Re: [Burp-users] Restore fails with Could not determine cipher from: 0 and EVP_CipherInit_ex failed

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Sun, Mar 01, 2026 at 06:34:30PM +0100, Koen Drai wrote:
> Hi,
> 
> I need to restore a single file from a rather ancient burp backup and get the following error messages:
> 
> Could not determine cipher from: 0
> 
> EVP_CipherInit_ex failed
> 
> 
> The latter error occurred earlier with a different file. So fixed my local openssl.cnf for the legacy provider, which helped.
> 
> 
> I have looked in the manifest of the old backup:
> 1      2 3   4 5 6 7 8   9 1011     12     13     14151617
> r0039A A IH/ B A A A FTB A A BP3QJN BFITOG BP3QJN A g J -B A A
> 
> 
> Tried to decode following Graham's instructions from last January (see below).
> 
> Not sure I fully understand, I would expect a B instead of a -B.
> However, when I "correct" the manifest (i.e. gunzip, edit, gzip), I get the following error:
> 
> 2026-03-01 18:25:06 +0100: burp[4133904] yajl error: lexical error: invalid char in json text.
>                                        restoreend
>                      (right here) ------^
> 
> Which disappears again after changing back to -B.
> 
> 
> 
> Do you have any ideas on how I get the file back?
> 
> 
> Thanks a lot and regards,
> 
>  Koen
> 
> 
> 
> 
> 
> "It starts with 'r', then the next 4 characters are the length of the attributes
> 
> line. Then the rest of the characters are various attributes, base64 encoded.
> The encryption flag is in the 17th place. In this example, it is the 'A' after
> the 'J'.
> 
> The possible (decoded) values that this field come out of burp's src/sbuf.h
> definitions:
> #define ENCRYPTION_UNSET                        -1 // Also legacy
> #define ENCRYPTION_NONE                         0
> #define ENCRYPTION_KEY_DERIVED_BF_CBC           1 // Legacy
> #define ENCRYPTION_KEY_DERIVED_AES_CBC_256      2
> 
> So, in the example, 'A' is 0 means ENCRYPTION_NONE.
> ENCRYPTION_UNSET:                   ?
> ENCRYPTION_NONE:                    A
> ENCRYPTION_KEY_DERIVED_BF_CBC:      B
> ENCRYPTION_KEY_DERIVED_AES_CBC_256: C"

Hello,

What do the next three lines in the manifest look like, after this?
r0039A A IH/ B A A A FTB A A BP3QJN BFITOG BP3QJN A g J -B A A