Home > Others

Winhex data recovery before add and XOR

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

FirstADDagainXORthe recovery

recently, there have been netizens QQ ask me, with Winhex Modify the data, first ADD operation, and then XOR operation, so how can the modified (encrypted) data be restored (restored)?

This seems to be the subject of secondary (or higher) students participating in the national data Recovery competition. I tried to do it, and here's the process:

First, you create an experiment named Doc document ", such as:

with Winhex Open the file, select all the bytes, and do the following:

Add 23H First , then XOR 32H(these two values are optional). such as:

The data after this operation is as follows:

The data has been encrypted.

The following begins to recover data:

idea: First put the file header of the compound document 0x d0cf11e0a1b11ae1 as a keyword, and the value of the post-encryption keyword offset position is 0x c1c00631f6e60f36 .

the current value of the known keyword is preceded by the keywordADDa value againXORa numerical value, in theory the reverse operation (firstXORagainADD), two times by Byte (ADDand theXOR), and a single byte can represent the maximum thenumber of values (xx HtoFF H), then using the exhaustive method, you need to calculate the maximum thethe square= 65536time to do it.

if the file header is obtained after the inverse operation 0x d0cf11e0a1b11ae1 , then you can get these two operations ( ADD and the XOR ) is a numeric value.

Some might ask, ADD The result of the operation, to use subtraction to restore the line ah. In fact, minus a number equals a minus, so it's understandable. Oh.

Obviously, this order of magnitude is too slow to work by hand, so you need to write Winhex scripts or small programs to complete the calculation. such as:

The computational efficiency of the program is much higher, and soon the results come out.  As you can see, two sets of values were found in reverse calculations:1. + H and the DD H ; 2. B2 H and 5D H .

by verifying that both sets of values can restore the original data. So why are there two groups? You can think about it and don't say it in detail here.

Well, these are my thoughts and methods of recovery. Good bye!


2018. 2. 22

Winhex data recovery before add and XOR

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More