September, 8th 2011

Solving Kevin Mitnick's Ghost in The Wires encrypted messages.

I received today my copy of Kevin Mitnick's book: Ghost in The Wires. It is a great read so far. But even more interesting are the ciphered sentences at the beginning of each chapters. I am trying to solve all of them but if you can contribute: comment or send me an email !


EDIT (September 11, 2011 1:04am): All codes have been broken, this page is the complete solution to "Ghost in The Wires".

Post-mortem : Most of the cryptograms were simple constant ROT and the program I wrote to solve them proved very efficient. The program was inspired by an excellent book by Simon Singh: The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography". In this book Singh described how Alan Turing exploited the cribs in Nazy Enigma encrypted messages by looking for the probable location of the german word "WETTER" ("weather" in english). The "colossus" could only test 5 letters in order to find the key of the day but nowadays the raw power allowed me to test all possible rotations searching for cribs in Mitnik sentences (since most seemed to be "questions": the program automatically searched for "WHAT","WHY,"WHERE" and others words usually found at the beginning of a sentence). This method allowed to decrypt 50% of the messages within 30 seconds...and since the other 50% can be decrypted using the answer from the previous question: Almost all cryptograms were decoded thanks to Turin's work to break Enigma....60 years ago.

The Challenge


If you want to play around, here are all the ciphered strings:

				 
				
 char* cypheredText[] = 
 {
	/*1 SOLVED*/
	"yjcv ku vjg pcog qh vjg uauvgo wugf da jco qrgtcvqtu vq ocmg htgg rjqpg ecnnu ?",
	
	/*2 SOLVED*/
	"wbth lal voe htat oy voe wxbirtn vfzbqt wagye C poh aeovsn vojgav ?",
	
	/*3 SOLVED*/
	"Nyrk grjjnfiu uzu Z xzmv kf jvklg re rttflek fe Kyv Rib ?",
	
	/*4 SOLVED*/
	"Flle ujw esc wexp mo xsp kjr hsm hiwwcm, \"Wplpll stq lec qma e wzerg mzkk!\" ?",
    
	/*5 SOLVED*/
	"Bmfy ytbs ini N mnij tzy ns zsynq ymj Ozajsnqj Htzwy qtxy ozwnxinhynts tajw rj ?",
	
	/*6 SOLVED*/
	"Kyoo olxi rzr Niyovo Cohjpcx ojy dn T apopsy ?",
	
	/*7 SOLVED*/
	"Kvoh wg hvs boas ct hvs Doqwtwq Pszz sadzcmss kvc fsor hvs wbhsfboz asac opcih am voqywbu oqhwjwhwsq cjsf hvs voa forwc ?" ,
	
	/*8 SOLVED*/
	"Iwh xwqv wpvpj fwr Vfvyj qks wf nzc ncgsoo esg psd gwc ntoqujvr ejs rypz nzfs ?",
	
	/*9 SOLVED*/
	"Hsle td esp epcx qzc dzqehlcp mfcypo zy esp nsta esle Yzglepw dpye xp ?",
	
	/*10 SOLVED*/
	"Bprf cup esanqneu xmm gtknv amme U biiwy krxheu Iwqt Taied ?",
	
	/*11 SOLVED*/
	"Lwpi idlc sxs bn upiwtg axkt xc lwtc X bdkts xc lxiw wxb ?",
	
	/*12 SOLVED*/
	"Yhlt xak tzg iytfrfad RanBfld squtpm uhst uquwd ce mswf tz wjrwtsr a wioe lhsv Ecid mwnlkoyee bmt oquwdo't ledn mp acomt ?",
	
	/*13 SOLVED*/
	"Zkdw lv wkh qdph ri wkh SL ilup wkdw zdv zluhwdsshg eb Sdflilf Ehoo ?",
    
	/*14 SOLVED*/
	"Plpki ytw eai rtc aaspx M llogw qj wef ms rh xq ?",
    
	/*15 SOLVED*/
	"Ituot oaybmzk ymwqe ftq pqhuoq ftmf Xqiue geqp fa buow gb mzk dmpua eusmxe zqmd Qduo ?",
	
	/*16 SOLVED*/
	"Kwth qzrva rbq lcq rxw Svtg vxcz zm vzs lbfieerl nsem rmh dg ac oef'l cwamu ?",
	
	/*17 SOLVED*/
	"Epib qa bpm vium wn bpm ixizbumvb kwuxtmf epmzm Q bziksml lwev Mzqk Pmqvh ?",
	
	/*18 SOLVED*/
	"Khkp wg wve kyfcqmm yb hvh TBS oeidr trwh Yhb MmCiwus Wko ogvwgxar hr ?",
	
