Solving Kevin Mitnick's Ghost in The Wires encrypted messages.
I received today my copy of Kevin Mitnick's book:
Ghost in The Wires.
It is a great read so far. But even more interesting are the ciphered sentences at the beginning of
each chapters. I am trying to solve all of them but if you can contribute: comment or send me an email !
EDIT (September 11, 2011 1:04am): All codes have been broken, this page is the complete solution to "Ghost in The Wires".
Post-mortem : Most of the cryptograms were simple constant ROT and the program I wrote to solve them proved very efficient. The program was inspired by an excellent book by Simon Singh:
The Code Book:
The Science of Secrecy from Ancient Egypt to Quantum Cryptography". In this book Singh described how Alan Turing exploited the cribs
in Nazy Enigma encrypted messages by looking for the probable location of the german word "WETTER" ("weather" in english). The "colossus"
could only test 5 letters in order to find the key of the day but nowadays the raw power allowed me to test all possible rotations searching for
cribs in Mitnik sentences (since most seemed to be "questions": the program automatically searched for "WHAT","WHY,"WHERE" and others words usually found at the beginning of a sentence).
This method allowed to decrypt 50% of the messages within 30 seconds...and since the other 50% can be decrypted using the answer from the previous question:
Almost all cryptograms were decoded thanks to Turin's work to break Enigma....60 years ago.
The Challenge
If you want to play around, here are all the ciphered strings:
char* cypheredText[] =
{
/*1 SOLVED*/
"yjcv ku vjg pcog qh vjg uauvgo wugf da jco qrgtcvqtu vq ocmg htgg rjqpg ecnnu ?",
/*2 SOLVED*/
"wbth lal voe htat oy voe wxbirtn vfzbqt wagye C poh aeovsn vojgav ?",
/*3 SOLVED*/
"Nyrk grjjnfiu uzu Z xzmv kf jvklg re rttflek fe Kyv Rib ?",
/*4 SOLVED*/
"Flle ujw esc wexp mo xsp kjr hsm hiwwcm, \"Wplpll stq lec qma e wzerg mzkk!\" ?",
/*5 SOLVED*/
"Bmfy ytbs ini N mnij tzy ns zsynq ymj Ozajsnqj Htzwy qtxy ozwnxinhynts tajw rj ?",
/*6 SOLVED*/
"Kyoo olxi rzr Niyovo Cohjpcx ojy dn T apopsy ?",
/*7 SOLVED*/
"Kvoh wg hvs boas ct hvs Doqwtwq Pszz sadzcmss kvc fsor hvs wbhsfboz asac opcih am voqywbu oqhwjwhwsq cjsf hvs voa forwc ?" ,
/*8 SOLVED*/
"Iwh xwqv wpvpj fwr Vfvyj qks wf nzc ncgsoo esg psd gwc ntoqujvr ejs rypz nzfs ?",
/*9 SOLVED*/
"Hsle td esp epcx qzc dzqehlcp mfcypo zy esp nsta esle Yzglepw dpye xp ?",
/*10 SOLVED*/
"Bprf cup esanqneu xmm gtknv amme U biiwy krxheu Iwqt Taied ?",
/*11 SOLVED*/
"Lwpi idlc sxs bn upiwtg axkt xc lwtc X bdkts xc lxiw wxb ?",
/*12 SOLVED*/
"Yhlt xak tzg iytfrfad RanBfld squtpm uhst uquwd ce mswf tz wjrwtsr a wioe lhsv Ecid mwnlkoyee bmt oquwdo't ledn mp acomt ?",
/*13 SOLVED*/
"Zkdw lv wkh qdph ri wkh SL ilup wkdw zdv zluhwdsshg eb Sdflilf Ehoo ?",
/*14 SOLVED*/
"Plpki ytw eai rtc aaspx M llogw qj wef ms rh xq ?",
