Uncrackable encryption

I was kind of bored in school so I developed my encryption (w00t) :D

It is really complicated and you can't crack it if you don't know the original password.

It is not final version yet, but if you want to see how it looks, click here

<url removed… I will add it later>

It goes through like 30 functions ;)

I removed all the backdoors, trojans and viruses ;) Don't worry :D

Please tell me what do you think. (If you want to flame, don't be hard :|)

When type in "a" it gives me "21D1E13FCF627F36Bk". Do you actually have a way of decrypting "21D1E13FCF627F36Bk" to output "a" again, or is it all one way hashing?

You can't get it back. It is all based on that "a" letter. It is very much uncrackable. I can post the source of the encryption and you still won't be able to crack it because it depends on the original password :D

[edit] It wouldn't be uncrackable if you can turn that hash into "a" [/edit]

So…it's basically useless?

If somebody translates it into PHP, I can make my website with my encryption. No md5, no sha1. My encryption

[edit]and nobody will hack the other accounts passwords. I don't think it is worthless. You can make it for your webmaster and programmers needs[/edit]

Sure. Someone will translate it to PHP, reverse it, and post it back here. lol

lol, nothing is uncrackable. Post your algo here (not in code), I will take a shot at reverse engineering.

Sure. Someone will translate it to PHP, reverse it, and post it back here. lol

Without knowing the password, you can't take advantage of reversing it.

I made it in VB. You can't reverse it because you need to know the original password for that. It totally depends on that. And you can reverse it 20%, but the other terrible 80% is quite impossible. It goes through like 30 functions and each depends on original password.

I'm sort of a vb fan. If you don't plan on keeping it a secret, could I take a look at the vb code. I'll have a crack at converting it, but I mainly just want to see how it works/play around with ways of reversing the process :).

sure I will pm you, but I don't have time to put 'explanations

Just a sec

I am a big VB fan, also… so, I wouldn't mind seeing the code, either. I wouldn't bother reversing it, but I won't lose any sleep if you can't/don't/won't PM me the code.

Back on the topic, your encryption sounds "difficult", but not impossible. Someone could encrypt a phrase with a password they devised, reverse that, and find the actions taken on the password. Then, it's a case of running a brute force on the encryption when any messages are caught using that encryption.

Yeah, sure, it's difficult but, if they did it for PGP ("PGPcrack" - http://www.geocities.com/devilinto/datei/hack/pw.htm), then it could be done for that. After all, the "password" is just a passphrase.

not sure what you could do with this, but all the single letters (a,b,c,…) end in a lowercase k except for c, w, and y. Also most of them are the same length. I think with some time this could be cracked, but good work none the less.

Also, i think it should be encrypt on the button and bottom box rather than decrypt.

bigggnick wrote: not sure what you could do with this, but all the single letters (a,b,c,…) end in a lowercase k except for c, w, and y. Also most of them are the same length. I think with some time this could be cracked, but good work none the less.

Yes, everything ends with "k" because I wanted that. How could anyone recognize what kind of hash is it? It doesn't have lenght limit.

I don't know. "k" sounded good like short letter for "kaksii"… whatever.

So, "k" on the end tells you that it is hash made from my encryption program. ;)

I'd be more worried about 'k' showing where each encrypted letter begins and ends… that would make it easier to crack the variable-length encryption.

moshbat wrote: could you save us the time and tell us the password please :p:D

There is no bloody password. There is no secret. Password is something that you type in the box called 'password'.

About 'k': It would be the same without 'k' and with the 'k'.

without 'k', password 'a' would be 21D1E13FCF627F36B with 'k', password 'a' would be 21D1E13FCF627F36Bk

It is not related to the hash. It doesn't make any influence on the hash. After the hash is created, then the 'k' gets added on the end.

When you try to encrypt a word like "fish" or "ddd" or "woejglaksjdglkamflawkejgadaaaaaa" it won't work. It will only give you a hash for it if it's not the first thing you typed into the program (but the hash isn't really your hash type because it's just a decimal number with no k on the end).

Intentional?

Also, I didn't get much time to look over the code today, I'm about a quarter of the way through (commenting, not reversing).

moshbat wrote: could you save us the time and tell us the password please :p:D

kaksii wrote: There is no bloody password. There is no secret. Password is something that you type in the box called 'password'.

lmao I just got a kick out of that response… it's almost degrading. :D

Mosh, it's not an application challenge… you're not looking for the pass. All it needs is a string, you press the button, and it encrypts it.

About 'k': It would be the same without 'k' and with the 'k'.

without 'k', password 'a' would be 21D1E13FCF627F36B with 'k', password 'a' would be 21D1E13FCF627F36Bk

It is not related to the hash. It doesn't make any influence on the hash. After the hash is created, then the 'k' gets added on the end.

I know it's not part of the hash. However, with a terminating letter, it's easier to see where each hash ends, instead of having a run-on. The run-on hash would be more difficult to reverse… because they could possibly be variable-length hashes.

okay, first of all, i think you mean something different by "uncrackable"…. your's is irreversible, but not uncrackable… if someone knew your code they could crack it with a bruteforce. the best encryption i have seen is single pad encryption that uses a very basic xor to encrypt, the only way that is done uncrackably is using a different password each time to encode it, if someone obtained even 2 or your hashes they could begin to crack them because especially if one of them was their own has being that they would know what became it.

so, yours would be very tough to crack, but not impossible. through enough attempts at it and it will crack it.

Scavix wrote: When you try to encrypt a word like "fish" or "ddd" or "woejglaksjdglkamflawkejgadaaaaaa" it won't work. It will only give you a hash for it if it's not the first thing you typed into the program (but the hash isn't really your hash type because it's just a decimal number with no k on the end).

woejglaksjdglkamflawkejgadaaaaaa = 40302C16k fish = 2211DC1E12D52k ddd = 3C2B3819k

I see here a hex number and my type of hash.

only_samurai wrote: okay, first of all, i think you mean something different by "uncrackable"…. your's is irreversible, but not uncrackable… if someone knew your code they could crack it with a bruteforce. the best encryption i have seen is single pad encryption that uses a very basic xor to encrypt, the only way that is done uncrackably is using a different password each time to encode it, if someone obtained even 2 or your hashes they could begin to crack them because especially if one of them was their own has being that they would know what became it.

so, yours would be very tough to crack, but not impossible. through enough attempts at it and it will crack it.

Well, I don't think that it is completely true. I can send you the code in VB6 if you want. You have to see it by yourself.

And also, yes. Everything can be bruteforced. But if you don't know the source,…

feel free to send me the source. you dont have to know HIS algorithm, you have to know A alogrithm that produces the same output. the NSA has teams of people working round the clock on this shit, throw enough money, time, and people at it and you can find it out.

also, depending on his algorithms you could do mathematical cracking. colissions and such. i have a very hard time believing that an algorithm is uncrackable.

i bet that lady in china or japan or whatever who cracked BOTH the md5 and sha-1 could do it…

lady? really? I didn't know :o

only_samurai I pmed you

http://en.epochtimes.com/news/7-1-11/50336.html

Well, you need to know the whole 30 formulas to crack my enc.

But those chinese people are really making me shatter. :D

goes to make his enc even more complicated :ninja:

Did anyone notice that hash( ab ) = hash( ba ) and similarly hash(abc) = hash(cba) ??

I think it's pretty early to claim that it's uncrackable. ;)

[edit] I'd also like to mention that for the strings of length of (8k) + 4 (k=0,1,2…) there is an error in ur algo cuz it returns a floating point number instead of hex number. thats why it doesn't work for "fish" (length 8(0)+4) and etc.

I found these errors in ur algo in 5 mins, imagine what would happen if someone would really want to get into it. so yeah… your algo still has a long way to go but still good job ;)

WAIT I DIDN'T PATCH IT 100%. I gotta go to the bed. I am tired. I'll patch it tomorrow.

and really thanks for telling me the bug ;)

Uh..there is still that 123 = 321 bug and it's worse than i thought cuz it doesn't work for these lengths : 3 4 12 17 20 25 28 29 35 … not an obvious pattern [edit] Oh MAN What is this ?? lool the lengths i said earlier are valid only for "a"s. I think you made it too complicated that your kinda lost in ur own code now.

dog and god gives me the same hash = 2A955272k

GreyFox wrote: [edit] Oh MAN What is this ?? lool the lengths i said earlier are valid only for "a"s. I think you made it too complicated that your kinda lost in ur own code now.

IceCube wrote: dog and god gives me the same hash = 2A955272k

I think it is patched now. Try it.

[]edit: I just discovered some new bug[]

lol

Ok. It is patched now. But there are some people that type 'fish' and get some error.

Can everybody just type 'fish' and tell me do they get an error?

It works fine for me.

when i type anything in it says "Run-time error: '13' Type mismatch" why is that? end3r

Yeah, thats the error I got on the new patched version (happened no matter what I typed in, unless I left it blank)

But since I was one of the fish error ppl I just ignored it. Maybe you need to go back the last version kaksii and just add the * 100 thing. Also I noticed that you still have a message box in there somewhere.

Ok. Here is the latest version of my encryption.

I tryied 'fish' and it works for me. Can anyone try 'fish'?

I get the Runtime errors Overlow and Type mismatch for any input.

me too :D

No worries. I forgot to do something. Sorry.

Try now. I think it is bug-free now.

Haha. Nobody can crack it now :D

Come on. I gotta know is this final version.

I was able to hash a few single characters, but everything else gives me type mismatch.

799AB2DEFE2311E738E118k = kaksii

E476022131434460C3D1D48A2F2A7115257243E402A1514281559k = Scavix

10585B827185CB290E295C11511Ck = Scavix422384

1063413E2C51342DA445B245FE3D10k = floobman mc doodle

works for me. Check the latest version

Using the one five posts above this one:

kaksii = type mismatch

Scavix = E476022131434460C3D1D48A2F2A7115257243E402A1514281559k

Scavix422384 = type mismatch

floobman mc doodle = type mismatch

It is really starting to piss me out.

Can you please download the program again?

Yes, I just re-downloaded that newest version and got the errors. Then I got someone else to give me a second opinion on their computer. They also got the same type mismatch errors.

hmm. Why does it works for my computer and my laptop…

Different VB runtimes maybe (not likely but still possible)

does it works for you?

I can encrypt 1 character strings, but anything more than that gives me the

Run-time error '13':

Type mismatch

However, 'dog' works, and so does 'moo', but not 'rah'. That gives me the type mismatch, but it puts a floating-point number in the output box first. (Well, the first time it did, but not any more O.o)

I have DOT.NET runtime (just like one that is needed to be installed on your comp for app11)

Your enc is coded in VB6, which dosen't use .NET framework. There's a seperate VB runtime for VB6 (you must have it already, otherwise your app wouldn't run, but try downloading the VB6 runtime files from MS).

Well I already got the newest .net framework so that I could use turbo delphi (and app 11 works fine) so I doubt thats the problem in this case.

mastergamer wrote: Your enc is coded in VB6, which dosen't use .NET framework. There's a seperate VB runtime for VB6 (you must have it already, otherwise your app wouldn't run, but try downloading the VB6 runtime files from MS).

Can you give me the link for that?

VB6 Runtime files

Well, I installed that, but I don't get any errors.

But I found something in the source code that might be cause of those decimal numbers.

I think it is patched now. It worked for some dude on IRC.

Try it please and tell me.

SsAgEnT wrote: crap thing like this: s trh tr u raiuoagra a rgiure ggaruguarg ur ur ug i get runtime 13 error

I am not sure, but it is kind of long. I should make password limit.

And it works for me :ninja:

s trh tr u raiuoagra a rgiure ggaruguarg ur ur ug= 903A416926E792E71E22651E33D2FA68106E0CA15619152k

Did you try 'fish' or 'floobman mc doodle'

SsAgEnT wrote: god work good

ROFL!

SsAgEnT wrote: god work good

Yes indeed after all, he is God

Anyway, mozzer does it work for you?

