Nichijou Kisekae App Images (no file type)

[calmevening]

Hi! There's a group of numbered files from a wallpaper app which are encrypted. The developer of the app, HeartBit, mentioned on their website that they used SHA-1 ("160-bit SHA") for the encryption, but that doesn't really say much. I tried looking through the app's classes.dex file to see how it is decrypted, but didn't find anything. The images don't use XOR, and I can't figure out what it uses and how it is decrypted.

Other than images, some of the encrypted files might be .csv files, but I'm not too sure.

assets.zip classes.dex_Decompiler.com.zip

[piken]

On 5/8/2024 at 6:18 AM, calmevening said:

The images don't use XOR

🤔 What interesting regular repeating patterns:

⊻ Let's ^ that. Well that looks like something:

🙃 The CaSe is wrong though, as it should be "JFIF" and "http". So let's additionally xor it with 20h:

🤗 Please use bestowed knowledge for wholesome goodness.

Edited May 12 by piken

[calmevening]

Ah I see, I was definitely too caught up in reading the code to look directly at the bytes like that, thanks!

I'm curious, what program is that? I was using the xortool python package when I was bruteforcing the images, I couldn't really get anything out of that here.

 

[piken]

1 hour ago, calmevening said:

I'm curious, what program is that?

For the above, I'm using 010 Hex Editor (but I often use HxD too), my own little 24-year old pattern viewer (that I can't really recommend to others these days due to no mouse support and lack of basic expected things like resizeable windows, but it does the one thing I need of drawing colors behind the numbers 😅), and NirSoft's XorFiles.

Edited May 12 by piken

[calmevening]

Um, I'm sorry to ask but I tried to use the nirsoft thing and couldn't exactly figure it out haha, what exactly was the key to the images anyway?

[piken]

2 hours ago, calmevening said:

couldn't exactly figure it out haha

So sometimes files have empty regions for padding, and you'll see the key leaks through, such as this trailing padding in the XMP metadata full of space and line feed characters. Those line feeds add a little noise to the matter in a few of the rows, but if you ignore the outliers, you'll see the 20-byte (160 / 8 = 20) sequence pretty clearly in 1200001001 at 564h (per screenshot above). Concatenating that sequence {4B,FA,6F...} to itself until it's as long as the target file gives the complete XOR file (cheap way is just to copy and paste the sequence in your favorite hex editor). I just tried XorFiles because it was the first app I found, but if there's another app you like better, go for it (Nirsoft's evidently truncates the output file to the shorter of the two input files, and does not repeat the XOR file for you up to the primary file's length). Note additionally since that padding region consists of space characters (U+0020) rather than nul characters, you'll have to xor every byte by 20h {4B,FA,6F,...} -> {6B,DA,4F,...}, for which 010 Editor has a useful action.

Edited May 12 by piken

[calmevening]

ah okay, I get it now! Thank you!