Help me solve obfuscation method?

I am a web developer trying to reverse engineer a seemingly simple password obfuscation scheme.  I have spent a few hours looking at the data and it seems like what I need now is a fresh pair of eyes and someone with a logic puzzle mindset.  I assure you, this is not a hacking project.  I need to be able to call on a web API that is undocumented and without source so I am trying to replicate what it already does.  It is simple to see what is being done except for this password obfuscation.  I have ruled out all the difficult encryptions (MD5, etc.), and it doesn't appear to have any salt or be affected by username or anything else I can see.  If anyone has any ideas it would be of great help!

On the left is the hash it creates and on the right are the simple passwords I put through the original interface to get that hash:

7F61C2 a
7F62C4 b
7F63C6 c

7F55B6B6 aa
7F55B7B7 bb
7F55B8B8 cc

7F61C2C2C2 aaa
7F62C4C4C4 bbb
7F63C6C6C6 ccc

7F036465 ab
7F026365 ac
7F056669 ad

7F62C3C3C4 aab
7F63C4C4C6 aac
7F64C5C5C8 aad

and just for giggles:

7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa
7F55B7B7B7B7B7B7B7B7B7B7 bbbbbbbbbb
7F0364646464646464646465 aaaaaaaaab

To me it appears to be in hexadecimal, always starting with 7F. Then there is another hex character that does something, then the following hex values each represent a digit for the password.  It looks quite simple until the aab example, which starts confusing me to no end.  Let me know if you need more examples and what to try.  I hope you are up to the challenge!

Thanks for any help you may gleam!

Who is Participating?
perl -le 'for( @ARGV ){$x=0;$x^=$_ for @x=unpack"C*",$_;$x||=0x55; $_+=$x for @x; print unpack("H*",pack"C*",0x7f,$x,@x),"  $_"}' a b c aa bb cc aaa bbb ccc ab ac ad aab aac aad aaaaaaaaaa bbbbbbbbbb  aaaaaaaaab
7f61c2  a
7f62c4  b
7f63c6  c
7f55b6b6  aa
7f55b7b7  bb
7f55b8b8  cc
7f61c2c2c2  aaa
7f62c4c4c4  bbb
7f63c6c6c6  ccc
7f036465  ab
7f026365  ac
7f056669  ad
7f62c3c3c4  aab
7f63c4c4c6  aac
7f64c5c5c8  aad
7f55b6b6b6b6b6b6b6b6b6b6  aaaaaaaaaa
7f55b7b7b7b7b7b7b7b7b7b7  bbbbbbbbbb
7f0364646464646464646465  aaaaaaaaab
Can you try
Dave BaldwinFixer of ProblemsCommented:
There are some patterns.

7F61C2 a  61h = 'a' 61h * 2 = c2h
7F62C4 b  62h = 'b' 62h * 2 = c4h
7F63C6 c  63h = 'c'  63h * 2 =c6h

7F55B6B6 aa  55h + 61h = b6h and it's repeated twice if the number of chars is even
7F55B7B7 bb  55h + 62h = b7h
7F55B8B8 cc  55h = 63h = b8h

7F61C2C2C2 aaa  61h * 2 = c2h
7F62C4C4C4 bbb  62h * 2 = c4h
7F63C6C6C6 ccc   63h * 2 = c6h

7F036465 ab  61h + 3 = 64h, 62h + 3 = 65h
7F026365 ac  61h +2 = 63h, 63h + 2 = 65h
7F056669 ad

7F62C3C3C4 aab 62h = 'b', 61h + 62h = c3h, 62h + 62h = c4h (last char + prev char)
7F63C4C4C6 aac
7F64C5C5C8 aad

These use the rules above:
7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa
7F55B7B7B7B7B7B7B7B7B7B7 bbbbbbbbbb
7F0364646464646464646465 aaaaaaaaab

Actually it look like the hex pair in the second position is subtracted from all the following pairs to get the original code.  The 7f is ignored.
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Vorcht12Author Commented:
ozo, I will get that list encoded in the morning and get it posted.

