How do I tell if something is compressed or encrypted?

Extraction and unpacking of game archives and compression, encryption, obfuscation, decoding of unknown files
Garo
Posts: 20
Joined: Wed Nov 18, 2020 5:54 pm

Post by Garo »

I'm a bit new to game modding
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: How do I tell if something is compressed or encrypted?

Post by aluigi »

Very quickly:

If it's compressed with an algorithm like lzss, lz4, and many others, the data will look as if the text strings are truncated or have some characters in the middle, and the 32-bit fields no longer have a recognizable structure.
Example: hello -> helylo or this_is_a_string -> this_.is.stri

If it's compressed with a bitfield-oriented algorithm like deflate, the data will just look like garbage.
Usually it's zlib or deflate for which it's easy to try a tool like offzip (https://aluigi.altervista.org/mytoolz.htm#offzip) for checking the data.

If it's encrypted with XOR using a password, you may see the original password repeated in the data (because the 0x00 bytes return the original key).

If it's encrypted with XOR using a one-byte password, you can notice a certain "sense" in the data and it's easy to scan it with a tool like findxor (https://aluigi.altervista.org/testz.htm).

If it's encrypted with a block cipher algorithm like AES (the simple ECB implementation), you will notice a sort of pattern of 16 bytes each; these patterns are identical if the bytes in the original file are the same (like a sequence of zeroes in the original file).
Blowfish has patterns of 8 bytes.

This is the quickest explanation that I thought about :)
Other users will provide more examples.

Ah, if you are interested in the identification of compression algorithms, take a look here: viewtopic.php?f=4&t=27
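
Added example, not part of the original posts and not code from offzip or findxor: a Python sketch of two of the checks described above, the repeating XOR key that shows through where the original bytes were 0x00 and the identical 16-byte or 8-byte blocks left by an ECB-mode cipher. The sample data, the key `modkey`, the 0.5 threshold and the `toy_ecb` stand-in (a keyed hash per block, used only so the example runs without a crypto library) are assumptions made for illustration.

```python
import hashlib
from collections import Counter

def repeated_blocks(data: bytes, size: int) -> int:
    """Aligned size-byte blocks that duplicate an earlier block.
    Non-zero for size=16 suggests AES-ECB, for size=8 a 64-bit cipher like Blowfish."""
    blocks = [data[i:i + size] for i in range(0, len(data) - size + 1, size)]
    return len(blocks) - len(set(blocks))

def xor_key_period(data: bytes, max_len: int = 32, threshold: float = 0.5):
    """Smallest lag n where at least `threshold` of bytes equal the byte n
    positions later, as happens when a repeating key covers runs of 0x00."""
    for n in range(1, min(max_len, len(data) - 1) + 1):
        same = sum(a == b for a, b in zip(data, data[n:]))
        if same / (len(data) - n) >= threshold:
            return n
    return None

def xor_key_guess(data: bytes, period: int) -> bytes:
    """Most common aligned chunk; over 0x00 plaintext this is the key itself."""
    chunks = Counter(data[i:i + period]
                     for i in range(0, len(data) - period + 1, period))
    return chunks.most_common(1)[0][0]

# Constructed sample: a made-up header, a run of zero padding, a made-up name.
PLAIN = b"ARCHIVE1" * 2 + bytes(96) + b"hero.dds" * 2

def xor_with(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def toy_ecb(data: bytes, key: bytes, size: int) -> bytes:
    """Stand-in for ECB (assumption, not a real cipher): each block maps
    deterministically to `size` bytes, so equal blocks give equal output."""
    return b"".join(hashlib.sha256(key + data[i:i + size]).digest()[:size]
                    for i in range(0, len(data), size))

if __name__ == "__main__":
    xored = xor_with(PLAIN, b"modkey")
    period = xor_key_period(xored)
    print("XOR key period:", period, "key guess:", xor_key_guess(xored, period))
    print("16-byte repeats:", repeated_blocks(toy_ecb(PLAIN, b"k", 16), 16))
    print("8-byte repeats:", repeated_blocks(toy_ecb(PLAIN, b"k", 8), 8))
```

Both checks depend on the original file containing repeated content such as zero padding; data without such runs gives no period and no repeated blocks.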