Export (0) Print
Expand All

2.3.7.2 Binary Document XOR Array Initialization Method 1

Office

The CreateXorArray_Method1 procedure specifies how a 16-byte XOR obfuscation array is initialized. The procedure takes the following parameter:

  • Password: An ASCII string that specifies the password to be used to encrypt the data. Password MUST NOT be longer than 15 characters.

    SET PadArray TO ( 0xBB, 0xFF, 0xFF, 0xBA, 0xFF, 0xFF, 0xB9, 0x80,
                      0x00, 0xBE, 0x0F, 0x00, 0xBF, 0x0F, 0x00 )
    
    SET InitialCode TO ( 0xE1F0, 0x1D0F, 0xCC9C, 0x84C0, 0x110C,
                         0x0E10, 0xF1CE, 0x313E, 0x1872, 0xE139,
                         0xD40F, 0x84F9, 0x280C, 0xA96A, 0x4EC3 )
    
    SET XorMatrix TO ( 0xAEFC, 0x4DD9, 0x9BB2, 0x2745, 0x4E8A, 0x9D14, 0x2A09,
                       0x7B61, 0xF6C2, 0xFDA5, 0xEB6B, 0xC6F7, 0x9DCF, 0x2BBF,
                       0x4563, 0x8AC6, 0x05AD, 0x0B5A, 0x16B4, 0x2D68, 0x5AD0,
                       0x0375, 0x06EA, 0x0DD4, 0x1BA8, 0x3750, 0x6EA0, 0xDD40,
                       0xD849, 0xA0B3, 0x5147, 0xA28E, 0x553D, 0xAA7A, 0x44D5,
                       0x6F45, 0xDE8A, 0xAD35, 0x4A4B, 0x9496, 0x390D, 0x721A,
                       0xEB23, 0xC667, 0x9CEF, 0x29FF, 0x53FE, 0xA7FC, 0x5FD9,
                       0x47D3, 0x8FA6, 0x0F6D, 0x1EDA, 0x3DB4, 0x7B68, 0xF6D0,
                       0xB861, 0x60E3, 0xC1C6, 0x93AD, 0x377B, 0x6EF6, 0xDDEC,
                       0x45A0, 0x8B40, 0x06A1, 0x0D42, 0x1A84, 0x3508, 0x6A10,
                       0xAA51, 0x4483, 0x8906, 0x022D, 0x045A, 0x08B4, 0x1168,
                       0x76B4, 0xED68, 0xCAF1, 0x85C3, 0x1BA7, 0x374E, 0x6E9C,
                       0x3730, 0x6E60, 0xDCC0, 0xA9A1, 0x4363, 0x86C6, 0x1DAD,
                       0x3331, 0x6662, 0xCCC4, 0x89A9, 0x0373, 0x06E6, 0x0DCC,
                       0x1021, 0x2042, 0x4084, 0x8108, 0x1231, 0x2462, 0x48C4 )
    
    
    FUNCTION CreateXorArray_Method1
        PARAMETERS Password
        RETURNS array of 8-bit unsigned integers
    
        DECLARE XorKey AS 16-bit unsigned integer
        DECLARE ObfuscationArray AS array of 8-bit unsigned integers
    
        SET XorKey TO CreateXorKey_Method1(Password)
    
        SET Index TO Password.Length
        SET ObfuscationArray TO (0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
    
        IF Index MODULO 2 IS 1
            SET Temp TO most significant byte of XorKey
            SET ObfuscationArray[Index] TO XorRor(PadArray[0], Temp) 
    
            DECREMENT Index
    
            SET Temp TO least significant byte of XorKey
            SET PasswordLastChar TO Password[Password.Length MINUS 1]
            SET ObfuscationArray[Index] TO XorRor(PasswordLastChar, Temp)
        END IF
    
        WHILE Index IS GREATER THAN to 0
            DECREMENT Index
            SET Temp TO most significant byte of XorKey
            SET ObfuscationArray[Index] TO XorRor(Password[Index], Temp)
    
            DECREMENT Index
            SET Temp TO least significant byte of XorKey
            SET ObfuscationArray[Index] TO XorRor(Password[Index], Temp)
        END WHILE 
    
        SET Index TO 15
        SET PadIndex TO 15 MINUS Password.Length
        WHILE PadIndex IS greater than 0
    
            SET Temp TO most significant byte of XorKey
            SET ObfuscationArray[Index] TO XorRor(PadArray[PadIndex], Temp)
            DECREMENT Index
            DECREMENT PadIndex
    
            SET Temp TO least significant byte of XorKey
            SET ObfuscationArray[Index] TO XorRor(PadArray[PadIndex], Temp)
            DECREMENT Index
            DECREMENT PadIndex
        END WHILE
    
        RETURN ObfuscationArray
    END FUNCTION
    
    
    FUNCTION CreateXorKey_Method1
        PARAMETERS Password
        RETURNS 16-bit unsigned integer
    
        DECLARE XorKey AS 16-bit unsigned integer
        
        SET XorKey TO InitialCode[Password.Length MINUS 1]
    
        SET CurrentElement TO 0x00000068
    
        FOR EACH Char IN Password IN REVERSE ORDER
            FOR 7 iterations 
                IF (Char BITWISE AND 0x40) IS NOT 0
                    SET XorKey TO XorKey BITWISE XOR XorMatrix[CurrentElement]
                END IF
                SET Char TO Char MULTIPLIED BY 2
                DECREMENT CurrentElement
            END FOR
        END FOR
    
        RETURN XorKey
    END FUNCTION
    
    
    FUNCTION XorRor
        PARAMETERS byte1, byte2
        RETURNS 8-bit unsigned integer
    
        RETURN Ror(byte1 XOR byte2)    
    END FUNCTION
    
    
    FUNCTION Ror
        PARAMETERS byte
        RETURNS 8-bit unsigned integer
    
        SET temp1 TO byte DIVIDED BY 2
        SET temp2 TO byte MULTIPLIED BY 128
        SET temp3 TO temp1 BITWISE OR temp2
        RETURN temp3 MODULO 0x100
    END FUNCTION
Show:
© 2014 Microsoft