Identifying Encryption/Compression
-MIPs-
January 18th, 2007, 21:15
Are there any more ways to tell if a file is using encryption/compression other than the obvious way of not being able to see any readable strings?
Also, if I'm restricted to only using Hex Workshop to view the file (non-PC) and the file may be encrypted/compressed, is there any hope for reversing this file? Or would I need the code that actually created the file?
naides
January 19th, 2007, 00:07
Quote:
[Originally Posted by -MIPs-;63859] Are there any more ways to tell if a file is using encryption/compression other than the obvious way of not being able to see any readable strings?
This question is ambiguous. If you were talking about a Windows executable, PEiD and other tools like it may START to tell you part of the answer. A plug-in, KANAL, finds signatures that may suggest one of a few encryption algos.

Quote:
Also, if I'm being restricted to only using Hex Workshop to view the file (non-PC)
Now things are a little more touchy. If it is an executable, try disassembly with IDA; it may recognize at least some executable code necessary for auto-unpacking/decryption and tell you info about the compiler etc.

Quote:
and the file may be encrypted/compressed. Is there any hope for reversing this file?
If it is a data or overlay file, well, I do not know. Sounds tough.

Quote:
Or would I need the code that actually created the file?
The point of RCE is deciphering the file structure and function without the source code, but sometimes even having the code does not take you very far.

(Replies in blue.)
-MIPs-
January 19th, 2007, 01:05
Well, the source would still need some investigation because it's in MIPS assembly.
Thanks for the quick and informative reply. I'm gonna have to get my hands on IDA.
LLXX
January 19th, 2007, 04:07
It's hard to explain, but when data is compressed or encrypted, its entropy increases, and what you see is a different "texture" to it. It helps to use ASCII mode, as looking at hex bytes isn't as effective.
If you know what MIPS asm usually looks like, when you see compressed/encrypted sections you'll unconsciously notice the difference even though you cannot explain why.
fr33ke
January 19th, 2007, 04:47
Entropy can be checked by trying to compress it.
If the compressed file is almost as big as the source -> high entropy -> probably encrypted/compressed.
If the compressed file is a lot smaller -> low entropy -> not compressed, or no encryption, or crappy encryption (like single-byte XOR).
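A worked version of the compress-and-compare test from the post above, with a Shannon-entropy cross-check (this is an added example, not code posted in the thread). The sample blobs, the SHA-256 chain standing in for ciphertext, and the two thresholds are all constructed for the demo.

```python
"""Rule-of-thumb check: does a blob look compressed/encrypted? (added example)"""
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant blob, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """zlib output size / input size; at or above 1.0 means zlib found nothing to squeeze."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def classify(data: bytes, ratio_threshold: float = 0.9, entropy_threshold: float = 7.5) -> str:
    """fr33ke's test (compressed size ~ original size) plus an entropy sanity check.
    Thresholds are assumed values for the demo, not calibrated constants."""
    if compression_ratio(data) >= ratio_threshold and shannon_entropy(data) >= entropy_threshold:
        return "high entropy: probably compressed or encrypted"
    return "low entropy: plain, or weakly obfuscated (e.g. single-byte XOR)"


def pseudo_random_bytes(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic stand-in for ciphertext/compressed output (constructed SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: readable text, the same text under single-byte XOR, and "random" bytes.
PLAIN = b"MIPS firmware dump: the quick brown fox jumps over the lazy dog. " * 64
XORED = bytes(b ^ 0x5A for b in PLAIN)   # a byte substitution leaves the histogram shape unchanged
RANDOM = pseudo_random_bytes(len(PLAIN))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("xor", XORED), ("random", RANDOM)):
        print(f"{name:6s} H={shannon_entropy(blob):.2f} bits/byte "
              f"ratio={compression_ratio(blob):.3f} -> {classify(blob)}")
```

Single-byte XOR scores exactly the same entropy as the plaintext and still compresses well, which is why the post calls it "crappy encryption".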