ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com

All times are UTC




PostPosted: Wed Nov 11, 2015 12:26 pm 

Joined: Sun Nov 08, 2015 8:37 pm
Posts: 32
Hi! I've seen on the Internet some C code to descramble a binary data file:

Code:
#include <stdint.h>

/* MAGIC is the key byte; it is defined elsewhere in the original source. */
uint8_t descramble(uint8_t s) {
    uint8_t a = (s + 0xFF) & 0xFF;                                  /* same as (s - 1) mod 256 */
    uint8_t b = a ^ MAGIC;
    uint8_t p = (b & 0x7E) | ((b >> 7) & 0x01) | ((b << 7) & 0x80); /* swap bit 0 and bit 7 */
    return p;
}


Can I do this in QuickBMS for an entire file (byte by byte)?


PostPosted: Wed Nov 11, 2015 12:56 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7947
Yes, complex math operations can be accomplished with the xmath command:
Code:
xmath a "(s + 0xFF) & 0xFF"
xmath b "a ^ MAGIC"
xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"

QuickBMS also has support for functions, but they don't return values.
They can be called either as a sort of inline function, where every variable changed in the function is also visible outside, or as stand-alone (the default), where all the variables are restored when the function finishes.
In this case I think the first type is perfect:
Code:
math s = 0x11223344
callfunction descramble 1
print "%p|x%"

startfunction descramble
  xmath a "(s + 0xFF) & 0xFF"
  xmath b "a ^ MAGIC"
  xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
endfunction


PostPosted: Wed Nov 11, 2015 1:45 pm 

Joined: Sun Nov 08, 2015 8:37 pm
Posts: 32
How can I descramble the entire file?

This
Code:
for
    get s BYTE
    xmath a "(s + 0xFF) & 0xFF"
    xmath b "a ^ MAGIC"
    xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
    print "%p%"
next I


works well, but instead of printing the descrambled bytes in decimal, I want to parse the descrambled file again.

Example:

Code:
##  Descramble:
for
    get s BYTE
    xmath a "(s + 0xFF) & 0xFF"
    xmath b "a ^ MAGIC"
    xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
    DoSomeMagicToAppend %p% ContentsIntoATemporalMemoryToReprocessAgain
next I
## Now parse the descrambled data:
for
    get TMP BYTE
    print "Value: %TMP%"
next I


PostPosted: Wed Nov 11, 2015 3:02 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7947
There are some ways to do that, but those byte-per-byte operations are very slow in QuickBMS.
It also has an xmath encryption algorithm that allows performing those types of operations in one line, but that's not possible here because it's a 2-stage math operation.
The following is one of the ways to do the job, with some comments:
Code:
get SIZE asize                      # size of the file
putvarchr MEMORY_FILE SIZE 0        # pre-allocation (unnecessary but it's faster)
log MEMORY_FILE 0 0                 # reset the memory file
for OFFSET = 0 < SIZE
    get s byte                      # read the byte
    xmath b "(s + 0xFF) ^ MAGIC"
    xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
    put p byte MEMORY_FILE          # write the byte in the memory file
next OFFSET
log "dump.dat" 0 SIZE MEMORY_FILE   # dump the memory file in dump.dat
An alternative way is to load the file into a memory file and use getvarchr/putvarchr for reading/writing the bytes, but it doesn't change much.


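An added reference implementation in C, not code from any post in this thread: it implements the per-byte descramble from the first post as a function, adds its inverse, and runs over a whole buffer the same byte-by-byte loop that the QuickBMS script in the reply above runs (read a byte, transform it, write it out), so the output of descramble_buffer over the scrambled file can be compared against dump.dat. It also checks exhaustively that dropping the "& 0xFF" in the reply's one-line "xmath b" gives the same result for every input byte, which is why the shortcut is safe. The page never gives the value of MAGIC, so it is a parameter here; the 0x5A used in main(), the sample bytes and all function names other than descramble are assumptions made for the demo.

```c
/* Added example, not code from the thread: a C reference implementation of the
 * per-byte descramble from the first post, plus the whole-buffer loop that the
 * QuickBMS script in the last reply performs. MAGIC is never given on the page,
 * so it is a parameter here; 0x5A in main() and the sample bytes are made up. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Last line of the original function: swap bit 0 and bit 7, keep bits 1..6.
 * Swapping two bits is its own inverse. */
static uint8_t swap_bits_0_7(uint8_t b)
{
    return (uint8_t)((b & 0x7E) | ((b >> 7) & 0x01) | ((b << 7) & 0x80));
}

/* The descramble from the first post; (s + 0xFF) & 0xFF is just (s - 1) mod 256. */
uint8_t descramble(uint8_t s, uint8_t magic)
{
    uint8_t a = (uint8_t)((s + 0xFF) & 0xFF);
    uint8_t b = (uint8_t)(a ^ magic);
    return swap_bits_0_7(b);
}

/* The one-line variant in the last reply drops the "& 0xFF", so b may be 9 bits
 * wide. Bit 8 is never selected by the three masks, so the output is the same. */
uint8_t descramble_shortcut(uint8_t s, uint8_t magic)
{
    unsigned b = (unsigned)(s + 0xFF) ^ magic;
    return (uint8_t)((b & 0x7E) | ((b >> 7) & 0x01) | ((b << 7) & 0x80));
}

/* Exhaustive check of the claim above over all 256 x 256 (s, magic) pairs. */
int check_shortcut_equivalent(void)
{
    for (unsigned m = 0; m < 256; m++)
        for (unsigned s = 0; s < 256; s++)
            if (descramble((uint8_t)s, (uint8_t)m) != descramble_shortcut((uint8_t)s, (uint8_t)m))
                return 0;
    return 1;
}

/* Inverse of descramble(): undo the bit swap, the XOR, then the "-1". Handy for
 * producing test input and for confirming that a dump round-trips. */
uint8_t scramble(uint8_t p, uint8_t magic)
{
    uint8_t b = swap_bits_0_7(p);
    uint8_t a = (uint8_t)(b ^ magic);
    return (uint8_t)((a + 1) & 0xFF);
}

/* Whole-buffer version of the QuickBMS loop ("get s byte ... put p byte
 * MEMORY_FILE"): transform len bytes from in to out. out may be the same as in. */
void descramble_buffer(const uint8_t *in, uint8_t *out, size_t len, uint8_t magic)
{
    for (size_t i = 0; i < len; i++)
        out[i] = descramble(in[i], magic);
}

/* Round trip on a constructed sample covering the edge bytes (0x00, 0x01, 0x7F,
 * 0x80, 0xFE, 0xFF): scramble, descramble, compare. Returns 1 on success. */
int roundtrip_demo(uint8_t magic)
{
    static const uint8_t plain[] = { 0x00, 0x01, 0x7F, 0x80, 0xFE, 0xFF,
                                     'Z', 'e', 'n', 'H', 'A', 'X' };
    uint8_t scrambled[sizeof plain], back[sizeof plain];
    for (size_t i = 0; i < sizeof plain; i++)
        scrambled[i] = scramble(plain[i], magic);
    descramble_buffer(scrambled, back, sizeof plain, magic);
    return memcmp(plain, back, sizeof plain) == 0;
}

int main(void)
{
    uint8_t magic = 0x5A; /* assumed demo key, not the real MAGIC */
    printf("shortcut equivalent for all inputs: %s\n",
           check_shortcut_equivalent() ? "yes" : "no");
    printf("round trip with MAGIC=0x%02X: %s\n", magic,
           roundtrip_demo(magic) ? "ok" : "FAIL");
    return 0;
}
```

Build with cc -std=c11 -Wall descramble.c. To validate the QuickBMS output, feed the scrambled file and the real MAGIC through descramble_buffer and cmp the result against dump.dat; if the two differ, the first mismatching offset tells you whether the problem is the key byte (every byte differs) or the bit swap (only bits 0 and 7 differ).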
PostPosted: Fri Nov 13, 2015 2:27 pm 

Joined: Sun Nov 08, 2015 8:37 pm
Posts: 32
Thanks! However, I'm traveling and I can't test it now.

I'll reply to you later with my experience.


Powered by phpBB® Forum Software © phpBB Limited