Tabimatsu File Decryption (iOS) (.png/.jpg, .csb)

[sencha]

I think these files are XOR encrypted (I might be wrong). It looks like it's just adding/subtracting 3s and 1s in some pattern. Does it look possible to guess the encryption key?

Samples:

samples.zip

Hex editor snippets:

Code: Select all

b8 61 7f 76 3c 3b 2b 3b 31 31 31 3c 78 79 31 31 - start of encrypted .png files
89 50 4e 47 0d 0a 1a 0a 00 00 00 0d ?? ?? 00 00 - what I assume it corresponds to

Code: Select all

31 31 31 78 74 7f 75 9f 73 51 b3 0a - end of encrypted .png files
00 00 00 49 45 4e 44 ae 42 60 82 ?? - what I assume it corresponds to

I also have assembly code from the 'encryptDecrypt' portion of the file that was probably used for the encryption...If the key can't be guessed from the samples, should I try reading this or is it a waste of time?

Code: Select all

push %rbp
mov %rsp %rbp
sub $0x1b0,%rsp
mov %rdi,%rax
mov 0x630c(%rip),%c1 # 0x100006d90
mov %c1, -0x131(%rbp)
mov $0x0, -0x132(%rbp)
mov %rdi, 0x150(%rbp)
mov %rsi, 0x158(%rbp)
mov %rax, 0x160(%rbp)
callq func_100006554

Full executable: https://drive.google.com/open?id=0B2FK8VIu6fm2S0NZbkVnMTEwbms

[aluigi]

xor 0x31

If you need a script:

Code: Select all

get NAME filename
get SIZE asize
filexor 0x31
log NAME 0 SIZE

[sencha]

Thank you so much, it's perfect!