I really need help for this case, that's the hardest I've tried. I'm stuck, not so far from the answer I think but right now I'm becoming a little bit crazy. Spoiler: MAYBE HUGE SPOILERS = what I did in 25.2 I know it's a rolling XOR-based cypher. I first transcribed the HEX to binary, then with ASCII tables I transcribed my binary to what I assume to be the key. For example, the first part of the data is HEX 73: in binary I have 01110011. So I took the bin before this one and got 01110010 => I chose this one as a key and got 00000001. Which is pure nonsense for me. I've tried different orders (n+1 or n-1 for the key), still with absurd results. I've tried different transcriptions, BIN, HEX, Unicode... but I never had a nice plaintext box. I've used several websites like asciitohex; r12a.github.io/uniview/ ; darkfader.net/toolbox/convert/ but I still don't get it... Can I have a huge nudge here or by PM please? Also I have to note that English is not my native language.
Thanks for your quick answer. I'm already on your own nudges. I'll keep that way a bit more, but if I'm still stuck I'll be glad to talk about this with you. EDIT: And it's doooooooooooooooone! Woah! The hardest case in my short career with the Black Watchmen. Many, many thanks to all the agents who shared their nudges about this case. I have few things to add for future desperate agents. Spoiler: 25.2 obviously
* if you're still stuck on what kind of encryption is in front of you, remember that you're starting from a Malware.
* read carefully previous nudges, the ones from @berzerk0 are very complete
* take a moment to watch several times @codex-13's schema. It breaks the case for me, but I first had to internalize it.
* Some letters missing? Or some agents missing letters?
* That's all, you REALLY have everything sent by the agency and here to complete the mission, trust me.
Good luck to future agents, I need a short pause before mission 26.
This one (25.2) really confused me and my girlfriend as well. We were stuck on it for longer than I'd like to admit, but we eventually got it. Spoiler: A little help The post by codex-13 is it 100%, but I figured I'd help a little more than that, as well, if anyone wants it. Spoiler: A much bigger help Rather than calculating it by hand, I wrote a short bit of code in Java to do it for me. I'm not going to give you the answer, but if you want to use the code to visualize the calculations, or want to run it yourself, here it is:

Code:

    // XOR.java
    public class XOR {
        /*
         * Outputs one bitstring at a time
         */
        public static String xorDecrypt(String input, String key) {
            String output = "";
            // Compare the two bit strings position by position:
            // equal bits give 0, different bits give 1 (that is XOR).
            for (int i = 0; i < input.length(); i++) {
                char eval = input.charAt(i), keyval = key.charAt(i);
                if (eval == keyval) {
                    output += "0";
                } else {
                    output += "1";
                }
            }
            return output;
        }
    }

    // Main.java
    import java.util.ArrayList;
    import java.util.Collections;

    public class Main {
        static String[] binary = {
            //Input your bit strings here
        };
        static ArrayList<String> output = new ArrayList<String>();

        public static void main(String[] args) {
            // Walk from the last bit string back to the second one,
            // XORing each with the bit string that precedes it.
            for (int i = (binary.length - 1); i > 0; i--) {
                output.add(XOR.xorDecrypt(binary[i], binary[i - 1]));
            }
            // The first bit string has no predecessor and is kept as it is.
            output.add(binary[0]);
            Collections.reverse(output);
            for (String out : output) {
                System.out.print(out + " ");
            }
        }
    }

It takes byte strings in, and puts them back out, so you'll need to convert the hex to binary, and then the binary it outputs, back to ascii.
Okay, I'm stuck on 25.2 myself. Spoiler: progress I found the IP address, but the first word I'm confused about. I decrypted the whole thing, but if et means @, the letters don't fill in. I'm short a couple letters of the answer.
@Halokrauser - you are very close, the same thing happened to me a few times. Spoiler Spoiler You are missing the first letter. This is due to a quirk of the encryption method. Make sure you read it carefully from the SANS guide about this version of the malware (it is the first version) Esoteric Hint about this encryption method: Spoiler Ouroboros cannot bite his own head.
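An added example, not part of any post in this thread and not the Java project mentioned in it: the rolling XOR from the Java post above, working directly on hex bytes, next to the decoding slip that loses the first letter. It assumes the scheme that Java code implements (each byte XORed with the preceding encoded byte, first byte passed through); the function names and the sample message are made up for illustration.

```python
# Added example: rolling XOR on raw bytes. All sample data is constructed.

def rolling_xor_encode(plain: bytes) -> bytes:
    """c[0] = p[0]; c[i] = p[i] XOR c[i-1]."""
    out = bytearray()
    prev = 0  # the first byte has no predecessor: XOR with 0 leaves it unchanged
    for b in plain:
        prev = b ^ prev
        out.append(prev)
    return bytes(out)


def rolling_xor_decode(cipher: bytes) -> bytes:
    """p[0] = c[0]; p[i] = c[i] XOR c[i-1]."""
    if not cipher:
        return b""
    out = bytearray([cipher[0]])  # first byte is already plaintext
    for prev, cur in zip(cipher, cipher[1:]):
        out.append(cur ^ prev)
    return bytes(out)


def decode_dropping_first(cipher: bytes) -> bytes:
    """The slip: byte 0 is used only as a key and never emitted."""
    return bytes(cur ^ prev for prev, cur in zip(cipher, cipher[1:]))


def decode_hex_dump(dump: str) -> bytes:
    """Decode a dump such as '72 1d 71'; fromhex ignores the spaces."""
    return rolling_xor_decode(bytes.fromhex(dump))


SAMPLE_PLAIN = b"rolling xor demo"  # constructed sample message
SAMPLE_HEX = rolling_xor_encode(SAMPLE_PLAIN).hex(" ")

if __name__ == "__main__":
    print("encoded hex :", SAMPLE_HEX)
    print("decoded     :", decode_hex_dump(SAMPLE_HEX))
    print("first lost  :", decode_dropping_first(bytes.fromhex(SAMPLE_HEX)))
```

Every encoded byte after the first looks like noise when converted straight to ASCII, which is why a plain hex-to-text conversion of such traffic is unreadable.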
I'm completely lost here even with all the hints, I know that the report is in hexadecimal, converting them makes no sense whatsoever: Spoiler sbtkKyN`SgIxL~PeT So I have no idea what to do, a PM or any other help would be appreciated
@misstriggermortiss at what stage are you stuck? If the other hints in this post haven't helped, start a convo with me
Like some others I am totally stumped by decoding the message. If anyone can help please PM me. EDIT: Got it with the help of fathamburger on discord, it's simpler than it appears, I swear.
Hey guys, so last December I posted a hint for 25.2 and now today, I have a bit more of an iteration on the same hint. Spoiler: It's a bit of a heavy handed hint... So I asked the mods if they thought it was appropriate, given how effective of a hint it is... It seems most of the mods agree it's okay. So... I've taken the java code that I wrote in December and polished it up a lot, made it a runnable jar file, and added a GUI. This can both encode and decode using the Rolling XOR technique, and displays the output in both the encrypted and unencrypted/decrypted binary and hex so that you can look at them side by side, and hopefully better understand how the algorithm works, along with codex-13's picture. The GUI: Here's the link to the project page, if you want to see the code, too. And the runnable jar can be found under the releases. It was written with Java 8 in mind, and it seems Java 10 won't work correctly. (a friend of mine couldn't get it to work on Java 10)
Thanks I see that. I have no idea why imgur decided to drop it. I'll get it changed as soon as I can. (It's currently blocking my change for being "spam-like")
Update: Nevermind, got it. No one responded but I managed to get the answer. -- So I've been slowly making my way through this game for a while; I'm no great puzzle mastermind and this one ("Encrypted Traffic", plaintext message from traffic logs) is beyond me. It makes my eyes cross and my brain stop; I'm at the point where I just want the answer to get past it -- and I won't feel bad about it either because I've got no ego about this kind of thing and I'm absolutely ticked off, lol. Would someone kindly PM me with the answer? I've really had it.
Useful resources I found for those struggling with 25.2 Spoiler This document was gold about getting the decoding method to use https://www.sans.org/reading-room/whitepapers/detection/analysis-gameover-zeus-network-traffic-35742 Then I used this to make some calculations https://xor.pw/#
Big thanks! I was having trouble trying to find that freaking paper. It doesn't help that apparently they recently released a new one in 2021. After reading that, it all made sense
I am still stuck at 25.2. I know the encryption, I converted the hex to bin, I read the paper. It seems I am too dumb for this. xD I tried out the first byte as the first key and go on from there, but I just get funny results. Maybe someone can help me here or via PM? Thanks in advance!