9.1. PRIMITIVE XOR-ENCRYPTION
9.1.4 Simple encryption using XOR mask.
I’ve found an old interactive fiction game while diving deep into if-archive^3:
The New Castle v3.5 - Text/Adventure Game
in the style of the original Infocom (tm)
type games, Zork, Collosal Cave (Adventure),
etc. Can you solve the mystery of the
abandoned castle?
Shareware from Software Customization.
Software Customization [ASP] Version 3.5 Feb. 2000
It’s downloadable here: https://github.com/DennisYurichev/RE-for-beginners/blob/master/ff/XOR/mask_1/files/newcastle.tgz.
There is a file inside (named castle.dbf) which is clearly encrypted, but not by a real crypto algorithm,
nor is it compressed; this is something simpler. I wouldn’t even measure the entropy level (9.2 on
page 948) of the file, because I’m sure it’s low. Here is how it looks in Midnight Commander:
Figure 9.8: Encrypted file in Midnight Commander
The encrypted file can be downloaded here: https://github.com/DennisYurichev/RE-for-beginners/blob/master/ff/XOR/mask_1/files/castle.dbf.bz2.
Is it possible to decrypt it without access to the program, using just this file?
There is a clearly visible pattern of a repeating string. If simple encryption by XOR mask was applied, such
repeating strings are a prominent signature, because there were probably long lacunas^4 of zero bytes,
which, in turn, are present in many executable files as well as in binary data files.
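The zero-byte observation can be turned into a short check. This is an added example, not code from the book or from the game: the record layout, the 7-byte mask and the function names are constructed for illustration, and it assumes that zero bytes dominate the plaintext.

```python
from collections import Counter

def xor_mask(data: bytes, mask: bytes) -> bytes:
    """XOR with a repeating mask; the same call encrypts and decrypts."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))

def guess_period(ct: bytes, max_len: int = 32, threshold: float = 0.5) -> int:
    """Return the smallest shift p at which ct[i] == ct[i+p] for more than
    `threshold` of all positions. Over a run of zero bytes the ciphertext
    is the mask itself, so it repeats exactly at the mask length."""
    for p in range(1, max_len + 1):
        hits = sum(a == b for a, b in zip(ct, ct[p:]))
        if hits / (len(ct) - p) > threshold:
            return p
    raise ValueError("no repeating period found")

def recover_mask(ct: bytes, period: int) -> bytes:
    """Assumption: 0x00 is the most common plaintext byte in every column,
    so the most common ciphertext byte in column j equals mask[j]."""
    return bytes(Counter(ct[j::period]).most_common(1)[0][0]
                 for j in range(period))

# Constructed sample: zero-padded 64-byte records, like a fixed-width data file.
FIELDS = [b"ROOM", b"You are in the hall.", b"KEY",
          b"A rusty iron key.", b"DOOR", b"An oak door, locked."]
PLAINTEXT = b"".join(f.ljust(64, b"\x00") for f in FIELDS)
MASK = bytes.fromhex("1337c0de42995a")  # constructed mask, not the game's
CIPHERTEXT = xor_mask(PLAINTEXT, MASK)

if __name__ == "__main__":
    period = guess_period(CIPHERTEXT)
    mask = recover_mask(CIPHERTEXT, period)
    print("period:", period, "mask:", mask.hex())
    # First record after decryption, with the zero padding stripped.
    print(xor_mask(CIPHERTEXT, mask)[:64].rstrip(b"\x00"))
```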
Here I’ll dump the file’s beginning using the xxd UNIX utility:
...
0000030: 09 61 0d 63 0f 77 14 69 75 62 67 76 01 7e 1d 61 .a.c.w.iubgv.~.a
0000040: 7a 11 0f 72 6e 03 05 7d 7d 63 7e 77 66 1e 7a 02 z..rn..}}c~wf.z.
0000050: 75 50 02 4a 31 71 31 33 5c 27 08 5c 51 74 3e 39 uP.J1q13\'.\Qt>9
0000060: 50 2e 28 72 24 4b 38 21 4c 09 37 38 3b 51 41 2d P.(r$K8!L.78;QA-
0000070: 1c 3c 37 5d 27 5a 1c 7c 6a 10 14 68 77 08 6d 1a .<7]'Z.|j..hw.m.
(^3) http://www.ifarchive.org/
(^4) As in https://en.wikipedia.org/wiki/Lacuna_(manuscripts)