Results 1 to 15 of 15

Thread: Password or string obfuscator/deobfuscator

  1. #1
    Join Date
    Sep 2010
    Posts
    5,762
    Mentioned
    136 Post(s)
    Quoted
    2739 Post(s)

    Default Password or string obfuscator/deobfuscator

    I have a lot of passwords for a lot of different websites so I decided to create a simba script that can store your password (without storing your password in plain text, and not using one of the existing simba scramblers in simba, because you can also reverse most of them).

    How it works


    This script using a very simple algorithm: It inserts random characters based off the keycode you entered, resulting in a scrambled string. For example lets say you have the string 'hello' and choose to use '1865' as your keycode. It will insert 1 random character before 'h', 8 random characters before 'e', 6 random characters before 'l' and so on.




    The first script, outputs a string for you to store. Simply put the password you want to store into 'crunchString' and select a pin you want to use to deobfiscate the string.

    string obfiscater
    Simba Code:
    const
      keyCode = 1865;
      crunchString = 'Hello55';
      //leave inject alone
      inject = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM';

    procedure crunch;
    var
      newStr, keyCodeString:string;
      i, len, len2, k, count, strLength, rem, loopCount, a, d:integer;
    begin
      keyCodeString := IntToStr(keyCode);
      rem := length(crunchString) mod length(keyCodeString);

      for i := 1 to length(keyCodeString) do
        len := len + strToInt(keyCodeString[i]);

      for i := 1 to rem do
        len2 := len2 + strtoInt(keyCodeString[i]);

      loopCount := round(length(crunchString) / length(keyCodeString));
      strLength := (loopCount * len) + len2 + length(crunchString);
      setLength(newStr, strLength);
      i := 0;
        for a := 1 to loopCount do
          for d := 1 to length(keyCodeString) do
          begin
            for k := 1 to (StrToInt(keyCodeString[d])) do
            begin
              i := i + 1;
              newStr[i] := inject[random(length(inject)) + 1];
            end;
            i := i + 1;
            count := count + 1;
            newStr[i] := crunchString[count];
          end;
        for a := 1 to rem do
        begin
          for k := 1 to StrToInt(keyCodeString[a]) do
          begin
            i := i + 1;
            newStr[i] := inject[random(length(inject)) + 1];
          end;
          i := i + 1;
          count := count + 1;
          newStr[i] := crunchString[count];
        end;
      writeln(newStr);
    end;

    begin
      try
        crunch;
      except
      end;
    end.



    When you want to deob the string, input it into this script:

    deob
    Simba Code:
    const
      password = '';
      keyCode = 1865;


    type
      TPassword = record
        keyCode:integer;
        contents:string;
      end;

    function TPassword.parse():string;
    var
      newStr, keyCodeString:string;
      count, d, codeCount, l, l2:integer;
    begin
      keyCodeString := IntToStr(self.keyCode);
      l := length(self.contents);
      l2 := length(keyCodeString);
      while (codeCount < l) do
        for d := 1 to l2 do
        begin
          setLength(newStr, length(newStr) + 1);
          count := count + 1;
          codeCount := codeCount + StrToInt(keyCodeString[d]) + 1;
          newStr[count] := self.contents[codeCount];
        end;
        d := 0;
      result := newStr;
      writeln(newStr);
    end;

    var pass:TPassword;

    begin
      pass.contents := password;
      pass.keycode := keyCode;
      try
        pass.parse();
      except
      end;
    end.



    You can only unscramble the string if you know the keycode you used to scramble it with. I'm working on a GUI for it ATM

  2. #2
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)

    Default

    Quote Originally Posted by rj View Post
    Not using one of the existing simba scramblers in simba, because you can also reverse most of them.
    Lol.. I hate to be the bearer of bad news, but did you realise that you are also reversing your own algorithm? Hence obfuscation and deobfuscation? The exact same thing Simba does..


    Quote Originally Posted by rj View Post
    You can only unscramble the string if you know the keycode you used to scramble it with. I'm working on a GUI for it ATM
    :S Take a look at Simba's encryption algorithms. It does exactly this.
    Last edited by Brandon; 03-14-2015 at 11:28 PM.
    I am Ggzz..
    Hackintosher

  3. #3
    Join Date
    Sep 2010
    Posts
    5,762
    Mentioned
    136 Post(s)
    Quoted
    2739 Post(s)

    Default

    Quote Originally Posted by Brandon View Post
    Lol.. I hate to be the bearer of bad news, but did you realise that you are also reversing your own algorithm? Hence obfuscation and deobfuscation? The exact same thing Simba does..




    :S Take a look at Simba's encryption algorithms. It does exactly this.
    You have to know the keypin that you used to deob it though, with simbas you obfiscate and the deob, with this one you obfiscate, give it a number, and if its the same number you deobed it with you will get the string back

    idk how easy it is to crack but I was bored and figured it's better than storing plain text

  4. #4
    Join Date
    Nov 2011
    Location
    England
    Posts
    3,072
    Mentioned
    296 Post(s)
    Quoted
    1094 Post(s)

    Default

    Quote Originally Posted by rj View Post
    You have to know the keypin that you used to deob it though, with simbas you obfiscate and the deob, with this one you obfiscate, give it a number, and if its the same number you deobed it with you will get the string back

    idk how easy it is to crack but I was bored and figured it's better than storing plain text
    uh.... I think you dont know the difference between a hash and encryption.

