How to guess basic obfuscations: xor and sum/rot

aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

How to guess basic obfuscations: xor and sum/rot

Post by aluigi »

I just noticed that a very simple tool of mine wasn't indexed on my homepage, probably because it's really very basic :)
findxor is useful for knowing whether a file has been obfuscated with a XOR or a SUM (the so-called ROT/ROT13).
It visualizes the hex dump of the first 64 bytes of the input file by XORing and SUMming them with all the 256 values:
file[0] ^ 0x00
file[0] ^ 0x01
file[0] ^ 0x02
...
file[0] ^ 0xff
file[0] + 0x00
file[0] + 0x01
file[0] + 0x02
...
file[0] + 0xff

Example of a file obfuscated with xor 0x64:


XOR: 0x00
     46 30 0c 0d 17 44 0d 17 44 05 44 10 01 17 10 4a   F0...D..D.D....J
     44 3d 0b 11 44 07 05 0a 43 10 44 17 01 01 44 10   D=..D...C.D...D.
     0c 0d 17 44 09 01 17 17 05 03 01 45 45 55 44 5e   ...D.......EEUD^
     20 46 44 69 6e                                     FDin
...
XOR: 0x64
     22 54 68 69 73 20 69 73 20 61 20 74 65 73 74 2e   "This is a test.
     20 59 6f 75 20 63 61 6e 27 74 20 73 65 65 20 74    You can't see t
     68 69 73 20 6d 65 73 73 61 67 65 21 21 31 20 3a   his message!!1 :
     44 22 20 0d 0a                                    D" ..
...
ROT: 0xff
     45 2f 0b 0c 16 43 0c 16 43 04 43 0f 00 16 0f 49   E/...C..C.C....I
     43 3c 0a 10 43 06 04 09 42 0f 43 16 00 00 43 0f   C<..C...B.C...C.
     0b 0c 16 43 08 00 16 16 04 02 00 44 44 54 43 5d   ...C.......DDTC]
     1f 45 43 68 6d                                    .EChm


Very simple and sometimes also very useful:
http://aluigi.org/testz.htm#findxor

This method is valid only for files that use an obfuscation of 1 byte (a key of 1 byte).

For keys of multiple bytes you should check if the key is visible in the zeroes that are part of the format.
This is very common when 32-bit fields are used that have only the low part occupied by the number, so the number 0x12 will be stored as "12 00 00 00", leaving 3 bytes from which to guess the key.
Example of the Visionaire engine, in which it is possible to restore the full key just from the file without having the executable:


  56 49 53 33 00 00 02 7f 71 7c 36 31 61 31 66 31   VIS3....q|61a1f1
  32 11 36 38 63 44 67 35 39 38 6c 31 61 10 34 31   2.68cDg598l1a.41
  32 2e 0e 38 63 7b 5f 35 39 38 6c 31 61 0e da 31   2..8c{_598l1a..1
  32 73 9d 38 63 26 cc 35 39 38 6c 31 61 b2 d3 31   2s.8c&.598l1a..1
  32 19 4d 38 63 4c 1c 35 39 38 6c 31 61 9d b8 31   2.M8cL.598l1a..1
  37 6f 0e 38 66 3a 5f 35 39 38 64 31 67 3d 2e 31   7o.8f:_598d1g=.1
  32 27 53 38 63 72 02 35 39 38 6c 31 67 12 19 31   2'S8cr.598l1g..1
Why is it possible to guess the full 16 bytes key in these archives?
Because the format helps us with its fields: OFFSET, ZSIZE, SIZE and TYPE.
Most of the files are not compressed so we have the possibility to work with the fields that contain expected values that we can guess and allow us to find the whole key:
ZSIZE is the same as SIZE
OFFSET[next] = OFFSET + ZSIZE
Easy :)

This is the same method used to guess the keys of the FSB files too, but there the funny part is that we can see these bytes due to a weakness of the encryption algorithm.
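Added example (my code, not aluigi's findxor and not Visionaire's real file layout) showing both ideas from the post above in working form: (a) the findxor brute force automated, trying all 256 XOR and ROT keys on the first 64 bytes and ranking the results by how text-like they are, run on the post's own "This is a test" sample; (b) recovery of a 16-byte XOR key that repeats once per table entry, using the zero high bytes of 32-bit fields plus the ZSIZE == SIZE and OFFSET[next] == OFFSET + ZSIZE relations. The table layout (OFFSET, ZSIZE, SIZE, TYPE as little-endian u32, data starting right after the table), the key and the sizes are all constructed for the example.

```python
# Added example, not the post's code. (a) automates findxor; (b) recovers a
# per-entry 16-byte XOR key from a hypothetical, constructed table layout.
import struct

TEXTISH = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
COMMON = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ")


def rank(buf):
    """Primary: printable/whitespace bytes; tie-break: letters, digits, spaces."""
    return (sum(b in TEXTISH for b in buf), sum(b in COMMON for b in buf))


def guess_single_byte_key(data, n=64):
    """Return ('xor', k) meaning plain = c ^ k, or ('rot', k) meaning
    plain = (c + k) & 0xff, whichever makes the first n bytes most text-like."""
    head = data[:n]
    best = None
    for k in range(256):
        for op, buf in (("xor", bytes(b ^ k for b in head)),
                        ("rot", bytes((b + k) & 0xFF for b in head))):
            cand = (rank(buf), op, k)
            if best is None or cand[0] > best[0]:
                best = cand
    return best[1], best[2]


# Constructed sample: the post's "This is a test" line, XORed with 0x64.
SAMPLE_XOR64 = bytes(b ^ 0x64 for b in
                     b'"This is a test. You can\'t see this message!!1 :D" \r\n')

# (b) Hypothetical table: 16-byte entries OFFSET, ZSIZE, SIZE, TYPE (u32 LE),
# XORed with a 16-byte key that restarts at every entry; data follows the table.
ENTRY = 16
KEY = bytes.fromhex("9a315ce20744b96f13d02a8561f84ec7")   # the key to recover


def build_sample_table(zsizes, data_start):
    off, table = data_start, b""
    for z in zsizes:
        table += struct.pack("<4I", off, z, z, 0)   # not compressed: SIZE == ZSIZE
        off += z
    return bytes(t ^ KEY[i % ENTRY] for i, t in enumerate(table))


def recover_table_key(enc, nentries, data_start):
    rows = [enc[i * ENTRY:(i + 1) * ENTRY] for i in range(nentries)]
    key = [None] * ENTRY
    # 1. A column that never changes is taken as zero plaintext (the
    #    "12 00 00 00" case): the ciphertext byte there is the key byte itself.
    for j in range(ENTRY):
        col = {r[j] for r in rows}
        if len(col) == 1:
            key[j] = col.pop()
    # 2. The first OFFSET is known (data follows the table), which gives the
    #    low key bytes of the OFFSET field; then every OFFSET decodes.
    key[0] = rows[0][0] ^ (data_start & 0xFF)
    key[1] = rows[0][1] ^ ((data_start >> 8) & 0xFF)
    offs = [(r[0] ^ key[0]) | ((r[1] ^ key[1]) << 8) for r in rows]
    # 3. OFFSET[next] - OFFSET == ZSIZE is known plaintext for key[4], key[5];
    #    every entry must agree, otherwise the model of the format is wrong.
    zs = [b - a for a, b in zip(offs, offs[1:])]
    k4 = {r[4] ^ (z & 0xFF) for r, z in zip(rows, zs)}
    k5 = {r[5] ^ (z >> 8) for r, z in zip(rows, zs)}
    if len(k4) != 1 or len(k5) != 1:
        raise ValueError("ZSIZE bytes do not agree: wrong layout assumption")
    key[4], key[5] = k4.pop(), k5.pop()
    # 4. SIZE == ZSIZE (uncompressed entries) gives key[8], key[9] the same way.
    zs = [(r[4] ^ key[4]) | ((r[5] ^ key[5]) << 8) for r in rows]
    k8 = {r[8] ^ (z & 0xFF) for r, z in zip(rows, zs)}
    k9 = {r[9] ^ (z >> 8) for r, z in zip(rows, zs)}
    if len(k8) != 1 or len(k9) != 1:
        raise ValueError("SIZE != ZSIZE somewhere: an entry may be compressed")
    key[8], key[9] = k8.pop(), k9.pop()
    return bytes(key)   # raises if any key byte is still unknown


if __name__ == "__main__":
    print(guess_single_byte_key(SAMPLE_XOR64))
    start = 8 + 5 * ENTRY   # 8-byte header + 5 entries, then the data
    enc = build_sample_table([0x123, 0x456, 0x789, 0xABC, 0xDEF], start)
    print(recover_table_key(enc, 5, start).hex() == KEY.hex())
```

The constant-column step is the weak point in practice: a field that is constant but non-zero (a fixed TYPE value, for instance) would yield a wrong key byte there, which is why the relations between fields are checked afterwards and the function refuses to return a key the entries do not agree on.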
puggsoy
Posts: 161
Joined: Sat Dec 13, 2014 1:01 am

Re: How to guess basic obfuscations: xor and sum/rot

Post by puggsoy »

I was actually planning to ask about obfuscation and how to know if something is XORed :D Thanks a lot!
StreamThread
Posts: 54
Joined: Fri May 27, 2016 2:28 pm

Re: How to guess basic obfuscations: xor and sum/rot

Post by StreamThread »

Tell me please, is it XOR or something else?

Source string:


64 61 74 61 5C 63 75 74 73 65 71 75 65 6E 63 65   data\cutsequence
73 5C 63 75 74 73 65 71 75 65 6E 63 65 5F 66 69   s\cutsequence_fi
6E 61 6C 5C 75 6B 5F 6D 6D 30 37 35 5F 30 33 30   nal\uk_mm075_030
5F 68 62 5C 75 6B 5F 6D 6D 30 37 35 5F 30 33 30   _hb\uk_mm075_030
5F 68 62 5F 70 63 5F 6C 6F 72 65 73 2E 62 69 6B   _hb_pc_lores.bik




19 58 1D 58 CB D8 5D 1D DC 59 5C 5D 59 9B D8 59   XXËØ]ÜY\]Y›ØY
DC CB D8 5D 1D DC 59 5C 5D 59 9B D8 59 D7 99 5A   ÜËØ]ÜY\]Y›ØY×™Z
9B 58 1B CB 5D DA D7 5B 5B 0C CD 4D D7 0C CC 0C   ›XË]Ú×[[ ÍM× Ì
D7 1A 98 CB 5D DA D7 5B 5B 0C CD 4D D7 0C CC 0C   ×˜Ë]Ú×[[ ÍM× Ì
D7 1A 98 D7 1C D8 D7 1B DB 9C 59 DC 8B 98 5A DA   ×˜×Ø×ÛœYÜ‹˜ZÚ

Seems like chars are just replaced, but I can't figure out the order.
Last edited by StreamThread on Sat Apr 22, 2017 7:39 pm, edited 1 time in total.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: How to guess basic obfuscations: xor and sum/rot

Post by aluigi »

It doesn't seem to be rot or xor and it's not an obfuscation algorithm, so it seems to be just a charset replacement; for example '\' is 0xcb, 'a' is 0x58, 'b' is 0x68, 'c' is 0xd8 and so on.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: How to guess basic obfuscations: xor and sum/rot

Post by aluigi »

Found it, it's a rotation of 6 bits.
This is the decoder:

encryption rotate 6 8        # rotate every byte by 6 bits, working on 8-bit elements
get SIZE asize               # size of the whole input file
log "output.txt" 0 SIZE      # write the decoded bytes to output.txt
StreamThread
Posts: 54
Joined: Fri May 27, 2016 2:28 pm

Re: How to guess basic obfuscations: xor and sum/rot

Post by StreamThread »

thanks
coredevel
Posts: 75
Joined: Tue May 30, 2017 1:10 am

Re: How to guess basic obfuscations: xor and sum/rot

Post by coredevel »

How to tell the difference between compression and encryption?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: How to guess basic obfuscations: xor and sum/rot

Post by aluigi »

If you refer to debugging the software that uses compression/encryption:
In compression the input and output buffers are different and the output buffer will have more written bytes than those in the original input, while in encryption the input and output buffers are the same.

If you refer to just looking at the input data and guessing if it's a compression or encryption, it depends on the algorithm because many compression algorithms store some parts of the original data, so you can see some of the original content; other algorithms like deflate don't allow it, while encryption is just like random data (high entropy) that may be aligned to 8 or 16 bytes if it's a block cipher algorithm. If the entropy is low (like sequences of the same byte) then it may be a simple obfuscation algorithm like the "rotate" I posted 2 posts above.
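Added example (my code, not from the post) putting the entropy test aluigi describes into a script: byte entropy of a buffer, a per-window profile to spot a plain header in front of a compressed or encrypted body, and a rough triage that also checks the 8/16-byte alignment mentioned above. One point the numbers make clear: XOR, ROT and bit rotation only permute byte values, so they leave the histogram and therefore the entropy unchanged, which is why low entropy after "encryption" points at simple obfuscation. The inputs (pseudo-text, its XOR form, its deflate stream, seeded pseudo-random bytes) and the thresholds in classify() are constructed for the example.

```python
# Added example, not the post's code: entropy as a first triage step.
import math
import random
import zlib
from collections import Counter


def entropy(buf):
    """Shannon entropy in bits per byte: 0.0 for identical bytes, 8.0 maximum."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = sorted(Counter(buf).values())
    return -sum(c / n * math.log2(c / n) for c in counts)


def entropy_profile(buf, window=256):
    """Entropy per window: a low-entropy header followed by a high-entropy
    body is typical of a plain table in front of compressed/encrypted data."""
    return [round(entropy(buf[i:i + window]), 2) for i in range(0, len(buf), window)]


def classify(buf):
    """Rough hint of what to try next, in the spirit of the post; not a proof."""
    e = entropy(buf)
    if e < 6.0:
        return "plain or simple obfuscation (try xor/rot/rotate)"
    aligned = [bs for bs in (8, 16) if len(buf) % bs == 0]
    if aligned:
        return "high entropy, length multiple of %d: compression or a block cipher" % aligned[-1]
    return "high entropy: compression or a stream cipher"


# Constructed inputs, seeded so the example is reproducible.
rng = random.Random(7)
WORDS = b"the engine loads every asset table from the archive header first".split()
PLAIN = b" ".join(rng.choice(WORDS) for _ in range(1500))
XORED = bytes(b ^ 0x64 for b in PLAIN)          # same histogram as PLAIN
DEFLATED = zlib.compress(PLAIN, 9)              # deflate hides the original text
RANDOM = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for a cipher

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN), ("xored", XORED),
                      ("deflated", DEFLATED), ("random", RANDOM)):
        print("%-8s %.2f  %s" % (name, entropy(buf), classify(buf)))
    print(entropy_profile(PLAIN[:512] + RANDOM[:512]))
```

The profile is the more useful tool on real files: the entropy of the whole file averages the plain table with the payload, while the per-window values show where the plain part ends.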
rdlady
Posts: 7
Joined: Tue Jan 17, 2017 8:44 pm

Re: How to guess basic obfuscations: xor and sum/rot

Post by rdlady »

What about this one:


00000000  C1 83 2A 9E 5E 03 07 00 A9 E4 01 00 05 00 00 00  Áƒ*ž^...©ä......
00000010  4E 6F 6E 65 00 49 00 88 02 E8 03 00 00 29 03 00  None.I.ˆ.è...)..
00000020  00 67 04 00 00 73 78 00 00 5B 00 00 00 7F 6E 00  .g...sx..[....n.
00000030  00 9F A4 01 00 9F A4 01 00 00 00 00 00 00 00 00  .Ÿ¤..Ÿ¤.........
00000040  00 00 00 00 00 06 4B 1F 7A 11 71 8D 4F 8B 97 0F  ......K.z.q.O‹—.
00000050  38 67 E1 37 24 01 00 00 00 67 04 00 00 E8 03 00  8gá7$....g...è..
00000060  00 00 00 00 00 06 28 00 00 88 00 00 00 01 00 00  ......(..ˆ......
00000070  00 00 00 00 00 CA 5D E5 2C 00 00 00 00 12 00 00  .....Ê]å,.......
00000080  00 40 00 00 00 08 00 00 00 07 00 00 00 05 00 00  .@..............


How do I know if this is decryption/decompression?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: How to guess basic obfuscations: xor and sum/rot

Post by aluigi »

That's an Unreal engine asset