	/*19 SOLVED*/
	"Rcvo dn ivhz ja ocz omvinvxodji oj adiy v kzmnji'n njxdvg nzxpmdot iphwzm pndib oczdm ivhz viy yvoz ja wdmoc ?",
	
	/*20 SOLVED*/
	"Wspa wdw gae ypte rj gae dilan lbnsp loeui V tndllrhh gae awvnh \"HZO, hzl jaq M uxla nvu\"",
	
	/*21 SOLVED*/
	"4A 75 6E 67 20 6A 6E 66 20 62 68 65 20 61 76 70 78 61 6E 7A 72 20 74 76 69 72 61 20 67 62 \
	 20 47 72 65 65 6C 20 55 6E 65 71 6C 3F ",
	
	
	/*22 SOLVED*/
	"Gsig cof dsm fkqeoe vnss jo farj tbb epr Csyvd Nnxub mzlr ut grp lne ?",
	
	/*23 SOLVED*/
	"Fqjc nunlcaxwrl mnerln mrm cqn OKR rwcnwcrxwjuuh kanjt fqnw cqnh bnjalqnm vh jyjacvnwc rw Ljujkjbjb ?",
	
	/*24 SOLVED*/
	"Xvof jq qis bmns lg hvq thlss ktffb J cifsok EAJ uojbthwsbhlsg ?",
	
	/*25 SOLVED*/
	"Cngz zuct ngy znk grsg sgzkx lux znk xkgr Kxoi Ckoyy ?",
	
	/*26 SOLVED*/
	"Aslx jst rlxi bx ns wgzzcmgw UP jnsh hlrjf nyk TT seq s cojorpdw pssx gxmyeie ao bzy glc ?",
	
	/*27 SOLVED*/
	"85 102 121 114 32 103 113 32 114 102 99 32 108 121 107 99 32 109 100 32 114 102 99 32 122 109 105 113 \
	 114 109 112 99 32 71 32 100 112 99 111 115 99 108 114 99 98 32 103 108 32 66 99 108 116 99 112 63",
	
	
	/*28 SOLVED*/
	"Phtm zvvvkci sw mhx Fmtvr VOX Ycmrt Emki vqimgv vowx hzh L cgf Ecbst ysi ?",
	
	/*29 SOLVED*/
	"126,147,172,163, 040, 166,172,162, 040, 154,170, 040, 157,172,162,162,166,156,161,143, 040, 145,156,161,\
	 040, 163,147,144, 040, 115,156,165,144,153,153, 040, 163,144,161,154,150,155,172,153, 040, 162,144,161,165,\ 
	 144,161, 040, 150,155, 040, 122,172,155,040,111,156,162,144,077",
	
	/*30 SOLVED*/
	"Ouop lqeg gs zkds ulv V deds zq lus DS urqstsn't wwiaps ?",
	
	/*31 SOLVED*/
	"Alex B25 rixasvo hmh M ywi xs xli HQZ qemrjveqi ?",
	
	/*32 SOLVED*/
	"Caem alw Ymek Xptq'd tnwlchvw xz lrv lkkzxv ?",
	
	/*33 SOLVED*/
	"Ozg ojglw lzw hshwj gf AH Khggxafy lzsl BKR skcww ew stgml ?",
	
	/*34 SOLVED*/
	"Nvbx nte hyv bqgs pj gaabv jmjmwdi whd hyv UVT'g Giuxdoc Gctcwd Hvyqbuvz hycoij ?",
	
	/*35 SOLVED*/
	"2B 2T W 2X 2Z 26 36 2P 36 2V 3C W 3A 32 39 38 2Z W 3D 33 31 38 2V 36 3D W \
	2R 2Z W 3E 3C 2V 2X 2Z 2Y W 3E 39 W 2R 32 2V 2E W 2V 3A 2V 3C 3E 37 2X 38 3E \
	W 2X 39 37  3A 36 2Z 2S 1R",
	
	/*36 SOLVED*/
	"Lsar JSA cryoi ergiu lq wipz tnrs dq dccfunaqi zf oj wqpctkiel dpzpgp I jstcgo cu dy hgq ?",
	
	/*37 SOLVED*/
	"V2hhdCBGQkkgYWdlbnQgYXNrZWQgU3VuIE1pY3Jvc3lzdGVtcyB0byBjbGFpbSB0aGV51Gxvc3QgODAgbWlsbGlvbiBkb2xsYXJzPw==",
	
	/*38 SOLVED*/
	"100-1111-10-0 011-000-1-111 00-0100 1101-10-1110-000-101-11-0-1 \
	0111-110-00-1001-1-101 111-0-11-0101-010-1-101 111-10-0100 11-00-11",

 };

One: Rough Start


yjcv ku vjg pcog qh vjg uauvgo wugf da jco qrgtcvqtu vq ocmg htgg rjqpg ecnnu ?

