Economist

Posted on Sep 23, 2011

The Economist provides a nice Android Application, however: the cache contents (saved on the sd-card by the application) are ’encrypted’ for some silly reason.

Analyzing the data

The ’encrypted’ data is stored at /your/phone/com.economist/library/$date, let us have a look at some cached files:

$ hexdump -C 20110813_AMC392.gif|head -5
00000000  c7 c9 c6 b8 b9 e1 ac 81  b5 81 77 80 80 95 8e 87  |Ƹ.w.....|
00000010  99 93 8b a2 9c 95 a7 a2  9c ae aa a4 b5 b1 ac bc  |........|
00000020  b9 b4 ae da ec ad e5 fa  c4 bd ba f0 8c 80 f4 93  |..Ľ.....|
00000030  80 f6 9a 80 f8 9d 81 fa  a1 85 fc a5 89 fc a8 8d  |........|
00000040  f4 ad 97 fd ab 91 fc b3  9d e8 b7 a9 c2 c0 bc db  |..跩....|

hmm.. doesn’t look like a GIF, let’s try some other file…

$ hexdump -C 20110813_BBC384.gif|head -5
00000000  c7 c9 c6 b8 b9 e1 ac 81  12 81 77 80 80 93 8c 84  |Ƹ..w.....|
00000010  99 92 8c 99 92 8b a2 9c  96 a7 a2 9c ad a8 a3 b1  |.........|
00000020  ad a8 b5 b1 ac b8 b3 ae  b9 b5 b1 bc b9 b4 be bc  |.........|
00000030  b8 8b bc ce 80 c4 db 80  c8 de 9d c1 ca 9e cb d7  |.........|
00000040  80 cd e4 80 cc e6 80 d3  ed 87 d2 e8 80 dc fa 80  |.........|

Drat: also just some binary data, but wait: the first few bytes of both images are exactly the same! So let’s have a look at some XML file:

$ hexdump -C LA_economies_13-08-2011_8T2ERJO_26.xhtml | head -1
00000000  bc bf f8 ed ec a0 f6 e5  f2 f3 e9 ef ee bd a2 b1  ||
$ hexdump -C indian_aid_13-08-2011_CI2EBBT_59.xhtml | head -1
00000000  bc bf f8 ed ec a0 f6 e5  f2 f3 e9 ef ee bd a2 b1  ||

How nice: The first few bytes are also exactly the same for both files… but they wouldn’t be stupid enough to use xor to ‘protect’ such files, or would they?

Guessing the first few bytes of an XML-File is very easy and therefore we can calculate the ‘key’:


$ perl -e 'print unpack("H*",pack("H*", "bcbff8") ^ "<?x")."\n"'
808080

Wow: Single-Byte XOR - WTF did they even try to ’encrypt’ them?

‘Decrypting’ the data

‘Decrypting’ the data is rather easy: Save this script als ‘deconomist.pl’…

#!/usr/bin/perl
# this is deconomist.pl
use strict;

my $infile = shift or die;
open(X, "<", $infile) or die;
$infile = join("",<X>);
close(X);

print $infile ^ ( chr(0x80) x length($infile));

..and run:

$ perl deconomist.pl INPUT > OUTPUT</br>

..some examples:

$ perl deconomist.pl ./20110917/edition/content/images/20110917_STP001.jpg > test.jpg
$ file test.jpg
test.jpg: JPEG image data, JFIF standard 1.01

also works for the MP3 files (that’s the reason why i’ve started to look into this)

$ perl deconomist.pl ./20110813/audio/SCIENCE_4R2ES00.mp3 > test.mp3
$ file test.mp3
test.mp3: Audio file with ID3 version 2.3.0, contains: