decrypting an unknown file type

March 5th, 2002, 11:52
This looked like a forum made just for this question. I want to be able to take a file that is "encrypted" and convert it to a readable format, then "reencrypt" it. I am working on a game by NovaLogic that encodes files using cbin format; that is, the first 4 letters in the files are cbin. I have an unencrypted template (it's just a text file) that I can edit, and the game will accept it and use it unencrypted. But I would like to be able to decrypt the files to read them, and even more important, I would like to reencrypt them. Anyway, that's the background. I need to know where I can find information on breaking new file formats.

March 5th, 2002, 16:33
Stream ciphers usually work by XORing the plaintext with a pseudo-random byte stream. This means that if you XOR the ciphertext with some byte, the decrypted plaintext will be XORed with the same byte.

How do the ciphertexts corresponding to similar plaintexts compare?

Unless you have to type in a password, the file could be called "obscured" or "obfuscated", since there's no secret information other than the algorithm.

Except for VERY simple ciphers, it's almost impossible to figure out the encryption just by looking at the plaintext and ciphertext. Set breakpoints on function calls and/or APIs that access the file. Then watch what happens to the buffer.

March 6th, 2002, 00:23
Actually, there is little correspondence between the template and the other file. I'm thinking that it may be some sort of compression\encryption: the encrypted file is 7k, the text is 12k. Also, there is a part where the encoded files are similar, at the beginning of the file.
Here are 2 sample headers:

43 42 49 4E 30 0C 00 00 E6 07 00 00 A2 00 00 00
CE 77 E1 01 1A 78 2E 7C 71 07 C2 77 EE 80 3C 17
BC 38 03 E1 BA F3 C0 1E 08 DF 9C 01 F7 5D F9 E0
0B 85 EF CE 02 78 2E 7C 75 07 C2 77 E2 80 3C 17
B8 38 03 E1 BA F3 C0 1E 0C DF 9C 01 F7 5D F9 E0

43 42 49 4E 70 13 00 00 43 09 00 00 BB 00 00 00
CE 77 E1 01 29 78 2E 7C 71 07 C2 77 EE 80 3C 17
BC 38 03 E1 BA F3 C0 1E 08 DF 9C 01 FC 5D F9 E0
0B 85 EF CE 02 78 2E 7C 75 07 C2 77 E2 80 3C 17
B8 38 03 E1 BA F3 C0 1E 0C DF 9C 01 F7 5D F9 E0

In many other places in the program, they use "]" (5D) to separate things, so I was thinking that the part before that could be some sort of "key" or important in some way.

Also, no password; the game decrypts the files on its own when it needs them.

I'll try using SI on it, but I am not good with that program. I can use it to make trainers and junk, but I never could get BPX to work right.

Thanks for the idea.

Also, any sites/tutorials on the subject would be good.
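
The byte-by-byte comparison asked for in the stream-cipher reply, run over the two headers posted above, as an added example that is not part of the original posts. Reading the 16 bytes after the start of the file as a magic plus three little-endian 32-bit values is a guess at the layout, and the last byte of each dump is taken as E0.

```python
import struct

# Hex dumps transcribed from the post above (the poster's data).
# Assumption: the final byte of each dump is hex E0, as in the
# otherwise identical row two lines above it.
SAMPLE_A = """43 42 49 4E 30 0C 00 00 E6 07 00 00 A2 00 00 00
CE 77 E1 01 1A 78 2E 7C 71 07 C2 77 EE 80 3C 17
BC 38 03 E1 BA F3 C0 1E 08 DF 9C 01 F7 5D F9 E0
0B 85 EF CE 02 78 2E 7C 75 07 C2 77 E2 80 3C 17
B8 38 03 E1 BA F3 C0 1E 0C DF 9C 01 F7 5D F9 E0"""
SAMPLE_B = """43 42 49 4E 70 13 00 00 43 09 00 00 BB 00 00 00
CE 77 E1 01 29 78 2E 7C 71 07 C2 77 EE 80 3C 17
BC 38 03 E1 BA F3 C0 1E 08 DF 9C 01 FC 5D F9 E0
0B 85 EF CE 02 78 2E 7C 75 07 C2 77 E2 80 3C 17
B8 38 03 E1 BA F3 C0 1E 0C DF 9C 01 F7 5D F9 E0"""


def parse_dump(text):
    """Turn a spaced, multi-line hex dump into bytes."""
    return bytes.fromhex("".join(text.split()))


def header_fields(data):
    """Read the first 16 bytes as a 4-byte magic plus three little-endian
    uint32 values (a guessed layout, not a documented format)."""
    return struct.unpack_from("<4sIII", data, 0)


def diff_offsets(a, b):
    """Offsets at which two equal-length dumps differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def lag_matches(data, start, lag):
    """Count bytes in data[start:start+lag] equal to the byte `lag` later."""
    return sum(data[i] == data[i + lag] for i in range(start, start + lag))


if __name__ == "__main__":
    a, b = parse_dump(SAMPLE_A), parse_dump(SAMPLE_B)
    for name, d in (("A", a), ("B", b)):
        magic, f1, f2, f3 = header_fields(d)
        print(name, magic, f1, f2, f3, "lag-32 matches:", lag_matches(d, 16, 32))
    for off in diff_offsets(a, b):
        print(f"offset {off:#04x}: {a[off]:02X} vs {b[off]:02X}, "
              f"xor {a[off] ^ b[off]:02X}")
```

After the first 16 bytes the two files differ at only two offsets, and within each file the 32 bytes starting at offset 16 mostly repeat in the next 32.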

March 8th, 2002, 14:41
Hey Dionysus, if you look at the two headers you can see that there are similar patterns, which makes me believe that the structure and layout of these files are similar. You said the program uses ] to separate things; could it be that it uses [ ], which will be used in INI files to identify sections and keys? Does it use the INI APIs for anything?
Try also bpx CreateFileA do "d *(esp+4)" and check to see when it opens these encoded files, and trace on from there. Also try ReadFile, etc.

Once you find where the game opens the file and starts reading from it, you should be able to locate how it decodes it pretty easily, since games normally don't hide these sorts of routines.