Reverse Engineering Team Board


McBigMac 10-14-2010 11:21 AM

well a simple text...
 
Hi,

I realize there's about a 99% chance I shall be ridiculed and not helped, but nonetheless I'm in the beginning stages of my RE "venture" - and am thus not capable of many things.

I do however have a simple text file (yes, I know with certainty it's text).

It is however crypted or compressed in some way - and I've been unable to undo it - whether it's a symmetric/asymmetric key or just some less standard.

It's a fairly simple piece of text file (304 bytes) and I of course have interest in figuring out what it is encrypted with.

I uploaded it - since I see no attachments, even small, are available.


http://www.2shared.com/file/SjYQq3k0/text.html



Now fire the cannons of mocking me - but the question is - if you can reverse it or tell what it is.

kao 10-14-2010 02:03 PM

dklasfv dfjak dadfsda. Can you tell me what the previous sentence means?

It's virtually impossible to answer such questions without knowing context. Where did you get that text, what language it probably uses, what it is about, are these numbers or letters?

Your file consists of several parts:
3 bytes - purpose unknown
0x2EC bytes - block of encrypted text? 1st and 2nd bytes are the same, so are 3rd and 4th, 5th and 6th, etc, etc..
0x15 bytes - purpose unknown

Let's take a look at the big block. There are 108 different symbols, certain symbols are more common than others.

If text was compressed, we'd have more or less even distribution of all symbols and all 256 different symbols. We don't.

If it was a substitution cypher, the text would have no more than 2*26 (English letters) +10 (numbers) +20 (punctuation, space, linebreaks, @%^&, etc..) = 82 different symbols. We have much more.

If it was sub/add/xor/not operation with a word/dword-sized key, we'd see some pattern (every 2nd/4th symbol is in certain range). We don't.

All symbols are less than 0x80 (most significant bit is 0). Some 7bit encoding?

Summary: if you have the software that produces (or uses) such text files, reverse the software and find out the algo. It's much faster than staring at the encrypted text and trying to guess what algo was used there.. ;)

McBigMac 10-14-2010 03:45 PM

Sadly no, I don't, hence my desperate bargain plea here.


The text would look like configuration files, and static data to be loaded for a game.


This is one of the files - I don't suppose a similar one with very little text would help?



But yea, I guess this would require someone with much experience and knowledge - for some odd ball reason donate free time to figure it out.

I guess I can only hope to receive the .pe that loads these files and decrypts them into readable format.


Would another very small file with the same encryption/encoding rather perhaps?
Help give a hint?



I've found an earlier version of a file (it's text) without the encoding.
They're nearly identical size wise, so not much should have changed - perhaps this would help sharing both?

Git 10-14-2010 05:09 PM

Using Chrome browser, I can see no way of even downloading the file! I'll try again with IE

Git

McBigMac 11-02-2010 07:08 AM

For anyone interested, it was so bloody simple.


for (int i = 0; i + 1 < len; i++)
    file[i] ^= file[i + 1];  // XOR each byte with the one after it; the last byte has no successor



Good ol xor!
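
The decoding loop from the post above, together with the byte-level checks kao lists earlier (distinct symbols, high bit), as an added Python example that is not part of the thread. The function names and the sample text are constructed here, and the buffer is assumed to hold only the encoded body with its last byte stored unchanged.

```python
from collections import Counter

def chain_xor_decode(data: bytes) -> bytes:
    """Forward pass from the thread: out[i] = data[i] ^ data[i + 1]."""
    buf = bytearray(data)
    for i in range(len(buf) - 1):      # assumption: last byte has no successor, kept as-is
        buf[i] ^= buf[i + 1]           # buf[i + 1] is still the encoded value here
    return bytes(buf)

def chain_xor_encode(plain: bytes) -> bytes:
    """Inverse pass: built backwards so each byte absorbs the encoded byte after it."""
    buf = bytearray(plain)
    for i in range(len(buf) - 2, -1, -1):
        buf[i] ^= buf[i + 1]
    return bytes(buf)

def triage(data: bytes) -> dict:
    """The quick statistics used in the thread to rule encodings in or out."""
    counts = Counter(data)
    text_like = sum(0x20 <= b < 0x7F or b in (9, 10, 13) for b in data)
    return {
        "length": len(data),
        "distinct": len(counts),                   # compressed data tends towards 256
        "all_7bit": all(b < 0x80 for b in data),   # XOR of two ASCII bytes stays below 0x80
        "printable": text_like / max(len(data), 1),
        "top3": counts.most_common(3),
    }

# Constructed sample in the style of a small game config file (not the real file).
SAMPLE = (
    b"drop_factor=150\n"
    b"grade_a={0;0;0;16;47;94;157;235}\n"
    b"grade_b={0;0;0;14;42;84;139;209}\n"
)
ENCODED = chain_xor_encode(SAMPLE)

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE), ("encoded", ENCODED)):
        print(name, triage(blob))
    print("round trip ok:", chain_xor_decode(ENCODED) == SAMPLE)
```

Because every encoded byte is the XOR of a run of 7-bit plaintext bytes, the high bit stays clear even though the output no longer looks like text, which is consistent with the "less than 0x80" observation above.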

TehAvatar 12-04-2010 05:55 AM

Here's the text:

Code:

onepiece_factor=150
bonus_grade_none={0;0;0;4;8;16;16;16;16;16;16;16;16;16;16;16;16;16;16;16}
bonus_grade_d={0;0;0;9;26;52;86;130;181;242;311;389}
bonus_grade_c={0;0;0;12;36;71;118;178;249;332;426;533}
bonus_grade_b={0;0;0;14;42;84;139;209;293;390;502;627}
bonus_grade_a={0;0;0;16;47;94;157;235;329;439;564;705}
bonus_grade_s={0;0;0;17;52;104;173;259;363;484;623;778}

For what game is this? It looks interesting :P

