8.7. ENCRYPTED DATABASE CASE #1
Argument 3/5
0038BB30: CD CD CD CD CD CD CD CD-CD CD CD CD CD CD CD CD "................"
(0) software.exe!0x4339a0() -> 0x0
Argument 3/5 difference
00000000: 45 00 20 00 4A 00 4F 00-48 00 4E 00 53 00 00 00 "E. .J.O.H.N.S..."
(0) software.exe!0x4339a0(0x38b920, 0x0, 0x38b978, 0x10, 0x0) (called from software.exe!.text+0x33c0d (0x13e4c0d))
Argument 1/5
0038B920: 95 80 27 02 21 D5 2D 1A-0F D9 45 9F 75 EE 24 C4 "..'.!.-...E.u.$."
Argument 3/5
0038B978: 95 80 27 02 21 D5 2D 1A-0F D9 45 9F 75 EE 24 C4 "..'.!.-...E.u.$."
(0) software.exe!0x4339a0() -> 0x0
Argument 3/5 difference
00000000: B1 27 7F E4 9F 01 E3 81-CF C6 12 FB B9 7C F1 BC ".'...........|.."
PID=1984|Process software.exe exited. ExitCode=0 (0x0)
Here we can see inputs to the ProcessAndXorBlock() function, and outputs from it.
This is output from the function during first call:
00000000: C7 39 4E 7B 33 1B D6 1F-B8 31 10 39 39 13 A5 5D ".9N{3....1.99..]"
Then ProcessAndXorBlock() is called with a zero-length block, but with flag 8 (BT_ReverseDirection).
Second call:
00000000: 45 00 20 00 4A 00 4F 00-48 00 4E 00 53 00 00 00 "E. .J.O.H.N.S..."
Wow, there is some string familiar to us!
Third call:
00000000: B1 27 7F E4 9F 01 E3 81-CF C6 12 FB B9 7C F1 BC ".'...........|.."
The first output is very similar to the first 16 bytes of the encrypted buffer.
Output of the first call of ProcessAndXorBlock():
00000000: C7 39 4E 7B 33 1B D6 1F-B8 31 10 39 39 13 A5 5D ".9N{3....1.99..]"
First 16 bytes of encrypted buffer:
00000000: CA 39 B1 85 75 1B 84 1F-F9 31 5E 39 72 13 EC 5D ".9..u....1^9r..]"
There are too many equal bytes! How can the output of AES encryption be so similar to the encrypted
buffer, when what is being performed here is decryption rather than encryption?!
8.7.5 Cipher Feedback mode.
The answer is CFB^23: in this mode, the AES algorithm is used not as an encryption algorithm, but as a device which
generates cryptographically secure pseudorandom data. The actual encryption is done with a simple XOR
operation, and only the forward (encryption) direction of the block cipher is ever needed, for both encryption and decryption.
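The mode just described, as an added example that is not code from the book or from the traced software: a CFB encrypt/decrypt pair built over a stand-in block function. The standard Python library has no AES, so HMAC-SHA256 truncated to 16 bytes is used in its place (an assumption; it is a one-way function, which is enough because CFB only ever calls the cipher's forward direction); the key and IV are constructed. The example also shows why a keystream block and a ciphertext block can agree in so many positions: they agree exactly where the plaintext byte is zero, which for a UTF-16LE string of ASCII characters is every second byte. The two 16-byte dumps compared above are copied in as data and checked the same way.

```python
"""CFB mode worked example (added; not from the book or the traced program).

Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for AES; KEY and IV
are constructed here. PLAINTEXT and the two PAGE_* dumps are copied from the
tracer output shown on this page."""
import hmac
import hashlib

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's *encryption* direction (assumption: HMAC,
    # not AES). CFB never calls the decryption direction, so a one-way
    # function is enough to show how the mode behaves.
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes):
    """CFB encryption of whole blocks. Returns (ciphertext, keystream).

    Keystream block i is E(C[i-1]) with C[-1] = IV: the block cipher only
    generates pseudorandom bytes, and the encryption itself is an XOR."""
    assert len(plaintext) % BLOCK == 0
    ct, ks, prev = bytearray(), bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        k = block_encrypt(key, prev)
        c = xor(plaintext[i:i + BLOCK], k)
        ks += k
        ct += c
        prev = c  # feedback: the next keystream block depends on this ciphertext block
    return bytes(ct), bytes(ks)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB decryption regenerates the same keystream (again using only E())
    and XORs it with the ciphertext."""
    pt, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        pt += xor(c, block_encrypt(key, prev))
        prev = c
    return bytes(pt)


def matching_positions(a: bytes, b: bytes) -> list:
    """Indices where two byte strings agree. For ciphertext vs keystream this
    is exactly the set of positions where the plaintext byte is 0x00, because
    x XOR p == x only when p == 0."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x == y]


def zero_positions(data: bytes) -> list:
    return [i for i, x in enumerate(data) if x == 0]


# The UTF-16LE string seen in the tracer output above ("E. .J.O.H.N.S...").
PLAINTEXT = bytes.fromhex("45002000 4A004F00 48004E00 53000000")
KEY = b"constructed-demo-key"  # constructed, not from the page
IV = bytes(range(BLOCK))        # constructed, not from the page

# The two dumps the text compares: output of the first block-cipher call and
# the first 16 bytes of the encrypted buffer (both copied from the page).
PAGE_FIRST_OUTPUT = bytes.fromhex("C7394E7B 331BD61F B8311039 3913A55D")
PAGE_ENCRYPTED_PREFIX = bytes.fromhex("CA39B185 751B841F F9315E39 7213EC5D")


def demo() -> list:
    """Round-trips PLAINTEXT through CFB, checks the zero-byte property on the
    constructed data, and returns the positions where the page's two dumps
    agree (every high byte of a UTF-16LE ASCII character except one)."""
    ct, ks = cfb_encrypt(KEY, IV, PLAINTEXT)
    assert cfb_decrypt(KEY, IV, ct) == PLAINTEXT
    # Every zero plaintext byte (the high byte of each ASCII character in
    # UTF-16LE) leaves the keystream byte unchanged in the ciphertext.
    assert matching_positions(ct, ks) == zero_positions(PLAINTEXT)
    return matching_positions(PAGE_FIRST_OUTPUT, PAGE_ENCRYPTED_PREFIX)


if __name__ == "__main__":
    print("positions where the page's two dumps agree:", demo())
```

Running the block prints the agreeing positions of the two dumps from the page, which are all odd indices except index 3; that pattern is what makes a keystream block look "very similar" to a ciphertext block whenever the underlying plaintext is UTF-16LE text.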
Here is the encryption algorithm (images are taken from Wikipedia):
(^23) Cipher Feedback