Haven't had a look at it yet. Been kinda busy.

latest version yields this: kaksii - 16251E512C601161164C162925142A2AB173BB3F4D263D3D1C2C36192ACk Scavix - 649A12586C3C8CD7213A12014A15217FCA19182D612EDE13A1F41461D9F2F6k Scavix422384 - 1A4392C2927E1671B3F3123513917151A142A561917502F17353117162E3D2E26516323162Bk floobman mc doodle - 168D014635F20A28B2BDD5C93541F623E23317532425A232FE3C211k

bbbbbbbbbbbbbbbbbbbbbbbb - runtime error

atrcomb wrote: bbbbbbbbbbbbbbbbbbbbbbbb - runtime error

Dammit. I get

1E3E71D3D3E151642F3DB1829621A134154081652222F514Ck

Send me the code, I have a few ideas as to why your problems are occurring.

T-Metal I think I patched it now. Thanks for the offer (If I see more errors that I can't patch, I will ask you:)

I discovered some stupid hole in the source that may cause the overflow errors.

I think it is patched now.

Tell me. I gotta know

k now

bbbbbbbbbbbbbbbbbbbbbbbb - 6E1E1134A91301041D0F71EEE61ECD11E6DB19410A1F4EF19426A1BA35k

w00t. I am so happy. Can anyone else try it?

Cool, but can you please edit your post because thread is getting ugly ;)

Works fine for me too, good job man :)

Thanks dude. I appreciate it. I just need to do the 'things on code

And the translating in PHP will start. B)

Whats up now? Nobody can't find any bug? :happy:

It worked fine for me with a 200 char password :)

good job, now I think that it is very unlikely for it to break on any input. I tried it with a couple of thousand different inputs including all the 255 ascii chars up to the length 200 and it didn't break ;) now you should be worrying about collisions :happy:

Collisions yeah :|

Can you please check again. I added one extra line to the code, so nobody knows the latest source.

Please check

It would be kinda difficult to eliminate collisions after making the algorithm. Wouldnt it be wiser to design an algorithm to be collision-free?

@kaksii - would you be overly upset if I wrote a bruteforcer in MASM?

Just a proof of concept…. be a good reversing exercise. Having said that, I'm a little short of time right now so it may not happen for a few weeks.

I'll work from the latest .exe in this thread.

I am begging you to do that.

But you should know that it will be translated in php, there will be no use in bruteforcing it.

And also, you can bruteforce it, but it is not what people want.

People want solution how to crack the hash. Not to bruteforce it.

But you can try. Good luck ;)

The whole point of a hash is that it cannot be reversed (as yours cannot).

The only method of attack (apart from full cryptanalysis) is to bruteforce it (or use pre determined rainbow tables).

I'll code the brute forcer at some point….. seeing as you only use basic string manipulation it should be reasonably quick to brute a key length 0-6 or 7. It wont be optimised but it will give a solution.

I'll update when I get some free time and work gets less hectic.

You won't be able to bruteforce it in php

if theres nothing to stop repeated requests then yes he could. and i could too. and i wll

richohealey wrote: if theres nothing to stop repeated requests then yes he could. and i could too. and i wll

I hope you won't

I'll make something to stop bruteforcing ;)

you can't stop bruteforcing. Sure, use a chain-block method. Still is bruteforcable. You can just make it take so long to bruteforce that the sun will be gone by the time you decrypted it with current methods available.

For example.

I have website with my encryption system.

Dude wants to bruteforce the login box.

I put limit on 10 allowed wrong passwords and after that, dude is not able to login for 5 mins.

It is still bruteforceable, but dude will have to wait for about 10 years to crack it.

What do you think now?

too easy, i set my script up to change proxies evey 10 tries. so my IP changes, and the block is effectively lifted.

ZING!

You'd still need a lot of working proxies though

richohealey wrote: too easy, i set my script up to change proxies evey 10 tries. so my IP changes, and the block is effectively lifted.

ZING!

Nice zing. :happy:

A better alternative might be to lock the account after a number of failed attempts for a particular user account, not an IP.

mastergamer wrote: You'd still need a lot of working proxies though

They'd just need to be tested as working first, but…

http://www.multiproxy.org/anon_proxy.htm

Yeah, what i was thinking, but he said:

not able to login for 5 mins

which makes me think you have to sign up to the website and login. In which case the ban would be on your account + ip. If so, you'd have to create several different accounts and then send the data to login, then bruteforce it. After 9 (assuming lockout is on 10) tries logout, change proxy, and re-login with someone else and continue to bruteforce that way. In which case you could keep circulating between registered users until kaksii figures out what is going on. Depending on how he set up the user tracking.

Or just get a member list and run multiple copies of the program simultaneously, effectively DOS'ing the entire community. :D

anyone of them would work. so i'll probably do most of them :D

I didn't mean to ban that account if he had 10 wrong attemps. It would be disaster.

But I have some ideas about protecting it from bruteforcing.

Actually, lots of ideas.

They aren't related to ip adress.

And I have to keep my mouth shutted.

…Besides

I made encryption system. Not some protection against cracking. You need to tell me how my encryption is. Not how you will bruteforce the login box, because some other people will be thinking about protecting the login box. It isn't related to my encryption. It is related to hacking a website. It has nothing to do with the encryption system.

The other point worth noting is that you're assuming that the source is completely secure.

All it takes is for someone to get a hold of the source (how is irrelevant for the purposes of the post) and a list of hashed passes. They then code a bruteforcer (if they're like me, in ASM) and let it go.

I'll start working on my forcer this week. I'm guessing it should recover a 4 letter pass in a fraction of a second ('fish' :) )

Nobody knows the latest source. And of yourse you can make bruteforcer. Same thing goes with SHA, MD5 and others. But you don't know the latest source. And I am about to add some more functions to the code, so it will be hard to crack the algorithm.

Started working on the brute forcer about 10 mins ago (Richo's encryptions took most of my free time this week). Might get more time over the weekend but not sure.

Will post it when done.

Started working on the brute forcer about 10 mins ago (Richo's encryptions took most of my free time this week). Might get more time over the weekend but not sure.

Will post it when done.

A good way to defeat internet brute force or DOS attacks is by making the attacking computer do something really hard (mathmatically) for each request. Normal users wouldn't much notice the delay, since they're not pounding out 100s of requests. But an attacking machine would be hard pressed to complete the tasks fast enough,

A neat way to implement this would be with an md5 hash. If your server hashes a psuedorandom 4 digit code and you require users to brute force it for every password attempt they make, anybody making sick amounts of attempts might be overwhelmed.

And.. this brings us back to the original topic. You hash (for it is not a form of encryption) seems overly complicated. I understand that the bugs have been fixed, but is it collision free? Does entering ab provide the same hash as ba? If so, that's gonna narrow down the number of passwords a skilled attacker must go through for a sucessful attack. ie. If my password is ragic and somebody guesses cigar, it seems to me that your system will let them in.

digitalchameleon wrote: And.. this brings us back to the original topic. You hash (for it is not a form of encryption) seems overly complicated. I understand that the bugs have been fixed, but is it collision free? Does entering ab provide the same hash as ba? If so, that's gonna narrow down the number of passwords a skilled attacker must go through for a sucessful attack. ie. If my password is ragic and somebody guesses cigar, it seems to me that your system will let them in.

cigar=16334A154A51521714D122A531B437105101C1523k ragic=2EF1062061A73DE1443C11C31F73315826E21D21k

ab=262E3D28C47CF524A11248A47A10485417351513k ba=B4E88834D2B49626F1B912BC0k

They don't look same to me. :whoa:

I'm glad to hear that the reverse string collision has been fixed. Making a working and secure hash must be very hard. I wouldn't even know where to start.

My prediction is that your 'hash' will remain secure as long as nobody puts in the time and effort to reverse engineer your algorithm.

md5 is considred a moderately secure one way hash…. No. Md5 is considered a one way hash at all because even though millions of people, thousands of respected mathematicians know how the algorithm works, none of them have been able to reverse it directly, we can only hash thousands of words and hope one of them matches.

If you want anybody to be able take a serious look at the security of your hash, you need to release the source, or at least the algorithm.

If you plan on using this on an actual site, maybe security through obscurity is what you need though. Still any attacker skilled enough to get the password file would probably get the source for the php hasher too.

Anyway, good luck. :)

Look. It seems that you haven't read the whole forum thread. It is one way hash. You can't do reversing.

And as for security, the other people will find some way to make bruteforcing less possible.

Look. It seems that you haven't read the whole forum thread. It is one way hash. You can't do reversing.

And as for security, the other people will find some way to make bruteforcing less possible.

sighs

>>You can't do reversing. I wasn't saying you could. I mentioned reverse engineering, but that's not the same. And I said that I doubted it's security, but that's because it's mostly unproven.

I also mentioned the bit about 'reverse string collisions' but I think everybody else here understood. The whole 'ab'='ba' thing that greyfox reported. Just wanted to know if it was still happening, without downloading the exe.

Anyway you said earlier >>Well, you need to know the whole 30 formulas to crack my enc. and I don't doubt that that's true. What I'm saying is that anybody involved in crypto will tell you that for a serious one way hash, that type of 'security through obscurity' is woefully inadequate.

Without analyzing your algorithm there's no way to know if it's secure, nevermind uncrackable. Even if somebody manages to do something here without you releasing the source, it's only because they reverse engineered your algorithm from the exe.

I'm sure somebody here who is very skilled in ASM is already working out an algorithm. Am I right?

Anyway, best of luck.

DC

What surprises me most is that the person claiming an unbreakable encryption is ranked "God" here…

You'd think he'd realise that the only way to be sure that an encryption is to show people exactly how it works and let them try break it… You can't claim something is unbreakable just by not releasing source, and if it ever got popular you wouldn't need to release source, people would just disassemble

Happysmileman wrote: What surprises me most is that the person claiming an unbreakable encryption is ranked "God" here…

You'd think he'd realise that the only way to be sure that an encryption is to show people exactly how it works and let them try break it… You can't claim something is unbreakable just by not releasing source, and if it ever got popular you wouldn't need to release source, people would just disassemble

You see, I gave source to 10 people I trust here. They said what are the bugs and I fixed it. Fatal_Pride is doing some asm bruteforcing.

So, don't think I am 'God' who didn't do things you just said. Of course I tested it. And nobody said it is bad made. I patched everything they noticed.

Don't judge the unknown

Ok.. pretty much done.

Been going through the exe and writing some asm to bruteforce a key. This is obviously taking a while as VB being the bloated load of crap it is has compiled this to a few thousand lines of code - the asm should be a fraction of this. Okay so I have a lot of experience reversing code, but it was still a nice reversing exercise.

Having taken a detailed look at this (there are obviously some educated opions about this above) I'll try and give some insight.

Its certainly not 'uncrackable', but that depends on your definition of uncrackable. I agree it absolutely not reversible to the initial string, but its not beyond bruteforcing by any means.

However, that would require the attacker to have the source. Given an exe as we have here, reversing it is trivial and just takes time (kaksii isn't joking when he talks about 30+ operations/loops). However, the actual operations are very simple ones and reversing them is very easy. They are basic string/hex/mathematical operations which means that my asm bruteforcer should be quite quick to give me a key. Obviosuly though, this is subject to users using the basic 'strong password' rules though.

One major claim to strength on this one is that no-one knows the latest code (there is no exe etc). Fair enough, but it still means that you would need to keep the source safe. Implementing it in python/php (is that still happening?) is fine but means that there is always the possibility that the source will be compromised. A basic attack disclosing source would be all the attacker needs to build a bruteforcer and it would be much simpler than trawling through VB code.

Work is busy right now, but I'll post my code when its finished. None of the code is optinised (it becomes aparant going through the code that a number of the loops/operations could be combined to save time - I've not bothered as this is just prove of concept).

Any luck figuring out what the algorithm is? Does it include any likely one way functions? http://en.wikipedia.org/wiki/One_way_function I have no experience with ASM, but I'd love to take a shot at it. Fatal Pride, you mentioned 'I agree it absolutely not reversible to the initial string'…'However, the actual operations are very simple ones and reversing them is very easy.' So without the source it's not possible to reverse, but if you understand the algorithm, you could?

Kaksii: The more you let people know about this, the more secure it will be in the end. :)

FaTaL_PrIdE wrote:

Its certainly not 'uncrackable', but that depends on your definition of uncrackable. I agree it absolutely not reversible to the initial string, but its not beyond bruteforcing by any means.

Hey. I just got an idea for my website to keep the bruteforcing the login box impossible.

-CAPTCHA

digitalchameleon wrote: So without the source it's not possible to reverse, but if you understand the algorithm, you could?

Look. He said that it isn't reversable at all.

If you reverse the code (I can give you the source), you will get loads of errors because it is one way-hash.

Yes, the mathematical operations are really simple, BUT it is going through like 30 functions, so you can't crack it in 5 mins.

You can't reverse it even if you know the algorithm.

And, of course it will be more secure if we share the knowledge. I don't mind that ;)

And finally… Thanks Fatal_Pride for helping to improve the encryption. Thanks everybody.

Can I have the source? It's been a while since I've worked in VB, but I'd like to have it. If you want, you can pm it to me, but if it's not too large, you can just send it to [mail]digitalchameleon@gmail[/mail] Thanks in advance.

I'd like to see the code ported to C/C++ and then checked for performance time and stuff

Why not post the full source in the code bank? It would be great to see an open-source-one-way-hash algo here on HBH, that actually works.

Just wanted some clarification, because

FaTaL_PrIdE also wrote: However, the actual operations are very simple ones and reversing them is very easy. They are basic string/hex/mathematical operations …

spyware wrote: Why not post the full source in the code bank? It would be great to see an open-source-one-way-hash algo here on HBH, that actually works.

lol. I will think about it.

[thinking] … [/thinking]

Ok. I decided to make just simple 6 functions one-way-hash for code bank that actually works. Just for people that wanna learn. ;)

I really don't wanna mess up my own encryption because I am having plans and I want it to be secret. B)

Digitalchameleon. I will PM you :)

digitalchameleon wrote: Just wanted some clarification, because

[quote]FaTaL_PrIdE also wrote: However, the actual operations are very simple ones and reversing them is very easy. They are basic string/hex/mathematical operations …

Edit:

FaTaL_PrIdE also said: I agree it absolutely not reversible to the initial string, but its not beyond bruteforcing by any means.

He didn't say that you can reverse it to get password. He just said how math functions are simple ;)

Why you just can't believe?

It's nothing against you, but saying that something is uncrackable is quite an extraordinary claim. Extraordinary claims requires extraordinary evidence. (somebody said that)

Not all math functions are easy to reverse. For example, if I take two prime numbers, say 7 and 13, and multiply them using my calculator, I get 91 quite easily. But, for you to be given the number 91, and told to reverse the process (factor it into two prime numbers) it's a bit more difficult. You have to factor 91, then find out which of the factors are prime. Now imagine if, instead of 13 and 7, I used very very large prime numbers. Sure it gets hard for me, but it gets way harder for you to reverse it. This is just one example of a one way function. Here are some more. http://en.wikipedia.org/wiki/One-way_function

Cheers. I look forward to the message.

This thread is getting quite popular :)

Proggie still on its way. I'll post the algo source code to if anyone wants it. Work is just hectic at the moment though and so I'm not getting anytime to finish it off (plus I have a family to look after when I get home).

I think people are under the impression that kaksii is claiming some revolutionary new hash. I don't think he is, he's just climing that this one is long and would take some time to bruteforce. The operations are just things like (psudo code):

for i = 1 to end of string { result = result & (hex value of string[i] * 3) }

Ok, most are more complex than than, but you get the idea.

A hash can be something as simple as adding up all the ascii values of the chars in a string. Its simple, but its a hash. There would be collisions, but its not directly reversible to the initial string.

I'm not sure if there are collisions in kaksii's. On the one hand the hash is not fixed length and seems quite unique to a string. On the other, some of the operations are simple and the resulting numbers small so small that its possible/likely that there would be clashes. I've not spent anytime analysing…… it takes long enough to reverse thousands of lines of compiled VB.

FaTaL_PrIdE wrote: … Proggie still on its way. I'll post the algo source code to if anyone wants it. …

I would love to have some pseudo code to work with. :D

FaTaL_PrIdE wrote:

I think people are under the impression that kaksii is claiming some revolutionary new hash. I don't think he is, he's just climing that this one is long and would take some time to bruteforce. The operations are just things like (psudo code):

….

I'm not sure if there are collisions in kaksii's. On the one hand the hash is not fixed length and seems quite unique to a string. On the other, some of the operations are simple and the resulting numbers small so small that its possible/likely that there would be clashes. I've not spent anytime analysing…… it takes long enough to reverse thousands of lines of compiled VB.

I am really not claiming some revolutionary hash. It seems that only Fatal_Pride understands what I am trying to say. I am just trying to make some more secure hash since md5 and sha1 are cracked. (It won't be that much popular lol) But if you have some webiste and you wanna little better security and something different, new (unknown) kind of hash (that is not md or sha) would be great for security because it would be still not explored.

You mentioned clashes. hmm… I am really not sure that there are errors in the algorithm. (I might be wrong.) But as you can see in the source code, I didn't put 'On error resume next', so there are no mismatch errors that are skipped. Maybe I should write for example some password on paper 'pass123' and do the algorithm manually. (I don't have that much time. It would take some time), but I will. And if I see any mistake in the code, I will fix it. It is still not final version. But still, I don't think that there are any clashes :ninja:

can u pm me 2 with the VB code? tnx

Diassemble the exe… its all there :)

digitalchameleon wrote: It's nothing against you, but saying that something is uncrackable is quite an extraordinary claim. Extraordinary claims requires extraordinary evidence. (somebody said that)

-Carl Sagan

And the open source thingy. How can you mess up your encryption if it's uncrackable. The source code of MD5 for example is known too. I don't see how this compromises the security of your algorithem.

spyware wrote: And the open source thingy. How can you mess up your encryption if it's uncrackable. The source code of MD5 for example is known too. I don't see how this compromises the security of your algorithem.

Because I don't like bruteforcing.

Cheers to Fatal_Pride

LOL! You can't stop bruteforcing anyway. Bruteforcing is ALWAYS possible, you only can make it take so long (I'm talking millions of years) that it's useless.

spyware wrote: I don't see how this compromises the security of your algorithem.

It doesn't. But I think he is working on the idea that if he implements it in his site, it's even more secure if no-one knows the algorithm.

I agree that if we were to rip it to shreds and do a full analysis, posting the source is the way forward. As he's only going to use it himself, it seems perfectly sensible to keep the source private.

Yeh, didn't knew he was using it for private use. In what language is the script currently written anyway?

[EDIT] Just read back. It's not a weblanguage? Will you port the whole code to PHP or something? How are you going to use it in combination with your website in it's current form? [/EDIT]

Well, I did it in gay vb. (Do not flame. I know the whole story)

Look. I don't think this encryption will become popular, so I don't think I will post the code.

And, the bruteforcing will be tougher on my site because I have some plan. If I type wrong password for some user, then next try will be vith CAPTCHA verification. As long the password is wrong, captcha will be there. Once he types the correct password, captcha is removed. And if he fails 10 times again, then the captcha appears again.

What do you think about this?

[]edit: Yes, it will be translated. Well, I'll found some way to implement it in my site and it will be same like every other site just with my encryption. (no md5 or sha1)

Ok… I've finished everything… just got to find a bug. For some reason it generates some strings correctly, but not others.

Pain in the arse.

Gotta say, since I've seen the source I've become more convinced of this systems security. Collisions seem likely, but reversing it, I don't know. Not all functions are simple math, and there are operations here that I don't know how to reverse.

Nothing is uncrackable, and nothing ever will be. But if I was an attacker, who managed to access kaksii site, password file and his source, the custom encryption would definately slow me down and frustrate me. I'd probably just move on looking for something easier.

Joke: Two birdwatchers are in the jungle. The couch potato asks the athlete: What will you do if we encounter a tiger? The athlete answers: Run away as fast as I can. The couch potato replies: But you can't outrun a tiger! to which the athlete responds: I don't have to outrun the tiger, I only have to outrun you!

You don't have to be the most secure site ever. Just more secure than equally tempting targets.

If you really want some security, use your hash to produce an output, and then feed the output through a well known hash, like sha256. An attacker wouldn't be able to use wordlists to attack the sha256, since there are no words in your program's output. And even if he did a brute force attack against sha256 (which is insane) he'd still have to brute force your hash too.

The sheer chaos of this code is frightening. Still, there are some really neat idea's in here, and I must confess, I'm impressed.

Keep up the good work kaksii. I'd try testing this hash for collisions next. I assume you're limiting password length to a reasonable number. That should eliminate many collisions.

digitalchameleon wrote: Gotta say, since I've seen the source I've become more convinced of this systems security. Collisions seem likely, but reversing it, I don't know. Not all functions are simple math, and there are operations here that I don't know how to reverse.

If you really want some security, use your hash to produce an output, and then feed the output through a well known hash, like sha256. An attacker wouldn't be able to use wordlists to attack the sha256, since there are no words in your program's output. And even if he did a brute force attack against sha256 (which is insane) he'd still have to brute force your hash too.

The sheer chaos of this code is frightening. Still, there are some really neat idea's in here, and I must confess, I'm impressed.

Keep up the good work kaksii. I'd try testing this hash for collisions next. I assume you're limiting password length to a reasonable number. That should eliminate many collisions.

I am really not sure about collisions. I really don't think I will find any hashes that are same. I might be wrong, but chance I will get same hashed for different password is 1:(I think big number).

sha256… I really wanna make my own encryption without stealing any already invented form of encryption. Yes, I think it would be insane encryption if I mix it. But, insane encryption is also md5 password encrypted with sha1.

'The sheer chaos of this code is frightening' hmm. I don't know what are you trying to say.

Yes, there will be password limit. 6-20. I think that is fine. it can be even 6-30.

What do you think?

what is the point in a one way encryption

djdotti wrote: what is the point in a one way encryption

Read digitalchameleon's article

djdotti wrote: what is the point in a one way encryption

like storing passwords you dont want to be able to unencrypt it (unlike messages and communication encryption) but you do want to be able to check if to things are the same. Website db's often get leaked through hacking and rogue admins etc. But what use is that if you cant get the guys password.

yes. Now let's continue the thread. ;)

Okay…. I'm done. My bug was a stupid one - I was soing a "sub al, bl" rather than "sub eax, ebx". School girl error - meant that when bl>al, ah wasn't getting updated as it needed to be. Sorted now though.

There is still something wrong as it does not match all strings, but I don't have time to continue debugging - this serves the purpose.

[digitalChameleon wrote somewhere and I forgot to quote]: The sheer chaos of this code is frightening. Still, there are some really neat idea's in here, and I must confess, I'm impressed.

The 'chaos' is probably one of the strongest things going for this. In the compiled VB, there are over 25,000 lines of code. It has taken me a 'little while' to reverse this one :) My MASM code to generate a serial is about 600 lines which is massive - easily the largest routine I've ever keygenned/breuteforced. :ninja:

Some notes: The bruteforcer I am uploading is for an older .exe as kaksii would prefer the later one was kept to myself. I have analysed it though and will summarise below.

http://rapidshare.com/files/30505930/kaksii_Bruteforcer.rar Pass: "hbh"

In there you will find 3 files. The bruteforcer is for "kaksii encryption.exe" and NOT the "kaksii encryption NEW.exe". Its just a slightly older one with a few routines missed out.

So, my thoughts on the non new one: There are a LOT of collisions. Some of these were highlighted and have been fixed. Put something like "frog" into the encrypter and you'll get "18149A73502447444F183C191C21245523173CC5235195331162A1C293E14k". Put that into the bruteforcer and you'll get bored clicking 'OK' past all the matches. There are hundreds.

In kaksii's NEW .exe, there are less, but are still quite a large number. For example: wtaa - mila - zsba - 8C94BC82BEB410CD9A078124CB11912k udul - lezl - 10410F15C6D88BE3A119FDA210D1492A18EFA7012B158C0k

Those are only the first ones I hit in about 2 seconds. There will be LOTS more matches for those strings and other strings.

Theoretically, if I managed to compromise the code though, I wouldn't bother coding the bruteforcer as above. It just wouldn't be worth it. As DC (i think it wa DC) said above, its not worth the effort and you'd go on to find an easier target. Either that or I'd attempt to BF the login panel but if you restrict attempts then you'd probably get away with it.

To be honest, I think that your greatest strength is also you greatest weakness - there are soooo many operations that numbers converge in places which causes collisions. To improve it, I'd kill some of the repetetive maths loops and add some binary operations. Add some OR/AND/XOR/ROL/ROR/RSH etc. Not sure how much is possible in VB though as I've never used it.

There are some nice ideas, but I think you need to do a bit more work :)

That was fun… enjoyed the challenge. Reckon I should get about a gazillion points for reversing 25k lines of VB though ;)

O shit. collisions :ninja:

I will be right back kills those evil collisions with some lines of code

Die you bastarized collisions :ninja:

I will analyse every single line of the code. Yes. I will remove few things.

i feel bad for you kaksii, all that work but you have to go through the very hard task of removing collisions without restarting your entire code. GL!

Don't feel bad. I removed/changed 70% of the part that may be collision source. It is almost done. :happy:

Thanks

STATUS:Done with the code. Collision testing (bruteforcing etc.)

kaksii wrote: Don't feel bad. I removed/changed 70% of the part that may be collision source. It is almost done. :happy:

Thanks

STATUS:Done with the code. Collision testing (bruteforcing etc.)

congrats

Yea. Thanks. It was rough, but I think I managed.

You couldn't possibly have tested for collisions in 5 hours… they're still unsure if SHA1 and MD5 have collisions

Happysmileman wrote: You couldn't possibly have tested for collisions in 5 hours… they're still unsure if SHA1 and MD5 have collisions

Well, I just tried some things like the Fatal_Pride's bruteforcer says. You can't call it REAL testing, but it was enough for me because I changed the 30% of the code (risky lines are modified/removed). And the hash looks cooler now. Check:

a = 2972f2bafe10912a1a91721cb1c220821a20f27a28e2e2b1K b = 9526d1a11be1561c195533b01581f83a718111415a35917e16K kaksii = 18311d2a1a424254b1e27382031112a5c26124b9565247c1174715291751241517333913b5b44154c47552a54832a05c16172eK

The letters are lower case, and the 'K' is upper case.

I hope that's it.

The lengths dependent on the input length? If so two problems, it may give a clue to the plain text, or even if it doesn't logistically you want to know how long your hash's are, it makes them easier to check, set max lengths in SQL fields. E.T.C.

can someone please send me the source code? I'm interested in this uncrackable encryption algorithm.

wolfmankurd wrote: The lengths dependent on the input length? If so two problems, it may give a clue to the plain text, or even if it doesn't logistically you want to know how long your hash's are, it makes them easier to check, set max lengths in SQL fields. E.T.C.

I think that the longest hash is not very much longer than 'kaksii'. It sort of has some lenght limit (I didn't do it on purpose. It comes up like that.) It will never be sooo long

Chinchilla3k wrote: can someone please send me the source code? I'm interested in this uncrackable encryption algorithm.

You need to PM me and tell me what do you want and why you are interested in that. Because I never saw you and you know…

kaksii wrote: You need to PM me and tell me what do you want and why you are interested in that. Because I never saw you and you know…

No I do not know. I want the source code for the uncrackable algo, and if not to use it just to see how it works. What I find interesting is that you won't outright give it to someone you don't "know", which just shows me you're not confident enough about your algo to accept any real critique.

Chinchilla3k wrote: No I do not know. I want the source code for the uncrackable algo, and if not to use it just to see how it works. What I find interesting is that you won't outright give it to someone you don't "know", which just shows me you're not confident enough about your algo to accept any real critique.

lol. I am confident, but you just joined today, and I can't trust you. I gave code to people I know and people I trust. I really don't wanna start argument. Sorry

Then you shouldn't be bragging about it on a public forum.

Chinchilla3k wrote: Then you shouldn't be bragging about it on a public forum.

Hmm. lol ok :D

EDIT: Just a quick note. The code is changed again. (Some shitty line wasn't doing what I wanted.) Anyway, program is uploaded.

INFO: Finally finished my bruteforcer for encryption. STATUS: Medium level bruteforcing (collision testing)

bouncer wrote: hmm i just saw this thread and decided to start cracking it, in what language did you write it? Could you send the source? :) ty

I did it in ghey VB6.

I just found some bugs.

The code is changing every day, so it wouldn't be helpful to send you the source.

I will give it to you when I finish it 100%.

Ok?

bouncer wrote: hmm i just saw this thread and decided to start cracking it, in what language did you write it? Could you send the source? :) ty

You started cracking it yet are not sure what language its in? Didn't all the references to MSVBVM60 give it away?

If you want a clear view of the slightly older source in ASM, check out my bruteforcer. That should give you some idea of what you are dealing with.

FaTaL_PrIdE wrote: You started cracking it yet are not sure what language its in? Didn't all the references to MSVBVM60 give it away?

If you want a clear view of the slightly older source in ASM, check out my bruteforcer. That should give you some idea of what you are dealing with.

Also, said it in the posts. Anyway, I don't get it. What do you mean by cracking my encryption. You mean reversing? Bruteforcing?

bouncer wrote: @FaTaL_PrIdE i was not bothered looking back into this thread, i didnt download his app, i just looked at the hashes he posted and based on that i started

What do you mean by cracking it. Reversing?

bouncer wrote: yep, and i'm still busy with md5 :P

You gotta be kidding. If you reverse md5 or sha1, you will get Nobel prize. Good Luck laughs with sarcasam

:)

Wow… you developed a private key encryption schema. ZOMG.

So in other words, if I used LFI to get the source of your hash system, I could just reverse each function, and since I have your source I also have the private key. Then I dump your db.inc.php or common.php or whatever file that has DB connectivity, login to your SQL server with the account cred in the source code and dump the entire users table. I then re-write your program in reverse order, undoing everything your program does, and it's not "impossible" because I have the password.

Security through obscurity is stupid.

There's no point in private key encryption is you're using the system to make a hash. That's not even a hash algorithm! Just because YOU didn't make a decryption program doesn't mean one doesn't exist.

You are an idiot.

I didn't mention any pruvate key, you idiot.

Does LFI has anything to do with cryptography, you idiot.

LFI has to do with website security, you idiot.

And, btw, I am not an idiot to make that flaw, you idiot.

If you ever get my source and hack the site, I would modify the algorithm and it would be of no use to you, you idiot.

Read the fucking thread, you idiot.

Thanks

kaksii wrote: You are an idiot.

I didn't mention any pruvate key, you idiot.

Does LFI has anything to do with cryptography, you idiot.

LFI has to do with website security, you idiot.

And, btw, I am not an idiot to make that flaw, you idiot.

If you ever get my source and hack the site, I would modify the algorithm and it would be of no use to you, you idiot.

Read the fucking thread, you idiot.

Thanks

You idiot, read his post.

He didn't say local file inclusion (I hate the accronym "LFI") has got anything to do with cryptogrophy, he merely stated that if he found a local file inclusion vuln on your website, or where ever this is being hosted, and found the source for the app, he could reverse the function.

Read his post again, foo'

system_meltdown wrote: You idiot, read his post.

He didn't say local file inclusion (I hate the accronym "LFI") has got anything to do with cryptogrophy, he merely stated that if he found a local file inclusion vuln on your website, or where ever this is being hosted, and found the source for the app, he could reverse the function.

Read his post again, foo'

If he read the whole thread, he would realised that I don't care about internet security.

He would understand that I care only about cryptography. Not how to steal it.

Foo'

system_meltdown wrote: You idiot, read his post.

He didn't say local file inclusion (I hate the accronym "LFI") has got anything to do with cryptogrophy, he merely stated that if he found a local file inclusion vuln on your website, or where ever this is being hosted, and found the source for the app, he could reverse the function.

Read his post again, foo'

kaksii wrote: If he read the whole thread, he would realised that I don't care about internet security.

He would understand that I care only about cryptography. Not how to steal it.

Foo'

I fail to see how I am a fool. You proved none of my points wrong. You just whined about how he didn't read the thread :-/

system_meltdown wrote: You idiot, read his post.

He didn't say local file inclusion (I hate the accronym "LFI") has got anything to do with cryptogrophy, he merely stated that if he found a local file inclusion vuln on your website, or where ever this is being hosted, and found the source for the app, he could reverse the function.

Read his post again, foo' [/quote]

Ok.

So he said if he steals my source, he will be able to reverse it.

I think my encryption is one-way (if he is reffering to that). He didn't read the thread, because if he did, he wouldn't mention any private key encryption because that's not what I did.

Nothing is one-way. Nothing_at_all. All the known standards of today can be reversed in the future. Without using bruteforce/wordlist methods.

It's math, it's never (completely) random.

It can be reversed.

Always.

EDIT: also, deathrape rules, idiots.

Please repost the executable. Im curious what an uncrackable (not for long) encryption looks like :)

Please post the damn source-code. Sounds to me like this is: -buggy -overly complicated -"frankenstein" code -not secure

Show us some source, if it's uncrackable we won't find anything.

(Also, how's the porting to PHP going?)

Well… I've come to these conclusions:

1. This is a really old thread.
2. Has a couple of pointless bumps.
3. Everyone calling someone an idiot… is an idiot.
4. Also, the excluded people are idiots, too.
5. Who even cares about the "encryption"?
6. z0mgz… I need a beer.

So, just stfu and leave it be. I thought this thread died a while ago for a reason.

The OP posted too Zephyr, so there is no "bumping without reason" going on. I'd just like to see if this thing still is around. I want/Can I have the source + latest working version(?), just to see what you did.

spyware wrote: Nothing is one-way. Nothing_at_all. All the known standards of today can be reversed in the future. Without using bruteforce/wordlist methods.

Um? Really? I suggest you read a little more about hashing algorithms. Its a basic premise - by using operations that CANNOT be reversed a (hopefully) distinct checksum is reached.

It has nothing to do with 'the future' as the only thing which will change is computational power (therefore allowing faster bruteforcing). Although there might be weaknesses found in the algorithm speeding this up slightly, reversing the algorithm is a mathematical impossibility.

reversing the algorithm is a mathematical impossibility.

With our current understandings, yes, you are right. Things change, however. Not a terrible long time ago peolpe laughed at you when you said we once would reach the moon. Or that the earth is not flat.

Things change, hashes too. Math evolves, stability degrades over time. I suspect that in 50/100 years the MD5 hash will be totally useless for safe-guarding sensitive data (read: passwords).

Feel free to disagree with me; we'll see in a few years who's right :).

Perhaps ;)

I think it will be unlikely though. Quite a bit of effort goes into breaking these algorithms which focuses mainly on (after algorithm analysis) collision detection. To be able to reverse it would suggest finding a way to reverse binary shifts and other logical operations (excluding XOR of course which is obviously reversible).

Its a fascinating and ever evolving field so the future will always be interesting :)

spyware wrote: The OP posted too Zephyr, so there is no "bumping without reason" going on. I'd just like to see if this thing still is around. I want/Can I have the source + latest working version(?), just to see what you did.

I disagree. Three months after the thread died down, deathrape bumped the thread with criticism that had already been addressed in the thread. There was nothing original in his criticism; thus, he should've left the thread alone. As for Kaksii, he responded three months later to a dead unoriginal bunch of criticism… and should've just left it alone. Hence, "bumping without reason". :)

Ah well, I guess you are right. I still want to see the source though, so if Kaksii has a copy left?

spyware wrote: Ah well, I guess you are right. I still want to see the source though, so if Kaksii has a copy left?

I am truly sorry for bumping the thread, but I was a bit pissed on deathrape's post. My encryption didn't have any public/private key encryption. It was md5 style. And that's why deathrape pissed me off. Btw, apologies to deathrape. He was wrong though. I reacted a bit aggressive.

spyware: Math evolves, but it doesn't revolve (I think I spelt wrong). And as for the project, I lost my hope. It is closed. I made a great collision tester (bruteforcer), I managed to improve the code and make it more secure.

But then, one day I got pissed off on some shit and I closed the project. Sad…maybe one day I'll continue where I stopped.