Looks a lot like words. And it is the first chapter so it is probably the easiest and most known cypher off all time: ROT-2

					

            yjcv ku vjg pcog qh vjg uauvgo wugf da jco qrgtcvqtu vq ocmg htgg rjqpg ecnnu ?
            what is the name of the system used by ham operators to make free phone calls ?
			
			
			

Note : There is a good tool online that also provide frequency analysis: ROT-13 encrypt/decrypt (Caesar cipher). The frequency distribution is consistent with a ROT encryption:

Edit : I wrote a quick C program called CrackKevin.exe to automate ROT testing. Here it is. It works by testing all 26 ROT and then searching for keyword in the deciphered string. The output helped to identify very fast a ROT candidate and solved 17 out of the 38 encrypted strings ;) !


Answer : "autopatch"

Two: Just visiting


wbth lal voe htat oy voe wxbirtn vfzbqt wagye C poh aeovsn vojgav ?

I am working on it.The question mark indicate that the first word has to be among:

			
			
        - What
        - How
        - Why
        - When
        - Where
        - Which
			
			
			

Since the cypher does not seem to be encoding spaces, we can conclude the first work is four letters long so it is either "what" or "when". Now a bit of shooting in the dark:

			
			
      WBTH - WHEN = "22,1,19,7" - "22,7,4,13" =  "0,-6,15,- 6" 
      WBTH - WHAT = "22,1,19,7" - "22,7,0,19" =  "0,-6,19,-12"
      
      If we loop on a 0-25 array (example: -6 is actually +20, 19 is 19, -12 is 14)
      
      WBTH - WHEN = "0,20,15,20" = AUPU
      WBTH - WHAT = "0,20,19,14" = AUTO			 
				 
			
			

Now "AUTO" is interesting because it is the beginning on the answer to the last question: "autopatch". Writing a quick program called Vigenere.exe to test this proved right. This is Vigenere keybased ROT, the rotation is not a constant value. Instead the ROT value for each letter comes from the key characters.

			
			   
          wbth lal voe htat oy voe wxbirtn vfzbqt wagye C poh aeovsn vojgav ?
        - auto pat cha utop at cha utopatc hautop atcha u top atchau topatc
        = what was the name of the central office where i was almost caught ?
			   
			
			


Answer : "Sunset-Gower"

Acknowledgment: Thanks to Krzysztof Narkowicz and Geoff Salmon for helping finding out about Vigenere cypher.

Edit :I wrote an other C program called Vigenere.exe to speedup the Vigenere key testing process. Here it is. And here are the outputs.



Three: Original sin


Nyrk grjjnfiu uzu Z xzmv kf jvklg re rttflek fe Kyv Rib ?

Solved with CrackKevin.exe ROT16 was a valid candidate:

					
			
            Nyrk grjjnfiu uzu Z xzmv kf jvklg re rttflek fe Kyv Rib ?
            What password did I give to setup an account on The Ark ?
			
			
			

Note : It seems odd chapters are using ROT-X permutation.

Answer : "jelly"



Four: Escape Artist


Flle ujw esc wexp mo xsp kjr hsm hiwwcm, "Wplpll stq lec qma e wzerg mzkk!" ?

According to "Hateyou" from fohguild.org the quotation is for "Search his car for a logic bomb!" (a quote from the chapter). Using Vigenere.exe with key = "jelly":

			
			
          Flle ujw esc wexp mo xsp kjr hsm hiwwcm, "Wplpll stq lec qma e wzerg mzkk!"  ?
        - jell yje lly jell yj ell yje lly jellyj   ellyje lly jel lyj e llyje llyj
        = what was the name of the man who yelled, "search his car for a logic bomb!" ?
			
			
			

"Hateyou"'s intuition was correct. I am impressed by this.

Answer : "Steve Cooley"



Five: All your phone lines belong to me


Bmfy ytbs ini N mnij tzy ns zsynq ymj Ozajsnqj Htzwy qtxy ozwnxinhynts tajw rj ?

Solved with CrackKevin.exe: ROT5

					
			
            Bmfy ytbs ini N mnij tzy ns zsynq ymj Ozajsnqj Htzwy qtxy ozwnxinhynts tajw rj ?
            What town did I hide out in until the Juvenile Court lost jurisdiction over me ?
						
			



Answer : "oroville"



Six: Will hack for love


Kyoo olxi rzr Niyovo Cohjpcx ojy dn T apopsy?

