Log inRegister an accountBrowse CSDbHelp & documentationFacts & StatisticsThe forumsAvailable RSS-feeds on CSDbSupport CSDb Commodore 64 Scene Database
You are not logged in - nap
CSDb User Forums


Forums > C64 Coding > EOR file coders
2008-02-22 04:42
The Shadow

Registered: Oct 2007
Posts: 304
EOR file coders

Someone once told me that it is impossible to open a file which was coded with an EOR coder. With todays machines, is there any conceivable way that an EOR coded file can be placed into a PC and descrambled?
2008-02-22 04:47
Ymgve

Registered: May 2002
Posts: 84
Could you explain a bit more what an EOR coded file is, or provide examples? Unless it's some strange form of one-time-pad, you should be able to analyze and possibly decrypt the data (And I'd gladly help you out just for the challenge of it).
2008-02-22 05:11
Ymgve

Registered: May 2002
Posts: 84
After some quick digging I've found one tool that does EOR (EOR Maker V1.0), and also it seems like Turbo Assembler has support for EORing source files. In both cases only a single byte is used as the EOR value, so even brute forcing should be easy to do.
2008-02-22 07:00
Marauder/GSS
Account closed

Registered: Jul 2006
Posts: 224
If you just pack your files with a simple RLE-packer, it's still possible to change bytes in the file, so a lamer still could alter text in the file - like it was done in some releases *g*
That's the reason why I have put a EOR-code into some of my old crunchers, like Marauder Cruncher-Coder-Linker V2.0
Ofcoz breaking a file EORed with a single value is very easy... (c;

If you use more EOR values it's ofcoz "harder" to break, but still possible to do if you find/know the decrypt-routine, hehe
2008-02-22 07:37
AlexC

Registered: Jan 2008
Posts: 299
If you consider EOR loops in some protection software than most of code I've seen is based on 1 byte value (key to be correct with cryptography theory) so bruteforcing it is not a problem but usually finding the key by analyzing loader is also easy.

Another case is when you have just data file without any decryption code. If the encryption key is the same length as input file than it is not possible to decrypt it. However most c64 tools I've seen either were based on 1 byte key or key based on user input (password) with limited length. This means that you can use trivial attacks to decrypt file and recover key.

2008-02-22 07:37
Zyron

Registered: Jan 2002
Posts: 2381
tlr made De-Coder that can decode files protected by some programs.
2008-02-22 07:44
Marauder/GSS
Account closed

Registered: Jul 2006
Posts: 224
if you know/have some bytes of the original (decrypted) content, then I guess you could find out the keys... if you don't know I think it's hard to find out if the key uses more than one value...

*edit: last question was a silly one...*LOL* where's that black 'n hot brew... coffeeeeee (c;

does that 'Vigenère variants' work also on non-alphabetic text ? I guess so, then it's maybe possible to do...
2008-02-22 08:50
Quetzal

Registered: Jul 2002
Posts: 71
EOR encoded with a single byte would be no problem to break, encoded with a password gets tougher, but still very possible.
One game preview I cracked was encrypted with a password, which from memory was "GLORIOUS", but the programmer made a silly mistake in crunching both the viewable first part and the encrypted game with the same cruncher. Made my job so much easier having that known bit of data to work from.
2008-02-22 19:38
The Shadow

Registered: Oct 2007
Posts: 304
The good file coders I remember use an 8 byte system (The length of the password). If say someone were to 8 byte EOR code a file and remove the decoder, is there any possible way that a PC could crack it?
2008-02-22 19:52
tlr

Registered: Sep 2003
Posts: 1790
Quote: The good file coders I remember use an 8 byte system (The length of the password). If say someone were to 8 byte EOR code a file and remove the decoder, is there any possible way that a PC could crack it?

Yes, probably. Especially if the file is in the normal ordering except for EOR:ing with a sequence of 8 bytes repeated.

De-Coder cracks those by assuming certain statistics of a particular byte value occuring.
I calculated those statistics from several thousands of files.
The length of the key is determined by an incidence check.
Key finding takes only ~15 seconds on a c64. :)

The algorithm used by J-Coder V1.0 and Encoder V1.0 is harder to break. It only does substitution per byte but in a fairly complex way.
Maybe someone with more insight into crypt analysis can break it?

