I applied for a forensic investigator role a while back and, to be honest, the technical questionnaire has completely knocked me for six. I was presented with this table of an encoded/obfuscated command-and-control cmd message and asked to identify the encoding and, if possible, decrypt it.
ASCII                 Hex
`=_9gnq'tnmclpp.      60 3D 5F 39 67 6E 71 27 74 6E 6D 63 6C 70 70 07
`=_9jw`hmaj`..        60 3D 5F 39 6A 77 60 68 6D 61 6A 60 03 07
`=_9`c#pjightt..      60 3D 5F 39 60 63 23 70 6A 69 67 68 74 74 03 07
`=_9w~sb#elhw)jij.    60 3D 5F 39 77 7E 73 62 23 65 6C 68 77 29 6A 69 6A 07
On the left you have the messages shown in ASCII and on the right the hex values.
I think I have obviously applied for a job that is way out of my capability. Is this an easy question for people on here?
People ask you those kinds of questions during an interview to see how you think, more than whether you can solve the problem they put to you.
I'm a little unclear as to the background of the problem you were given, but the first thing I notice is that the first few bytes of each line are the same - this is interesting, and could be an indication that we're dealing with XOR "encryption" with a single static byte - no rolling multi-byte XORing for us to have to deal with here.
If we know (or can make a good guess at) any of the plaintext we can deduce the key used and decrypt the message. From what you said it seems likely that the plaintext starts "c\" - so you might be able to make a little more headway with that info.
I don't think anyone expects candidates to know everything, but obviously the more you know the better. Interviews are just as much an opportunity for you to check out a prospective employer as it is for them to see if you would fit within their team.
Besides what Xennith stated, all the "lines" end in 07h.
There are only 26 unique numbers.
It is not uue, Base64, ROT13, nibble-flipped or EBCDIC.
The first thing I noticed is that it's all 7 bit ASCII. No values over 7F.
Thanks for the replies.
I thought it was C\ for the first few bytes but I couldn't for the life of me figure anything else out.
I wasn't given any other background about the problem just that table and that it was encoded command and control entries.
I would love to know what the commands are and how someone would work it out.
Well you can do it by hand with a calculator - if I'm right then you can XOR the first byte with "C" (case sensitive) to determine the key, then XOR that key with every subsequent byte to get the plaintext.
I've got some Python knocking around somewhere at work to do this stuff, but it's simple enough to do by hand.
Xennith - How did you figure out it was XOR?? Is this just from experience. These are things that would never even come into my mind but something I have now noted to research and understand.
Python also being on that list 😉
gilly_uk, I worked backwards by using
http//
trwmte, that's amazing. How hard would it be to reverse the encoding? I really need to start reading up on this stuff; I just wonder how much I have overlooked when it comes to encoded messages etc.
The text is actually XORed with 03 for "odd" bytes and 07 for "even" bytes.
And no, it is not "C", it is "c".
See the little spreadsheet here
http//
decodes to
c\>dir windows
c\>ipconfig
c\>cd windows
c\>type boot.ini
Seemingly you have to GUESS that the last character is always 0 (WHY?) and that makes for the "even" bytes, then you have to GUESS again that 03 is the other XOR key for the "odd" ones. 😯
In any case, I see it as a rather pointless kind of test for a forensic investigator.
jaclaz
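A worked version of the known-plaintext attack the thread converges on, added here by the editor and not code posted by anyone in the thread. It takes the hex column from the first post, XORs the first line against a crib (a guess at the plaintext prefix), reads the key stream off those positions, and finds its shortest repeating period. With the crib "c:\>" the key stream comes out as 03 07 03 07, so the two-byte key 03 07 falls out without any separate guessing, and the second byte of every line decodes to a colon (the decoded lines quoted above appear to have lost it in transcription). The crib candidates are constructed assumptions; a printable-ASCII check rejects wrong cribs, and among the survivors the shortest key wins, which is how "C:\>" (a 4-byte key) loses to "c:\>" (2 bytes).

```python
from typing import List, Optional, Tuple

# The hex column of the table in the first post, transcribed as bytes.
LINES: List[bytes] = [
    bytes.fromhex("60 3D 5F 39 67 6E 71 27 74 6E 6D 63 6C 70 70 07"),
    bytes.fromhex("60 3D 5F 39 6A 77 60 68 6D 61 6A 60 03 07"),
    bytes.fromhex("60 3D 5F 39 60 63 23 70 6A 69 67 68 74 74 03 07"),
    bytes.fromhex("60 3D 5F 39 77 7E 73 62 23 65 6C 68 77 29 6A 69 6A 07"),
]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a key that repeats every len(key) bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_stream_from_crib(cipher: bytes, crib: bytes) -> bytes:
    """ciphertext XOR known plaintext exposes the key stream at those offsets."""
    return bytes(c ^ p for c, p in zip(cipher, crib))


def shortest_period(stream: bytes) -> int:
    """Smallest p for which the observed key stream repeats every p bytes.
    A crib of n bytes can only confirm periods up to n/2; if nothing shorter
    fits, the whole stream is returned as the (possibly non-repeating) key."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def recover_key(cipher: bytes, crib: bytes) -> bytes:
    stream = key_stream_from_crib(cipher, crib)
    return stream[: shortest_period(stream)]


def looks_like_text(plain: bytes) -> bool:
    """Accept printable 7-bit ASCII plus NUL terminators/padding only."""
    return all(0x20 <= b < 0x7F or b == 0 for b in plain)


def decrypt_with_crib(lines: List[bytes], crib: bytes) -> Optional[Tuple[bytes, List[str]]]:
    """Derive the key from the first line and apply it to every line.
    Returns None if any line fails the plausibility check (wrong crib)."""
    key = recover_key(lines[0], crib)
    texts: List[str] = []
    for line in lines:
        plain = xor_repeating(line, key)
        if not looks_like_text(plain):
            return None
        texts.append(plain.rstrip(b"\x00").decode("ascii"))
    return key, texts


def best_crib(lines: List[bytes], cribs: List[bytes]) -> Optional[Tuple[bytes, bytes, List[str]]]:
    """Try several crib guesses; among those that yield plausible text for
    every line, prefer the one implying the shortest key."""
    best: Optional[Tuple[bytes, bytes, List[str]]] = None
    for crib in cribs:
        result = decrypt_with_crib(lines, crib)
        if result is None:
            continue
        key, texts = result
        if best is None or len(key) < len(best[1]):
            best = (crib, key, texts)
    return best


if __name__ == "__main__":
    # Constructed crib candidates (assumptions, not from the thread): the
    # thread's "c\" guess, an upper-case prompt, and a prompt with the colon.
    found = best_crib(LINES, [b"c\\>", b"C:\\>", b"c:\\>"])
    if found is None:
        print("no crib produced plausible text")
    else:
        crib, key, texts = found
        print("crib:", crib, "key:", key.hex())
        for line, text in zip(LINES, texts):
            print(f"{line.hex(' ')}  ->  {text!r}")
```

Running it prints the key 0307 and the four prompts. The same function works unchanged for any short repeating key, so a longer crib (say, the full first command once one line is known) would also recover a multi-byte rolling key like the one Xennith first ruled out.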