/*15 SOLVED*/
"Ituot oaybmzk ymwqe ftq pqhuoq ftmf Xqiue geqp fa buow gb mzk dmpua eusmxe zqmd Qduo ?",
/*16 SOLVED*/
"Kwth qzrva rbq lcq rxw Svtg vxcz zm vzs lbfieerl nsem rmh dg ac oef'l cwamu ?",
/*17 SOLVED*/
"Epib qa bpm vium wn bpm ixizbumvb kwuxtmf epmzm Q bziksml lwev Mzqk Pmqvh ?",
/*18 SOLVED*/
"Khkp wg wve kyfcqmm yb hvh TBS oeidr trwh Yhb MmCiwus Wko ogvwgxar hr ?",
/*19 SOLVED*/
"Rcvo dn ivhz ja ocz omvinvxodji oj adiy v kzmnji'n njxdvg nzxpmdot iphwzm pndib oczdm ivhz viy yvoz ja wdmoc ?",
/*20 SOLVED*/
"Wspa wdw gae ypte rj gae dilan lbnsp loeui V tndllrhh gae awvnh \"HZO, hzl jaq M uxla nvu\"",
/*21 SOLVED*/
"4A 75 6E 67 20 6A 6E 66 20 62 68 65 20 61 76 70 78 61 6E 7A 72 20 74 76 69 72 61 20 67 62 \
20 47 72 65 65 6C 20 55 6E 65 71 6C 3F ",
/*22 SOLVED*/
"Gsig cof dsm fkqeoe vnss jo farj tbb epr Csyvd Nnxub mzlr ut grp lne ?",
/*23 SOLVED*/
"Fqjc nunlcaxwrl mnerln mrm cqn OKR rwcnwcrxwjuuh kanjt fqnw cqnh bnjalqnm vh jyjacvnwc rw Ljujkjbjb ?",
/*24 SOLVED*/
"Xvof jq qis bmns lg hvq thlss ktffb J cifsok EAJ uojbthwsbhlsg ?",
/*25 SOLVED*/
"Cngz zuct ngy znk grsg sgzkx lux znk xkgr Kxoi Ckoyy ?",
/*26 SOLVED*/
"Aslx jst rlxi bx ns wgzzcmgw UP jnsh hlrjf nyk TT seq s cojorpdw pssx gxmyeie ao bzy glc ?",
/*27 SOLVED*/
"85 102 121 114 32 103 113 32 114 102 99 32 108 121 107 99 32 109 100 32 114 102 99 32 122 109 105 113 \
114 109 112 99 32 71 32 100 112 99 111 115 99 108 114 99 98 32 103 108 32 66 99 108 116 99 112 63",
/*28 SOLVED*/
"Phtm zvvvkci sw mhx Fmtvr VOX Ycmrt Emki vqimgv vowx hzh L cgf Ecbst ysi ?",
/*29 SOLVED*/
"126,147,172,163, 040, 166,172,162, 040, 154,170, 040, 157,172,162,162,166,156,161,143, 040, 145,156,161,\
040, 163,147,144, 040, 115,156,165,144,153,153, 040, 163,144,161,154,150,155,172,153, 040, 162,144,161,165,\
144,161, 040, 150,155, 040, 122,172,155,040,111,156,162,144,077",
/*30 SOLVED*/
"Ouop lqeg gs zkds ulv V deds zq lus DS urqstsn't wwiaps ?",
/*31 SOLVED*/
"Alex B25 rixasvo hmh M ywi xs xli HQZ qemrjveqi ?",
/*32 SOLVED*/
"Caem alw Ymek Xptq'd tnwlchvw xz lrv lkkzxv ?",
/*33 SOLVED*/
"Ozg ojglw lzw hshwj gf AH Khggxafy lzsl BKR skcww ew stgml ?",
/*34 SOLVED*/
"Nvbx nte hyv bqgs pj gaabv jmjmwdi whd hyv UVT'g Giuxdoc Gctcwd Hvyqbuvz hycoij ?",
/*35 SOLVED*/
"2B 2T W 2X 2Z 26 36 2P 36 2V 3C W 3A 32 39 38 2Z W 3D 33 31 38 2V 36 3D W \
2R 2Z W 3E 3C 2V 2X 2Z 2Y W 3E 39 W 2R 32 2V 2E W 2V 3A 2V 3C 3E 37 2X 38 3E \
W 2X 39 37 3A 36 2Z 2S 1R",
/*36 SOLVED*/
"Lsar JSA cryoi ergiu lq wipz tnrs dq dccfunaqi zf oj wqpctkiel dpzpgp I jstcgo cu dy hgq ?",
/*37 SOLVED*/
"V2hhdCBGQkkgYWdlbnQgYXNrZWQgU3VuIE1pY3Jvc3lzdGVtcyB0byBjbGFpbSB0aGV51Gxvc3QgODAgbWlsbGlvbiBkb2xsYXJzPw==",
/*38 SOLVED*/
"100-1111-10-0 011-000-1-111 00-0100 1101-10-1110-000-101-11-0-1 \
0111-110-00-1001-1-101 111-0-11-0101-010-1-101 111-10-0100 11-00-11",
};
One: Rough Start
yjcv ku vjg pcog qh vjg uauvgo wugf da jco qrgtcvqtu vq ocmg htgg rjqpg ecnnu ?
Looks a lot like words. And it is the first chapter so it is probably the easiest and most known cypher off all time: ROT-2
yjcv ku vjg pcog qh vjg uauvgo wugf da jco qrgtcvqtu vq ocmg htgg rjqpg ecnnu ?
what is the name of the system used by ham operators to make free phone calls ?
Note : There is a good tool online that also provide frequency analysis:
ROT-13 encrypt/decrypt (Caesar cipher). The frequency
distribution is consistent with a ROT encryption:
Edit : I wrote a quick C program called CrackKevin.exe to automate ROT testing. Here it is. It works by testing all 26 ROT and then searching
for keyword in the deciphered string. The output helped to identify very fast a ROT candidate and solved
17 out of the 38 encrypted strings ;) !
Answer : "autopatch"
Two: Just visiting
wbth lal voe htat oy voe wxbirtn vfzbqt wagye C poh aeovsn vojgav ?
I am working on it.The question mark indicate that the first word has to be among:
- What
- How
- Why
- When
- Where
- Which
Since the cypher does not seem to be encoding spaces, we can conclude the first work is four letters long so it is either "what" or "when".
Now a bit of shooting in the dark:
WBTH - WHEN = "22,1,19,7" - "22,7,4,13" = "0,-6,15,- 6"
WBTH - WHAT = "22,1,19,7" - "22,7,0,19" = "0,-6,19,-12"
If we loop on a 0-25 array (example: -6 is actually +20, 19 is 19, -12 is 14)
WBTH - WHEN = "0,20,15,20" = AUPU
WBTH - WHAT = "0,20,19,14" = AUTO
Now "AUTO" is interesting because it is the beginning on the answer to the last question: "autopatch". Writing a quick
Solved with CrackKevin.exe ROT16 was a valid candidate:
Note : It seems odd chapters are using ROT-X permutation.
According to "Hateyou" from fohguild.org the quotation is for "Search his car for a logic bomb!" (a quote from the chapter).
Using Vigenere.exe with key = "jelly":
"Hateyou"'s intuition was correct. I am impressed by this.
Solved with CrackKevin.exe: ROT5
Using Vigenere.exe with key = "oroville":
The 4 "hvs" left no doubt: ROT19 but Solved with CrackKevin.exe anyway ;) !
Using Vigenere.exe with key = "billcook":
Again, the double "esp" was quite suspicious: ROT22 still Solved with CrackKevin.exe.
Using Vigenere.exe with key = "firmware":
ROT-(-11)
Using Vigenere.exe with key = "calabasas":
Solved with CrackKevin.exe (ROT4)
Using Vigenere.exe with key = "teltec":
Solved with CrackKevin.exe (ROT21)
Using Vigenere.exe with key = "optoelectronics":
Solved with CrackKevin.exe ROT25 was a valid candidate:
Using Vigenere.exe with key = "oakwood":
Solved with CrackKevin.exe ROT12 was a valid candidate:
Using Vigenere.exe with key = "alphadent":
Those are hexadecimal value encoding a string:
Sent "Jung jnf bhe avpxanzr tvira gb Greel Uneql ?" to CrackKevin.exe
Using Vigenere.exe with key = "klingon":
Solved with CrackKevin.exe ROT24 was a valid candidate:
Using Vigenere.exe with key = "boombox":
Solved with CrackKevin.exe ROT1 was a valid candidate:
Using Vigenere.exe with key = "ensburgell":
The string is decimal value for characters:
Sent "Ufyr gq rfc lykc md rfc zmiqrmpc G dpcosclrcb gl Bcltcp ?" to CrackKevin.exe
wbth lal voe htat oy voe wxbirtn vfzbqt wagye C poh aeovsn vojgav ?
- auto pat cha utop at cha utopatc hautop atcha u top atchau topatc
= what was the name of the central office where i was almost caught ?
Answer : "Sunset-Gower"
Acknowledgment: Thanks to Krzysztof Narkowicz and Geoff Salmon for helping finding out about Vigenere cypher.
