May 9, 2012

Cracking Kevin Mitnick's Ghost in The Wire paperback edition

I received yesterday a copy of Ghost In The Wire Paperback edition. Kevin Mitnick seems to have updated all of the challenges found at the beginning of each chapters. Since they are all available on book.google.com preview I don't think it is a big deal to publish and discuss our solutions here.

The codes are much more difficult than the hardcover edition and much more resistant to the cribs/bruteforce method I used last time: The utility CrackKevin.exe was able to crack 50% of the codes from the hardcover edition but only 5% of the paperback editon. Moreverover it seems a stack of obfuscation layers are used: Chapter 14 encryption is:

  1. Remove all spaces.
  2. Reverse string.
  3. Encode with Base64.


Anyway here they are:




    [0 ] `Max vhlm hy max unl wkboxk ingva B nlxw mh ingva fr hpg mktglyxkl`,
    // DECODED (ROT) via crackKevin.exe:
    // the cost of the bus driver punch i used to punch my own transfer
    // Answer: $15


    [1 ] `Estd mzzv esle elfrse xp szh ez ncplep yph topyetetpd hspy T hld l acp-eppy`,
    // DECODED (ROT) via crackKevin.exe:
    // this book that taught me how to coeate new identities when i was a pre-teen
    // Answer: The Paper Trip

    [2 ] `pbzfsobp dkfobtpkx lq pbkfi ppbkfpry aoxtolc iixz lq abpr bobt pbzfsba cl bmvq obail bpbeQ`,
    // DECODED (reverse + ROT)
    // Reverse string: Qebpb liabo qvmb lc absfzbp tbob rpba ql zxii clotxoa yrpfkbpp ifkbp ql xkptbofkd pbosfzbp
    // ROT:            These older type of devices were used to call forward business lines to answering services
    // Answer: "diverters"

    [3 ]  `gsvmznvlugsvnzrmuiznvhrszxpvwzgfhxrmgsvzikzmvgwzbh`,
    // DECODED (Atbash cypher commonly known as "pig latin") by "Kahootbird" and "xenex"
    // gsv mznv lu gsv nzrmuiznvh r szxpvw zg fhx rm gsv zikzmvg wzbh
    // the name of the mainframes i hacked at usc in the arpanet days
    // Q: "I took a course in this subject when I ran from the Juvenile authorities"
    // A: DEC TOPS-20 or DEC 20

    [4 ]  `jbi ujt veo eco ntk iwa lhc eeo anu uir trs hae oni rfn irt toh imi ets shs !eu`,
    // DECODED (by "xenex"): Column Transposition - Key 321.
    // i t o o k a c o u r s e i n t h i s s u : "I took a course in this su"
    // b j e c t w h e n i r a n f r o m t h e : "bject when I ran from the "
    // j u v e n i l e a u t h o r i t i e s ! : "Juvenile authorities      "
    // Q: "I took a course in this subject when I ran from the Juvenile authorities"
    // A: In chapter 5 you will find the answer, which is "Criminal Justice."

    [5 ]  `bmFtZXRoZWNvbXBhbnl3aGVyZWJvbm5pZXdhc2VtcGxveWVkd2hlbndlc3RhcnRlZGRhdGluZw==`,
    // DECODED (remove spaces + Base64)
    // Base64: namethecompanywherebonniewasemployedwhenwestarteddating
    // Add missing spaces:Name the company where bonnie was employed when we started dating
    // Answer: GTE

    [6 ] `multbqncannqenabrhfgacnqogehchetbkkebmsqgkncchebr`,
    // DECODED (by "xenex"): Substitution cipher (Key: GTE, the answer of the previous question)
    // Letter  : ABCDEFGHIJKLMNOPQRSTsUVWXYZ
    // Becomes : GTEABCDFHIJKLMNOPQRSUVWXYZ
    // Decoded: numberofdoorcodesihadforpacificbellcentraloffices
    // Spaces: Number of door codes I had for Pacific Bell central offices
    // Answer: 11

    [7 ] `'siass nuhmil sowsra amnapi waagoc ifinti dscisf iiiesf ahgbao staetn itmlro`,
    // DECODED (Column transposition)
    // 'siass
    // nuhmil
    // sowsra
    // amnapi
    // waagoc
    // ifinti
    // dscisf
    // iiiesf
    // ahgbao
    // staetn
    // itmlro
    // From left to right and bottom up:
    // i said i wasn't this famous magician while being a smart ass top rison officials
    // Answer:  "David Copperfield" (thanks to kahoot :) !).

    [8 ] `tvifafwawehes hsesoonvtlimaeloemtcagmen irnoerrldony`,
    [9 ] `gnkusr ooursnsisti ttnotoihiec rolwaintmlk ovtgp`,
    // Very likely a Vigenere encryption, should try to use vigenere.exe on that

    [10] `ow gw ty kc qb eb nm ht ud pc iy ty ik tu zo dp gl qt hd`,
    // DECODED by Kahootbird (Fairplay cipher) 
    // mybrotheradamlistenedtothistypeofmusic
    // My brother adam listened to this type of music
    // Solved with this tool

    [11] `idniidhsubrseognteiuignuhrzdalrd ietfetinmeablnigorcsnuatoieclei`,
    // DECODED (Column transposition by kahoot)
    // The trick was to add a return carriage after the space:
    // idniidhsubrseognteiuignuhrzdalrd 
    // ietfetinmeablnigorcsnuatoieclei
    // Now read top to bottom and left to right:
    // i identified this number as belonging to eric using unauthorized caller id 
    // Answer: 310-837-5412
    
    [12] `qclgjq'acrjcrlmqnyrcpgursmzyddmbcnngrgmfupceylyk`,

    [13] `c2VuaWxzJ2RhZHltbm9zcGF0ZXJpd2VodHRjZW5ub2NlcmRuYXNlbGVnbmFzb2xvdHlsZm90ZGFob2h3dG5lZ2F5dGlydWNlc2xsZWJjYXBlaHQ=`,
    // DECODED (remove space + inverse + Base64):
    // Base64: senils'dadymnospateriwehttcennocerdnaselegnasolotylfotdahohwtnegaytirucesllebcapeht
    // Reverse: thepacbellsecurityagentwhohadtoflytolosangelesandreconnectthewiretapsonmydad'slines
    // Add missing spaces: the pacbell security agent who had to fly to los angeles and reconnect the wiretaps on my dad's lines
    // Answer: Darrell Santos

    [14] `ud mn cf ub mw re lb is ba of gx ty qc qh il ea ym nx bz ub he cf th is`,
    [15] `7\3|2\9|3\5|4/0/8/2|6\7/0/4\4\5/6/6\5/7/8/9|7\8/7|9\5/9\2\3\5\7/8|2/0/8|2/6|6|2|7\7\7\0\4\9|`,
    [16] `100 0000 10 1 01 001 00 1000 1 010 11 000 0 0000 11 000 00011 10000 11111 11110 11000 00111 10000 11111 10000 11111`,
    // DECODED: This is Morse code but each letter the translation ('1' -> '.', '0' ->'-') is reversed to ('1' -> '-', '0' ->'.')!
    // Unmorsed: WHATNUMBERISTHIS8659221010
    // Added spaces: WHAT NUMBER IS THIS 8659221010
    // Added dashes: WHAT NUMBER IS THIS 865-922-1010
    // It seems for the number the pattern must be changed again:
    // Q: WHAT NUMBER IS THIS 310-477-6565:
    // A: The LA Headquarters of the FBI.

    [17] `6365696a647a727573697775716d6d6e736e69627a74736a6f7969706469737967647163656c6f71776c66646d63656d78626c6879746d796f6d71
         747765686a6a71656d756c70696b6a627965696a71`,
    [18] `hranmoafignwoeoeiettwsoeheneteelaefnbaethscrdniyajspwrl`,
    [19] `yo kb pn oc ox rh oq kb oh kp ge gs yt yt hg sa li mt ob sa po po mk pl md`,
    [20] `77726e6b7668656a77676b6b276c6d6b6274616672656567776c6a7368697a70726f6d79656c`,
    [21] `opoybdpmwoqbcpqcygagpcgxbpusapdluscplchxwoisgyeasdcpopdhadfyaethis`,
    [22] `1001 0111 01 00 0 0 101 011 1111 1110 1011 1111 101 0110 1111 1101 110 010 100 0 0100 11 1011 1011 000 10 101 01`,
        // this is NOT Morse code :( !

    [23] `anhgynnrtfafaqgmbhsuuzkzfbhbfk`,
    [24] `nhyitekmnryoogmwefehocttntoauttosumooalgei`,
    [25] `11 01000 000 111 010 0 011 0010 000 010 11 10 1101 01 01 1 000 1  1111 01 0 011 1   010 1 1000 000 010  01 00 01 01 
          011 00 1101 0010 1 010 1 10 0 001101 110010  001101 110010 001101 100 0000 1 10 101  0 111 0 10 010 0101 0000 11 10 
          001 10 1 011 00 100 1 10 0 00 0 00 1 000`,
        // this is NOT Morse code :( !

    [26] `laeaslarhawpuiolshawzadxijxkjgvvbaxavlowyuuhdsxausmrmbulbegukseq`,
    [27] `qnxpnebielnudqqpbibecua3m'llswhmmhrdzucclsfvqmdunepbkreezkarsnngpkgmscdnkr`,
    [28] `70776d61766374666f2770636d6167797a786977786f78656a7974696465737073786f65696f64706a6f766b636165686573677069637a617886172`,
    [29] `eyiyibemhemijixvpyiocjkxdwwxdazvtkaazrvl`,
    [30] `usygbjmqeauidgttlcflcflgqmfqhyhwurqmbxzoqmnpmjhlneqsctmglahp`,
    [31] `tpdwxjw'viyegmzbecfvpcqtuwdinpfhzvvfadzbkfoevcnseozxffdlvrdo'jwsjkzllzwapfrvhuaqz`,
    [32] `010 1 0001 101 0 111 000 100001 01 101 001 00 111 00 00 1111 000 01 111 1 10 000 0000 1001 000 11 0000 0 111 0 0 
          0101 010 110 111 111 0 1111 1 101 111 1101 110 01 00 010 111 000 0100 111 01 100 00`,
        // this is NOT Morse code :( !

    [33] `eafeihchqqlndcinrarnfhqdvmlqnmcrlphaccqmqefkzhlslnstmqgmma`,
    [34] `ifdmnbbnqitnsobmmmtthdkhqbqzpo"nduqz"zhnemccxhyaninaxanf`,
    [35] `kgqmicewdnfmastcefkxlkqshgrfsspotxuesqvcohxttpcuvhnxawypuwzdt`,
    [36] `0\6\2/7\4/2\4\8\2|8|6|7\0\4\3/2|8/7/3\2/2/5|6/4|8\7\6\6\3\2|3/3\7/4|6/0/3|7/0\6|8|9/4\4/6/5/3|5|0\8\9\7/4|4/4|8\5/3/3|5|8|4/0\5|8/2/`,
    [37] `001101 110010 001101 110010 001101 110010 001101 110010 111 00 011 00 10 110 0000 11 00 1001 110 0100 111 10 11 00 1101 
          1001 0100 10 100 11 01 101 0010 11 101 0010 11 101 011 111 000 100 010 1001 001 1 101 01 010 1010 01 0 1110 10 0111 010 010`
        // this is NOT Morse code :( !



Chapters 16

Chapter 16 was morse code but with alternating translation patter (1 -> '.', 0 ->'-') OR (1 -> '-', 0 ->'.'):


    100 0000 10 1 01 001 00 1000 1 010 11 000 0 0000 11 000 00011 10000 11111 11110 11000 00111 10000 11111 10000 11111
    
    .-- ---- .- . -. --. -- .--- . -.- .. --- - ---- .. --- ---.. .---- ..... ....- ..--- --... .---- ..... .---- .....
    W*AENGMJEKIOT*IO8154271515

    -.. .... -. - .- ..- .. -... - .-. -- ... . .... -- ... ...-- -.... ----- ----. --... ..--- -.... ----- -.... -----
    DHNTAUIBTRMSEHMS3609726060
    
    
    WHATNUMBERISTHIS8659221010

    WHAT NUMBER IS THIS 865-922-1010


This is just a ridiculous encryption pattern...I am not sure I am going to attempt to crack the rest of the code since there is no educational value in pursuing.

Chapters 17, 24, 33 and 36

The hardcover featured a code similar to those and it turned out to be Morse code. I tried to convert those but no dice.
Same thing trying to use CrackKevin.exe on the resulting unmorsed strings.

Overall impression

The codes from the hardcoder edition allowed to learn a lot about difference encoding/encryption but it seems those are more about designing crazy translations (i.e: alternating morse code, reverse on top of base64...)...so the educational aspect of the challenges is much less perspectible here. Since there is a price at the end I can understand why it is done this way but I don't think I will keep on working on them if I am not going to lean anything.

EDIT (June 20, 2012) : After collaborating with a few other cryptanalyst (xenex and Kahootbird) I have to admit there is a real educational value in working on those ie: learning more about "column transposition" and Atbash.

Interesting approach

I have received an email from kahoot:



    Another note of interest,  I made a program to solve vigenere ciphers
    via a word/name based attack of words/names used in the book. I have an
    electronic copy of Ghost In The Wires as well as a hardback.. I
    copy/pasted a chapter into a text file, ran it through the same Bible word
    sorter as on my site to organize every word/name alphabetically and lower
    case, then put it through a vigenere cipher program I made and tested.
    What this effectively done is allowed me to look at the output of about a
    hundred or so words tried from the corrosponding chapter as the problem
    briefly for a solution. I tried it for problems [7] and [9] from chapters
    8 and 10 you'd labelled as "should try vigenere.exe".. no luck.

    I'm attaching the C source file zipped with a few text files you could try
    should you want to verify what I'm saying or try for any of the ciphers or
    just look at the code.

    Sufficed to say problems [7] and [9] you have labelled as "probably
    vigenere" are probably not vigenere. At least not from text from the same
    chapter..

    I know it's not a solution but I hope that's helpful nonetheless..

    kahootbird
    
    

Comments

 

Fabien Sanglard @2012