@Marauder: yes, non alphabetic text works too. There is a disc of examples in the release you can try. A few have ctrl-chars in the password.
2008-02-22 21:16
AlexC

Registered: Jan 2008
Posts: 299
Quote: The good file coders I remember use an 8 byte system (The length of the password). If say someone were to 8 byte EOR code a file and remove the decoder, is there any possible way that a PC could crack it?

This is actually one of most basic and simple attacks on ciphers. Take a look here for some info: http://en.wikipedia.org/wiki/XOR_cipher
2008-02-22 21:29
tlr

Registered: Sep 2003
Posts: 1790
Quote: This is actually one of most basic and simple attacks on ciphers. Take a look here for some info: http://en.wikipedia.org/wiki/XOR_cipher

Knowing the length of the key helps a bit.
As the data is byte oriented it's probably easiest to treat this as a Vigenère of length 8.
You then solve this as 8 independent XOR-ciphers starting at bytes 0-7, with the spacing of 8 bytes between each value.
2008-02-22 22:45
The Shadow

Registered: Oct 2007
Posts: 304
Is there any known technique of scrambling which would be impossible to break?
2008-02-22 23:34
Quetzal

Registered: Jul 2002
Posts: 71
Quote: Is there any known technique of scrambling which would be impossible to break?

I've toyed with the idea of converting to 6502 the 6805 version of Twofish found here: http://www.schneier.com/twofish-download.html
This would be more along the lines of what you are seeking, and AFAIK it is still an unbreakable cipher.
2008-02-23 02:27
Ymgve

Registered: May 2002
Posts: 84
The strength of the encryption relies of the length of the keyword, but also on the algorithm if the plaintext is guessable. Especially XOR/EOR algorithms are vulnerable to a known plaintext attack - if you know the final program is getting allocated to 0801, there's a pretty big chance the first bytes will contain the BASIC line for SYS [some number]. Which increases the chance of recovering the key exponentially.
2008-02-23 08:38
tlr

Registered: Sep 2003
Posts: 1790
Quote: The strength of the encryption relies of the length of the keyword, but also on the algorithm if the plaintext is guessable. Especially XOR/EOR algorithms are vulnerable to a known plaintext attack - if you know the final program is getting allocated to 0801, there's a pretty big chance the first bytes will contain the BASIC line for SYS [some number]. Which increases the chance of recovering the key exponentially.

I built individual statistics for the SYS line in my first attempts but it turned out too short to make useful statistics.
If you are using some kind of heuristics (or manual work) it can probably be useful.

What I do is analyze the statistics of the first and last 512 bytes of the file.
This was chosen on the assumption that one of those will contain a chunk of 6502 code. (usually a decruncher)
This turned out quite effective!
Adding special handling of the SYS line doesn't seem to gain enough to make it worth it.
2008-02-24 13:37
tlr

Registered: Sep 2003
Posts: 1790
I got inspired and hacked this up yesterday: Crack me!

Try to find the password. :)

2008-02-24 17:27
Ymgve

Registered: May 2002
Posts: 84
Got it :) I wonder if this is the first time that algorithm has been done on the C64.
2008-02-24 17:39
tlr

Registered: Sep 2003
Posts: 1790
I would think that this is the first, but you never know... :)
2008-02-25 07:58
AlexC

Registered: Jan 2008
Posts: 299
Quote: I would think that this is the first, but you never know... :)


I didn't have time to really look at it but peeking at decryption loop I can confirm that I've never seen it on c64 - at least not in protection code.
2008-02-25 12:22
tlr

Registered: Sep 2003
Posts: 1790
I posted the answer now.
The encryption algorithm implemented is AES-128 (ECB).
2008-02-26 22:18
AlexC

Registered: Jan 2008
Posts: 299
Quote: I posted the answer now.
The encryption algorithm implemented is AES-128 (ECB).


Damn! I whish I had more time to really take a look at it before you posted the answer. Great challenge BTW :D
2008-02-27 02:42
Quetzal

Registered: Jul 2002
Posts: 71
It seems that there are a number of us who enjoy this sort of challenge, so what I'm wondering is this: Are there any old encrypted productions that still have not had their protection broken yet? And if you know of one, post the link here so it can be seen to.
2008-02-29 18:19
AlexC

Registered: Jan 2008
Posts: 299
Quote: It seems that there are a number of us who enjoy this sort of challenge, so what I'm wondering is this: Are there any old encrypted productions that still have not had their protection broken yet? And if you know of one, post the link here so it can be seen to.


