ZenHAX http://zenhax.com/ 

How to guess basic obfuscations: xor and sum/rot http://zenhax.com/viewtopic.php?f=4&t=719 
Page 1 of 1 
Author:  aluigi [ Fri Mar 13, 2015 10:35 am ] 
Post subject:  How to guess basic obfuscations: xor and sum/rot 
I just noticed that a very simple tool of mine wasn't indexed on my homepage, probably because it's really very basic.

findxor is useful to know if a file has been obfuscated with a XOR or SUM (the so called ROT/ROT13). It visualizes the hex dump of the first 64 bytes of the input file by XORing and SUMming them with all the 256 values:
Code:
file[0] ^ 0x00
file[0] ^ 0x01
file[0] ^ 0x02
...
file[0] ^ 0xff
file[0] + 0x00
file[0] + 0x01
file[0] + 0x02
...
file[0] + 0xff

Example of a file obfuscated with xor 0x64:
Code:
XOR: 0x00

Very simple and sometimes also very useful: http://aluigi.org/testz.htm#findxor

This method is valid only for files that use an obfuscation of 1 byte (a key of 1 byte). For keys of multiple bytes you should check if the key is visible in the zeroes that are part of the format. This is very common when 32bit fields are used that have only the low part occupied by the number, so the number 0x12 will be stored as "12 00 00 00", leaving 3 bytes to guess the key.

Example of the Visionaire engine, in which it is possible to restore the full key just from the file without having the executable:
Code:
56 49 53 33 00 00 02 7f 71 7c 36 31 61 31 66 31   VIS3....q61a1f1

Why is it possible to guess the full 16 bytes key in these archives? Because the format helps us with its fields: OFFSET, ZSIZE, SIZE and TYPE. Most of the files are not compressed, so we have the possibility to work with the fields that contain expected values that we can guess and that allow us to find the whole key:
ZSIZE is the same as SIZE
OFFSET[next] = OFFSET + ZSIZE

Easy.

This method is the same used to guess also the keys of the FSB files, but there the funny part is that we can see these bytes due to a weakness of the encryption algorithm.
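As an added example (this is not aluigi's findxor source and not the Visionaire format, just a script written for this page), the following Python does the two things the post describes: it produces the 512 findxor-style dumps of the first 64 bytes under every 1-byte XOR and SUM key and ranks them by a crude "looks like text" score, and then it recovers a repeating 16-byte XOR key from a table of little-endian u32 fields using the guaranteed zero high bytes plus the relations ZSIZE == SIZE and OFFSET[next] == OFFSET + ZSIZE. The key `KEY`, the sizes in `FILE_SIZES`, `SAMPLE_TEXT` and the hypothetical 16-byte entry layout (OFFSET, ZSIZE, SIZE, TYPE; all values below 256; first file stored right after the table) are constructed assumptions for the demo.

```python
"""Added example, not aluigi's findxor source: rank every 1-byte XOR/SUM key
over the first 64 bytes, then recover a repeating 16-byte XOR key from a table
of little-endian u32 fields using the zero high bytes plus the relations
ZSIZE == SIZE and OFFSET[next] == OFFSET + ZSIZE.  Key, sizes and text below
are constructed for the demo; the layout is a generic table, not Visionaire's."""
import string
import struct

PRINTABLE = frozenset(string.printable.encode("ascii"))
LOWER = frozenset(string.ascii_lowercase.encode("ascii"))
SAMPLE_TEXT = b"the quick brown fox jumps over the lazy dog while findxor tries every key"


def findxor(data, n=64):
    """The 512 dumps findxor shows: first n bytes under every XOR and SUM key."""
    head = data[:n]
    cands = {}
    for k in range(256):
        cands[("xor", k)] = bytes(b ^ k for b in head)
        cands[("sum", k)] = bytes((b + k) & 0xFF for b in head)
    return cands


def text_score(buf):
    """Crude 'looks like text' score replacing the eyeballing: spaces and
    lowercase letters count most, non-printable bytes are penalised."""
    score = 0
    for b in buf:
        score += 3 if b == 0x20 else 2 if b in LOWER else 1 if b in PRINTABLE else -5
    return score


def guess_single_byte_key(data, n=64):
    """Return the (op, key) whose dump scores best, e.g. ('xor', 0x64)."""
    (op, key), _ = max(findxor(data, n).items(), key=lambda kv: text_score(kv[1]))
    return op, key


# ---- multi-byte key: exploit the zeros and relations the format guarantees ---

KEY = bytes.fromhex("a35c9107e2481d6bf02c77b93e85d416")  # constructed 16-byte key
FILE_SIZES = [17, 40, 9, 33, 58, 21]                       # constructed, all < 256
ENTRY = 16  # one entry = OFFSET, ZSIZE, SIZE, TYPE as u32 LE; same length as the key


def build_sample_table(key=KEY, sizes=FILE_SIZES):
    """Constructed table of stored (uncompressed) files placed back to back
    right after the table, then XORed with the repeating key."""
    off, plain = ENTRY * len(sizes), b""
    for s in sizes:
        plain += struct.pack("<IIII", off, s, s, 0)  # ZSIZE == SIZE, TYPE 0
        off += s
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plain))


def zero_offsets(n_entries):
    """Offsets that must hold 0x00: the 3 high bytes of every u32 field,
    assuming each value is < 256 (the '12 00 00 00' case)."""
    return [ENTRY * e + 4 * f + hi
            for e in range(n_entries) for f in range(4) for hi in (1, 2, 3)]


def recover_key_from_zeros(cipher, key_len, offsets):
    """Plaintext 0x00 at offset o means key[o % key_len] == cipher[o]; true for
    XOR and SUM alike.  Slots no zero reaches stay None; a conflict means the
    key length or the zero assumption is wrong."""
    key = [None] * key_len
    for o in offsets:
        slot = o % key_len
        if key[slot] not in (None, cipher[o]):
            raise ValueError(f"offset {o} contradicts key slot {slot}")
        key[slot] = cipher[o]
    return key


def solve_low_bytes(cipher, key, n_entries, first_offset):
    """Fill the slots zeros cannot reach.  Because ENTRY == key length, each
    field's low byte always lands on the same slot: slot 0 (OFFSET) from the
    assumption that the first file starts right after the table, slot 4
    (ZSIZE) from OFFSET[e+1] == OFFSET[e] + ZSIZE[e] mod 256, slot 8 (SIZE)
    from ZSIZE == SIZE.  Slot 12 (TYPE) needs a known TYPE value; left None."""
    key = list(key)
    key[0] = cipher[0] ^ (first_offset & 0xFF)
    offs = [cipher[ENTRY * e] ^ key[0] for e in range(n_entries)]
    for k4 in range(256):
        zs = [cipher[ENTRY * e + 4] ^ k4 for e in range(n_entries)]
        if all((offs[e] + zs[e]) & 0xFF == offs[e + 1] for e in range(n_entries - 1)):
            k8 = cipher[8] ^ zs[0]
            if all(cipher[ENTRY * e + 8] ^ k8 == zs[e] for e in range(n_entries)):
                key[4], key[8] = k4, k8
                break
    return key


if __name__ == "__main__":
    print(guess_single_byte_key(bytes(b ^ 0x64 for b in SAMPLE_TEXT)))
    table = build_sample_table()
    partial = recover_key_from_zeros(table, 16, zero_offsets(len(FILE_SIZES)))
    full = solve_low_bytes(table, partial, len(FILE_SIZES), ENTRY * len(FILE_SIZES))
    print([None if k is None else f"{k:02x}" for k in partial])
    print([None if k is None else f"{k:02x}" for k in full])
```

The entry size equal to the key length is the awkward case on purpose: every field's low byte keeps hitting the same four key slots, so the zeros alone leave four unknowns and the field relations have to do the rest. When the entry size and key length differ, the zero bytes drift through the slots from entry to entry and usually expose the whole key by themselves, which is the "full key just from the file" situation of the post.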
Author:  puggsoy [ Fri Mar 13, 2015 11:37 am ] 
Post subject:  Re: How to guess basic obfuscations: xor and sum/rot 
I was actually planning to ask about obfuscation and how to know if something is XORed. Thanks a lot!
Author:  StreamThread [ Sat Apr 22, 2017 5:19 pm ] 
Post subject:  Re: How to guess basic obfuscations: xor and sum/rot 
Say, please, is it XOR or something else?
Source string:
Code:
64 61 74 61 5C 63 75 74 73 65 71 75 65 6E 63 65   data\cutsequence
Code:
19 58 1D 58 CB D8 5D 1D DC 59 5C 5D 59 9B D8 59   XXËØ]ÜY\]Y›ØY
Seems like chars are just replaced, but I can't figure out the order.
Author:  aluigi [ Sat Apr 22, 2017 5:32 pm ] 
Post subject:  Re: How to guess basic obfuscations: xor and sum/rot 
It doesn't seem rot or xor, and it's not an obfuscation algorithm, so it seems just a charset replacement: for example '\' is 0xcb, 'a' is 0x58, 'b' is 0x68, 'c' is 0xd8 and so on.
Author:  aluigi [ Sat Apr 22, 2017 5:37 pm ] 
Post subject:  Re: How to guess basic obfuscations: xor and sum/rot 
Found, it's a rotation of 6 bits. This is the decoder:
Code:
encryption rotate 6 8
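As an added example (not code from the thread and not quickbms), here is a small Python rotation finder run on the exact bytes StreamThread posted, kept in `CIPHER`. A right rotation of every byte by 6 bits (the same as a left rotation by 2) brings the path back. Note that the fifth byte, 0xCB, comes back as '/', not '\', so the string that was encoded used a forward slash. The expected alphabet in `ALPHABET` (lowercase path characters) is an assumption used only to rank the seven candidate rotations.

```python
"""Added example (not from the thread and not quickbms): find and undo a
per-byte bit rotation.  CIPHER holds the bytes StreamThread posted; the
plaintext alphabet is an assumption (a lowercase path)."""

ALPHABET = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789/\\_.-")
CIPHER = bytes.fromhex("19581D58CBD85D1DDC595C5D599BD859")   # from the post


def ror8(b, n):
    """Rotate an 8-bit value right by n bits (n taken mod 8)."""
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rotate_bytes(data, n):
    """Rotate every byte right by n; a left rotation by n is ror by 8-n."""
    return bytes(ror8(b, n) for b in data)


def find_rotation(cipher, alphabet=ALPHABET):
    """Try the 7 non-trivial rotations and keep the one whose output has the
    most bytes inside the expected alphabet.  Returns (n, plaintext) where
    plaintext == rotate_bytes(cipher, n)."""
    best = max(range(1, 8),
               key=lambda n: sum(b in alphabet for b in rotate_bytes(cipher, n)))
    return best, rotate_bytes(cipher, best)


def is_rotation_of(cipher, plain):
    """Test a suspected plaintext.  Rotation preserves the number of set bits
    in each byte, so mismatching popcounts reject it before any trial; otherwise
    return the single n that maps every byte, or None."""
    if len(cipher) != len(plain):
        return None
    if any(bin(c).count("1") != bin(p).count("1") for c, p in zip(cipher, plain)):
        return None
    for n in range(8):
        if rotate_bytes(cipher, n) == plain:
            return n
    return None


if __name__ == "__main__":
    n, plain = find_rotation(CIPHER)
    print(n, plain)
```

The popcount check is the quick way to tell a rotation apart from XOR/SUM by hand: 0x64 ('d') and 0x19 both have three set bits, 0x61 ('a') and 0x58 both have three, whereas a XOR or SUM key changes the bit count of most bytes.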
Author:  StreamThread [ Sat Apr 22, 2017 6:03 pm ] 
Post subject:  Re: How to guess basic obfuscations: xor and sum/rot 
thanks 
Author:  coredevel [ Tue May 30, 2017 2:23 am ] 
Post subject:  Re: How to guess basic obfuscations: xor and sum/rot 
How to tell the difference between compression and encryption? 
Author:  aluigi [ Tue May 30, 2017 4:11 pm ] 
Post subject:  Re: How to guess basic obfuscations: xor and sum/rot 
If you refer to debugging the software that uses compression/encryption: in compression the input and output buffers are different and the output buffer will have more written bytes than those in the original input, while in encryption the input and output buffers are the same.

If you refer to just looking at the input data and guessing if it's compression or encryption, it depends on the algorithm, because many compression algorithms store some parts of the original data so you can see some of the original content, while other algorithms like deflate don't allow it. Encryption is just like random data (high entropy) that may be aligned to 8 or 16 bytes if it's a block cipher algorithm. If the entropy is low (like sequences of the same byte) then it may be a simple obfuscation algorithm like the "rotate" I posted 2 posts above.
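As an added example (not from the thread), here is the entropy test from the post above in Python, applied to constructed samples: a deterministic pseudo-text, a 1-byte XOR of it, its zlib (deflate) stream, and a SHA-256 hash chain standing in for cipher output (nothing here is captured from a real game file). The entropy thresholds and the 16-byte alignment check in `classify` are rules of thumb, as in the post, not a classifier.

```python
"""Added example (not from the thread): the entropy test from the post above
applied to constructed samples: a deterministic pseudo-text, its zlib (deflate)
stream, a 1-byte XOR of the text, and a SHA-256 hash chain standing in for
cipher output.  Thresholds are rules of thumb, not a classifier."""
import hashlib
import math
import random
import zlib
from collections import Counter


def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant run, up to 8.0 for uniform bytes."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in sorted(Counter(buf).values()))


def classify(buf, block=16):
    """Heuristic in the spirit of the post: high entropy is compression or
    encryption, block alignment hints at a block cipher, low entropy means
    plaintext or a byte-wise obfuscation (xor/sum/rotate keep entropy as is)."""
    h = shannon_entropy(buf)
    if h < 6.0:
        return "low entropy: plaintext or simple obfuscation"
    if len(buf) % block == 0:
        return f"high entropy, {block}-byte aligned: block cipher or padded data"
    return "high entropy, unaligned: compressed or stream cipher"


def make_samples(seed=1234, n_words=4000, cipher_len=4096):
    """Constructed inputs; nothing here is captured from a real game file."""
    rng = random.Random(seed)
    vocab = ("alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo "
             "lima mike november oscar papa quebec romeo sierra tango uniform victor "
             "whiskey xray yankee zulu zero one two three four five six seven eight "
             "nine").split()
    text = " ".join(rng.choice(vocab) for _ in range(n_words)).encode("ascii")
    block, chain = hashlib.sha256(b"constructed seed").digest(), b""
    while len(chain) < cipher_len:
        chain += block
        block = hashlib.sha256(block).digest()
    return {
        "text": text,
        "obfuscated": bytes(b ^ 0x64 for b in text),   # same histogram as text
        "compressed": zlib.compress(text, 9),
        "cipherlike": chain[:cipher_len],
    }


if __name__ == "__main__":
    for name, buf in make_samples().items():
        print(f"{name:11s} {len(buf):6d} bytes  H={shannon_entropy(buf):.3f}  {classify(buf)}")
```

Entropy is computed from the byte histogram only, so any per-byte bijection (XOR, SUM/ROT, bit rotation, a charset replacement) leaves it exactly at the plaintext value; that is why low entropy is the tell for simple obfuscation, and why findxor-style brute force is the next step there rather than looking for a cipher.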
Author:  rdlady [ Tue Jun 06, 2017 10:35 pm ] 
Post subject:  Re: How to guess basic obfuscations: xor and sum/rot 
What about this one:
Code:
00000000 C1 83 2A 9E 5E 03 07 00 A9 E4 01 00 05 00 00 00   Áƒ*ž^...©ä......
How do I know if this is decryption/decompression?
Author:  aluigi [ Wed Jun 07, 2017 6:58 am ] 
Post subject:  Re: How to guess basic obfuscations: xor and sum/rot 
That's an Unreal engine asset 