  5. #5
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)

    Default

    Olly is right.. You're mixing up hashing and encryption.


    @OP: Hashing is where you just apply an algorithm to the blocks of data without a key or anything special. Once done, it's irreversible to some extent. Usually hashes can be broken using a rainbow table or look up table but sometimes the time complexity can be extremely large (taking forever to reverse). Some hashes have loop holes such that it can be broken in a shorter amount of time.


    Encryption: You take the blocks of data and apply an algorithm to it using a special key/pass-phrase. The algorithm is always reversible given that you have the correct key/pass-phrase. Some algorithms have loop holes where you can crack it and figure out the original block of data OR the key/pass-phrase. This is called single key encryption.

    There is also public and private key encryption (double key encryption) aka Alice and Bob: http://en.wikipedia.org/wiki/Alice_and_Bob Simba doesn't support this kind.


    Simba has both hashes and single key encryption algorithms:




    Your algorithm is a bit naive. Many before you have done the same thing.. It's easy to break and in an extremely short amount of time compared to recognised algorithms.

    Simba's RC2 may not be strong, but it's stronger than yours by quite a lot. You also won't need a lot of code and you can apply whatever hash you want as well. You're better off applying the same concept of your algorithm to Simba's but there's not really a need.


    Also, the only way to have cryptographically strong passwords is to never store them at all. Usually a developer only stores the salted hashed version of the password and username. Then when you log in, it applies the same algorithm to your credentials and compares that to the salt + hash already stored. This way, if the database gets compromised, the password isn't stored in reversible text. You'll NEVER be able to do this for RS because the password is required to log in via Script.


    I hate to discourage you, but you're wasting your time.. to put it bluntly. Just use what's in Simba already. You have a better chance doing that. Better yet, use nothing. If you don't want to store the password, just don't. Your way requires you to enter the password into the script manually anyway. Why bother encrypting and decrypting then?
    Last edited by Brandon; 03-15-2015 at 02:47 AM.
    I am Ggzz..
    Hackintosher

  6. #6
    Join Date
    Sep 2010
    Posts
    5,762
    Mentioned
    136 Post(s)
    Quoted
    2739 Post(s)

    Default

    Quote Originally Posted by Brandon View Post
    Olly is right.. You're mixing up hashing and encryption.


    @OP: Hashing is where you just apply an algorithm to the blocks of data without a key or anything special. Once done, it's irreversible to some extent. Usually hashes can be broken using a rainbow table or look up table but sometimes the time complexity can be extremely large (taking forever to reverse). Some hashes have loop holes such that it can be broken in a shorter amount of time.


    Encryption: You take the blocks of data and apply an algorithm to it using a special key/pass-phrase. The algorithm is always reversible given that you have the correct key/pass-phrase. Some algorithms have loop holes where you can crack it and figure out the original block of data OR the key/pass-phrase. This is called single key encryption.

    There is also public and private key encryption (double key encryption) aka Alice and Bob: http://en.wikipedia.org/wiki/Alice_and_Bob Simba doesn't support this kind.


    Simba has both hashes and single key encryption algorithms:




    Your algorithm is a bit naive. Many before you have done the same thing.. It's easy to break and in an extremely short amount of time compared to recognised algorithms.

    Simba's RC2 may not be strong, but it's stronger than yours by quite a lot. You also won't need a lot of code and you can apply whatever hash you want as well. You're better off applying the same concept of your algorithm to Simba's but there's not really a need.


    Also, the only way to have cryptographically strong passwords is to never store them at all. Usually a developer only stores the salted hashed version of the password and username. Then when you log in, it applies the same algorithm to your credentials and compares that to the salt. This way, if the database gets compromised, the password isn't stored in reversible text. You'll NEVER be able to do this for RS because the password is required to log in via Script.
    is that why most websites change your password for you, because they don't actually know your password?

  7. #7
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)

    Default

    Quote Originally Posted by rj View Post
    is that why most websites change your password for you, because they don't actually know your password?
    Websites do this when you register:


    Enter Username: Foo
    Enter Password: Bar

    Store In Database:

    USR EMAIL HASH
    Foo whatever@gmail.com Hash(Hash(Foo) + Hash(Bar) + KnownRandomSalt)


    Then whenever you attempt to log in, you enter your credentials:


    Username: Foo
    Password: Bar

    and the server does (pseudo-code):

    Code:
    if (find((Hash(Hash(Foo) + Hash(Bar) + KnownRandomSalt)))
    {
        User logged in successfully.
        Store Username in cookie or session or database (so that when you close tabs and revisit the website, you're still logged in).
    }
    As you see, the database never actually has your password stored. It only has a hashed + salted version of it. Every time you attempt to log in, it applies the same algorithm to your credentials and compares it to the stored one. Only some databases store usernames and passwords and it's quite dangerous to do (see Sony hacks lately).


