Need help! Recoveri...
 
Notifications
Clear all

Need help! Recovering scrambled bits!

Page 1 / 2
depende
(@depende)
New Member

Hi Guys,

I'm trying to solve this problem I got a txt file with scrambled bits which I have to recover so that I can read the plaintext.

These are the scrambled bits
W/5¿Q5;¿-¿=¿%!5¿7=#15!¿'=95¿/=#¿%!¿5!'5¿%=
¿/-#)£¿Q-/¿%!5¿/=#¿!#5¿;-''-!#¿5;-5¿#!¿'--#1¿!#¿/5¿'#5#5¿=#7¿!5¿ŸŸ§ŸŸŸ¿5;-5¿95=57¿7=-'
§¿/5¿-)¿3!%¿'#5=;'5¿-5¿-¿%'-'
-#1£¿m#¿3=9§¿!#5¥/-7¿!3¿/5¿%!¥=33-9)57¿5;-5¿=5¿-)
§¿#5¿55=9/¿/=¿55='57£åëåë£3!5#-9%=1£9!%¿Óš‘¿e=9/¿›Ÿ•åë

I put these bits in a txt file and open it with WinHEX tool. With that tool I've tried to shift one bit to left or to the right and I was unsuccessful. Then I've tried to shift 1, 2, until 10 bits to the left or to the right but I was still unsuccessful. Furthermore, I've tried these functions 'circular left rotation', 'invert bits', 'ROT13', 'XOR 1,2', 'OR 1,2', 'AND 1,2' but I was still unsuccessful.

Do I need to use may another tool? Do I have to try the function with 'Shift by .. byte(s)' until I'm successful?

Do you any better ideas?

Thanks in advance!

Quote
Topic starter Posted : 17/04/2015 6:03 pm
jaclaz
(@jaclaz)
Community Legend

Hi Guys,

I'm trying to solve this problem I got a txt file with scrambled bits which I have to recover so that I can read the plaintext.

Is this a "real problem"?
I mean, in the sense that you are doing data recovery or similar?
Or is it a school/UNI assignment?
Or what?

What is the source of this?
How did it came to you?
Why are you trying to descramble it?
How do you know that the "scrambled bits" correspond to plain text?

Etc., etc.

The more context you provide the more likely that someonw will be able to assist you or at least hint towards a suitable descrambling procedure.

BTW, what you posted makes NO sense whatsoever, in the sense that it is the graphical representation as text of the "scrambled bits", what you need to do is to compress the actual binary file into a .zip or similar archive, upload the archive to any free hosting site and provide a link to it.

jaclaz

ReplyQuote
Posted : 17/04/2015 6:13 pm
depende
(@depende)
New Member

Hi jaclaz,

It's not real problem, it's an assignment because I'm studying digital forensic. Unfortunately, our lecturer reads only from the slides and has itself no idea…every step we have to find it by ourselves which is time consuming if you are working besides your study.

These are the scrambled bits which I have copied from the txt file
W/5¿Q5;¿-¿=¿%!5¿7=#15!¿'=95¿/=#¿%!¿5!'5¿%=
¿/-#)£¿Q-/¿%!5¿/=#¿!#5¿;-''-!#¿5;-5¿#!¿'--#1¿!#¿/5¿'#5#5¿=#7¿!5¿ŸŸ§ŸŸŸ¿5;-5¿95=57¿7=-'
§¿/5¿-)¿3!%¿'#5=;'5¿-5¿-¿%'-'
-#1£¿m#¿3=9§¿!#5¥/-7¿!3¿/5¿%!¥=33-9)57¿5;-5¿=5¿-)
§¿#5¿55=9/¿/=¿55='57£åëåë£3!5#-9%=1£9!%¿Óš‘¿e=9/¿›Ÿ•åë

If you copy these scrambled bits and paste it in a txt file, you can then open that file in a tool like WinHex or Hex Workshop. I'm trying since 2 days with both tools to get any results about the original order of the plain text but I'm unsuccessful. I really don't what I have to do…
In Hex Workshop, I've tried with shift left, shift right, rotate left, rotate right, block shift left, block shift right, change sign and so on, but the text is still scrambled.

