2

I've the following line retrieved with ilSpy

p[var1] = (t[var1] + z.c[var1 % z.c.Length]) % 'Ā';

p,t and c are char array[].

my question is: how can he + characters? t[var1]+z.c[someNumber] are 2 characters and then he module the result with a number 'A' at the end.

Oded
  • 489,969
  • 99
  • 883
  • 1,009
NoobTom
  • 555
  • 1
  • 9
  • 21
  • if you don't have the source, should you be reverse engineering? – Mitch Wheat Mar 06 '12 at 11:13
  • 4
    @MitchWheat: That implies that by definition nobody should ever reverse engineer. – Jon Mar 06 '12 at 11:14
  • @MitchWheat: if the license doesn't explicitly prohibit reverse engineering, then why not? – Igor Korkhov Mar 06 '12 at 11:17
  • Reverse engineering does not see the big picture. You need to see why it would be doing something like that in the RAW format, possbily look at the ASM callstack. Because the original source code could be doing something completely different. ilSpy is only a tool.. you cant rely on proper code back from it. – Piotr Kula Mar 06 '12 at 11:18
  • you are right, but i've my reasons to believe that operation genuine, i wanted to write it backwords and see if i can figure out the cleartext from the encoding – NoobTom Mar 06 '12 at 11:24
  • @NoobTom: please see my answer below. – Igor Korkhov Mar 06 '12 at 12:40

3 Answers3

4

char is an integral type, just like int and long are, so you can add them together and use % on the value of a char instance.

In the same way that you can add ints and % them.

This explains why the above works.

What it means is a different question and is not so apparent. It could be the char was used because of its range, but is used as an integral type. It cold be that this is a function that converts lowercase characters to upper case (or vice versa), but without more context it is impossible to tell.

It is entirely possible that the decompiler you are using has misinterpreted (or couldn't fully interpret) the IL and is presenting you with something equivalent to the IL, but that is not the same as the original code.

Oded
  • 489,969
  • 99
  • 883
  • 1,009
  • Thank you, i got this question because when i try to do the same operation in visualstudio, it complains that you cant sum a char with an int. that line is an encoding. It takes one text file one array sums up and put the output in the p array. the p array should contain a decoded "something" which i am trying to figure out :D – NoobTom Mar 06 '12 at 11:22
  • Its of note that Ā is unicode 256(dec) so that mod is basically constraining it to a byte range. Whether this is because as you say its being used as a byte or if they just want to lock to the ascii character set or something I don't know. Just thought I'd note that though. :) – Chris Mar 06 '12 at 11:23
  • @Chris - So it ends up discarding the higher byte. Could be a way to encode to something like EBDIC or such that is not natively supported in the BCL. – Oded Mar 06 '12 at 11:24
  • I think you gave me an idea...it might be UNICODE, the unicode are numbers, and then with ToCharArray it transforms it into a ASCII char. – NoobTom Mar 06 '12 at 11:26
  • 1
    Possibly... As you say though without more context it is impossible to tell. It may be that it is just effectively doing a one time pad style encoding and using the modulo to wrap overflow. I think this is out of scope though and the OP needs another question if he wants us to figure out what the full code does. ;-) – Chris Mar 06 '12 at 11:27
0

If you add characters, you are actually calling the Int operator+, because addition is not defined on char. Basically, chars are numeric values (just displayed differently), too, so that's no problem. He probably mods the result with 'Ā' (numeric value: 256) so that the result is in the range of a 1 byte char.

Botz3000
  • 39,020
  • 8
  • 103
  • 127
  • 1
    As a correction Ā is 256 (though your argument still stands, it just allows 255 as well). – Chris Mar 06 '12 at 11:24
0

As Oded pointed out, the expression retrieved by ilSpy is syntactically valid, yet I think the original code was different.

The code of Ā (U+0100, Latin Capital Letter A With Macron) is 256, which suggests that that t, c, and p represent some string in a single-byte encoding such as ASCII. Then the code you got from ilSpy does make sense. For example (I just renamed t, c, and p):

encrypted[index] = (source[index] + z.passPhrase[index % z.passPhrase.Length]) % 256;

Here we have a simple encryptor, which cyclically adds some passphrase to the original string.

Community
  • 1
  • 1
Igor Korkhov
  • 8,283
  • 1
  • 26
  • 31