Skip to content
View in the app

A better way to browse. Learn more.

ResHax

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.
Help us keep the site running.
Zero Tolerance for Disrespect

Nichijou Kisekae App Images (no file type)

Featured Replies

Hi! There's a group of numbered files from a wallpaper app which are encrypted. The developer of the app, HeartBit, mentioned on their website that they used SHA-1 ("160-bit SHA") for the encryption, but that doesn't really say much. I tried looking through the app's classes.dex file to see how it is decrypted, but didn't find anything. The images don't use XOR, and I can't figure out what it uses and how it is decrypted.

Other than images, some of the encrypted files might be .csv files, but I'm not too sure.

image.png

assets.zip classes.dex_Decompiler.com.zip

Solved by piken

  • Solution
On 5/8/2024 at 6:18 AM, calmevening said:

The images don't use XOR

🤔 What interesting regular repeating patterns:

image.png.8bbf253092e352b4e2a73961a4f32add.png

⊻ Let's ^ that. Well that looks like something:

image.png.7c1d4bab849dd53cd81e813dce411903.png

🙃 The CaSe is wrong though, as it should be "JFIF" and "http". So let's additionally xor it with 20h:

image.png.305032ab528b2f99bd986dc399b9084b.png

🤗 Please use bestowed knowledge for wholesome goodness.

Edited by piken

  • Author

Ah I see, I was definitely too caught up in reading the code to look directly at the bytes like that, thanks!

I'm curious, what program is that? I was using the xortool python package when I was bruteforcing the images, I couldn't really get anything out of that here.

 

1 hour ago, calmevening said:

I'm curious, what program is that?

For the above, I'm using 010 Hex Editor (but I often use HxD too), my own little 24-year old pattern viewer (that I can't really recommend to others these days due to no mouse support and lack of basic expected things like resizeable windows, but it does the one thing I need of drawing colors behind the numbers 😅), and NirSoft's XorFiles.

Edited by piken

  • Author

Um, I'm sorry to ask but I tried to use the nirsoft thing and couldn't exactly figure it out haha, what exactly was the key to the images anyway?

2 hours ago, calmevening said:

couldn't exactly figure it out haha

So sometimes files have empty regions for padding, and you'll see the key leaks through, such as this trailing padding in the XMP metadata full of space and line feed characters. Those line feeds add a little noise to the matter in a few of the rows, but if you ignore the outliers, you'll see the 20-byte (160 / 8 = 20) sequence pretty clearly in 1200001001 at 564h (per screenshot above). Concatenating that sequence {4B,FA,6F...} to itself until it's as long as the target file gives the complete XOR file (cheap way is just to copy and paste the sequence in your favorite hex editor). I just tried XorFiles because it was the first app I found, but if there's another app you like better, go for it (Nirsoft's evidently truncates the output file to the shorter of the two input files, and does not repeat the XOR file for you up to the primary file's length). Note additionally since that padding region consists of space characters (U+0020) rather than nul characters, you'll have to xor every byte by 20h {4B,FA,6F,...} -> {6B,DA,4F,...}, for which 010 Editor has a useful action.

1200001001-with-visible-XMP.png

010HexEditor.png

Edited by piken

Create an account or sign in to comment

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.