Thanks in advance for any hints, tips!!!!

ReplyQuote
Topic starter Posted : 17/04/2015 6:35 pm
jaclaz
(@jaclaz)
Community Legend

If you copy these scrambled bits and paste it in a txt file, you can then open that file in a tool like WinHex or Hex Workshop.

NO.

Meaning that what you copy and paste to a .txt file you are NOT opening the "scrambled bits", but a copy of the TEXTUAL REPRESENTATION of the original.

If you want help/support you need to provide the ACTUAL bits, and NOT a copy/paste of them gone through a text editor.

As an example, a LARGE number of NON PRINTABLE characters may be rendered as "a small square" and even the SAME text editor may interpret them differently with different local settings, fonts and what not.

Is there any difficult part in this?

what you need to do is to compress the actual binary file into a .zip or similar archive, upload the archive to any free hosting site and provide a link to it.

jaclaz

ReplyQuote
Posted : 17/04/2015 6:52 pm
depende
(@depende)
New Member

ok,

this is the link where you can download that file

http//www.freeuploadsite.com/do.php?id=69467

Thanks for any feedback!

ReplyQuote
Topic starter Posted : 17/04/2015 7:13 pm
PaulSanderson
(@paulsanderson)
Senior Member

Without doing your assignment for you - I would probably start by looking for patterns in the hex of the sample you provide viz hex in a sample of plain text.

You can spend an age trying different bit shifts/rotates etc. but if you have an idea of what a particular character might be you can start making informed 'guesses'

ReplyQuote
Posted : 17/04/2015 8:09 pm
depende
(@depende)
New Member

Without doing your assignment for you - I would probably start by looking for patterns in the hex of the sample you provide viz hex in a sample of plain text.

You can spend an age trying different bit shifts/rotates etc. but if you have an idea of what a particular character might be you can start making informed 'guesses'

Hi Paul,

The idea of my post isn't that somebody has to do my assignment. I need somebody that guide me a bit.

What do you mean 'start looking by patterns in the hex'?
For example, if I'm looking at the first raw, I see in the column 2,5,10 and 16 the number 35 four times or in the column 3, 7,A, C and 11 the letters BF. So what that means? How it helps me to solve this case?

Thanks!

ReplyQuote
Topic starter Posted : 17/04/2015 8:38 pm
PaulSanderson
(@paulsanderson)
Senior Member

I am trying to help you - but I (and jaclaz) are trying to make you think about it and not explain it to you in minute detail.

Have you looked at the hex of a text file with known content as I suggested in my last post?

If you understand the patterns of hex in a clear text file then you may start to get an idea of where to look next.

ReplyQuote
Posted : 17/04/2015 8:42 pm
jaclaz
(@jaclaz)
Community Legend

More generally, assuming that the original text
1) was written into a known human language (let's say English)
2) the sentences have actually a meaning (i.e. let's say that it is NOT the laundry note)

there are definite "patterns" and "frequencies" of characters.
http//en.wikipedia.org/wiki/Letter_frequency

Winhex (among other hex editors) have a nice histogram tool to quickly check frequences of hex values in a binary file, but you can as well use the freeware HxD or even (shameless plug wink ) an Excel worksheet
http//www.msfn.org/board/topic/173080-release-byte-count-in-excel/

Analyzing these frequencies sometimes helps in understanding if there has been some kind of "shift" applied.

jaclaz

ReplyQuote
Posted : 17/04/2015 10:01 pm
depende
(@depende)
New Member

Thank you guys for your input but I've still not solved this problem.

