From what I've seen, only the header and some other specific file parts are encrypted, I also got the key from one of the files (which is 0x500 bytes long, btw. Basically XORs and then decreases, eight times, and then jumps to XOR a random value twice, then starts decreasing again...).
Not quite. All of the values follow a certain (quite obnoxious) pattern:
the numerals array can be calculated and doesn't actually need to be stored.
tick is basically a byte counter.
offset is always 4 but changes its sign every 20 bytes
key49Digits are the digits of the key that is returned when tick mod 10 = 4 to 9
Similarly, key0Digits and key1Digits are the digits of the hex numeral when tick mod 10 = 0 or 1,
key2 is what gets returned on 2 and 3.
The initial values are the seeds.
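Code:
    // Lookup for the high hex digit of the countdown key; can be calculated instead of stored.
    int[] numerals = {
        0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7
    };
    int tick = -1;                // byte counter, incremented before each key byte
    int offset = 4;               // sign is flipped every 20 bytes
    int[] key49Digits = {0, 14};  // {high, low} digits used when tick % 10 is 4 to 9
    int[] key0Digits = {4, 1};    // {high, low} digits used when tick % 10 is 0
    int[] key1Digits = {4, 5};    // {high, low} digits used when tick % 10 is 1
    int key2 = 0;                 // value returned when tick % 10 is 2 or 3

    int getNextKey() {
        byte key = 0;
        tick++;
        // When the countdown digit reaches 0, advance all high digits and restart it.
        if (key49Digits[1] == 0) {
            key49Digits[0] = (key49Digits[0] + 1) % 16;
            key0Digits[0] = (key0Digits[0] + 1) % 16;
            key1Digits[0] = (key1Digits[0] + 1) % 16;
            key49Digits[1] = 16;
        }
        key49Digits[1]--;  // the low digit counts down on every byte
        switch (tick % 10) {
            case 0:
                key0Digits[1] = (key0Digits[1] + 10) % 16;
                key = (byte) (key0Digits[0] * 16 + key0Digits[1]);
                break;
            case 1:
                key1Digits[1] = (key0Digits[1] + offset) % 16;
                if (tick % 20 == 1) {
                    offset = -offset;
                }
                key = (byte) (key1Digits[0] * 16 + key1Digits[1]);
                break;
            case 2:
                key2 = numerals[key49Digits[0]] * 16 + key49Digits[1];
                // falls through: the value latched here is returned for 2 and 3
            case 3:
                key = (byte) key2;
                break;
            default:  // tick % 10 is 4 to 9
                key = (byte) (numerals[key49Digits[0]] * 16 + key49Digits[1]);
        }
        return key;
    }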
Basically, the value that counts down always does so and in a certain pattern and on certain values of it, the other, seemingly random values, are changed.
As I mentioned, this works fine on the encrypted parts of vs01000000.rev, but produces minor mistakes on other files (maybe because there're some corner cases I'm ignoring).
(Alternatively, it's possible that I found a pattern where there is none, hell yeah!)
Also, are you sure that what you've got is actually the key? The algorithm will repeat values eventually, and if the desired value is 0, the file will contain a small part of the correct key, but certainly not all of it. (basically, what's used there is that for every integer a, a xor a equals 0)
Where did you get it anyway?
Here's another rev file as well as what my alg made of its first few KB:
http://forte.spacequadrat.de/upload/more_rev_stuff.rar
I guess I'll look for more decrypted stuff in the memory sometime.
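
Added example, not part of the original post: a Python port of the getNextKey() routine above, used to check the model against a file region whose plaintext is known to be all zero, where the stored bytes are the key bytes themselves (a xor 0 = a). Mismatches are grouped by tick mod 10 to show which branch of the switch is off; the function names and the sample data are constructed for illustration.

```python
from collections import Counter

NUMERALS = [0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7]

def keystream(n):
    """Port of getNextKey() from the post; returns the first n key bytes."""
    tick, offset, key2 = -1, 4, 0
    k49, k0, k1 = [0, 14], [4, 1], [4, 5]   # seeds as given in the post
    out = []
    for _ in range(n):
        tick += 1
        if k49[1] == 0:                      # countdown digit wrapped
            k49[0] = (k49[0] + 1) % 16
            k0[0] = (k0[0] + 1) % 16
            k1[0] = (k1[0] + 1) % 16
            k49[1] = 16
        k49[1] -= 1
        branch = tick % 10
        if branch == 0:
            k0[1] = (k0[1] + 10) % 16
            key = k0[0] * 16 + k0[1]
        elif branch == 1:
            k1[1] = (k0[1] + offset) % 16
            if tick % 20 == 1:
                offset = -offset
            key = k1[0] * 16 + k1[1]
        elif branch in (2, 3):
            if branch == 2:                  # latched on 2, reused on 3
                key2 = NUMERALS[k49[0]] * 16 + k49[1]
            key = key2
        else:                                # branch 4 to 9
            key = NUMERALS[k49[0]] * 16 + k49[1]
        out.append(key & 0xFF)
    return bytes(out)

def mismatches_by_branch(zero_region, start_tick=0):
    """zero_region: stored bytes whose plaintext is known to be all zero.
    Returns (ticks where the model disagrees, count per tick % 10)."""
    predicted = keystream(start_tick + len(zero_region))[start_tick:]
    bad = [start_tick + i
           for i, (c, p) in enumerate(zip(zero_region, predicted)) if c != p]
    return bad, Counter(t % 10 for t in bad)

# Constructed sample: the model's own output with two bytes altered by hand,
# standing in for a real zero-filled region where the model is slightly off.
sample = bytearray(keystream(64))
sample[21] ^= 0x10
sample[41] ^= 0x10
```

If every mismatch lands in a single tick mod 10 bucket, the branch for that residue is the place to look for a missed corner case.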