which cipher is this?
Results 1 to 8 of 8

Thread: which cipher is this?

  1. #1
    Banned
    Join Date
    Jul 2006
    Posts
    12

    which cipher is this?

    !CRYPT!103CF0A0C28A711EB964F627A3B


    some site says its md5, but cain does not accept it even if i paste it without the !CRYPT!

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    How odd...

    I punch that into google and I get this from a registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion]

    "Application Path"="e:\\Trend Micro\\OfficeScan Client\\"

    "EnableClientEventLog"=dword:00000001

    "Mode"=dword:00000001

    "ProxyPort"=dword:00000050

    "UseProxy"=dword:00000000

    "ServerPort"=dword:00000050

    "Server"="192.9.200.3"

    "ProxyServer"=""

    "ProxyLogin"=""

    "ProxyPwd"="!CRYPT!103CF0A0C28A711EB964F627A3B"
    An exact match.. care to tell us what you're doing?
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    it's a 256 bit password/phrase in hexadecimal format;

    if you don't know what is, you probably shouldn't be able to/have access to it, and are probably doing something you shouldn't be; unless you can prove so otherwise

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Actually, I think it is a 96bit ciphertext (skipping the first three hexadecimals).
    There is a decryption algorithm in pwd.dll with the appropriate key.
    The given Proxy-Password "Proxy_Pwd=!CRYPT!103D59D1CBE85FE9A124F627A3B"
    corresponds to the default password.

    TrendMicro's OfficeScan actually is quite a nice piece of work.
    Certainly, anyone installing it in a corporate environment will
    have a look at its files - and its registry entries. In particular,
    ofcscan.ini is interesting - there, besides the Proxy_Pwd, the master
    key (which you enter at installation time), the uninstall (and unload) keys are
    stored (encrypted md5-hash of the actual keys). Encrypting
    them with the keys provided in another executable, will just give
    you the md5-hashes.

    All this is known...even TrendMicro knows that this is known


    NB: Skip those sites claiming it is a MD5 hash. A MD5 hash is
    a 128bit hash, represented by 32 hexadecimals.

    Cheers
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  5. #5
    Banned
    Join Date
    Jul 2006
    Posts
    12
    i always get that - "if you don't know what is, you probably shouldn't be able to/have access to it, and are probably doing something you shouldn't be; unless you can prove so otherwise"


    anyway yes it trendmicro's office scan and i put up teh google hash coz i didnt wanna put up mine.....from what i came to know is that the md5 is encrpyted (again) and then presented in this format....

    just wanted to learn.....thats all.....this was something new which cain/jtripper or any other program wouldnt accept so i just wanted to know what this new thing was......

    anyway......is there any program to 'unmask' it?

  6. #6

    Re: which cipher is this?

    Originally posted here by C47
    !CRYPT!103CF0A0C28A711EB964F627A3B


    some site says its md5, but cain does not accept it even if i paste it without the !CRYPT!
    http ftp certification code, like HTRegz says: "punch that into google and I get this from a registry dump".

    The cert is a essential registry for www transactions, one of my virus work attack this registry and put the the value "dword norad = !CRYPT!103CF0A0C28A711EB964F627A99" see the final 99 inserted. for irc pre authenticated...


    so the ProxyPwd reffers a hexadecimal cypher:


    the code:

    Code:
    public static string doHttpGet(string webURL, string sParameters)
    { 
    	HttpWebResponse webRes = null;
    	HttpWebRequest webReq = null;
    	WebProxy webProxy = null;
    
    	string httpResponse = "";
    	sParameters = HttpUtility.UrlEncode(sParameters);
    
    	string proxyAddr = ConfigurationSettings.AppSettings["ProxyAddr"];
    	string proxyPort = ConfigurationSettings.AppSettings["ProxyPort"];
    	if(ConfigurationSettings.AppSettings["EnableProxy"] == "1" &&
    		proxyAddr != null && proxyAddr.Length > 0 && proxyPort != null)
    	{
    		try
    		{
    			webProxy = new WebProxy(proxyAddr, int.Parse(proxyPort));
    		}
    		catch
    		{
    			webProxy = new WebProxy(proxyAddr, 80);
    		}
    		string proxyUser = ConfigurationSettings.AppSettings["ProxyUser"];
    		string proxyPwd = ConfigurationSettings.AppSettings["ProxyPwd"];
    		string proxyDom = ConfigurationSettings.AppSettings["ProxyDom"];
    		if(proxyUser != null && proxyUser.Length > 0 && proxyPwd != null && proxyDom != null)
    			webProxy.Credentials = new NetworkCredential(proxyUser, proxyPwd, proxyDom);
    	}
    
    	try 
    	{
    		ServicePointManager.CertificatePolicy = new AcceptAllCertificatePolicy();
    		sParameters = "";
    		webReq = (HttpWebRequest)HttpWebRequest.Create(webURL + sParameters);
    		if(webProxy != null)
    			webReq.Proxy = webProxy;
    		webReq.Timeout = int.Parse(ConfigurationSettings.AppSettings["WebTimeout"]);
    		webReq.UserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)";
    		webReq.Method = "GET";
    		webReq.ProtocolVersion = HttpVersion.Version11;
    		webRes = (HttpWebResponse)webReq.GetResponse();
    		Stream stmRes = webRes.GetResponseStream();
    		StreamReader stmReader = new StreamReader(stmRes);
    		httpResponse = stmReader.ReadToEnd();
    	}
    	catch(WebException ex)
    	{
    		httpResponse = "";
    	}
    	finally 
    	{
    		webReq = null;
    		if(webRes != null)
    			webRes.Close();
    		webRes = null;
    	} 
    	return httpResponse;  
    }

    try to resolve a url using a base ProxyPwd on this line:

    Code:
    		string proxyUser = ConfigurationSettings.AppSettings["ProxyUser"];
    		string proxyPwd = ConfigurationSettings.AppSettings["ProxyPwd"];
    		string proxyDom = ConfigurationSettings.AppSettings["ProxyDom"];
    		if(proxyUser != null && proxyUser.Length > 0 && proxyPwd != null && proxyDom != null)
    			webProxy.Credentials = new NetworkCredential(proxyUser, proxyPwd, proxyDom);

    and get a webresponse passing trow by proxy or not.


    mmm for perfect understanding that i give you a piece of php web page resolver.

    proxyPwd compose a Base 64 cipher, the format is (USER, PASSWORD)

    see the php example of non converted parameters:

    PHP Code:
    $http_method 'http'
    $hostname 'www.antionline.com'
    $cgi '/azrael/aoexample/'


    $proxy 'http://proxy.crackenfind.net'
    $proxypwd base64_encode("aleksei:antionlinemember"); 
    #$proxypwd = "aleksei:antionlinemember"; 


    $XMLRequest '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    $XMLRequest .= '<message xmlns="http://antionline.com/messageadmin">\n'
    $XMLRequest .= ' <Header>\n'
    $XMLRequest .= ' <ClientId>Web request test</ClientId>\n'
    $XMLRequest .= ' <TransactionId>dklfj24ru743u3fj320fy49f84gyf</TransactionId>\n'
    $XMLRequest .= ' </Header>\n'
    $XMLRequest .= ' <Body>\n'
    $XMLRequest .= ' <code>#66#16#33\n';
    $XMLRequest .= ' <code>\n'
    $XMLRequest .= ' </Body>\n'
    $XMLRequest .= '</message>\n'


    $ServiceId 'antionline:com.messageadmin:proxy.crackenfind.net'

