Friday, April 18, 2014
HellBound Hackers | Computer General | Cryptography

Author

BASE64 and XOR

lostuser
Member


Posts: 2
Location:
Joined: 03.04.13
Rank:
Newbie
Posted on 05-04-13 21:20
Hello and thank you so much for giving your precious time reading my question.

First I'd like to say, while doing those Basic challenges, I learned more about the internet than I ever did before. Thank you so much. (Every time I got a question right, I was shouting "15 points for Gryffindor" :-) ).

I have kind of a problem. From time to time, we do computer-based tests at work. Most of them are easy, some are very hard. It is a test about rules and laws concerning our work. We clean aircraft and load bags into aircraft, and from time to time we drive passengers to the aircraft or to the terminal. Working at the airport is big fun.

We tried to make a "helper" tool for the testing.

One day during work, we were able to have a look at the testing system.

It is a very simple system. After starting the .exe, the program creates an MS ACCESS 2000 file in the local program's folder. This database is password protected, but after googling we were able to obtain the password.

The database contains 100 questions; its structure is very simple:
'running number' + 'Question' + 'correct answer' + 'wrong_answer_1' + 'wrong_answer_2' + 'wrong_answer_3'.
We always have to do 100 Questions out of a big pool.

After 4+ weeks of intense googling, I was able to write my very first Visual Studio .NET program. I am very proud of this milestone.
The program runs on the work computer very well. Before we start the test, we can open up the helper tool and switch between it and the test program with alt+tab. The tool shows the running number and the correct answer. With the A and D keys, the user can go to the next or previous question.

From observation, we are sure that the order of database entries is the same as the order of asked questions. The possible answers get shuffled by the testing program before asking.


But we have still one huge problem. The questions and answers are encrypted.
They look like:
60HS25Bn1xnk9w1rNe3+wA==

The Internet told me that it is maybe BASE64, but after thinking and trying I don't believe it.
Maybe it is something like XOR + BASE64 + parity?

I tried to change letters within the database, but every time I changed a single letter, one answer field stayed empty:

60HS25Bn1xnk9w1rNe3+wA== ---> PANS-OPS means:
70HS25Bn1xnk9w1rNe3+wA== ---> (blank)
xx60HS25Bn1xnk9w1rNe3+wA== ---> (blank)
60HS25Bn1xnk9w1rNe3+wA== ---> PANS-OPS means:

Last week I noticed that there are only questions/answers with these numbers of letters:
24 (always == at the end)
44 (always =at the end)
64 nothing special
88 (always == at the end)
108 (always = at the end)
128 nothing special
152 (always == at the end)
172 (always = at the end)
192 nothing special
216 (always == at the end)
236 (always = at the end)
256 nothing special
280 (always == at the end)
320 nothing special
344 (always == at the end)
364 (always = at the end)
384 nothing special
408 (always == at the end)
512 nothing special

I made a small letter count for you; maybe it helps:

(1000 Questions / 4 answers each)
[F] => 3259
[0] => 3266
[O] => 3373
[S] => 3368
[9] => 3403
[6] => 3272
[1] => 3433
[Q] => 3980
[B] => 3194
[l] => 3304
[Z] => 3418
[D] => 3300
[N] => 3327
[t] => 3322
[V] => 3327
[s] => 3486
[f] => 3393
[z] => 3368
[=] => 5495
[I] => 3424
[5] => 3449
[G] => 3383
[b] => 3343
[c] => 3506
[x] => 3362
[W] => 3313
[w] => 3954
[L] => 3417
[y] => 3358
[n] => 3450
[e] => 3315
[j] => 3445
[U] => 3489
[a] => 3322
[Y] => 3404
[g] => 4061
[q] => 3255
[k] => 3435
[r] => 3338
[i] => 3318
[4] => 3415
[m] => 3304
[d] => 3345
[2] => 3343
[/] => 3378
[J] => 3427
[K] => 3406
[v] => 3313
[A] => 3968
[h] => 3402
[o] => 3443
[p] => 3417
[7] => 3298
[3] => 3322
[T] => 3420
[P] => 3198
[H] => 3212
[E] => 3485
[u] => 3288
[X] => 3161
[8] => 3453
[M] => 3305
[+] => 3299
[R] => 3385
[C] => 3338

imageshack.us/a/img833/9151/indexphpe.png


I know for sure that those Q/A belong to these encrypted strings (changed one letter each time).

PANS-OPS means:
60HS25Bn1xnk9w1rNe3+wA==

Procedures for Air Navigation Systems - Airfield operations
rSpBFEHLRLdgFl0zZIoC9I7KatfV3l2IwWZuE3hDvkyE4qgsuC3OpXtBbhwEBy0fLoUlmVwEzT+gHCdeoETmaw==

Procedures for Air Navigation Services - Aircraft operations
rSpBFEHLRLdgFl0zZIoC9AADGZ0Bevq5p3t23vfa7Of66eWwlSE36oi1NOqj124UFE99Df/QEVkAXWw/CDfceA==

Pilots Alternate Navigational Systems and Operational Procedures
D7o+YgYxGS0oSSPOtlbwKHcVQsdbNea6XcBJfdLND9lbbYsFZcpU/VeHRd01RdyD9lNCy1LDEXhPh2kB1Un2WQ==

Primary and Alternate Navigation Systems and Operations
Rf1ml49fLxNxKvjcQpjQWCGwSi2eeGWQKF6vSNKHEKgahqaqJPTjl1WXUai3cUuZ4KpKq4fmil1Jv45Fdw2+PA==



AND:


The right to damages is lost if an action is not brought within 2 years, this time starts from:
KBHF1SrepHhfHLIrQpJGJ1oaO0F8vqltivgauSEOEeblRvNM9akgAo3dpRsIsbfcsWuXL7350Rl0sLnwM45VNUjEV/VEG+It3jspdyeFemvy6wVGidU9lrg7+0UeAdwS

The date of arrival at the destination
ZYX+DNuBV9+itRBFb7q7atnAhHhZW+WZ30AYQHKU0H4R05+AFi/HGQOdlR2OS6Ek

The date of arrival at the destination, or from the date on which the carriage ceased 85
ZYX+DNuBV9+itRBFb7q7atnAhHhZW+WZ30AYQHKU0H5cPPCk4aBZB9Nk+bV4ARMSco6OBAEyE16dg1LqmodYV2vSbQD5lIO7hkE1e6m9VLnNbcSz5OfO/uW2L7ygXBld 128

The date of arrival at the destination, or from the time at which the aircraft ought to have arrived, or from the date on which the carriage ceased 147
ZYX+DNuBV9+itRBFb7q7atnAhHhZW+WZ30AYQHKU0H5cPPCk4aBZB9Nk+bV4ARMSW4/gNFE879bD9zKs2bjb3iR5zgDmtqpFA/7Sls3mG6e+S8AD5/9C0fhNdkvLWcB94XZbmair7mfVpZjj311B4PpeRthlRp0/qKYfSwX57/WLRsy4zMeuzOTOa70dEgmBGmMX7OY2fDm3EH8AsyK8Aw== 216

The date of arrival at the destination, or from the date on which the aircraft ought to have arrived, or from the date on which the carriage ceased
ZYX+DNuBV9+itRBFb7q7atnAhHhZW+WZ30AYQHKU0H5cPPCk4aBZB9Nk+bV4ARMSco6OBAEyE16dg1LqmodYV5ojpQSSE3kE25CiBgL8vXK4LTNAQvRMPpivk0ai7S1z4eDpAoF5HMjLnxT3eRlQo3DfQa/IEs/VA18m0fQd5TJE6tWr53EOMPVIbCSfaBB85YAEcVAuWP7pN3qpA/YHpw==





We have to do this test regularly. If I don't do it, I lose my insurance discount. The accident insurance pays in case of me damaging a passenger bag during loading or unloading.
(Check your bag after you receive it back. You don't believe how some people treat your stuff.)


Thank you for dealing with my basic English and thank you for your precious time.
Have you seen this before?
Do you know how to decrypt this?
Or can you give me a hint / reading recommendation?



Edited by rex_mundi on 05-04-13 22:14
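The three regularities the post above reports (decoded lengths that are always a multiple of 16, a single block for a 15-character answer, and identical ciphertext prefixes wherever two answers share a plaintext prefix) can be checked mechanically against its own samples. This is an added example, not code from the thread; it assumes the plaintexts are single-byte ASCII and PKCS#7-padded, which the observed lengths support. From a product-review standpoint this is the check that flags a deterministic block mode (ECB-style, fixed key, no IV), which leaks equal-prefix structure however strong the cipher itself is.

```python
import base64
from functools import reduce
from itertools import combinations
from math import gcd

# Plaintext/ciphertext pairs exactly as quoted in the post above (the poster's own samples).
PAIRS = [
    ("PANS-OPS means:", "60HS25Bn1xnk9w1rNe3+wA=="),
    ("Procedures for Air Navigation Systems - Airfield operations",
     "rSpBFEHLRLdgFl0zZIoC9I7KatfV3l2IwWZuE3hDvkyE4qgsuC3OpXtBbhwEBy0fLoUlmVwEzT+gHCdeoETmaw=="),
    ("Procedures for Air Navigation Services - Aircraft operations",
     "rSpBFEHLRLdgFl0zZIoC9AADGZ0Bevq5p3t23vfa7Of66eWwlSE36oi1NOqj124UFE99Df/QEVkAXWw/CDfceA=="),
    ("The date of arrival at the destination",
     "ZYX+DNuBV9+itRBFb7q7atnAhHhZW+WZ30AYQHKU0H4R05+AFi/HGQOdlR2OS6Ek"),
    ("The date of arrival at the destination, or from the date on which the carriage ceased",
     "ZYX+DNuBV9+itRBFb7q7atnAhHhZW+WZ30AYQHKU0H5cPPCk4aBZB9Nk+bV4ARMSco6OBAEyE16dg1LqmodYV2vSbQD5lIO7hkE1e6m9VLnNbcSz5OfO/uW2L7ygXBld"),
]

def block_size(ciphertexts):
    """GCD of the decoded lengths; for a padded block cipher this is the block size."""
    return reduce(gcd, (len(base64.b64decode(c)) for c in ciphertexts))

def pkcs7(data, bs):
    """Assumed padding: always append 1..bs bytes, each equal to the pad length."""
    n = bs - len(data) % bs
    return data + bytes([n]) * n

def lengths_consistent(pairs, bs):
    """True if every ciphertext is exactly as long as its padded ASCII plaintext."""
    return all(len(base64.b64decode(c)) == len(pkcs7(p.encode("ascii"), bs)) for p, c in pairs)

def shared_leading_blocks(a, b, bs):
    """Number of leading bs-byte blocks that are identical in both byte strings."""
    n = 0
    for i in range(0, min(len(a), len(b)), bs):
        if a[i:i + bs] != b[i:i + bs]:
            break
        n += 1
    return n

def ecb_evidence(pairs, bs):
    """Per sample pair: (shared leading plaintext blocks, shared leading ciphertext blocks).
    Equal counts everywhere mean equal plaintext blocks always give equal ciphertext blocks,
    the fingerprint of ECB or any fixed-key, no-IV mode; a fresh IV per record would give 0."""
    pts = [pkcs7(p.encode("ascii"), bs) for p, _ in pairs]
    cts = [base64.b64decode(c) for _, c in pairs]
    return {(i, j): (shared_leading_blocks(pts[i], pts[j], bs),
                     shared_leading_blocks(cts[i], cts[j], bs))
            for i, j in combinations(range(len(pairs)), 2)}
```

Running `ecb_evidence(PAIRS, block_size([c for _, c in PAIRS]))` gives (1, 1) for the two "Procedures for Air Navigation ..." answers and (2, 2) for the two "The date of arrival ..." answers, with (0, 0) for every other pair: each shared 16-byte plaintext block reappears as a shared ciphertext block.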

RE: BASE64 and XOR

elmiguel
Member



Posts: 160
Location: Your Computer
Joined: 12.12.07
Rank:
God
Posted on 06-04-13 00:40
Wow, a lot of info here!

Well, the info on the testing and possible setup is close to what I do for my work. I work at a state college and I am the head system administrator for our online LMS. Although our tests are heavily encrypted, I see a similar pattern. Could there be a simple concatenation going on here? For example:

TestName(b64)+Question(b64)+CorrectANS(64)+Seed? = output(b64)

For base64, == will always be at the end; sometimes just one ;). I would try taking the test bank data and try caching the single components in base64 and inserting them into another table. This way you can hit the table during an algorithm test analysis.

This is just an assumption. It would help if there was more information in the program that creates these tests. You might want to debug it, Immunity Debugger / OllyDbg / or whatever you use, and look to see if some of the algorithms aren't too heavily protected or shifted in memory during run time. Check the stack and look to see how the extract (test output) is being calculated.

If all goes well you can decrypt it faster than trial and error.


The philosophy of one century is the common sense of the next. -Fortune Cookie

I would like to thank a few friends that I have made here that helped me and deserve to be mentioned:
System_Meltdown, Futility, nvrlivenvrdie, Mastergamer, TrueHacker, S1L3NTKn1GhT, Reelix, ynori7, Demons Halo, kryptor


RE: BASE64 and XOR

ArgonQ
Member


Posts: 17
Location:
Joined: 20.11.09
Rank:
God
Posted on 06-04-13 01:48
I'm with elmiguel: "Wow!",
that's the most epic post I have ever seen.
Also intriguing; if I were a suspicious person, I would note:
someone with basic English,
can spell Gryffindor correctly,
is working at an English-speaking airport,
has enough free access to the test machine that he can examine the exe internally,
is answering questions about 'Pilots.. Procedures',
can spend 4 weeks googling, learning to program and doing cryptanalysis instead of learning the answers.
Curious.
However, I am not suspicious, so I would go with elmiguel's recommendation:
crack the exe and rip the algo.
(That is one fishy post though).

RE: BASE64 and XOR

elmiguel
Member



Posts: 160
Location: Your Computer
Joined: 12.12.07
Rank:
God
Posted on 06-04-13 02:31
I do agree with ArgonQ as well, this is very odd. Hopefully this isn't some sort of ploy to get someone to help crack sensitive data that could be exploitable for harm.

If you are indeed trying to learn the system for analysis, I am sure that if you are of the right position at your job you can get support for this product and should have some documentation about how the program works. If you are on the tech side and the main operator of the software you should have direct access to a ticket help support system or contact with the software developer. If you are testing the security of this software then my original post stands: you must figure out how the app runs and calculates before moving forward on decrypting. This would be basic recon on this task that anyone would have to start off on. If you are up to the task then it shouldn't be hard to learn.

I would like to say that I take no responsibility for how you proceed, and if something goes awry, this is solely on you. This obviously goes without saying, to everyone here at HBH: messing around with airline procedures and property is a serious offense and we (HBH) take no part in such matters as a whole or as a single person.

As a caution, I would like to say to the admins to watch this post and shut it down if indeed this is more than meets the eye. The last thing I need is to be brought into questioning about some person online whom I never meet asking if I was aware of the event that took place. Sorry if I seem paranoid, but the post does seem a little off.



Edited by elmiguel on 06-04-13 02:34

RE: BASE64 and XOR

lostuser
Member


Posts: 2
Location:
Joined: 03.04.13
Rank:
Newbie
Posted on 11-04-13 14:36
Hello friends,

I spent most of my free evenings with paper/pencil and Excel, scribbling down my guesses and trials, until my girlfriend was going mad. We went to the cinema. Fun times.

I spoke with my supervisor. I asked him about a copy of the program designed for home training. But he refused, forwarding me to the developer company. I called them. They will sell me an identical program for 6000 RUB. Without a copy this is a dead end now.
But buying the program is a month's money. I must think about the next step.


My friends, here is no conspiracy : - )

Word's spell checker knows how to write Gryffindor. I don't.
Yes, we need to speak English at airport, because pilot guys shout at you in English.

This entire thing has nothing to do with the airline, but with "working at the airport". Stuff like
right of way: car or big plane (always plane),
what will you do if you see fire: go away, not your business, or call the airport authority.

Or difficult one: In bad weather there is called "Bad weather operation". During "Bad weather operation" no one is allowed in ILS radiation area, or landing signal will be disoriented.

It is law in country, that if you work at airport, you have to do knowledge check up-test regularly. But it does not state what happens if you have bad marks or good marks.
We had one weekend training that's it, that was 14 years ago. no school, no book. government gives a shit about your marks. only boss is interested. You work hard, but bad marks you get wage cut and pay more insurance.

You work hard and make one test with good marks, you get more money. Hurray.
Next day you come to work --> big surprise: random check up test. every day/second day testing until you make bad test. big shit.

There is cleaning personnel for only the public area. Whining floors and making toilets very shiny. Hard work, dirty work. But they do a similar test. A cleaning lady does not need to know who has right of way. They don't even have a driving license.

Working here is ok. Working conditions are ok. during winter, rooms are heated, easy work and good money.
but always you have to make compromise. Or someone else will take your position.

So long my friends.
I will give you all update after progress.
Stay in school.