Message-ID: <CABh=JRHLHWoV0R-4BauJ8NNmZit+mGJM7eN5gzqwJ_QKoZ0YpA@mail.gmail.com>
Date: Thu, 31 Jan 2013 09:43:14 +0200
From: Milen Rangelov <gat3way@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: DMG (was: dmg2john)
Hello
I would rather avoid the "zero" test BTW. This is what my initial version
did, and it did work for some of the images, but it also gave out a lot of
false negatives for others. This saves a lot of CPU work, but unfortunately
it does not work reliably :(
I think the key to this is to get more samples and understand the image
layout properly. When we worked with Dhiru on dmg, we did not dig that much
into this (and we did not have many samples to analyze). So we just looked
for known plaintexts that happened to occur either in the first or the last
2 decrypted sectors (that would be MSDOS signatures, UEFI signatures,
filesystem signatures, etc.). Now, decrypting that much data and then
searching for signatures in it slows it down a lot. In fact, speed dropped
several times going from the zeros check to the heuristic checks. It became
more reliable, but much slower.
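To make the trade-off in the message concrete, the following is an added example (not code from John the Ripper's dmg format or from the poster) that runs the cheap "zero" test and the known-plaintext heuristic side by side over the first and last two decrypted sectors. The sample sectors are constructed in the block, standing in for what a correct and a wrong candidate key would produce; the signature offsets are those of the on-disk formats (MBR/VBR 0x55AA at byte 510, GPT "EFI PART" at LBA 1 and the last LBA, Apple Partition Map "ER"/"PM"), not anything DMG-specific, and the function and constant names are the example's own.

```python
import hashlib

SECTOR = 512


def is_all_zero(buf: bytes) -> bool:
    """The cheap 'zero test': accept a candidate password when the decrypted
    sector comes out as all zero bytes. Costs one sector of AES work, but an
    image whose first sectors hold a partition table never passes it."""
    return not any(buf)


def find_signature(first_two: bytes, last_two: bytes):
    """Search the first and last two decrypted sectors for known plaintext.
    The offsets are those of the on-disk formats (MBR, GPT, Apple Partition
    Map), not anything DMG-specific. Returns the name of the first match,
    or None if nothing recognisable is found."""
    checks = [
        # MBR / FAT boot sector: 0x55AA in the last two bytes of sector 0
        ("MBR/VBR boot signature", first_two[510:512] == b"\x55\xaa"),
        # GPT: the primary header is LBA 1 and starts with ASCII "EFI PART"
        ("GPT primary header", first_two[SECTOR:SECTOR + 8] == b"EFI PART"),
        # GPT: the backup header sits in the very last LBA of the disk
        ("GPT backup header", last_two[SECTOR:SECTOR + 8] == b"EFI PART"),
        # Apple Partition Map: block 0 driver descriptor "ER", block 1 entry "PM"
        ("Apple Partition Map",
         first_two[0:2] == b"ER" or first_two[SECTOR:SECTOR + 2] == b"PM"),
    ]
    for name, hit in checks:
        if hit:
            return name
    return None


def evaluate(first_two: bytes, last_two: bytes) -> dict:
    """Run both tests on one candidate's decrypted sectors."""
    return {"zero_test": is_all_zero(first_two[:SECTOR]),
            "signature": find_signature(first_two, last_two)}


# --- constructed sample "decrypted" sectors (not taken from a real image) ---

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic junk standing in for sectors decrypted with a wrong key."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Correct key, GPT-partitioned image: protective MBR in sector 0, GPT header in sector 1
_gpt = bytearray(2 * SECTOR)
_gpt[510:512] = b"\x55\xaa"
_gpt[SECTOR:SECTOR + 8] = b"EFI PART"
GPT_FIRST = bytes(_gpt)
GPT_LAST = bytes(SECTOR) + b"EFI PART" + bytes(SECTOR - 8)

# Correct key, freshly created image whose first sectors are still all zero
BLANK = bytes(2 * SECTOR)

# Wrong key: AES output under the wrong key looks like random bytes
JUNK_FIRST = pseudo_random(2 * SECTOR, b"wrong-key-first")
JUNK_LAST = pseudo_random(2 * SECTOR, b"wrong-key-last")


if __name__ == "__main__":
    for label, f, l in (("GPT image", GPT_FIRST, GPT_LAST),
                        ("blank image", BLANK, BLANK),
                        ("wrong key", JUNK_FIRST, JUNK_LAST)):
        print(label, evaluate(f, l))
```

The GPT-style image is exactly the false negative described above: the zero test rejects the correct key because sector 0 carries a boot signature, while the signature search accepts it. The blank image shows the one case where the zero test does better. The cost difference is also visible in the code: the zero test touches one decrypted sector, the heuristic needs four, and each extra check adds a small false-positive rate (a random 0x55AA at byte 510 happens once in 65536 wrong candidates), which is why a real cracker would confirm a hit with a further check before reporting it.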