Using Vigenere.exe with key = "oroville":

			
			
             Kyoo olxi rzr Niyovo Cohjpcx ojy dn T apopsy ?
           - orov ille oro villeo roville oro vi l leorov	 
           = what game did sandra lambert ask if i played ?	   
			
			



Answer : "hearts"



Seven: Hitched in Haste


Kvoh wg hvs boas ct hvs Doqwtwq Pszz sadzcmss kvc fsor hvs wbhsfboz asac opcih am voqywbu oqhwjwhwsq cjsf hvs voa forwc?

The 4 "hvs" left no doubt: ROT19 but Solved with CrackKevin.exe anyway ;) !

					
			
     Kvoh wg hvs boas ct hvs Doqwtwq Pszz sadzcmss kvc fsor hvs wbhsfboz asac opcih am voqywbu oqhwjwhwsq cjsf hvs voa forwc?
     WHAT IS THE NAME OF THE PACIFIC BELL EMPLOYEE WHO READ THE INTERNAL MEMO ABOUT MY HACKING ACTIVITIEC OVER THE HAM RADIO
						
			



Answer : "Bill Cook"



Eight: Lex Luthor


Iwh xwqv wpvpj fwr Vfvyj qks wf nzc ncgsoo esg psd gwc ntoqujvr ejs rypz nzfs ?

Using Vigenere.exe with key = "billcook":

			
			
          Iwh xwqv wpvpj fwr Vfvyj qks wf nzc ncgsoo esg psd gwc ntoqujvr ejs rypz nzfs ?
        - bil lcoo kbill coo kbill coo kb ill cookbi llc ook bil lcookbil lco okbi llco
        = how much money did lenny owe me for losing the bet for cracking the door code ?
			
			
			


Answer : "150$"



Nine: The Kevin Mitnick Discount Plan


Hsle td esp epcx qzc dzqehlcp mfcypo zy esp nsta esle Yzglepw dpye xp ?

Again, the double "esp" was quite suspicious: ROT22 still Solved with CrackKevin.exe.

					
			
     Hsle td esp epcx qzc dzqehlcp mfcypo zy esp nsta esle Yzglepw dpye xp ?
     WHAT IS THE TERM FOR SOFTWARE BURNED ON THE CHIP THAT NOVATEL SENT ME ?
						
			


Answer : "firmware"



Ten: Mystery Hacker


Bprf cup esanqneu xmm gtknv amme U biiwy krxheu Iwqt Taied ?

Using Vigenere.exe with key = "firmware":

			
			
             Bprf cup esanqneu xmm gtknv amme U biiwy krxheu Iwqt Taied ?
           - firm war efirmwar efi rmwar efir m waref irmewa refi rmwar
           = what guy answered the phone when i first called eric heinz ?  
			
			


Answer : "Henry Spiegel"



Eleven: Foul play


Lwpi idlc sxs bn upiwtg axkt xc lwtc X bdkts xc lxiw wxb ?

ROT-(-11)

					
			
     Lwpi idlc sxs bn upiwtg axkt xc lwtc X bdkts xc lxiw wxb ?
     WHAT TOWN DID MY FATHER LIVE IN WHEN I MOVED IN WITH HIM
						
			


Answer : "calabasas"



Twelve: You Can Never Hide


Yhlt xak tzg iytfrfad RanBfld squtpm uhst uquwd ce mswf tz wjrwtsr a wioe lhsv Ecid mwnlkoyee bmt oquwdo't ledn mp acomt ?

Using Vigenere.exe with key = "calabasas":

					
			
     Yhlt xak tzg iytfrfad RanBfld squtpm uhst uquwd ce mswf tz wjrwtsr a wioe lhsv Ecid mwnlkoyee bmt oquwdo't ledn mp acomt ?
    -cala bas asc alabasas calabas ascala basa scala ba sasc al abasasc a laba sasc alab asascalab asa scalab a sasc al abasa 
     what was the internal pacbell system that could be used to wiretap a line that eric mentioned but wouldn't tell me about ?
						
			


Answer : "SAS"



Thirteen: The Wiretapper


Zkdw lv wkh qdph ri wkh SL ilup wkdw zdv zluhwdsshg eb Sdflilf Ehoo ?

Solved with CrackKevin.exe (ROT4)

			 
			 
       Zkdw lv wkh qdph ri wkh SL ilup wkdw zdv zluhwdsshg eb Sdflilf Ehoo ?
       what is the name of the pi firm that was wiretapped by pacific bell ?
			
			


Answer : "teltec"



Fourteen: You Tap Me, I Tape You


Plpki ytw eai rtc aaspx M llogw qj wef ms rh xq ?

