Leaderboard

The tool I used was something I wrote before in C# with the original intent to brute force hashes from mix files. When we started digging into these secret password hashes, I added the obfuscate algorithm into it. http://nyerguds.arsaneus-design.com/project_stuff/2014/CnCMixNameFinder/ I'm not sure if I got the latest version of my tool uploaded (it's possible that the uploaded version does not contain the dictionary attack support), but anyway, it's a rather unoptimised C# desktop app. It doesn't have any kind of special way to distribute loads; it's plain CPU-powered, without multi-core processing or anything like that. To do parallel hacking, I generally just started it 8 times, assigned each instance to another core manually in Windows Task Manager, and gave each instance another range to go over. I mean, it was originally just meant to brute-force hashes from mix files, which means pure ASCII filenames up to 8 characters of which the extension is generally already known. So yea, for that purpose, it was good enough Note that the Obfuscate algorithm I use was partially rewritten by Tomsons26, with findings which I think were based on earlier reverse-engineering. Toms noticed that certain operations cancelled each other out, and have no effect on the end result. So the c# code I have is in fact more optimised than the version in the original code, and thus, more suitable for brute force operations. [edit] Ugh, seems the whole Obfuscate method isn't in the currently released code yet. I'll upload it asap.

Oh wow, a lot of these are unknown. I brute forced on these a lot, but I never thought of including underscores or exclamation marks, because the algorithm just substitutes them for alphanumeric characters anyway. Never made the obvious realisation that that didn't mean they didn't use them. I found JURASSIC, FUNFUN, GONEWILD, CHOMPCHOMP, and a few others you got as well; basically, purely alphanumeric dictionary stuff. The #2 one you're missing matches "RAPATTACK", but I have no clue about #8 either. #4 actually has a lot of fun dictionary matches, but none seemed very plausible. I like the "ANKYLOSAURTOWEL" one though "OBWAN" is completely confirmed. First of all, it's obviously a Star Wars reference, and secondly, It's Joe Bostic's developer password, and Joe has always used "Joe B Wan" as online nickname. In fact if you look in the Petroglyph Discord, "Joebwan" is his nickname there. PARM_EDITORERIK (0xC2AA509B) matches "SUPEREDIT", so that seems extremely plausible too. Red Alert also has a bunch of hashes like it. I got a spreadsheet on which I keep track of everything found and confirmed so far: https://docs.google.com/spreadsheets/d/1EnkKM28eDt1VbhtFKHnD1PCm-FmboygiuIyehFfSudo/edit#gid=0

