Training session 24: Basic Encryption #3
Difficulty: Medium
Learn how to break Hackerpad Encryption
Creator: m101


By now you have learnt to encrypt a string with the Hackerpad encryption scheme, and for some reason you decide that you want to reverse the process to crack the password. This cannot be accomplished by simply putting the string through a simple algorithm that reverses it, and brute forcing the entire string would take far too long for any password of considerable size; but by analysing the process used to encrypt the string we can find a somewhat quicker way to crack it in an extremely short period of time.

If we were to encrypt the string 'MMMMMMMMMMMMMMMM' with a small password like 'PASS' we would end up with the following result:

Text:
MMMMMMMMMMMMMMMM
077 077 077 077 077 077 077 077 077 077 077 077 077 077 077 077

Password:
PASSPASSPASSPASS
080 065 083 083 080 065 083 083 080 065 083 083 080 065 083 083

Result:
157 142 160 160 157 142 160 160 157 142 160 160 157 142 160 160

It now becomes evident that by using a constant string we are left with just repeating groups of 157 142 160 160. So you are probably asking why this is of any use to anyone at all; well, if we encrypt a less uniform string its use becomes more evident:

Text:
!z}/
033 122 125 047

Password:
MMMM
077 077 077 077

Result:
110 199 202 124

The resulting string is reasonably varied, and for the purpose of the exercise we will forget that we know the password. In an attempt to crack this we will do some small exercises to derive how cracking may be possible. If we were to guess the first password letter as a Z, then subtracting the value of Z (90) from the first character of the encrypted string (110) leaves us with 20. Now, since we know how the string is encrypted, we know that a correct value can only exist between 32 and 126, so we know for sure that the first letter is not Z. Likewise, by checking if the second letter is the character A (65), we are left with 134, which is too large to work and therefore is not a correct answer. So now we have a method to roughly guess what a character is going to be, but only to within about 40 or 50 characters of the real result. Another interesting factor can be used to find more conditions a correct result must satisfy. Consider the following:

Text:
This text is going to be encrypted.

Password:
crypt

Result:
This text is going to be encrypted.
cryptcryptcryptcryptcryptcryptcrypt

If you notice, every fifth character after the first is linked to the character 'c'. So you say to yourself, how can this be of any use? Well, let's divide up all the characters linked to each of the characters in the password:

c:
Ttiioep

r:
hesn nt

y:
ix gbce

p:
stg erd

t:
  ot y.

Result:
Ttiioep
hesn nt
ix gbce
stg erd
  ot y.

You will notice the text is readable by reading down the columns instead of across; this is the best way to make sure you don't make a mistake. Since each row is linked to one character of the password, we can safely say that any character we trial as a password letter must satisfy the requirements for all of the characters in that row. This is shown through the elimination process below, where we will crack the first letter of our text:

The first line 'Ttiioep' when encrypted with the password letter 'c' gives us (every value is above 126, so none of them print as ASCII characters):
183 215 204 204 210 200 211

Now we try a value to see if it satisfies our requirements; the character we will try is 'A' (65):
v
118 150 139 139 145 135 146

As you can see, only the first character satisfied our requirements. So now we will try the letter 'g':
Ppeekal
80 112 101 101 107 97 108

The character 'g' managed to satisfy our requirements, so we will continue to the next character even though we know this is wrong. The next line 'hesn nt' is encrypted with 'r' and gives us (again nothing printable):
218 215 229 224 146 224 230

So to start off we will try the character 'd':
vs|.|
118 115 129 124 46 124 130

We are reasonably close to the result, so we will try 'x' as a password:
b_mh?hn
98 95 109 104 26 104 110

The characters are still not quite reasonable enough, so we will try 'q':
ifto!ou
105 102 116 111 33 111 117

The string is extremely close, but with a little logic we can decide that since '!' is only one character off a space, and a space is more common, we will try adding one to the password letter and use 'r':
hesn nt
104 101 115 110 32 110 116

All the requirements are met, so we will move on to the next line, 'ix gbce' (encrypted with 'y'). When it's encrypted we are left with (nothing printable):
226 241 153 224 219 220 222

First guess is 'a':
8z{}
129 144 56 127 122 123 125

Not even close, so we will try 'x':
jy!hcdf
106 121 33 104 99 100 102

Yet again we prefer trying spaces, so we move it to 'y'. This process is repeated till all the characters have been roughly guessed. Then the text is reassembled after being cracked with the password 'grypt' (as the first letter was incorrectly guessed) and we find that we are left with the following:

Phis pext es goeng tk be ancrylted.

