From: Paul <nospam@needed.invalid>
Apd wrote:
> "Paul" wrote:
>> When you look at the klr.enc1 files, what's the first
>> thing you notice ? There's a couple of groups of 0xCF hex
>> bytes. "Real" encryption would have high entropy.
>> This smells funny...
>>
>> CF CF CF CF CF CF CF CF CF CF CF CF
>
> It smells like spaces!
>
> XOR the base64 with 0xEF and you have plain text with a single
> linefeed terminating each line. It's an XML report. Here's a line from
> your second example, krdeicar.txt (wrapped for ease of reading):
>
> <Event1 Action="Detect" Time="132042218823887019"
>
Object="@Filesystem[65ba0377-31a7-52e4-8e5b-5415b3a73f12]/Downloads/EICARAntiVi
rusTestFile.com"
> Info="EICAR-Test-File" />
Yup. Even when the problem switched from "encryption"
to "encoding", I still couldn't see it. And I've had
trouble spotting XOR() related patterns before too.
It's a disease.
*******
I tried to implement the function in gawk, but the conversion
from substr() to number insisted on doing the wrong thing when the
msb of a character is set. So I had to punt and use C instead.
For which, somebody already wrote our program for us. Just change
the XORBYTE constant, and it's ready to compile.
It required a little touch-up here and there though.
https://stackoverflow.com/questions/35734572/...
output-to-a-new-file
#include <stdio.h>
#include <string.h>
#include <errno.h>
/* gcc -o xorfile.exe xorfile.c */
int main(int argc, char *argv[]) {
FILE *fpi, *fpo;
int c;
if (argc != 3) {
fprintf(stderr, "usage: xorfile input_file output_file\n" ;
return -1 ;
}
if ((fpi = fopen(argv[1], "rb") == NULL) {
fprintf(stderr,"cannot open input file %s\n", argv[1]);
return 1;
}
if ((fpo = fopen(argv[2], "wb") == NULL) {
fprintf(stderr,"cannot open output file %s\n", argv[2]);
fclose(fpi);
return 2;
}
while ( (c = getc(fpi)) != EOF ) {
if (c == (0x0a ^ 0xEF)) putc( 0x0d, fpo ); /* convert LF to CR LF */
putc(c ^ 0xEF, fpo);
}
fclose(fpi);
fclose(fpo);
return 0;
}
In MinGW, for example
gcc -o xorfile.exe xorfile.c
xorfile report_2019.06.05_15.15.24.klr.enc1 readable.txt
Looks like this. At first, it had the squares in it, because
the line endings weren't the best. So I quickly bodged in
enough of a fix so you wouldn't need Wordpad to read it.
<Report>
<Metadata Version="1" PCID="{B47CF509-3A3B-3F43-B782-9C05D74106FD}"
LastModification="2019.06.05 15:37:17.135" />
<EventBlocks>
<Block0 Type="Scan" Processed="18204" Found="1" Neutralized="0">
<Event0 Action="Scan" Time="132042217819347678" Object=""
Info="Started" />
<Event1 Action="Detect" Time="132042218823887019"
Object="@Filesystem[65ba0377-31a7-52e4-8e5b-5415b3a73f12]/Downloads/EICARAntiVi
rusTestFile.com" Info="EICAR-Test-File" />
<Event2 Action="Scan" Time="132042226096655583" Object=""
Info="Finished" />
<Event3 Action="Select action" Time="132042226311598366"
Object="@Filesystem[65ba0377-31a7-52e4-8e5b-5415b3a73f12]/Downloads/EICARAntiVi
rusTestFile.com" Info="Quarantine" />
<Event4 Action="Disinfection" Time="132042226311607367" Object=""
Info="Started" />
<Event5 Action="Quarantined" Time="132042226311647998"
Object="@Filesystem[65ba0377-31a7-52e4-8e5b-5415b3a73f12]/Downloads/EICARAntiVi
rusTestFile.com" Info="" />
<Event6 Action="Disinfection" Time="132042226311706514" Object=""
Info="Finished" />
</Block0>
</EventBlocks>
</Report>
HTH,
Paul
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
|
[GNG] Gated, Filtered alt.comp.a... 
