9.1. PRIMITIVE XOR-ENCRYPTION
Mathematica notebook file is downloadable here: https://github.com/DennisYurichev/RE-for-beginners/blob/master/ff/XOR/mask_1/files/XOR_mask_1.nb.
Summary: XOR encryption like this is not robust at all. The game's developer(s) probably intended it just to prevent gamers from peeking into the game's internals, nothing more serious. Still, encryption like this is extremely popular due to its simplicity, and many reverse engineers are familiar with it.
9.1.5 Simple encryption using XOR mask, case II.
I’ve got another encrypted file, which is clearly encrypted by something simple, like XOR-ing:
Figure 9.13: Encrypted file in Midnight Commander
The encrypted file can be downloaded here.
The ent Linux utility reports about ~7.5 bits per byte, which is a high level of entropy (9.2 on page 948), close to that of a compressed or properly encrypted file. But still, we clearly see a pattern: there are blocks 17 bytes in size, and you can see a kind of ladder, shifting by 1 byte on each 16-byte line.
It’s also known that the plain text is just English language text.
Now let's assume that this piece of text is encrypted by simple XOR-ing with a 17-byte key.
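The following added example (not from the book; the key, plaintext and function names are constructed for illustration) shows why a file masked with a repeating 17-byte key can score high on entropy and still leak its period. It uses coincidence counting over byte shifts, which is a different technique from the repeated-block tally used in the text.

```python
import math
from collections import Counter

# Constructed sample data (not the book's file): a hypothetical 17-byte key
# and a short English plaintext.
KEY = bytes.fromhex("9a3c5ee107b4d2684f21c97d0a96f3558b")
PLAINTEXT = (
    b"It was a quiet evening in the harbour town, and the fishing boats "
    b"had already come back with the tide. The old keeper walked slowly "
    b"along the pier, counting the lanterns one by one, as he had done "
    b"every night for thirty years. Nobody asked him to do it any more, "
    b"but he said that the sea remembers those who keep their promises, "
    b"and so he went on counting until the last light was burning and "
    b"the whole bay lay still under the stars."
)

def xor_mask(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR mask; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram (the figure ent reports)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def coincidence_rate(data: bytes, shift: int) -> float:
    """Fraction of positions i where data[i] == data[i + shift]."""
    pairs = len(data) - shift
    return sum(data[i] == data[i + shift] for i in range(pairs)) / pairs

def guess_period(data: bytes, max_shift: int = 32) -> int:
    """Shift with the most coincidences. When the shift equals the key
    length, the key cancels out and the plaintext's own letter
    repetition shows through the mask."""
    return max(range(1, max_shift + 1),
               key=lambda s: coincidence_rate(data, s))

CIPHERTEXT = xor_mask(PLAINTEXT, KEY)

if __name__ == "__main__":
    print("plaintext entropy :", round(entropy_bits_per_byte(PLAINTEXT), 2))
    print("ciphertext entropy:", round(entropy_bits_per_byte(CIPHERTEXT), 2))
    print("estimated period  :", guess_period(CIPHERTEXT))
```

Because 17 = 16 + 1, each key byte lands one column further right on every successive 16-byte row of a hex dump, which is the ladder visible in the screenshot.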
I tried to find some repeating 17-byte blocks using Mathematica, like I did before in my previous example
(9.1.4 on page 936):
Listing 9.2: Mathematica