From 8f24b1280b8b9d8414dda3b65c14b43c6c2c2704 Mon Sep 17 00:00:00 2001 From: itsme Date: Fri, 9 Jul 2021 19:57:22 +0200 Subject: added notes about CroSys. blocksize. notes about encryption --- docs/cronos-research.md | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/cronos-research.md b/docs/cronos-research.md index a60d054..d076f0f 100644 --- a/docs/cronos-research.md +++ b/docs/cronos-research.md @@ -13,12 +13,19 @@ and a Vocabulary database with another set of these files in a sub directory Voc `CroIndex.*` can be ignored, unless we suspect there to be residues of old data. All words are serialized in little endianess. +Additionally there are the `CroSys.dat` and `CroSys.tad` files in the cronos application directory, which list the currently +known databases. + +## app installation + On a default Windows installation, the CronosPro app shows with several encoding issues that can be fixed like this: reg set HKLM\System\CurrentControlSet\Control\Nls\Codepage 1250=c_1251.nls 1252=c_1251.nls [from](https://ixnfo.com/en/question-marks-instead-of-russian-letters-a-solution-to-the-problem-with-windows-encoding.html) +Also note that the v3 cronos app will run without problem on a linux machine using [wine](https://winehq.org/) + ##Files ending in .dat All .dat files start with a 19 byte header: 
@@ -26,9 +33,13 @@ All .dat files start with a 19 byte header: char magic[9] // allways: 'CroFile\x00' uint16 unknown char version[5] // 01.02, 01.03, 01.04 - uint16 encoding // 1 = KOD, 3 = encrypted - uint16 blocksize // 0040 = Bank, 0400 = Index, 0200 = Stru - + uint16 encoding // 0 or 2 = plain, 1 = KOD, 3 = encrypted + uint16 blocksize // 0x0040, 0x0200 or 0x0400 + +Most Bank files use blocksize == 0x0040 +most Index files use blocksize == 0x0400 +most Stru files use blocksize == 0x0200 + This is followed by a block of 0x101 or 0x100 minus 19 bytes seemingly random data. The unknown word is unclear but seems not to be random, might be a checksum. @@ -140,6 +151,8 @@ The original description of an older database format called the per block counte In noticed that the first 256 bytes of CroStru.dat look close to identical (except the first 16 bytes) than CroBank.dat. +The toplevel table-id for CroStru and CroSys is #3, while referenced records have tableid #4. + ##CroBank CroBank.dat contains the actual database entries for multiple tables as described in the CroStru file. After each chunk is re-assembled (and potentially decoded with the per block offset being the record number in the .tad file). @@ -204,3 +217,14 @@ some records are compressed, the format is like this: uint8 compdata[size-4] uint8 tail[3] = { 0, 0, 2 } +## encrypted records + +In files with encoding type #3, records are encrypted. + +Several things observed: + * in encrypted .dat files, the first record starts at 0x100, instead of the usual 0x101 + * probably with a fixed key, and no IV. This is likely so because I found several unrelated files where the + start of the encrypted data is the same for the first +- bytes. + * likely a stream of cipherdata xorred with the plaintext, since I found several records which differ in only a few bits. + * so probably: rc4. + -- cgit v1.2.3
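Review bot: In the first hunk (@@ -13,12 +13,19 @@) the new heading `## app installation` is written with a space after the hashes, while the existing `##Files ending in .dat` just below it has none. Pick one form for the whole file; the spaced form is the one CommonMark renderers accept as a heading. The added wine sentence names "the v3 cronos app" without saying which build or Wine version this was checked with, and it has no closing period. The CroSys sentence should also say whether `CroSys.dat` and `CroSys.tad` follow the same .dat/.tad layout documented below, since a later hunk treats CroSys like CroStru.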
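Review bot: In the header struct hunk (@@ -26,9 +33,13 @@) the three added lines "Most Bank files use blocksize == 0x0040", "most Index files ..." and "most Stru files ..." have no list markers or blank lines between them, so Markdown will join them into one paragraph. Make them a bullet list and capitalise them consistently. Since this hunk already edits the struct, it is a good place to resolve that the listed fields add up to 20 bytes (9 + 2 + 5 + 2 + 2) while the text says "19 byte header", and that the comment on `magic[9]` shows the 8-byte literal 'CroFile\x00'. The new `encoding` comment maps both 0 and 2 to plain; say whether any difference between the two values has been observed or is still unknown.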
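Review bot: In the @@ -140,6 +151,8 @@ hunk the added sentence spells the same term two ways ("table-id" and "tableid") and does not say where that id is stored, so a reader cannot locate the #3 and #4 values in a file. Use one spelling and name the field or record position the id is read from, or state that this is not yet documented.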
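Review bot: In the last hunk (`## encrypted records`) the bullet ending "is the same for the first +- bytes" is missing its number, so the observation that supports the fixed-key claim cannot be checked; fill in the approximate length. The two observations given (identical ciphertext prefixes in unrelated files, records that differ in only a few bits) support "a fixed keystream XORed with the plaintext" but do not single out RC4, so "so probably: rc4" should be marked as a guess, with a line on what would confirm it. The first bullet's 0x100 versus 0x101 start offset should be cross-referenced with the "0x101 or 0x100 minus 19 bytes" statement in the header section, so it is clear that 0x100 goes with encoding 3. It is also worth stating the consequence for anyone relying on this format: with a fixed key and no IV every file reuses the same keystream, so encoding 3 offers little confidentiality.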