pdf head

【set a strategy】     

 

    A normal PDF file always begins, in its binary structure, with 0x46445025 (the ASCII bytes of "%PDF") as its start marker. This file instead begins with 0x71736712. Comparing the two, the data has clearly been transformed; calculation shows that the two differ by an XOR with 0x37. The tail of this PDF file shows the same tampering.

    So, select the entire contents of the file in WinHex and apply a byte-wise XOR with 0x37 to the selected block:

 

 

    After saving, the file opens normally.

    Analysis of the other documents then showed that the tampering algorithm is the same throughout: every byte of a file is XORed with a single value. That value is not fixed, however; for a one-byte value there are 256 possibilities, and combined with the large number of file types, correcting the files by hand is clearly impractical. The rule by which the XOR value is generated therefore needs to be analyzed.
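The header comparison above can be automated per file: the following is an added example, not part of the original post, that recovers the single-byte XOR value by known-plaintext comparison against file magic bytes and checks the PDF tail before accepting the result. It goes beyond the PDF case by trying several formats; the `MAGICS` table, the function names and the sample data are assumptions made for illustration, and it finds each file's value without explaining how that value was generated.

```python
# Leading magic bytes of a few common formats (illustrative table, extend as needed).
MAGICS = {
    "pdf": b"%PDF",
    "zip/docx/xlsx": b"PK\x03\x04",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
}

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the same one-byte key."""
    return data.translate(bytes(b ^ key for b in range(256)))

def find_key(data: bytes):
    """Return (key, format) if one XOR value maps the header onto a known magic."""
    for name, magic in MAGICS.items():
        if len(data) < len(magic):
            continue
        key = data[0] ^ magic[0]  # candidate derived from the first byte
        if all(data[i] ^ key == magic[i] for i in range(len(magic))):
            return key, name      # every magic byte agrees on the same key
    return None

def recover(data: bytes):
    """Return (key, format, restored bytes); raise if no consistent key exists."""
    hit = find_key(data)
    if hit is None:
        raise ValueError("no single-byte XOR key matches a known header")
    key, name = hit
    plain = xor_bytes(data, key)
    # The page notes the tail is altered the same way, so confirm the trailer too.
    if name == "pdf" and b"%%EOF" not in plain[-1024:]:
        raise ValueError("header matched but the PDF tail did not decode")
    return key, name, plain

# Constructed sample: a minimal PDF-like byte string XORed with 0x37.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\n%%EOF\n"
TAMPERED_PDF = xor_bytes(SAMPLE_PDF, 0x37)

if __name__ == "__main__":
    key, name, plain = recover(TAMPERED_PDF)
    print(f"format={name} key=0x{key:02x} header={plain[:4]!r}")
```
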

 

 

https://blog.csdn.net/weixin_33863087/article/details/89936413


Origin www.cnblogs.com/hshy/p/12120285.html