Tips for successfully recovering a decryption routine

Published 2024-10-26 18:04:53 · 1354 characters · 2 views · 0 comments

I have an executable that decrypts binary data input by the user. My task is to recover the decryption algorithm without seeing the source code of the executable. I've already made about 50 decryption attempts, and judging by the results the algorithm is obviously simple (XOR-like, but changing one byte of the input data usually affects two bytes of the output), and the length of the key is definitely 16 bytes, but I still cannot recover it.

So, my question is: are there any tips for successfully recovering the decryption algorithm? Some guidelines or any other help would be greatly appreciated.

Here are some real examples. I can see the regularity there, but I cannot understand the whole algorithm. If I enter more than 16 bytes (e.g. 17 zero bytes), the output byte sequence repeats. The left part is what I enter, the right is what I get (everything is hex):

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -> 73 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 65
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 66
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 -> 93 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 75
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 -> 83 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 76
00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 -> 83 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 A9 64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 BA 55
00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 00 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 B9 54
00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 00 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 75 A8 64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 -> 73 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 63

P.S. This is not "hacking" in the common sense. I'm writing a 3D model viewer for an obscure format (.bmd), but some of the models are encrypted, so I want to implement my own internal decryptor instead of using an external executable.


Comments (3)

铁轨上的流浪者 2024-11-02 18:04:53

Your approach is quite correct. If we assume that it is a 16-byte block encryption and that it indeed is an XOR code, you can proceed as follows (note that all calculations are done modulo 2):

  • The input block is 128 bits, and so is the output block.
  • Encryption can be described by a 128x128 binary matrix E: out = e(in) = E*in + e(0)
  • Each row in E basically tells you which bits will be flipped in the output if you change the corresponding bit in the input.
  • You can get E and e(0) using your approach: set one bit at a time and calculate the output. Thus you get the matrix E row by row, i.e. you need 128 input values to gather the complete matrix. e(0) is simply the encoding of the zero string.
  • The decryption is then defined by d(out) = D*(out - e(0)) with a matrix D.
  • If we plug the two together we get in = d(out) = D*(E*in + e(0) - e(0)) = D*E*in.
  • Thus we have to calculate the binary inverse of the encryption matrix E. There are known algorithms for this problem (see e.g. http://en.literateprograms.org/Binary_matrix_%28Java%29).

Edit: I checked whether the examples you gave fit the assumptions. If it were a plain XOR code we would have XOR[1st line, 2nd line, 3rd line, 4th line] = 0 on input and output. Same for XOR[1st line, 5th line, 6th line, 7th line] = 0. In the limited data provided it holds true for all bits except the first 8 in the output (which does not tell much, since only a few bits are affected anyway). Unfortunately I cannot tell you more at the moment with such limited data available.
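The matrix method in this answer, carried end to end as an added example (this is not code from the answerer, and not the asker's executable): `affine_defect` is the four-line XOR check from the edit above, run on the question's own lines 1 to 4 and 1, 5, 6, 7; `recover_affine_map` probes a black-box oracle with the zero block and 128 single-bit blocks to get E (as columns) and e(0); `gf2_invert` inverts E over GF(2) by Gauss-Jordan elimination; `make_decryptor` returns d(out) = D*(out ^ e(0)). The oracle `toy_oracle` and its `TOY_KEY` are constructed stand-ins for the unknown executable, chosen to be affine and invertible; they are not the real .bmd scheme.

```python
"""Black-box recovery of an affine map over GF(2) and its inverse.

Added example for the matrix approach described in the answer.  `toy_oracle`
is a constructed stand-in for the unknown executable, not the real scheme.
"""
from typing import Callable, List, Tuple

BLOCK = 16                       # block length in bytes, as observed in the question
NBITS = BLOCK * 8                # 128 bits
TOY_KEY = b"toy-key-16-bytes"    # constructed key for the stand-in oracle only


def to_int(block: bytes) -> int:
    return int.from_bytes(block, "big")


def to_bytes(x: int) -> bytes:
    return x.to_bytes(BLOCK, "big")


def toy_oracle(pt: bytes) -> bytes:
    """Constructed stand-in: out[i] = in[i] ^ in[i-1] ^ key[i] (byte 0 has no
    predecessor).  Affine over GF(2) and invertible (triangular with ones on the
    diagonal); one input byte touches two output bytes, loosely like the real one."""
    if len(pt) != BLOCK:
        raise ValueError("toy oracle handles exactly one block")
    out, prev = bytearray(BLOCK), 0
    for i, b in enumerate(pt):
        out[i] = b ^ prev ^ TOY_KEY[i]
        prev = b
    return bytes(out)


def affine_defect(outputs: List[bytes]) -> bytes:
    """For inputs a, b, c, a^b^c an affine map yields outputs that XOR to zero.
    Returns the XOR of the four outputs; nonzero bytes show where the affine
    assumption fails."""
    acc = 0
    for o in outputs:
        acc ^= to_int(o)
    return to_bytes(acc)


def recover_affine_map(oracle: Callable[[bytes], bytes]) -> Tuple[List[int], int]:
    """129 queries: e(0) plus one per input bit.  columns[j] = E*e_j as a 128-bit
    int, bit i set iff output bit i flips when input bit j flips."""
    c = to_int(oracle(bytes(BLOCK)))
    columns = [to_int(oracle(to_bytes(1 << j))) ^ c for j in range(NBITS)]
    return columns, c


def gf2_invert(columns: List[int]) -> List[int]:
    """Gauss-Jordan over GF(2) on [E | I].  Returns E^-1 as rows (row i is an
    int whose bit j is D[i][j]).  Raises if E is singular, which is also what
    you get when the oracle is not actually affine."""
    rows = [sum(((columns[j] >> i) & 1) << j for j in range(NBITS)) for i in range(NBITS)]
    inv = [1 << i for i in range(NBITS)]          # identity, row form
    for col in range(NBITS):
        pivot = next((r for r in range(col, NBITS) if (rows[r] >> col) & 1), None)
        if pivot is None:
            raise ValueError("singular matrix: not an invertible affine map")
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv[col], inv[pivot] = inv[pivot], inv[col]
        for r in range(NBITS):
            if r != col and (rows[r] >> col) & 1:
                rows[r] ^= rows[col]
                inv[r] ^= inv[col]
    return inv


def mat_vec(rows: List[int], x: int) -> int:
    """y = M*x over GF(2) with M in row form: y_i = parity(row_i & x)."""
    y = 0
    for i, r in enumerate(rows):
        if bin(r & x).count("1") & 1:
            y |= 1 << i
    return y


def make_decryptor(oracle: Callable[[bytes], bytes]) -> Callable[[bytes], bytes]:
    """d(out) = D*(out ^ e(0)), the formula from the answer."""
    columns, c = recover_affine_map(oracle)
    d_rows = gf2_invert(columns)
    return lambda ct: to_bytes(mat_vec(d_rows, to_int(ct) ^ c))


# Output lines copied from the question (inputs differ only in the last two bytes).
Q_LINES_1_TO_4 = [bytes.fromhex(h) for h in (
    "733615b9955d8eea01721cf4fa76aa65",   # line 1: ... 00 00
    "943615b9955d8eea01721cf4fa76aa66",   # line 2: ... 00 01
    "933615b9955d8eea01721cf4fa76aa75",   # line 3: ... 00 10
    "833615b9955d8eea01721cf4fa76aa76",   # line 4: ... 00 11
)]
Q_LINES_1_5_6_7 = [bytes.fromhex(h) for h in (
    "733615b9955d8eea01721cf4fa76aa65",   # line 1: ... 00 00
    "833615b9955d8eea01721cf4fa76a964",   # line 5: ... 01 00
    "943615b9955d8eea01721cf4fa76ba55",   # line 6: ... 10 00
    "943615b9955d8eea01721cf4fa76b954",   # line 7: ... 11 00
)]

if __name__ == "__main__":
    print("defect lines 1-4:  ", affine_defect(Q_LINES_1_TO_4).hex())
    print("defect lines 1,5,6,7:", affine_defect(Q_LINES_1_5_6_7).hex())
    dec = make_decryptor(toy_oracle)
    msg = b"sixteen byte msg"
    print("toy round trip ok:", dec(toy_oracle(msg)) == msg)
```

Against the real executable you would swap `toy_oracle` for a wrapper that runs the binary on one block and reads the result back; the 129 queries stay the same. On the posted data the defect is nonzero only in output byte 0 (for both quadruples), which is the "all bits except the first 8" observation above; if your own probe quadruples show the same, the map is not affine on those bits and the matrix model does not apply there, and `gf2_invert` will usually report a singular matrix.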

爱格式化 2024-11-02 18:04:53

How big is the executable? Can you disassemble it and reverse engineer the decryption from that?

Maybe post some examples that show why you think it works the way you think it does; someone else may spot something...

想念有你 2024-11-02 18:04:53

What you most likely want is to use a Gray code to decrypt the file. A Gray code can be decoded with a few XORs, like this: http://www.morkalork.com/mork/article/74/How_to_understand_and_use_Gray_code.htm
