The βCF10β header appears to be a private signature, meaning that the rest of the file is βencodedβ. This is a very simple XOR encoding: xor 8Dh was the first value I tried, and I also got it for the first time. The rationale for the first value is that the 8D value is very common in the first 100 bytes or so, where there can usually be many zeros.
The "decryption" is thus very simple: if the file starts with four bytes of CF10 , delete them and apply xor 8Dh to the rest of the file. Decoding the files shows that the first "JPG" is actually a small PNG image (and not very interesting to download), the second is a PNG file:
The file extension may or may not be the original file extension; one sample called ".jpg" is actually also a PNG file, as can be seen from its header signature.
The next fast and dirty C source will decode the images. The same program can be adjusted in the same way as for encoding them, since the xor operation is exactly the same. The only thing needed is to add a bit of logical flow:
- read the first 4 bytes (maximum) of the input file and test if this forms a string
CF10 - if not, the file is not encoded:
a. write CF10 to the output file
b. encode an image using xor 8Dh for each byte - if so,
b. decode the image using xor 8Dh for each byte.
As you can see, there is no β3a,β and both steps of βbβ are the same.
#include <stdio.h> #include <string.h> #ifndef MAX_PATH #define MAX_PATH 256 #endif #define INPUTPATH "c:\\documents" #define OUTPUTPATH "" int main (int argc, char **argv) { FILE *inp, *outp; int i, encode_flag = 0; char filename_buffer[MAX_PATH]; char sig[] = "CF10", *ptr; if (argc != 3) { printf ("usage: decode [input] [output]\n"); return -1; } filename_buffer[0] = 0; if (!strchr(argv[1], '/') && !strchr(argv[1], 92) && !strchr(argv[1], ':')) strcpy (filename_buffer, INPUTPATH); strcat (filename_buffer, argv[1]); inp = fopen (filename_buffer, "rb"); if (inp == NULL) { printf ("bad input file '%s'\n", filename_buffer); return -2; } ptr = sig; while (*ptr) { i = fgetc (inp); if (*ptr != i) { encode_flag = 1; break; } ptr++; } if (encode_flag) { /* rewind file because we already read some bytes */ fseek (inp, 0, SEEK_SET); printf ("encoding input file: '%s'\n", filename_buffer); } else printf ("decoding input file: '%s'\n", filename_buffer); filename_buffer[0] = 0; if (!strchr(argv[2], '/') && !strchr(argv[2], 92) && !strchr(argv[2], ':')) strcpy (filename_buffer, OUTPUTPATH); strcat (filename_buffer, argv[2]); outp = fopen (filename_buffer, "wb"); if (outp == NULL) { printf ("bad output file '%s'\n", filename_buffer); return -2; } printf ("output file: '%s'\n", filename_buffer); if (encode_flag) fwrite (sig, 1, 4, outp); do { i = fgetc(inp); if (i != EOF) fputc (i ^ 0x8d, outp); } while (i != EOF); fclose (inp); fclose (outp); printf ("all done. bye bye\n"); return 0; }