Is it possible to decode a SPAMCAUSE field in a mail header?

4

10

I'd like to decode this string:

X-OVH-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrfeelgedrvdduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfenuceurghilhhouhhtmecufedttdenucgohfhorhgsihguuggvnhfjughrucdlhedttddm

How can I do this?

Francisfrancisca answered 6/1, 2017 at 13:47 Comment(0)
11

I improved the given Python solutions by lkraider and DoubleYou and added a JavaScript solution, too.

Python:

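def Decode(msg):
    # 1768 = ord('x') + 16 * ord('g'); the offset letter is the second
    # character of even pairs and the first character of odd pairs.
    return ''.join([chr(ord(msg[i * 2]) + ord(msg[i * 2 + 1]) - 1768 + ord(msg[i * 2 + 1 - (i & 1)]) * 16) for i in range(len(msg) // 2)])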

print(Decode('gggruggvucftvghtrhho'))

JavaScript:

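// Same arithmetic as the Python version: sum of the pair, minus 1768,
// plus 16 times the offset letter (2nd char of even pairs, 1st of odd pairs).
function Decode(msg)
{
    return Array(msg.length >> 1).fill(0).map((_, i) => String.fromCharCode(msg[i * 2].charCodeAt(0) + msg[i * 2 + 1].charCodeAt(0) - 1768 + (msg[i * 2 + 1 - (i & 1)].charCodeAt(0) << 4))).join('');
}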

console.log(Decode('gggruggvucftvghtrhho'));
Digressive answered 27/7, 2022 at 4:39 Comment(2)
Precious! And for lazy people, a quick fiddle to test your data online - jsfiddle.net/rfgb3qme/2 - Piranesi
Short and works great. Nice. - Crowfoot
8

There is a Tor hidden service you can use to decode the tag located at http://6jbnmws2zq2m2fsfmpwnssgsrxovohgggphymkd4df2pgcw7ccrdy6ad.onion

According to it, the X-OVH-SPAMCAUSE you gave translates to this:

Vade Retro 01.394.21 AS+AV+AP+RT Profile: OVH; Bailout: 300; ^ForbiddenHdr (500)
Mussolini answered 14/9, 2018 at 7:34 Comment(3)
It's definitely not a good answer, because admitting to having reverse engineered the cipher they use would get me in trouble assuming I did that; but he asked for a tool to decipher it and the Tor hidden service I pointed to works for that. (I guess an appropriate answer would be "there is no legal way to do that") - Mussolini
@Mussolini What is illegal about the Tor hidden service? Tor nodes are not inherently illegal (at least not in the United States). - Galvano
@Galvano nothing wrong with having a Tor service; but the original site that did it (=provide a decryption service) got taken down by vadesecure. Anyway that doesn't seem to have stopped others from posting similar code publicly -- and it doesn't look like vadesecure took the bait yet, so it's probably going to stay public at this point :) - Mussolini
4

Starting from lkraider's great Python answer, I improved the accuracy. It turns out that the offset characters (c..g) are alternately appended and prepended. So instead of just checking if one of them is in the pair, it is necessary to differentiate between, e.g., fh and hf, by keeping track of even or odd pairs.

def decode(msg):
    text = ""
    for i in range(0, len(msg), 2):
        # add position as extra parameter
        text += unrot(msg[i: i + 2], i // 2)
    return text


def unrot(pair, pos, key=ord('x')):
    # "even" position => 2nd char is offset
    if pos % 2 == 0:
        # swap letters in pair
        pair = pair[1] + pair[0]
    # treat 1st char as offset
    offset = (ord('g') - ord(pair[0])) * 16
    # map to original character
    return chr(sum(ord(c) for c in pair) - key - offset)

print(decode('gggruggvucftvghtrhho'))

https://gist.github.com/DoubleYouEl/e3de97293ce3d5452b3be7a336a06ad7

Grano answered 26/8, 2021 at 14:3 Comment(1)
Tested on many sources of Spamcause fields with success. - Gustation
2

Looks to be some obfuscation by rotating chars. I made an attempt at it using Python. It's not perfect but mostly seems to work:

def decode(msg):
    text = []
    for i in range(0, len(msg), 2):
        text.append(unrot(msg[i: i + 2]))
    return str.join('', text)


def unrot(pair, key=ord('x')):
    offset = 0
    for c in 'cdefgh':
        if c in pair:
            offset = (ord('g') - ord(c)) * 16
            break
    return chr(sum(ord(c) for c in pair) - key - offset)


print(decode('gggruggvucftvghtrhho'))

https://gist.github.com/lkraider/9530798a695586fc1580d0728966f6f0

Boundless answered 14/6, 2020 at 21:26 Comment(0)
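An added example, not code from any of the answers above: it applies the even/odd pair rule described in the answers with input validation, reads the header from a raw message, and splits the decoded text into fields. The field layout handled by `parse_verdict` is an assumption inferred from the single decoded sample on this page; the function names and `SAMPLE` message are constructed for illustration.

```python
import email
import re

KEY = ord('x')   # constant removed from every pair, as in the answers above
BASE = ord('g')  # offset letter that means "no shift"

def decode_spamcause(value):
    """Decode an X-OVH-SPAMCAUSE value; raise ValueError if it is malformed."""
    value = ''.join(value.split())  # tolerate wrapping or copy/paste whitespace
    if not re.fullmatch(r'(?:[a-z]{2})+', value):
        raise ValueError('expected an even number of lowercase letters')
    out = []
    for pos in range(len(value) // 2):
        a, b = value[2 * pos], value[2 * pos + 1]
        off = b if pos % 2 == 0 else a  # offset: 2nd in even pairs, 1st in odd
        code = ord(a) + ord(b) - KEY - (BASE - ord(off)) * 16
        if not 32 <= code <= 126:
            raise ValueError(f'pair {pos} ({a}{b}) is not printable ASCII')
        out.append(chr(code))
    return ''.join(out)

def parse_verdict(text):
    """Split decoded text into fields (layout assumed from this page's one sample)."""
    result = {'banner': '', 'fields': {}, 'hits': []}
    for part in filter(None, (p.strip() for p in text.split(';'))):
        hit = re.fullmatch(r'(\S+) \((-?\d+)\)', part)   # "name (number)"
        field = re.search(r'(\w+): (.*)$', part)         # "Key: value"
        if hit:
            result['hits'].append((hit.group(1), int(hit.group(2))))
        elif field:
            result['banner'] = result['banner'] or part[:field.start()].strip()
            result['fields'][field.group(1)] = field.group(2)
    return result

def spamcause_from_message(raw):
    """Return the parsed verdict of a raw message, or None if the header is absent."""
    value = email.message_from_string(raw).get('X-OVH-SPAMCAUSE')
    return None if value is None else parse_verdict(decode_spamcause(value))

# Constructed message; the header value is the string from the question.
SAMPLE = (
    'From: sender@example.com\nSubject: constructed sample\n'
    'X-OVH-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrfeelgedrvdduucetufdoteggodetrfdotffv'
    'ucfrrhhofhhilhgvmecuqfggjfenuceurghilhhouhhtmecufedttdenuc'
    'gohfhorhgsihguuggvnhfjughrucdlhedttddm\n\nbody\n'
)

if __name__ == '__main__':
    print(spamcause_from_message(SAMPLE))
```

Malformed input (odd length, characters outside a-z, or a pair that decodes outside printable ASCII) raises `ValueError` instead of returning garbage, which matters when the header comes from untrusted mail.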