When I'm opening the that file in Winhex I can see this text
W/5.Q5;.-..=.%!.5.7=#15.!….'=95../=#.%!….5!.'5.%=…/-#)..Q-./.%!.5../=#.!#5.;-''-!#..5;.-.5..#!..'-.-#1.!#../5.'#.5.#5..=#7.!.5………..5;.-.5..9.5=.57.7=-'…./5..-.).3.!%…'#5.=;'5..-.5..-..%.'.-.'.-#1..m#.3=9…!#5../-.7.!3../5.%!…..=33-9)57..5;.-.5..=.5..-.)…#5…5.5=.9/./=…5.5='57………3!.5#.-9%=1.9!%…..e=.9/…….

Then I've opened another file with known content and started to compare both files.

Ok, in the file with the scrambled bits I can see the letter W which has the hex code 57 compared to the known content file which the letter W has the hex code 77. If I change the hex code to 77 in scrambled bits file, it only change w to W.

Furthermore, I've tried that byte count excel file. I can see for example in Byte 21, Count 16, Printable 16, ^!, is 4.75% or in Byte 35, Count 36, Printable 36, ^5, is 10.68%. Now I know which signs are more common but how I connect these all information to solve this case?

I understand that each hex code equal a letter or number but I don't understand looking at patterns that should give a clue how the original file should be….I'm really confused at the moment.

ReplyQuote
Topic starter Posted : 18/04/2015 8:05 am
mscotgrove
(@mscotgrove)
Senior Member

I don't now the answer but a few points.

Number one - you MUST use a hex viewer to look at the data

Number two. The code 0xbf occurs on it's own many times. If the data is a text message it may indicate a space.

Number 3 0xe5 is always followed 0xeb. What is the most common two character sequence in text? (clue non printing)

Your skill is to find patterns. In over 30 years of data manipulation, reverse engineering I know almost anything can be used.

A true story - I once spent a long time trying to decode an embedded number field on an optical disk. Eventually I realised the number was based on a different base, ie not 10 or 16. I was very amused when I discovered that the answer to what base (question) was 42.

ReplyQuote
Posted : 18/04/2015 5:44 pm
jaclaz
(@jaclaz)
Community Legend

Mind you not necessarily the frequencies of letters in the given text or word patterns will help you solve the problem.
It is only one of the possible preventive analysis of the text that you should carry.
Without any further data, hint or information about the kind of transformation algorithm that produced the given results, you are posed before a kind of textual puzzle, which may well be analyzed linguistically.
And maybe it is just another red herring.

The "scrambled bits" you provided is exactly 0x155 or 341 bytes in length.

Not so casually wink the following snippet of the above text

It is only one of the possible preventive analysis of the text that you should carry.
Without any further data, hint or information about the kind of transformation algorithm that produced the given results, you are posed before a kind of textual puzzle, which may well be analyzed linguistically.
And maybe it is just another red herring.

is also exactly 341 bytes in length.
Try copying the above quote and pasting it in a hex editor, and check it.

You should be able to see some patterns.

Like the most common character being actually 0x20 (space), like being there a few occurrences of 0x2E 0x0D 0x0A (period+CR+LF), and if you create and look at the histogram you see how, set apart the space, most of the "peaks" are between 0x61 i.e. 97 and 0x7A i.e. 122.
As well in the actual "scrambled bits" you may see some anomalies, like the occurrence of sequences of three "same" codes, 9F9F9F and 111111 which is something that very rarely happens in properly written/formatted text, and that thus will need to be somehow justified, or maybe it is a hint towards the use of a form of encoding/scrambling/whatever algorithm that is not a simple "code shift" or modification at the single byte level.

More generally I tend to refuse to believe 😯 (though it is of course well possible) that your professor/teacher did not provide you with the means of resolving this puzzle, by way of what specifically was taught you or through the exact wording of the question, or because a limited number of specific algorithms were th etopic of the connected lesson(s) or that he/she gave you an unresolvable puzzle, just for the fun of it ? .

jaclaz

ReplyQuote
Posted : 18/04/2015 7:28 pm
depende
(@depende)
New Member

Hi Jaclaz,

Slowly, I understand what do you mean looking at patterns. I guess that the 0xbf in the scrambled bits is space. So that means by analysing this kind of files I have to guess each hex code? Is there another method, for example, through any calculations?

