Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Help me solve obfuscation?
38 views
Skip to first unread message
Vorcht
May 20, 2013, 9:31:26 PM5/20/13
to
I am a web developer trying to reverse engineer a seemingly simple password obfuscation scheme. I have spent a few hours looking at the data and it seems like what I need now is a fresh pair of eyes and someone with a logic puzzle mindset. I assure you, this is not a hacking project. I need to be able to call on a web API that is undocumented and without source so I am trying to replicate what it already does. It is simple to see what is being done except for this password obfuscation. I have ruled out all the difficult encryptions (MD5, etc.), and it doesn't appear to have any salt or be affected by username or anything else I can see. If anyone has any ideas it would be of great help!
On the left is the hash it creates and on the right are the simple passwords I put through the original interface to get that hash:
7F61C2 a
7F62C4 b
7F63C6 c
7F55B6B6 aa
7F55B7B7 bb
7F55B8B8 cc
7F61C2C2C2 aaa
7F62C4C4C4 bbb
7F63C6C6C6 ccc
7F036465 ab
7F026365 ac
7F056669 ad
7F62C3C3C4 aab
7F63C4C4C6 aac
7F64C5C5C8 aad
and just for giggles:
7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa
7F55B7B7B7B7B7B7B7B7B7B7 bbbbbbbbbb
7F0364646464646464646465 aaaaaaaaab
To me it appears to be in hexadecimal, always starting with 7F. Then there is another hex character that does something, then the following hex values each represent a digit for the password. It looks quite simple until the aab example, which starts confusing me to no end. Let me know if you need more examples and what to try. I hope you are up to the challenge!
Thanks for any help you may gleam!
--David
On the left is the hash it creates and on the right are the simple passwords I put through the original interface to get that hash:
7F61C2 a
7F62C4 b
7F63C6 c
7F55B6B6 aa
7F55B7B7 bb
7F55B8B8 cc
7F61C2C2C2 aaa
7F62C4C4C4 bbb
7F63C6C6C6 ccc
7F036465 ab
7F026365 ac
7F056669 ad
7F62C3C3C4 aab
7F63C4C4C6 aac
7F64C5C5C8 aad
and just for giggles:
7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa
7F55B7B7B7B7B7B7B7B7B7B7 bbbbbbbbbb
7F0364646464646464646465 aaaaaaaaab
To me it appears to be in hexadecimal, always starting with 7F. Then there is another hex character that does something, then the following hex values each represent a digit for the password. It looks quite simple until the aab example, which starts confusing me to no end. Let me know if you need more examples and what to try. I hope you are up to the challenge!
Thanks for any help you may gleam!
--David
Daniel
May 21, 2013, 5:36:17 AM5/21/13
to
Al 21/05/13 03:31, En/na Vorcht ha escrit:
c4-62=62 ascii code of 'b'
etc
>
> 7F55B6B6 aa 7F55B7B7 bb 7F55B8B8 cc
>
> 7F61C2C2C2 aaa 7F62C4C4C4 bbb 7F63C6C6C6 ccc
>
> 7F036465 ab 7F026365 ac 7F056669 ad
>
> 7F62C3C3C4 aab 7F63C4C4C6 aac 7F64C5C5C8 aad
>
c3-62=61 ascii code for 'a'
c4-63=61 ascii code for 'a'
and so on
> and just for giggles:
>
> 7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa 7F55B7B7B7B7B7B7B7B7B7B7
> bbbbbbbbbb
b7-55=62 ascii code for 'b'
> 7F0364646464646464646465 aaaaaaaaab
>
> To me it appears to be in hexadecimal, always starting with 7F. Then
> there is another hex character that does something, then the
> following hex values each represent a digit for the password. It
> looks quite simple until the aab example, which starts confusing me
> to no end. Let me know if you need more examples and what to try. I
> hope you are up to the challenge!
>
> Thanks for any help you may gleam!
>
> --David
>
So ignore 7f, get the next byte and substract from it from the array of
bytes that follow. Hope might help. Remains open how to choose the
second byte, probably some checksum like in credit cards.
Regards
Daniel
> I am a web developer trying to reverse engineer a seemingly simple
> password obfuscation scheme. I have spent a few hours looking at the
> data and it seems like what I need now is a fresh pair of eyes and
> someone with a logic puzzle mindset. I assure you, this is not a
> hacking project. I need to be able to call on a web API that is
> undocumented and without source so I am trying to replicate what it
> already does. It is simple to see what is being done except for this
> password obfuscation. I have ruled out all the difficult encryptions
> (MD5, etc.), and it doesn't appear to have any salt or be affected by
> username or anything else I can see. If anyone has any ideas it
> would be of great help!
>
> On the left is the hash it creates and on the right are the simple
> passwords I put through the original interface to get that hash:
>
> 7F61C2 a 7F62C4 b 7F63C6 c
c2-61=61 ascii code of 'a'
> password obfuscation scheme. I have spent a few hours looking at the
> data and it seems like what I need now is a fresh pair of eyes and
> someone with a logic puzzle mindset. I assure you, this is not a
> hacking project. I need to be able to call on a web API that is
> undocumented and without source so I am trying to replicate what it
> already does. It is simple to see what is being done except for this
> password obfuscation. I have ruled out all the difficult encryptions
> (MD5, etc.), and it doesn't appear to have any salt or be affected by
> username or anything else I can see. If anyone has any ideas it
> would be of great help!
>
> On the left is the hash it creates and on the right are the simple
> passwords I put through the original interface to get that hash:
>
> 7F61C2 a 7F62C4 b 7F63C6 c
c4-62=62 ascii code of 'b'
etc
>
> 7F55B6B6 aa 7F55B7B7 bb 7F55B8B8 cc
>
> 7F61C2C2C2 aaa 7F62C4C4C4 bbb 7F63C6C6C6 ccc
>
> 7F036465 ab 7F026365 ac 7F056669 ad
>
> 7F62C3C3C4 aab 7F63C4C4C6 aac 7F64C5C5C8 aad
>
c4-63=61 ascii code for 'a'
and so on
> and just for giggles:
>
> 7F55B6B6B6B6B6B6B6B6B6B6 aaaaaaaaaa 7F55B7B7B7B7B7B7B7B7B7B7
> bbbbbbbbbb
> 7F0364646464646464646465 aaaaaaaaab
>
> To me it appears to be in hexadecimal, always starting with 7F. Then
> there is another hex character that does something, then the
> following hex values each represent a digit for the password. It
> looks quite simple until the aab example, which starts confusing me
> to no end. Let me know if you need more examples and what to try. I
> hope you are up to the challenge!
>
> Thanks for any help you may gleam!
>
> --David
>
bytes that follow. Hope might help. Remains open how to choose the
second byte, probably some checksum like in credit cards.
Regards
Daniel
jbrig...@gmail.com
May 22, 2013, 5:18:58 PM5/22/13
to
On Tuesday, May 21, 2013 5:36:17 AM UTC-4, Daniel wrote:
> Remains open how to choose the
>
> second byte, probably some checksum like in credit cards.
Compute the second byte as the XOR of the ASCII codes of the characters in the string. If the XOR comes to 00 then change to 55 instead. [Presumably
> Remains open how to choose the
>
> second byte, probably some checksum like in credit cards.
to avoid the all-too likely possibility of having a zero value leave the
hashed result as directly readable plaintext]
a => 61
b => 62
c => 63
aa => 55
bb => 55
cc => 55
aaa => 61
bbb => 62
ccc => 63
ab => 03
ac => 02
ad => 05
aab => 62
aac => 63
aad => 64
aaaaaaaaaa => 55
bbbbbbbbbb => 55
aaaaaaaaab => 03
Vorcht
May 23, 2013, 11:58:28 AM5/23/13
to
Very happy!
0 new messages