{"id":6916,"date":"2025-04-19T00:01:44","date_gmt":"2025-04-19T07:01:44","guid":{"rendered":"https:\/\/c-for-dummies.com\/blog\/?p=6916"},"modified":"2025-04-26T08:47:20","modified_gmt":"2025-04-26T15:47:20","slug":"silicon-valley-encryption-part-ii","status":"publish","type":"post","link":"https:\/\/c-for-dummies.com\/blog\/?p=6916","title":{"rendered":"Silicon Valley Encryption, Part II"},"content":{"rendered":"<p>When Alexander faced the challenge of untangling the Gordian Knot, he just sliced it with his sword. Brilliant. Alas, untangling obfuscated C code takes more than a swift swipe of a blade.<br \/>\n<!--more--><br \/>\nFrom <a href=\"https:\/\/c-for-dummies.com\/blog\/?p=6909\">last week&#8217;s Lesson<\/a>, I presented highly obfuscated code from the HBO series Silicon Valley. It appears in a scene from the show where programmers attempt to decipher the Pied Piper compression algorithm. They marvel at a number in the code and wonder what does it mean?<\/p>\n<p>It means nothing, of course, as it&#8217;s an easter egg. If you run the code, it outputs the message <code>DREAM_ON_ASSHOLES<\/code>, just one of many cyber-pranks in the series.<\/p>\n<p>Here is the original code from last week&#8217;s Lesson:<\/p>\n<h3><a href=\"https:\/\/github.com\/dangookin\/C-For-Dummies-Blog\/blob\/master\/2025_04_12-Lesson.c\" rel=\"noopener\" target=\"_blank\">2025_04_12-Lesson.c<\/a><\/h3>\n<pre class=\"screen\">\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n\r\ntypedef unsigned long u64;\r\n\r\n<span class=\"comments\">\/* Start here *\/<\/span>\r\ntypedef void enc_cfg_t;\r\ntypedef int enc_cfg2_t;\r\ntypedef __int128_t dcf_t;\r\n\r\nenc_cfg_t _ctx_iface(dcf_t s, enc_cfg2_t i){\r\n    int c = (((s &amp; ((dcf_t)0x1FULL &lt;&lt; i * 5)) &gt;&gt; i * 5 ) + 65);\r\n    printf(\"%c\",c); }\r\n    enc_cfg2_t main() {\r\n    for (int i=0; i&lt;17; i++){\r\n        _ctx_iface(0x79481E6BBCC01223 + ((dcf_t)0x1222DC &lt;&lt; 64), i);\r\n    }\r\n}\r\n<span class=\"comments\">\/* End here *\/<\/span><\/pre>\n<p>To make the code more readable, I first removed the <em>typedef<\/em> statements, restoring the original data types <em>int<\/em> and <em>void<\/em>.<\/p>\n<p>The <em>__int128_t<\/em> typedef caught me off guard. In <em>gcc<\/em> and <em>clang<\/em>, <em>__int128_t<\/em> is a valid C language data type, representing a 128-bit integer value. It&#8217;s similar to a <em>long long int<\/em>, but not the same from what I gather. Regardless it&#8217;s non-standard. As a bonus, it&#8217;s delightfully cryptic, so I decided to <em>typedef<\/em> it myself and call it <em>bignum<\/em>.<\/p>\n<p>I reformatted the rest of the code and broke apart some of the complex expressions. Here&#8217;s my result, which isn&#8217;t any more understandable, just a modicum more readable:<\/p>\n<h3><a href=\"https:\/\/github.com\/dangookin\/C-For-Dummies-Blog\/blob\/master\/2025_04_19-Lesson.c\" rel=\"noopener\" target=\"_blank\">2025_04_19-Lesson.c<\/a><\/h3>\n<pre class=\"screen\">\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n\r\ntypedef __int128_t bignum;\r\n\r\nvoid iface(bignum s, int i)\r\n{\r\n    bignum w = (bignum)0x1FULL &lt;&lt; i * 5;\r\n    bignum x = (s &amp; w) &gt;&gt; i * 5;\r\n    int c = x + 65;\r\n\r\n    printf(\"%c\",c);\r\n}\r\n\r\nint main()\r\n{\r\n    int i;\r\n    bignum hidden_value,modifier,result;\r\n\r\n    <span class=\"comments\">\/* hidden value is 17 digits long *\/<\/span>\r\n    hidden_value = 0x79481E6BBCC01223;\r\n    modifier = (bignum)0x1222DC &lt;&lt; 64;\r\n    result = hidden_value + modifier;\r\n\r\n    for ( i=0; i&lt;17; i++ )\r\n    {\r\n        iface(result, i);\r\n    }\r\n}<\/pre>\n<p>It still bothers me that the <em>main()<\/em> function lacks a <em>return<\/em> statement, but that&#8217;s the least of this code&#8217;s puzzles.<\/p>\n<p>The program parses through the value 0x79481E6BBCC01223 and outputs the string DREAM_ON_ASSHOLES. One of the keys is this statement:<\/p>\n<p><code>int c = x + 65;<\/code><\/p>\n<p>ASCII code 65 is the letter &#8216;A&#8217;. So whatever is happening with the original number, the code extracts values from zero through 25 representing letters of the uppercase alphabet, plus the underscore. The true puzzle is how it gets to this point.<\/p>\n<p>One frustrating step along the way is this expression from the original code:<\/p>\n<p><code>0x79481E6BBCC01223 + ((dcf_t)0x1222DC &lt;&lt; 64)<\/code><\/p>\n<p>The value 0x1222DC (a 128-bit integer) is shifted left 64 bits. When I ran this expression through a programmer&#8217;s calculator, the result was an overflow. The problem is that the actual value being manipulated, the code to decode, is the result of the above expression. This complexity further obfuscates the original value. It also frustrates me because I can&#8217;t find a programmer&#8217;s calculator that yields the actual value being manipulated.<\/p>\n<p>My untangled code (above) generates the same output as the original. But true understanding requires that I reverse engineer the code. At some point in time, someone working on the show came up with the means to encrypt the string <code>DREAM_ON_ASSHOLES<\/code> and arrive at the value 0x79481E6BBCC01223. If I can repeat this process in reverse, it might help understand what&#8217;s really going on.<\/p>\n<p>I make the attempt in <a href=\"https:\/\/c-for-dummies.com\/blog\/?p=6923\">next week&#8217;s Lesson<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The first step to figuring out &#8220;how they did it&#8221; is to de-obfuscate the code. <a href=\"https:\/\/c-for-dummies.com\/blog\/?p=6916\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-6916","post","type-post","status-publish","format-standard","hentry","category-main"],"_links":{"self":[{"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/6916","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6916"}],"version-history":[{"count":6,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/6916\/revisions"}],"predecessor-version":[{"id":6970,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/6916\/revisions\/6970"}],"wp:attachment":[{"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}