ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Sun Apr 30, 2017 12:57 pm

All times are UTC




Post new topic  Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Fri Mar 13, 2015 10:35 am 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 5858
I just noticed that a very simple tool of mine wasn't indexed on my homepage, probably because it's really very basic :)
findxor is useful to know if a file has been obfuscated with a XOR or SUM (the so called ROT/ROT13).
It visualizes the hex dump of the first 64 bytes of the input file by XORing and SUMming them with all the 256 values:
file[0] ^ 0x00
file[0] ^ 0x01
file[0] ^ 0x02
...
file[0] ^ 0xff
file[0] + 0x00
file[0] + 0x01
file[0] + 0x02
...
file[0] + 0xff

Example of a file obfuscated with xor 0x64:
Code:
XOR: 0x00
     46 30 0c 0d 17 44 0d 17 44 05 44 10 01 17 10 4a   F0...D..D.D....J
     44 3d 0b 11 44 07 05 0a 43 10 44 17 01 01 44 10   D=..D...C.D...D.
     0c 0d 17 44 09 01 17 17 05 03 01 45 45 55 44 5e   ...D.......EEUD^
     20 46 44 69 6e                                     FDin
...
XOR: 0x64
     22 54 68 69 73 20 69 73 20 61 20 74 65 73 74 2e   "This is a test.
     20 59 6f 75 20 63 61 6e 27 74 20 73 65 65 20 74    You can't see t
     68 69 73 20 6d 65 73 73 61 67 65 21 21 31 20 3a   his message!!1 :
     44 22 20 0d 0a                                    D" ..
...
ROT: 0xff
     45 2f 0b 0c 16 43 0c 16 43 04 43 0f 00 16 0f 49   E/...C..C.C....I
     43 3c 0a 10 43 06 04 09 42 0f 43 16 00 00 43 0f   C<..C...B.C...C.
     0b 0c 16 43 08 00 16 16 04 02 00 44 44 54 43 5d   ...C.......DDTC]
     1f 45 43 68 6d                                    .EChm


Very simple and sometimes also very useful:
http://aluigi.org/testz.htm#findxor

This method is valid only for files that use an obfuscation of 1 byte (a key of 1 byte).

For keys of multiple bytes you should check if the key is visible in the zeroes that are part of the format.
This is very common when are used 32bit fields that have only the low part occupied by the number so the number 0x12 will be stored as "12 00 00 00" leaving 3 bytes to guess the key.
Example of the Visionaire engine in which is possible to restore the full key just from the file without having the executable:
Code:
  56 49 53 33 00 00 02 7f 71 7c 36 31 61 31 66 31   VIS3....q|61a1f1
  32 11 36 38 63 44 67 35 39 38 6c 31 61 10 34 31   2.68cDg598l1a.41
  32 2e 0e 38 63 7b 5f 35 39 38 6c 31 61 0e da 31   2..8c{_598l1a..1
  32 73 9d 38 63 26 cc 35 39 38 6c 31 61 b2 d3 31   2s.8c&.598l1a..1
  32 19 4d 38 63 4c 1c 35 39 38 6c 31 61 9d b8 31   2.M8cL.598l1a..1
  37 6f 0e 38 66 3a 5f 35 39 38 64 31 67 3d 2e 31   7o.8f:_598d1g=.1
  32 27 53 38 63 72 02 35 39 38 6c 31 67 12 19 31   2'S8cr.598l1g..1
Why is it possible to guess the full 16 bytes key in these archives?
Because the format helps us with its fields: OFFSET, ZSIZE, SIZE and TYPE.
Most of the files are not compressed so we have the possibility to work with the fields that contain expected values that we can guess and allow us to find the whole key:
ZSIZE is the same of SIZE
OFFSET[next] = OFFSET + ZSIZE
Easy :)

This method is the same used to guess also the keys of the FSB files but there the funny part is that we can see these bytes due to a weakness of the encryption algorithm.


Top
   
PostPosted: Fri Mar 13, 2015 11:37 am 
User avatar

Joined: Sat Dec 13, 2014 1:01 am
Posts: 161
I was actually planning to ask about obfuscation and how to know if something is XORed :D Thanks a lot!


Top
   
PostPosted: Sat Apr 22, 2017 5:19 pm 

Joined: Fri May 27, 2016 2:28 pm
Posts: 28
Say, please, it's Xor or something else?

Source string:
Code:
64 61 74 61 5C 63 75 74 73 65 71 75 65 6E 63 65   data\cutsequence
73 5C 63 75 74 73 65 71 75 65 6E 63 65 5F 66 69   s\cutsequence_fi
6E 61 6C 5C 75 6B 5F 6D 6D 30 37 35 5F 30 33 30   nal\uk_mm075_030
5F 68 62 5C 75 6B 5F 6D 6D 30 37 35 5F 30 33 30   _hb\uk_mm075_030
5F 68 62 5F 70 63 5F 6C 6F 72 65 73 2E 62 69 6B   _hb_pc_lores.bik



Code:
19 58 1D 58 CB D8 5D 1D DC 59 5C 5D 59 9B D8 59   XXËØ]ÜY\]Y›ØY
DC CB D8 5D 1D DC 59 5C 5D 59 9B D8 59 D7 99 5A   ÜËØ]ÜY\]Y›ØY×™Z
9B 58 1B CB 5D DA D7 5B 5B 0C CD 4D D7 0C CC 0C   ›XË]Ú×[[ ÍM× Ì
D7 1A 98 CB 5D DA D7 5B 5B 0C CD 4D D7 0C CC 0C   ×˜Ë]Ú×[[ ÍM× Ì
D7 1A 98 D7 1C D8 D7 1B DB 9C 59 DC 8B 98 5A DA   ×˜×Ø×ÛœYÜ‹˜ZÚ

Seems like chars just replaced. But i can't figure the order.


Last edited by StreamThread on Sat Apr 22, 2017 7:39 pm, edited 1 time in total.

Top
   
PostPosted: Sat Apr 22, 2017 5:32 pm 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 5858
It doesn't seem rot or xor and it's not an obfuscation algorithm so it seems just a charset replacement, for example '\' is 0xcb, 'a' is 0x58, 'b' is 0x68, 'c' 0xd8 and so on.


Top
   
PostPosted: Sat Apr 22, 2017 5:37 pm 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 5858
Found, it's rotation of 6 bits.
This is the decoder:
Code:
encryption rotate 6 8
get SIZE asize
log "output.txt" 0 SIZE


Top
   
PostPosted: Sat Apr 22, 2017 6:03 pm 

Joined: Fri May 27, 2016 2:28 pm
Posts: 28
thanks


Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 6 posts ] 

All times are UTC


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Powered by phpBB® Forum Software © phpBB Limited