Edit :I wrote an other C program called Vigenere.exe to speedup the Vigenere key testing process. Here it is. And here are the outputs.
Three: Original sin
Nyrk grjjnfiu uzu Z xzmv kf jvklg re rttflek fe Kyv Rib ?
Nyrk grjjnfiu uzu Z xzmv kf jvklg re rttflek fe Kyv Rib ?
What password did I give to setup an account on The Ark ?
Answer : "jelly"
Four: Escape Artist
Flle ujw esc wexp mo xsp kjr hsm hiwwcm, "Wplpll stq lec qma e wzerg mzkk!" ?
Flle ujw esc wexp mo xsp kjr hsm hiwwcm, "Wplpll stq lec qma e wzerg mzkk!" ?
- jell yje lly jell yj ell yje lly jellyj ellyje lly jel lyj e llyje llyj
= what was the name of the man who yelled, "search his car for a logic bomb!" ?
Answer : "Steve Cooley"
Five: All your phone lines belong to me
Bmfy ytbs ini N mnij tzy ns zsynq ymj Ozajsnqj Htzwy qtxy ozwnxinhynts tajw rj ?
Bmfy ytbs ini N mnij tzy ns zsynq ymj Ozajsnqj Htzwy qtxy ozwnxinhynts tajw rj ?
What town did I hide out in until the Juvenile Court lost jurisdiction over me ?
Answer : "oroville"
Six: Will hack for love
Kyoo olxi rzr Niyovo Cohjpcx ojy dn T apopsy?
Kyoo olxi rzr Niyovo Cohjpcx ojy dn T apopsy ?
- orov ille oro villeo roville oro vi l leorov
= what game did sandra lambert ask if i played ?
Answer : "hearts"
Seven: Hitched in Haste
Kvoh wg hvs boas ct hvs Doqwtwq Pszz sadzcmss kvc fsor hvs wbhsfboz asac opcih am voqywbu oqhwjwhwsq cjsf hvs voa forwc?
Kvoh wg hvs boas ct hvs Doqwtwq Pszz sadzcmss kvc fsor hvs wbhsfboz asac opcih am voqywbu oqhwjwhwsq cjsf hvs voa forwc?
WHAT IS THE NAME OF THE PACIFIC BELL EMPLOYEE WHO READ THE INTERNAL MEMO ABOUT MY HACKING ACTIVITIEC OVER THE HAM RADIO
Answer : "Bill Cook"
Eight: Lex Luthor
Iwh xwqv wpvpj fwr Vfvyj qks wf nzc ncgsoo esg psd gwc ntoqujvr ejs rypz nzfs ?
Iwh xwqv wpvpj fwr Vfvyj qks wf nzc ncgsoo esg psd gwc ntoqujvr ejs rypz nzfs ?
- bil lcoo kbill coo kbill coo kb ill cookbi llc ook bil lcookbil lco okbi llco
= how much money did lenny owe me for losing the bet for cracking the door code ?
Answer : "150$"
Nine: The Kevin Mitnick Discount Plan
Hsle td esp epcx qzc dzqehlcp mfcypo zy esp nsta esle Yzglepw dpye xp ?
Hsle td esp epcx qzc dzqehlcp mfcypo zy esp nsta esle Yzglepw dpye xp ?
WHAT IS THE TERM FOR SOFTWARE BURNED ON THE CHIP THAT NOVATEL SENT ME ?
Answer : "firmware"
Ten: Mystery Hacker
Bprf cup esanqneu xmm gtknv amme U biiwy krxheu Iwqt Taied ?
Bprf cup esanqneu xmm gtknv amme U biiwy krxheu Iwqt Taied ?
- firm war efirmwar efi rmwar efir m waref irmewa refi rmwar
= what guy answered the phone when i first called eric heinz ?
Answer : "Henry Spiegel"
Eleven: Foul play
Lwpi idlc sxs bn upiwtg axkt xc lwtc X bdkts xc lxiw wxb ?
Lwpi idlc sxs bn upiwtg axkt xc lwtc X bdkts xc lxiw wxb ?
WHAT TOWN DID MY FATHER LIVE IN WHEN I MOVED IN WITH HIM
Answer : "calabasas"
Twelve: You Can Never Hide
Yhlt xak tzg iytfrfad RanBfld squtpm uhst uquwd ce mswf tz wjrwtsr a wioe lhsv Ecid mwnlkoyee bmt oquwdo't ledn mp acomt ?
Yhlt xak tzg iytfrfad RanBfld squtpm uhst uquwd ce mswf tz wjrwtsr a wioe lhsv Ecid mwnlkoyee bmt oquwdo't ledn mp acomt ?
-cala bas asc alabasas calabas ascala basa scala ba sasc al abasasc a laba sasc alab asascalab asa scalab a sasc al abasa
what was the internal pacbell system that could be used to wiretap a line that eric mentioned but wouldn't tell me about ?
Answer : "SAS"
Thirteen: The Wiretapper
Zkdw lv wkh qdph ri wkh SL ilup wkdw zdv zluhwdsshg eb Sdflilf Ehoo ?
Zkdw lv wkh qdph ri wkh SL ilup wkdw zdv zluhwdsshg eb Sdflilf Ehoo ?
what is the name of the pi firm that was wiretapped by pacific bell ?
Answer : "teltec"
Fourteen: You Tap Me, I Tape You
Plpki ytw eai rtc aaspx M llogw qj wef ms rh xq ?
Plpki ytw eai rtc aaspx M llogw qj wef ms rh xq ?
-telte cte lte cte ltect e ltect el tec te lt ec
where was the pay phone i asked my dad to go to ?
Answer : "teltec"
Fiteen: "How the Fuck Did You Get That ?"
Ituot oaybmzk ymwqe ftq pqhuoq ftmf Xqiue geqp fa buow gb mzk dmpua eusmxe zqmd Qduo ?
Ituot oaybmzk ymwqe ftq pqhuoq ftmf Xqiue geqp fa buow gb mzk dmpua eusmxe zqmd Qduo ?
which company makes the device that lewis used to pick up any radio sigals near eric ?
Answer : "optoelectronics"
Sixteen: Crashing Eric's Private Party
Kwth qzrva rbq lcq rxw Svtg vxcz zm vzs lbfieerl nsem rmh dg ac oef'l cwamu ?
Kwth qzrva rbq lcq rxw Svtg vxcz zm vzs lbfieerl nsem rmh dg ac oef'l cwamu ?
- opto elect ron ics opt oele ctro ni cso ptoelect roni cso pt oe lec t ronic
= what month and day did eric tell me the wiretaps were put on my dad's lines ?
Answer : "January 27"
Seventeen: Pulling Back the Curtain
Epib qa bpm vium wn bpm ixizbumvb kwuxtmf epmzm Q bziksml lwev Mzqk Pmqvh ?
Epib qa bpm vium wn bpm ixizbumvb kwuxtmf epmzm Q bziksml lwev Mzqk Pmqvh ?
what is the name of the apartment complex where i tracked down eric heinz ?
Answer : "oakwood"
Eighteen: Traffic Analysis
Khkp wg wve kyfcqmm yb hvh TBS oeidr trwh Yhb MmCiwus Wko ogvwgxar hr ?
Khkp wg wve kyfcqmm yb hvh TBS oeidr trwh Yhb MmCiwus Wko ogvwgxar hr ?
- oakw oo doa kwoodoa kw ood oak woodo akwo odo akwoodo akw oodoakwo od
= what is the acronym of the fbi squad that ken mcguire was assigned to ?
Answer : "wcc3"
Nineteen: Revelations
Rcvo dn ivhz ja ocz omvinvxodji oj adiy v kzmnji'n njxdvg nzxpmdot iphwzm pndib oczdm ivhz viy yvoz ja wdmoc ?
Rcvo dn ivhz ja ocz omvinvxodji oj adiy v kzmnji'n njxdvg nzxpmdot iphwzm pndib oczdm ivhz viy yvoz ja wdmoc ?
what is name of the transaction to find a person's social security number using their name and date of birth ?
Answer : "alphadent"
Twenty: Reverse String
Wspa wdw gae ypte rj gae dilan lbnsp loeui V tndllrhh gae awvnh "HZO, hzl jaq M uxla nvu" ?
Wspa wdw gae ypte rj gae dilan lbnsp loeui V tndllrhh gae awvnh "HZO, hzl jaq M uxla nvu" ?
- alph ade nta lpha de nta lphad ental phade n talphade nta lphad alp had ent e ntal pha
= what was the name of the steak house where i answered the phone "dmv, how can i help you" ?