It appears close, but quite obviously a bit wrong; with a little bit of work this is easily fixed. If you look at 'tk' and 'goeng' you can guess that they are meant to be 'to' and 'going'. So by subtracting 'k' (107) from 'o' (111) we are left with 4; we take this 4 off our original guess of 'g' and we are left with 'c'. Now after decrypting the text we are given 'This text is going to be encrypted.' This result is much more satisfactory, and we now have a method to crack a password. The only thing we now have to do is guess the length of the password. The more complex the text, the easier it becomes to crack the password. This process can be rather exhaustive, so the following is a simple program that will crack the encryption in most cases without needing correction. I apologise for the sloppy coding, but I coded this version in BASIC for the benefit of everyone's understanding.

------------------------------CODE-----------------------------------

CLS
wake:
lengthoftext = 0
textpos = 0
xc$ = ""
hg$ = ""
sg = 0
alpa = 0
qw = 0
z = 0
w$ = ""
e$ = ""
r$ = ""
i$ = ""
i2$ = ""
i3$ = ""
i4$ = ""
i5$ = ""
i6$ = ""
i7$ = ""
i8$ = ""
i9$ = ""
i10$ = ""
i11$ = ""
i12$ = ""
i13$ = ""
i14$ = ""
i15$ = ""
i16$ = ""
i17$ = ""
i18$ = ""
i19$ = ""
i20$ = ""
i21$ = ""
i22$ = ""
i23$ = ""
i24$ = ""
i25$ = ""
i26$ = ""
i27$ = ""
i28$ = ""
w1$ = ""
e1$ = ""
r1$ = ""
q1$ = ""
q2$ = ""
q3$ = ""
q4$ = ""
q5$ = ""
q6$ = ""
q7$ = ""
q8$ = ""
q9$ = ""
q10$ = ""
q11$ = ""
q12$ = ""
q13$ = ""
q14$ = ""
q15$ = ""
q16$ = ""
q17$ = ""
q18$ = ""
q19$ = ""
q20$ = ""
q21$ = ""
q22$ = ""
q23$ = ""
q24$ = ""
q25$ = ""
q26$ = ""
q27$ = ""


IF mop = 1 THEN GOTO intskip

SCREEN 12
COLOR 1
PRINT ""
COLOR 2
PRINT "            m101 presents -=Hackerpad Password Cracker=- v0.7"
PRINT ""
PRINT "                              m101@area-6.net"
PRINT ""
COLOR 1
PRINT "Greetz go out to jimmyj, harper, simAI, b0iler, Term_0z, Vegas, Sangoma, Forbze, Zaleth, DIGICRIME and Dead_Beat..."
PRINT ""
PRINT ""
PRINT "Go to ";
COLOR 2
PRINT "http://www.area-6.net ";
COLOR 1
PRINT "and learn the real way to hack!!"
PRINT ""
PRINT ""
PRINT "To use this just replace the text in passwd.txt and run the program!!"
PRINT ""
PRINT ""
PRINT ""
intskip:
text$ = ""
OPEN "passwd.txt" FOR INPUT AS #1
REM text$ = "ؔ܌ԎݎԔѓؓۉܘؔ؎ɔێʎ؁׎͌Д׌הωѓӔێʔєԉʛԗ"
INPUT #1, text$
CLOSE #1
mop = 1

IF mop = 1 THEN GOTO lenskip
COLOR 2
INPUT "Estimated Password Length"; length
PRINT ""

lenskip:
IF mop = 1 THEN length = length + 1

lengthoftext = LEN(text$)
textpos = lengthoftext
begin:
k = 0
FOR i = 1 TO lengthoftext
k = k + 1
a$ = LEFT$(RIGHT$(text$, textpos), 1)
a = ASC(a$)


