Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Design and usage of the memfrob function

From the man page of memfrob:

void *memfrob(void *s, size_t n);

The memfrob() function encrypts the first n bytes of the memory area s by exclusive-ORing each character with the number 42. The effect can be reversed by using memfrob() on the encrypted memory area.

Note that this function is not a proper encryption routine as the XOR constant is fixed, and is only suitable for hiding strings.

I have the following questions regarding the memfrob function:

  1. Why is the XORing done with number 42?
  2. Is there any reason why XOR constant is fixed and why the designers of memfrob did not leave choice of the constant to the user?
  3. In what sense is it suitable for hiding strings? Since it can be reversed and therefore shouldn't be used in applications where encryption is important, what it is used for on practice?
like image 494
syntagma Avatar asked Nov 29 '14 22:11

syntagma


1 Answers

The purpose of memfrob() (if you want to call that a purpose) is to hide strings so you don't see them when you run strings. This might be useful when your binary contains plaintext passwords and you want to stop nosey people from finding out what these passwords are. Of course, it's not hard to crack XOR-by-42, but it's better than nothing.

The number to XOR with can be arbitrary but it needs to stay constant over successive releases of the glibc so code that relies on the number being 42 doesn't break.

Some people consider memfrob() to be a joke function, but I am not sure if this is really the case. None the less, you should not use it because it isn't a standard function (and thus not available on non-glibc platforms) and because obfuscation is not a substitute for proper security.

The joke of it is that it is the meaning of Life. It's similar to rot-13 in that it's a most trivial encryption and running it again restores the string. Rot-13 doesn't do anything to spaces in the plaintext while memfrob has the odd result of swapping spaces and line feeds:

space = 100000 (32), 42 = 101010, 32^42 = 001010 (10 = LF, and 10^42 back to 32)

While these obfuscate they are poor encryption because they can be recognized just by looking at the result: lots of r's and n's then it's rot13; lots of CRs, \ and ^ then memfrob.

like image 130
fuz Avatar answered Oct 21 '22 06:10

fuz