HACKVent 2014 - Day 09 writeup
I’ve signed up for the Hackvent event run by the guys from www.hacking-lab.com, which is an advent-like hacking competition. Every day a new challenge is posted at midnight and is best solved the same day, with the challenges becoming more difficult each week. The aim of every puzzle is to find either a QR-encoded x-mas ball which leads to the validation code, or a secret human-readable string which gives you that ball when fed into a validator (the “Ball-O-Matic”).
Here’s the write-up for the ninth challenge, in which we will learn how to spy on our girlfriend by reading her text messages.
iPhorensics Part :
For the Day 09 Hackvent challenge, we were given the following instructions :
I don’t know what the file consists of, so I run strings on it and I directly get "SQLite format 3". So it’s a SQLite database. I could have installed a database browser, but it wasn’t needed since all the info was here:
__kIMMessagePartAttributeName NSNu 7EA9C4B7-DC8D-41FE-9577-DA4EE85C3E15==Nn0EUp68lYbS2LeMKMhEaYbS2Leyzoa1PouWzYw9JoiRQJFS3qT10IIuxY3Szq streamtyped NSMutableAttributedString NSAttributedString NSObject NSMutableString NSString p sprl jhlzhy zhshk NSDictionary __kIMMessagePartAttributeName NSNumber NSValue SMSe:AFF414A2-007E-4753-B7B1-395C0BFA3ADB 7EA9C4B7-DC8D-41FE-9577-DA4EE85C3E15 chat message handle USMS;-;+41796666666- AFF414A2-007E-4753-B7B1-395C0BFA3ADBbplist00 CKChatWatermarkMessageID_ CKChatWatermarkTime I+41796666666SMSE:2FE6EFB3-EA2E-43D3-88D3-504515DECECE USMS;-;+4179666ROT13- AFF414A2-007E-4753-B7B1-395C0BFA3ADBbplist00 CKChatWatermarkMessageID_ CKChatWatermarkTime I+4179666ROT13SMSE:2FE6EFB3-EA2E-43D3-88D3-504515DECECE SMS;-;+41796666666 SMS;-;+4179666ROT13 !+41796666666chSMS0796666666 #+4179666ROT13chSMS079666ROT13 +41796666666SMS +4179666ROT13SMS +41796666666 +4179666ROT13
It’s an SMS sent by +41796666666 containing the text
At first I was looking at GSM PDU encodings to try to make sense of the SMS payload (in fact, iPhone text messages are stored in plaintext). While looking at encoding examples, I got the idea to reverse the string:
It is obviously a Base64 string, the two trailing “=” characters being padding. However, it does not decode to proper ASCII text. That’s where another hint comes into play: +4179666ROT13. This cell phone number is not valid, and it tells me that a ROT13 encryption has been applied somewhere. By rot13’ing the string and then base64-decoding it we get:
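As an added example (not code from the original write-up), the Python below tries each combination of string reversal and ROT13 before a strict Base64 decode and keeps only the results that are printable ASCII. The payload is copied from the strings output above; where the value starts and ends inside that run-together output is an assumption, and the names peel and is_printable are hypothetical.

```python
import base64
import binascii
import codecs
from itertools import product

# SMS body as it appears in the strings output above. Its exact boundaries
# inside that run-together output are an assumption of this example.
SMS_BODY = "==Nn0EUp68lYbS2LeMKMhEaYbS2Leyzoa1PouWzYw9JoiRQJFS3qT10IIuxY3Szq"


def is_printable(raw: bytes) -> bool:
    """True when every byte is a printable ASCII character."""
    return bool(raw) and all(0x20 <= b < 0x7F for b in raw)


def peel(payload: str):
    """Try reverse / ROT13 in every combination, then strict Base64.

    Returns a list of (steps, text) for each combination whose decoded
    bytes are printable ASCII.
    """
    hits = []
    for do_reverse, do_rot13 in product((False, True), repeat=2):
        candidate, steps = payload, []
        if do_reverse:
            candidate = candidate[::-1]
            steps.append("reverse")
        if do_rot13:
            # ROT13 only touches letters; digits and '=' pass through.
            candidate = codecs.encode(candidate, "rot_13")
            steps.append("rot13")
        try:
            raw = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue  # e.g. padding at the front: not valid Base64
        steps.append("base64")
        if is_printable(raw):
            hits.append((steps, raw.decode("ascii")))
    return hits


if __name__ == "__main__":
    for steps, text in peel(SMS_BODY):
        print(" -> ".join(steps), "=>", text)
```

Reversal alone decodes to non-printable bytes and the unreversed forms fail strict Base64 validation, which is why both hints are needed. The one surviving candidate still reads right to left.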
Two Tone Army Part :
The wav file is a series of dial tones, also known as dual-tone multi-frequency (DTMF) signaling, from the times when phones made sounds as you pressed the numbers to dial. Decoding a dial audio sequence was a movie trope for hackers.
This executable, once the wav file is converted to a 44110 Hz PCM signal, can automatically decode the DTMF sequence and output this number sequence:
Those are ASCII character codes separated by a “sharp” symbol. When translating them into the characters they represent, we get