#1
Reverse CRC ...
Hi,
I need help to reverse the calculation of a CRC. Here are a few sequences:
Code:
01 00 00 46 71 - CRC E5 9F
00 00 02 00 00 02 00 00 13 24 00 00 46 71 - CRC 0B AF
00 00 01 00 00 01 00 00 15 7C 00 00 46 71 - CRC B9 8A
00 00 02 00 00 02 00 00 19 64 00 00 46 71 - CRC 9C C5

Does anyone at a glance understand which CRC is used?
debugasm
#2
Some context would help. Is there a reason to treat the algorithm as a blackbox?
#3
I think identification of CRC algorithm is a better description. Reversing a compression function in the mathematical sense is simply not possible unless there are trapdoors or biases and the like. But in the reverse engineering context I think we can imply as such.
Have you tried all CRC16 possibilities on this page in Javascript? http://www.sunshine2k.de/coding/javascript/crc/crc_js.html
Considering it could be a truncated CRC32 or CRC64 or concatenated CRC8 of subpieces or a custom CRC, it is somewhat hard to say. If it's based off a polynomial maybe there is a way to find it, but I've not seen a technique for this, but it sounds promising. Otherwise you may need to see if you can white box reverse this. I doubt glancing at what seem to be CRC16 type values will be trivially obvious to anyone though.
#4
Didn't we have a thread about this subject last year? Have you searched here for the problem, Debugasm?
Git
#5
Quote:
I have a program which computes all the known CRC codes but it can also bruteforce the polynomial if you provide the CRC. I've tried with reflected data, non-direct init value, reversed CRC, swapped CRC and none matches a 16bit CRC. Those values are computed in a different way.
#6
Hi CZC, is there a name for the polynomial finding tool? Also can you tell us for CRC-N bits how many CRC of N bits are needed to recover the polynomial and what if there are more or less bits input into CRC function does it change this requirement? For N to N bit mapping I suppose only 1 CRC value determines it, or less than N bits due to 1 to 1 mapping. But if CRC of large data, due to collisions or seems each extra bit adds a power of 2 more values needed to determine it. Anyway, this is interesting enough that it sounds like you have a tool to make it easily done.
Also for questioners asking for mapping functions, remember to provide huge amounts of values or white box info if not absolutely sure. Because even CRC with an XOR which flips some bits of the result would likely throw off any ordinary detection. E.g. CRC16 ^ 0x1f1f. But as part of protocol reversing it would be nice to have powerful numeric identification tools where computation is all done server side. Of course no guarantee server is not using random numbers and tracking them with a database but it's more expensive to do such overkill solutions.
Last edited by chants; 01-24-2020 at 11:45.
#7
Quote:
At some point in the past I was using CRCs a lot in microcontrollers and I decided to write my own tool for that. The source code is attached, it compiles in Linux and Windows as a command line program. You can use shortcuts like using hex or strings directly on the command line.
Code:
CRC generator V1.4
$ ./getcrc [options] file(s)
-z # polynom size
-p # CRC polynom
-r reverse polynom
-m mirror (reflect) data
-n non-direct init value
-i # initial value
-e # exit value
-c reverse CRC
-a all known CRCs
-b # bruteforce to target CRC
-v verbose bruteforce
-s interpret filename as a string
-f interpret filename as a hex string
-C check CRC values for the "123456789" input
-t trace CRC generation
-T dump CRC table and exit
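
Added example, not part of the thread and not the getcrc source: a Python sketch of the 16-bit polynomial search discussed in posts #5 and #6. For equal-length messages the XOR of two CRCs does not depend on the init or final-XOR value, so only the polynomial and the reflection setting are searched. The big-endian reading of the CRC bytes and the constructed DEMO checksums are assumptions.

```python
from itertools import combinations

def crc16(data, poly, init=0, xorout=0, reflect=False):
    """Bitwise CRC-16 (Rocksoft model); reflect=True sets refin and refout."""
    crc = init
    for byte in data:
        if reflect:
            byte = int(f"{byte:08b}"[::-1], 2)
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly if crc & 0x8000 else crc << 1) & 0xFFFF
    if reflect:
        crc = int(f"{crc:016b}"[::-1], 2)
    return crc ^ xorout

def find_polys(samples):
    """Return every (poly, reflect) consistent with equal-length (msg, crc) pairs.

    A CRC is affine over GF(2): for equal-length messages,
    crc(a) ^ crc(b) == crc(a ^ b) computed with init=0 and xorout=0,
    so unknown init and final-XOR values cancel out of the search.
    """
    diffs = [(bytes(x ^ y for x, y in zip(a, b)), ca ^ cb)
             for (a, ca), (b, cb) in combinations(samples, 2)]
    return [(poly, reflect)
            for reflect in (False, True)
            for poly in range(1, 0x10000, 2)  # CRC polynomials include the +1 term
            if all(crc16(d, poly, reflect=reflect) == c for d, c in diffs)]

# The three full-length rows from the first post (the 5-byte row is left out
# because the differencing trick needs equal lengths).
MSGS = [bytes.fromhex(h) for h in (
    "0000020000020000132400004671",
    "0000010000010000157C00004671",
    "0000020000020000196400004671")]
# Assumption: the two CRC bytes are read big-endian.
PAGE = list(zip(MSGS, (0x0BAF, 0xB98A, 0x9CC5)))
# Constructed CRCs: CRC-16 with poly 0x1021, init 0xFFFF, then XOR 0x1F1F.
DEMO = [(m, crc16(m, 0x1021, init=0xFFFF, xorout=0x1F1F)) for m in MSGS]

if __name__ == "__main__":
    print("constructed:", find_polys(DEMO))
    print("thread data:", find_polys(PAGE))
```

Any candidate that survives still needs its init and final-XOR values solved afterwards from a single sample, and should be confirmed against rows that were not used in the search.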