
The core of this is 'find X' such that

  md5(md5(...10,000 times...(md5(X + salt)...)) = hash
where salt and hash are known. X is derived from the names of programs existing on a Windows machine with a particular format.

Or, find a way to calculate

  md5(md5(...10,000 times...(md5(X + salt')...))
given that hash and salt' are known but X is not.

Or alternatively, attempt a known-plaintext attack against RC4. Given that a certain amount of plaintext is known (4 bytes) at the start of the RC4 payload, it's likely that the first few bytes of the keystream are known and an attack could be mounted via a weakness in the RC4 key schedule.
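Added example (not code from any comment in this thread): the two pieces the comment above describes, written out so the construction is concrete. `iterated_md5` is the salted MD5 applied 10,000 times; `rc4_keystream` is textbook RC4 (KSA then PRGA); and `recover_keystream_prefix` shows exactly what a known 4-byte header under a stream cipher gives away: XOR the ciphertext against the known bytes and the keystream prefix falls out. The X, salt, header and payload values are constructed for the demo, since the real ones are not on the page; the only assumption taken from the thread is that the RC4 key is an MD5 output.

```python
import hashlib


def iterated_md5(x: bytes, salt: bytes, rounds: int = 10_000) -> bytes:
    # md5(md5(...(md5(X + salt))...)) applied `rounds` times: only the
    # innermost call sees the salt, every later round hashes the previous digest.
    digest = hashlib.md5(x + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest).digest()
    return digest


def rc4_keystream(key: bytes, length: int) -> bytes:
    # Plain RC4: key-scheduling algorithm (KSA), then the PRGA emitting `length` bytes.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same operation: XOR with the keystream.
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def recover_keystream_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    # For a stream cipher, C = P xor KS, so C xor P = KS wherever P is known.
    # A fixed header therefore leaks the first len(known_plaintext) keystream bytes.
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def demo() -> bool:
    # All values below are constructed for the demo; the real X, salt and hash
    # are not in the thread.
    x = b"C:\\Program Files\\Example App\\example.exe"
    salt = b"constructed-salt"
    key = iterated_md5(x, salt)  # 16-byte RC4 key derived from the iterated hash
    payload = b"HDR1" + b"constructed payload body"  # "HDR1" stands in for the known 4 bytes
    ciphertext = rc4_crypt(key, payload)
    leaked = recover_keystream_prefix(ciphertext, payload[:4])
    # The leaked prefix equals the genuine keystream prefix, and decryption round-trips.
    return leaked == rc4_keystream(key, 4) and rc4_crypt(key, ciphertext) == payload


if __name__ == "__main__":
    print("keystream prefix recovered from known header:", demo())
```

Note what the demo does and does not show: four keystream bytes give nothing about the key on their own; they matter only in combination with the key-schedule biases the comment alludes to, which is the reason protocols that put a predictable header under RC4 (and RC4 itself) are retired.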




Well, wasn't MD5 broken?

It should be possible to do a brute-force search using a couple of days of EC2 or (insert your favorite cloud provider here). And by brute force you can try text search, or just go for the raw bytes. Not sure a collision can work in this case as well.


To recover X + salt you'd be looking at a preimage attack of MD5. I am only aware of one preimage attack against MD5 and it's only theoretical.

The input to the RC4 key generator is an MD5 hash, which means you'd be looking at doing a brute force attack against an input of 2^128 bits. Assuming you find the answer on average in 2^127, you are looking at an enormous search space.

According to a recent article EC2 has about 500,000 machines. Now assume that I buy them all and I am able on each machine to check 1,000,000,000 values as inputs to RC4 per second then I should have the answer in 800,000 times the age of the universe. But I think my credit card will have been cancelled first.


What about sourcing all known \Program Files\ paths out of search engine indexes which meet the criteria and brute forcing?

Microsoft exception reporting must have a list of all apps ever seen too?


There is one aspect there that may or may not be important:

I don't know if the "Program files" path (or the full path) is added to the hash calculation, but at least in Windows XP this is localized.

Or who knows, the secret is that it only works in systems where Program files is in D:/.


I'd try to brute-force X (to match the hash), not RC4 at first (though it may be easier).

PBKDF2 is SHA-1 and 4096 rounds, so this shouldn't be impossible.

Bonus points if you use FPGAs to calculate MD5s.


The question is how large that search space is. If you can get a reliable list of directory names and file names then it might be small, but if you are left iterating characters in filenames (and this appears to be Unicode) then I'd imagine you'd run into the same situation.

I'd be much more tempted to look at the fact that the first four bytes of the RC4 key stream appear to be recoverable and look at key recovery from that.


PBKDF2 uses a hash function which need not be SHA-1 and applies it for a variable number of rounds, with a recommended minimum of 1000.
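Added example (written from RFC 8018 / PKCS #5, not from any project mentioned in the thread): PBKDF2 with both the hash function and the iteration count as parameters, which is the point of the reply above. The PRF is HMAC over whichever hash is named, each output block is the XOR of c chained HMAC calls, and the cost of a derivation is simply (number of blocks) x c PRF calls, so the iteration count is the knob that sets the per-guess work factor. `prf_calls` makes that cost explicit; `agrees_with_hashlib` checks the hand-written version against the standard library.

```python
import hashlib
import hmac
import math


def pbkdf2(hash_name: str, password: bytes, salt: bytes, rounds: int, dklen: int) -> bytes:
    # PBKDF2 per RFC 8018 section 5.2. PRF = HMAC-<hash_name>, c = rounds.
    # Neither the hash nor the iteration count is fixed by the standard.
    if rounds < 1:
        raise ValueError("iteration count must be at least 1")
    hlen = hashlib.new(hash_name).digest_size
    out = bytearray()
    block_index = 1
    while len(out) < dklen:
        # U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hash_name).digest()
        t = bytearray(u)
        for _ in range(rounds - 1):
            u = hmac.new(password, u, hash_name).digest()
            for k in range(hlen):
                t[k] ^= u[k]
        out += t
        block_index += 1
    return bytes(out[:dklen])


def prf_calls(hash_name: str, rounds: int, dklen: int) -> int:
    # Work per derivation: one HMAC call per round per output block.
    hlen = hashlib.new(hash_name).digest_size
    return math.ceil(dklen / hlen) * rounds


def agrees_with_hashlib(hash_name: str, password: bytes, salt: bytes, rounds: int, dklen: int) -> bool:
    # Cross-check the hand-written derivation against the C implementation in hashlib.
    return pbkdf2(hash_name, password, salt, rounds, dklen) == hashlib.pbkdf2_hmac(
        hash_name, password, salt, rounds, dklen
    )


if __name__ == "__main__":
    # The parameters the comment quotes (SHA-1, 4096 rounds) next to a SHA-256 derivation
    # with a higher count; password and salt are constructed values.
    for name, c in (("sha1", 4096), ("sha256", 100_000)):
        dk = pbkdf2(name, b"constructed-password", b"constructed-salt", c, 32)
        print(f"{name:7} c={c:7} prf_calls={prf_calls(name, c, 32):8} dk={dk.hex()}")
```

The test vectors used to check this are the HMAC-SHA1 ones from RFC 6070 (the 4096-round one is the count the comment quotes). Note that the thread's md5-applied-10,000-times construction is not PBKDF2 at all: there is no HMAC and no per-block chaining, only repeated hashing, which is why the other replies talk about brute-forcing the input rather than about the KDF's parameters.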


Even with a reverse-md5^10000 oracle, you'd only get some bits that hash to the same hash as the mysterious pair of strings. Unfortunately the decryption key is derived from the pair of strings themselves, not from their hash. Reversing md5 is not enough to retrieve the decryption key.



