Tips for successful decryption
I have an executable that decrypts binary data input by the user. My task is restoring the decryption algorithm without seeing the source code of the executable. I've already made about 50 decryption attempts, and judging by the results the algorithm is obviously easy (XOR-like, but changing a byte of the input data usually affects two bytes of the output), and the length of the key is definitely 16 bytes, but I still cannot restore it.
So, my question is: are there any tips for successfully restoring the decryption algorithm? Some guidelines or any other help will be greatly appreciated.
Here are some real examples; I can see the regularity there, but I cannot understand the whole algorithm. If I enter more than 16 bytes (e.g. 17 zero bytes), the output byte sequence repeats. The left part is what I enter, the right is what I get (everything is hex):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -> 73 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 65
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 66
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 -> 93 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 75
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 -> 83 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 76
00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 -> 83 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 A9 64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 BA 55
00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 00 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 B9 54
00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 00 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 75 A8 64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 -> 73 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 63
P.S. This is not "hacking" in the common sense. I'm writing a 3D model viewer for a little-known format (.bmd), but some of the models are encrypted, so I want to implement my own internal decryptor instead of using an external executable.
Your approach is quite correct. If we assume that it is a 16 byte block encryption and that it indeed is a xor code you can proceed as follows (note all calculations are done modulo 2):
Edit: I checked whether the example you gave fits into the assumptions. If it was a plain XOR code we would have XOR[1st line, 2nd line, 3rd line, 4th line] = 0 on input and output. Same for XOR[1st line, 5th line, 6th line, 7th line] = 0. In the limited data provided it holds true for all bits but the first 8 in the output (which does not tell much since only few bits are affected anyway). Unfortunately I cannot tell you more at the moment with such limited data available.
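The linearity test described in this answer can be run mechanically over the nine samples posted in the question. The following is an added example, not code from the question or the answer: it parses the posted rows, XORs together any set of samples whose inputs XOR to zero, and reports the output byte positions where the result is nonzero (those are the positions a plain XOR code cannot explain). It also computes the output difference between two samples so the per-byte effect of a single input change can be read off directly.

```python
# Added example: checks the "XOR of rows must be zero" test from the answer
# against the samples posted in the question (copied verbatim below).
SAMPLES_HEX = """
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -> 73 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 65
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 66
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 -> 93 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 75
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 -> 83 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 76
00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 -> 83 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 A9 64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 BA 55
00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 00 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 B9 54
00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 00 -> 94 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 75 A8 64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 -> 73 36 15 B9 95 5D 8E EA 01 72 1C F4 FA 76 AA 63
"""


def parse_samples(text: str) -> list[tuple[bytes, bytes]]:
    """Turn 'in_hex -> out_hex' lines into (input, output) byte pairs."""
    pairs = []
    for line in text.strip().splitlines():
        left, right = line.split("->")
        pairs.append((bytes.fromhex(left), bytes.fromhex(right)))
    return pairs


SAMPLES = parse_samples(SAMPLES_HEX)


def xor_bytes(*parts: bytes) -> bytes:
    """XOR any number of equal-length byte strings together."""
    out = bytearray(len(parts[0]))
    for part in parts:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def linearity_check(indices: list[int]) -> tuple[bytes, bytes]:
    """XOR of the chosen inputs and XOR of the chosen outputs (0-based indices)."""
    ins = xor_bytes(*(SAMPLES[i][0] for i in indices))
    outs = xor_bytes(*(SAMPLES[i][1] for i in indices))
    return ins, outs


def violating_positions(indices: list[int]) -> list[int]:
    """Output byte positions where a plain XOR code would predict 0 but we see nonzero.

    Only meaningful when the chosen inputs XOR to zero, so that is enforced.
    """
    ins, outs = linearity_check(indices)
    if any(ins):
        raise ValueError("choose samples whose inputs XOR to zero")
    return [i for i, b in enumerate(outs) if b]


def output_delta(i: int, j: int) -> bytes:
    """Byte-wise difference (XOR) between the outputs of samples i and j."""
    return xor_bytes(SAMPLES[i][1], SAMPLES[j][1])


if __name__ == "__main__":
    for group in ([0, 1, 2, 3], [0, 4, 5, 6]):
        ins, outs = linearity_check(group)
        print("rows", [g + 1 for g in group], "input xor:", ins.hex(),
              "output xor:", outs.hex(), "violations at:", violating_positions(group))
    for j in (1, 2, 3, 8):
        print("row 1 vs row", j + 1, "output delta:", output_delta(0, j).hex())
```

Running it reproduces the answer's observation: for both groups the input XOR is zero and the output XOR is zero everywhere except byte 0 (0xF7 and 0xF0 respectively). The `output_delta` table is the natural next step once more samples are collected: one input change per sample, and the delta shows exactly which output bits respond.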
How big is the executable - can you disassemble it and reverse engineer the decryption from that?
Maybe post some examples that show why you think it works the way you think - someone else may spot something...
What you want is most likely to use a Gray code to decrypt the file. A Gray code can be decrypted with some XORs like this: http://www.morkalork.com/mork/article/74/How_to_understand_and_use_Gray_code.htm
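The Gray code conversion this answer links to is short enough to show in full. The following is an added example, not code from the answer or the linked article: the standard binary-to-Gray mapping (`n ^ (n >> 1)`), its inverse by repeatedly XOR-folding the shifted value, and a byte-wise decoder. Whether the questioner's executable actually uses this mapping is the answer's guess, not something the posted samples confirm.

```python
# Added example: standard reflected Gray code and its XOR-based inverse.


def to_gray(n: int) -> int:
    """Binary -> Gray: each bit is XORed with the bit above it."""
    return n ^ (n >> 1)


def from_gray(g: int) -> int:
    """Gray -> binary: XOR-fold all higher bits down into each position.

    Equivalent to n = g ^ (g >> 1) ^ (g >> 2) ^ ... until nothing is left.
    """
    n = 0
    while g:
        n ^= g
        g >>= 1
    return n


def gray_decode_bytes(buf: bytes) -> bytes:
    """Apply the Gray -> binary inverse independently to every byte."""
    return bytes(from_gray(b) for b in buf)


def gray_encode_bytes(buf: bytes) -> bytes:
    """Apply the binary -> Gray mapping independently to every byte."""
    return bytes(to_gray(b) for b in buf)


def popcount(x: int) -> int:
    return bin(x).count("1")


if __name__ == "__main__":
    # Defining property: consecutive Gray codes differ in exactly one bit.
    for i in range(255):
        assert popcount(to_gray(i) ^ to_gray(i + 1)) == 1
    # Constructed sample buffer (not from the question) round-trips.
    sample = bytes(range(0, 256, 17))
    assert gray_decode_bytes(gray_encode_bytes(sample)) == sample
    print("gray(0b0110) =", bin(to_gray(0b0110)), "-> back:", bin(from_gray(to_gray(0b0110))))
```

The thing to notice when testing a hypothesis like this one against real samples is the direction of bit spread: `to_gray` lets input bit k influence output bits k and k-1, and `from_gray` lets it influence every bit below k, so a delta table over single-bit input changes distinguishes the two immediately.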