AnalysisLog.sr0 decrypted

  • Posted on: 31 March 2013
  • By: Michał Turecki

Curiosity is one important part of the engine of progress. Recently I've sent a bug report as Test Drive Unlimited 2 crashes on Windows Server 2012 and one of the files was named AnalysisLog.sr0.
It was created after a crash after I was kindly asked to voluntarily create it.
What's inside? As some suggest it contains encrypted private information.

What are the actual contents?

Using my favourite text editor it was easy to check that the sr0 file is just a hexadecimal representation of binary data starting with X letter, for example: X5C2D25333321272533....

Easy enough, I removed the initial X letter from the text file and then using TinyHexer (original website is down for some reason) import feature I loaded hexadecimal text which showed the intended contents of this file, now in binary.

The binary data looks like it is encrypted, texts are nowhere to be found but I've noticed patterns are emerging in the file, especially repetitive exact sentences of characters at random offsets. This suggests two things:

1. the file is not encrypted using a strong cipher in which repetitions can occur but only in large segments of identical data with the offset matching the multiple of cipher length.
2. encryption key length is one byte because of randomly offseted identical data.

These two hints are enough to guess it must be one of a few simple tricks to hide information - XOR or ROR/ROL/ROT-x, most probably XOR, second most ROR or ROL.

A wild guess by looking at the beginning of the file gave me a clue - multiple subsequent 60 hexadecimal must be either spaces or nulls so using TinyHexer Tools -> Scripts -> XOR file data feature I managed to find out that 0x60 (96 decimal) is the key.

To sum things up:
1. With a text editor remove leading X from the AnalysisLog.sr0 file
2. Using TinyHexer File -> Import -> Import -> (select file) -> hex text convert hexadecimal text to binary (and save)
3. Using TinyHexer Tools -> Scripts -> XOR file data -> leave position and count unchanged and type in 96 as XOR value

The file looks like a serialized binary object with hexadecimal identifiers and unencrypted values of these identifiers. Identifiers look like a sort of random GUID type values yet looks can be deceiving in this case especially because these identifiers have different lenght, so we might have another encryption here.
In a spare time I'll look into it further.

Thanks for reading.