I think these files are XOR encrypted (I might be wrong). It looks like it's just adding/subtracting 3s and 1s in some pattern. Does it look possible to guess the encryption key?
Samples:
Attachment:
samples.zip [124.89 KiB]
Hex editor snippets:
Code:
b8 61 7f 76 3c 3b 2b 3b 31 31 31 3c 78 79 31 31 - start of encrypted .png files
89 50 4e 47 0d 0a 1a 0a 00 00 00 0d ?? ?? 00 00 - what I assume it corresponds to
Code:
31 31 31 78 74 7f 75 9f 73 51 b3 0a - end of encrypted .png files
00 00 00 49 45 4e 44 ae 42 60 82 ?? - what I assume it corresponds to
I also have assembly code from the 'encryptDecrypt' portion of the file that was probably used for the encryption... If the key can't be guessed from the samples, should I try reading this or is it a waste of time?
Code:
push %rbp
mov %rsp,%rbp
sub $0x1b0,%rsp
mov %rdi,%rax
mov 0x630c(%rip),%cl # 0x100006d90
mov %cl, -0x131(%rbp)
mov $0x0, -0x132(%rbp)
mov %rdi, 0x150(%rbp)
mov %rsi, 0x158(%rbp)
mov %rax, 0x160(%rbp)
callq func_100006554
Full executable:
https://drive.google.com/open?id=0B2FK8VIu6fm2S0NZbkVnMTEwbms
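
A known-plaintext check over the bytes quoted in the post, as an added example that is not part of the original post: it XORs each encrypted byte with the PNG byte assumed for it, finds the shortest repeating key that fits, and compares that with the add/subtract view of the same bytes. Function names are illustrative; the byte strings are copied from the snippets above, with `??` treated as unknown.

```python
# Bytes copied from the post's hex snippets; None marks the "??" positions.
HEAD_CT = bytes.fromhex("b8 61 7f 76 3c 3b 2b 3b 31 31 31 3c 78 79 31 31")
HEAD_PT = [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A,
           0x00, 0x00, 0x00, 0x0D, None, None, 0x00, 0x00]
TAIL_CT = bytes.fromhex("31 31 31 78 74 7f 75 9f 73 51 b3 0a")
TAIL_PT = [0x00, 0x00, 0x00, 0x49, 0x45, 0x4E, 0x44,
           0xAE, 0x42, 0x60, 0x82, None]

def keystream(ct, pt):
    """XOR ciphertext with known plaintext; unknown positions stay None."""
    return [None if p is None else c ^ p for c, p in zip(ct, pt)]

def shortest_key(ks):
    """Shortest repeating key consistent with every known keystream byte."""
    for n in range(1, len(ks) + 1):
        key = [None] * n
        consistent = True
        for i, k in enumerate(ks):
            if k is None:
                continue
            if key[i % n] is None:
                key[i % n] = k
            elif key[i % n] != k:
                consistent = False
                break
        if consistent and None not in key:
            return bytes(key)
    return None

def additive_deltas(ct, pt):
    """Distinct (ct - pt) mod 256 values, i.e. the add/subtract view."""
    return {(c - p) % 256 for c, p in zip(ct, pt) if p is not None}

def xor_decrypt(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def tail_matches(key):
    """Cross-check the key against the assumed IEND trailer bytes.
    Only offset-independent when the key is a single byte."""
    plain = xor_decrypt(TAIL_CT, key)
    return all(p is None or p == q for p, q in zip(TAIL_PT, plain))

if __name__ == "__main__":
    key = shortest_key(keystream(HEAD_CT, HEAD_PT))
    print("key:", key.hex(), "tail ok:", tail_matches(key))
    print("additive deltas:", sorted(hex(d) for d in additive_deltas(HEAD_CT, HEAD_PT)))
    print("header:", xor_decrypt(HEAD_CT, key).hex(" "))
```

The XOR difference is the same at every known position while the additive difference takes several values, which is why the bytes look like a pattern of small additions and subtractions.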