Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Help me solve obfuscation method?

Posted on 2013-05-20
19
Medium Priority
?
589 Views
Last Modified: 2013-05-21
I am a web developer trying to reverse engineer a seemingly simple password obfuscation scheme.  I have spent a few hours looking at the data and it seems like what I need now is a fresh pair of eyes and someone with a logic puzzle mindset.  I assure you, this is not a hacking project.  I need to be able to call on a web API that is undocumented and without source so I am trying to replicate what it already does.  It is simple to see what is being done except for this password obfuscation.  I have ruled out all the difficult encryptions (MD5, etc.), and it doesn't appear to have any salt or be affected by username or anything else I can see.  If anyone has any ideas it would be of great help!

On the left is the hash it creates and on the right are the simple passwords I put through the original interface to get that hash:

7F61C2 a
7F62C4 b
7F63C6 c

7F55B6B6 aa
7F55B7B7 bb
7F55B8B8 cc

7F61C2C2C2 aaa
7F62C4C4C4 bbb
7F63C6C6C6 ccc

7F036465 ab
7F026365 ac
7F056669 ad

7F62C3C3C4 aab
7F63C4C4C6 aac
7F64C5C5C8 aad

and just for giggles:

7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa
7F55B7B7B7B7B7B7B7B7B7B7 bbbbbbbbbb
7F0364646464646464646465 aaaaaaaaab

To me it appears to be in hexadecimal, always starting with 7F. Then there is another hex character that does something, then the following hex values each represent a digit for the password.  It looks quite simple until the aab example, which starts confusing me to no end.  Let me know if you need more examples and what to try.  I hope you are up to the challenge!

Thanks for any help you may gleam!

--David
0
Comment
Question by:Vorcht12
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 6
  • 4
  • +1
19 Comments
 
LVL 84

Expert Comment

by:ozo
ID: 39183445
Can you try
x
y
z
yy
yz
zy
zz
za
zb
az
bz
ba
aba
abb
baa
bab
bba
aaaa
aaab
aaba
abaa
baaa
bbbb
bbba
bbab
babb
abbb
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39183479
There are some patterns.

7F61C2 a  61h = 'a' 61h * 2 = c2h
7F62C4 b  62h = 'b' 62h * 2 = c4h
7F63C6 c  63h = 'c'  63h * 2 =c6h

7F55B6B6 aa  55h + 61h = b6h and it's repeated twice if the number of chars is even
7F55B7B7 bb  55h + 62h = b7h
7F55B8B8 cc  55h = 63h = b8h

7F61C2C2C2 aaa  61h * 2 = c2h
7F62C4C4C4 bbb  62h * 2 = c4h
7F63C6C6C6 ccc   63h * 2 = c6h

7F036465 ab  61h + 3 = 64h, 62h + 3 = 65h
7F026365 ac  61h +2 = 63h, 63h + 2 = 65h
7F056669 ad

7F62C3C3C4 aab 62h = 'b', 61h + 62h = c3h, 62h + 62h = c4h (last char + prev char)
7F63C4C4C6 aac
7F64C5C5C8 aad

These use the rules above:
7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa
7F55B7B7B7B7B7B7B7B7B7B7 bbbbbbbbbb
7F0364646464646464646465 aaaaaaaaab

Actually it look like the hex pair in the second position is subtracted from all the following pairs to get the original code.  The 7f is ignored.
0
 

Author Comment

by:Vorcht12
ID: 39183553
ozo, I will get that list encoded in the morning and get it posted.

Dave, interesting.  What I am needing to do is to encode a password following this example, where I can use any password and create the hash for it myself.  Do you see any similarities/patterns that would account for the hex pair in the second position?
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39183576
I think the hex pair in the second position is either one of the characters or some semi-random choice.  From your examples above, I don't see any special requirement except that the results don't overflow usable hex values.  I would just try a bunch of values.  To create the hash, select the value and just add it to the characters in the password.
0
 
LVL 84

Expert Comment

by:ozo
ID: 39183577
the hex pair in the second position is subtracted from all the following pairs to
It remains to be explained how the second hex pair was obtained.  
Or was that a requirement to answer the question?
0
 
LVL 84

Expert Comment

by:ozo
ID: 39183583
Is the hash on the left always the same when given the same string on the right?
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39183587
While there are some simple patterns I can see, I don't think there is enough info to say for sure what the requirement maybe.  I think that some phrases that are more like passwords need to be used to get a better idea of what's going on.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39183592
If the hash works the way I think it does, it does not have to return the same value each time for the same phrase.  The second hex pair can change which will change the hash but still give the same decoded result when subtracted from the rest of the hash.
0
 

Author Comment

by:Vorcht12
ID: 39183608
Ozo, it is not a one way hash, it is just obfuscated.  You can encode it as many times as you want with the same input and get the same result.

Yes, looking back I guess my question wasn't very clear.  I need to be able to choose any password and be able to come up with the same hex string as the original code.
0
 
LVL 84

Expert Comment

by:ozo
ID: 39183609
Second hex pair might be xor of all characters, except replace 00 with 55
0
 
LVL 84

Accepted Solution

by:
ozo earned 2000 total points
ID: 39183668
perl -le 'for( @ARGV ){$x=0;$x^=$_ for @x=unpack"C*",$_;$x||=0x55; $_+=$x for @x; print unpack("H*",pack"C*",0x7f,$x,@x),"  $_"}' a b c aa bb cc aaa bbb ccc ab ac ad aab aac aad aaaaaaaaaa bbbbbbbbbb  aaaaaaaaab
7f61c2  a
7f62c4  b
7f63c6  c
7f55b6b6  aa
7f55b7b7  bb
7f55b8b8  cc
7f61c2c2c2  aaa
7f62c4c4c4  bbb
7f63c6c6c6  ccc
7f036465  ab
7f026365  ac
7f056669  ad
7f62c3c3c4  aab
7f63c4c4c6  aac
7f64c5c5c8  aad
7f55b6b6b6b6b6b6b6b6b6b6  aaaaaaaaaa
7f55b7b7b7b7b7b7b7b7b7b7  bbbbbbbbbb
7f0364646464646464646465  aaaaaaaaab
0
 

Author Comment

by:Vorcht12
ID: 39184629
ozo,

I never got into perl, php is my language of preference.  I haven't tried to convert it yet, but that is next.  In the meantime here are the additional encoded strings you asked for earlier.

7F78F0 x
7F79F2 y
7F7AF4 z
7F55CECE yy
7F037C7D yz
7F037D7C zy
7F55CFCF zz
7F1B957C za
7F18927A zb
7F1B7C95 az
7F187A92 bz
7F036564 ba
7F62C3C4C3 aba
7F61C2C3C3 abb
7F62C4C3C3 baa
7F61C3C2C3 bab
7F61C3C3C2 bba
7F55B6B6B6B6 aaaa
7F0364646465 aaab
7F0364646564 aaba
7F0364646564 abaa
7F0365646464 baaa
7F55B7B7B7B7 bbbb
7F0365656564 bbba
7F0365656465 bbab
7F0365646565 babb
7F0364656565 abbb

Your solution sounds promising, I'll start trying to read / convert your code to php so I can test it myself.
0
 
LVL 84

Expert Comment

by:ozo
ID: 39184752
xor||55 hypothesis seems corroborated
perl -le 'for( @ARGV ){$x=0;$x^=$_ for @x=unpack"C*",$_;$x||=0x55; $_+=$x for @x; print unpack("H*",pack"C*",0x7f,$x,@x),"  $_"}' x y z yy yz zy zz za zb az bz ba aba abb baa bab bba aaaa aaab aaba abaa baaa bbbb bbba bbab babb abbb
7f78f0  x
7f79f2  y
7f7af4  z
7f55cece  yy
7f037c7d  yz
7f037d7c  zy
7f55cfcf  zz
7f1b957c  za
7f18927a  zb
7f1b7c95  az
7f187a92  bz
7f036564  ba
7f62c3c4c3  aba
7f61c2c3c3  abb
7f62c4c3c3  baa
7f61c3c2c3  bab
7f61c3c3c2  bba
7f55b6b6b6b6  aaaa
7f0364646465  aaab
7f0364646564  aaba
7f0364656464  abaa
7f0365646464  baaa
7f55b7b7b7b7  bbbb
7f0365656564  bbba
7f0365656465  bbab
7f0365646565  babb
7f0364656565  abbb
0
 

Author Comment

by:Vorcht12
ID: 39184849
I'm pretty confident you have solved this, but I am having trouble reading your level of perl (I'm impressed, it's extremely concise.)  :-)

This could be because I haven't dealt with hex values or even perl much but you seem to have some PHP knowledge too (from your profile).  Any chance you could help me create a PHP example to encode a string into it's obfuscated value?

Of course, if you want me to create another question in the PHP forums to find someone else to help with porting this I could do that too - it wasn't part of the question. :-/
0
 

Author Comment

by:Vorcht12
ID: 39185127
I went ahead and posted a question on the PHP section of Experts Exchange to port your perl script to PHP.  FYI, that question is: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28134741.html

As soon as I am able to reliably verify that this solves my issue I will close this problem and give you credit ozo.

Thanks!
0
 

Author Comment

by:Vorcht12
ID: 39185467
Ozo, there is a question from the other thread - how is the xor bit computed?

Is the XOR for  "abc" going to be computed by a XOR b = x, then x XOR c = final bitmap?
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39185533
0
 

Author Comment

by:Vorcht12
ID: 39185588
Looks like that worked.  Thanks so much for your help!

--David
0
 

Author Closing Comment

by:Vorcht12
ID: 39185597
Great Work!  I still can't believe you figured out the second digit was an xor with a 00 replacement.  Wow!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Q&A with Course Creator, Mark Lassoff, on the importance of HTML5 in the career of a modern-day developer.
We live in a world of interfaces like the one in the title picture. VBA also allows to use interfaces which offers a lot of possibilities. This article describes how to use interfaces in VBA and how to work around their bugs.
The viewer will learn how to count occurrences of each item in an array.
Six Sigma Control Plans

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question