by xmcqdpt2
1113 days ago
Do you have access to the program that reads the data? If so, you can use a debugger to step through the parser for the file, even if symbols are stripped [1]. You can breakpoint on syscalls, such as when the file gets opened [2], and then step through and look around memory for the decrypted version. If you have an idea of what the file should contain you can probably identify patterns this way. I'm not an expert on this topic at all though.

[1] Of course you then have less information, but it's still possible to see the assembly while the file gets parsed. See for example http://felix.abecassis.me/2012/08/gdb-debugging-stripped-bin...

[2] https://sourceware.org/gdb/onlinedocs/gdb/Set-Catchpoints.ht...
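The syscall catchpoint approach from the comment above, written out as a GDB command file (an added example, not part of the original comment). It assumes a Linux x86-64 target, a GDB built with Python support (for `$_regex`), and placeholder names `./parser` and `secret.dat`.

```gdb
# Added example: stop a stripped binary at the moment it opens the file
# of interest, so memory can be inspected while the parser runs.
# Usage (names are placeholders):
#   gdb -q -x catch_open.gdb --args ./parser secret.dat
set pagination off
set $at_entry = 0

# A syscall catchpoint needs no symbols; glibc's open() ends up in openat().
# It fires twice per call: once at syscall entry and once at return.
catch syscall openat
commands
  silent
  set $at_entry = !$at_entry
  if $at_entry
    # At entry on x86-64 the second argument (pathname) is in rsi.
    printf "openat(\"%s\")\n", (char *) $rsi
    # Only stop for the file we care about; let every other open continue.
    if $_regex((char *) $rsi, "secret\\.dat$")
      echo --- target file opened: step with ni/si and inspect memory ---\n
    else
      continue
    end
  else
    continue
  end
end

run
```

Once stopped, `info proc mappings` lists the heap and stack ranges, and `find START, END, "expected text"` searches them for the plaintext pattern you expect the decrypted file to contain.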