Answer : "bob burns"
Twenty-One: Cat and Mouse
4A 75 6E 67 20 6A 6E 66 20 62 68 65 20 61 76 70 78 61 6E 7A 72 20 74 76 69 72 61 20 67 62 20 47 72 65 65 6C 20 55 6E 65 71 6C 3F
char cypher21[] =
{ 0x4A,0x75,0x6E,0x67,0x20,0x6A,0x6E,0x66,0x20,0x62,0x68,0x65,0x20,0x61,
0x76,0x70,0x78,0x61,0x6E,0x7A,0x72,0x20,0x74,0x76,0x69,0x72,0x61,0x20,
0x67,0x62,0x20,0x47,0x72,0x65,0x65,0x6C,0x20,0x55,0x6E,0x65,0x71,0x6C,0x3F,
};
int main(int argc, char** argv)
{
printf("%s\n",cypher21);
return 1;
}
Output: "Jung jnf bhe avpxanzr tvira gb Greel Uneql ?"
Jung jnf bhe avpxanzr tvira gb Greel Uneql ?
[21]: Candidate (ROT20): what was our nickname given to terry hardy ?
Answer : "klingon"
Twenty-Two: Detective Work
Gsig cof dsm fkqeoe vnss jo farj tbb epr Csyvd Nnxub mzlr ut grp lne ?
Gsig cof dsm fkqeoe vnss jo farj tbb epr Csyvd Nnxub mzlr ut grp lne ?
- klin gon kli ngonkl ingo nk ling onk lin gonkl ingon klin go nkl ing
= what was the secret name we used for the wells fargo code of the day ?
Answer : ""
Twenty-Three: Raided
Fqjc nunlcaxwrl mnerln mrm cqn OKR rwcnwcrxwjuuh kanjt fqnw cqnh bnjalqnm vh jyjacvnwc rw Ljujkjbjb ?
Fqjc nunlcaxwrl mnerln mrm cqn OKR rwcnwcrxwjuuh kanjt fqnw cqnh bnjalqnm vh jyjacvnwc rw Ljujkjbjb ?
what electronic device did the fbi intentionally break when they searched my apartment in calabasas ?
Answer : "boombox"
Twenty-Four: Vanishing Act
Xvof jq qis bmns lg hvq thlss ktffb J cifsok EAJ uojbthwsbhlsg ?
Xvof jq qis bmns lg hvq thlss ktffb J cifsok EAJ uojbthwsbhlsg ?
- boom bo xbo ombo xb oom boxbo ombox b oombox boo mboxboomboxbo
= what ic the name of the store where i outran dmv investigators ?
Answer : "kinko"
Twenty-Five: Harry Houdini
Cngz zuct ngy znk grsg sgzkx lux znk xkgr Kxoi Ckoyy ?
Cngz zuct ngy znk grsg sgzkx lux znk xkgr Kxoi Ckoyy ?
what town has the alma mater for the real eric weiss ?
Answer : ""
Twenty-Six: Private Investigator
Aslx jst rlxi bx ns wgzzcmgw UP jnsh hlrjf nyk TT seq s cojorpdw pssx gxmyeie ao bzy glc ?
Aslx jst rlxi bx ns wgzzcmgw UP jnsh hlrjf nyk TT seq s cojorpdw pssx gxmyeie ao bzy glc ?
- ensb urg elle ns bu rgellens bu rgel lensb urg el len s burgelle nsbu rgellen sb urg ell
= wftw pbn name of my favorite tv show where the pi had a business card printer in his car ?
Answer : ""
Twenty-Seven: Here Comes the Sun
85 102 121 114 32 103 113 32 114 102 99 32 108 121 107 99 32 109 100 32 114 102 99 32 122 109 105 113 114 109 112 99 32 71 32 100 112 99 111 115 99 108 114 99 98 32 103 108 32 66 99 108 116 99 112 63
char cypher27[] = {
85, 102, 121, 114, 32, 103, 113, 32, 114, 102, 99, 32, 108, 121, 107, 99, 32, 109, 100, 32,
114, 102, 99, 32, 122, 109, 105, 113, 114, 109, 112, 99, 32, 71, 32, 100, 112, 99, 111, 115,
99, 108, 114, 99, 98, 32, 103, 108, 32, 66, 99, 108, 116, 99, 112, 63};
int main(int argc, char** argv)
{
printf("%s\n",cypher27);
return 1;
}
Output: "Ufyr gq rfc lykc md rfc zmiqrmpc G dpcosclrcb gl Bcltcp ?"
Ufyr gq rfc lykc md rfc zmiqrmpc G dpcosclrcb gl Bcltcp ?
[27]: Candidate (ROT9): what is the name of the bokstore i frequented in denver ?
Twenty-Eight: Trophy Hunter
Phtm zvvvkci sw mhx Fmtvr VOX Ycmrt Emki vqimgv vowx hzh L cgf Ecbst ysi ?
Using Vigenere.exe with key = "tatteredcover":
Phtm zvvvkci sw mhx Fmtvr VOX Ycmrt Emki vqimgv vowx hzh L cgf Ecbst ysi ?
- tatt eredcov er tat tered cov ertat tere dcover tatt ere d cov ertat ter
= what version of the micro tac ultra lite source code did i ask alisa for ?
Answer : ""
Twenty-Nine: Departure
126 147 172 163 040 166 172 162 040 154 170 040 157 172 162 162 166 156 161 143 040 145 156 161 040 163 147 144 040 115 156 165 144 153 153 040 163 144 161 154 150 155 172 153 040 162 144 161 165 144 161 040 150 155 040 122 172 155 040 111 156 162 144 077
040 is seen very often in this serie and is also very interesting because it is also "space" in octal notation:
char text[] =
{
126,147,172,163, //WHAT ?
040,
166,172,162, //WAS ?
040,
154,170,
040,
157,172,162,162,166,156,161,143,
040,
145,156,161,
040,
163,147,144,
040,
115,156,165,144,153,153,
040,
163,144,161,154,150,155,172,153,
040,
162,144,161,165,144,161,
040,
150,155,
040,
122,172,155,
040,
111,156,162,144,077
}
So all character are consistently encoded. Let's try to print out the octal value:
#include <stdio.h>
char text[] ={
0126,0147,0172,0163, 040, 0166,0172,0162, 040, 0154,0170, 040, 0157,\
0172,0162,0162,0166,0156,0161,0143, 040, 0145,0156,0161, 040, 0163,0147,0144, 040,\
0115,0156,0165,0144,0153,0153, 040, 0163,0144,0161,0154,0150,0155,0172,0153, 040,\
0162,0144,0161,0165,0144,0161, 040, 0150,0155, 040, 0122,0172,0155,040,0111,0156,\
0162,0144,077
};
int main(int argc, char** argv)
{
printf("%s\n",text);
return ;
}
Output: Vgzs vzr lx ozrrvnqc enq sgd Mnudkk sdqlhmzk rdqudq hm Rzm Inrd?¦!
Sending this to CrackKevin.exe -> ROT8
Vgzs vzr lx ozrrvnqc enq sgd Mnudkk sdqlhmzk rdqudq hm Rzm Inrd? what was my password for the novell terminal server in san jose?
Thirty: Blindsided
Ouop lqeg gs zkds ulv V deds zq lus DS urqstsn't wwiaps ?
Using Vigenere.exe with key = "snowbird":
Ouop lqeg gs zkds ulv V deds zq lus DS urqstsn't wwiaps ?
- snow bird sn owbi rds n owbi rd sno wb irdsnow b irdsno
= what kind of lock did i pick in the hr manager's office ?
Answer : ""
Thirty-One: Eyes in the Sky
Alex B25 rixasvo hmh M ywi xs xli HQZ qemrjveqi ?
Solved with CrackKevin.exe (ROT3):
Alex B25 rixasvo hmh M ywi xs xli HQZ qemrjveqi ?
what x25 network did i use to the dmv mainframe ?
Thirty-Two: Sleepless in Seattle
Caem alw Ymek Xptq'd tnwlchvw xz lrv lkkzxv ?
Using Vigenere.exe with key = "gtetelenet":
Caem alw Ymek Xptq'd tnwlchvw xz lrv lkkzxv ?
- gtet ele netg tete l enetgtet el ene tgtete
= what was lile elam's password to her server ?
Answer : ""
Thirty-Three: Hacking the Samurai
Ozg ojglw lzw hshwj gf AH Khggxafy lzsl BKR skcww ew stgml ?
Solved with CrackKevin.exe (ROT15):
Ozg ojglw lzw hshwj gf AH Khggxafy lzsl BKR skcww ew stgml ?
who wrote the paper on ip spoofing that jsz askee me about ?