I also tried using the Z3 theorem prover to find inputs that hash to the desired codes, with limited success. It does find working preimages, but it's slow and the preimages it finds are obviously random hash collisions, not the inputs intended by the developers. The only one I saw that looked remotely plausible was "OBWAN" for 0xABDD0362 (PARM_CHEATJOE), but that's not as clearly correct as known cheat strings like "SUPER" and "WIZARD". I'm no Z3 expert, so maybe the program can be improved. The source code is attached. The program actually finds the right answer for some already solved codes like 0x59E975CE (PARM_EASY), 0x5D9F6F24 (PARM_6PLAYER), and 0x6F4BE7CA (PARM_CHEAT), as well as collisions of different lengths. "unsat" means there are no solutions of the given length. 0x59E975CE 1 unsat 2 unsat 3 unsat 4 'EASY' 5 unsat 6 'Y%KZJ`' 7 'F9H]JC-' 8 '&76FX=$"' 9 '||MQL6K:]' 10 '-K#?S132:L' 11 '9E#}3T{((__' 12 'N.HZ}FC^V~_{' 13 '`!=A["$M99|\'%' 14 '`OX_:^N~{S@<M|' 15 '9B}81"^B""V0A)8' 16 '^}^L%2JERWJ^C{|{' 0x5D9F6F24 1 '6' 2 unsat 3 unsat 4 '2E0~' 5 '>@!,\\' 6 'V9J>\\+' 7 '`7~^1#3' 8 'X2D*@+WD' 9 ">.0|1PC&'" 10 "20MO:'^'BA" 11 '8:#3;~%(?`=' 12 '-:,81?^DR=~(' 13 '(JW01VX[*EB2G' 14 '=~3OX0*~"E~)U1' 15 '^`~NY.)#$;~RTLH' 16 '3[~]<4H=3\\Q)|B7}' 0x6F4BE7CA 1 unsat 2 unsat 3 unsat 4 unsat 5 'CHEAT' 6 'Z##T4I' 7 'XTVJAV/' 8 '1!,"%CV\'' 9 'S|Q.4"@AM' 10 '}<N_6{K42.' 11 'U>;LE|FT=]*' 12 'W(V/{O}N#{MG' 13 '{LA6T%FG~"1FJ' 14 'GW0/C{~{QAFZ`8' 15 ';%Z79T0R2\\^({}~' 16 '+"$_AS-|$""}]$"<' But for the unsolved codes I tried, it just finds random collisions. "OBWAN" for 0xABDD0362 might be plausible, the rest are definitely not the intended strings. 0xABDD0362 1 unsat 2 unsat 3 unsat 4 unsat 5 'OBWAN' 6 '/*5<F^' 7 "1U_T=U'" 8 '2D[Y@".&' 9 '`N01IX?TQ' 10 ',`51%/FLOP' 11 'V:7D.Y.J88"' 12 'P=![(,&MLFQ}' 13 ',}=1|0$0MR!O}' 14 "C.Y(6~G'({O+#$" 15 'Y}^!|QU?JB_F1{{' 16 "E,^6@A18EP(0'%=!" 0xBE79088C 1 unsat 2 unsat 3 unsat 4 unsat 5 'MS"Q_' 6 ']SFY~(' 7 'M7PH7,@' 8 '%/@.:*^:' 9 "'UY9P,GE." 10 '`}7)&FE3?}' 11 '9B}~1`^&NN?' 12 '+OI?FC+;U6VN' 13 '^UF12WF;L?.S,' 14 'OW\\"+0$1#0;?D{' 15 'IB`]Q"|@R1P]`@[' 16 '8K0=&B!T-+`W$\\Q`' Restricting the input to alphabetic characters (rather than the full isgraph character set allowed by the hash algorithm), the discovered solutions are still not meaningful. 0x63CE7584 1 unsat 2 unsat 3 unsat 4 unsat 5 unsat 6 unsat 7 unsat 8 'BEJSVLBD' 9 'UPPBHLNVD' 10 'HTFXNEVSCB' 11 'YSJKBROQCWG' 12 'XCHGECOCIZJF' 13 'EEYODOQOHSLDH' 14 'WMHGPUIBMCJYFC' 15 'LHYFDQPQIWXOCYW' 16 'KBOEMFKNMFYXCLXF' 0xBE79088C 1 unsat 2 unsat 3 unsat 4 unsat 5 unsat 6 unsat 7 'CWNUNHO' 8 'UQHZIWBM' 9 'HKBIDGEDV' 10 'POHEEEXMUA' 11 'EUEJHDXZJXB' 12 'GIJCGTNWWGNM' 13 'IKHJTZQMRDKDC' 14 'CWWKBBDFKJTFDO' 15 'LMMMJUXDYWHTXXF' 16 'GXTTNVXSTLWTYYWX' 0xE0F651B9 1 unsat 2 unsat 3 unsat 4 unsat 5 'QEPOT' 6 'IYTMPD' 7 'UTAMDKK' 8 'WPZEYWLH' 9 'QFFEYFYOM' 10 'JLZHNNLSDC' 11 'LWZKHYJVDEX' 12 'BRZFFZVDEZBA' 13 'AEFLMWRBAEJJM' 14 'AEHZPMQEGENLHJ' 15 'QVEZCRMTARMXEBG' 16 'CMXGQWXUKSNTKEXX' 0xF7867BF0 1 unsat 2 unsat 3 unsat 4 unsat 5 unsat 6 unsat 7 unsat 8 'BFNEYHMI' 9 'YUOWEELIL' 10 'PVDILKVDND' 11 'EFVQLUYXBDT' 12 'MLDDWBNDWBDD' 13 'IVAJGNJCNTDGF' 14 'HKZGTFIQSVSYFB' 15 'CTZUXWQLPVVDEUV' 16 'JJFENREYWBNUADFY' cnc_obfuscate_z3.py.zip