IF k = 1 THEN w$ = w$ + a$
IF k = 2 THEN e$ = e$ + a$
IF k = 3 THEN r$ = r$ + a$
IF k = 4 THEN i2$ = i2$ + a$
IF k = 5 THEN i3$ = i3$ + a$
IF k = 6 THEN i4$ = i4$ + a$
IF k = 7 THEN i5$ = i5$ + a$
IF k = 8 THEN i6$ = i6$ + a$
IF k = 9 THEN i7$ = i7$ + a$
IF k = 10 THEN i8$ = i8$ + a$
IF k = 11 THEN i9$ = i9$ + a$
IF k = 12 THEN i10$ = i10$ + a$
IF k = 13 THEN i11$ = i11$ + a$
IF k = 14 THEN i12$ = i12$ + a$
IF k = 15 THEN i13$ = i13$ + a$
IF k = 16 THEN i14$ = i14$ + a$
IF k = 17 THEN i15$ = i15$ + a$
IF k = 18 THEN i16$ = i16$ + a$
IF k = 19 THEN i17$ = i17$ + a$
IF k = 20 THEN i18$ = i18$ + a$
IF k = 21 THEN i19$ = i19$ + a$
IF k = 22 THEN i20$ = i20$ + a$
IF k = 23 THEN i21$ = i21$ + a$
IF k = 24 THEN i22$ = i22$ + a$
IF k = 25 THEN i23$ = i23$ + a$
IF k = 26 THEN i24$ = i24$ + a$
IF k = 27 THEN i25$ = i25$ + a$
IF k = 28 THEN i26$ = i26$ + a$
IF k = 29 THEN i27$ = i27$ + a$
IF k = 30 THEN i28$ = i28$ + a$


textpos = textpos - 1
IF passpos = 0 THEN passpos = lengthofpass
IF k = length THEN k = 0
NEXT i


REM this is to print all the password hashes rem the following line to print them
GOTO jipper

PRINT "these are the password hashes"
PRINT ""

PRINT w$
PRINT e$
PRINT r$
PRINT i2$
PRINT i3$
PRINT i4$
PRINT i5$
PRINT i6$
PRINT i7$
PRINT i8$
PRINT i9$
PRINT i10$
PRINT i11$
PRINT i12$
PRINT i13$
PRINT i14$
PRINT i15$
PRINT i16$
PRINT i17$
PRINT i18$
PRINT i19$
PRINT i20$
PRINT i21$
PRINT i22$
PRINT i23$
PRINT i24$
PRINT i25$
PRINT i26$
PRINT i27$
PRINT i28$

jipper:
FOR alpa = 1 TO length

IF alpa = 2 THEN w$ = e$
IF alpa = 3 THEN w$ = r$
IF alpa = 4 THEN w$ = i2$
IF alpa = 5 THEN w$ = i3$
IF alpa = 6 THEN w$ = i4$
IF alpa = 7 THEN w$ = i5$
IF alpa = 8 THEN w$ = i6$
IF alpa = 9 THEN w$ = i7$
IF alpa = 10 THEN w$ = i8$
IF alpa = 11 THEN w$ = i9$
IF alpa = 12 THEN w$ = i10$
IF alpa = 13 THEN w$ = i11$
IF alpa = 14 THEN w$ = i12$
IF alpa = 15 THEN w$ = i13$
IF alpa = 16 THEN w$ = i14$
IF alpa = 17 THEN w$ = i15$
IF alpa = 18 THEN w$ = i16$
IF alpa = 19 THEN w$ = i17$
IF alpa = 20 THEN w$ = i18$
IF alpa = 21 THEN w$ = i19$
IF alpa = 22 THEN w$ = i20$
IF alpa = 23 THEN w$ = i21$
IF alpa = 24 THEN w$ = i22$
IF alpa = 25 THEN w$ = i23$
IF alpa = 26 THEN w$ = i24$
IF alpa = 27 THEN w$ = i25$
IF alpa = 28 THEN w$ = i26$
IF alpa = 29 THEN w$ = i27$
IF alpa = 30 THEN w$ = i28$

REM try every key letter from 'A' (65) up to 'z' (122)
FOR i = 0 TO 57
attempt$ = CHR$(65 + i)
xc$ = ""
FOR z = 1 TO LEN(w$)
u$ = LEFT$(RIGHT$(w$, (LEN(w$) + 1 - z)), 1)
ON ERROR GOTO spitzy
xc$ = xc$ + CHR$(ASC(u$) - ASC(attempt$))
NEXT z
spitzy:
s = 0
FOR qw = 1 TO LEN(xc$)
hg$ = LEFT$(RIGHT$(xc$, (LEN(xc$) + 1 - qw)), 1)