I don't think there is much left to crack - this why new releases are more fixes and crunchning, unless somebody will code a new challenge.
2008-02-29 21:05
tlr

Registered: Sep 2003
Posts: 1790
Quote: I don't think there is much left to crack - this why new releases are more fixes and crunchning, unless somebody will code a new challenge.

Something tells me you can expect one tomorrow... ;)
2008-02-29 22:42
AlexC

Registered: Jan 2008
Posts: 299
Quote: Something tells me you can expect one tomorrow... ;)

Cool - I'm working right now on something different - not encryption based code to crack but some protection based on different tricks.
2008-03-01 13:30
Ymgve

Registered: May 2002
Posts: 84
Shame on you, tlr - you uploaded Crack me too! and didn't post it here :)
2008-03-01 18:15
Ymgve

Registered: May 2002
Posts: 84
nevermind
2008-03-02 18:59
tlr

Registered: Sep 2003
Posts: 1790
Only Ymgve has cracked it.
Are you really going to let him be the only one? ;)
2008-03-03 12:20
enthusi

Registered: May 2004
Posts: 677
dunno if anyone cares.
Well 1 byte EOR arent all too protective for obvious reasons.
A key the size of the data is well-known and some moron is selling it on teh net :)
And any EOR coding is simple to decypher (as in finding the key) if you know part of the original content OR have a non-RLE file and i.e. rows of equal sequences.
Those are likely to have been 00,00,00 etc and will contain the key in RAW format! So EOR only makes real sense when combined with other stuff somehow. I.e. (x-)tea or so.
Ask Hanno :)
2008-03-03 16:18
MagerValp

Registered: Dec 2001
Posts: 1078
As I tried cracking instead of guessing this time, I imported it into my 6502 emulator, and chewed through $212121 to $5f5f5f looking for $08 at $0802 and $9e at $0805 (i.e. your average basic sys line). No love :(
2008-03-03 18:46
tlr

Registered: Sep 2003
Posts: 1790
Quote: As I tried cracking instead of guessing this time, I imported it into my 6502 emulator, and chewed through $212121 to $5f5f5f looking for $08 at $0802 and $9e at $0805 (i.e. your average basic sys line). No love :(


Good work but it needs a little more effort to bring love. :)
Added a hint here: Crack me too!
2008-03-04 13:35
MagerValp

Registered: Dec 2001
Posts: 1078
OK, so I expanded the search to emu_mem[0x0802] == 0x08, 6 <= emu_mem[0x0801] <= 86, emu_mem[(0x0800 | emu_mem[0x0801]) - 1] == 0, aka a proper basic line. Still no love :/

I need to verify that my emu produces the same output as vice.

I wish I had more time to work on this...
2008-03-04 15:47
Ymgve

Registered: May 2002
Posts: 84
Just a small hint: The decryption code sets $0800 to zero, so what that address decrypts to is irrelevant.
2008-03-04 15:57
JackAsser

Registered: Jun 2002
Posts: 2014
Quote: As I tried cracking instead of guessing this time, I imported it into my 6502 emulator, and chewed through $212121 to $5f5f5f looking for $08 at $0802 and $9e at $0805 (i.e. your average basic sys line). No love :(


Cracking vs. Guessing philosophy. Isn't this just automated guessing? :D
2008-03-04 19:03
tlr

Registered: Sep 2003
Posts: 1790
Quote: OK, so I expanded the search to emu_mem[0x0802] == 0x08, 6 <= emu_mem[0x0801] <= 86, emu_mem[(0x0800 | emu_mem[0x0801]) - 1] == 0, aka a proper basic line. Still no love :/

I need to verify that my emu produces the same output as vice.

I wish I had more time to work on this...


Added another hint: Crack me too!

And when you solve it, it does bring some love! :)
Ymgve knows the secret. ;)
2008-03-04 19:09
Quetzal

Registered: Jul 2002
Posts: 71
Been working along similar lines to Magervalp, and as he says, no love. Using VICE have scanned all possible password combinations ranging from #$202020 to #$5f5f5f, checking for results where $0801 is equal to #$08. Now I've come to conclude the following possibilities in order from least to most likely.
A) The BASIC line is very non-standard and $0801 is something other than #$08.
B) I need to expand the range of my search.
or
C) My password scanning program completely sucks.