Dave, interesting.  What I am needing to do is to encode a password following this example, where I can use any password and create the hash for it myself.  Do you see any similarities/patterns that would account for the hex pair in the second position?
Dave BaldwinFixer of ProblemsCommented:
I think the hex pair in the second position is either one of the characters or some semi-random choice.  From your examples above, I don't see any special requirement except that the results don't overflow usable hex values.  I would just try a bunch of values.  To create the hash, select the value and just add it to the characters in the password.
the hex pair in the second position is subtracted from all the following pairs to
It remains to be explained how the second hex pair was obtained.  
Or was that a requirement to answer the question?
Is the hash on the left always the same when given the same string on the right?
Dave BaldwinFixer of ProblemsCommented:
While there are some simple patterns I can see, I don't think there is enough info to say for sure what the requirement maybe.  I think that some phrases that are more like passwords need to be used to get a better idea of what's going on.
Dave BaldwinFixer of ProblemsCommented:
If the hash works the way I think it does, it does not have to return the same value each time for the same phrase.  The second hex pair can change which will change the hash but still give the same decoded result when subtracted from the rest of the hash.
Vorcht12Author Commented:
Ozo, it is not a one way hash, it is just obfuscated.  You can encode it as many times as you want with the same input and get the same result.

Yes, looking back I guess my question wasn't very clear.  I need to be able to choose any password and be able to come up with the same hex string as the original code.
Second hex pair might be xor of all characters, except replace 00 with 55
Vorcht12Author Commented:

I never got into perl, php is my language of preference.  I haven't tried to convert it yet, but that is next.  In the meantime here are the additional encoded strings you asked for earlier.

7F78F0 x
7F79F2 y
7F7AF4 z
7F55CECE yy
7F037C7D yz
7F037D7C zy
7F55CFCF zz
7F1B957C za
7F18927A zb
7F1B7C95 az
7F187A92 bz
7F036564 ba
7F62C3C4C3 aba
7F61C2C3C3 abb
7F62C4C3C3 baa
7F61C3C2C3 bab
7F61C3C3C2 bba
7F55B6B6B6B6 aaaa
7F0364646465 aaab
7F0364646564 aaba
7F0364646564 abaa
7F0365646464 baaa
7F55B7B7B7B7 bbbb
7F0365656564 bbba
7F0365656465 bbab
7F0365646565 babb
7F0364656565 abbb

Your solution sounds promising, I'll start trying to read / convert your code to php so I can test it myself.
xor||55 hypothesis seems corroborated
perl -le 'for( @ARGV ){$x=0;$x^=$_ for @x=unpack"C*",$_;$x||=0x55; $_+=$x for @x; print unpack("H*",pack"C*",0x7f,$x,@x),"  $_"}' x y z yy yz zy zz za zb az bz ba aba abb baa bab bba aaaa aaab aaba abaa baaa bbbb bbba bbab babb abbb
7f78f0  x
7f79f2  y
7f7af4  z
7f55cece  yy
7f037c7d  yz
7f037d7c  zy
7f55cfcf  zz
7f1b957c  za
7f18927a  zb
7f1b7c95  az
7f187a92  bz
7f036564  ba
7f62c3c4c3  aba
7f61c2c3c3  abb
7f62c4c3c3  baa
7f61c3c2c3  bab
7f61c3c3c2  bba
7f55b6b6b6b6  aaaa
7f0364646465  aaab
7f0364646564  aaba
7f0364656464  abaa
7f0365646464  baaa
7f55b7b7b7b7  bbbb
7f0365656564  bbba
7f0365656465  bbab
7f0365646565  babb
7f0364656565  abbb
Vorcht12Author Commented:
I'm pretty confident you have solved this, but I am having trouble reading your level of perl (I'm impressed, it's extremely concise.)  :-)

This could be because I haven't dealt with hex values or even perl much but you seem to have some PHP knowledge too (from your profile).  Any chance you could help me create a PHP example to encode a string into it's obfuscated value?

Of course, if you want me to create another question in the PHP forums to find someone else to help with porting this I could do that too - it wasn't part of the question. :-/
Vorcht12Author Commented:
I went ahead and posted a question on the PHP section of Experts Exchange to port your perl script to PHP.  FYI, that question is:

As soon as I am able to reliably verify that this solves my issue I will close this problem and give you credit ozo.

Vorcht12Author Commented:
Ozo, there is a question from the other thread - how is the xor bit computed?

Is the XOR for  "abc" going to be computed by a XOR b = x, then x XOR c = final bitmap?
Vorcht12Author Commented:
Looks like that worked.  Thanks so much for your help!

Vorcht12Author Commented:
Great Work!  I still can't believe you figured out the second digit was an xor with a 00 replacement.  Wow!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.