Date: Thu, 31 Jan 2013 09:43:14 +0200
From: Milen Rangelov <gat3way@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: DMG (was: dmg2john)

Hello,

I would rather avoid the "zero" test BTW. This is what my initial version did and it did work for some of the images, but it also gave out a lot of false negatives for others. This saves a lot of CPU work, but it does not work reliably unfortunately :(

I think the key to this is to get more samples and understand the image layout properly. When we worked with Dhiru on dmg, we did not dig that much into this (and we did not have many samples to analyze). So we just looked for known plaintexts that happened to occur either in the first or the last 2 decrypted sectors (that would be either MSDOS signatures, UEFI signatures, filesystem signatures, etc).

Now decrypting that much data and then searching for signatures in it slows it down a lot. In fact, speed dropped several times going from the zeros check to the heuristics checks. It became more reliable, but much slower.
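The two heuristics the mail contrasts, the cheap "all zeros" test and the known-plaintext signature search, written out as an added example. This is not code from the thread or from John the Ripper: the 2048-byte window of decrypted sectors, the signature table (real on-disk constants for MBR, GPT and HFS+/HFSX headers, at the offsets those formats define) and the sample windows are all constructed here to show why a zero test yields false negatives on an image whose leading sector is not blank.

```python
"""
Added example (not from the john-dev thread or John the Ripper): compares
the "first sector is all zeros" heuristic with a known-plaintext signature
search over a window of decrypted sectors.  The window size, the signature
table and every sample window below are constructed assumptions.
"""
SECTOR = 512
WINDOW = 4 * SECTOR  # assumed: inspect the first 2048 decrypted bytes

# Known plaintexts a decrypted disk image may carry; offsets are relative to
# the start of the volume.  These byte values are real on-disk constants;
# which ones a particular DMG exposes depends on its layout (the mail's point).
SIGNATURES = [
    ("MBR boot signature", 510, b"\x55\xAA"),
    ("GPT header", 512, b"EFI PART"),      # LBA 1
    ("HFS+ volume header", 1024, b"H+"),   # HFS+ signature at byte 1024
    ("HFSX volume header", 1024, b"HX"),   # case-sensitive HFS+ variant
]


def zero_check(window: bytes) -> bool:
    """Cheap heuristic: accept the key if the first decrypted sector is all zero."""
    return window[:SECTOR] == bytes(SECTOR)


def signature_check(window: bytes):
    """Slower heuristic: return the first recognised signature name, or None."""
    for name, off, magic in SIGNATURES:
        if window[off:off + len(magic)] == magic:
            return name
    return None


def classify(window: bytes) -> dict:
    """Run both heuristics so the reader can compare their verdicts."""
    return {"zero": zero_check(window), "signature": signature_check(window)}


# --- constructed sample windows -------------------------------------------

def sample_blank_leading() -> bytes:
    """Image whose first sectors are zero: zero test passes, no signature seen."""
    return bytes(WINDOW)


def sample_gpt() -> bytes:
    """Protective MBR in sector 0 followed by a GPT header in sector 1."""
    w = bytearray(WINDOW)
    w[510:512] = b"\x55\xAA"
    w[512:520] = b"EFI PART"
    return bytes(w)


def sample_hfsplus_nonblank() -> bytes:
    """Non-zero boot blocks in sectors 0-1 and an HFS+ header at byte 1024.

    The zero test rejects this correct decryption (a false negative); the
    signature search accepts it.
    """
    w = bytearray(b"\x01" * WINDOW)
    w[1024:1026] = b"H+"
    return bytes(w)


def sample_wrong_key() -> bytes:
    """Deterministic non-zero garbage standing in for a wrong-key decryption.

    A repeating 1..255 pattern: never zero, and no signature lands on its offset.
    """
    pattern = bytes(range(1, 256))
    return (pattern * (WINDOW // len(pattern) + 1))[:WINDOW]


if __name__ == "__main__":
    for label, sample in [
        ("blank leading sectors", sample_blank_leading()),
        ("MBR + GPT", sample_gpt()),
        ("non-blank boot blocks + HFS+", sample_hfsplus_nonblank()),
        ("wrong key", sample_wrong_key()),
    ]:
        print(f"{label:32s} {classify(sample)}")
```

The HFS+ case is the one the mail is about: the zero test says "wrong key" for a correctly decrypted image whose leading sectors hold real data, while scanning for known plaintexts catches it at the cost of decrypting and inspecting more bytes per candidate.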