Didier Stevens

Tuesday 6 May 2008

A Little PDF Puzzle

Filed under: Forensics,PDF — Didier Stevens @ 8:24

I have a little PDF puzzle this week. Find the passphrase in this PDF document and post a comment with your solution. There’s a very simple solution just requiring Notepad (and your favorite PDF reader).

9 Comments »

  1. 5 0 obj
    <<
    /Length 89
    /Filter /ASCII85Decode
    >>
    stream
    6<#'\7PQ#@1a#b0+>GQ(+?(u.+B2ko-rakk+E1b1F)Yf5@<6!&BlbCgDI[]uD.RU,@;I&dE+EC!ATK:C<,*OE;u~>
    endstream
    endobj

    which reads:
    The passphrase is Incremental Updates

    is that it?

    Comment by pdp — Tuesday 6 May 2008 @ 9:12

  2. Open the PDF and there’s a part which says filter used for decoding the steam is ASCII85Decode.

    Use an online ASCII85 decoder to decode both streams in the PDF gives you the 20 character password :)

    Comment by Roys — Tuesday 6 May 2008 @ 9:13

  3. Hei,

    “The passphrase is Incremental Updates” :)

    Nice puzzle and hope to see more of these soon.

    Regards,
    Daniel

    Comment by Daniel Radu — Tuesday 6 May 2008 @ 9:21

  4. Congrats to all, the passphrase is indeed “Incremental Updates”. “Incremental Updates” is a feature of the PDF language I want to highlight in a new post tomorrow.

    Now, which one of you didn’t use an ASCII85 decoder (except for the one in your PDF reader)? You still have till tomorrow (GMT+2) to post a solution without using an external ASCII85 decoder (I suppose none of you can read ASCII85 :-) ).

    Comment by Didier Stevens — Tuesday 6 May 2008 @ 10:10

  5. No, we don’t need an ascii85 decoder.

    Look at the file:
    - there are two Cross Reference tables
    - there are two streams
    - a pdf reader is able to show one stream only

    The encoded strings are similar, the initial part are the same. The initial part is used to specify some text’s option (i.e. where to put the text). Second stream (text with xxx) will be written over the first one (text with password).
    In the end, to see the right text I removed some bytes from the end of the file. These are the bytes I did cut:

    5 0 obj
    <>
    stream
    6GQ(+?(u.+B2ko-rakk+E1b1F)Yf5@<6!&BlbD!=BJ[-=BJ[-=BJ[-=BJ[-=BI!p
    endstream
    endobj

    xref
    0 1
    0000000000 65535 f
    5 1
    0000000935 00000 n
    trailer
    <>
    startxref
    1110
    %%EOF

    Comment by zairon — Tuesday 6 May 2008 @ 10:19

  6. Excellent zairon. Delete everything after the first occurence of %%EOF, and you’ve recovered the previous version of the PDF document. And this version contains the passphrase.

    Comment by Didier Stevens — Tuesday 6 May 2008 @ 10:31

  7. [...] by zairon under Cryptography, General, Reverse Engineering   There was a challenge today at Didier Stevens’s blog . It’s a pdf puzzle, the goal is to find out the passphrase hidden inside the [...]

    Pingback by Some minutes of fun with pdf file « My infected computer — Tuesday 6 May 2008 @ 12:41

  8. [...] Qui il link dove prendere altre info Lo citerò solo quando avrete trovato la soluzione [↩] Tags: [...]

    Pingback by PDF Puzzle - Trova la passphrase | Andrea Lazzari's blog — Tuesday 6 May 2008 @ 16:18

  9. [...] PDF — Didier Stevens @ 8:22 I’m quite pleased with the feedback I received for my Little PDF Puzzle, thanks [...]

    Pingback by Solving a Little PDF Puzzle « Didier Stevens — Wednesday 7 May 2008 @ 8:22


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 199 other followers

%d bloggers like this: