[RevEng] Challenge: Ukrainian receipts: the solution

The challenge.

Nobody solved it correctly; this is really a disaster! Guys! Yes, I write for noobs, but can't you try a bit harder?

The solution is: notice the string at the bottom of each receipt, which is in fact a base64 string. These strings have very distinctive 'AAA' substrings: four 'A' characters encode three zero bytes, so a run of 'A's corresponds to a run of zero bytes. All of the strings end with a '=' suffix, which is the distinctive padding of base64 (input whose length is not a multiple of 3 is padded with one or two '=' characters).

Let's try to decode:

echo -ne ABoAAA07AAAAABYAEUjZAAYnvQ6wHKILn4wT93M= | base64 -d | xxd -g1
echo -ne ABoAAAH4AAAAABYADk9lAACGrgJ1Ko0ankqDEGY= | base64 -d | xxd -g1
echo -ne ABoAAAHYAAAAABYADG+jAAPEiQCzHY/HYfugwpU= | base64 -d | xxd -g1
echo -ne ABoAAAKgAAAAABYADnv3AAAM8QAjKo0f72IzSZc= | base64 -d | xxd -g1
echo -ne ABoAAALyAAAAABYAEWNJAAS6xQBRHZAlOlrsHZc= | base64 -d | xxd -g1
echo -ne ABoAAANdAAAAABYAEL3oAAFB+wA6HY/+dOKjkbo= | base64 -d | xxd -g1
echo -ne ABoAAAOzAAAAABYAELgGAAD1XQCqHY/+dn4i9nO= | base64 -d | xxd -g1
echo -ne ABoAAAP5AAAAABYAE2kDAAA7PAAWKop7Sp/gSRU= | base64 -d | xxd -g1
echo -ne ABoAAAPSAAAAABYAE2kDAAA8RgAWKop7SoZ1Ali= | base64 -d | xxd -g1
echo -ne ABoAAAQrAAAAABYAEWl7AAVAtQDhHZAjlK8lhOM= | base64 -d | xxd -g1
echo -ne ABoAAARhAAAAABYAEWI7AAVDOQDiHZAjlFcqkrQ= | base64 -d | xxd -g1
echo -ne ABoAAAS9AAAAABYAE5GaAAANGwALL9UuDNbZfW4= | base64 -d | xxd -g1
echo -ne ABoAAASVAAAAABYAEHziAARNyWjAL9OolRM1eo0= | base64 -d | xxd -g1
echo -ne ABoAAAUiAAAAABYAEWNJAAS3KwBRHZAlOMSBrps= | base64 -d | xxd -g1
echo -ne ABoAAAVOAAAAABYAE2kDAAA2+wAVKop7SpAlDeo= | base64 -d | xxd -g1
echo -ne ABoAAAWKAAAAABYAESzFAADx6gIdL9O5ZcJNuwY= | base64 -d | xxd -g1
echo -ne ABoAAAcDAAAAABYAERCPAAFEVgi3L9O1sHjClto= | base64 -d | xxd -g1
echo -ne ABoAAAczAAAAABYAEJ33AAKX2g2WL90s+Yt+Hsw= | base64 -d | xxd -g1
echo -ne ABoAAAdAAAAAABYAERDcAAFNKAkml902EqIDZXE= | base64 -d | xxd -g1

(Note: some transcription typos are inevitable here.)

Each string decodes to 29 bytes:

00 1a 00 00 0d 3b 00 00 00 00 16 00 11 48 d9 00 06 27 bd 0e b0 1c a2 0b 9f 8c 13 f7 73
00 1a 00 00 01 d8 00 00 00 00 16 00 0c 6f a3 00 03 c4 89 00 b3 1d 8f c7 61 fb a0 c2 95
00 1a 00 00 01 f8 00 00 00 00 16 00 0e 4f 65 00 00 86 ae 02 75 2a 8d 1a 9e 4a 83 10 66
00 1a 00 00 02 a0 00 00 00 00 16 00 0e 7b f7 00 00 0c f1 00 23 2a 8d 1f ef 62 33 49 97
00 1a 00 00 02 f2 00 00 00 00 16 00 11 63 49 00 04 ba c5 00 51 1d 90 25 3a 5a ec 1d 97
00 1a 00 00 03 5d 00 00 00 00 16 00 10 bd e8 00 01 41 fb 00 3a 1d 8f fe 74 e2 a3 91 ba
00 1a 00 00 03 b3 00 00 00 00 16 00 10 b8 06 00 00 f5 5d 00 aa 1d 8f fe 76 7e 22 f6 73
00 1a 00 00 03 d2 00 00 00 00 16 00 13 69 03 00 00 3c 46 00 16 2a 8a 7b 4a 86 75 02 58
00 1a 00 00 03 f9 00 00 00 00 16 00 13 69 03 00 00 3b 3c 00 16 2a 8a 7b 4a 9f e0 49 15
00 1a 00 00 04 2b 00 00 00 00 16 00 11 69 7b 00 05 40 b5 00 e1 1d 90 23 94 af 25 84 e3
00 1a 00 00 04 61 00 00 00 00 16 00 11 62 3b 00 05 43 39 00 e2 1d 90 23 94 57 2a 92 b4
00 1a 00 00 04 95 00 00 00 00 16 00 10 7c e2 00 04 4d c9 68 c0 2f d3 a8 95 13 35 7a 8d
00 1a 00 00 04 bd 00 00 00 00 16 00 13 91 9a 00 00 0d 1b 00 0b 2f d5 2e 0c d6 d9 7d 6e
00 1a 00 00 05 22 00 00 00 00 16 00 11 63 49 00 04 b7 2b 00 51 1d 90 25 38 c4 81 ae 9b
00 1a 00 00 05 4e 00 00 00 00 16 00 13 69 03 00 00 36 fb 00 15 2a 8a 7b 4a 90 25 0d ea
00 1a 00 00 05 8a 00 00 00 00 16 00 11 2c c5 00 00 f1 ea 02 1d 2f d3 b9 65 c2 4d bb 06
00 1a 00 00 07 03 00 00 00 00 16 00 11 10 8f 00 01 44 56 08 b7 2f d3 b5 b0 78 c2 96 da
00 1a 00 00 07 33 00 00 00 00 16 00 10 9d f7 00 02 97 da 0d 96 2f dd 2c f9 8b 7e 1e cc
00 1a 00 00 07 40 00 00 00 00 16 00 11 10 dc 00 01 4d 28 09 26 97 dd 36 12 a2 03 65 71
                                       ------------ 16 or 0x10 bytes -----------------
         -------------------------- 26 or 0x1a bytes ---------------------------------
            ----------------------- 25 or 0x19 bytes ---------------------------------

Clearly, the first, low-entropy half (the many 'A's in the base64 strings) is some kind of header. The first 3 bytes (00 1a 00) are possibly the length of the subsequent block: 0x1a = 26, which is exactly the number of bytes that follow them in each 29-byte string. Bytes 4-5 are the only part of the header that changes from receipt to receipt; bytes 0-3 and 6-11 are identical in all 19 dumps.

The second half is not encrypted, I think, despite the fact that some receipts have a 'MAC=' label in front of the base64 string. (Think about it: why don't I believe encryption is used here? Keep in mind that a MAC, a message authentication code, protects integrity rather than confidentiality and is routinely computed over plaintext, so the label by itself is no evidence of encryption.)

The answer (or solution) I expected: "each receipt has a base64-encoded string of some low-entropy data, so it is unlikely to be encrypted". Ciphertext from any reasonable cipher is indistinguishable from random bytes, so long runs of zero bytes and fields that stay constant across receipts are a strong sign of plaintext.
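
As an added example (not code from the original post), here is a Python script that automates the analysis above: it picks out base64-looking tokens from receipt text by the post's criteria (base64 alphabet, '=' padding, 'AAAA' runs), decodes the 19 strings listed above, checks the "00 1a = length of the rest" reading of the header, and compares the Shannon entropy and zero-byte fraction of the header against the remaining bytes, which is the quantitative form of the "low entropy, so unlikely encrypted" argument. The split at byte 12 and the name `field_4_5` for the varying header bytes are my own choices, not something the post establishes, and the receipt text in `SAMPLE_RECEIPT` is constructed.

```python
import base64
import math
import re
from collections import Counter

# The 19 strings transcribed in the post above, including its transcription
# typos; base64.b64decode does not reject non-zero trailing bits, so every
# one of them still decodes to 29 bytes.
RECEIPT_STRINGS = [
    "ABoAAA07AAAAABYAEUjZAAYnvQ6wHKILn4wT93M=",
    "ABoAAAH4AAAAABYADk9lAACGrgJ1Ko0ankqDEGY=",
    "ABoAAAHYAAAAABYADG+jAAPEiQCzHY/HYfugwpU=",
    "ABoAAAKgAAAAABYADnv3AAAM8QAjKo0f72IzSZc=",
    "ABoAAALyAAAAABYAEWNJAAS6xQBRHZAlOlrsHZc=",
    "ABoAAANdAAAAABYAEL3oAAFB+wA6HY/+dOKjkbo=",
    "ABoAAAOzAAAAABYAELgGAAD1XQCqHY/+dn4i9nO=",
    "ABoAAAP5AAAAABYAE2kDAAA7PAAWKop7Sp/gSRU=",
    "ABoAAAPSAAAAABYAE2kDAAA8RgAWKop7SoZ1Ali=",
    "ABoAAAQrAAAAABYAEWl7AAVAtQDhHZAjlK8lhOM=",
    "ABoAAARhAAAAABYAEWI7AAVDOQDiHZAjlFcqkrQ=",
    "ABoAAAS9AAAAABYAE5GaAAANGwALL9UuDNbZfW4=",
    "ABoAAASVAAAAABYAEHziAARNyWjAL9OolRM1eo0=",
    "ABoAAAUiAAAAABYAEWNJAAS3KwBRHZAlOMSBrps=",
    "ABoAAAVOAAAAABYAE2kDAAA2+wAVKop7SpAlDeo=",
    "ABoAAAWKAAAAABYAESzFAADx6gIdL9O5ZcJNuwY=",
    "ABoAAAcDAAAAABYAERCPAAFEVgi3L9O1sHjClto=",
    "ABoAAAczAAAAABYAEJ33AAKX2g2WL90s+Yt+Hsw=",
    "ABoAAAdAAAAAABYAERDcAAFNKAkml902EqIDZXE=",
]

# Constructed receipt text (not a real receipt) carrying one of the strings
# behind the 'MAC=' label the post mentions.
SAMPLE_RECEIPT = "TOTAL 123.45\nMAC=" + RECEIPT_STRINGS[0] + "\nTHANK YOU\n"

# Runs of base64 alphabet characters, optionally padded.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def base64_candidates(text):
    """Tokens that look like base64 by the post's criteria: base64 alphabet,
    length a multiple of 4, and either '=' padding or an 'AAAA' run
    (four 'A' characters encode three zero bytes)."""
    out = []
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if len(tok) % 4 == 0 and (tok.endswith("=") or "AAAA" in tok):
            out.append(tok)
    return out


def decode_receipt(s):
    """base64-decode one string and split it the way the post reads it.
    The header/tail split at byte 12 is my choice (bytes 0-11 are the
    near-constant part in the dump); offsets 4-5 vary from receipt to
    receipt, and the post does not say what they are."""
    raw = base64.b64decode(s)
    declared = int.from_bytes(raw[0:2], "big")  # 00 1a -> 26
    return {
        "raw": raw,
        "length_ok": declared == len(raw) - 3,  # 29 - 3 == 26
        "header_const_ok": raw[0:4] == b"\x00\x1a\x00\x00"
        and raw[6:12] == b"\x00\x00\x00\x00\x16\x00",
        "field_4_5": int.from_bytes(raw[4:6], "big"),
        "header": raw[:12],
        "tail": raw[12:],
    }


def shannon_entropy(data):
    """Bits per byte; 8.0 is the ceiling for a uniformly random stream,
    which is what ciphertext from a sound cipher looks like."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_report(strings=RECEIPT_STRINGS):
    """Compare the header bytes with the rest across all receipts:
    a zero-heavy, mostly constant header versus a varied tail."""
    recs = [decode_receipt(s) for s in strings]
    header = b"".join(r["header"] for r in recs)
    tail = b"".join(r["tail"] for r in recs)
    return {
        "count": len(recs),
        "all_29_bytes": all(len(r["raw"]) == 29 for r in recs),
        "all_length_ok": all(r["length_ok"] for r in recs),
        "all_header_const_ok": all(r["header_const_ok"] for r in recs),
        "header_entropy": shannon_entropy(header),
        "tail_entropy": shannon_entropy(tail),
        "header_zero_frac": header.count(0) / len(header),
        "tail_zero_frac": tail.count(0) / len(tail),
    }


if __name__ == "__main__":
    print(base64_candidates(SAMPLE_RECEIPT))
    for s in RECEIPT_STRINGS:
        print(decode_receipt(s)["raw"].hex(" "))
    print(entropy_report())
```

Running it reproduces the hex dump above and reports roughly 2 bits per byte for the concatenated headers (two thirds of the bytes are zero) against well over 5 bits per byte for the tails; neither half is anywhere near the 8 bits per byte one would expect from ciphertext.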

A reverse engineer, cryptographer or anyone in infosec should quickly spot these base64 strings, like I did.

(The post was first published on 20251120.)

