Decoding / Decoding: Getting Started

I intercepted data packets between the software on my computer and the software on the remote server. The idea is to reverse engineer the API between them and integrate the API into another software module.

The problem is that I cannot figure out how to read the data. Here are 92 bytes of hexadecimal data:

10:02:42:6d:95:72:1a:70:be:00:ba:cc:a9:95:72:81:49:dd:00:ae:39:bd:c2:4a:0e:00:d1:fe:a6:01:fc:51:09:42:c1:49:dd:00:59:57:31:b2:3a:ce:00:d1:7e:7c:fa:1d:65:c9:42:41:7c:b6:40:dd:f5:71:52:f1:c7:65:12:be:c0:86:71:03:62:eb:81:49:dd:00:dd:f5:71:dc:7a:ce:00:d1:be:00:ba:1d:65:61:52:c2 

This translates to an ASCII string:

 ??Bm?r?p??????r?I???9??J???????Q?B?I??YW1?:???~|??e?BA| ?@ ??qR??e????q?b??I????q?z???????eaR? 

I know approximately what this data should contain if it helps.

I'm just looking for tips to help me break the code.

+4
3 answers

Assuming that the data is encoded rather than encrypted, one thing that can reveal a lot of information about the data is to compare the packets over time. Parts that change over time are likely to be data, and parts that do not are likely to be structural information.

As an experiment, change the state of the software (provided that it is possible); any changes observed in the data are hints.

Since you know roughly what the packets should contain, this may give you enough information to determine the data format, especially if you have excellent control over the state of the software.

Note: also remember that multibyte data has endianness, and assuming the wrong endianness can make things very confusing. Similarly, there are many other ways to encode strings than ASCII.

If there is a lot of data sent, you can also check whether the data is compressed in some way.

+2

This data may not actually be encrypted, but merely encoded.

One of the possible encodings you could be dealing with is a standard known as Basic Encoding Rules (BER). This is a way to encode an Abstract Syntax Notation One (ASN.1) data structure into a binary stream.

Check out http://en.wikipedia.org/wiki/Basic_Encoding_Rules for an introduction.

It should be noted, however, that there are several toolkits for different languages that make it easier to work with BER data. One of the most extensive I've seen is a Perl library called Convert::ASN1.

Hope this helps, and I will try to keep this up to date with more toolkits for this encoding as I come across them.

In addition, if it is simply encoded, it is also possible that you do not have binary data at all, just ASCII, delimited using a given value. This value may be the pipe symbol (|) that you see in the output. There are several formats that use a wire protocol of this form, for example HL7.

+1

If you don't know whether the data is encrypted or not, a good test is to study the randomness of the data.

Any encryption algorithm worthy of the name produces data that looks completely random. So you can iterate over the bytes and check whether the values are evenly distributed. If they are, you can be fairly sure that the data is really encrypted, not just encoded.

+1
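The randomness check this answer describes, as an added example (not code from the question or any of the answers): it runs the byte-distribution test over the 92-byte capture quoted in the question and additionally looks for repeated byte sequences, which a correctly used cipher would not reproduce. The reference plaintext and the 0.9 entropy threshold are constructed assumptions, not something from the thread.

```python
import math
from collections import Counter

# The 92-byte capture quoted in the question (colon-separated hex, copied from the page).
CAPTURE_HEX = (
    "10:02:42:6d:95:72:1a:70:be:00:ba:cc:a9:95:72:81:49:dd:00:ae:39:bd:c2:4a:0e:00:"
    "d1:fe:a6:01:fc:51:09:42:c1:49:dd:00:59:57:31:b2:3a:ce:00:d1:7e:7c:fa:1d:65:c9:"
    "42:41:7c:b6:40:dd:f5:71:52:f1:c7:65:12:be:c0:86:71:03:62:eb:81:49:dd:00:dd:f5:"
    "71:dc:7a:ce:00:d1:be:00:ba:1d:65:61:52:c2"
)
# Constructed reference plaintext of similar length: a plain key=value wire format.
REFERENCE_TEXT = b"user=alice;balance=1234.56;currency=USD;status=OK;session=42;user=alice;status=OK"

def parse_colon_hex(text: str) -> bytes:
    """Turn 'aa:bb:cc' into bytes."""
    return bytes(int(tok, 16) for tok in text.strip().split(":"))

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, estimated from the byte histogram."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def max_entropy(n: int) -> float:
    """Ceiling for a sample of n bytes: every byte distinct, at most 256 values."""
    return math.log2(min(n, 256))

def repeated_ngrams(data: bytes, n: int = 3) -> dict:
    """n-byte sequences that occur more than once, with their counts."""
    counts = Counter(data[i:i + n] for i in range(len(data) - n + 1))
    return {g: c for g, c in counts.items() if c > 1}

def randomness_report(data: bytes) -> dict:
    """Summarise the checks; the verdict is a rule of thumb for short captures.
    Random bytes almost never repeat a 3-byte run in 92 bytes (about 4000 pairs at
    odds of 2**-24 each), so repeats at arbitrary offsets point to structure.
    The 0.9 factor is an assumption chosen for small samples; with kilobytes of
    data the histogram alone gives a far sharper answer."""
    h, ceiling, repeats = shannon_entropy(data), max_entropy(len(data)), repeated_ngrams(data)
    return {
        "length": len(data),
        "distinct_values": len(set(data)),
        "entropy_bits": round(h, 3),
        "entropy_ceiling": round(ceiling, 3),
        "repeated_trigrams": {g.hex(): c for g, c in repeats.items()},
        "looks_encrypted": not repeats and h > 0.9 * ceiling,
    }

if __name__ == "__main__":
    for label, blob in (("capture", parse_colon_hex(CAPTURE_HEX)), ("reference", REFERENCE_TEXT)):
        print(label, randomness_report(blob))
```

The capture shows the 3-byte run 49:dd:00 three times and several other repeats, with entropy well under the ceiling for 92 bytes, which is what encoded (not encrypted) data looks like.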