    Whenever you need to recover your password, they don't give you the old password. What they do is they email you a unique link that you click on and allow you to enter a new one. They basically rely on the assumption that your email is secure and not compromised.
    Last edited by Brandon; 03-15-2015 at 02:19 AM.
    I am Ggzz..
    Hackintosher

  8. #8
    Join Date
    Feb 2012
    Location
    Discord
    Posts
    3,114
    Mentioned
    37 Post(s)
    Quoted
    538 Post(s)

    Default

    I'm not quite sure what I'm most impressed by this post... but I think its the fact I'v actually seen psuedo code outside of my school project... (it still seems like a stupid concept though tbh... feel free to enlighten me)
    I remember reading about most of this stuff when we had the villavu hack and our database was downloaded and cracked

  9. #9
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)

    Default

    Quote Originally Posted by The Killer View Post
    I'm not quite sure what I'm most impressed by this post... but I think its the fact I'v actually seen psuedo code outside of my school project... (it still seems like a stupid concept though tbh... feel free to enlighten me)
    I remember reading about most of this stuff when we had the villavu hack and our database was downloaded and cracked

    I don't remember villavu's database being cracked. Besides, what's more stupid: Storing the data as plain text or encrypted text with a key? OR storing just the salted hash?

    I don't think it's a stupid idea at all.. It's dumb to double hash yes, but other than that, the concept of hashing the password is better than not doing it at all.

    http://security.stackexchange.com/qu...hash-passwords

    http://stackoverflow.com/a/326706/1462718
    Last edited by Brandon; 03-15-2015 at 05:06 PM.
    I am Ggzz..
    Hackintosher

  10. #10
    Join Date
    Dec 2011
    Location
    East Coast, USA
    Posts
    4,231
    Mentioned
    112 Post(s)
    Quoted
    1869 Post(s)

    Default

    Quote Originally Posted by Brandon View Post
    I don't remember villavu's database being cracked. Besides, what's more stupid: Storing the data as plain text or encrypted text with a key? OR storing just the salted hash?
    Wasn't really a "hack" but the database was compromised at one point

    https://tribot.org/forums/topic/1568...t-is-going-on/
    GitLab projects | Simba 1.4 | Find me on IRC or Discord | ScapeRune scripts | Come play bot ScapeRune!

    <BenLand100> we're just in the transitional phase where society reclassifies guns as Badâ„¢ before everyone gets laser pistols

  11. #11
    Join Date
    Feb 2012
    Location
    Discord
    Posts
    3,114
    Mentioned
    37 Post(s)
    Quoted
    538 Post(s)

    Default

    Quote Originally Posted by Brandon View Post
    I don't remember villavu's database being cracked. Besides, what's more stupid: Storing the data as plain text or encrypted text with a key? OR storing just the salted hash?

    I don't think it's a stupid idea at all.. It's dumb to double hash yes, but other than that, the concept of hashing the password is better than not doing it at all.

    http://security.stackexchange.com/qu...hash-passwords

    http://stackoverflow.com/a/326706/1462718
    Quote Originally Posted by KeepBotting View Post
    Wasn't really a "hack" but the database was compromised at one point

    https://tribot.org/forums/topic/1568...t-is-going-on/
    Deob'ed would be a better term then... and Brandon... I was just on about the idea of pseudo code itself... nothing to do with hashing

  12. #12
    Join Date
    Aug 2015
    Location
    USA
    Posts
    7
    Mentioned
    0 Post(s)
    Quoted
    2 Post(s)

    Default

    Does this always require a password. I mean if I start it now.

  13. #13
    Join Date
    Dec 2007
    Posts
    2,112
    Mentioned
    71 Post(s)
    Quoted
    580 Post(s)

    Default

    lol @The Killer; pseudo code is mainly used to explain shit, as Brandon has explained to op. If you're talking about the whole bs that you have to write pseudo code before you write actual code then yes, its bs, so far at work i have wrote exactly 0 lines pseudo code.

  14. #14
    Join Date
    Feb 2012
    Location
    Discord
    Posts
    3,114
    Mentioned
    37 Post(s)
    Quoted
    538 Post(s)

    Default

    Quote Originally Posted by Kasi View Post
    lol @The Killer; pseudo code is mainly used to explain shit, as Brandon has explained to op. If you're talking about the whole bs that you have to write pseudo code before you write actual code then yes, its bs, so far at work i have wrote exactly 0 lines pseudo code.
    Kid, why are you quoting me on something I posted 5 months ago... gold scrub... (but yes I'm on about the latter)

  15. #15
    Join Date
    Jun 2016
    Posts
    1
    Mentioned
    0 Post(s)
    Quoted
    0 Post(s)

    Default

    One of the most important securtity tip for people who want to secure their stuff on computers. Never EVER try to invent a new security algorithm. Alot of smarter people already did a lot of them and also some of them are carckable. Do you think you can make a better one? I'll tell you, you are not going to make one

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •