Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: What Encryption is this ?
PostPosted: 29 Jul 2009 23:05 

Joined: 30 Apr 2009 21:06
Posts: 22
Hello Aluigi,

I have a crypted pass like this: 6C7E4DDC2D9CB150F63CD4

I'm wondering what encryption this is?

Thanks


 
 
 Post subject: Re: What Encryption is this ?
PostPosted: 29 Jul 2009 23:47 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Where did you get this hash from?
I checked a few places and tools (Cain and PasswordsPro), but I can't find anything similar at all.
It seems to be hex+num, 22 chars long, but that won't help to identify it.


 
 Post subject: Re: What Encryption is this ?
PostPosted: 29 Jul 2009 23:53 

Joined: 30 Apr 2009 21:06
Posts: 22
OK, because I'm also interested in how to know the algo of a given password :p
Here is some help for you: 6C7E4DDC2D9CB150F63CD4 = 3907841

I want to know how, from the crypted and decrypted password, you can know the algo used.

Cheers & thanks


 
 Post subject: Re: What Encryption is this ?
PostPosted: 30 Jul 2009 00:35 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I premise that a sequence of bytes can be anything, so your question and your doubt are wrong from the beginning.

Anyway, there are some rules to get an "idea" of what type or category of algorithm it can be.

For example, the string you pasted is probably a sequence of hex chars, so 22 chars which are 11 bytes.
11 bytes is a length not divisible by 16 or 8, so this excludes any algorithm which works with fixed blocks or data like Blowfish, AES and so on (otherwise the last bytes would be unencrypted).

Then it's not a simple XOR or ROT13 solution or any other byte-per-byte encoding or encryption (for example RC4) because the real password is smaller (7 bytes long).

So a custom algorithm is used which generates an encoded/encrypted sequence of bytes longer than the original one: a job for debugging.


 
 Post subject: Re: What Encryption is this ?
PostPosted: 30 Jul 2009 00:41 

Joined: 30 Apr 2009 21:06
Posts: 22
Alright, I see now, Aluigi,

so sometimes when we don't know the password algo we go debugging..

I have a question, Aluigi: if it was AES encryption, how can I know the key used?

Here is another decrypted string for you: 6A9D545256E3C50A34 = 12345

Thanks


 
 Post subject: Re: What Encryption is this ?
PostPosted: 30 Jul 2009 00:49 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
In that case you need to locate the function which sets the AES key, and this is a simple enough job because you can retrieve the S-boxes (practically the array with the constants) with my signsrch tool (http://aluigi.org/mytoolz.htm#signsrch), and so with a disassembler you see the function which calls/uses that S-box.

If the key is fixed and you are lucky, you could even find the key there in the disassembled code; otherwise you need to use the debugger.
In that case the key can be fixed (as happens almost always) or it's calculated at runtime using some unique fields of the computer (MAC address of the interfaces, ProductId of Windows, volume ID of C: and so on).


 
 Post subject: Re: What Encryption is this ?
PostPosted: 30 Jul 2009 00:54 

Joined: 30 Apr 2009 21:06
Posts: 22
Hmm, nice info Aluigi,

this will help me a lot as this is going to be my first decryption.

OK, here are 3 examples of decrypted and encrypted passwords:

6A9D545256E3C50A34 = 12345
6C7E4DDC2D9CB150F63CD4 = 3907841
C5D3F5979C5710C671B4 = abcdef

So what do you suggest I start from?

Thanks & much appreciated


 
 Post subject: Re: What Encryption is this ?
PostPosted: 30 Jul 2009 01:24 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The step-by-step is always the usual:
- find the input string (for example a breakpoint on ReadFile or GetQueryValueA depending on where the password is located)
- follow all the operations performed on it (hardware on-access breakpoints)

You already know that there is a hex2byte conversion somewhere in the program, so this is the first operation performed.

Then from the encrypted strings you pasted it is visible that there is an additional byte for each additional byte in the original password (so if the original is 7 bytes the encrypted one is 11, if it's 8 then it's 12 and so on), which means that there are always 4 bytes at the beginning of each encrypted string which "could be" (hypothesis) something like a seed (like a mini-key in very poor words) used in the encryption.
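
The length checks walked through in the replies above (block-size divisibility, ciphertext longer than plaintext, a constant 4-byte overhead), applied to the three sample pairs posted in the thread. This is an added example, not part of the original posts; the function names are hypothetical, and treating the 4 extra bytes as a leading seed is the thread's hypothesis, not an established fact.

```python
from binascii import unhexlify

# (hex ciphertext, plaintext) pairs exactly as posted in the thread.
SAMPLES = [
    ("6A9D545256E3C50A34", "12345"),
    ("6C7E4DDC2D9CB150F63CD4", "3907841"),
    ("C5D3F5979C5710C671B4", "abcdef"),
]
BLOCK_SIZES = (8, 16)  # 64-bit (Blowfish) and 128-bit (AES) block lengths

def profile(samples):
    """Decode each pair and record the lengths the thread reasons about."""
    rows = []
    for hex_ct, pt in samples:
        ct, pt = unhexlify(hex_ct), pt.encode("ascii")
        rows.append({
            "ct": ct, "pt": pt, "ct_len": len(ct), "pt_len": len(pt),
            "overhead": len(ct) - len(pt),
            "aligned_to": [b for b in BLOCK_SIZES if len(ct) % b == 0],
        })
    return rows

def shared_prefix_len(streams):
    """Number of leading byte positions on which every stream agrees."""
    n = 0
    for column in zip(*streams):
        if len(set(column)) != 1:
            break
        n += 1
    return n

def triage(samples):
    rows = profile(samples)
    overheads = {r["overhead"] for r in rows}
    fixed = overheads.pop() if len(overheads) == 1 else None
    result = {
        # Padded fixed-block output is always a multiple of the block size.
        "fixed_block_output": all(r["aligned_to"] for r in rows),
        # XOR, ROT13, RC4 and other byte-per-byte schemes keep the length.
        "length_preserving": fixed == 0,
        "fixed_overhead": fixed,
    }
    if fixed:  # hypothesis from the thread: the extra bytes are a leading seed
        result["distinct_prefixes"] = len({r["ct"][:fixed] for r in rows}) == len(rows)
        streams = [bytes(c ^ p for c, p in zip(r["ct"][fixed:], r["pt"])) for r in rows]
        result["shared_keystream_bytes"] = shared_prefix_len(streams)
    return result
```

On the three samples, `triage(SAMPLES)` reports a fixed overhead of 4 bytes, different leading bytes in every sample and no keystream bytes in common, which is consistent with the seed hypothesis but does not prove it.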


 
 Post subject: Re: What Encryption is this ?
PostPosted: 30 Jul 2009 18:42 

Joined: 30 Apr 2009 21:06
Posts: 22
Been working on it for 2 days, I could not figure it out, tried many things.
Damn :s


 
 Post subject: Re: What Encryption is this ?
PostPosted: 30 Jul 2009 18:45 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Can you tell me where you got this from?
Also, the original password can be more than just a word, you can use that for text too. So it means that the hash you pasted here can have many 'passwords' that generate the same hash.