Using Vigenere.exe with key = "teltec":

					
			
     Plpki ytw eai rtc aaspx M llogw qj wef ms rh xq ?
    -telte cte lte cte ltect e ltect el tec te lt ec  
     where was the pay phone i asked my dad to go to ?
						
			


Answer : "teltec"



Fiteen: "How the Fuck Did You Get That ?"


Ituot oaybmzk ymwqe ftq pqhuoq ftmf Xqiue geqp fa buow gb mzk dmpua eusmxe zqmd Qduo ?

Solved with CrackKevin.exe (ROT21)

			 
			 
       Ituot oaybmzk ymwqe ftq pqhuoq ftmf Xqiue geqp fa buow gb mzk dmpua eusmxe zqmd Qduo ?
       which company makes the device that lewis used to pick up any radio sigals near eric ?
			
			


Answer : "optoelectronics"



Sixteen: Crashing Eric's Private Party


Kwth qzrva rbq lcq rxw Svtg vxcz zm vzs lbfieerl nsem rmh dg ac oef'l cwamu ?

Using Vigenere.exe with key = "optoelectronics":

			
			
             Kwth qzrva rbq lcq rxw Svtg vxcz zm vzs lbfieerl nsem rmh dg ac oef'l cwamu ?
           - opto elect ron ics opt oele ctro ni cso ptoelect roni cso pt oe lec t ronic	 
           = what month and day did eric tell me the wiretaps were put on my dad's lines ? 
			
			



Answer : "January 27"



Seventeen: Pulling Back the Curtain


Epib qa bpm vium wn bpm ixizbumvb kwuxtmf epmzm Q bziksml lwev Mzqk Pmqvh ?

Solved with CrackKevin.exe ROT25 was a valid candidate:

					
			
            Epib qa bpm vium wn bpm ixizbumvb kwuxtmf epmzm Q bziksml lwev Mzqk Pmqvh ?
            what is the name of the apartment complex where i tracked down eric heinz ?
			
			
			


Answer : "oakwood"



Eighteen: Traffic Analysis


Khkp wg wve kyfcqmm yb hvh TBS oeidr trwh Yhb MmCiwus Wko ogvwgxar hr ?

Using Vigenere.exe with key = "oakwood":

			
			
             Khkp wg wve kyfcqmm yb hvh TBS oeidr trwh Yhb MmCiwus Wko ogvwgxar hr ?
           - oakw oo doa kwoodoa kw ood oak woodo akwo odo akwoodo akw oodoakwo od	 
           = what is the acronym of the fbi squad that ken mcguire was assigned to ?
			
			



Answer : "wcc3"



Nineteen: Revelations


Rcvo dn ivhz ja ocz omvinvxodji oj adiy v kzmnji'n njxdvg nzxpmdot iphwzm pndib oczdm ivhz viy yvoz ja wdmoc ?

Solved with CrackKevin.exe ROT12 was a valid candidate:

					
			
            Rcvo dn ivhz ja ocz omvinvxodji oj adiy v kzmnji'n njxdvg nzxpmdot iphwzm pndib oczdm ivhz viy yvoz ja wdmoc ?
            what is name of the transaction to find a person's social security number using their name and date of birth ?
			
			
			


Answer : "alphadent"



Twenty: Reverse String


Wspa wdw gae ypte rj gae dilan lbnsp loeui V tndllrhh gae awvnh "HZO, hzl jaq M uxla nvu" ?

Using Vigenere.exe with key = "alphadent":

			
			
             Wspa wdw gae ypte rj gae dilan lbnsp loeui V tndllrhh gae awvnh "HZO, hzl jaq M uxla nvu" ?
           - alph ade nta lpha de nta lphad ental phade n talphade nta lphad  alp  had ent e ntal pha	 
           = what was the name of the steak house where i answered the phone "dmv, how can i help you" ?
			
			



Answer : "bob burns"



Twenty-One: Cat and Mouse


4A 75 6E 67 20 6A 6E 66 20 62 68 65 20 61 76 70 78 61 6E 7A 72 20 74 76 69 72 61 20 67 62 20 47 72 65 65 6C 20 55 6E 65 71 6C 3F

Those are hexadecimal value encoding a string:

				
				
    char cypher21[] =
    {  0x4A,0x75,0x6E,0x67,0x20,0x6A,0x6E,0x66,0x20,0x62,0x68,0x65,0x20,0x61,
       0x76,0x70,0x78,0x61,0x6E,0x7A,0x72,0x20,0x74,0x76,0x69,0x72,0x61,0x20,
       0x67,0x62,0x20,0x47,0x72,0x65,0x65,0x6C,0x20,0x55,0x6E,0x65,0x71,0x6C,0x3F,
    };


    int main(int argc, char** argv)
    {
        printf("%s\n",cypher21);

        return 1;
    }

    
    Output: "Jung jnf bhe avpxanzr tvira gb Greel Uneql ?"
    
    

Sent "Jung jnf bhe avpxanzr tvira gb Greel Uneql ?" to CrackKevin.exe

					
			
                             Jung jnf bhe avpxanzr tvira gb Greel Uneql ?
    [21]: Candidate (ROT20): what was our nickname given to terry hardy ?
						
			


Answer : "klingon"



Twenty-Two: Detective Work


Gsig cof dsm fkqeoe vnss jo farj tbb epr Csyvd Nnxub mzlr ut grp lne ?

Using Vigenere.exe with key = "klingon":

			
			
             Gsig cof dsm fkqeoe vnss jo farj tbb epr Csyvd Nnxub mzlr ut grp lne ?
           - klin gon kli ngonkl ingo nk ling onk lin gonkl ingon klin go nkl ing	 
           = what was the secret name we used for the wells fargo code of the day ?
			
			



Answer : ""



Twenty-Three: Raided


Fqjc nunlcaxwrl mnerln mrm cqn OKR rwcnwcrxwjuuh kanjt fqnw cqnh bnjalqnm vh jyjacvnwc rw Ljujkjbjb ?

Solved with CrackKevin.exe ROT24 was a valid candidate:

					
			
            Fqjc nunlcaxwrl mnerln mrm cqn OKR rwcnwcrxwjuuh kanjt fqnw cqnh bnjalqnm vh jyjacvnwc rw Ljujkjbjb ?
            what electronic device did the fbi intentionally break when they searched my apartment in calabasas ?
			
			
			


Answer : "boombox"



Twenty-Four: Vanishing Act


Xvof jq qis bmns lg hvq thlss ktffb J cifsok EAJ uojbthwsbhlsg ?

Using Vigenere.exe with key = "boombox":

			
			
             Xvof jq qis bmns lg hvq thlss ktffb J cifsok EAJ uojbthwsbhlsg ?
           - boom bo xbo ombo xb oom boxbo ombox b oombox boo mboxboomboxbo
           = what ic the name of the store where i outran dmv investigators ?
			
			


Answer : "kinko"



Twenty-Five: Harry Houdini


Cngz zuct ngy znk grsg sgzkx lux znk xkgr Kxoi Ckoyy ?

Solved with CrackKevin.exe ROT1 was a valid candidate:

					
			
            Cngz zuct ngy znk grsg sgzkx lux znk xkgr Kxoi Ckoyy ?
            what town has the alma mater for the real eric weiss ?
			
			
			


Answer : ""



Twenty-Six: Private Investigator


Aslx jst rlxi bx ns wgzzcmgw UP jnsh hlrjf nyk TT seq s cojorpdw pssx gxmyeie ao bzy glc ?

Using Vigenere.exe with key = "ensburgell":

			
			
             Aslx jst rlxi bx ns wgzzcmgw UP jnsh hlrjf nyk TT seq s cojorpdw pssx gxmyeie ao bzy glc ?
           - ensb urg elle ns bu rgellens bu rgel lensb urg el len s burgelle nsbu rgellen sb urg ell
           = wftw pbn name of my favorite tv show where the pi had a business card printer in his car ?
			
			

WTF with the bugged beginning of the sentence ?!?!


Answer : ""



Twenty-Seven: Here Comes the Sun


85 102 121 114 32 103 113 32 114 102 99 32 108 121 107 99 32 109 100 32 114 102 99 32 122 109 105 113 114 109 112 99 32 71 32 100 112 99 111 115 99 108 114 99 98 32 103 108 32 66 99 108 116 99 112 63

The string is decimal value for characters:

			
			
    char cypher27[] = {
     85, 102, 121, 114,  32, 103, 113,  32, 114, 102,  99,  32, 108, 121, 107,  99,  32, 109, 100,  32,
    114, 102,  99,  32, 122, 109, 105, 113, 114, 109, 112,  99,  32,  71,  32, 100, 112,  99, 111, 115,
     99, 108, 114,  99,  98,  32, 103, 108,  32,  66,  99, 108, 116,  99, 112,  63};

    int main(int argc, char** argv)
    {
	    printf("%s\n",cypher27);

	    return 1;
    }
			
    Output: "Ufyr gq rfc lykc md rfc zmiqrmpc G dpcosclrcb gl Bcltcp ?"		
			
			

Sent "Ufyr gq rfc lykc md rfc zmiqrmpc G dpcosclrcb gl Bcltcp ?" to CrackKevin.exe

					
			
                            Ufyr gq rfc lykc md rfc zmiqrmpc G dpcosclrcb gl Bcltcp ?
    [27]: Candidate (ROT9): what is the name of the bokstore i frequented in denver ?
						
			



Twenty-Eight: Trophy Hunter


Phtm zvvvkci sw mhx Fmtvr VOX Ycmrt Emki vqimgv vowx hzh L cgf Ecbst ysi ?

Using Vigenere.exe with key = "tatteredcover":

			
			
             Phtm zvvvkci sw mhx Fmtvr VOX Ycmrt Emki vqimgv vowx hzh L cgf Ecbst ysi ?
           - tatt eredcov er tat tered cov ertat tere dcover tatt ere d cov ertat ter
           = what version of the micro tac ultra lite source code did i ask alisa for ?
			
			



Answer : ""



Twenty-Nine: Departure


126 147 172 163 040 166 172 162 040 154 170 040 157 172 162 162 166 156 161 143 040 145 156 161 040 163 147 144 040 115 156 165 144 153 153 040 163 144 161 154 150 155 172 153 040 162 144 161 165 144 161 040 150 155 040 122 172 155 040 111 156 162 144 077

040 is seen very often in this serie and is also very interesting because it is also "space" in octal notation:

			
    char text[] =
    {
	    
    126,147,172,163,               //WHAT ?
    040,
    166,172,162,                   //WAS ?
    040,
    154,170,
    040,
    157,172,162,162,166,156,161,143,
    040,
    145,156,161,
    040,
    163,147,144,
    040,
    115,156,165,144,153,153,
    040,
    163,144,161,154,150,155,172,153,
    040,
    162,144,161,165,144,161,
    040,
    150,155,
    040,
    122,172,155,
    040,
    111,156,162,144,077
    
    }		
			
			
			

So all character are consistently encoded. Let's try to print out the octal value:

			
			
       #include <stdio.h>
			
       char text[] ={
	   0126,0147,0172,0163, 040, 0166,0172,0162, 040, 0154,0170, 040, 0157,\
       0172,0162,0162,0166,0156,0161,0143, 040, 0145,0156,0161, 040, 0163,0147,0144, 040,\
       0115,0156,0165,0144,0153,0153, 040, 0163,0144,0161,0154,0150,0155,0172,0153, 040,\
       0162,0144,0161,0165,0144,0161, 040, 0150,0155, 040, 0122,0172,0155,040,0111,0156,\
       0162,0144,077
       };

       int main(int argc, char** argv)
       {
          printf("%s\n",text);
         return ;
       }
			
       Output: 	Vgzs vzr lx ozrrvnqc enq sgd Mnudkk sdqlhmzk rdqudq hm Rzm Inrd?!	
			

Sending this to CrackKevin.exe -> ROT8

		
		Vgzs vzr lx ozrrvnqc enq sgd Mnudkk sdqlhmzk rdqudq hm Rzm Inrd?
		what was my password for the novell terminal server in san jose?
		
		



Thirty: Blindsided


Ouop lqeg gs zkds ulv V deds zq lus DS urqstsn't wwiaps ?

Using Vigenere.exe with key = "snowbird":

			
			
             Ouop lqeg gs zkds ulv V deds zq lus DS urqstsn't wwiaps ?
           - snow bird sn owbi rds n owbi rd sno wb irdsnow b irdsno
           = what kind of lock did i pick in the hr manager's office ?
			
			



Answer : ""



Thirty-One: Eyes in the Sky


Alex B25 rixasvo hmh M ywi xs xli HQZ qemrjveqi ?

Solved with CrackKevin.exe (ROT3):

					
			
    Alex B25 rixasvo hmh M ywi xs xli HQZ qemrjveqi ?
    what x25 network did i use to the dmv mainframe ?
						
			



Thirty-Two: Sleepless in Seattle


Caem alw Ymek Xptq'd tnwlchvw xz lrv lkkzxv ?

Using Vigenere.exe with key = "gtetelenet":

			
			
             Caem alw Ymek Xptq'd tnwlchvw xz lrv lkkzxv ?
           - gtet ele netg tete l enetgtet el ene tgtete
           = what was lile elam's password to her server ?
			
			



Answer : ""



Thirty-Three: Hacking the Samurai


Ozg ojglw lzw hshwj gf AH Khggxafy lzsl BKR skcww ew stgml ?

Solved with CrackKevin.exe (ROT15):

					
			
    Ozg ojglw lzw hshwj gf AH Khggxafy lzsl BKR skcww ew stgml ?
    who wrote the paper on ip spoofing that jsz askee me about ?
						
			



Thirty-Four: Hiding in the Bible Belt


Nvbx nte hyv bqgs pj gaabv jmjmwdi whd hyv UVT'g Giuxdoc Gctcwd Hvyqbuvz hycoij ?

Using Vigenere.exe with key = "robertmorris":

			
			
             Nvbx nte hyv bqgs pj gaabv jmjmwdi whd hyv UVT'g Giuxdoc Gctcwd Hvyqbuvz hycoij ?
           - robe rtm orr isro be rtmor risrobe rtm orr isr o bertmor risrob ertmorri srober
           = what was the type of phone service for the mdc's federal public defender phones ?
			
			



Answer : ""



Thirty-Five: GameOver


2B 2T W 2X 2Z 26 36 2P 36 2V 3C W 3A 32 39 38 2Z W 3D 33 31 38 2V 36 3D W 2R 2Z W 3E 3C 2V 2X 2Z 2Y W 3E 39 W 2R 32 2V 2E W 2V 3A 2V 3C 3E 37 2X 38 3E W 2X 39 37 3A 36 2Z 2S 1R

Just like in 29, we can notice the repeating W pattern: Could it be space?

			
			
    2B 2T 
    W 
    2X 2Z 26 36 2P 36 2V 3C 
    W 
    3A 32 39 38 2Z 
    W 
    3D 33 31 38 2V 36 3D 
    W 
    2R 2Z 
    W 
    3E 3C 2V 2X 2Z 2Y 
    W 
    3E 39 
    W 
    2R 32 2V 2E 
    W 
    2V 3A 2V 3C 3E 37 2X 38 3E 
    W 
    2X 39 37  3A 36 2Z 2S 1R			
			
			
			

Since this is probably a question this would mean that is starts with IS => 2B=I 2T = S. "ikp" confirmed my intuition: This is base36 encoding. I wrote a tiny program to convert base36 to ASCII:

			
			
			Se ikNrargx vnutk yomtgry ck zxgikj zu cngV gvgxzsitz iusvrkd?
			
			
			

Now sending it to CrackKevin.exe: ROT20 came back positive:

			
			
			My cellular phone signals were traced to what apartment complex?
			
			
			



Thirty-Six: An FBI Valentive


Lsar JSA cryoi ergiu lq wipz tnrs dq dccfunaqi zf oj wqpctkiel dpzpgp I jstcgo cu dy hgq ?

Using Vigenere.exe with key = "playersclub":

			
			
             Lsar JSA cryoi ergiu lq wipz tnrs dq dccfunaqi zf oj wqpctkiel dpzpgp I jstcgo cu dy hgq ?
           - play ers clubp layer sc lubp laye rs clubplaye rs cl ubplayers clubpl a yerscl ub pla ye
           = what fbi agent tried to look into my briefcase in my cpartment before i locked it on him ?
			
			



Answer : ""



Thirty-Seven: Winning the scrapegoat Sweepstakes.


V2hhdCBGQkkgYWdlbnQgYXNrZWQgU3VuIE1pY3Jvc3lzdGVtcyB0byBjbGFpbSB0aGV51Gxvc3QgODAgbWlsbGlvbiBkb2xsYXJzPw==

The "==" at the end is typical of base64 encoding padding:

			
			
    V2hhdCBGQkkgYWdlbnQgYXNrZWQgU3VuIE1pY3Jvc3lzdGVtcyB0byBjbGFpbSB0aGV51Gxvc3QgODAgbWlsbGlvbiBkb2xsYXJzPw==
    What FBI agent asked Sun Microsystems to claim they lost 80 million dollars?
			
			
			



Thirty-Eight: Winning the scrapegoat Sweepstakes.


100-1111-10-0 011-000-1-111 00-0100 1101-10-1110-000-101-11-0-1 0111-110-00-1001-1-101 111-0-11-0101-010-1-101 111-10-0100 11-00-11

			
			
    100-1111-10-0                 //WHAT?
    011-000-1-111                 //WAS ?
    00-0100                       
    1101-10-1110-000-101-11-0-1 
    0111-110-00-1001-1-101 
    111-0-11-0101-010-1-101 
    111-10-0100 
    11-00-11
			
			
			
			

As suggested by "ikp", this is morse code.

			
	.-- .... .- -                  //WHAT 
    -.. --- . ...                  //DOES
    
    -- .-..                        //ML
    ..-. .- ...- --- .-. .. - .    //FAVORITE       
    -... ..- -- .--. . .-.         //BUMPER 
    ... - .. -.-. -.- . .-.        //STICKER 
    ... .- -.--                    //SAY
    .. -- ..                       //? 
    
			
			
			
			

Answer : ""

Recommended readings

Of course read Kevin Mitnik's book. Try to get different perspectives with Tsutomu Shimomura/John Markoff version in "Takedown". Finally read bit about cryptography with "The Code Book" a delicious read!

Comments

 

Fabien Sanglard @2011