XOR is a simple and efficient encryption method that is used frequently.
Recently I have been studying XOR encryption and decryption of text. (The XOR key stays the same throughout the encryption: every byte is XORed with the same single byte.)
Let me lay out the idea; additions are welcome.
The ciphertext considered here has these properties:
1. The plaintext is an English article whose length is greater than some threshold H. (The longer the text, the easier it is to decrypt.)
2. The encryption is a simple single-byte XOR. The XOR key can be any value from 00H to FFH.
My idea is as follows:
How can I determine whether a string is an unencrypted English document?
My method is as follows:
1. The vast majority of bytes lie in the range 20H-7FH (printable ASCII).
2. A few bytes lie in the range 00H-1FH, but no more than 5 distinct values,
for example 0D0A for a line break and 09 for TAB.
3. The counts of 0AH and 0DH are equal (normal articles only use 0D0A line breaks).
4. Other methods, for example common words or letter frequencies (the letter e occurs with high probability).
How can I determine whether an article has been encrypted with a single-byte XOR (the same key for every byte)? My method is as follows:
1. Count the number of distinct byte values that occur (Hex_sum: how many of the values 00H-FFH appear at least once). If this number is too large, it is basically not XOR-encrypted English text. This count is unchanged by XOR encryption, because XOR with a fixed key is a one-to-one mapping of byte values. Here I set the threshold to 70H.
2. (Very important) Locate the line break, that is, the two byte values that 0DH and 0AH were mapped to.
The counts of these two values are equal, and they are not rare. In an article with many distinct byte values, it is unlikely that two other values have exactly equal counts.
3. The two values are close to each other: after XOR encryption they still differ by between 1 and 7, because 0DH XOR 0AH = 07H, so the two ciphertext bytes differ only in their low three bits.
4. Most of the byte values near these two are unused. Concretely: take the block of 32 values starting at (value AND E0H); among these 32 values no more than five occur in the data. (This block is the image of the plaintext range 00H-1FH, where an article has only a handful of control characters.)
5. Normal files contain line breaks, so this pair is always present.
Our method is therefore to find these two values in the ciphertext and XOR until they become 0D 0A. (If you do not know the key, XOR the ciphertext with one of the two values and then XOR with 0A; in other words, the key is that value XOR 0AH.)
Is that all? Not quite. If the original 0D is now 0A and the original 0A is now 0D, the decryption is off: every byte has been XORed with the key XOR 07H instead of the key.
How can this be resolved? There are many ways; the fourth method for recognizing plaintext (letter frequencies) can be used.
Here I use a simple but not universal method: compare the counts of 20H and 27H.
In a normal article the count of 20H (space) is certainly greater than that of 27H (apostrophe).
If the count of 20H is less than that of 27H, XOR with 7 once more.
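The whole procedure above (distinct-value count, search for the XORed CR/LF pair, key = value XOR 0AH, and the 20H-versus-27H tie-breaker) as an added Python example. This is not code from the original post or from Datahack.exe. The sample text and the key 77H are constructed; the key is chosen so that the ciphertext shows the same 7AH/7DH pair as the figures discussed below, and the first guess 70H is rejected by the space check the same way. The pair test is written as a XOR b == 07H, which follows directly from 0DH XOR 0AH = 07H and is slightly stricter than the "between 1 and 7" distance in step 3.

```python
from collections import Counter

CR, LF = 0x0D, 0x0A

# Constructed sample plaintext (not from the original post): English text with
# CRLF line breaks, a few apostrophes and many spaces, as the heuristics require.
PLAINTEXT = (
    b"The quick brown fox jumps over the lazy dog.\r\n"
    b"It's a well-known pangram, and it doesn't hide its letters well.\r\n"
    b"Single-byte XOR keeps every byte count, so the line breaks still\r\n"
    b"show up as two equal counts that differ only in their low three bits.\r\n"
    b"That's the whole trick: find them, and the key falls out.\r\n"
)

# Hypothetical key, chosen so the ciphertext shows the post's 7AH/7DH pair:
# CR ^ 0x77 = 0x7A and LF ^ 0x77 = 0x7D.
KEY = 0x77
CIPHERTEXT = bytes(b ^ KEY for b in PLAINTEXT)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def looks_like_plaintext(data: bytes, max_controls: int = 5) -> bool:
    """Checks 1-3 for unencrypted English: mostly printable ASCII,
    at most a handful of distinct control bytes, and #CR == #LF > 0."""
    counts = Counter(data)
    printable = sum(n for b, n in counts.items() if 0x20 <= b < 0x80)
    controls = [b for b in counts if b < 0x20]
    return (printable >= 0.9 * len(data)
            and len(controls) <= max_controls
            and counts[CR] == counts[LF] > 0)


def space_beats_apostrophe(data: bytes) -> bool:
    """Tie-breaker from the post: real English has more 20H than 27H."""
    counts = Counter(data)
    return counts[0x20] > counts[0x27]


def crlf_pairs(data: bytes, max_distinct: int = 0x70, block_max: int = 5):
    """Find (a, b) byte values that could be the XORed CR/LF pair: equal
    counts, a ^ b == 7 (because 0D ^ 0A == 7), and at most block_max
    distinct values present in the 32-value block (a & E0H) .. (a | 1FH)."""
    counts = Counter(data)
    if len(counts) > max_distinct:      # too many distinct bytes: not XORed text
        return []
    pairs = []
    for a in sorted(counts):
        b = a ^ 0x07
        if b <= a or counts[a] != counts[b]:
            continue
        block = [v for v in counts if (v & 0xE0) == (a & 0xE0)]
        if len(block) <= block_max:
            pairs.append((a, b))
    return pairs


def recover_key(data: bytes):
    """Try key = a ^ 0A first (as the post does), then a ^ 0D, and keep the
    one whose decryption looks like English and has more spaces than quotes."""
    for a, _ in crlf_pairs(data):
        for key in (a ^ LF, a ^ CR):    # the two candidates differ by 7
            plain = xor_bytes(data, key)
            if looks_like_plaintext(plain) and space_beats_apostrophe(plain):
                return key
    return None


if __name__ == "__main__":
    print("candidate CR/LF pairs:",
          [(hex(a), hex(b)) for a, b in crlf_pairs(CIPHERTEXT)])
    key = recover_key(CIPHERTEXT)
    print("recovered key:", None if key is None else hex(key))
    if key is not None:
        print(xor_bytes(CIPHERTEXT, key).decode())
```

Note that the first candidate 70H passes the plaintext checks 1-3 (the decryption is printable and has equal numbers of 0AH and 0DH, merely swapped), and only the 20H > 27H comparison rejects it; that is exactly the ambiguity the post resolves with the extra XOR 7.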
The description is rather terse, so let's analyze an example.
Datahack.exe is a program that can decrypt such encrypted strings.
Figure 1 is our decryption target.
Figure 2 is the byte analysis of the data (the count of each byte value).
We find two byte values with equal counts: 7AH and 7DH.
So we XOR with 70H (7AH XOR 0AH = 70H).
Figures 3 and 4 show the result.
Now 0AH and 0DH have equal counts, but the string is not the one we want. Looking more closely, 20H is rare and 27H is frequent, so we XOR the plaintext with 7 once more, and
the decryption succeeds.
Why XOR 7? Because 0DH XOR 0AH = 07H.