Since my last post, I tried finding a correct value to use as the xor key.
That didn't go as well as I expected, so I started thinking about a way to bruteforce it. I tried creating 255 files, each with the corresponding byte as content, patching the binary such that the jz after the addition-test became a jmp, and checking each file, but this was way too slow. As an alternative I tried coding a small program that could test all the combinations of the variables so that the addition test would succeed. If this worked, then I would only have to test a subset of the 255 files, should the system have more than one solution, but again, this would take an enormous amount of time.
So ... I'm left with an alternative, probably the one I should have started with.
I have coded an IDC script that will XOR the bytes in the binary; now all I have to do is patch the binary (so that it won't run the xor-cycle again) and try each value.
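The brute-force idea from above, written out as an added Python example rather than the IDC script from the post: XOR a region with each of the 255 candidate keys and keep only the keys that pass the addition test, so that only a subset of the 255 files would need checking. The blob layout, the region offset and the form of the addition test (decrypted bytes summing, mod 256, to a stored check byte) are assumptions for the example, not the real crackme's.

```python
"""Single-byte XOR key brute force with an 'addition test' filter (example code)."""


def xor_region(data: bytes, key: int) -> bytes:
    """XOR every byte of the region with one key byte (same op as the IDC loop)."""
    return bytes(b ^ key for b in data)


def addition_test(plain: bytes, check: int) -> bool:
    """Hypothetical addition test: the decrypted bytes must sum to `check` mod 256."""
    return sum(plain) % 256 == check


def candidate_keys(region: bytes, check: int) -> list:
    """Return every key in 1..255 for which the decrypted region passes the test.

    More than one key may survive, which is exactly why the test alone does not
    identify the key and the remaining candidates still have to be tried."""
    return [k for k in range(1, 256) if addition_test(xor_region(region, k), check)]


def patch_blob(blob: bytes, region_off: int, plain: bytes) -> bytes:
    """Write the decrypted bytes back so the binary does not have to run the xor-cycle."""
    return blob[:region_off] + plain + blob[region_off + len(plain):]


# Constructed sample: 8 bytes of fake header, a 12-byte XOR-obfuscated region,
# then one check byte. Offsets and key are made up for this example.
KEY = 0x5A
PLAIN = b"Correct key!"
REGION_OFF = 8
CHECK_OFF = REGION_OFF + len(PLAIN)
BLOB = b"\x7fELF\x00\x00\x00\x00" + xor_region(PLAIN, KEY) + bytes([sum(PLAIN) % 256])


def recover(blob: bytes, region_off: int, check_off: int) -> list:
    """Return (key, decrypted region) for every key that passes the addition test."""
    region = blob[region_off:check_off]
    return [(k, xor_region(region, k)) for k in candidate_keys(region, blob[check_off])]


if __name__ == "__main__":
    for key, plain in recover(BLOB, REGION_OFF, CHECK_OFF):
        print(f"key 0x{key:02x}: {plain!r}")
        patched = patch_blob(BLOB, REGION_OFF, plain)
        print("  patched region:", patched[REGION_OFF:CHECK_OFF])
```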