echo: alt-comp-anti-virus
to: ALL
from: PAUL
date: 2019-06-05 16:15:00
subject: Re: Kaspersky Rescue Disk

Apd wrote:
> "Paul" wrote:
>> When you look at the klr.enc1 files, what's the first
>> thing you notice ? There's a couple of groups of 0xCF hex
>> bytes. "Real" encryption would have high entropy.
>> This smells funny...
>>
>>     CF CF CF CF CF CF CF CF CF CF CF CF
> 
> It smells like spaces!
> 
> XOR the base64 with 0xEF and you have plain text with a single
> linefeed terminating each line. It's an XML report. Here's a line from
> your second example, krdeicar.txt (wrapped for ease of reading):
> 
>  
>  Object="@Filesystem[65ba0377-31a7-52e4-8e5b-5415b3a73f12]/Downloads/EICARAntiVirusTestFile.com"
>  Info="EICAR-Test-File" />

Yup. Even when the problem switched from "encryption"
to "encoding", I still couldn't see it. And I've had
trouble spotting XOR() related patterns before too.
It's a disease.

*******

I tried to implement the function in gawk, but the conversion
from substr() to number insisted on doing the wrong thing when the
msb of a character is set. So I had to punt and use C instead.
For which, somebody already wrote our program for us. Just change
the XORBYTE constant, and it's ready to compile.

It required a little touch-up here and there though.

https://stackoverflow.com/questions/35734572/how-to-xor-a-file-buffer-in-c-and-output-to-a-new-file

#include <stdio.h>   /* fopen, getc, putc, fprintf */

/* gcc -o xorfile.exe xorfile.c */

/* Single-byte XOR key. The klr.enc1 reports use 0xEF; change this
   constant for a file that uses a different key. */
#define XORBYTE 0xEF

int main(int argc, char *argv[]) {
    FILE *fpi, *fpo;
    int c;

    if (argc != 3) {
        fprintf(stderr, "usage: xorfile input_file output_file\n");
        return -1;
    }

    if ((fpi = fopen(argv[1], "rb")) == NULL) {
        fprintf(stderr, "cannot open input file %s\n", argv[1]);
        return 1;
    }
    if ((fpo = fopen(argv[2], "wb")) == NULL) {
        fprintf(stderr, "cannot open output file %s\n", argv[2]);
        fclose(fpi);
        return 2;
    }

    /* XOR every byte of the input. An encoded LF (0x0a ^ XORBYTE) gets a CR
       written in front of it so the decoded text has CR LF line endings. */
    while ((c = getc(fpi)) != EOF) {
        if (c == (0x0a ^ XORBYTE)) putc(0x0d, fpo);  /* convert LF to CR LF */
        putc(c ^ XORBYTE, fpo);
    }
    fclose(fpi);
    fclose(fpo);

    return 0;
}

In MinGW, for example

    gcc -o xorfile.exe xorfile.c

    xorfile   report_2019.06.05_15.15.24.klr.enc1  readable.txt

Looks like this. At first, it had the squares in it, because
the line endings weren't the best. So I quickly bodged in
enough of a fix so you wouldn't need Wordpad to read it.


     (decoded XML report omitted: its tags did not survive in this copy of the post)


HTH,
     Paul



--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
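An added example, not from Paul's post or the StackOverflow program it adapts, that carries the thread's observation one step further: instead of hard-coding 0xEF, recover the single-byte key from the file itself, using the fact that the long runs of one byte (the 0xCF groups) are the indentation spaces of an XML report, so key = most common byte XOR 0x20. SAMPLE_REPORT below is constructed for the demonstration and is not a real Kaspersky report; guess_xor_key, longest_run_byte, xor_decode and demo_recover_key are names chosen here, and the "most common byte is a space" rule is an assumption that holds for indented text but not for arbitrary binary input.

```c
/* xorkey.c: added example, not from the original post. Recovers the
 * single-byte XOR key of a klr.enc1-style file from byte statistics,
 * then decodes and sanity-checks the result.
 * Build: gcc -o xorkey xorkey.c ; run with no arguments for the built-in
 * constructed sample, or with a file name to analyse a real file. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a decoded report (not a real Kaspersky file):
 * indentation makes 0x20 by far the most common byte, as in the real thing. */
static const char SAMPLE_REPORT[] =
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    "<Report>\n"
    "    <Events>\n"
    "        <Event Action=\"Detected\" Object=\"/Downloads/eicar.com\" Info=\"EICAR-Test-File\" />\n"
    "        <Event Action=\"Skipped\" Object=\"/Downloads/notes.txt\" />\n"
    "        <Event Action=\"Skipped\" Object=\"/Downloads/todo.txt\" />\n"
    "    </Events>\n"
    "</Report>\n";

#define KNOWN_KEY 0xEF  /* used only to encode the sample; recovery never reads it */

/* Byte value forming the longest run of identical bytes; *len gets the run
 * length. With key 0xEF the indentation spaces are exactly the 0xCF runs. */
int longest_run_byte(const unsigned char *buf, size_t n, size_t *len) {
    int best = -1;
    size_t best_len = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = (i > 0 && buf[i] == buf[i - 1]) ? cur + 1 : 1;
        if (cur > best_len) { best_len = cur; best = buf[i]; }
    }
    if (len) *len = best_len;
    return best;
}

/* Key guess (assumption): the most frequent ciphertext byte is an encoded
 * space (0x20). Returns -1 on empty input; ties go to the lowest byte value. */
int guess_xor_key(const unsigned char *buf, size_t n) {
    size_t hist[256] = {0};
    int best = 0;
    if (n == 0) return -1;
    for (size_t i = 0; i < n; i++) hist[buf[i]]++;
    for (int b = 1; b < 256; b++) if (hist[b] > hist[best]) best = b;
    return best ^ 0x20;
}

/* Decode in[0..n) into out with key. Returns how many output bytes are neither
 * printable nor whitespace: 0 for a text report decoded with the right key,
 * so a nonzero count means the guess is wrong. */
size_t xor_decode(const unsigned char *in, unsigned char *out, size_t n, unsigned char key) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = in[i] ^ key;
        if (!isprint(out[i]) && !isspace(out[i])) bad++;
    }
    return bad;
}

/* Round trip over the constructed sample: encode with KNOWN_KEY, recover the
 * key from the ciphertext alone, decode, compare. Returns the recovered key,
 * or -1 if recovery or the sanity check fails. */
int demo_recover_key(void) {
    size_t n = strlen(SAMPLE_REPORT);
    unsigned char *enc = malloc(n), *dec = malloc(n);
    int key = -1;
    if (enc && dec) {
        for (size_t i = 0; i < n; i++) enc[i] = (unsigned char)SAMPLE_REPORT[i] ^ KNOWN_KEY;
        key = guess_xor_key(enc, n);
        if (key < 0 || xor_decode(enc, dec, n, (unsigned char)key) != 0
                || memcmp(dec, SAMPLE_REPORT, n) != 0)
            key = -1;
    }
    free(enc);
    free(dec);
    return key;
}

int main(int argc, char *argv[]) {
    unsigned char *buf = NULL, *dec;
    size_t n = 0, cap = 0, run = 0;
    int c, key, run_byte;
    FILE *fp;

    if (argc != 2) {
        key = demo_recover_key();
        if (key < 0) { fputs("sample round trip failed\n", stderr); return 1; }
        printf("constructed sample: recovered key 0x%02X\n", key);
        return 0;
    }
    if ((fp = fopen(argv[1], "rb")) == NULL) { perror(argv[1]); return 1; }
    while ((c = getc(fp)) != EOF) {          /* slurp the whole file */
        if (n == cap) {
            cap = cap ? cap * 2 : 4096;
            unsigned char *grown = realloc(buf, cap);
            if (!grown) { free(buf); fclose(fp); return 1; }
            buf = grown;
        }
        buf[n++] = (unsigned char)c;
    }
    fclose(fp);
    if (n == 0) { fputs("empty file\n", stderr); free(buf); return 1; }

    run_byte = longest_run_byte(buf, n, &run);
    key = guess_xor_key(buf, n);
    printf("longest run: %lu x 0x%02X; most common byte ^ 0x20 gives key 0x%02X\n",
           (unsigned long)run, run_byte, key);
    if ((dec = malloc(n)) != NULL) {
        printf("non-printable bytes after decoding: %lu\n",
               (unsigned long)xor_decode(buf, dec, n, (unsigned char)key));
        free(dec);
    }
    free(buf);
    return 0;
}
```

On a real klr.enc1 the expected output is a long run of 0xCF, a recovered key of 0xEF and zero non-printable bytes; a nonzero count is the signal that the file is not plain single-byte XOR of text and the space heuristic does not apply.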

SOURCE: echomail via QWK@docsplace.org