[EDIT] Wrote the above before I saw the latest hint, looks like I may need to re-think which is most likely. :)

2008-03-04 19:22
Oswald

Registered: Apr 2002
Posts: 5094
wouldnt it be faster to crack it instead of guessing?
2008-03-04 19:45
Quetzal

Registered: Jul 2002
Posts: 71
Another edit, I really was checking $0802, not $0801. It's early morning here...
Oswald: To me it seems that in the case of strong encryption like this, but with a relatively weak password that the brute force approach would be the fastest (and most likely the only) way to get results. Provided that is you know something that will be in the resulting decrypted code, which appears to be the problem I'm having now.
2008-03-04 20:47
JackAsser

Registered: Jun 2002
Posts: 2014
Quote: Another edit, I really was checking $0802, not $0801. It's early morning here...
Oswald: To me it seems that in the case of strong encryption like this, but with a relatively weak password that the brute force approach would be the fastest (and most likely the only) way to get results. Provided that is you know something that will be in the resulting decrypted code, which appears to be the problem I'm having now.


Not that I've checked this thoroughly but wouldn't it be smarter to try to exploit the bad-key check as a comparator for knowing if you got correct data or not in the brute force scan?
2008-03-04 20:59
MagerValp

Registered: Dec 2001
Posts: 1078
Quote: Not that I've checked this thoroughly but wouldn't it be smarter to try to exploit the bad-key check as a comparator for knowing if you got correct data or not in the brute force scan?

The bad key check is implemented properly, so it doesn't confirm or deny :) It's a timer IRQ that fires if the program crashes. I assume that the decrypted program disables the IRQ on startup.

TLR: munged basic? Truly evil. That makes it hard to write a function that decides if the decryption worked - I guess I have to execute the code and see if it disables the IRQ, but that means adding a lot more stuff to my barebones emulator...
2008-03-05 18:57
tlr

Registered: Sep 2003
Posts: 1790
Added todays hint: Crack me too!

@MagerValp: I didn't know code could be evil... ;)
2008-03-05 20:53
MagerValp

Registered: Dec 2001
Posts: 1078
Sadly I haven't had time to work on it. I confirmed that my emulator produces the same output as VICE though, which is good.
2008-03-06 20:35
tlr

Registered: Sep 2003
Posts: 1790
Added another hint...
2008-03-09 08:17
tlr

Registered: Sep 2003
Posts: 1790
I guess most gave up on this so I'm giving the pw this evening unless someone says they are still trying. :)

It's apparent that Ymgve chose a really good strategy for cracking it!
When I got the correct answer reported only 5 hours after release I thought I might had accidentally made the challenge way too easy. ;)
2008-03-09 18:39
tlr

Registered: Sep 2003
Posts: 1790
Posted the answer: Crack me too!
2008-03-10 00:46
Quetzal

Registered: Jul 2002
Posts: 71
Tried brute force attack myself and failed, since searching for #$08 at $0802 gave far too many results to sort through (have just confirmed "2,4" was in my list of results, damn!). Also tried looking for POKE565xx in the decrypted code (for disabling CIA timer), but TLR cleverly hid that, as I suspected when no results were found.
I'll be interested to hear a report from Ymgve as to what his method of attack was.
2008-03-10 05:18
Ymgve

Registered: May 2002
Posts: 84
I actually found it by doing a bit of statistics. One of my ideas was to count the number of digit characters in the first 128 bytes, and then the "2,4" combination showed up with 45 out of 128 bytes being digits.
2008-03-10 09:50
MagerValp

Registered: Dec 2001
Posts: 1078
Nice work Ymgve!

My next step would have been code execution and a breakpoint on the basic SYS command and the error routine, but I didn't have the time to implement it. Would it have worked?
2008-03-10 15:20
Ymgve

Registered: May 2002
Posts: 84
Yeah, detecting changes to the error routine should work. He never actually uses a SYS command. He POKEs a small program into memory, hooks the error message vector, then executes a syntax error. There's also no numbers larger than 3 digits, all addresses are created through obfuscated math.
2008-03-10 17:05
MagerValp

Registered: Dec 2001
Posts: 1078
Nasty! :)
2008-03-10 19:51
tlr

Registered: Sep 2003
Posts: 1790
Quote: Nasty! :)


Thanks. :)

I've added the decrypted payload data for people to check out:
http://noname.c64.org/csdb/getinternalfile.php/55441/payload.prg

One attack vector I thought would be usable was statistics in some form. 6502 instruction statistics for instance.
I tried to make the basic stub hard to identify but the Ymgves digit statistics was a very clever idea... :)
2008-03-13 23:12
Burglar

Registered: Dec 2004
Posts: 1101
I wonder...

