| |
The Shadow
Registered: Oct 2007
Posts: 304 |
EOR file coders
Someone once told me that it is impossible to open a file which was coded with an EOR coder. With todays machines, is there any conceivable way that an EOR coded file can be placed into a PC and descrambled? |
|
... 48 posts hidden. Click here to view all posts....
|
| |
MagerValp
Registered: Dec 2001
Posts: 1055 |
Sadly I haven't had time to work on it. I confirmed that my emulator produces the same output as VICE though, which is good.
|
| |
tlr
Registered: Sep 2003
Posts: 1714 |
Added another hint... |
| |
tlr
Registered: Sep 2003
Posts: 1714 |
I guess most gave up on this so I'm giving the pw this evening unless someone says they are still trying. :)
It's apparent that Ymgve chose a really good strategy for cracking it!
When I got the correct answer reported only 5 hours after release I thought I might had accidentally made the challenge way too easy. ;)
|
| |
tlr
Registered: Sep 2003
Posts: 1714 |
Posted the answer: Crack me too! |
| |
Quetzal
Registered: Jul 2002
Posts: 71 |
Tried brute force attack myself and failed, since searching for #$08 at $0802 gave far too many results to sort through (have just confirmed "2,4" was in my list of results, damn!). Also tried looking for POKE565xx in the decrypted code (for disabling CIA timer), but TLR cleverly hid that, as I suspected when no results were found.
I'll be interested to hear a report from Ymgve as to what his method of attack was.
|
| |
Ymgve
Registered: May 2002
Posts: 84 |
I actually found it by doing a bit of statistics. One of my ideas was to count the number of digit characters in the first 128 bytes, and then the "2,4" combination showed up with 45 out of 128 bytes being digits. |
| |
MagerValp
Registered: Dec 2001
Posts: 1055 |
Nice work Ymgve!
My next step would have been code execution and a breakpoint on the basic SYS command and the error routine, but I didn't have the time to implement it. Would it have worked?
|
| |
Ymgve
Registered: May 2002
Posts: 84 |
Yeah, detecting changes to the error routine should work. He never actually uses a SYS command. He POKEs a small program into memory, hooks the error message vector, then executes a syntax error. There's also no numbers larger than 3 digits, all addresses are created through obfuscated math. |
| |
MagerValp
Registered: Dec 2001
Posts: 1055 |
Nasty! :)
|
| |
tlr
Registered: Sep 2003
Posts: 1714 |
Quote: Nasty! :)
Thanks. :)
I've added the decrypted payload data for people to check out:
http://noname.c64.org/csdb/getinternalfile.php/55441/payload.prg
One attack vector I thought would be usable was statistics in some form. 6502 instruction statistics for instance.
I tried to make the basic stub hard to identify but the Ymgves digit statistics was a very clever idea... :)
|
| Previous - 1 | 2 | 3 | 4 | 5 | 6 | 7 - Next |
