Full Disclosure mailing list archives

Re: Cipher detection


From: Tim <tim-security () sentinelchicken org>
Date: Fri, 8 Apr 2011 15:02:49 -0700

> Here're some more examples:
> 
> dummy () example com GGobQ2bsqd64PXVAmaDiDBg=
> eummy () example com GWobQ2bsqd64PXVAmaDiDBg=
> dummy () example co  GGobQ2bsqd64PXVAmaDiDA==
> dummy@example.@ex GGobQ2bsqd64PXVAmaDBBg0=
> dummy             GGobQ2Y=
> dumm              GGobQw==
> eummy             GWobQ2Y=
> eumm              GWobQw==
> example.com       GWcXQ2/AqYi6P2g=
> dxample.com       GGcXQ2/AqYi6P2g=
> 11111 () example com TS5HHy7sqd64PXVAmaDiDBg=
> 11111             TS5HHy4=
> 
> Looks like a base64+xor, am I right? And that's enough information for me.


Yes, it is looking like a fixed key stream XORed with the plaintext.
Note that this could mean they're using any number of "good"
encryption algorithms (block cipher in OFB mode, stream cipher) with a
fixed IV.  This means the encryption is very broken, but it doesn't
necessarily mean they are using some half-baked custom obfuscation
technique.  They could be, but be careful with your accusations.

HTH,
tim
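
The two observations above (ciphertext length equals plaintext length, and a byte changes only where the corresponding plaintext byte changes) can be turned into a mechanical check. The script below is an added example, not code from either poster; it takes the samples from the quoted post, assumes the archive's address mangling ("x () y com") stands for "x@y.com", skips the one sample whose plaintext is ambiguous, and runs the check a developer should run against their own token scheme: with a fixed keystream, c1 XOR c2 equals p1 XOR p2 on every overlapping prefix, which is detectable from ciphertexts alone and is exactly the fixed-IV condition Tim describes.

```python
import base64
from itertools import combinations

# Samples quoted in the thread. The archive rewrites "@" as " () " and the
# dot before the TLD as a space; that mangling is undone here (assumption).
SAMPLES = {
    "dummy@example.com": "GGobQ2bsqd64PXVAmaDiDBg=",
    "eummy@example.com": "GWobQ2bsqd64PXVAmaDiDBg=",
    "dummy@example.co":  "GGobQ2bsqd64PXVAmaDiDA==",
    "dummy":             "GGobQ2Y=",
    "dumm":              "GGobQw==",
    "eummy":             "GWobQ2Y=",
    "eumm":              "GWobQw==",
    "example.com":       "GWcXQ2/AqYi6P2g=",
    "dxample.com":       "GGcXQ2/AqYi6P2g=",
    "11111@example.com": "TS5HHy7sqd64PXVAmaDiDBg=",
    "11111":             "TS5HHy4=",
}


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ciphertexts() -> dict:
    """Base64-decode every sample into raw ciphertext bytes."""
    return {pt: base64.b64decode(ct) for pt, ct in SAMPLES.items()}


def lengths_match() -> bool:
    """Stream-cipher signature: no block padding, and no IV/nonce or MAC
    travels with the ciphertext, so len(ct) == len(pt) for every sample."""
    return all(len(ct) == len(pt) for pt, ct in ciphertexts().items())


def keystream_reuse_pairs() -> list:
    """Keystream-reuse test that needs no key: under a fixed keystream the
    XOR of two ciphertexts equals the XOR of their plaintexts on the shared
    prefix. A sound scheme (fresh IV per message) fails this on most pairs."""
    cts = ciphertexts()
    out = []
    for (p1, c1), (p2, c2) in combinations(cts.items(), 2):
        n = min(len(c1), len(c2))
        same = xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1.encode()[:n], p2.encode()[:n])
        out.append((p1, p2, same))
    return out


def all_pairs_consistent() -> bool:
    return all(same for _, _, same in keystream_reuse_pairs())


def recovered_keystream() -> bytes:
    """With known plaintext, ct XOR pt yields the keystream byte at each
    offset; every sample must agree at every offset it covers, otherwise
    the fixed-keystream hypothesis is wrong."""
    ks = {}
    for pt, ct in ciphertexts().items():
        for i, (c, p) in enumerate(zip(ct, pt.encode())):
            k = c ^ p
            if ks.setdefault(i, k) != k:
                raise ValueError(f"keystream disagreement at offset {i}")
    return bytes(ks[i] for i in range(len(ks)))


if __name__ == "__main__":
    print("lengths match:", lengths_match())
    print("all pairs consistent with one fixed keystream:", all_pairs_consistent())
    print("keystream covered by samples:", recovered_keystream().hex())
```

If a scheme you own passes `all_pairs_consistent()` on its own outputs, the IV or nonce is not changing between encryptions, whether the primitive underneath is a hand-rolled XOR or a standard cipher in OFB/CTR mode; the fix is a fresh random IV per message carried with the ciphertext, plus a MAC, not a different cipher.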

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
