How can I reverse engineer the encode/decode method used here?

Question

I have the page to encode and I have the page to decode.

I don't, however, have the knowledge on how to do it myself without the web pages.

What I'm trying to do is figure out how to encode a hoplink like:

http://geoffreyf6.earth4.hop.clickbank.net

into

http://8e5250ieuas1d9b9bo6c6p8xat.hop.clickbank.net/

The encode/decode pages are here:

http://www.clickbank.com/hoplink_encoding.htm
http://www.clickbank.com/hoplink_decoding.htm

Now, I know I could just hit their website to encode (and I already have code to do this) but I'm wondering what is going on behind the scenes.

There are 26 characters in the output so a letter substitution seems to be out of the question.

There are chars like x, t, and so on so it can't be in hex (plus it's too short for that).

I don't think it is using any type of hash because this has to be 100% unique and all hashes have a chance of a collision right?

Any ideas on how to figure this out?

G-Man

Answer 1

The chance of a hash collision for a proper hashing algorithm are really, really low; I'm guessing it's a hash, perhaps with a sequence of alternate hash algorithm in case there is a collision.

UPDATE: As in, it would theoretically require 2^128 attempts before you could reasonably expect a collision using SHA-256 (I say theoretically because I seem to recall hearing about some attacks on SHA-256 that reduce this number, though not to insecure levels using current hardware).

Answer 2

Entering the same details in the form gives a different encoding each time, so encoding/decoding is actually a misnomer. More likely, they're saving the record, together with this identifier, whatever it is, and use it for lookup either. Which means that

a) the value is somewhat arbitrary

b) you won't be able to bypass their "encoder"