flat assembler
Message board for the users of flat assembler.

Index > Main > Is XOR reversible ?

Author
Thread Post new topic Reply to topic
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
I made this simple text encryptor using XOR.

Is XOR reversible or is it one way only

Code:
proc Enc, string

push ebp esi edi ebx
        
sub esp,16 ; char * encrypted;

mov esi,[ebp+16]
mov edi,[ebp-16]
xor ecx,ecx

__loop:
    cmp byte [esi+ecx],0
   je __done:
   mov al,byte [esi+ecx]
   xor  al,cl                 ; al xor cl
   add al,30                ; just added this for fun
   mov byte [edi+ecx],al
   inc   ecx
   jmp __loop
__done:
  mov byte [edi+ecx],0      ;terminate the encrypted string
   mov eax,edi                  ; return the string (encrypted one)
                                      ; this can be used in attacks using buffer overflow. But I'm not patching that right now

   pop ebx edi esi ebp
add esp,16
mov ebp,esp
ret
    



So the question is ? Is XOR reversible, I tried reversing but It doesn't seem to work. So maybe I was doing it wrong. Very Happy
Post 11 Apr 2011, 19:17
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack
Code:
; ecx= length
; esi= lpstring

@@:
mov al,byte [esi+ecx]
sub al,30
xor al,cl
dec ecx
cmp ecx,0
jae @b
    
Post 11 Apr 2011, 20:02
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
You owe me your email though Very Happy
Post 11 Apr 2011, 20:08
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
XOR <a>, <b> is reversible by XOR-ing <a> with same value <b> again.
Post 11 Apr 2011, 20:10
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
vid wrote:
XOR <a>, <b> is reversible by XOR-ing <a> with same value <b> again.



Thank you....
Post 11 Apr 2011, 20:11
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
That would suck if my code were a commercial encryptor.... Many banks would have been hacked .... LOL... I'd be in deep shit LOL Very Happy
Post 11 Apr 2011, 20:13
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack
Code:
xor eax, ebx
xor ebx, eax
xor eax, ebx
=
xchg eax, ebx
    
Post 11 Apr 2011, 21:16
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
mov eax,3
mov ebx,2

xor ebx,eax

ebx = 5
eax = ??
Post 11 Apr 2011, 21:23
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack
eax= eax Rolling Eyes
Post 11 Apr 2011, 21:28
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
asmhack wrote:
eax= eax Rolling Eyes

I knew that... Rolling Eyes I just wasn't sure Laughing
Post 11 Apr 2011, 21:42
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
Anyways, this code looks buggy... I'm at school and going to class right now.

Some one fix it for me

Code:
format pe gui 4.0

include 'win32ax.inc'
include 'api/kernel32.inc'
include 'api/user32.inc'

entry main

section '.idata' import data readable

library kernel32,'kernel32.dll',\
        user32,'user32.dll'

section '.data' data readable writeable

cipher db '1234',0
c_ptr  db ?
p_ptr  db ?,0;'AQOU',0

section '.text' code readable executable

proc main

     push cipher
     call Enc
     mov  dword [c_ptr],eax

     push MB_OK
     push dword [c_ptr]
     push dword [c_ptr]
     push 0
     call [MessageBox]
     xor  eax,dword[c_ptr]

     push cipher
     call deci
     mov  dword[p_ptr],eax

     push MB_ICONINFORMATION
     push dword [p_ptr]
     push dword [p_ptr]
     push 0
     call [MessageBox]

     ret
endp
;decode
;
;
;

proc deci, string

push ebp esi edi ebx

     sub esp,20
     mov ebp,esp

     mov esi,dword [ebp+8]
     mov edi,dword [ebp-20]
     ;count string size
     xor ecx,ecx
@@:
     ;dec ecx
     cmp byte[esi+ecx],0
     jae  @f
     inc ecx
     jmp @b

@@:
     cmp ecx,0               ;ptext[i] = ( (text[i] -30 ) xor i )
     jbe  @f                 ;
     mov al,byte [esi+ecx]   ;
     sub al,30               ;
     xor al,cl
     mov byte[edi+ecx],al
     dec ecx
     jmp @b

@@:
     mov eax,esi
     pop ebx edi esi ebp
     add esp,20
     mov ebp,esp
     ret
endp


