.

is it possible to reverse engineer a Java hash.

<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Wed Apr 11, 2012 10:13 am

is it possible to reverse engineer a Java hash.

Well it's probably possible, but I have an applet that is asking for a 6 digit password and then performing a function if the password is correct. I've been looking through the code (someone else wrote it) and I have found a hash in there around the 'passwordField' variable, etc.

S(aGd0ci0jNG9wc2d1dmRmaSY7MCswLURpaXV6Yik=)

Because this is just a simple 6 digit password it has to be a static value, so I figured the password has been hashed to keep it from appearing in the code as plain text. However, is there a way to reverse engineer that?
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Apr 11, 2012 10:25 am

Re: is it possible to reverse engineer a Java hash.

Since you have the code, you should be able to see what operations are being performed on the password that's submitted. Just write a loop from 000000 to 999999 that performs those same operations, compares that with the value you have, and prints out the value if there's a match. Of course, that is assuming what you posted is indeed the value that's used to validate the password.
The day you stop learning is the day you start becoming obsolete.
<<

unicityd

User avatar

Full Member
Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Wed Apr 11, 2012 10:48 am

Re: is it possible to reverse engineer a Java hash.

You need to know what hash algorithm was used.  Once you know that you can brute force it with something like this:

String realhash = \    
   "S(aGd0ci0jNG9wc2d1dmRmaSY7MCswLURpaXV6Yik=)";
for (Integer x=0; x<1000000; x++)
{
   String mypass = String.format(%06d", x);
   String myhash = hash(mypass);
   if myhash.equals(realhash)
   {
       System.out.println("The password is " + mypass);
   }
}

My syntax may be a little off (I'm not a Java programmer), but that code shows essentially what you need to do.
BS in IT, CISSP, MS in IS Management (in progress)
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Wed Apr 11, 2012 1:46 pm

Re: is it possible to reverse engineer a Java hash.

Hey guys,

Thanks for the ideas.

Yeah, I'm not a java programmer either which is why I'm finding it so hard. The code they have here is also very non-descript so I can see it making the box that has the numbers 0-9 and then the reference to the password field, but everything else is basically nameless variables. When I decompile the thing I can see SHA1-digest in a couple of spots....
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Wed Apr 11, 2012 1:52 pm

Re: is it possible to reverse engineer a Java hash.

it looks like the hash would be without the brackets as well. That kind of hash should be 40 chars I think so if the brackets were taken out of the original and just having the stuff between them you get:

aGd0ci0jNG9wc2d1dmRmaSY7MCswLURpaXV6Yik=

And that's the 40. Just need to reverse it....
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Apr 11, 2012 2:03 pm

Re: is it possible to reverse engineer a Java hash.

Creating hashes that are not reversible and don't collide are the main objectives of a quality hashing algorithm. There's not going to be a simple way to reverse it.

You need to take a trial-and-error approach as I stated earlier and unicityd provided an actual example for.

Edit: Also, that appears to be base64 encoded, and it can be successfully base64-decoded. That's why you need to understand what is being done with the password string before you can code a comparison mechanism.
Last edited by dynamik on Wed Apr 11, 2012 2:16 pm, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Wed Apr 11, 2012 2:16 pm

Re: is it possible to reverse engineer a Java hash.

Okay, thanks for the help.

I wasn't really under the impression it would be 'easy' but at least what you guys have given me helps to narrow down the focus of my efforts.

Thanks again.
<<

unicityd

User avatar

Full Member
Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Wed Apr 11, 2012 4:49 pm

Re: is it possible to reverse engineer a Java hash.

The hash you pasted in is too long for SHA-1 and too short for SHA-256.  Please double-check it and let me know if it's right.  I'm curious.
BS in IT, CISSP, MS in IS Management (in progress)
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sat Apr 14, 2012 1:10 pm

Re: is it possible to reverse engineer a Java hash.

Are you sure its a hash and not just base64 encoded? That looks very base64ish.  Decoded to text =

hgtr-#4opsguvdfi&;0+0-Diiuzb)
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Tue Apr 17, 2012 1:00 pm

Re: is it possible to reverse engineer a Java hash.

yeah, I've been messing around with this and I used a base64 to hex converter and got:

307FD8658A395B5F103654DE62181973A0F89D45ED71E4B3E77C1B58F9417B91C2E902E6E682D692188BDF64C068CF69C5B94230B64608E7ABB09A976CD6DC8CFA0A5766EF20CEAF2BCDE0EE55899983F6D61EAF3E6E28A749597DEDA0AB2DF5

Then I was trying something like padBuster which seemed to be making some progress but never finishes. It says it's decrypting some bytes but never makes it to the end.
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Tue Apr 17, 2012 5:22 pm

Re: is it possible to reverse engineer a Java hash.

hgtr-#4opsguvdfi&;0+0-Diiuzb) ... not a whole lot to go on. :)

I've been hunting through the class files to see if I can figure out how it got to that point so I can reverse it from there....

Return to Programming

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software