Solved

Help me solve obfuscation method?

Posted on 2013-05-20
Last Modified: 2013-05-21
I am a web developer trying to reverse engineer a seemingly simple password obfuscation scheme.  I have spent a few hours looking at the data and it seems like what I need now is a fresh pair of eyes and someone with a logic puzzle mindset.  I assure you, this is not a hacking project.  I need to be able to call on a web API that is undocumented and without source so I am trying to replicate what it already does.  It is simple to see what is being done except for this password obfuscation.  I have ruled out all the difficult encryptions (MD5, etc.), and it doesn't appear to have any salt or be affected by username or anything else I can see.  If anyone has any ideas it would be of great help!

On the left is the hash it creates and on the right are the simple passwords I put through the original interface to get that hash:

7F61C2 a
7F62C4 b
7F63C6 c

7F55B6B6 aa
7F55B7B7 bb
7F55B8B8 cc

7F61C2C2C2 aaa
7F62C4C4C4 bbb
7F63C6C6C6 ccc

7F036465 ab
7F026365 ac
7F056669 ad

7F62C3C3C4 aab
7F63C4C4C6 aac
7F64C5C5C8 aad

and just for giggles:

7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa
7F55B7B7B7B7B7B7B7B7B7B7 bbbbbbbbbb
7F0364646464646464646465 aaaaaaaaab

To me it appears to be in hexadecimal, always starting with 7F. Then there is another hex character that does something, then the following hex values each represent a digit for the password.  It looks quite simple until the aab example, which starts confusing me to no end.  Let me know if you need more examples and what to try.  I hope you are up to the challenge!

Thanks for any help you may gleam!

--David
Question by:Vorcht12
19 Comments
 
Expert Comment

by:ozo
Can you try
x
y
z
yy
yz
zy
zz
za
zb
az
bz
ba
aba
abb
baa
bab
bba
aaaa
aaab
aaba
abaa
baaa
bbbb
bbba
bbab
babb
abbb

Expert Comment

by:Dave Baldwin
There are some patterns.

7F61C2 a  61h = 'a' 61h * 2 = c2h
7F62C4 b  62h = 'b' 62h * 2 = c4h
7F63C6 c  63h = 'c' 63h * 2 = c6h

7F55B6B6 aa  55h + 61h = b6h and it's repeated twice if the number of chars is even
7F55B7B7 bb  55h + 62h = b7h
7F55B8B8 cc  55h + 63h = b8h

7F61C2C2C2 aaa  61h * 2 = c2h
7F62C4C4C4 bbb  62h * 2 = c4h
7F63C6C6C6 ccc   63h * 2 = c6h

7F036465 ab  61h + 3 = 64h, 62h + 3 = 65h
7F026365 ac  61h +2 = 63h, 63h + 2 = 65h
7F056669 ad

7F62C3C3C4 aab 62h = 'b', 61h + 62h = c3h, 62h + 62h = c4h (last char + prev char)
7F63C4C4C6 aac
7F64C5C5C8 aad

These use the rules above:
7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa
7F55B7B7B7B7B7B7B7B7B7B7 bbbbbbbbbb
7F0364646464646464646465 aaaaaaaaab

Actually it looks like the hex pair in the second position is subtracted from all the following pairs to get the original code.  The 7f is ignored.

Author Comment

by:Vorcht12
ozo, I will get that list encoded in the morning and get it posted.

Dave, interesting.  What I am needing to do is to encode a password following this example, where I can use any password and create the hash for it myself.  Do you see any similarities/patterns that would account for the hex pair in the second position?

Expert Comment

by:Dave Baldwin
I think the hex pair in the second position is either one of the characters or some semi-random choice.  From your examples above, I don't see any special requirement except that the results don't overflow usable hex values.  I would just try a bunch of values.  To create the hash, select the value and just add it to the characters in the password.

Expert Comment

by:ozo
the hex pair in the second position is subtracted from all the following pairs to
It remains to be explained how the second hex pair was obtained.  
Or was that a requirement to answer the question?

Expert Comment

by:ozo
Is the hash on the left always the same when given the same string on the right?

Expert Comment

by:Dave Baldwin
While there are some simple patterns I can see, I don't think there is enough info to say for sure what the requirement may be.  I think that some phrases that are more like passwords need to be used to get a better idea of what's going on.

Expert Comment

by:Dave Baldwin
If the hash works the way I think it does, it does not have to return the same value each time for the same phrase.  The second hex pair can change which will change the hash but still give the same decoded result when subtracted from the rest of the hash.

Author Comment

by:Vorcht12
Ozo, it is not a one way hash, it is just obfuscated.  You can encode it as many times as you want with the same input and get the same result.

Yes, looking back I guess my question wasn't very clear.  I need to be able to choose any password and be able to come up with the same hex string as the original code.

Expert Comment

by:ozo
Second hex pair might be xor of all characters, except replace 00 with 55

Accepted Solution

by:
ozo earned 500 total points
perl -le 'for( @ARGV ){$x=0;$x^=$_ for @x=unpack"C*",$_;$x||=0x55; $_+=$x for @x; print unpack("H*",pack"C*",0x7f,$x,@x),"  $_"}' a b c aa bb cc aaa bbb ccc ab ac ad aab aac aad aaaaaaaaaa bbbbbbbbbb  aaaaaaaaab
7f61c2  a
7f62c4  b
7f63c6  c
7f55b6b6  aa
7f55b7b7  bb
7f55b8b8  cc
7f61c2c2c2  aaa
7f62c4c4c4  bbb
7f63c6c6c6  ccc
7f036465  ab
7f026365  ac
7f056669  ad
7f62c3c3c4  aab
7f63c4c4c6  aac
7f64c5c5c8  aad
7f55b6b6b6b6b6b6b6b6b6b6  aaaaaaaaaa
7f55b7b7b7b7b7b7b7b7b7b7  bbbbbbbbbb
7f0364646464646464646465  aaaaaaaaab
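
A readable Python version of the scheme in the accepted answer, with the matching decoder; this is an added example, not code from ozo or from the original service. The function names are made up here, the XOR is a plain left fold over the bytes, and the wrap-around at 0xFF is an assumption because no sample in the thread overflows.

```python
from functools import reduce

PREFIX = 0x7F    # first byte of every sample on the page
ZERO_KEY = 0x55  # key byte used when the XOR of all bytes is 0 ("aa", "zz")

# A few input/output pairs copied from the thread, used by check_samples().
SAMPLES = {"a": "7F61C2", "aa": "7F55B6B6", "ab": "7F036465",
           "aab": "7F62C3C3C4", "za": "7F1B957C", "bbab": "7F0365656465"}


def derive_key(data: bytes) -> int:
    """XOR all bytes left to right ((b0 ^ b1) ^ b2 ...); 0 becomes 0x55."""
    return reduce(lambda acc, b: acc ^ b, data, 0) or ZERO_KEY


def encode(password: str) -> str:
    data = password.encode("latin-1")  # one byte per character
    key = derive_key(data)
    # Assumption: sums wrap modulo 256. 7-bit ASCII input never gets there
    # (0x7F + 0x7F = 0xFE), so the thread's samples cannot confirm this.
    body = bytes((b + key) & 0xFF for b in data)
    return (bytes([PREFIX, key]) + body).hex().upper()


def decode(obfuscated: str) -> str:
    raw = bytes.fromhex(obfuscated)
    if len(raw) < 2 or raw[0] != PREFIX:
        raise ValueError("expected a 7F prefix and a key byte")
    key, body = raw[1], raw[2:]
    data = bytes((b - key) & 0xFF for b in body)
    # The key is redundant with the payload, so it doubles as a sanity check.
    if derive_key(data) != key:
        raise ValueError("key byte does not match XOR of decoded bytes")
    return data.decode("latin-1")


def check_samples() -> list:
    """Return the sample passwords whose encoding or round trip disagrees."""
    return [pw for pw, hexed in SAMPLES.items()
            if encode(pw) != hexed or decode(hexed) != pw]


if __name__ == "__main__":
    print(check_samples() or "all samples reproduce")
    print(encode("abc"), decode("7F18927A"))
```

Because the key byte is sent in the clear right after the 7F prefix, anyone who sees the encoded string can run `decode` on it; the encoding hides the password from a casual glance and nothing more.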

Author Comment

by:Vorcht12
ozo,

I never got into perl, php is my language of preference.  I haven't tried to convert it yet, but that is next.  In the meantime here are the additional encoded strings you asked for earlier.

7F78F0 x
7F79F2 y
7F7AF4 z
7F55CECE yy
7F037C7D yz
7F037D7C zy
7F55CFCF zz
7F1B957C za
7F18927A zb
7F1B7C95 az
7F187A92 bz
7F036564 ba
7F62C3C4C3 aba
7F61C2C3C3 abb
7F62C4C3C3 baa
7F61C3C2C3 bab
7F61C3C3C2 bba
7F55B6B6B6B6 aaaa
7F0364646465 aaab
7F0364646564 aaba
7F0364646564 abaa
7F0365646464 baaa
7F55B7B7B7B7 bbbb
7F0365656564 bbba
7F0365656465 bbab
7F0365646565 babb
7F0364656565 abbb

Your solution sounds promising, I'll start trying to read / convert your code to php so I can test it myself.

Expert Comment

by:ozo
xor||55 hypothesis seems corroborated
perl -le 'for( @ARGV ){$x=0;$x^=$_ for @x=unpack"C*",$_;$x||=0x55; $_+=$x for @x; print unpack("H*",pack"C*",0x7f,$x,@x),"  $_"}' x y z yy yz zy zz za zb az bz ba aba abb baa bab bba aaaa aaab aaba abaa baaa bbbb bbba bbab babb abbb
7f78f0  x
7f79f2  y
7f7af4  z
7f55cece  yy
7f037c7d  yz
7f037d7c  zy
7f55cfcf  zz
7f1b957c  za
7f18927a  zb
7f1b7c95  az
7f187a92  bz
7f036564  ba
7f62c3c4c3  aba
7f61c2c3c3  abb
7f62c4c3c3  baa
7f61c3c2c3  bab
7f61c3c3c2  bba
7f55b6b6b6b6  aaaa
7f0364646465  aaab
7f0364646564  aaba
7f0364656464  abaa
7f0365646464  baaa
7f55b7b7b7b7  bbbb
7f0365656564  bbba
7f0365656465  bbab
7f0365646565  babb
7f0364656565  abbb

Author Comment

by:Vorcht12
I'm pretty confident you have solved this, but I am having trouble reading your level of perl (I'm impressed, it's extremely concise.)  :-)

This could be because I haven't dealt with hex values or even perl much but you seem to have some PHP knowledge too (from your profile).  Any chance you could help me create a PHP example to encode a string into its obfuscated value?

Of course, if you want me to create another question in the PHP forums to find someone else to help with porting this I could do that too - it wasn't part of the question. :-/

Author Comment

by:Vorcht12
I went ahead and posted a question on the PHP section of Experts Exchange to port your perl script to PHP.  FYI, that question is: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28134741.html

As soon as I am able to reliably verify that this solves my issue I will close this problem and give you credit ozo.

Thanks!

Author Comment

by:Vorcht12
Ozo, there is a question from the other thread - how is the xor bit computed?

Is the XOR for  "abc" going to be computed by a XOR b = x, then x XOR c = final bitmap?

Expert Comment

by:Ray Paseur

Author Comment

by:Vorcht12
Looks like that worked.  Thanks so much for your help!

--David

Author Closing Comment

by:Vorcht12
Great Work!  I still can't believe you figured out the second digit was an xor with a 00 replacement.  Wow!