The Economist cache

The Economist provides a nice Android application, however: the cache contents (saved on the sd-card by the application) are 'encrypted' for some silly reason. We will fix that within a few minutes.

Analyzing the data

The 'encrypted' data is stored at /your/phone/com.economist/library/$date, let us have a look at some cached files: $ hexdump -C 20110813_AMC392.gif|head -5
00000000 c7 c9 c6 b8 b9 e1 ac 81 b5 81 77 80 80 95 8e 87 |Ƹ..w.....|
00000010 99 93 8b a2 9c 95 a7 a2 9c ae aa a4 b5 b1 ac bc |......|
00000020 b9 b4 ae da ec ad e5 fa c4 bd ba f0 8c 80 f4 93 |Ľ...|
00000030 80 f6 9a 80 f8 9d 81 fa a1 85 fc a5 89 fc a8 8d |........|
00000040 f4 ad 97 fd ab 91 fc b3 9d e8 b7 a9 c2 c0 bc db |...跩|

hmm.. doesn't look like a GIF, let's try some other file... $ hexdump -C 20110813_BBC384.gif|head -5
00000000 c7 c9 c6 b8 b9 e1 ac 81 12 81 77 80 80 93 8c 84 |Ƹ...w.....|
00000010 99 92 8c 99 92 8b a2 9c 96 a7 a2 9c ad a8 a3 b1 |.........|
00000020 ad a8 b5 b1 ac b8 b3 ae b9 b5 b1 bc b9 b4 be bc ||
00000030 b8 8b bc ce 80 c4 db 80 c8 de 9d c1 ca 9e cb d7 |.....|
00000040 80 cd e4 80 cc e6 80 d3 ed 87 d2 e8 80 dc fa 80 |......|

Drat: also just some binary data, but wait: the first few bytes of both images are exactly the same! So let's have a look at some XML file: $ hexdump -C LA_economies_13-08-2011_8T2ERJO_26.xhtml | head -1
00000000 bc bf f8 ed ec a0 f6 e5 f2 f3 e9 ef ee bd a2 b1 ||
$ hexdump -C indian_aid_13-08-2011_CI2EBBT_59.xhtml | head -1
00000000 bc bf f8 ed ec a0 f6 e5 f2 f3 e9 ef ee bd a2 b1 ||

How nice: The first few bytes are also exactly the same for both files... but they wouldn't be stupid enough to use XOR to 'protect' such files, or would they?
Guessing the first few bytes of an XML-File is very easy and therefore we can calculate the 'key': $ perl -e 'print unpack("H*",pack("H*", "bcbff8") ^ " 808080
Wow: Single-Byte XOR - WTF did they even try to 'encrypt' them?

'Decrypting' the data

'Decrypting' the data is rather easy: Save this script als 'deconomist.pl'... #!/usr/bin/perl
# this is deconomist.pl
use strict;

my $infile = shift or die;
open(X, "<", $infile) or die;
$infile = join("",<X>);
close(X);

print $infile ^ ( chr(0x80) x length($infile));

..and run: $ perl deconomist.pl INPUT > OUTPUT

..some examples: $ perl deconomist.pl ./20110917/edition/content/images/20110917_STP001.jpg > test.jpg
$ file test.jpg
test.jpg: JPEG image data, JFIF standard 1.01

# also works for the MP3 files (that's the reason why i've started to look into this)

$ perl deconomist.pl ./20110813/audio/SCIENCE_4R2ES00.mp3 > test.mp3
$ file test.mp3
test.mp3: Audio file with ID3 version 2.3.0, contains:





comments powered by Disqus