19

This is my first attempt at reverse engineering, and really, I don't know how to go about it. I have a procedural kind of mind and no foundation of knowledge on popular encryption methods.

But, it seems to me, if I have the very minimum data in the correct format, and know that there is an occurrence in the data of a certain word, or words, and where that word begins and ends in the data - that I could somehow discover the method of decrypting the entire file.

----- ENCRYPTED -------------------------------------------
HEX     44 5E 12 47 55 5E 53 17 4C 5C 49 4F 4F
ASCII   D  ^  ?  G  U  ^  S  ?  L  \  I  O  O
DEC     68 94 63 71 85 94 83 63 76 92 73 79 79 
BIN     01000100 01011110 00111111 01000111 01010101 01011110 01010011 00111111 01001100 01011100 01001001 01001111 01001111
----- DECRYPTED -------------------------------------------
HEX     74 6F 20 74 61 6B 65 20 74 65 73 74 73
ASCII   t  o     t  a  k  e     t  e  s  t  s
DEC     116 111 32 116 97 107 101 32 116 101 115 116 115 
BIN     01110100 01101111 00100000 01110100 01100001 01101011 01100101 00100000 01110100 01100101 01110011 01110100 01110011

This is just a sample of data. I know where the title information starts and ends because I examined two files with different titles - so I know these translate to the correct words - but where do I go from here to identifying the encryption process?

*I know people will ask why: This is from a VCE (exam) file format and I want to translate this into XML or JSON. This would make it easy for me to write a program that compares questions and answers from multiple exam files, appends, removes duplicates, and creates new ones.*

skaffman
Markus
  • I guess what you read is the *ENCRYPTED* part from above? But where did you get that *DECRYPTED* part from, when it actually isn't decrypted? Thanks – Niklas R Feb 09 '12 at 21:00
  • 2
    @NiklasR I was able to compare multiple files that I knew were 100% identical, except for a single value that I created. Therefore I know the text above would be 'to take tests' after decryption. – Markus Feb 14 '12 at 21:09
  • How did you fare doing this? I was looking into doing something similar. – WernerCD Nov 28 '12 at 04:26
  • @WernerCD sorry for the late reply but over the course of me working on this project they made some updates to their software. I never got the questions / answers / any image data decrypted. Everyone was very helpful though, and there are a few links below that give examples of encryption algorithms and methodology. Best of luck! – Markus Jan 02 '13 at 16:38
  • 1
    Did you find the way? I see it changes the whole file every time you save it. Even if you don't change anything. – Kamrul Khan Aug 28 '15 at 10:07

3 Answers

5

Try XORing the two strings together. What you get is

HEX     30 31 32 33 34 35 36 37 38 39 3A 3B 3C
ASCII   0  1  2  3  4  5  6  7  8  9  :  ;  <

See a pattern yet?

Ilmari Karonen
  • Yeah bit operations, had that in the back of my mind but didn't look at it. How'd you know that so fast? I've been staring at this a while! – Markus Feb 03 '12 at 17:20
  • 1
    @Markus: It was the first thing I tried. (The second thing would've been addition and subtraction modulo 256.) Also, comparing the encrypted and decrypted data sort of suggests something like that, since nearby ASCII codes (such as the two spaces in the decrypted text) clearly map to nearby (but not identical) values. – Ilmari Karonen Feb 03 '12 at 17:24
  • @IlmariKaronen thanks! Looks like I have a few more steps to go in this process. The title of the exam seems to be the only thing encoded in this manner, other data in the file turns to gibberish when using the same rule, but I'm able to detect the exam title for every vce file. – Markus Feb 03 '12 at 21:05
  • 1
    Could you tell us what "two strings" you XORed in order to get the result? How should that result be interpreted: is it already the searched XOR key? Some details would make this answer even more valuable. – omni Jun 08 '14 at 08:55
  • 1
    @masi: The question above contains two byte strings (labeled "encrypted" and "decrypted"), each shown in several representations (hex, ASCII, decimal, binary). Those are the strings I XORed together. And, yes, this directly gives the keystream that, when XORed with the plaintext, yields the ciphertext, and vice versa. Of course, since the example strings in the question were only 12 bytes long, we only get the first 12 bytes of the keystream, but those bytes already suggest a fairly obvious pattern. – Ilmari Karonen Jun 08 '14 at 14:53
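The known-plaintext step from this answer, written out as an added example (not code from the question or the answer): XOR the ciphertext with the known plaintext to get the keystream, also try the "addition modulo 256" hypothesis mentioned in the comments, and then test whether the recovered keystream is a plain byte counter (each byte one more than the previous, wrapping at 256). The bytes are the exam-title sample from the question; the function names and the counter check are this example's own.

```python
"""Added example: recover an XOR (or additive) keystream from a known
plaintext/ciphertext pair and test whether it is a byte counter.
The sample bytes are the exam-title field from the question above."""
from typing import Optional

ENCRYPTED = bytes.fromhex("445E1247555E53174C5C494F4F")
PLAINTEXT = b"to take tests"          # known from comparing two files


def recover_xor_keystream(ciphertext: bytes, plaintext: bytes) -> bytes:
    """C = P ^ K, so K = C ^ P. Only covers the bytes whose plaintext is known."""
    if len(ciphertext) != len(plaintext):
        raise ValueError("known plaintext must line up with the ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))


def recover_additive_key(ciphertext: bytes, plaintext: bytes) -> bytes:
    """The other cheap hypothesis: C = (P + K) mod 256, so K = (C - P) mod 256."""
    if len(ciphertext) != len(plaintext):
        raise ValueError("known plaintext must line up with the ciphertext")
    return bytes((c - p) & 0xFF for c, p in zip(ciphertext, plaintext))


def counter_start(keystream: bytes) -> Optional[int]:
    """Return the first byte if every byte equals the previous one + 1 (mod 256),
    i.e. the keystream is a plain counter; otherwise None."""
    if not keystream:
        return None
    for prev, cur in zip(keystream, keystream[1:]):
        if (prev + 1) & 0xFF != cur:
            return None
    return keystream[0]


def xor_counter(data: bytes, start: int) -> bytes:
    """Apply (or undo: XOR is self-inverse) a counter keystream beginning at `start`."""
    return bytes(b ^ ((start + i) & 0xFF) for i, b in enumerate(data))


def analyse(ciphertext: bytes, plaintext: bytes) -> dict:
    """Try both hypotheses and report which one yields a counter keystream."""
    result = {}
    for name, fn in (("xor", recover_xor_keystream), ("add", recover_additive_key)):
        ks = fn(ciphertext, plaintext)
        result[name] = {"keystream": ks.hex(" "), "counter_start": counter_start(ks)}
    return result


if __name__ == "__main__":
    report = analyse(ENCRYPTED, PLAINTEXT)
    print(report)
    start = report["xor"]["counter_start"]
    if start is not None:
        print("XOR with counter from", hex(start), "->", xor_counter(ENCRYPTED, start))
```

For the sample, the XOR hypothesis gives the keystream 30 31 32 ... 3C, which `counter_start` recognises as a counter starting at 0x30, while the additive hypothesis gives no pattern. Thirteen bytes are enough to see the counter but not to know what it counts from in other fields, which is exactly what the asker runs into with the rest of the file.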
2

The Question field XOR value starts with 19, and then it's every second character.

ENCRYPTED:

6D 1A 74 1C 3D 1E 6B 20 40 22 48 24 40 26 07 28 5D 2A 4E 2C 5E 2E 5B 30 42 32

XOR:

19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32

DECRYPTED:

t?o? ?t?a?k?e? ?t?e?s?t?s?
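Applying this answer's counter key in code, as an added example that is not part of the answer: the ciphertext is the Question field bytes listed above, the keystream byte at offset i is (0x19 + i) mod 256, and the `?` characters in the answer's output are 0x00 bytes. That a printable byte alternates with 0x00 is what ASCII text looks like stored as UTF-16LE; treating the field as UTF-16LE is this example's assumption, not something the answer states. Since the start byte is the only unknown, the example also tries all 256 start values and keeps the ones that produce that byte pattern, so the 0x19 could have been found without being told.

```python
"""Added example: decrypt the Question field bytes from the answer above with a
counter keystream starting at 0x19, and recover that start value from the
plaintext's structure alone (every second byte is 0x00)."""
from typing import List

# Ciphertext as listed in the answer.
ENC_QUESTION = bytes.fromhex(
    "6D 1A 74 1C 3D 1E 6B 20 40 22 48 24 40 26 07 28 5D 2A 4E 2C 5E 2E 5B 30 42 32"
)


def xor_counter(data: bytes, start: int) -> bytes:
    """Keystream byte i is (start + i) mod 256; XORing undoes the encryption."""
    return bytes(b ^ ((start + i) & 0xFF) for i, b in enumerate(data))


def looks_like_utf16le_text(plain: bytes) -> bool:
    """ASCII text stored as UTF-16LE has a printable byte at every even offset
    and 0x00 at every odd offset (the '?' characters in the answer's output)."""
    if len(plain) < 2 or len(plain) % 2:
        return False
    evens, odds = plain[0::2], plain[1::2]
    return all(b == 0 for b in odds) and all(0x20 <= b < 0x7F for b in evens)


def candidate_starts(data: bytes) -> List[int]:
    """Try all 256 possible start bytes and keep those whose output looks like
    UTF-16LE text. The odd-offset 0x00 bytes pin the start down to one value."""
    return [s for s in range(256) if looks_like_utf16le_text(xor_counter(data, s))]


def decode_question(data: bytes, start: int = 0x19) -> str:
    """Assumption (not stated by the answer): the decrypted field is UTF-16LE."""
    return xor_counter(data, start).decode("utf-16-le")


if __name__ == "__main__":
    print("candidate starts:", [hex(s) for s in candidate_starts(ENC_QUESTION)])
    print(decode_question(ENC_QUESTION))
```

The brute-force check is cheap because a counter keystream has only one free byte; a keystream that also depended on the field's position in the file, or that changed on every save as a later comment on the question reports, would not be pinned down this way.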

1

Always try XOR'ing (a bit-wise operation) first when you have a hex file and you think it is encrypted.
There are many reasons for it.

  • Once you apply the encryption by XOR, you can decrypt it by applying the XOR again.
  • Thus it is a very simple way to encrypt something.
    You can go through the following wiki page for more detail:
    XOR_wiki
    Also, if you have access to the Art of Programming (and also time to refer to that :D), go through the bit-wise operations section.
    It is very well explained. Worth reading, mate :)
kidd0
  • Check out the following Question. It answers your query. [Why Xor is used in cryptography](http://stackoverflow.com/questions/1379952/why-is-xor-used-on-cryptography) – kidd0 Feb 07 '12 at 08:59