Question

8 bit or 16 bit algorhythm determination (security)

Asked by: valiant_at_mci

Scenario:

We have a very old application at my current assignment that was written in PowerBuilder 4, but we do not have the source code from the company that designed the product.

The application controls alot of our security functionality and recently stopped working.  Trying to rollback, etc. has already been tried.  Sufficed to say that this application was one that ran, but everyone who used the 2 machines it ran on held their breath whenever using the application.  It's a real house of cards.

I'm seeking to rebuild and emulate some of the security functionality of the application itself in something much newer, but the problem is that we don't know what algorhythm was used to encrypt the passwords, and this is necessary.   It is necessary to mimic the security functionality and the encryption.

Since this is in a very old language, chances are the encryption is an 8 bit encryption or at the very most a 16 bit.  

I'm looking for an application that will parse the data between the password and teh encrypted password for the logic used to encrypt.

Essentially:

I have the Password from the user.  I have the encrypted password from the database.  I need a program that will determine what happens in between.  Chances are someone somewhere has something or knows of something that might do the trick.

Thanks much in advance.

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2003-07-08 at 10:02:48ID20672040
Topics

Miscellaneous Security

,

IPSec Security Protocol

Participating Experts
4
Points
250
Comments
7

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Seek or find in ADO & Jet
    I need to check the existence of records by ID in a loop. Under DAO seek worked much faster than repeatedly running an SQL query under ADO and checking if the resulting recordset is empty. Is there any way of using seek or find under ADO? or is there some other fast way under...
  2. OS/400 Emulator
    Is there an emulator for DOS or Windows for the OS/400 operating system? (i.e. OS/400 Emulator for Windows or DOS)
  3. Searching a table with  SEEK
    I understand that using SEEK is better than using .FIND when finding a record in a table since .FIND reads the records in the table in sequential order. But SEEK requires an index. If I want to use SEEK then how will I connect to the database and open Tables with its corres...
  4. emulator in PDA
    is there a emulator in visual studio 2005 express edition.... if there is,then where is it in the edition Thanks

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: generalkPosted on 2003-07-08 at 11:30:07ID: 8879368

I don't know of any tools that will magically tell you the algorithm.  If it's any decent hash function (even at 8 bits) then it would be impossible to tell what's going on inside without looking at the code.

I think your only option is a trial and error approach.  If the application is old, than SHA and MD5 are out of the question.  MD4 or MD2 maybe?  Could it be a crypt()?

What is the length of the hashed password?  Could you post some known pairs?

 

by: fishtankPosted on 2003-07-08 at 16:41:47ID: 8881367

The good encryption secret should be based on algorithm but not any magical things. Remember you are trying to implement the same algorithm but not going to break it so the chance to find out and implement the same algorithm may not be impossible.

You have the plantext and ciphertext, for example if it is encrypted by MD5 hash then you simply implement the MD5 algorithm in your new application then you should have the same hash result. Even the MD5 added some salt still can find out by brute force method (just take some time but not forever).  It may use DES or other well known algorithm but you still can easy to implement it because all the algorithm you can obtain source from the Internet.

If the algorithm just their own algorithm then the chance to break it still possible because it may not strong enough as well known algorithm such as simply applied the XOR with a pre-defined string e.g.: "#s7Dxz*-^...". You may try to browse the binary see any speical chars there in binary data area. Of course you still need some debugging skill to do such task.

I think the algorithm is a simple one for they will not put many effort on powerbuilder algorithm because they're writing a encrypt function for application but not the encryption application.  Search the powerbuilder 4 see any crypt function build in then you save a lot of time sure they will use it. If not then it should be the well known or their own one.

All you have to do is find out what algorithm it is using and this is a critical issue. Try post some out see any luck because I'm not the Cryptanalysis but my 0.02 cents.

 

by: fishtankPosted on 2003-07-08 at 18:49:22ID: 8881843

You may try in this way:
Create 3 new user account as following:

Login ID          Name            Password
AAAAA            AAAAA           AAAAA
AAAAB            AAAAA           AAAAA
AAAAC            AAAAA           AAAAAA

For the simply self develop crypto algorithm may uses XOR with pre-defined string, or XOR Login ID (if not auto gen.), Name or bit shift, or time a small value prime number.

See the encrypted result from database then you may have an idea.

 

by: Somewhat_DifferentPosted on 2003-07-09 at 04:10:55ID: 8884208

Hi!

There is only one tool which can help you in this. SoftICE, It is industry standard number one debugger and extinsively used by crackers to make serial number generators for various softwares. Get it from

www.compuware.com

also try searching Google with term SoftICE you might get its free distribution from some cracking site.

The problem will be that SoftICE will show you the runnig code in Assembly but it is a sure shot.

 

by: BradleyEEPosted on 2003-07-09 at 20:15:39ID: 8890630

Exactly what is this "security functionality" that this application provides?  Why can't everyone just pick new passwords?

If you actually have the plaintext password and the encrypted password of two users, you can test for a simple XOR by XORing the plaintext and encrypted to come up with the "key" and then testing that key on the other password.
If A XOR B = C, then A XOR C = B.

If you go the route of reverse-engineering the algorithm, then SoftICE is your best bet.  You might also try Win32DAsm, though.  The difficulty of this route is going to be dependent on how "well" PowerBuilder compiles code.  If it does a "good" job there will hopefully be little clutter within the algorithm.

Bradley

 

by: fishtankPosted on 2003-07-10 at 08:41:44ID: 8893993

Before a PowerBuilder 4.0 developer provides an application to users, the application code goes through a partial translation to pseudo-code or P-Code like the other players such as VB 1-4, dBase 3/4, Clipper 87/5.x, FoxPro2-5 at that time. At run time, interpretation occurs before the code is executed. So it is possible to decompile the P-Code to Source code as VB, dBase, FoxPro, Clipper because they already has decompiler.

Actually I found some very simple PB 6,7, or 8 decompiler in the Net but still in the alpha state. However PB 4 is much simpler design then nowaday. If you really necessary need to study the SoftICE and Assembler to trace the code from scratch, I suggested you consider write your own PB 4 decompiler instead .

My suggestion still try to find out the password algorithm may more practical.

 

by: Somewhat_DifferentPosted on 2003-07-15 at 01:45:27ID: 8923614

Hi valiant_at_mci!

Thanks for points!

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...