Seems the only successful cracks were done using statistics, but what if you make the final correct result look like complete garbage (somewhat even distribution of bytes), wouldn't that be a bitch to crack?
2008-03-14 03:30
The Shadow

Registered: Oct 2007
Posts: 304
Excellent idea!
2008-03-14 08:54
Mace

Registered: May 2002
Posts: 1799
I don't see the use of that.
Part of hacking is getting access to useful data.
It's more than finding the code alone.

What could be a nice solution in between is if the decoded data is raw crunched data that needs to be decrunched.
You can at least test if the data is correct, but you won't find it directly after finding the right code.
2008-03-14 12:43
Frantic

Registered: Mar 2003
Posts: 1648
I am not sure, but I think Burglar didn't seriously suggest that someone make a garbage sequence of bytes hard to crack, but rather than if you for example add series of trash bytes in between wellformed parts of code/data (and then pack it or so) to skew the statistical distribution in various ways, then this might be much harder to crack.

...or perhaps it was my turn to misunderstand now. :)
2008-03-14 13:08
Burglar

Registered: Dec 2004
Posts: 1101
Quote: I am not sure, but I think Burglar didn't seriously suggest that someone make a garbage sequence of bytes hard to crack, but rather than if you for example add series of trash bytes in between wellformed parts of code/data (and then pack it or so) to skew the statistical distribution in various ways, then this might be much harder to crack.

...or perhaps it was my turn to misunderstand now. :)


frantic, you understood it perfectly well ;)
2008-03-14 13:19
Mace

Registered: May 2002
Posts: 1799
Aaaah, ok, now I understand too :)
2008-03-14 19:49
tlr

Registered: Sep 2003
Posts: 1790
Quote: I am not sure, but I think Burglar didn't seriously suggest that someone make a garbage sequence of bytes hard to crack, but rather than if you for example add series of trash bytes in between wellformed parts of code/data (and then pack it or so) to skew the statistical distribution in various ways, then this might be much harder to crack.

...or perhaps it was my turn to misunderstand now. :)


That's the reason I only RLE packed the payload. Otherwise it might have gotten too hard.
As with all obfuscation exercises I left a wide hole somewhere else though, i.e leaving a rather large amount of digits in the basic stub.

A really hard challenge would use a full length password on a packed payload.

If you use a suitable chained cipher mode and shuffle the data (e.g start in the middle and wrap) it will be very hard to identify the plain text without decoding a lot of the data.
RefreshSubscribe to this thread:

You need to be logged in to post in the forum.

Search the forum:
Search   for   in  
All times are CET.
Search CSDb
Advanced
Users Online
psenough
iceout/Avatar/HF
sln.pixelrat
Guests online: 121
Top Demos
1 Next Level  (9.7)
2 13:37  (9.7)
3 Mojo  (9.7)
4 Coma Light 13  (9.6)
5 Edge of Disgrace  (9.6)
6 What Is The Matrix 2  (9.6)
7 The Demo Coder  (9.6)
8 Uncensored  (9.6)
9 Comaland 100%  (9.6)
10 Wonderland XIV  (9.6)
Top onefile Demos
1 No Listen  (9.6)
2 Layers  (9.6)
3 Cubic Dream  (9.6)
4 Party Elk 2  (9.6)
5 Copper Booze  (9.6)
6 X-Mas Demo 2024  (9.5)
7 Dawnfall V1.1  (9.5)
8 Rainbow Connection  (9.5)
9 Onscreen 5k  (9.5)
10 Morph  (9.5)
Top Groups
1 Performers  (9.3)
2 Booze Design  (9.3)
3 Oxyron  (9.3)
4 Censor Design  (9.3)
5 Triad  (9.3)
Top Fullscreen Graphicians
1 Joe  (9.7)
2 Sulevi  (9.6)
3 The Sarge  (9.6)
4 Veto  (9.6)
5 Facet  (9.6)

Home - Disclaimer
Copyright © No Name 2001-2024
Page generated in: 0.202 sec.