I've paste that text that is also exactly 341 bytes in length. The space in that text is in hex code 0x20 but is there any connections between 0xbf to 0x20?

BTW, this is the slide that our lecture show us without any deeper explanation
Bit-Shiting

-Some users use a low-level encryption program that changes the order of binary data
-Makes altered data unreadable To secure a file, users run an assembler program (also called a “macro”) to scramble bits
-Run another program to restore the scrambled bits to their original order
-Bit shifting changes data from readable code to data that looks like binary executable code
-WinHex includes a feature for shifting bits

There is a sentence (Run another program to restore the scrambled bits to their original order), so there exists a program that restore scrambled bits?

@mscotgrove, yes I'm using 2 hex viewer tools, one is Winhex and the second is Hex Workshop. Do you have more hints?

Has anybody here find the solution, if yes it was difficult or it is an easy task?

ReplyQuote
Topic starter Posted : 19/04/2015 11:20 am
jaclaz
(@jaclaz)
Community Legend

I had some spare time to look at the "scrambled bits".

It is relatively easy to transform them into the original content, and I can confirm (without giving away the solution) a few things

  1. the already given hints (as expected wink ) fully apply to the specific text
  2. the content is plain enough English
  3. it comes from a recent article published on an online magazine
  4. there is seemingly one error 😯 (either due to transcoding or copying) in byte at offset 0x146 which is 0x9A but should IMNSHO really be 0x9B (but this of course does not affect the rest)
  5. [/listo]

    depende, you are seemingly taking it the "wrong" way, in the sense that you are looking at it thinking of "scrambled", "mathematical" transformation etc, which is loosely correct BTW but what you are doing is essentially the decrypting of a crypted message, more than pertaining to "digital forensics" (or "digital") you have to think at the challenge as solving a puzzle, the hex editor and the use of hex codes are only "means".

    Of course there is a coding or crypting algorithm behind every such puzzle, but usually you first find the solution and only later reverse the transformation algorithm used.

    But it is possible to use your line of reasoning, once you have *something* logical to try.

    Your approach was to "blindly" throw a number of "random" trasformation algorithms to the "scrambled bits" (and you failed), now that you have been given an hypothesis to follow, try to actually follow it, i.e. assuming that actually the "original" hex code 0x20 is corresponding univocally to the hex code 0xBF

    1. find and describe an algorithm that can transform 0x20 into 0xBF
    2. find and describe it's reverse one (i.e. one that can transform the 0xBF to 0x20)
    3. try applying the algorithm in #2 above to the whole file
    4. [/listo]

      For the record (and in my simplicity) the text accompanying the slide(s) is however far from being accurate (BTW I am very picky).

      • low-level encryption program -> Hmmm, no, this is not low-level or high-level, it is is "simple" or "elementary".
      • an assembler program? -> Hmmm, I actually used an Excel spreadsheet to solve the puzzle, but as a matter of fact I could have used some paper and pencil for the decryption, and as well I could have used the same means for the actual encryption.
      • also called a "macro"? -> Hmmm, I definitely did not use any assembler in it, nor a "macro", just good ol', plain, spreadsheet functions.
      • looks like executable code? Hmmm, NO, it looks like hex gibberish, definitely NOT like "executable code", this is exactly one of the reasons why looking at a hex file through it's frequency histogram allows to usually guess if contents of a file are what they should be.

      jaclaz

ReplyQuote
Posted : 19/04/2015 6:43 pm
mscotgrove
(@mscotgrove)
Senior Member

I think a big link between 0xBF and 0x20 is the number bits - if you invert the values

ie ~0x20 is 0xDF and ~0xBF is 0x40

(It shows how important thinking in Hex is)

ReplyQuote
Posted : 19/04/2015 11:01 pm
Page 1 / 2
Share:
Share to...