Descrambling file on QuickBMS

crushedice2000
Posts: 32
Joined: Sun Nov 08, 2015 8:37 pm

Descrambling file on QuickBMS

Post by crushedice2000 »

Hi! I've seen on the Internet a C code to descramble a binary data file:

#include <stdint.h>

/* MAGIC is the XOR key of the scrambled format; it is not defined in this snippet */
uint8_t descramble(uint8_t s) {
    uint8_t a = (s + 0xFF) & 0xFF;                                   /* a = s - 1 (mod 256) */
    uint8_t b = a ^ MAGIC;
    uint8_t p = (b & 0x7E) | ((b >> 7) & 0x01) | ((b << 7) & 0x80); /* swap bits 0 and 7 */
    return p;
}


Can I do this on QuickBMS for an entire file (byte by byte)?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Descrambling file on QuickBMS

Post by aluigi »

Yes, complex math operations can be accomplished with the xmath command:

xmath a "(s + 0xFF) & 0xFF"
xmath b "a ^ MAGIC"
xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"

QuickBMS also has support for functions, but they don't return values.
They can be called as a sort of inline function, where every variable changed in the function is also visible outside, or as stand-alone (the default), where all the variables are restored when they finish.
In this case I think that the first type is perfect:

math s = 0x11223344
callfunction descramble 1
print "%p|x%"

startfunction descramble
  xmath a "(s + 0xFF) & 0xFF"
  xmath b "a ^ MAGIC"
  xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
endfunction
crushedice2000
Posts: 32
Joined: Sun Nov 08, 2015 8:37 pm

Re: Descrambling file on QuickBMS

Post by crushedice2000 »

How can I descramble the entire file?

This

for
    get s BYTE
    xmath a "(s + 0xFF) & 0xFF"
    xmath b "a ^ MAGIC"
    xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
    print "%p%"
next I


works well, but instead of printing the descrambled bytes in decimal, I want to parse the descrambled file again.

Example:

##  Descramble:
for
    get s BYTE
    xmath a "(s + 0xFF) & 0xFF"
    xmath b "a ^ MAGIC"
    xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
    DoSomeMagicToAppend %p% ContentsIntoATemporalMemoryToReprocessAgain
next I
## Now parse the descrambled data:
for
    get TMP BYTE
    print "Value: %TMP%"
next I
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Descrambling file on QuickBMS

Post by aluigi »

There are some ways to do that, but those byte-per-byte operations are very slow in QuickBMS.
It also has an xmath encryption algorithm that allows performing those types of operations in one line, but that's not possible here because it's a 2-stage math operation.
The following is one of the ways to do the job, with some comments:

get SIZE asize                      # size of the file
putvarchr MEMORY_FILE SIZE 0        # pre-allocation (unnecessary but it's faster)
log MEMORY_FILE 0 0                 # reset the memory file
for OFFSET = 0 < SIZE
    get s byte                      # read the byte
    xmath b "(s + 0xFF) ^ MAGIC"
    xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
    put p byte MEMORY_FILE          # write the byte in the memory file
next OFFSET
log "dump.dat" 0 SIZE MEMORY_FILE   # dump the memory file in dump.dat
An alternative way is to load the file in a memory file and use getvarchr/putvarchr to read/write the bytes, but it doesn't change much.
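As an added example (not code from the thread, from QuickBMS or from the original C source), the same descramble as a whole-buffer transform in Python, with its exact inverse and a check that aluigi's shortened first step `(s + 0xFF) ^ MAGIC` gives the same result as the original two-step form for every byte value. MAGIC is not given on the page, so it is a parameter here (an assumption), and the sample input is constructed.

```python
# Added example: byte-wise descramble of a whole buffer, its inverse, and a check
# that the one-line and two-line first steps agree. MAGIC is unknown on the page,
# so it is passed as a parameter (assumption); the sample data is constructed.

def descramble_byte(s: int, magic: int) -> int:
    """The routine from the thread: a = (s + 0xFF) & 0xFF; b = a ^ MAGIC;
    p keeps bits 1..6 of b and swaps bit 0 with bit 7."""
    a = (s + 0xFF) & 0xFF
    b = a ^ magic
    return (b & 0x7E) | ((b >> 7) & 0x01) | ((b << 7) & 0x80)

def descramble_byte_oneline(s: int, magic: int) -> int:
    """aluigi's variant without the '& 0xFF' on the first step; the final
    bit masks only ever read bits 0..7 of b, so bit 8 of (s + 0xFF) is dropped."""
    b = (s + 0xFF) ^ magic
    return (b & 0x7E) | ((b >> 7) & 0x01) | ((b << 7) & 0x80)

def scramble_byte(p: int, magic: int) -> int:
    """Exact inverse: the bit-0/bit-7 swap is its own inverse, XOR undoes XOR,
    and adding 0xFF mod 256 is subtracting 1, so the inverse adds 1."""
    b = (p & 0x7E) | ((p >> 7) & 0x01) | ((p << 7) & 0x80)
    a = b ^ magic
    return (a + 1) & 0xFF

def descramble(data: bytes, magic: int) -> bytes:
    """Whole-file equivalent of the QuickBMS loop writing into MEMORY_FILE."""
    return bytes(descramble_byte(s, magic) for s in data)

def scramble(data: bytes, magic: int) -> bytes:
    return bytes(scramble_byte(p, magic) for p in data)

def oneline_matches_twoline(magic: int) -> bool:
    """True if both first-step forms agree on all 256 byte values."""
    return all(descramble_byte(s, magic) == descramble_byte_oneline(s, magic)
               for s in range(256))

def round_trips(magic: int) -> bool:
    """True if scramble() exactly undoes descramble() on all 256 byte values."""
    return all(scramble_byte(descramble_byte(s, magic), magic) == s
               for s in range(256))

if __name__ == "__main__":
    MAGIC = 0x5A                 # constructed placeholder key, not the real format's value
    sample = bytes(range(256))   # constructed sample input
    out = descramble(sample, MAGIC)
    assert scramble(out, MAGIC) == sample
    print(out.hex())
```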
crushedice2000
Posts: 32
Joined: Sun Nov 08, 2015 8:37 pm

Re: Descrambling file on QuickBMS

Post by crushedice2000 »

Thanks! However, I'm traveling and I can't test it now.

I'll reply to you later with my experience.