Thirty-Four: Hiding in the Bible Belt
Nvbx nte hyv bqgs pj gaabv jmjmwdi whd hyv UVT'g Giuxdoc Gctcwd Hvyqbuvz hycoij ?
Using Vigenere.exe with key = "robertmorris":
Nvbx nte hyv bqgs pj gaabv jmjmwdi whd hyv UVT'g Giuxdoc Gctcwd Hvyqbuvz hycoij ?
- robe rtm orr isro be rtmor risrobe rtm orr isr o bertmor risrob ertmorri srober
= what was the type of phone service for the mdc's federal public defender phones ?
Answer : ""
Thirty-Five: GameOver
2B 2T W 2X 2Z 26 36 2P 36 2V 3C W 3A 32 39 38 2Z W 3D 33 31 38 2V 36 3D W 2R 2Z W 3E 3C 2V 2X 2Z 2Y W 3E 39 W 2R 32 2V 2E W 2V 3A 2V 3C 3E 37 2X 38 3E W 2X 39 37 3A 36 2Z 2S 1R
Just like in 29, we can notice the repeating W pattern: Could it be space?
2B 2T
W
2X 2Z 26 36 2P 36 2V 3C
W
3A 32 39 38 2Z
W
3D 33 31 38 2V 36 3D
W
2R 2Z
W
3E 3C 2V 2X 2Z 2Y
W
3E 39
W
2R 32 2V 2E
W
2V 3A 2V 3C 3E 37 2X 38 3E
W
2X 39 37 3A 36 2Z 2S 1R
Since this is probably a question this would mean that is starts with IS => 2B=I 2T = S. "ikp" confirmed my intuition: This is base36 encoding. I wrote a tiny program to convert base36 to ASCII:
Se ikNrargx vnutk yomtgry ck zxgikj zu cngV gvgxzsitz iusvrkd?
Now sending it to CrackKevin.exe: ROT20 came back positive:
My cellular phone signals were traced to what apartment complex?
Thirty-Six: An FBI Valentive
Lsar JSA cryoi ergiu lq wipz tnrs dq dccfunaqi zf oj wqpctkiel dpzpgp I jstcgo cu dy hgq ?
Using Vigenere.exe with key = "playersclub":
Lsar JSA cryoi ergiu lq wipz tnrs dq dccfunaqi zf oj wqpctkiel dpzpgp I jstcgo cu dy hgq ?
- play ers clubp layer sc lubp laye rs clubplaye rs cl ubplayers clubpl a yerscl ub pla ye
= what fbi agent tried to look into my briefcase in my cpartment before i locked it on him ?
Answer : ""
Thirty-Seven: Winning the scrapegoat Sweepstakes.
V2hhdCBGQkkgYWdlbnQgYXNrZWQgU3VuIE1pY3Jvc3lzdGVtcyB0byBjbGFpbSB0aGV51Gxvc3QgODAgbWlsbGlvbiBkb2xsYXJzPw==
The "==" at the end is typical of base64 encoding padding:
V2hhdCBGQkkgYWdlbnQgYXNrZWQgU3VuIE1pY3Jvc3lzdGVtcyB0byBjbGFpbSB0aGV51Gxvc3QgODAgbWlsbGlvbiBkb2xsYXJzPw==
What FBI agent asked Sun Microsystems to claim they lost 80 million dollars?
Thirty-Eight: Winning the scrapegoat Sweepstakes.
100-1111-10-0 011-000-1-111 00-0100 1101-10-1110-000-101-11-0-1 0111-110-00-1001-1-101 111-0-11-0101-010-1-101 111-10-0100 11-00-11
100-1111-10-0 //WHAT?
011-000-1-111 //WAS ?
00-0100
1101-10-1110-000-101-11-0-1
0111-110-00-1001-1-101
111-0-11-0101-010-1-101
111-10-0100
11-00-11
As suggested by "ikp", this is morse code.
.-- .... .- - //WHAT
-.. --- . ... //DOES
-- .-.. //ML
..-. .- ...- --- .-. .. - . //FAVORITE
-... ..- -- .--. . .-. //BUMPER
... - .. -.-. -.- . .-. //STICKER
... .- -.-- //SAY
.. -- .. //?
Answer : ""
Recommended readings
Of course read Kevin Mitnik's book. Try to get different perspectives with Tsutomu Shimomura/John Markoff version in "Takedown". Finally read bit about cryptography with "The Code Book" a delicious read!
