The following is my description of how I figured out how to decode the D-Link settings file (aka decrypt gws). If you don’t care how I figured it out, skip to the end for VB.Net code samples and an executable.
I have a DIR-628 wireless router that is having issues. There is a firmware update available, but my issue is not mentioned in the readme for the firmware.
Normally when I upgrade the firmware, I will dump out a settings file, perform the upgrade, reload the settings file, and rejoice in the time saved not having to reconfigure. This time, though, I think I would like to have a clean slate – but there are some options that include passwords I don’t recall offhand, so I figure I can just dump out the settings file, and take a look at it to get all that info…
Wrong. The settings file is binary gobbledygook.
The default file name is gateway_settings.gws, and the file is about 175k.
I gave Google a thorough searching, and had no luck – it looks like other people are searching for GWS format, or GWS file, but there were no meaningful pages that I could find.
Next I downloaded trid_w32 – a neat little utility for identifying file types. I thought maybe it was compressed or something…
So I decided to use the reverse engineering method – make some changes, and observe the result in the file.
I created a firewall rule named “AAAAAAAAAAAA”, and saved the settings; then renamed the rule to “BBBBBBBBBBBB”, and used a nice binary comparison tool (HexCmp in this case) to see what my changes did.
The A’s within the file had become “78 79 7A 7B 7C 7D 7E…” – they were shifted, but that offset increased by 1 for each character. This I can fix!
I then decoded the character before the first A – it was a “>”. Could it be? Could this file really be XML??
Worked backwards a couple more characters and had “name>AAAA…” – yes indeed! The decoded file will be XML!!
The next question was where to begin – what will be the shift of the first character? If the file is xml, I can be pretty sure the first character is a “<” – and this is the first character of the .gws file.
After much fooling around in VB.net, and battling with modulus math, I had the encoder formula:
encodedByte = (positionNbr + CharacterCode) mod 256
Decoding was a bit trickier, because as long as (position mod 256) + characterCode is less than 256, you can just subtract. If it is greater than 256, you have to work a bit harder. If I had more time, I bet there is a way to write a single formula to restore the character code, but I was able to do it with an IF statement.
Here is the VB.net function for decoding a byte array containing the .gws file:
[sourcecode language="vbnet" wraplines="false"]
Function decodeGWS(ByRef encodedGWS As Byte()) As String
    ' Each byte was encoded as (position + character code) Mod 256.
    Dim chrMax As Integer = encodedGWS.GetUpperBound(0)
    Dim decodedGWS(chrMax) As Char
    For i As Integer = 0 To chrMax
        If encodedGWS(i) < (i Mod 256) Then
            ' The addition wrapped past 255, so add 256 back before subtracting.
            decodedGWS(i) = Chr((256 + encodedGWS(i)) - (i Mod 256))
        Else
            decodedGWS(i) = Chr(encodedGWS(i) - (i Mod 256))
        End If
    Next
    Return New String(decodedGWS)
End Function
[/sourcecode]
And it works like a charm. The file is actually a great big XML containing all the available options.
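The single-formula decode wondered about above does exist: subtract the position and take the result mod 256. The Python sketch below is an added example, not the post's VB.Net code or the downloadable utility; the function names, the printable-ratio check and the sample XML are constructed for illustration.

```python
# Added example (not the original post's code): the GWS byte shift in Python.
# Function names and SAMPLE_XML are constructed for illustration.

def encode_gws(plain: bytes) -> bytes:
    # encodedByte = (positionNbr + CharacterCode) mod 256
    return bytes((i + b) % 256 for i, b in enumerate(plain))

def decode_gws(encoded: bytes) -> bytes:
    # Inverse shift as a single expression: Python's % always returns a
    # value in 0..255 here, so the wrapped case needs no IF branch.
    return bytes((b - i) % 256 for i, b in enumerate(encoded))

def plausible_xml(decoded: bytes, min_printable: float = 0.95) -> bool:
    # Sanity check before trusting a decode: output should start with "<"
    # and be almost entirely printable ASCII or whitespace.
    if not decoded.startswith(b"<"):
        return False
    ok = sum(1 for b in decoded if 32 <= b <= 126 or b in (9, 10, 13))
    return ok / len(decoded) >= min_printable

# Constructed sample, longer than 256 bytes so the shift wraps at least once.
SAMPLE_XML = (b'<?xml version="1.0"?><config>'
              + b"<rule><name>AAAAAAAAAAAA</name></rule>" * 10
              + b"</config>")

if __name__ == "__main__":
    blob = encode_gws(SAMPLE_XML)
    assert decode_gws(blob) == SAMPLE_XML      # round trip is lossless
    print(plausible_xml(decode_gws(blob)))
```

Because the shift depends only on byte position and involves no key, a saved settings file should be handled like the plaintext XML it contains, stored passwords included.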
Here is the little utility I wrote to decode the file:
GWS Decoder Utility
For completeness’ sake, I included encoder functionality, and I have verified that the output is identical to the original file when no changes are made to the xml file, but I really don’t know what would happen if you tried to make changes to the XML and load it back onto your router. If you want to try it, don’t come crying to me when your router gives up its magic smoke, or your house burns down.
Hopefully somebody finds this helpful!
There are a couple comments from people saying the utility doesn’t work with some different routers. The only way I could even try to fix it is to get sample files. Nobody has responded to my requests for samples yet.
A user has commented that Norton is reporting the file as containing malware. I checked the file on virustotal.com as well as virusscan.jotti.org and it came back 100% clean. When I can find the source I will try to rewrite it in C# (for self respect purposes) but until then if you don’t trust me, you can feel free to decompile the contained executable – or check it yourself with multiple scanners.