Calling those systems cryptosystems is a stretch. The fact that the researchers were able to attack it by extracting the cipher means it was operating under "security through obscurity". Real cryptographic systems don't.
In building a cryptographic system you should not only expect but ASSUME the attacker will have EVERYTHING except the private key/data. He has all public data, copies of other plaintext, copies of other cipher text, all initialization vectors, complete understanding of the algorithm and the system, whitepapers, all other cryptographic analysis and .... the system should STILL BE SECURE.
With SHA-256 there is nothing to "find".
Here is the representation of 1 round of the SHA-256 hash (64 rounds for final hash):
Here are the functions:
Here are the eight h values:
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
Here are the 64 k values:
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
There are no secrets. Every part of the code is publicly available and has been vetted by cryptographers around the world.
So what does the failure of GMR mean?
"Security through obscurity is no security at all" is still alive and well. One would think after 3 decades of near continual hacks, breaks, and attacks on weak systems (WEP, GSM, CSS, etc) involving "obscurity" that companies would learn but they likely never will.