ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Tue Mar 28, 2017 2:24 am

All times are UTC




Post new topic  Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Fri Mar 13, 2015 10:35 am 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 5700
I just noticed that a very simple tool of mine wasn't indexed on my homepage, probably because it's really very basic :)
findxor is useful to know if a file has been obfuscated with a XOR or SUM (the so called ROT/ROT13).
It visualizes the hex dump of the first 64 bytes of the input file by XORing and SUMming them with all the 256 values:
file[0] ^ 0x00
file[0] ^ 0x01
file[0] ^ 0x02
...
file[0] ^ 0xff
file[0] + 0x00
file[0] + 0x01
file[0] + 0x02
...
file[0] + 0xff

Example of a file obfuscated with xor 0x64:
Code:
XOR: 0x00
     46 30 0c 0d 17 44 0d 17 44 05 44 10 01 17 10 4a   F0...D..D.D....J
     44 3d 0b 11 44 07 05 0a 43 10 44 17 01 01 44 10   D=..D...C.D...D.
     0c 0d 17 44 09 01 17 17 05 03 01 45 45 55 44 5e   ...D.......EEUD^
     20 46 44 69 6e                                     FDin
...
XOR: 0x64
     22 54 68 69 73 20 69 73 20 61 20 74 65 73 74 2e   "This is a test.
     20 59 6f 75 20 63 61 6e 27 74 20 73 65 65 20 74    You can't see t
     68 69 73 20 6d 65 73 73 61 67 65 21 21 31 20 3a   his message!!1 :
     44 22 20 0d 0a                                    D" ..
...
ROT: 0xff
     45 2f 0b 0c 16 43 0c 16 43 04 43 0f 00 16 0f 49   E/...C..C.C....I
     43 3c 0a 10 43 06 04 09 42 0f 43 16 00 00 43 0f   C<..C...B.C...C.
     0b 0c 16 43 08 00 16 16 04 02 00 44 44 54 43 5d   ...C.......DDTC]
     1f 45 43 68 6d                                    .EChm


Very simple and sometimes also very useful:
http://aluigi.org/testz.htm#findxor

This method is valid only for files that use an obfuscation of 1 byte (a key of 1 byte).

For keys of multiple bytes you should check if the key is visible in the zeroes that are part of the format.
This is very common when are used 32bit fields that have only the low part occupied by the number so the number 0x12 will be stored as "12 00 00 00" leaving 3 bytes to guess the key.
Example of the Visionaire engine in which is possible to restore the full key just from the file without having the executable:
Code:
  56 49 53 33 00 00 02 7f 71 7c 36 31 61 31 66 31   VIS3....q|61a1f1
  32 11 36 38 63 44 67 35 39 38 6c 31 61 10 34 31   2.68cDg598l1a.41
  32 2e 0e 38 63 7b 5f 35 39 38 6c 31 61 0e da 31   2..8c{_598l1a..1
  32 73 9d 38 63 26 cc 35 39 38 6c 31 61 b2 d3 31   2s.8c&.598l1a..1
  32 19 4d 38 63 4c 1c 35 39 38 6c 31 61 9d b8 31   2.M8cL.598l1a..1
  37 6f 0e 38 66 3a 5f 35 39 38 64 31 67 3d 2e 31   7o.8f:_598d1g=.1
  32 27 53 38 63 72 02 35 39 38 6c 31 67 12 19 31   2'S8cr.598l1g..1
Why is it possible to guess the full 16 bytes key in these archives?
Because the format helps us with its fields: OFFSET, ZSIZE, SIZE and TYPE.
Most of the files are not compressed so we have the possibility to work with the fields that contain expected values that we can guess and allow us to find the whole key:
ZSIZE is the same of SIZE
OFFSET[next] = OFFSET + ZSIZE
Easy :)

This method is the same used to guess also the keys of the FSB files but there the funny part is that we can see these bytes due to a weakness of the encryption algorithm.


Top
   
PostPosted: Fri Mar 13, 2015 11:37 am 
User avatar

Joined: Sat Dec 13, 2014 1:01 am
Posts: 161
I was actually planning to ask about obfuscation and how to know if something is XORed :D Thanks a lot!


Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 2 posts ] 

All times are UTC


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Powered by phpBB® Forum Software © phpBB Limited