Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 24 Jul 2012 16:11:51 -0400
From: Rich Rumble <>
To:, Hank Leininger <>,
Subject: Re: Re: Crack Me If You Can 2012

On Sun, Jul 22, 2012 at 6:18 PM, Hank Leininger <> wrote:
> Last year the challenge files contained simple hashes, and were scored
> by turning in the plaintexts for those hashes--this year we want the
> plaintext that cracked open the challenge file, which will be worth a
> big chunk of points.  There's nothing inside the challenge files but
> instructions on making that submission.
If any of the challenges are older Microsoft Office products, and
there are different ways to "crack" them open, how do we prove/show
our work? For instance a Outlook PST file uses a crc32 password check,
advertees -> D6E4663B
a1sellers ->  D6E4663B
each is just as likely a password, and each works equally well to open
a pst, there are (dozens of)other collisions as well.
Also Word/Excel/PowerPoint and older PDF documents password to open
uses an RC4 40-bit key space by default, and there exist many
different rainbowtables/ophcrack tables that find collisions and
simply remove the protection on the document, most don't tell you what
the collision was/is.
I can't recall, I haven't done it in a while, but older zip files were
subject to known-plaintext attacks, what (BIG) if someone used that to
decrypt a zip archive, but doesn't know the password...I just want it
understood that there is "more than one way to skin a cat", and if key
collisions/exhaustion aren't eligible for points we should know. But
as long as the challenges are all rot-13, I'm all set :)
To summarize:
What if I open the challenge, but don't know the password, how do I
show my work and get points?

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.