sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex ... - CrySyS Lab
for i=0..15:
    take all characters from file at n*16+i
    generate statistics on characters
    key[i]=find most common character
for i=0..filesize:
    decrypted[i]=encrypted[i] XOR key[i%16]

Figure 21 – Encryption E6A – TO691 1st stage generic decryption pseudocode
The decrypted text after E6A is still not cleartext database format, but one can easily see
that it is very similar to the file format of audcache.dat (after decryption).
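The first-stage key recovery of Figure 21 as an added Python example (not code from the CrySyS report). It relies on what the pseudocode implies, namely that 0x00 is the most frequent plaintext byte at every key position; the function names, the sample buffer and the sample key are constructed for illustration.

```python
from collections import Counter

KEY_LEN = 16  # key period used in the Figure 21 pseudocode


def recover_key(encrypted: bytes, key_len: int = KEY_LEN):
    """Return (key, shares): most common byte per column and its frequency share."""
    if len(encrypted) < key_len:
        raise ValueError("input shorter than one key period")
    key, shares = bytearray(), []
    for i in range(key_len):
        column = encrypted[i::key_len]        # bytes at offsets n*key_len + i
        byte, count = Counter(column).most_common(1)[0]
        key.append(byte)                      # most common ciphertext byte = 0x00 XOR key[i]
        shares.append(count / len(column))    # a low share marks an unreliable key byte
    return bytes(key), shares


def xor_decrypt(encrypted: bytes, key: bytes) -> bytes:
    """decrypted[i] = encrypted[i] XOR key[i % len(key)]"""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(encrypted))


def build_sample():
    """Constructed data: zero-padded buffer with short ASCII strings, XORed with a made-up key."""
    plain = bytearray(4096)
    for n in range(110):
        s = b"entry%03d" % n                  # 8-byte constructed string
        plain[n * 37 : n * 37 + len(s)] = s   # stride 37 spreads text over all 16 columns
    key = bytes(range(0xA0, 0xB0))            # constructed 16-byte key
    return bytes(plain), key, xor_decrypt(bytes(plain), key)


if __name__ == "__main__":
    plain, key, enc = build_sample()
    found, shares = recover_key(enc)
    print("recovered key:", found.hex())
    print("weakest column share: %.2f" % min(shares))
    print("matches constructed key:", found == key)
```

A key position whose share is close to that of the runner-up byte should be checked by hand, since the statistic only works where zero bytes dominate the column.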
The second stage is a mono-alphabetical substitution, for which it may not be impossible to
find a short mathematical formula to calculate the substitutions, but so far we were not able
to find that. Instead, we manually investigated the file and built a partial substitution table
on the characters used. The partial table is denoted as E6B in Figure 22.
Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu