help reverse engineer this pls!


Post by diggerdoo »

OK, I'll give you what I think I've got! All my data is from a database that was gathered through SQL injection.


N1gQ1DRW1 W6HW9S1E <--Andrew Luff
T18E1JY1D 1uVWPUWPEW_ <--Gerald Fisher
E10A1eL1AQWxQW0R1E <--Randell or Randy Dodge
T18B1DT1s 1lNW8RWT <--George Baker

Post by diggerdoo »

Nothing, eh? I thought this was going to be easier than this...Damn! Would the names in a database be salted? Would the same salt value be used on all the names?

Post by hiper »

What type of injection did you use? And what type of database was it?

Post by bad_brain »

I doubt it's a MySQL database, because the hashes are definitely NOT MD5 ones... neither regular nor salted ones. You should retrieve info about the system; the OS the server is running on, for example, would be worth a lot already... I bet it's MS and not *nix.

P.S. And yes, the "salt" is usually the same for all hashes in a database.

Post by diggerdoo »

K, some more info...

apache/2.2.4(unix)
mod_ssl/2.2.4
PHP, Open SSL
MySQL

Thanks!

P.S. It is Unix and it is MySQL!
Last edited by diggerdoo on 11 Apr 2009, 10:52, edited 1 time in total.

Post by diggerdoo »

If I'm looking at a list of the database tables and the columns of each, will my answer be found within? Is the salt value a "value" that can be found here as well? Here are some more words with their encrypted versions as well.

I1XF1J visa
Z10F1IR1oP1FEWN mastercard
W18A1yV1rWN W9NWfEWYHc6FcL jennifer fairhurst
W1JU1y 1M.1hTw john (can't remember last name)
W1JRz joe
W1JN1y 1 joan

They're all from the same table.
*every second character is a "1"*
john, joe, joan all begin "W1J......."
jennifer begins with "W1" so any name starting with the letter j will be encoded as W1? Could this be like a Captain Crunch Decoder Ring? How could the second digit of every encrypted value be a 1? Is this encryption? Help?!

Post by diggerdoo »

I don't know if this is reverse engineering, but after comparing all these names to the "encrypted value", I have come up with a table of values that does in fact work like a decoder ring (for the first name, then it goes way off base!). I also noticed a regular pattern: I'll let * represent any letter of the alphabet.
*1**1**1 or *1**1*1

Z1=m
W1=j
j=o
v1 or x=i
E1=r
T=g
Q=d
O=b
P1=c
C or 8 or R1=e
s=f
u=h
Q1 or E=k
T or Y=L
A1 or Y1=N
C1=p
F1=s
I or G1=t
H1=u
I1=v
j=w

This will decode pretty much the first name but then it goes way off. Give me your thoughts please!

Post by diggerdoo »

OK, no one has any thoughts on what could be going on here? Is a salt value a number, or a mix of letters and numbers? Is it saved somewhere that can be read? Is it chosen by the web operator or is it a random value calculated by the website? Why can't a salt value be calculated if we have enough data to compare? Kinda like cracking a WEP key when you've captured enough IVs?

Post by bad_brain »

Well, the problem is that it might even be right for the 1st name, but if it doesn't work for the others it is no real pattern. The "W1" could be simply a database prefix, for example. The decryption you showed is a simple Caesar encryption, and I doubt a halfway modern application would use such an easy-to-break algorithm.

About the "salt": the problem is that there are 2 methods:
- a fixed salt that applies to any database entry
- a dynamic salt that is randomly generated for each single database entry
OK, the latter method is not used that often, but if I interpret the data right and it's about CC data ( :P ) it is even likely that this method is used to provide good security... and then you're out of luck.
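
The two salting methods named in the post above, seen from the storage side, as an added example that is not part of the original thread: with a fixed salt, equal secrets produce equal stored values, while a per-entry salt kept beside the digest does not. PBKDF2-HMAC-SHA256, the iteration count, the salt value and the sample rows are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000                         # assumed work factor for this example
FIXED_SALT = b"constructed-site-wide-salt"   # constructed value, shared by every entry

def hash_fixed(secret: str) -> bytes:
    """Fixed salt: the same salt applies to every database entry."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), FIXED_SALT, ITERATIONS)

def hash_per_entry(secret: str, salt: bytes = b"") -> tuple:
    """Dynamic salt: a fresh random salt per entry, stored beside the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return salt, digest

def verify(secret: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_per_entry(secret, salt)[1], digest)

def repeated(values) -> int:
    """Count stored values that occur more than once in a column."""
    return sum(n for n in Counter(values).values() if n > 1)

# Constructed sample rows: two accounts happen to share one secret.
ROWS = [("u1", "correct horse"), ("u2", "tr0ub4dor"), ("u3", "correct horse")]

def compare_schemes(rows=ROWS) -> dict:
    """Store the same rows under both schemes and report visible repeats."""
    fixed = [hash_fixed(secret) for _, secret in rows]
    dynamic = [hash_per_entry(secret) for _, secret in rows]
    return {
        "fixed_repeats": repeated(fixed),
        "dynamic_repeats": repeated(d for _, d in dynamic),
        "dynamic_verifies": all(verify(s, salt, d)
                                for (_, s), (salt, d) in zip(rows, dynamic)),
    }

if __name__ == "__main__":
    print(compare_schemes())
```

The per-entry salt is not a secret; it only has to be unique for each row so that identical inputs never share a stored value.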

Post by diggerdoo »

So this is encryption... and Caesar the only new thought I gathered? I'm off to Google some more, I'll keep you updated either way. Thanks.