[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Beginning of process of decrypting net-nanny files (fwd)



Article 425292 of alt.religion.scientology:
Newsgroups: alt.religion.scientology
Subject: Beginning of process of decrypting net-nanny files
Date: Thu, 02 Jul 1998 00:28:03 -0700
Lines: 100
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit



There are three files with the netnanny, called d32l.dll,
n32l.dll, and p32l.dll.                                    
These are not really dlls, but are almost certainly the
database of words and phrases that the netnanny is interested
in.

If you look at these files, there is a total of 1037 lines,
each of which has from 10 or so to 60 or so characters.
It turns out (see below) that two characters in the data file
almost certainly map to 1 character of the plaintext, so
the phrases are 5 to 30 characters long.  1037 phrases of
5 to 30 characters seems about right.

If you look closely at the text, you'll see that they letters
alternate between the ranges of 32-63 and 96-127 (decimal).
That is, a line begins "1{7}.f#f".  The 1, 7, ., and #
are all in the range 32-63, and the {, }, f, and f are in the
range 96-127.  Each of these letters, then, can take one of
32 values, or five bits.  If you combine these, you find that
there are only 512 combinations used of the pairs of letters,
instead of the expected 1024 (=2^10).  It turns out that if
you construct a 10 bit word with the first 5 bits from the
first character and the second 5 from the second character,
then you find that the middle two bits are always either both 
0 or both 1.  So, there are 512 possibilities.

These 512 numbers are fairly uniformly distributed, so this is
not a simple substitution cipher.  Interestingly, though, again,
using the above construction of a 10 bit number from the two five
bit pairs, you find that the high order bits change very slowly
if at all from character to character. This is the beginning of
d32l.dll (fair use quotation of two lines from the file)

1101110001
1100110100
1100110011
0011001110
0011110000
0001110101
0010000000
0010000001
0010001111
0011001010
0001000100
0001001101
0000001110 
0010000101
0000001000
0111110101
0110110111

0110001111
0111111110
0110000101
0110111110
0110110010
0101110110
0101000010
0101111000
0110001110
0100001110
0100111011
1011000001
1011111000
1011111000
1001110010
1010000111
1010110111    
1010001000
1000111000
1011001111
1011111101
1010001011
1010111001
1101000111
1101110101
1100000011
1100110001
1100111111
1111001101
1111111011
1110001001

Note that the middle two bits are always the same, and the high
order bits seem to be changing slowly, but slowly upwards.

My guess is that some value is being added to the plaintext character,
and this value is incremented every plaintext character.  Further,
perhaps, there is a exclusive or being performed.  In any case, I hope
that this gets other people moving in the right direction.  
Suggested words to look for, that seem to have tweaked the nanny, are
xenu hemet zinjifar helena kobrin mark ingber grady ward mirele
rnewman wollersheim andreas heldal-lund operation clambake
"gilman hot springs" motherfucker cocksucker