IF s = 0 AND hg$ = " " THEN GOTO hippy
REM IF s = 0 AND hg$ = ":" THEN GOTO hippy
REM IF s = 0 AND hg$ = "," THEN GOTO hippy
REM IF s = 0 AND hg$ = "/" THEN GOTO hippy
REM IF s = 0 AND hg$ = "." THEN GOTO hippy
IF ASC(hg$) < 32 OR ASC(hg$) > 122 THEN s = 1
hippy:
NEXT qw


IF s = 0 AND alpa = 1 THEN w1$ = attempt$
IF s = 0 AND alpa = 2 THEN e1$ = attempt$
IF s = 0 AND alpa = 3 THEN r1$ = attempt$
IF s = 0 AND alpa = 4 THEN q1$ = attempt$
IF s = 0 AND alpa = 5 THEN q2$ = attempt$
IF s = 0 AND alpa = 6 THEN q3$ = attempt$
IF s = 0 AND alpa = 7 THEN q4$ = attempt$
IF s = 0 AND alpa = 8 THEN q5$ = attempt$
IF s = 0 AND alpa = 9 THEN q6$ = attempt$
IF s = 0 AND alpa = 10 THEN q7$ = attempt$
IF s = 0 AND alpa = 11 THEN q8$ = attempt$
IF s = 0 AND alpa = 12 THEN q9$ = attempt$
IF s = 0 AND alpa = 13 THEN q10$ = attempt$
IF s = 0 AND alpa = 14 THEN q11$ = attempt$
IF s = 0 AND alpa = 15 THEN q12$ = attempt$
IF s = 0 AND alpa = 16 THEN q13$ = attempt$
IF s = 0 AND alpa = 17 THEN q14$ = attempt$
IF s = 0 AND alpa = 18 THEN q15$ = attempt$
IF s = 0 AND alpa = 19 THEN q16$ = attempt$
IF s = 0 AND alpa = 20 THEN q17$ = attempt$
IF s = 0 AND alpa = 21 THEN q18$ = attempt$
IF s = 0 AND alpa = 22 THEN q19$ = attempt$
IF s = 0 AND alpa = 23 THEN q20$ = attempt$
IF s = 0 AND alpa = 24 THEN q21$ = attempt$
IF s = 0 AND alpa = 25 THEN q22$ = attempt$
IF s = 0 AND alpa = 26 THEN q23$ = attempt$
IF s = 0 AND alpa = 27 THEN q24$ = attempt$
IF s = 0 AND alpa = 28 THEN q25$ = attempt$
IF s = 0 AND alpa = 29 THEN q26$ = attempt$
IF s = 0 AND alpa = 30 THEN q27$ = attempt$


NEXT i

NEXT alpa

pass$ = ""

pass$ = pass$ + w1$
pass$ = pass$ + e1$
pass$ = pass$ + r1$
pass$ = pass$ + q1$
pass$ = pass$ + q2$
pass$ = pass$ + q3$
pass$ = pass$ + q4$
pass$ = pass$ + q5$
pass$ = pass$ + q6$
pass$ = pass$ + q7$
pass$ = pass$ + q8$
pass$ = pass$ + q9$
pass$ = pass$ + q10$
pass$ = pass$ + q11$
pass$ = pass$ + q12$
pass$ = pass$ + q13$
pass$ = pass$ + q14$
pass$ = pass$ + q15$
pass$ = pass$ + q16$
pass$ = pass$ + q17$
pass$ = pass$ + q18$
pass$ = pass$ + q19$
pass$ = pass$ + q20$
pass$ = pass$ + q21$
pass$ = pass$ + q22$
pass$ = pass$ + q23$
pass$ = pass$ + q24$
pass$ = pass$ + q25$
pass$ = pass$ + q26$
pass$ = pass$ + q27$

REM PRINT pass$
REM PRINT LEN(pass$)
REM PRINT length
REM INPUT myass$

IF LEN(pass$) < length THEN mop = 1
IF LEN(pass$) < length THEN GOTO wake



PRINT ""
COLOR 1
PRINT "The Password is: ";
COLOR 14


PRINT pass$
COLOR 1
PRINT ""
PRINT ""
PRINT ""
PRINT ""
PRINT ""
PRINT ""
PRINT ""
PRINT "Press any key to exit..."
ifius:
x$ = INKEY$
IF x$ = "" THEN GOTO ifius
END
------------------------------CODE-----------------------------------

Hopefully you will now have a good idea of how encryption schemes in general can be cracked, and even how to create them.