Compression vs. encryption?
-
Rheini
- Moderator
- Posts: 652
- Joined: Wed Oct 18, 2006 9:48 pm
- Location: Germany
- Has thanked: 19 times
- Been thanked: 46 times
- Contact:
Re: Compression vs. encryption?
Compressed files can't be compressed considerably again.
Also the histogram should be quite uniformly distributed.
-
Rheini
Re: Compression vs. encryption?
If you take the simplest case of an XOR encryption with only 1 byte, the distribution stays uniform of course.
That's why these ones are easy to come by without any disassembling. Series of zeros become series of the xor byte.
In general if you see runs of data in the file you can bet it (or at least that part) isn't compressed.
More sophisticated encryptions use a function to modify the xor key after each round similar to a pseudo-random number generator. Thus it depends on the function that is used how random the output is.
It would be really interesting to investigate if there is a way to detect encryption and compression with static mathematical analysis.
-
Rheini
Re: Compression vs. encryption?
Well, that's pretty hard. You might try scanning the exe with http://www.peid.info/ and its Krypto plugin.

