After a week of getting more and more frustrated I found a solution that I should have used the first time. But I'm fairly lazy. So for those who are still banging their heads against a wall, try the following for solving 25.2:

Spoiler:
1) Convert hex to bin.
2) Open Notepad and write out the bin code on a line (or lines).
3) Write down the passphrase beneath the encrypted bin code.
Spoiler: Rolling XOR, where the preceding (former) byte is the password of the next byte.
4) Decrypt the encrypted code by hand on the next line.
Spoiler: Decipher by example:
Encrypt 0011
Passwrd 0101
Decrypt 0110
Following 0+0=0; 0+1=1; 1+0=1; 1+1=0
5) Convert solution to text.
6) Check the letter from Team 4.
Spoiler: "It is probably an instruction to set the location for where to dump sensitive information from infected machines."
7) Use solution.
So I got frustrated enough with this mission that I eventually just threw in the towel and took a 6-month break from the Watchmen. Even with all the help posted on this thread, I still feel clueless. I surrender. Would someone please just PM me the solution so I can move on...?
I've been trying and trying to decrypt this using the advice from Watch2300, but I just can't seem to get anything but a load of gibberish. It's getting very frustrating, and any help, nudges, slaps in the face would be greatly appreciated.
Spoiler: Tip: Do not write all the binary code in one continuous long line, but group the bits up for a better overview, e.g. 00000000 00000000 etc.
Well, I've had a break and I've had a few more tries at this one but I just can't seem to end up with anything other than a load of gibberish. I've tried everything suggested but I must be doing something wrong, it's so frustrating. Can anyone help so that I can carry on with the game?
Really struggling with this one after a few weeks on it (on and off) - tried all of the above but I think I'm not seeing the wood for the trees.
Spoiler: I get that the key is the preceding bit of data, and I've tried several variations with the binary and hex codes, using the website linked above, and still can't produce anything that makes sense! A bit of guidance?
Spoiler: Use an XOR calculator that will operate in hex (remember, hex is just a numeric system, not really a cipher). Rolling XOR can be a little bit difficult to understand, so let me see if I can explain it to you visually. Hope this makes sense to you! Colors help me a lot when visualizing cipher mechanics.
Solved! Many thanks. For those struggling where I did:
Spoiler: Go backwards. Such a simple thing to get tripped up by!
I think I'm in the same boat as several of the previous agents above, have taken everything suggested above into account for 25.2 but can't come up with anything that is not gibberish. Somewhat frustrating as I had been on a roll for a while until this roadblock and have completely lost the momentum as a result, set this aside for a few weeks/months now. Anything would be helpful at this point, up to and including the actual solution. I know, I know, I will own my shame...
Hey! Don't give up hope, this one is tough. Shoot me a PM and I'll happily walk you through step-by-step how this encryption system works. No question is a bad question if it increases your understanding!
I'm banging my head against the wall trying to figure out 25.2. I've gone through all the advice so far and I'm still at a dead end. Any help (short of the answer) would be much appreciated!
Months. That is how long I have been stuck on this decryption puzzle! Massive thanks to @Watch2300 and @codex-13; those tips and that colored chart finally made the light bulb switch on and I have cracked it. Time for a well-earned pint. Thanks again, folks!
Nudgery: Nudges provided in this post will include hints that include information hinted at in posts before it. If you wish, you can look at this post and get all hints given in this thread before this post was made.

------------------------------------------------------------------------------------

25-1 Malware Sample

Pretty straightforward if you follow the NITE Team's instructions.

Nudges:
Spoiler: Malware is most often tailored to a given operating system, and can attack specific system files.

Bigger, Final Nudge
Spoiler: What specific files does this malware target? Can you find any other strains of malware that target the same ones? What about this malware's actual executable file?

------------------------------------------------------------------------------------

25-2 Encrypted Traffic

Let's start with a little bit of background info from your friendly neighborhood cybersecurity student.

Background on this method of encryption, nudges included:
Spoiler: The Spoiler tags not marked with Nudge are to keep the post nice and compressed, not to actually hide any spoilers.

XOR encryption is a method of "additive" cipher encryption. This means a plaintext message is broken down into blocks or a stream of binary digits, 1's and 0's, and transformed. The original plaintext message is then transformed by combining it with a key string (also made of binary digits) via a bitwise operation - in this case, the XOR function.

What are bitwise operations?
Spoiler: The simplest bitwise operator to understand is AND - which outputs a 1 (true) if and only if BOTH inputs are 1.

AND Truth Table:
0 & 0 = 0
0 & 1 = 0
1 & 0 = 0
1 & 1 = 1

If the binary logic isn't too obvious to you, consider this. You can only say "That's a spicy meatball!" after eating something that is both:
a. Spicy
b. A meatball

Consider the following foods:
Regular bread with no toppings: not spicy (A = 0) and not a meatball (B = 0). 0 & 0 = 0, we can't eat bread and say "That's a spicy meatball!"
Ikea meatball: not spicy (A = 0) and a meatball (B = 1). 0 & 1 = 0, we can't eat the Ikea meatball and say "That's a spicy meatball!"
Ghost pepper (over 1 million Scoville (spicy) units): very spicy (A = 1) and not a meatball (B = 0). 1 & 0 = 0, we can't eat the ghost pepper and say "That's a spicy meatball!" (Also because we will be crying and might have to go to the hospital.)
A spicy meatball: spicy! (A = 1) and a meatball! (B = 1). 1 & 1 = 1, we can say "That's a spicy meatball!"

What is the XOR function and why is it used?
Spoiler: XOR, or exclusive OR, is a bitwise operation that outputs a 1 if one (and only one) of the two inputs is true.

XOR Truth Table:
0 xor 0 = 0
0 xor 1 = 1
1 xor 0 = 1
1 xor 1 = 0

If our plaintext is the number 19 (in decimal), rendered in binary as 10011, and our key string is the number 9 (in decimal), rendered in binary as 01001:

    1 0 0 1 1
xor 0 1 0 0 1
-------------
    1 1 0 1 0

Our ciphertext is 11010, the number 26.

Why is XOR used? It is also its own reverse!

    1 0 0 1 1 (19)
xor 1 1 0 1 0 (26)
------------------
    0 1 0 0 1 (9)

Do you see a method of simply passing the input to the output? (It involves a certain key string.)

Note that for this example I only used 5 bits. Most of the time, a byte is used (8 bits).

Therefore our encryption works via:
plaintext XOR key = ciphertext
plaintext XOR ciphertext = key
ciphertext XOR key = plaintext

The operations are:
Associative: P xor K = C and P = K xor C
Reflexive: P xor K = K xor P = C

But we don't have binary, how can we do bitwise operations?
Spoiler: Hexadecimal is the most common form of shorthand for binary that uses base 16. It goes from 0-F (15), and is written 8 bits at a time. So, if we have the number zero, it can be written like so:
Decimal: 0
Binary: 00000000 (I used 8 bits to show it as a byte.)
Hexadecimal: 00 (each hex digit represents 4 bits, and they are found in pairs)

Now for the number twenty-one:
Decimal: 21 (2 tens (10^1) and 1 one (10^0))
Binary: 00010101 (1 sixteen (2^4) + 1 four (2^2) + 1 one (2^0))
Hexadecimal: 15 (1 sixteen (16^1) + 5 ones (16^0))

So, using the same operations as before, we can just do it shorthand:
Code = 19 (decimal) = 13 (hex)
Key = 10 (decimal) = 0A (hex) (since we don't have a whole sixteen in the ones place, we use letters to represent ten through fifteen)
13 xor 0A (hex) == 10011 xor 01001 (binary)

Most of the time this conversion is done behind the scenes by programs.

A handy XOR calculator, but I'm going to make you work a LITTLE bit:
Spoiler: pastebin.com/ sOME bAD pEOPLE aRE dESIGNING vIRUSES TO lOCK UP YOUr FILES

Fun Fact: An encoder that uses polymorphic additive XOR functionality (a frequently changing key) is called Shikata Ga Nai by the cybersecurity/hacker community - this is Japanese for "it cannot be helped" or "nothing can be done about it." Malicious code encrypted using this method "cannot be discovered" by an antivirus program.

Real Nudges:
Spoiler: Have you found any information on the base strain of malware from before 2013? There are many articles that discuss breaking a complicated method of encryption, but the earliest version of the malware used a simpler method. It didn't use polymorphic XOR encryption. The SANS Institute has a good paper on the malware.

Bigger Nudge:
Spoiler: Hexadecimal messages are bytes separated by space. The simple types of encryption can use a variation of the plaintext as the key.

Biggest, Cryptic Nudges:
Spoiler:
uggcf://v.vzthe.pbz/8ul8Iqx.cat
uggcf://v.vzthe.pbz/sWiLHoI.cat
uggcf://v.vzthe.pbz/YzpdZsI.wct
Spoiler: Ouroboros can't bite its own head.

MUCH Less Cryptic
Spoiler: Leave the first byte alone. How? Look at the XOR Truth Table - what key can you apply to simply pass the input to the output?
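A runnable version of the rolling XOR that the nudges above and the by-hand procedure at the top of the thread describe, added here as an example; it is not from the game, from any poster, or from any real malware sample. It assumes the first byte is passed through by XORing it with 0x00, and that each later byte is keyed by the byte before it; whether that previous byte is the plaintext or the ciphertext byte is an assumption, so both chaining variants are shown.

```python
# Added example (not from the thread, the game, or any real sample): rolling XOR,
# where the byte before the current one is its key. Assumed from the nudges: the
# first byte is XORed with 0x00 (identity); whether the key is the previous
# plaintext or previous ciphertext byte is unknown, so both variants are shown.

def xor_byte(a: int, b: int) -> int:
    """Bitwise XOR of two bytes (the truth table the post walks through)."""
    return (a ^ b) & 0xFF

def encrypt_plaintext_chained(plaintext: bytes) -> bytes:
    """c[0] = p[0]; c[i] = p[i] XOR p[i-1]: previous plaintext byte is the key."""
    out, prev = bytearray(), 0x00          # 0x00 key leaves the first byte alone
    for p in plaintext:
        out.append(xor_byte(p, prev))
        prev = p                           # next key is this plaintext byte
    return bytes(out)

def decrypt_plaintext_chained(ciphertext: bytes) -> bytes:
    """p[i] = c[i] XOR p[i-1]. Must run front to back, because each step
    needs the plaintext byte that was just recovered."""
    out, prev = bytearray(), 0x00
    for c in ciphertext:
        prev = xor_byte(c, prev)           # recovered byte doubles as next key
        out.append(prev)
    return bytes(out)

def encrypt_ciphertext_chained(plaintext: bytes) -> bytes:
    """c[0] = p[0]; c[i] = p[i] XOR c[i-1]: previous ciphertext byte is the key."""
    out, prev = bytearray(), 0x00
    for p in plaintext:
        prev = xor_byte(p, prev)           # emitted byte doubles as next key
        out.append(prev)
    return bytes(out)

def decrypt_ciphertext_chained(ciphertext: bytes) -> bytes:
    """p[i] = c[i] XOR c[i-1]. Every key is already in the ciphertext, so this
    variant can be worked in either direction."""
    return bytes(xor_byte(c, k) for k, c in zip(b"\x00" + ciphertext, ciphertext))

def hex_bytes(data: bytes) -> str:
    """Space-separated hex bytes, the layout the nudges say the messages use."""
    return data.hex(" ")

if __name__ == "__main__":
    msg = b"DUMP LOCATION"                 # constructed sample, not game traffic
    ct = encrypt_plaintext_chained(msg)
    print(hex_bytes(ct), decrypt_plaintext_chained(ct))
    # Undoing it with the other chaining rule gives the gibberish the thread describes.
    print(decrypt_ciphertext_chained(ct))
```

Whichever variant the game uses, the first ciphertext byte is the first plaintext byte, which is why decrypting in the wrong direction or with the wrong "previous byte" turns everything after it into noise.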
@Treppengeist that's how I felt for ages! It just means when you crack it you will feel amazing! PM me if you would like some hints beyond what others have posted