This topic was archived here:

https://web.archive.org/web/20230000000000fw_/https://www.zenhax.com/viewtopic.php?t=1757

crushedice2000, posted Wed Nov 11, 2015 12:26 pm (9606)

---

Hi! I've seen on Internet a C code to descramble a binary data file:

Code:

uint8_t descramble(uint8_t s) {
uint8_t a = (s   0xFF) & 0xFF;
uint8_t b = a ^ MAGIC;
uint8_t p := b & 0x7E | b >> 7 & 0x01 | b << 7 & 0x80;
return p; }

Can I do this on QuickBMS for a entire file (byte by byte)?

aluigi, posted Wed Nov 11, 2015 12:56 pm (9607)

---

Yes, complex math operations can be accomplished with the xmath command:

Code:

xmath a "(s   0xFF) & 0xFF"
xmath b "a ^ MAGIC"
xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"

Quickbms has also support for functions, but they don't return values.
They can be called as sort of inline where every variable changed in the function is visible also outside or as stand-alone (by default) where all the variables are restored when they finish.
In this case I think that the first type is perfect:

Code:

math s = 0x11223344
callfunction descramble 1
print "%p|x%"

startfunction descramble
  xmath a "(s   0xFF) & 0xFF"
  xmath b "a ^ MAGIC"
  xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
endfunction

crushedice2000, posted Wed Nov 11, 2015 1:45 pm (9609)

---

How can I descramble the entire file?

This

Code:

for
    get s BYTE
    xmath a "(s   0xFF) & 0xFF"
    xmath b "a ^ MAGIC"
    xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
    print "%p%"
next I

works well, but instead of printing the descrambled bytes in decimal, I want to parse again the descrambled file.

Example:

Code:

##  Descramble:
for
    get s BYTE
    xmath a "(s   0xFF) & 0xFF"
    xmath b "a ^ MAGIC"
    xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
    DoSomeMagicToAppend %p% ContentsIntoATemporalMemoryToReprocessAgain
next I
## Now parse the descrambled data:
for
    get TMP BYTE
    print "Value: %TMP%"
next I

aluigi, posted Wed Nov 11, 2015 3:02 pm (9616)

---

There are some ways to do that but those byte-per-byte operations are very slow in quickbms.
It has also an xmath encryption algorithm that allows to perform those types of operations in one line but that's not possible here because it's a 2-stage math operation.
The following is one of the ways to do the job with some comments:

Code:

get SIZE asize                      # size of the file
putvarchr MEMORY_FILE SIZE 0        # pre-allocation (unnecessary but it's faster)
log MEMORY_FILE 0 0                 # reset the memory file
for OFFSET = 0 < SIZE
    get s byte                      # read the byte
    xmath b "(s   0xFF) ^ MAGIC"
    xmath p "(b & 0x7E) | (b >> 7 & 0x01) | ((b << 7) & 0x80)"
    put p byte MEMORY_FILE          # write the byte in the memory file
next OFFSET
log "dump.dat" 0 SIZE MEMORY_FILE   # dump the memory file in dump.dat

An alternative way is to load the file in a memory file and using getvarchr/putvarchr for reading/writing the byte but doesn't change much.

crushedice2000, posted Fri Nov 13, 2015 2:27 pm (9669)

---

Thanks! However I'm traveling and I can't test it now.

I'll reply you later with my experience.