    $data_string "ServiceId=".$ServiceId."&XMLRequest=".$XMLRequest

    $curl_handle curl_init ("http://www.antionline.com/messageadmin"); 

    curl_setopt ($curl_handleCURLOPT_PROXY$proxy); 
    curl_setopt ($curl_handleCURLOPT_PROXYPORT8080); 
    curl_setopt ($curl_handleCURLOPT_PROXYUSERPWD$proxypwd); 
    curl_setopt ($curl_handleCURLOPT_HTTPPROXYTUNNEL,1); 
    curl_setopt ($curl_handleCURLOPT_FOLLOWLOCATION1); 
    curl_setopt ($curl_handleCURLOPT_RETURNTRANSFER1); 
    curl_setopt ($curl_handleCURLOPT_POST1); 
    curl_setopt ($curl_handleCURLOPT_POSTFIELDS$data_string); 
    $result curl_exec ($curl_handle); 

    if (
    curl_error($curl_handle)) 

      
    printf("Error %s: %s"curl_errno($curl_handle), curl_error($curl_handle)); 
      die (
    "No such web request"); 



    curl_close ($curl_handle); 
    echo 
    $result

    $proxypwd = base64_encode("aleksei:antionlinemember"); is the format in base64, the function that generate that seems like this java encoder:

    Code:
    try { 
    
    URLConnection connection = _src.openConnection(); 
    
    if (_proxyUser != null) { 
    
    sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder(); String encoded = encoder.encode( 
    
    new String(_proxyUser + ":" + _proxyPwd).getBytes()); 
    
    connection.setRequestProperty("Proxy-Authorization", "Basic " + encoded); 
    
    } 
    
    connection.connect(); 
    
    copyConnectionToFile(connection); 
    
    } catch (IOException ex) { 
    
    log("Failure accessing " + _src + ": " + ex.getMessage(), Project.MSG_ERR); 
    
    }


    i'm so bad expalining without code, but the base64 is a simple quest.


    see the wikkipedia for knowing base64 format an encoder theory:

    http://en.wikipedia.org/wiki/Base64



    so best wishes!


    AzRaEL
    [NuKE] high council
    www.crackenfind.net

  7. #7
    Banned
    Join Date
    Jul 2006
    Posts
    12

    Thumbs up



    are you sayin the above java code will unmask it...coz thats what i wanna do.....ur hava code involves connections and stuff.....this is strictly abut unmasking the thing

  8. #8
    No only java: perl, php (c for girls), c++, C# (c for girls), and all web bassed object languajes are capable for do that.

    This is a basic encoder using c for girls (C#)

    Code:
    public class Base64Encoder
      {
        byte[] source;
        int length,length2;
        int blockCount;
        int paddingCount;
        public Base64Encoder(byte[] input)
        {
          source=input;
          length=input.Length;
          if((length % 3)==0)
          {
            paddingCount=0;
            blockCount=length/3;
          }
          else
          {
            paddingCount=3-(length % 3);//need to add padding
            blockCount=(length+paddingCount) / 3;
          }
          length2=length+paddingCount;//or blockCount *3
        }
    
        public char[] GetEncoded()
        {
          byte[] source2;
          source2=new byte[length2];
          //copy data over insert padding
          for (int x=0; x<length2;x++)
          {
            if (x<length)
            {
              source2[x]=source[x];
            }
            else
            {
              source2[x]=0;
            }
          }
          
          byte b1, b2, b3;
          byte temp, temp1, temp2, temp3, temp4;
          byte[] buffer=new byte[blockCount*4];
          char[] result=new char[blockCount*4];
          for (int x=0;x<blockCount;x++)
          {
            b1=source2[x*3];
            b2=source2[x*3+1];
            b3=source2[x*3+2];
    
            temp1=(byte)((b1 & 252)>>2);//first
    
            temp=(byte)((b1 & 3)<<4);
            temp2=(byte)((b2 & 240)>>4);
            temp2+=temp; //second
    
            temp=(byte)((b2 & 15)<<2);
            temp3=(byte)((b3 & 192)>>6);
            temp3+=temp; //third
    
            temp4=(byte)(b3 & 63); //fourth
    
            buffer[x*4]=temp1;
            buffer[x*4+1]=temp2;
            buffer[x*4+2]=temp3;
            buffer[x*4+3]=temp4;
    
