15
Name:
Anonymous
2007-05-25 14:55
ID:me+NyHor
Comparing the files side by side in a hex editor shows that many of the bytes are the same in all files. This suggests to me that some sort of XOR-based algorithm is in place and that the sections that are the same are largely 00s in the plaintext: XORing a key byte with 00 leaves the key byte unchanged, so those regions of the encrypted files show the key itself.
How to determine the XOR key? Well, first it is useful to determine how large it is - does it repeat with a fixed period? Picking a couple of bytes from the parts of the files that are largely the same and searching for them again in that file shows that the pattern repeats itself every 662 (decimal) bytes.
Next, I picked what looked like a relatively sparse file (i.e. when decrypted will be mostly zeroes) and ran a program on it to count the frequencies at which different bytes appear in the repeated sections of 662 bytes.
/* datstat.c */
#include <stdio.h>
#include <fcntl.h>
#include <io.h>
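/*
 * datstat: estimate a repeating XOR key from the file supplied on stdin.
 *
 * The input is read in 662-byte blocks starting at offset 0. For every
 * position inside the block the program counts how often each byte value
 * occurs, then prints the most frequent value per position as a C array
 * named "key".
 *
 * The estimate is only meaningful when the underlying plaintext is mostly
 * 0x00 at each position (ciphertext == key there) and when the key period
 * is aligned with the start of the file. Positions that were never sampled,
 * or where every count is zero, are reported as 0x00.
 *
 * Returns 0 on success, 1 if reading stdin fails.
 */
int main(int argc, char* argv[])
{
    enum { KEY_LEN = 662, BYTE_VALUES = 256 };

    /* static: the counter table is several hundred KB, too large to place
       on the stack safely; static storage is also zero-initialised. */
    static int frequencies[KEY_LEN * BYTE_VALUES];
    unsigned char buffer[KEY_LEN];
    size_t bytes_read;
    size_t total = 0;
    size_t pos;
    int i, j;
    int highest_freq, highest_pos, tmp;

    (void)argc;
    (void)argv;

    /* Binary mode so the Windows CRT does not translate CR/LF or stop at 0x1A. */
    _setmode(_fileno(stdin), _O_BINARY);

    /* fread() returns 0 both at end of file and on error, so looping on its
       return value terminates in either case; the original condition
       (bytes_read > 0 || !feof(stdin)) spun forever after a read error. */
    while ((bytes_read = fread(buffer, 1, sizeof buffer, stdin)) > 0) {
        for (pos = 0; pos < bytes_read; pos++) {
            frequencies[pos * BYTE_VALUES + buffer[pos]]++;
        }
        total += bytes_read;
    }

    if (ferror(stdin)) {
        fprintf(stderr, "datstat: read error on stdin\n");
        return 1;
    }

    if (total < (size_t)KEY_LEN) {
        /* Not fatal, but the printed key would be misleading without a hint. */
        fprintf(stderr,
                "datstat: warning: only %lu byte(s) read, less than one %d-byte period; "
                "unsampled positions are printed as 0x00\n",
                (unsigned long)total, (int)KEY_LEN);
    }

    printf("unsigned char key[662] = {\n");
    for (i = 0; i < KEY_LEN; i++) {
        /* Pick the byte value seen most often at this position; ties keep
           the lowest value because only a strictly greater count wins. */
        highest_pos = 0;
        highest_freq = 0;
        for (j = 0; j < BYTE_VALUES; j++) {
            tmp = frequencies[i * BYTE_VALUES + j];
            if (tmp > highest_freq) {
                highest_pos = j;
                highest_freq = tmp;
            }
        }

        printf(" 0x%02X", (unsigned)highest_pos);
        if (i < KEY_LEN - 1) {
            printf(",");
        }
        if (7 == i % 8) {
            printf("\n");
        }
    }
    printf("};");

    return 0;
}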
Running datstat < BanNick.dat
spat out a likely key, which I then included in the next program to decode the dat files:
/* datdec.c */
#include <stdio.h>
#include <fcntl.h>
#include <io.h>
/*
 * 662-byte XOR key used by main() below: byte i of every 662-byte block of
 * input is XORed with key[i].
 *
 * The values are the output of datstat (most frequent byte per position in a
 * sample .dat file), i.e. they were derived from ciphertext statistics alone.
 * A fixed, repeating XOR pad like this one therefore only obfuscates the
 * data; it does not keep it confidential.
 *
 * NOTE(review): bytes 331..661 appear to repeat bytes 0..330 (the sequence
 * 0xA5, 0x93, 0xF7, ... restarts right after the first 0x8D, 0xFD, 0xD4), so
 * the real key period is probably 331 bytes and this table holds two copies.
 * Confirm before shortening the table.
 */
unsigned char key[662] = {
0xA5, 0x93, 0xF7, 0xB5, 0x6C, 0x63, 0x5B, 0x4A,
0xA6, 0x0A, 0xA8, 0xE0, 0xB3, 0xB9, 0x59, 0xD2,
0x10, 0x47, 0xFA, 0x4A, 0xCF, 0xD4, 0x3D, 0x07,
0x44, 0xAC, 0x4B, 0x5E, 0x02, 0x6D, 0x58, 0x7F,
0x06, 0x6D, 0x7A, 0xFA, 0x31, 0x56, 0xBB, 0x82,
0xFC, 0x13, 0x6D, 0xF0, 0x67, 0xF0, 0xBD, 0x8B,
0x32, 0xFC, 0x8B, 0x86, 0x50, 0xB2, 0x79, 0xCA,
0x99, 0xD9, 0x42, 0xF6, 0xBF, 0xA9, 0x4E, 0xA4,
0x83, 0x2F, 0x83, 0xEF, 0x28, 0xF3, 0x5D, 0x32,
0x28, 0xD7, 0x41, 0x11, 0x27, 0x42, 0x0E, 0xBE,
0x25, 0x7E, 0xF6, 0x75, 0xF7, 0x5F, 0x8C, 0x49,
0xF8, 0x26, 0x1D, 0x23, 0xFC, 0xA4, 0x44, 0x08,
0x85, 0xA3, 0xB9, 0x9A, 0x3A, 0x81, 0x6A, 0xE2,
0x94, 0x1E, 0xCD, 0x4C, 0xDB, 0xF9, 0x74, 0xF3,
0x51, 0x95, 0xE2, 0x1F, 0xAD, 0x22, 0x9D, 0x0C,
0xCA, 0x59, 0x84, 0xEE, 0xA1, 0xA8, 0x63, 0x31,
0x75, 0x8F, 0xC5, 0x05, 0x4D, 0x4A, 0x09, 0x1A,
0xA7, 0xB0, 0xB8, 0xA8, 0x6B, 0x5B, 0x16, 0xB3,
0x1E, 0x09, 0xF7, 0x8D, 0x58, 0x42, 0xD4, 0x9C,
0x78, 0x3B, 0x1E, 0x5D, 0x96, 0xFB, 0xD2, 0xA9,
0xB9, 0xBC, 0x4E, 0x38, 0x4A, 0x94, 0x63, 0x63,
0xC9, 0x54, 0xAB, 0x2E, 0xBF, 0xB1, 0x1D, 0x85,
0xF4, 0xA1, 0xDE, 0xC6, 0xE1, 0x08, 0x5A, 0x80,
0x68, 0x94, 0x94, 0x7B, 0xC3, 0xE5, 0xBA, 0xF8,
0xBB, 0xF2, 0xFD, 0x39, 0x1A, 0xA8, 0xA0, 0x44,
0x62, 0xD4, 0x4E, 0xE5, 0xBF, 0x42, 0xB0, 0xF2,
0x3B, 0x26, 0x3F, 0xD2, 0x31, 0xBC, 0x57, 0x40,
0x04, 0x2C, 0x8D, 0x4D, 0x10, 0xB0, 0x43, 0xA4,
0xE1, 0xF8, 0x7A, 0x12, 0xA3, 0xCE, 0xE7, 0x46,
0xDA, 0xF6, 0x48, 0xD5, 0x54, 0x58, 0xF8, 0x81,
0x5B, 0x61, 0xC1, 0xBA, 0x2F, 0xA6, 0xF2, 0x65,
0xB3, 0xCA, 0xB2, 0xDD, 0x66, 0xA2, 0x94, 0x37,
0x95, 0x98, 0x6C, 0xCB, 0xCF, 0x4D, 0x60, 0xEF,
0x9A, 0x83, 0x42, 0x06, 0x64, 0x39, 0x1D, 0xBA,
0xBC, 0x17, 0x0D, 0x85, 0xC2, 0x0D, 0x54, 0x76,
0xDC, 0x38, 0xAB, 0x32, 0xAB, 0x05, 0xD6, 0x39,
0x3E, 0x98, 0x7B, 0x6A, 0x85, 0x6F, 0x34, 0xCA,
0x08, 0x42, 0xE3, 0x81, 0xD8, 0x2E, 0x46, 0x25,
0xC6, 0x13, 0xCB, 0x3B, 0xD4, 0x3B, 0xA5, 0xFB,
0xE9, 0x3C, 0x1F, 0x54, 0xC9, 0x1F, 0x30, 0x30,
0x43, 0xC1, 0x50, 0xF9, 0xAD, 0x7A, 0x8B, 0x5C,
0x8D, 0xFD, 0xD4, 0xA5, 0x93, 0xF7, 0xB5, 0x6C,
0x63, 0x5B, 0x4A, 0xA6, 0x0A, 0xA8, 0xE0, 0xB3,
0xB9, 0x59, 0xD2, 0x10, 0x47, 0xFA, 0x4A, 0xCF,
0xD4, 0x3D, 0x07, 0x44, 0xAC, 0x4B, 0x5E, 0x02,
0x6D, 0x58, 0x7F, 0x06, 0x6D, 0x7A, 0xFA, 0x31,
0x56, 0xBB, 0x82, 0xFC, 0x13, 0x6D, 0xF0, 0x67,
0xF0, 0xBD, 0x8B, 0x32, 0xFC, 0x8B, 0x86, 0x50,
0xB2, 0x79, 0xCA, 0x99, 0xD9, 0x42, 0xF6, 0xBF,
0xA9, 0x4E, 0xA4, 0x83, 0x2F, 0x83, 0xEF, 0x28,
0xF3, 0x5D, 0x32, 0x28, 0xD7, 0x41, 0x11, 0x27,
0x42, 0x0E, 0xBE, 0x25, 0x7E, 0xF6, 0x75, 0xF7,
0x5F, 0x8C, 0x49, 0xF8, 0x26, 0x1D, 0x23, 0xFC,
0xA4, 0x44, 0x08, 0x85, 0xA3, 0xB9, 0x9A, 0x3A,
0x81, 0x6A, 0xE2, 0x94, 0x1E, 0xCD, 0x4C, 0xDB,
0xF9, 0x74, 0xF3, 0x51, 0x95, 0xE2, 0x1F, 0xAD,
0x22, 0x9D, 0x0C, 0xCA, 0x59, 0x84, 0xEE, 0xA1,
0xA8, 0x63, 0x31, 0x75, 0x8F, 0xC5, 0x05, 0x4D,
0x4A, 0x09, 0x1A, 0xA7, 0xB0, 0xB8, 0xA8, 0x6B,
0x5B, 0x16, 0xB3, 0x1E, 0x09, 0xF7, 0x8D, 0x58,
0x42, 0xD4, 0x9C, 0x78, 0x3B, 0x1E, 0x5D, 0x96,
0xFB, 0xD2, 0xA9, 0xB9, 0xBC, 0x4E, 0x38, 0x4A,
0x94, 0x63, 0x63, 0xC9, 0x54, 0xAB, 0x2E, 0xBF,
0xB1, 0x1D, 0x85, 0xF4, 0xA1, 0xDE, 0xC6, 0xE1,
0x08, 0x5A, 0x80, 0x68, 0x94, 0x94, 0x7B, 0xC3,
0xE5, 0xBA, 0xF8, 0xBB, 0xF2, 0xFD, 0x39, 0x1A,
0xA8, 0xA0, 0x44, 0x62, 0xD4, 0x4E, 0xE5, 0xBF,
0x42, 0xB0, 0xF2, 0x3B, 0x26, 0x3F, 0xD2, 0x31,
0xBC, 0x57, 0x40, 0x04, 0x2C, 0x8D, 0x4D, 0x10,
0xB0, 0x43, 0xA4, 0xE1, 0xF8, 0x7A, 0x12, 0xA3,
0xCE, 0xE7, 0x46, 0xDA, 0xF6, 0x48, 0xD5, 0x54,
0x58, 0xF8, 0x81, 0x5B, 0x61, 0xC1, 0xBA, 0x2F,
0xA6, 0xF2, 0x65, 0xB3, 0xCA, 0xB2, 0xDD, 0x66,
0xA2, 0x94, 0x37, 0x95, 0x98, 0x6C, 0xCB, 0xCF,
0x4D, 0x60, 0xEF, 0x9A, 0x83, 0x42, 0x06, 0x64,
0x39, 0x1D, 0xBA, 0xBC, 0x17, 0x0D, 0x85, 0xC2,
0x0D, 0x54, 0x76, 0xDC, 0x38, 0xAB, 0x32, 0xAB,
0x05, 0xD6, 0x39, 0x3E, 0x98, 0x7B, 0x6A, 0x85,
0x6F, 0x34, 0xCA, 0x08, 0x42, 0xE3, 0x81, 0xD8,
0x2E, 0x46, 0x25, 0xC6, 0x13, 0xCB, 0x3B, 0xD4,
0x3B, 0xA5, 0xFB, 0xE9, 0x3C, 0x1F, 0x54, 0xC9,
0x1F, 0x30, 0x30, 0x43, 0xC1, 0x50, 0xF9, 0xAD,
0x7A, 0x8B, 0x5C, 0x8D, 0xFD, 0xD4};
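/*
 * datdec: XOR-decode a .dat file from stdin to stdout.
 *
 * The input is processed in 662-byte blocks; byte i of each block is XORed
 * with key[i]. fread() only returns a short block at end of file (or on
 * error), so the key stays aligned with the file offset for every block.
 *
 * Returns 0 on success, 1 if reading stdin or writing stdout fails, so a
 * truncated output file is not mistaken for a complete decode.
 */
int main(int argc, char* argv[])
{
    enum { KEY_LEN = 662 };

    unsigned char buffer[KEY_LEN];
    size_t bytes_read;
    size_t pos;

    (void)argc;
    (void)argv;

    /* Binary mode on both streams so the Windows CRT neither translates
       CR/LF nor treats 0x1A as end of file. */
    _setmode(_fileno(stdin), _O_BINARY);
    _setmode(_fileno(stdout), _O_BINARY);

    /* fread() returns 0 both at end of file and on error, so looping on its
       return value terminates in either case; the original condition
       (bytes_read > 0 || !feof(stdin)) spun forever after a read error. */
    while ((bytes_read = fread(buffer, 1, sizeof buffer, stdin)) > 0) {
        for (pos = 0; pos < bytes_read; pos++) {
            buffer[pos] ^= key[pos];
        }

        /* A short write means the output is incomplete (disk full, closed
           pipe); stop instead of silently dropping data. */
        if (fwrite(buffer, 1, bytes_read, stdout) != bytes_read) {
            fprintf(stderr, "datdec: write error on stdout\n");
            return 1;
        }
    }

    if (ferror(stdin)) {
        fprintf(stderr, "datdec: read error on stdin\n");
        return 1;
    }

    /* Buffered data is only known to be written once the flush succeeds. */
    if (fflush(stdout) != 0) {
        fprintf(stderr, "datdec: write error on stdout\n");
        return 1;
    }

    return 0;
}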
One for %a in (*.dat) do datdec.exe < %a > %a.dec
later and they're all decrypted. Some visual checking in the hex editor shows that it was successful.
They're not XLS files though. The data is stored in a custom format but the records are fixed size. All text appears to be Unicode and much of it is in Korean.