Help me solve obfuscation method?

Posted on 2013-05-20
Medium Priority
Last Modified: 2013-05-21
I am a web developer trying to reverse engineer a seemingly simple password obfuscation scheme.  I have spent a few hours looking at the data and it seems like what I need now is a fresh pair of eyes and someone with a logic puzzle mindset.  I assure you, this is not a hacking project.  I need to be able to call on a web API that is undocumented and without source so I am trying to replicate what it already does.  It is simple to see what is being done except for this password obfuscation.  I have ruled out all the difficult encryptions (MD5, etc.), and it doesn't appear to have any salt or be affected by username or anything else I can see.  If anyone has any ideas it would be of great help!

On the left is the hash it creates and on the right are the simple passwords I put through the original interface to get that hash:

7F61C2 a
7F62C4 b
7F63C6 c

7F55B6B6 aa
7F55B7B7 bb
7F55B8B8 cc

7F61C2C2C2 aaa
7F62C4C4C4 bbb
7F63C6C6C6 ccc

7F036465 ab
7F026365 ac
7F056669 ad

7F62C3C3C4 aab
7F63C4C4C6 aac
7F64C5C5C8 aad

and just for giggles:

7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa
7F55B7B7B7B7B7B7B7B7B7B7 bbbbbbbbbb
7F0364646464646464646465 aaaaaaaaab

To me it appears to be in hexadecimal, always starting with 7F. Then there is another hex character that does something, then the following hex values each represent a digit for the password.  It looks quite simple until the aab example, which starts confusing me to no end.  Let me know if you need more examples and what to try.  I hope you are up to the challenge!

Thanks for any help you may gleam!

Question by:Vorcht12
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 6
  • 4
  • +1
LVL 84

Expert Comment

ID: 39183445
Can you try
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39183479
There are some patterns.

7F61C2 a  61h = 'a' 61h * 2 = c2h
7F62C4 b  62h = 'b' 62h * 2 = c4h
7F63C6 c  63h = 'c'  63h * 2 =c6h

7F55B6B6 aa  55h + 61h = b6h and it's repeated twice if the number of chars is even
7F55B7B7 bb  55h + 62h = b7h
7F55B8B8 cc  55h = 63h = b8h

7F61C2C2C2 aaa  61h * 2 = c2h
7F62C4C4C4 bbb  62h * 2 = c4h
7F63C6C6C6 ccc   63h * 2 = c6h

7F036465 ab  61h + 3 = 64h, 62h + 3 = 65h
7F026365 ac  61h +2 = 63h, 63h + 2 = 65h
7F056669 ad

7F62C3C3C4 aab 62h = 'b', 61h + 62h = c3h, 62h + 62h = c4h (last char + prev char)
7F63C4C4C6 aac
7F64C5C5C8 aad

These use the rules above:
7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa
7F55B7B7B7B7B7B7B7B7B7B7 bbbbbbbbbb
7F0364646464646464646465 aaaaaaaaab

Actually it look like the hex pair in the second position is subtracted from all the following pairs to get the original code.  The 7f is ignored.

Author Comment

ID: 39183553
ozo, I will get that list encoded in the morning and get it posted.

Dave, interesting.  What I am needing to do is to encode a password following this example, where I can use any password and create the hash for it myself.  Do you see any similarities/patterns that would account for the hex pair in the second position?
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

LVL 84

Expert Comment

by:Dave Baldwin
ID: 39183576
I think the hex pair in the second position is either one of the characters or some semi-random choice.  From your examples above, I don't see any special requirement except that the results don't overflow usable hex values.  I would just try a bunch of values.  To create the hash, select the value and just add it to the characters in the password.
LVL 84

Expert Comment

ID: 39183577
the hex pair in the second position is subtracted from all the following pairs to
It remains to be explained how the second hex pair was obtained.  
Or was that a requirement to answer the question?
LVL 84

Expert Comment

ID: 39183583
Is the hash on the left always the same when given the same string on the right?
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39183587
While there are some simple patterns I can see, I don't think there is enough info to say for sure what the requirement maybe.  I think that some phrases that are more like passwords need to be used to get a better idea of what's going on.
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39183592
If the hash works the way I think it does, it does not have to return the same value each time for the same phrase.  The second hex pair can change which will change the hash but still give the same decoded result when subtracted from the rest of the hash.

Author Comment

ID: 39183608
Ozo, it is not a one way hash, it is just obfuscated.  You can encode it as many times as you want with the same input and get the same result.

Yes, looking back I guess my question wasn't very clear.  I need to be able to choose any password and be able to come up with the same hex string as the original code.
LVL 84

Expert Comment

ID: 39183609
Second hex pair might be xor of all characters, except replace 00 with 55
LVL 84

Accepted Solution

ozo earned 2000 total points
ID: 39183668
perl -le 'for( @ARGV ){$x=0;$x^=$_ for @x=unpack"C*",$_;$x||=0x55; $_+=$x for @x; print unpack("H*",pack"C*",0x7f,$x,@x),"  $_"}' a b c aa bb cc aaa bbb ccc ab ac ad aab aac aad aaaaaaaaaa bbbbbbbbbb  aaaaaaaaab
7f61c2  a
7f62c4  b
7f63c6  c
7f55b6b6  aa
7f55b7b7  bb
7f55b8b8  cc
7f61c2c2c2  aaa
7f62c4c4c4  bbb
7f63c6c6c6  ccc
7f036465  ab
7f026365  ac
7f056669  ad
7f62c3c3c4  aab
7f63c4c4c6  aac
7f64c5c5c8  aad
7f55b6b6b6b6b6b6b6b6b6b6  aaaaaaaaaa
7f55b7b7b7b7b7b7b7b7b7b7  bbbbbbbbbb
7f0364646464646464646465  aaaaaaaaab

Author Comment

ID: 39184629

I never got into perl, php is my language of preference.  I haven't tried to convert it yet, but that is next.  In the meantime here are the additional encoded strings you asked for earlier.

7F78F0 x
7F79F2 y
7F7AF4 z
7F55CECE yy
7F037C7D yz
7F037D7C zy
7F55CFCF zz
7F1B957C za
7F18927A zb
7F1B7C95 az
7F187A92 bz
7F036564 ba
7F62C3C4C3 aba
7F61C2C3C3 abb
7F62C4C3C3 baa
7F61C3C2C3 bab
7F61C3C3C2 bba
7F55B6B6B6B6 aaaa
7F0364646465 aaab
7F0364646564 aaba
7F0364646564 abaa
7F0365646464 baaa
7F55B7B7B7B7 bbbb
7F0365656564 bbba
7F0365656465 bbab
7F0365646565 babb
7F0364656565 abbb

Your solution sounds promising, I'll start trying to read / convert your code to php so I can test it myself.
LVL 84

Expert Comment

ID: 39184752
xor||55 hypothesis seems corroborated
perl -le 'for( @ARGV ){$x=0;$x^=$_ for @x=unpack"C*",$_;$x||=0x55; $_+=$x for @x; print unpack("H*",pack"C*",0x7f,$x,@x),"  $_"}' x y z yy yz zy zz za zb az bz ba aba abb baa bab bba aaaa aaab aaba abaa baaa bbbb bbba bbab babb abbb
7f78f0  x
7f79f2  y
7f7af4  z
7f55cece  yy
7f037c7d  yz
7f037d7c  zy
7f55cfcf  zz
7f1b957c  za
7f18927a  zb
7f1b7c95  az
7f187a92  bz
7f036564  ba
7f62c3c4c3  aba
7f61c2c3c3  abb
7f62c4c3c3  baa
7f61c3c2c3  bab
7f61c3c3c2  bba
7f55b6b6b6b6  aaaa
7f0364646465  aaab
7f0364646564  aaba
7f0364656464  abaa
7f0365646464  baaa
7f55b7b7b7b7  bbbb
7f0365656564  bbba
7f0365656465  bbab
7f0365646565  babb
7f0364656565  abbb

Author Comment

ID: 39184849
I'm pretty confident you have solved this, but I am having trouble reading your level of perl (I'm impressed, it's extremely concise.)  :-)

This could be because I haven't dealt with hex values or even perl much but you seem to have some PHP knowledge too (from your profile).  Any chance you could help me create a PHP example to encode a string into it's obfuscated value?

Of course, if you want me to create another question in the PHP forums to find someone else to help with porting this I could do that too - it wasn't part of the question. :-/

Author Comment

ID: 39185127
I went ahead and posted a question on the PHP section of Experts Exchange to port your perl script to PHP.  FYI, that question is: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28134741.html

As soon as I am able to reliably verify that this solves my issue I will close this problem and give you credit ozo.


Author Comment

ID: 39185467
Ozo, there is a question from the other thread - how is the xor bit computed?

Is the XOR for  "abc" going to be computed by a XOR b = x, then x XOR c = final bitmap?
LVL 111

Expert Comment

by:Ray Paseur
ID: 39185533

Author Comment

ID: 39185588
Looks like that worked.  Thanks so much for your help!


Author Closing Comment

ID: 39185597
Great Work!  I still can't believe you figured out the second digit was an xor with a 00 replacement.  Wow!

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses how to implement server side field validation and display customized error messages to the client.
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Simple Linear Regression
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question