Sign in to follow this  
Followers 0
chronomex

Unknown password hash format

5 posts in this topic

Has anyone ever seen a password hashing/encryption method that looks like these examples?

  • luje!svj. (suspected plaintext "indspw")
  • luwr!cn!!!! (suspected plaintext "crftpw")
  • !KV!!Y!S (this could also be "crftpw" instead)
  • j1b1rvn*!01! (plaintext unknown)

I'm pulling these from a hexdump, so these strings might either have extra crap at the end, or be zero-filled up to 12 bytes.  In the dump they're aligned.

 

My money's on a modified base64, which would turn these into 8 octets.  However, base64 has two punctuation characters, whereas these have three ('.', '!', and '*').

 

Your thoughts?

Edited by chronomex
0

Share this post


Link to post
Share on other sites

I thought I'd give a bit of an update to this. I've looked into these hashes independently as well. luwr!cn!!!! and luje!svj. are indeed crftpw and indspw in plaintext. I don't know anything about the encoding scheme, but if anybody would like to look into it, I can encode any passphrase you want with it.

 

For what it's worth, they don't seem to be salted or anything along those lines. You can overwrite one password with the other, and it'll be accepted without question.

 

EDIT: I'm a noob and have no idea how salting works. Nevermind me. My offer stands, though :) .

Edited by ThoughtPhreaker
0

Share this post


Link to post
Share on other sites

I don't think it's hashed. I think it's obfuscated. Also, from googling, I think I know it is from. ;)

 

Look at the tools the developer had available to obfuscated credentials stored in the file you have got. 

 

My guess: it's using a combination of base64 and xor obfuscation. All you need to do is make a tool that will base64 encode/xor in different combinations, and stop and write to a file when a combination is found that takes a known plaintext and gets the obfuscated result.

 

Good luck!

0

Share this post


Link to post
Share on other sites
Also, from googling, I think I know it is from. ;%29.gif

>.>

<.<

 

Look at the tools the developer had available to obfuscated credentials stored in the file you have got.

 

Unfortunately, that's a bit of a tough one; the developer coded the OS from scratch in the mid-80's, and also pretty much developed most of the modern world as we know it. For what it's worth, they also introduced the abilitity to run Unix executables, though this was at least a couple years into the OS's lifespan. The obfuscation probably predates that.

 

I will say that if you do a ramdump of the process responsible for storing passwords, !KV!!Y!S appears in the exact spot as a password would be for any vacant accounts. I'll have to look into xor'ing myself in a bit, but I think this string having some hand in the obfuscation process would make the most sense.

0

Share this post


Link to post
Share on other sites

 

the developer coded the OS from scratch in the mid-80's

 

Yes, I know. I know what kind of file it is.

 

He probably used C.  Why not just use an algorithm or key to xor the values? 

 

This might help: http://computer-forensics.sans.org/blog/2013/05/14/tools-for-examining-xor-obfuscation-for-malware-analysis

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0