Abusing the Internet of Things

$ strings T-CHE7AUSC/image/exe.img.enc
ct-KLG7CUQC,
KHM7@USCT-CHE7AUz'r
ausct
dect
CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-
CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-
CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-
CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-
CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-
CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-
CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-CHE7AUSCT-
CHE7AUSCT-CHE7AUSCT-CHE7AUSC
[rest of output removed for brevity]

Isn’t it interesting to see the string T-CHE7AUSC repeat in a file that is supposedly encrypted? It is especially notable because it is also the name of the root directory that is created when the firmware download is unzipped. If the image files were truly encrypted, this string should not be showing up in clear text. What is going on here? Well, let’s take a moment to consider what happens when a character is XOR’d with the null ASCII character, decimal value 0. Null characters are commonly used to mark the end of a string in memory and are written with the escape sequence \0.
The following C program performs an XOR operation between the character a and the null character:


#include <stdio.h>

int main(void)
{
    /* XOR with the null byte (0) leaves every bit unchanged, so 'a' ^ '\0' == 'a' */
    printf("%c\n", 'a' ^ '\0');
    return 0; /* exit status 0 signals success */
}

Let’s compile and run our program to see the output:

$ gcc xor_null.c -o xor_null
$ ./xor_null
a

So there we have it. XOR’ing a character with a null byte yields the original character unchanged. This means that if your XOR key is short and the file you are XOR’ing contains a run of null characters, the key itself will be revealed in the ciphertext, repeated once for every key length’s worth of nulls. This is exactly what happened in the case of the Samsung firmware file we looked at using the strings command.
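The following Python program is an added example, not code from the book: it XORs a constructed firmware-like image (a short header, 64 null bytes of padding, some file-system strings) with the key T-CHE7AUSC seen in the strings output above, shows that the key appears verbatim in the "encrypted" output, and then recovers the key from the ciphertext alone by looking for the longest back-to-back repeating window, which is what an analyst would do to confirm that an image is only XOR-obfuscated. The sample image and the recovery routine are assumptions for the demonstration, not the firmware's real layout.

```python
KEY = b"T-CHE7AUSC"  # the string that leaked in the strings output above


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i is combined with key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_image() -> bytes:
    """Constructed plaintext: header, a zero-filled padding region, content."""
    header = b"FIRMWARE v1.0 \x01\x02\x03"
    padding = b"\x00" * 64          # the nulls that expose the keystream
    body = b"/bin/busybox\x00/etc/init.d/rcS\x00"
    return header + padding + body


def recover_key_from_nulls(ct: bytes, max_key_len: int = 32, min_runs: int = 3):
    """Find the period-p window of ct that repeats back to back over the most
    bytes. Over a run of nulls the ciphertext *is* the keystream, so that
    window is the key up to rotation. Returns None if nothing repeats."""
    best = None  # (total repeated length, period, start)
    for p in range(1, max_key_len + 1):
        for start in range(len(ct) - p * min_runs + 1):
            chunk = ct[start:start + p]
            n = 1
            while ct[start + n * p:start + (n + 1) * p] == chunk:
                n += 1
            if n >= min_runs and (best is None or n * p > best[0]):
                best = (n * p, p, start)
    if best is None:
        return None
    _, p, start = best
    chunk = ct[start:start + p]
    shift = start % p  # the null run rarely begins at key offset 0
    return bytes(chunk[(k - shift) % p] for k in range(p))


def demo() -> dict:
    """XOR the sample image with KEY, then recover KEY from the ciphertext alone."""
    image = build_sample_image()
    ct = xor_repeating(image, KEY)
    key = recover_key_from_nulls(ct)
    return {
        "key_visible_in_ciphertext": KEY in ct,  # what `strings` showed
        "recovered_key": key,
        "decrypts_correctly": key is not None and xor_repeating(ct, key) == image,
    }
```

The recovered key decrypts the whole image, which is the practical test that the scheme offers no confidentiality: any zero-filled region is enough to hand over the key.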


YOU CALL THAT ENCRYPTION? 133