          }
    
          for (int x=0; x<blockCount*4;x++)
          {
            result[x]=sixbit2char(buffer[x]);
          }
    
          //covert last "A"s to "=", based on paddingCount
          switch (paddingCount)
          {
            case 0:break;
            case 1:result[blockCount*4-1]='=';break;
            case 2:result[blockCount*4-1]='=';
              result[blockCount*4-2]='=';
              break;
            default:break;
          }
          return result;
        }
    
        private char sixbit2char(byte b)
        {
          char[] lookupTable=new char[64]
              {  'A','B','C','D','E','F','G','H','I','J','K','L','M',
                'N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
                'a','b','c','d','e','f','g','h','i','j','k','l','m',
                'n','o','p','q','r','s','t','u','v','w','x','y','z',
                '0','1','2','3','4','5','6','7','8','9','+','/'};
    
          if((b>=0) &&(b<=63))
          {
            return lookupTable[(int)b];
          }
          else
          {
            //should not happen;
            return ' ';
          }
        }
      }


    and a decoder:


    Code:
    public class Base64Decoder
      {
        char[] source;
        int length, length2, length3;
        int blockCount;
        int paddingCount;
        public Base64Decoder(char[] input)
        {
          int temp=0;
          source=input;
          length=input.Length;
    
          //find how many padding are there
          for (int x=0;x<2;x++)
          {
            if(input[length-x-1]=='=')
              temp++;
          }
          paddingCount=temp;
          //calculate the blockCount;
          //assuming all whitespace and carriage returns/newline were removed.
          blockCount=length/4;
          length2=blockCount*3;
        }
    
        public byte[] GetDecoded()
        {
          byte[] buffer=new byte[length];//first conversion result
          byte[] buffer2=new byte[length2];//decoded array with padding
    
          for(int x=0;x<length;x++)
          {
            buffer[x]=char2sixbit(source[x]);
          }
    
          byte b, b1,b2,b3;
          byte temp1, temp2, temp3, temp4;
    
          for(int x=0;x<blockCount;x++)
          {
            temp1=buffer[x*4];
            temp2=buffer[x*4+1];
            temp3=buffer[x*4+2];
            temp4=buffer[x*4+3];        
    
            b=(byte)(temp1<<2);
            b1=(byte)((temp2 & 48)>>4);
            b1+=b;
    
            b=(byte)((temp2 & 15)<<4);
            b2=(byte)((temp3 & 60)>>2);
            b2+=b;
    
            b=(byte)((temp3 & 3)<<6);
            b3=temp4;
            b3+=b;
    
            buffer2[x*3]=b1;
            buffer2[x*3+1]=b2;
            buffer2[x*3+2]=b3;
          }
          //remove paddings
          length3=length2-paddingCount;
          byte[] result=new byte[length3];
    
          for(int x=0;x<length3;x++)
          {
            result[x]=buffer2[x];
          }
    
          return result;
        }
    
        private byte char2sixbit(char c)
        {
          char[] lookupTable=new char[64]
              {  
    
        'A','B','C','D','E','F','G','H','I','J','K','L','M','N',
        'O','P','Q','R','S','T','U','V','W','X','Y', 'Z',
        'a','b','c','d','e','f','g','h','i','j','k','l','m','n',
        'o','p','q','r','s','t','u','v','w','x','y','z',
        '0','1','2','3','4','5','6','7','8','9','+','/'};
          if(c=='=')
            return 0;
          else
          {
            for (int x=0;x<64;x++)
            {
              if (lookupTable[x]==c)
                return (byte)x;
            }
            //should not reach here
            return 0;
          }
    
        }
    
      }



    But you may understand that: the ProxyPwd is a mix for (user,password) combined source and base64 coding mixed with hex transform.

    The comercial criptography in this days is sucks!

    no one people or the people today no understand the chyper concept. They use usually a "tool" for generate his crypto transactions. Comercial and public the real sense for private doccuments or transaction is lost.


    what kind of question is a good answer?

    i don't know....



    greetz


    Az

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides