Weblog

dbsynergy wins the first challenge

Categories: Challenges

Congratulations to dbsynergy for solving the first SF2600 challenge! nodus and yotta completed the challenge second and third respectively.

To celebrate the completion of the site, a hacking challenge was posted in the Terminal section. The challenge was to reverse the algorithm that JS/UIX OS uses to encrypt passwords and to recover the root password.

Below are several code snippets used to solve the challenge. Everyone found the encrypted password in jsuix_krnl.js and correctly reversed the algorithm:

//dbsynergy's Quick 'n Dirty Solution
//-------------------------------------------------
// krnlCrypt() and conf_rootpassskey come from the loaded JS/UIX scripts.
// Candidate characters tried at each password position:
var printable = new Array(
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E',
'F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U',
'V','W','X','Y','Z','1','2','3','4','5','6','7','8','9','0','-',
'=','[',']','\\',';','\'',',','.','/','_','+',
'{','}','|',':','"','<','>','?');

var decrypted = '';
var currentTest = '';
// Each plaintext character yields two hex digits, so step through the hash in pairs.
for(var i=0; i < conf_rootpassskey.length; i+=2){
      for(var p=0; p < printable.length; p++){
              // Keep the candidate if it extends the recovered prefix correctly.
              if(krnlCrypt(currentTest+printable[p]) ==
                 conf_rootpassskey.substr(0,i+2)){
                      currentTest += printable[p];
                      continue; // the rest of the alphabet is still tried
              }
      }
}

This algorithm has a slightly longer runtime, because it iterates over the entire alphabet for every position. This can be optimized a bit more by decoding the string character by character, as is done in the next example.

#nodus's Algorithm Decode Solution
#--------------------------------------------------

import re
#from line 50 of jsuix_krnl.js
hashed='735ABB3DBD9AFA7FF2DE4C'
pairs=re.split('(..)',hashed)
while '' in pairs:
   pairs.remove('')

#got this from the js console in chromium with console.log(crptKeyquence)
keys=[14, 122, 255, 33]
numbers=[]
for str_pair in pairs:
   numbers.append(int(str_pair,16))

count=0;last=0;numbers2=[];string='';

for i in numbers:
   number = (i-last)-keys[count%4]
   while number <1:
       number+=256
   count+=1
   last=i
   #string+=(ascii[i])
   numbers2.append(number)
for i in numbers2:
   string+=(chr(i))
print(string)

It took nodus a bit longer (15 minutes to be exact) to write a complete decoder. While the code looks a bit longer, it is actually more efficient (it has no nested loops and reverses the algorithm character by character).

iphelix's Masochist Calculator Solution
---------------------------------------
If you feel like torturing yourself a bit, you can
solve the puzzle manually with a piece of paper 
and a calculator ;-)

The algorithm went along something like this:

Hash = 73 5A BB 3D BD 9A FA 7F F2 DE 4C
Salt = 0e 7a ff 21

0x73 - 0x0e - 0x00 [+0x100] = 'e'
0x5A - 0x7a - 0x73 [+0x100] = 'm'
0xBB - 0xff - 0x5A [+0x100] = 'b'
and so on...
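
The following is an added example, not code from the original post or from JS/UIX. It models the scheme as implied by the decode arithmetic above and shows why both the prefix search and the direct decode work. The forward function is reconstructed from that arithmetic (an assumption), and the function names are hypothetical; the key and hash values are the ones quoted above.

```javascript
// Added example: the forward function is inferred from the decode steps on this
// page, not copied from jsuix_krnl.js. Function names are hypothetical.
const KEYS = [0x0e, 0x7a, 0xff, 0x21];      // "Salt" bytes quoted above
const TARGET = '735ABB3DBD9AFA7FF2DE4C';    // hash quoted above

// Assumed forward direction: c[i] = (p[i] + KEYS[i % 4] + c[i-1]) mod 256, c[-1] = 0.
function encode(plain) {
  let prev = 0;
  let out = '';
  for (let i = 0; i < plain.length; i++) {
    prev = (plain.charCodeAt(i) + KEYS[i % KEYS.length] + prev) & 0xff;
    out += prev.toString(16).padStart(2, '0').toUpperCase();
  }
  return out;
}

// Direct inverse: p[i] = (c[i] - c[i-1] - KEYS[i % 4]) mod 256.
function decode(hex) {
  let prev = 0;
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    const c = parseInt(hex.substr(i, 2), 16);
    const key = KEYS[(i / 2) % KEYS.length];
    out += String.fromCharCode((((c - prev - key) % 256) + 256) % 256);
    prev = c;
  }
  return out;
}

// Prefix search: possible only because encode(prefix) is a prefix of encode(full).
// Unlike the quick solution above, this stops at the first matching character.
function prefixSearch(hex, alphabet) {
  let known = '';
  let tries = 0;
  for (let i = 0; i < hex.length; i += 2) {
    const want = hex.substr(0, i + 2);
    const hit = [...alphabet].find(ch => { tries++; return encode(known + ch) === want; });
    if (hit === undefined) return { plain: null, tries };
    known += hit;
  }
  return { plain: known, tries };
}

// Round trip: the scheme is an invertible keyed running sum, not a one-way hash.
console.log(encode(decode(TARGET)) === TARGET);
```

Each output byte depends only on the current character, the previous output byte and a fixed key, so the stored value can be undone one position at a time with no guessing.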

Well, I hope everyone enjoyed the challenge; I will cook up something more evil for the next one.

Feel free to design and submit your own challenges to the site.

Posted by iphelix on Apr 06, 2011