Mission #25

Discussion in 'Missions Center' started by crux, Mar 4, 2016.

  1. Watch2300

    Watch2300 New Agent

    After a week of getting more and more frustrated i found a solution that i should have used the first time. But i'm fairly lazy.
    So for those who are still banging there heads against a wall, try the following for solving 25.2;
    1) Convert Hex to Bin
    2) Open notepad and write out the Bin code on a line(s)
    3) Write down the passphrase beneath the encrypted Bin code
    Rolling XOR, where the precending, former Byte is the password of the next Byte
    4) Decrypt on the next line by hand the encrypted code.
    De-Cipher by example:
    Encrypt 0011
    Passwrd 0101
    Decrypt 0110
    Following 0+0=0; 0+1=1; 1+0=1; 1+1=0
    5) Convert solution to Text
    6) Check Letter from Team 4
    "It is probably an instruction to Set the location for where to Dump sensitive information from infected machines."
    7) Use solution.
    Petry likes this.
  2. Grey Ronin

    Grey Ronin Active Agent

    So I got frustrated enough with this mission that I eventually just threw in the towel and took a 6 month break from the Watchmen. Even with all the help posted on this thread, I still feel clueless. I surrender. Would someone please just PM me the solution so I can move on...?
  3. codex-13

    codex-13 Senior Agent

    Hey man, send me a PM. I'll help you work through it step by step.
  4. Grey Ronin

    Grey Ronin Active Agent

    Got the help I needed. Thanks a lot team. Back to fighting the good fight.
    2 people like this.
  5. Willowmyst

    Willowmyst Active Agent

    I've been trying and trying to decrypt this using the advice from Watch2300, but I just can't seem to get anything but a load of gibberish. It's getting very frustrating, and any help, nudges, slaps in the face would be greatly appreciated.
  6. Watch2300

    Watch2300 New Agent

    Tip; Do not write all the binary code in one continuing long line, but group them up for a better overview.
    00000000 00000000 etc.
    Last edited by a moderator: Oct 21, 2016
  7. Willowmyst

    Willowmyst Active Agent

    Well, I've had a break and I've had a few more tries at this one but I just can't seem to end up with anything other than a load of gibberish. I've tried everything suggested but I must be doing something wrong, it's so frustrating. Can anyone help so that I can carry on with the game?
  8. Watch2300

    Watch2300 New Agent

  9. Jacobdonegood

    Jacobdonegood Active Agent

    Really struggling with this one after a few weeks on it (on and off) - tried all of the above but I think I'm not seeing the wood for the trees.

    I get that the key is the preceding bit of data, and I've tried several variations with the binary and hex codes, using the website linked above, and still can't produce anything that makes sense!

    A bit of guidance?
  10. codex-13

    codex-13 Senior Agent

    Use a XOR calculator that will operate in hex (remember, hex is just a numeric system, not really a cipher). Rolling XOR can be a little bit difficult to understand, so let me see if I can explain it to you visually.
    Hope this makes sense to you! Colors help me a lot when visualizing cipher mechanics.
    Rohzek, Snarkk and Jimbo9 like this.
  11. Jacobdonegood

    Jacobdonegood Active Agent

    Solved! Many thanks.

    For those struggling where I did:

    Go backwards

    Such a simple thing to get tripped up by!
    Anashel likes this.
  12. Kestrel

    Kestrel New Agent

    I think I'm in the same boat as several of the previous agents above, have taken everything suggested above into account for 25.2 but can't come up with anything that is not gibberish. Somewhat frustrating as I had been on a roll for a while until this roadblock and have completely lost the momentum as a result, set this aside for a few weeks/months now. Anything would be helpful at this point, up to and including the actual solution. I know, I know, I will own my shame...
  13. codex-13

    codex-13 Senior Agent

    Hey! Don't give up hope, this one is tough. :) Shoot me a PM and I'll happily walk you through step-by-step how this encryption system works. No question is a bad question if it increases your understanding!
  14. Kestrel

    Kestrel New Agent

    Solved it. Once more unto the breach...thanks for the much needed nudge.
  15. Fuzzy

    Fuzzy New Agent

    I'm banging my head against the wall trying to figure out 25.2. I've gone through all the advice so far and I'm still at a dead end. Any help (short of the answer) would be must appreciated!
  16. AgentZeus

    AgentZeus Senior Agent

    Months. That is how long I have been stuck on this decryption puzzle!:eek: Massive thanks to @Watch2300 and @codex-13 those tips and that colored chart finally made the light bulb switch on and I have cracked it. Time for a well earned pint :D Thanks again folks! :)
  17. berzerk0

    berzerk0 Active Agent


    Nudges provided in this post will include hints that include information hinted at in posts before it.
    If you wish, you can look at this post and get all hints given in this thread before this post was made.


    25-1 Malware Sample

    Pretty Straightforward if you follow the NITE Team's Instructions

    Malware is most often tailored to a given operating system, and can attack specific system files.

    Bigger, Final Nudge
    What specific files does this malware target?
    Can you find any other strains of malware that target the same ones?
    What about this malware's actual executable file?


    25-2 Encrypted Traffic

    Let's Start with a little bit of background info from your friendly neighborhood Cybersecurity student.

    Background on this method of Encryption, Nudges Included:
    The Spoiler tags not marked with Nudge are to keep the post nice and compressed, not to actually hide any spoilers.

    XOR encryption is a method of "additive" cipher encryption. This means a plaintext message is broken down into blocks or a stream of binary digits, 1's and 0's, and transformed.

    The original plaintext message is then transformed by combining it with a key string (also made of binary digits) via a bitwise operation - in this case, the XOR function.

    What are bitwise operations?
    The simplest bitwise operator to understand is AND - which outputs a 1 (true) if and only if BOTH inputs are 1.

    AND Truth Table:
    0 & 0 = 0
    0 & 1 = 0
    1 & 0 = 0
    1 & 1 = 1

    If the binary logic isn't too obvious to you, consider this.
    You can only say "That's a spicy meatball!" after eating something that is both:
    Consider the Following Foods:
    1. Regular Bread with no toppings
      1. not Spicy ( A = 0) and not a meatball (B = 0)
      2. 0 & 0 = 0, we can't eat bread and say "That's a spicy meatball!"
    2. Ikea Meatball
      1. not Spicy (A=0) and a meatball (B = 1)
      2. 0 & 1 = 0, we can't eat the Ikea Metball and say "That's a spicy meatball!"
    3. Ghost Pepper (over 1 million Scoville (spicy) units)
      1. Very Spicy (A = 1) and not a meatball (B = 0)
      2. 1 & 0 = 0, we can't eat the Ghost Pepper and say "That's a spicy meatball!" (Also because we will be crying and might have to go to the hospital)
    4. A Spicy Meatball
      1. Spicy! (A =1) and a meatball! (B = 1)
      2. 1 & 1 = 1, we can say "That's a Spicy Meatball!"

    What is the XOR function and why is it used?
    XOR, or exclusive OR, is a bitwise operation that outputs a 1 if one (and only one) of the two inputs is true.

    XOR Truth Table:
    0 xor 0 = 0
    0 xor 1 = 1
    1 xor 0 = 1
    1 xor 1 = 0

    if our plaintext is the number 19 (in decimal), rendered in binary as 10011 and our key string is the number 9 (in decimal), rendered in binary as 01001

    1 0 0 1 1
    0 1 0 0 1
    1 1 0 1 0

    Our ciphertext is 11010, the number 26.

    Why is XOR used? It is also its own reverse!

    1 0 0 1 1 (19)
    1 1 0 1 0 (26)
    0 1 0 0 1 (9)

    Do you see a method of simply passing the input to the output?
    (it involves a certain key string)

    Note that for this example I only used 5 bits. Most of the time, a byte is used (8 bits)

    Therefore our encryption works via:
    plaintext XOR key = ciphertext
    plaintext XOR ciphertext = key
    ciphertext XOR key = plaintext

    The operations are:
    Associative: P xor K = C and P = K xor C
    Reflexive: P xor K = K xor P = C

    But we don't have binary, how can we do bitwise operations?
    Hexadecmial is the most common form of shorthand for binary that uses base 16.
    It goes from 0-F (15), and is written 8 bits a time:

    So, if have the number zero, it can be written like so:
    • Decimal: 0
    • Binary: 00000000 (I used 8 bits to show it as a byte.)
    • Hexadecimal: 00 (each hex digit represents 4 bits, and are found in pairs)
    Now for the number twenty one:
    • Decimal: 21 (2 tens (10^1) and 1 one (10^0))
    • Binary: 00010101 (1 sixteen (2^4) + 1 four (2^2) + 1 one (2^0))
    • Hexadecimal: 15 (1 sixteen(16^1) + 5 ones (16^0))

    So, using the same operations as before, we can just do it shorthand:
    Code = 19 (decimal) = 13 (hex)
    Key = 10 (decimal) = 0A (hex)
    (since we don't have a whole sixteen in the one's place, we use letters to represent ten through fifteen)

    13 xor 0A (hex) == 10011 xor 01001 (binary)

    Most of the time this conversion is done behind the scenes by programs

    A handy XOR Calculator, but I'm going to make you work a LITTLE bit:

    Fun Fact:
    An encoder that uses polymorphic additive XOR functionality (a frequently changing key) is called Shikata Ga Nai by the Cybersecurity/Hacker community - this is Japanese for "it cannot be helped" or "nothing can be done about it." Malicous code encrypted using this method "cannot be discovered" by an antivirus program.

    Real Nudges:
    Have you found any information on the base strain of malware from before

    There are many articles that discuss breaking a complicated method of encryption, but the earliest version of the malware used a simpler method.
    It didn't use polymorphic xor encryption.

    The SANS institute has a good paper on the malware.

    Bigger Nudge:
    Hexadecimal messages are bytes separated by space.

    The simple types of encryption can use a variation of the plaintext as the key.

    Biggest, Cryptic Nudges:
    Ouroboros can't bite its own head.

    MUCH Less Cryptic
    Leave the first byte alone.

    How? Look at the XOR Truth Table - what key can you apply to simply pass the input to the output?
    Last edited: May 15, 2018
    Petry and Snarkk like this.
  18. Treppengeist

    Treppengeist Active Agent

    I fear this might be too complicated for my noggin. :/
  19. AgentZeus

    AgentZeus Senior Agent

    @Treppengeist that's how I felt for ages! It just means when you crack it you will feel amazing! :D

    PM me if you would like some hints beyond what others have posted
  20. Treppengeist

    Treppengeist Active Agent

    Gosh, it's done, thanks to @berzerk0 - couldn't have done it without you. Thanks so much!
    AgentZeus likes this.

Share This Page