Thread: Identifying Encryption/Compression

  1. #1
    -MIPs-
    Guest

    Identifying Encryption/Compression

    Are there any more ways to tell if a file is using Encryption/Compression other than the obvious way of not being able to see any readable strings?

    Also, if I'm being restricted to only using Hex Workshop to view the file (non PC) and the file may be encrypted/compressed, is there any hope for reversing this file? Or would I need the code that actually created the file?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quote Originally Posted by -MIPs-
    Are there any more ways to tell if a file is using Encryption/Compression other than the obvious way of not being able to see any readable strings?

    This question is ambiguous. If you were talking about a Windows executable, PEiD and other tools like it may START to tell you part of the answer. A plug-in, KANAL, finds signatures that may suggest one of a few encryption algos.

    Quote Originally Posted by -MIPs-
    Also, if I'm being restricted to only using Hex Workshop to view the file (non PC)

    Now things are a little more touchy. If it is an executable, try disassembly with IDA; it may recognize at least some executable code necessary for auto-unpacking/decryption and tell you info about the compiler etc.

    Quote Originally Posted by -MIPs-
    and the file may be encrypted/compressed. Is there any hope for reversing this file?

    If it is a data or overlay file, well, I do not know. Sounds tough.

    Quote Originally Posted by -MIPs-
    Or would I need the code that actually created the file?

    The point of RCE is deciphering the file structure and function without the source code, but sometimes even having the code does not take you very far.
    In blue

  3. #3
    -MIPs-
    Guest
    Well, the source would still need some investigation because it's in MIPS assembly.

    Thanks for the quick and informative reply. I'm gonna have to get my hands on IDA.

  4. #4
    It's hard to explain, but when data is compressed or encrypted, its entropy increases, and what you see is a different "texture" to it. It helps to use ASCII mode as looking at hex bytes isn't as effective.

    If you know what MIPS Asm usually looks like, when you see compressed/encrypted sections you'll unconsciously notice the difference even though you cannot explain why.

  5. #5
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    Entropy can be checked by trying to compress it.

    If the compressed file is almost as big as the source -> high entropy -> probably encrypted/compressed

    If the compressed file is a lot smaller -> low entropy -> not compressed or no encryption or crappy encryption (like single-byte XOR)
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section
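The two checks described in posts #4 and #5 (entropy as "texture", and compressibility as a proxy for entropy) can be scripted. The following is an added example written for this thread, not code posted by any of the participants; the sample buffers are constructed in the script, the random block stands in for compressed or encrypted data, and the thresholds in `assess` and `high_entropy_windows` are assumptions chosen for the example rather than established constants.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty/constant input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """Size of the zlib-compressed data divided by the original size.

    Near (or above) 1.0 means zlib found almost nothing to squeeze out,
    which is the "compressed file is almost as big as the source" case from post #5.
    """
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def assess(data: bytes, entropy_threshold: float = 7.0, ratio_threshold: float = 0.9) -> str:
    """Combine both measures into the thread's rule of thumb.

    Thresholds are assumptions for this example: 7.0 bits/byte and a 0.9 zlib ratio.
    """
    if shannon_entropy(data) > entropy_threshold and compression_ratio(data) > ratio_threshold:
        return "high"   # likely compressed or encrypted
    return "low"        # plaintext, code, or weak obfuscation such as single-byte XOR


def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 6.0) -> list:
    """Offsets of fixed-size, non-overlapping windows whose entropy exceeds the threshold.

    This is the programmatic version of the "different texture" post #4 describes:
    a compressed/encrypted blob embedded in otherwise readable data stands out.
    """
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) > threshold]


# --- constructed sample inputs (not real files) ---------------------------
SENTENCE = b"The quick brown fox jumps over the lazy dog. "
TEXT = (SENTENCE * 50)[:2048]                               # readable, repetitive: low entropy
_rng = random.Random(20240101)                               # seeded so results are reproducible
RANDOM = bytes(_rng.getrandbits(8) for _ in range(2048))    # stand-in for ciphertext/compressed data
XORED = bytes(b ^ 0x5A for b in TEXT)                       # "crappy encryption": single-byte XOR of TEXT
MIXED = TEXT + RANDOM + TEXT                                # high-entropy block embedded in readable data

if __name__ == "__main__":
    for name, blob in (("TEXT", TEXT), ("RANDOM", RANDOM), ("XORED", XORED)):
        print(f"{name:7s} entropy={shannon_entropy(blob):.2f} bits/byte "
              f"zlib ratio={compression_ratio(blob):.2f} -> {assess(blob)}")
    print("high-entropy windows in MIXED at offsets:", high_entropy_windows(MIXED))
```

The XOR case is the interesting one: XOR with a single key byte is a bijection on byte values, so the byte histogram is only relabelled and the entropy is unchanged, and because every repeated substring in the plaintext is still repeated in the output, zlib compresses it about as well as the original. That is exactly why post #5 lists single-byte XOR under "low entropy", and why a high zlib ratio is a stronger signal of real compression or encryption than the mere absence of readable strings.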
