<p><a href=\"https:\/\/upx.github.io\/\">UPX<\/a> is a packer: it compresses an executable and adds a small stub that decompresses the original code into memory when the program starts. It is not an anti-debugging technique, but it does get in the way of what we did above. Until the stub has run, the original code and its string literals do not exist in memory, so a string-reference search on the freshly loaded module finds nothing useful. (When the UPX header is intact, <code>upx -d<\/code> simply restores the original file; the manual approach is for the cases where it is not.) Let&#8217;s check our sample executable, now packed with UPX, using Detect It Easy. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"817\" height=\"471\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Detect_it_Easy_LaunchProgram_upx.png\" alt=\"Detect it Easy LaunchProgram upx\" class=\"wp-image-1199\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Detect_it_Easy_LaunchProgram_upx.png 817w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Detect_it_Easy_LaunchProgram_upx-300x173.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Detect_it_Easy_LaunchProgram_upx-768x443.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/Detect_it_Easy_LaunchProgram_upx-600x346.png 600w\" sizes=\"auto, (max-width: 817px) 100vw, 817px\" \/><\/figure>\n\n\n\n<p>Now look at the <code>EntryPoint<\/code> of the UPX-packed executable. Instead of the program&#8217;s own start-up code it begins with <code>pushad<\/code>, the first instruction of the UPX stub, which saves all general-purpose registers before the decompression loop runs. What we have to do is find the <strong>Original EntryPoint (OEP)<\/strong>, the address the stub hands control to once the original code has been unpacked. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_EntryPoint.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_EntryPoint-1024x549.png\" alt=\"x64dbg LaunchProgram upx packed EntryPoint\" class=\"wp-image-1201\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_EntryPoint-1024x549.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_EntryPoint-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_EntryPoint-768x412.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_EntryPoint-1536x824.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_EntryPoint-600x322.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_EntryPoint.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>So what we look for is the <code>jmp<\/code> (or <code>call<\/code>) that follows the <strong>popad<\/strong> instruction, which restores the registers saved by <code>pushad<\/code> at the start of the stub. That jump typically goes to an address far from the stub, in the first section (named <code>UPX0<\/code> by default), and its target is the original entry point. Note that the <code>pushad<\/code>\/<code>popad<\/code> pattern is specific to 32-bit code: 64-bit mode has no <code>pushad<\/code>, so the 64-bit UPX stub restores registers with a run of <code>pop<\/code> instructions before its final <code>jmp<\/code>. Now set a breakpoint on that <code>jmp<\/code> instruction. 
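<\/p>\n\n\n\n<p>Both checks in this section, Detect It Easy flagging the packer and the <code>popad<\/code>-then-<code>jmp<\/code> heuristic for locating the OEP, can be scripted. The Python below is an added example, not the article&#8217;s code and not part of UPX: it parses the PE headers, reports the static hints a packer identifier keys on (UPX-named sections, a first section with no raw data, an entry point outside the first section), and scans the stub from the entry point for <code>popad<\/code> followed by a near <code>jmp<\/code> into another section. The PE image it analyses is constructed inline to look like UPX output; it is not a real packed file, and the byte-pattern heuristic applies to the 32-bit stub only.<\/p>

```python
# Added example (not the article's code, not UPX's): static UPX checks plus the popad ; jmp scan for the 32-bit OEP.
import struct

PE_SIGNATURE = bytes.fromhex('50450000')   # the 'PE' signature plus two zero bytes

def parse_pe(data):
    '''(magic, entry_rva, image_base, [(name, va, virtual_size, raw_offset, raw_size), ...])'''
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError('PE signature not found')
    coff, opt = e_lfanew + 4, e_lfanew + 24
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, coff)
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError('unknown optional header magic 0x%x' % magic)
    entry_rva = struct.unpack_from('<I', data, opt + 16)[0]
    fmt, off = ('<I', 28) if magic == 0x10B else ('<Q', 24)   # PE32 vs PE32+
    image_base = struct.unpack_from(fmt, data, opt + off)[0]
    sections, pos = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from('<8sIIII', data, pos)
        sections.append((name.rstrip(bytes(1)).decode('ascii', 'replace'),
                         va, vsize, raw_ptr, raw_size))
        pos += 40
    return magic, entry_rva, image_base, sections

def section_for_rva(sections, rva):
    for sec in sections:
        _, va, vsize, _, raw_size = sec
        if va <= rva < va + max(vsize, raw_size):
            return sec

def upx_indicators(pe):
    '''Static hints that the file is UPX-packed; an empty list means none matched.'''
    _, entry_rva, _, sections = pe
    hints, first = [], sections[0]
    upx_names = [s[0] for s in sections if s[0].startswith('UPX')]
    if upx_names:
        hints.append('UPX section names: ' + ', '.join(upx_names))
    if first[4] == 0 and first[2] > 0:
        hints.append('first section has no raw data; the stub fills it at run time')
    entry_sec = section_for_rva(sections, entry_rva)
    if entry_sec is not None and entry_sec is not first:
        hints.append('entry point is in %s, not in the first section' % entry_sec[0])
    return hints

def find_oep(data, pe):
    '''Scan the stub from the entry point for popad (0x61) followed within a few bytes by a
    near jmp (0xE9 rel32) into another section: that target is the OEP. 32-bit only.'''
    magic, entry_rva, image_base, sections = pe
    if magic != 0x10B:                          # 64-bit code has no popad
        return None
    sec = section_for_rva(sections, entry_rva)
    _, va, _, raw_ptr, raw_size = sec
    stub = data[raw_ptr:raw_ptr + raw_size]
    for i in range(entry_rva - va, len(stub)):
        if stub[i] != 0x61:
            continue
        for k in range(i + 1, min(i + 16, len(stub) - 4)):
            if stub[k] != 0xE9:
                continue
            rel = struct.unpack_from('<i', stub, k + 1)[0]
            target_rva = (va + k + 5 + rel) & 0xFFFFFFFF
            target_sec = section_for_rva(sections, target_rva)
            if target_sec is not None and target_sec is not sec:
                return target_rva, image_base + target_rva, target_sec[0]
    return None

def build_sample_upx_image():
    '''Constructed PE32 that mimics UPX output (not a real packed file): UPX0/UPX1/.rsrc sections.'''
    image_base, oep_rva = 0x400000, 0x3345
    sections = [('UPX0', 0x1000, 0x8000, 0x400, 0),
                ('UPX1', 0x9000, 0x1000, 0x400, 0x200),
                ('.rsrc', 0xA000, 0x1000, 0x600, 0x200)]
    entry_rva = 0x9000 + 0x10
    stub = bytearray(bytes.fromhex('90') * 0x10)
    stub += bytes.fromhex('60')                 # pushad
    stub += bytes.fromhex('be00104000')         # mov esi, 0x401000 (filler)
    stub += bytes.fromhex('61')                 # popad
    stub += bytes.fromhex('8da42480ffffff')     # lea esp, [esp-0x80]
    rel = oep_rva - (0x9000 + len(stub) + 5)    # jmp rel32 is relative to its own end
    stub += bytes.fromhex('e9') + struct.pack('<i', rel)
    hdr = bytearray(0x400)
    hdr[0:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x80)                      # e_lfanew
    hdr[0x80:0x84] = PE_SIGNATURE
    struct.pack_into('<HHIIIHH', hdr, 0x84, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = 0x98
    struct.pack_into('<H', hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into('<I', hdr, opt + 16, entry_rva)
    struct.pack_into('<I', hdr, opt + 28, image_base)
    pos = opt + 0xE0
    for name, va, vsize, raw_ptr, raw_size in sections:
        struct.pack_into('<8sIIII', hdr, pos, name.encode('ascii'), vsize, va, raw_size, raw_ptr)
        pos += 40
    return bytes(hdr + stub.ljust(0x200, bytes(1)) + bytes(0x200))
```

<p>On a real file, read it with <code>open(path, 'rb')<\/code> and pass the bytes to <code>parse_pe<\/code> and <code>find_oep<\/code>; the virtual address it reports is where to set the breakpoint in x64dbg (the image base comes from the header, so adjust it if the module was relocated at load time). The section-name check on its own is weak evidence, since names can be edited after packing; that is why the entry-point and raw-size hints are reported alongside it.<\/p>\n\n\n\n<p>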
With the breakpoint set, press &#8220;F9&#8221; to run to it, then &#8220;F7&#8221; (Step into) to follow the jump, and execution lands on the Original EntryPoint. From here on the unpacked code is in memory, and the string-reference search and breakpoints described above work as before (you may need to re-run analysis on the module first).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_popad.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_popad-1024x549.png\" alt=\"x64dbg LaunchProgram upx packed popad\" class=\"wp-image-1202\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_popad-1024x549.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_popad-300x161.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_popad-768x412.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_popad-1536x824.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_popad-600x322.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_upx_packed_popad.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-summary\">Summary<\/h2>\n\n\n\n<p>With the right reverse-engineering skills, every value the program decrypts can be read out of its memory. We should therefore never assume that an executable can protect a secret it has to use itself. Think of it this way: the executable is the encryption key and the configuration file (config.ini) is the ciphertext, and anyone who can run the program under a debugger holds both. If you have program logic like this, treat the embedded credential as recoverable: give that account only the privileges it needs, and add compensating controls around how and where the program is run. 
<\/p>","protected":false},"excerpt":{"rendered":"<p>This article is part three of &#8220;Extract\/Dump\/Retrieve password from exe&#8221; series. Previously, we have discussed unpack\/decompile an executable back to script in part one and dumping connection string credentials in part two. In this article, we will explore how we can retrieve passwords from exe using other techniques and tools such as Process Monitor from&#8230;<\/p>","protected":false},"author":2,"featured_media":1183,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[42,40,57],"tags":[21,77,17,60],"class_list":["post-1133","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blue-team","category-red-team","category-reverse-engineering","tag-blue-team","tag-delphi","tag-red-team","tag-reverse-engineering"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Retrieve password from exe(3) - CyberSecThreat<\/title>\n<meta name=\"description\" content=\"explore how we can retrieve password from exe using other techniques and tools such as Process Monitor from Sysinternals and debugger x64dbg.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/cybersecthreat.com\/zh\/2020\/12\/06\/retrieve-password-from-exe-part3\/\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Retrieve password from exe(3)\" \/>\n<meta property=\"og:description\" content=\"This article is part three of &quot;Extract\/Dump\/Retrieve password from exe&quot; series. Previously, we have discussed unpack\/decompile an executable back to\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecthreat.com\/zh\/2020\/12\/06\/retrieve-password-from-exe-part3\/\" \/>\n<meta property=\"og:site_name\" content=\"CyberSecThreat\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cybersecthreat\" \/>\n<meta property=\"article:published_time\" content=\"2020-12-06T16:57:13+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-01T05:47:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1030\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kelvin Yip\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:site\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005:\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kelvin Yip\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u4f30\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/\"},\"author\":{\"name\":\"Kelvin Yip\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\"},\"headline\":\"Retrieve password from exe(3)\",\"datePublished\":\"2020-12-06T16:57:13+00:00\",\"dateModified\":\"2024-04-01T05:47:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/\"},\"wordCount\":1141,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/12\\\/x64dbg_LaunchProgram_find_password3.png\",\"keywords\":[\"Blue Team\",\"Delphi\",\"Red Team\",\"Reverse Engineering\"],\"articleSection\":[\"Blue Team\",\"Red Team\",\"Reverse Engineering\"],\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/\",\"name\":\"Retrieve password from exe(3) - 
CyberSecThreat\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/12\\\/x64dbg_LaunchProgram_find_password3.png\",\"datePublished\":\"2020-12-06T16:57:13+00:00\",\"dateModified\":\"2024-04-01T05:47:08+00:00\",\"description\":\"explore how we can retrieve password from exe using other techniques and tools such as Process Monitor from Sysinternals and debugger x64dbg.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#breadcrumb\"},\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/12\\\/x64dbg_LaunchProgram_find_password3.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/12\\\/x64dbg_LaunchProgram_find_password3.png\",\"width\":1920,\"height\":1030,\"caption\":\"x64dbg LaunchProgram find password3\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Red Team\",\"item\":\"https:\\\/\\\/cybersecthreat.com\\\/category\\\/red-team\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Retrieve password from 
exe(3)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"name\":\"CyberSecThreat\",\"description\":\"CyberSecurity Solutions\",\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cybersecthreat.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-TW\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\",\"name\":\"CyberSecThreat Corporation Limited.\",\"alternateName\":\"CyberSecThreat\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/cybersecthreat\",\"https:\\\/\\\/x.com\\\/cybersecthreat\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/cybersecthreat-corporation-limited\"],\"description\":\"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\\\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. 
CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\\\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! 
Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.\",\"legalName\":\"CyberSecThreat Corporation Limited.\",\"foundingDate\":\"2021-01-23\",\"address\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#local-main-place-address\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":\"25.0600452\",\"longitude\":\"121.4594381\"},\"telephone\":[\"(+886) 02 - 77527628\"],\"openingHoursSpecification\":[{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\",\"Sunday\"],\"opens\":\"09:00\",\"closes\":\"18:00\"}],\"email\":\"info@cybersecthreat.com\",\"areaServed\":\"Taiwan\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\",\"name\":\"Kelvin Yip\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"caption\":\"Kelvin Yip\"},\"sameAs\":[\"https:\\\/\\\/cybersecthreat.com\"],\"knowsAbout\":[\"CyberSecurity\"],\"knowsLanguage\":[\"English\",\"Chinese\"],\"jobTitle\":\"Founder, CEO\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/zh\\\/author\\\/kelvinyip-m\\\/\"},{\"@type\":\"PostalAddress\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#local-main-place-address\",\"streetAddress\":\"9 F.-A6, No. 
601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)\",\"addressLocality\":\"New Taipei City\",\"postalCode\":\"242032\",\"addressRegion\":\"Taiwan\",\"addressCountry\":\"TW\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/12\\\/06\\\/retrieve-password-from-exe-part3\\\/#local-main-organization-logo\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"width\":164,\"height\":164,\"caption\":\"CyberSecThreat Corporation Limited.\"}]}<\/script>\n<meta name=\"geo.placename\" content=\"New Taipei City\" \/>\n<meta name=\"geo.position\" content=\"25.0600452;121.4594381\" \/>\n<meta name=\"geo.region\" content=\"Taiwan\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Retrieve password from exe(3) - CyberSecThreat","description":"explore how we can retrieve password from exe using other techniques and tools such as Process Monitor from Sysinternals and debugger x64dbg.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecthreat.com\/zh\/2020\/12\/06\/retrieve-password-from-exe-part3\/","og_locale":"zh_TW","og_type":"article","og_title":"Retrieve password from exe(3)","og_description":"This article is part three of \"Extract\/Dump\/Retrieve password from exe\" series. 
Previously, we have discussed unpack\/decompile an executable back to","og_url":"https:\/\/cybersecthreat.com\/zh\/2020\/12\/06\/retrieve-password-from-exe-part3\/","og_site_name":"CyberSecThreat","article_publisher":"https:\/\/www.facebook.com\/cybersecthreat","article_published_time":"2020-12-06T16:57:13+00:00","article_modified_time":"2024-04-01T05:47:08+00:00","og_image":[{"width":1920,"height":1030,"url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3.png","type":"image\/png"}],"author":"Kelvin Yip","twitter_card":"summary_large_image","twitter_creator":"@cybersecthreat","twitter_site":"@cybersecthreat","twitter_misc":{"\u4f5c\u8005:":"Kelvin Yip","\u9810\u4f30\u95b1\u8b80\u6642\u9593":"10 \u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#article","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/"},"author":{"name":"Kelvin Yip","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98"},"headline":"Retrieve password from exe(3)","datePublished":"2020-12-06T16:57:13+00:00","dateModified":"2024-04-01T05:47:08+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/"},"wordCount":1141,"commentCount":0,"publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3.png","keywords":["Blue Team","Delphi","Red Team","Reverse Engineering"],"articleSection":["Blue Team","Red Team","Reverse 
Engineering"],"inLanguage":"zh-TW","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/","url":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/","name":"Retrieve password from exe(3) - CyberSecThreat","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#primaryimage"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3.png","datePublished":"2020-12-06T16:57:13+00:00","dateModified":"2024-04-01T05:47:08+00:00","description":"explore how we can retrieve password from exe using other techniques and tools such as Process Monitor from Sysinternals and debugger x64dbg.","breadcrumb":{"@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#breadcrumb"},"inLanguage":"zh-TW","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/"]}]},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#primaryimage","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3.png","width":1920,"height":1030,"caption":"x64dbg LaunchProgram find 
password3"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Red Team","item":"https:\/\/cybersecthreat.com\/category\/red-team\/"},{"@type":"ListItem","position":2,"name":"Retrieve password from exe(3)"}]},{"@type":"WebSite","@id":"https:\/\/cybersecthreat.com\/#website","url":"https:\/\/cybersecthreat.com\/","name":"\u5947\u8cc7\u5b89","description":"\u7db2\u8def\u5b89\u5168\u65b9\u6848","publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecthreat.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-TW"},{"@type":["Organization","Place"],"@id":"https:\/\/cybersecthreat.com\/#organization","name":"\u5947\u8cc7\u8a0a\u4fdd\u5b89\u53ca\u7db2\u7d61\u6709\u9650\u516c\u53f8","alternateName":"CyberSecThreat","url":"https:\/\/cybersecthreat.com\/","logo":{"@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#local-main-organization-logo"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#local-main-organization-logo"},"sameAs":["https:\/\/www.facebook.com\/cybersecthreat","https:\/\/x.com\/cybersecthreat","https:\/\/www.linkedin.com\/company\/cybersecthreat-corporation-limited"],"description":"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. 
We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! 
Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.","legalName":"CyberSecThreat Corporation Limited.","foundingDate":"2021-01-23","address":{"@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#local-main-place-address"},"geo":{"@type":"GeoCoordinates","latitude":"25.0600452","longitude":"121.4594381"},"telephone":["(+886) 02 - 77527628"],"openingHoursSpecification":[{"@type":"OpeningHoursSpecification","dayOfWeek":["Monday","Tuesday","Wednesday","Thursday","Friday","Saturday","Sunday"],"opens":"09:00","closes":"18:00"}],"email":"info@cybersecthreat.com","areaServed":"Taiwan"},{"@type":"Person","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98","name":"Kelvin Yip","image":{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","caption":"Kelvin Yip"},"sameAs":["https:\/\/cybersecthreat.com"],"knowsAbout":["CyberSecurity"],"knowsLanguage":["English","Chinese"],"jobTitle":"Founder, CEO","url":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},{"@type":"PostalAddress","@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#local-main-place-address","streetAddress":"9 F.-A6, No. 
601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)","addressLocality":"New Taipei City","postalCode":"242032","addressRegion":"Taiwan","addressCountry":"TW"},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/12\/06\/retrieve-password-from-exe-part3\/#local-main-organization-logo","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","width":164,"height":164,"caption":"CyberSecThreat Corporation Limited."}]},"geo.placename":"New Taipei City","geo.position":{"lat":"25.0600452","long":"121.4594381"},"geo.region":"Taiwan"},"taxonomy_info":{"category":[{"value":42,"label":"Blue Team"},{"value":40,"label":"Red Team"},{"value":57,"label":"Reverse Engineering"}],"post_tag":[{"value":21,"label":"Blue Team"},{"value":77,"label":"Delphi"},{"value":17,"label":"Red Team"},{"value":60,"label":"Reverse Engineering"}]},"featured_image_src_large":["https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/12\/x64dbg_LaunchProgram_find_password3-1024x549.png",1024,549,true],"author_info":{"display_name":"Kelvin Yip","author_link":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},"comment_info":3,"category_info":[{"term_id":42,"name":"Blue Team","slug":"blue-team","term_group":0,"term_taxonomy_id":42,"taxonomy":"category","description":"","parent":0,"count":14,"filter":"raw","cat_ID":42,"category_count":14,"category_description":"","cat_name":"Blue Team","category_nicename":"blue-team","category_parent":0},{"term_id":40,"name":"Red Team","slug":"red-team","term_group":0,"term_taxonomy_id":40,"taxonomy":"category","description":"","parent":0,"count":6,"filter":"raw","cat_ID":40,"category_count":6,"category_description":"","cat_name":"Red Team","category_nicename":"red-team","category_parent":0},{"term_id":57,"name":"Reverse 
Engineering","slug":"reverse-engineering","term_group":0,"term_taxonomy_id":57,"taxonomy":"category","description":"","parent":0,"count":3,"filter":"raw","cat_ID":57,"category_count":3,"category_description":"","cat_name":"Reverse Engineering","category_nicename":"reverse-engineering","category_parent":0}],"tag_info":[{"term_id":21,"name":"Blue Team","slug":"blue-team","term_group":0,"term_taxonomy_id":21,"taxonomy":"post_tag","description":"","parent":0,"count":13,"filter":"raw"},{"term_id":77,"name":"Delphi","slug":"delphi","term_group":0,"term_taxonomy_id":77,"taxonomy":"post_tag","description":"","parent":0,"count":2,"filter":"raw"},{"term_id":17,"name":"Red Team","slug":"red-team","term_group":0,"term_taxonomy_id":17,"taxonomy":"post_tag","description":"","parent":0,"count":6,"filter":"raw"},{"term_id":60,"name":"Reverse Engineering","slug":"reverse-engineering","term_group":0,"term_taxonomy_id":60,"taxonomy":"post_tag","description":"","parent":0,"count":3,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/1133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/comments?post=1133"}],"version-history":[{"count":0,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/1133\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media\/1183"}],"wp:attachment":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media?parent=1133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/categories?post=1133"},{"taxonomy":"post_tag","embeddable":true,"h
ref":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/tags?post=1133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}