;encode
proc Enc, string

push ebp esi edi ebx 
         
sub esp,16 ; char * encrypted;

mov esi,[ebp+8]
mov edi,[ebp-16]
xor ecx,ecx 

__loop: 
    cmp byte [esi+ecx],0 
   je __done
   mov al,byte [esi+ecx] 
   xor  al,cl                 ; al xor cl 
   add al,30                ; just added this for fun 
   mov byte [edi+ecx],al 
   inc   ecx 
   jmp __loop 
__done: 
  mov byte [edi+ecx],0      ;terminate the encrypted string 
   mov eax,edi                  ; return the string (encrypted one) 
                                      ; this can be used in attacks using buffer overflow. But I'm not patching that right now 

   pop ebx edi esi ebp 
add esp,16
mov ebp,esp
ret 
endp

    
Post 11 Apr 2011, 21:43
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Code:
ADDEND = 30
KEY = 1 ; Parity inverter

;decode
proc deci, string
     push esi

     mov  esi, [string]
     jmp  .load

.crypt:
     xor  al, KEY
     sub  al, ADDEND

     mov  byte [esi - 1], al

.load:
     lodsb
     test al, al
     jnz  .crypt

     mov  eax, [string]

     pop esi
     ret
endp

;encode
proc Enc, string
     push esi

     mov  esi, [string]
     jmp  .load

.crypt:
     add  al, ADDEND
     xor  al, KEY

     mov  byte [esi - 1], al

.load:
     lodsb
     test al, al
     jnz  .crypt

     mov  eax, [string]

     pop esi
     ret
endp    
For the buffer overflow stuff look for some other example, because returning pointer pointing to a stack frame buffer to the caller is a completely non-real life situation.

Still, just for the sake of seeing what it would happen with a vulnerable decode:
Code:
format pe gui 4.0

include 'win32ax.inc'
include 'api/kernel32.inc'
include 'api/user32.inc'

entry main

section '.idata' import data readable

library kernel32,'kernel32.dll',\
        user32,'user32.dll'

section '.data' data readable writeable

cipher db '1234'
       db '5678' ; Will destroy saved EBP
       dd hidden ; Will destroy return address
       db 0 ; NUL terminator (But actually the dword above already contains zero in the most significant byte)

c_ptr  db ?
p_ptr  db ?,0;'AQOU',0

section '.text' code readable executable

proc main
     push cipher
     call Enc
     mov  dword [c_ptr],eax

     push MB_OK
     push dword [c_ptr]
     push dword [c_ptr]
     push 0
     call [MessageBox]
     xor  eax,dword[c_ptr]

     push cipher
     call deci
     mov  dword[p_ptr],eax

     push MB_ICONINFORMATION
     push dword [p_ptr]
     push dword [p_ptr]
     push 0
     call [MessageBox]

     ret
endp

; To make sure the hidden address doesn't have a zero too soon
align 256
nop
; Note that the code above is flawed, as the second byte could end up to be zero and also Enc may be putting zeros too soon as well. Still, for this example it works good.
proc hidden

     push MB_ICONEXCLAMATION
     push .title
     push .message
     push 0
     call [MessageBox]

     push 0
     call [ExitProcess]

.title db 'Question for you', 0
.message db 'And who exactly let you in here?', 0

endp

ADDEND = 30
KEY = 1 ; Parity inverter

;decode (INTENTIONALLY VULNERABLE AND WITH THE SERIOUS DESIGN ERROR OF RETURNING A POINTER TO THE ABOUT TO BE RELEASED STACK SPACE)
proc deci, string
local buff[4]:BYTE
     push esi

     mov  esi, [string]
     lea  edi, [buff]
     jmp  .load

.crypt:
     xor  al, KEY
     sub  al, ADDEND

     stosb

.load:
     lodsb
     test al, al
     jnz  .crypt

     lea  eax, [buff]

     pop esi
     ret
endp

;encode
proc Enc, string
     push esi

     mov  esi, [string]
     jmp  .load

.crypt:
     add  al, ADDEND
     xor  al, KEY

     mov  byte [esi - 1], al

.load:
     lodsb
     test al, al
     jnz  .crypt

     mov  eax, [string]

     pop esi
     ret
endp    
Post 12 Apr 2011, 02:49
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
Hahaha, nice I'm making this my sig


.title db 'Question for you', 0
.message db 'And who exactly let you in here?', 0

Thanks for fixing it..... I also learned some stuff Very Happy
Post 12 Apr 2011, 05:42
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.