Wednesday, November 30, 2011

Can you crack it? (nope, I tried though)

The UK government created a challenge to find eligible code crackers. The website is http://www.canyoucrackit.co.uk/.

I got close, but my skills aren't up to par. Here is as far as I got. They give you the following code:

eb 04 af c2 bf a3 81 ec  00 01 00 00 31 c9 88 0c
0c fe c1 75 f9 31 c0 ba  ef be ad de 02 04 0c 00
d0 c1 ca 08 8a 1c 0c 8a  3c 04 88 1c 04 88 3c 0c
fe c1 75 e8 e9 5c 00 00  00 89 e3 81 c3 04 00 00
00 5c 58 3d 41 41 41 41  75 43 48 3d 42 42 42 42
75 3b 5a 89 d1 89 e6 89  df 29 cf f3 a4 89 de 89
d1 89 df 29 cf 31 c0 31  db 31 d2 fe c0 02 1c 06
8a 14 06 8a 34 1e 88 34  06 88 14 1e 00 f2 30 f6
8a 1c 16 8a 17 30 da 88  17 47 49 75 de 31 db 89
d8 fe c0 cd 80 90 90 e8  9d ff ff ff 41 41 41 41

What jumps out at me first are the nops (90 90) in the last line. My mind automagically tells me this is shellcode. I wasn't 100% sure, but it was the only guess I had. I copied the code over into gedit and rewrote each byte as a \x escape:

\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c
\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00
\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c
\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00
\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42
\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89
\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06
\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6
\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89
\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41

I then saved this into a shellcode.c file:

#include <stdio.h>

char shellcode[] =
    "\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c"
    "\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00"
    "\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c"
    "\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00"
    "\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42"
    "\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89"
    "\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06"
    "\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6"
    "\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89"
    "\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41";

int main(void) {
   int *ret;
   /* Classic frame trick: point main's saved return address at the buffer. */
   ret = (int *)&ret + 2;
   (*ret) = (int)shellcode;
   printf("done");
   return 0;
}

Running it simply printed the "done" from printf. This told me that the shellcode was at least not crashing, so it was probably valid shellcode. Looks like my first impression was correct. So I disassembled the shellcode bytes to get a better understanding of them:

0000000000601040 <shellcode>:
  601040: eb 04                 jmp    601046 <shellcode+0x6>
  601042: af                    scas   %es:(%rdi),%eax
  601043: c2 bf a3              retq   $0xa3bf
  601046: 81 ec 00 01 00 00     sub    $0x100,%esp
  60104c: 31 c9                 xor    %ecx,%ecx
  60104e: 88 0c 0c              mov    %cl,(%rsp,%rcx,1)
  601051: fe c1                 inc    %cl
  601053: 75 f9                 jne    60104e <shellcode+0xe>
  601055: 31 c0                 xor    %eax,%eax
  601057: ba ef be ad de        mov    $0xdeadbeef,%edx
  60105c: 02 04 0c              add    (%rsp,%rcx,1),%al
  60105f: 00 d0                 add    %dl,%al
  601061: c1 ca 08              ror    $0x8,%edx
  601064: 8a 1c 0c              mov    (%rsp,%rcx,1),%bl
  601067: 8a 3c 04              mov    (%rsp,%rax,1),%bh
  60106a: 88 1c 04              mov    %bl,(%rsp,%rax,1)
  60106d: 88 3c 0c              mov    %bh,(%rsp,%rcx,1)
  601070: fe c1                 inc    %cl
  601072: 75 e8                 jne    60105c <shellcode+0x1c>
  601074: e9 5c 00 00 00        jmpq   6010d5 <shellcode+0x95>
  601079: 89 e3                 mov    %esp,%ebx
  60107b: 81 c3 04 00 00 00     add    $0x4,%ebx
  601081: 5c                    pop    %rsp
  601082: 58                    pop    %rax
  601083: 3d 41 41 41 41        cmp    $0x41414141,%eax
  601088: 75 43                 jne    6010cd <shellcode+0x8d>
  60108a: 48 3d 42 42 42 42     cmp    $0x42424242,%rax
  601090: 75 3b                 jne    6010cd <shellcode+0x8d>
  601092: 5a                    pop    %rdx
  601093: 89 d1                 mov    %edx,%ecx
  601095: 89 e6                 mov    %esp,%esi
  601097: 89 df                 mov    %ebx,%edi
  601099: 29 cf                 sub    %ecx,%edi
  60109b: f3 a4                 rep movsb %ds:(%rsi),%es:(%rdi)
  60109d: 89 de                 mov    %ebx,%esi
  60109f: 89 d1                 mov    %edx,%ecx
  6010a1: 89 df                 mov    %ebx,%edi
  6010a3: 29 cf                 sub    %ecx,%edi
  6010a5: 31 c0                 xor    %eax,%eax
  6010a7: 31 db                 xor    %ebx,%ebx
  6010a9: 31 d2                 xor    %edx,%edx
  6010ab: fe c0                 inc    %al
  6010ad: 02 1c 06              add    (%rsi,%rax,1),%bl
  6010b0: 8a 14 06              mov    (%rsi,%rax,1),%dl
  6010b3: 8a 34 1e              mov    (%rsi,%rbx,1),%dh
  6010b6: 88 34 06              mov    %dh,(%rsi,%rax,1)
  6010b9: 88 14 1e              mov    %dl,(%rsi,%rbx,1)
  6010bc: 00 f2                 add    %dh,%dl
  6010be: 30 f6                 xor    %dh,%dh
  6010c0: 8a 1c 16              mov    (%rsi,%rdx,1),%bl
  6010c3: 8a 17                 mov    (%rdi),%dl
  6010c5: 30 da                 xor    %bl,%dl
  6010c7: 88 17                 mov    %dl,(%rdi)
  6010c9: 47                    rex.RXB
  6010ca: 49 75 de              rex.WB jne    6010ab <shellcode+0x6b>
  6010cd: 31 db                 xor    %ebx,%ebx
  6010cf: 89 d8                 mov    %ebx,%eax
  6010d1: fe c0                 inc    %al
  6010d3: cd 80                 int    $0x80
  6010d5: 90                    nop
  6010d6: 90                    nop
  6010d7: e8 9d ff ff ff        callq  601079 <shellcode+0x39>
  6010dc: 41                    rex.B
  6010dd: 41                    rex.B
  6010de: 41                    rex.B
  6010df: 41 00 00              add    %al,(%r8)

Definitely legitimate shellcode. The x86 asm gcc spits out is exactly what I wanted to see. Not only that, but do you see the 0xdeadbeef?

Once I knew I was headed in the right direction, I loaded the binary into gdb. I set a breakpoint on the printf line with
break printf
and ran the binary. I looked at the stack frame, traversed the memory and found the strings I suspected were what we were supposed to be looking for. However, they all seemed to be multi-byte characters, and I wasn't able to decipher any of them within the time limit. I had found out about the contest about 2 hours before it was over; it took me about an hour to get to traversing the stack for the strings, and there I got stuck.
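To see what those multi-byte strings are without handing control to the bytes, here is an added Python re-implementation (not the author's code, nor the challenge's own) of the two loops in the disassembly above: the 0xdeadbeef key schedule at 60104e..601072 and the byte-stream loop at 6010ab..6010ca, applied to the base64 block that commenters posted below (a 'BBBB' marker, a length dword, then the ciphertext). It assumes the transcription on this page is byte-exact; the thread reports the plaintext is the GET line for 15b436de1f9107f3778aad525e5d0b20.js.

```python
import base64

# Base64 block posted in the comments below: the data the shellcode expects
# to find right after its own trailing 41 41 41 41 marker.
PAYLOAD_B64 = (
    "QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR"
    "78jKLw=="
)

# Key bytes in the order the schedule loop consumes them: edx starts at
# 0xdeadbeef and is rotated right by 8 bits each round, so dl yields
# ef, be, ad, de, ef, ...
KEY = (0xDEADBEEF).to_bytes(4, "little")  # b"\xef\xbe\xad\xde"


def key_schedule(key: bytes) -> list:
    """Mirror of the loops at 60104e..601072: S[i] = i for 256 entries,
    then j += S[i] + key[i % 4] with a swap, which is the textbook RC4 KSA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def shellcode_keystream(s: list, n: int) -> bytes:
    """Mirror of the loop at 6010ab..6010ca.  It is RC4's output loop except
    that bl, which holds j, is overwritten by the output byte S[t]
    (mov (%rsi,%rdx,1),%bl), so every round starts from j = previous K."""
    s = list(s)  # the loop mutates S; keep the caller's copy intact
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF             # inc %al
        j = (j + s[i]) & 0xFF          # add (%rsi,%rax,1),%bl
        s[i], s[j] = s[j], s[i]        # the two loads and two stores
        t = (s[i] + s[j]) & 0xFF       # add %dh,%dl ; xor %dh,%dh
        k = s[t]                       # mov (%rsi,%rdx,1),%bl
        out.append(k)                  # this byte is xor'ed into (%rdi)
        j = k                          # bl now carries K into the next round
    return bytes(out)


def parse_payload(b64: str):
    """Split the block the way the pops at 601083..601092 consume it:
    a dword marker 'BBBB', a little-endian length dword, then the bytes."""
    raw = base64.b64decode(b64)
    marker = raw[:4]
    length = int.from_bytes(raw[4:8], "little")
    if marker != b"BBBB":
        raise ValueError("missing BBBB marker; the shellcode would exit here")
    return marker, length, raw[8:8 + length]


def decrypt(b64: str, key: bytes = KEY) -> bytes:
    """XOR the ciphertext with the keystream, as the stream loop does in place."""
    _, length, ct = parse_payload(b64)
    ks = shellcode_keystream(key_schedule(key), length)
    return bytes(c ^ k for c, k in zip(ct, ks))


if __name__ == "__main__":
    print(decrypt(PAYLOAD_B64))
```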

Oh well. Maybe next time if I have more time I can get a bit further.

395 comments:

  1. Hi, I took some time on the same challenge myself. Some hints that might help you go further, for a start check the image with something like xnview and you will get a base64 encoded string. With http://pastebin.com/cqzbkw4H and the decoded info from image you will have a url for the second part, that is really interesting. I found myself stuck on the second, you might be able to proceed further.

  2. QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR78jKLw==

  3. there's also a stegoencrypted message in the png file

  4. how the algorithm ?? solution is available this problem very hard

  5. where does the solution STEGO encrypted

  6. I got it!! The Base64 threw me. The answer is...

    GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1

    What do I do with that?

    MikeS

  7. Never mind. I got the next part... :) it was obvious. I was just tired...

    MikeJSS

  8. Well what is it then! ;P

  9. http://www.canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js

  10. Embarrassing - been so long since I took any classes on CPUs. Gonna take a while to write this next part.

    MikeS

  11. Solution to part 2 apparently here

    http://pastebin.com/pJmZYbMy

    Any ideas?

  12. http://www.canyoucrackit.co.uk/QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR78jKLw==

    HMMMM.......

  13. For those that need some help, here's my code run http://ideone.com/XnePp with code from Petter Wahlman and help from Nicolas,

    MikeS

  14. MikeS part 2 solution here .... http://pastebin.com/pJmZYbMy

  15. found a virtual machine here

    http://pastebin.com/kMhhEgqm

  16. Is the keyword "GovernmentMurderingForeignersToSecureLucrativeContractsForCorruptUKBanksAndCorporations"?

  17. That's it! http://pastebin.com/kMhhEgqm

    I had started with http://freesourcecode.wikispaces.com/CPU+emulator+16+bit and may still try and go that route for fun.

    Too tired tonight (it's 4am). Will work on it tomorrow if I have time. I didn't realize how long this puzzle had been running (code was posted Nov 22?). I just found it earlier this morning. Thanks to Petter and Nicolas for some fun...

    MikeS

  18. Anyone know the answer to stage 2?

  19. Anyone have problems with the Python in http://pastebin.com/kMhhEgqm ?

  20. line 72. an index isn't being populated (or an error isn't being handled properly)

  21. Full traceback:


    Traceback (most recent call last):
      File "test.py", line 120, in <module>
        vm=VirtualMachine(mem)
      File "test.py", line 26, in __init__
        self.execute(self.vm_cpu.vm_ip)
      File "test.py", line 72, in execute
        self.vm_cpu.vm_reg[vm_operand1]^=vm_operand2
    IndexError: list index out of range

  22. one of the previous instructions:

    104 jmpe r9,A1

    is it referring to register 9? but that doesn't exist! what am I missing?

  23. Either something's wrong or it should overflow?

  24. 18 jmp r0,10

    shouldn't this have only one operand?

  25. The more I look at this python the more it seems half written

  26. The final instruction of the first block of 256 bytes (jmp r0,10), jumps to the beginning of the second block. But it seems only the first byte of the second block is 'decrypted' (98 has become 32, via xor). The code that follows may be still encrypted, as it is clear it cannot run (invalid opcodes).

    I think something went wrong with the first part of the code. It should have been a loop that decrypted the second block.

  27. I wish I knew where to start =[

  28. that seems like a fair assessment. before the (jmp r0,10) there is (xor r0,r0), which seems like a pointless command.

  29. Can anyone shed more light on the meaning of "QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR78jKLw=="

    I was half tempted to use the png file as the key and the above for the decryption text. Just to see what happened.

  30. it's in base64, once decoded it is used in the first stage to decrypt.

  31. what does a jmpe instruction do?

  32. after the first xor r0,r0, the next command should be:
    jmp r16:r0

    the reference for the jump is jmp r2:r1 but the first operand is r16, which obviously doesn't exist, and the second operand is r0, which got set to 0 in the previous xor... Anyone got any further?

  33. "what does a jmpe instruction do?"

    In the reference, it says:
    // jmpe r1
    // => if (fl == 0) jmp r1
    // else nop

  34. in the second block or the first?

    0x06 | jmpe | r1 | r2:r1

  35. second block (mod 1)

    My modified python for this is:
    #self.vm_cpu.vm_ip=self.vm_cpu.vm_reg[cs]*vm_segment_size+(vm_operand2-self.vm_cpu.vm_reg[cs])*vm_segment_size+self.vm_cpu.vm_reg[vm_operand1]
    self.vm_cpu.vm_ip=self.vm_cpu.vm_reg[vm_operand2]*0x10+self.vm_cpu.vm_reg[vm_operand1]

    But it dies here instead

  36. 0x00, 0x10

    it's mod 0, so shouldn't it be jmp r0, which is 0, so go back to the beginning?

  37. oh, my bad, I misread that. you're right, it goes to r16...

  38. is that how many characters the key word is.... 16?

  39. http://www.telegraph.co.uk/news/uknews/defence/8928088/GCHQ-spy-recruitment-code-solved.html

    It's been solved.

  40. I still think the first part of the code decrypts the second block (as noted above). For that to happen an additional instruction before xor r0,r0 is needed: a jump to 0x04. This can be done with jmp r1. So I put the instruction 0x01 0x00 (jmp r1) before the xor (0x80 0x00). The code is now longer, therefore the jump to 0x14 needs to change to 0x16. (Beginning of second line: 0x30, 0x14 -> 0x30, 0x16)

    Now the code decrypts the second block. It appears the code in the second block does a similar decryption. I am stuck there.

  41. still intrigued though. i'll be interested to see the solution.

    16 is the number of a register that the program says to jump to that doesn't exist...

  42. This was solved in a matter of hours when it was launched on Thursday apparently.

  43. I'm pretty sure line 43 and 44 are incorrect, but I'm not sure on how to correct them. I don't know how the jump works with regards to the code and data segments, but it appears that register 16 is always trying to be used.

  44. Thursday last week it was launched.

  45. Can someone please just post the answer here... it's killing me

  46. This comment has been removed by the author.

  47. Ignore my previous comment!

    AnonLoop: if you unindent line 105 and 106 one space (the instruction only uses one operand when mod 0) it seems to decrypt a lot more blocks :)

    You have to remove your changes to the memory because it calls jmp r1 now

    Seems to break a little when it's done decrypting...

  48. Bit of decryption and we get this in the output from the VM

    GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0

    Rename it to keygen.exe and we get this when we run it (on Windows only)

    keygen.exe

    usage: keygen.exe hostname

    We need to get a hostname from somewhere and I'm guessing the firmware numbers give us something

  49. I'm a software developer and I'm in awe of you guys!

  50. It looks like it needs a licence.txt file too.

  51. Here's some strings from the keygen.exe


    keygen.exe
    usage: keygen.exe hostname
    r
    license.txt
    error: license.txt not found
    %s
    loading stage1 license key(s)...
    loading stage2 license key(s)...
    error: license.txt invalid
    error: gethostbyname() failed
    error: connect("%s") failed
    GET /%s/%x/%x/%x/key.txt HTTP/1.0
    request:
    %s
    error: send() failed
    response:

    quite interesting!

  52. interesting. i wonder where they come from.

    what's the significance of the cpu firmware?

    firmware: [0xd2ab1f05, 0xda13f110]

  53. the whole output is:

    1♦3¬@☻Ç♥R r☺s☺▓P0¶└☺Ç ►►

    2 u♀32@☻Ç♥R r☺s♥▓ ├░ 0←└☺  u►☺ ╠
    }▼§`MMR}♫'m►mZ♠VG¶B♫Â▓▓µÙ┤âÄÎÕÈ┘├­Çò±ééÜ¢òñìÜ+0iJieU∟{i∟n♦t5!&/`♥N7▲3T9µ║┤ó¡ñ┼ò╚┴õèýþÆïÞü­¡ÿñð└ì¼"Re~'+Z↕a

    ☺zk↔gGET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0 7z◄▼↔h%2w▲b#[GUS0◄B÷±▒µ├╠°┼õ╠└Ëà²ÜÒµüÁ╗Î═
    ☻0(5§ §¦ý©Ô¹Ï╦ÏÐïıé┘ܱƽުÍðî¬Êö¤EFg }D¶kEmT♥↨`bUZJfa◄Whu♣b6}☻"B2║Ô╣ÔÍ╣ ├ÚèÅ┴Åß©ñû±Åü▒ìë╠Èxvar>7#Vsqyc◄ iz¶h
    ♣!▲2'YÀ¤½¦ı╠ùô‗þ└Ù Úú┐í½ï╗××îá┴øZ//NN

    Could be some significance from the firmware version in that

  54. After the url something starts with 7z. Might be a 7zipped file ....

  55. coding is both the image itself and the comment below it.

    SD

  56. Hey guys, I still don't get where the bug in the VM is. It's trying to use a register like r9 (which doesn't exist), so the operand which was decrypted was bad. So he read bad memory and decrypted it badly. Where was the bug in this implementation?

  57. My code (only slightly modified): http://pastebin.com/ze9JDtZ2

  58. Keep it simple http://www.canyoucrackit.co.uk/soyoudidit.asp

  59. confirmed:



  60. http://translate.google.co.uk/translate?hl=en&sl=ru&u=http://exelab.ru/f/index.php%3Faction%3Dvthread%26forum%3D7%26topic%3D19240%26page%3D-1&ei=NK3XTqrdD4qX8QOk_cTRDQ&sa=X&oi=translate&ct=result&resnum=1&ved=0CCEQ7gEwAA&prev=/search%3Fq%3D%2522loading%2Bstage1%2Blicense%2Bkey(s)...%2522%26hl%3Den%26biw%3D896%26bih%3D465%26prmd%3Dimvns

    try and make sense of that...

  61. I did a C++ version of the VM which gives you the executable address - it's here if anyone's interested: http://pastebin.com/DQvEfWvt

  62. The Russians seem to be creating the license.txt from scratch, starting apparently with the letters cghq...

  63. and 'cyberwin' which they got through a brute force dictionary attack?

    apparently some of the unused code from the first section goes into it...?

    a little confused.

  64. On a side note, "using a Brutus" sounds pretty homoerotic.

  65. it takes you to the following website:
    www.canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js

  66. Cheers Oracle but we passed that a little while back.

  67. how do you reassemble the idata data bss .. files?

  68. did a C++ version of the VM which gives you the executable address - it's here if anyone's interested: http://pastebin.com/DQvEfWvt

    ^^^^^^^^^^^^^^^^^^^^^

    whoever wrote this, how do you get the url? I've compiled it, it runs fine without errors but I am unsure of where to find the url?

  69. Just dump the contents of the memory and you'll see it. The third part seems much harder, I'm still stuck. :(

  70. MikeS back again

    Part 1: Combine the image OCR and Base64 comment (with the "0A" linefeed) to Ox and x86 execute to get to Part 2
    Part 2: Write a simple CPU emulator and execute Part 2 to get to Part 3
    Part 3: That's where I am now. Wading around in DLLs with the .exe file...

  71. I got the exe working fine, managed to get the licence file written fine but just not sure what to use as the hostname, as canyoucrackit.co.uk returns a 404 error =s

    any suggestions?

  72. 404 comes from a web server. In order to get a 404 you must have connected to a service running on the requested host. Thus, your hostname is likely correct ;)

  73. I had to use the DLLs from http://rghost.net/30201021?r=404, http://www.dlldll.com didn't work

    I'm stuck with the license file...

    MikeS

  74. Did you generate the proper password? There is a crypt() function which checks if the returned string is the same as the SALT. Did anyone do it?

  75. I know what 404 is lol, but that will return on any hostname as it's just performing a get request. the problem is that there's a host somewhere that contains a file called key.txt, that's what the keygen is trying to download, I'm just not sure what host it's stored on. the file tries to download the following url:

    *yourhostname*/hqDTK7b8K2rvw/0/0/0/key.txt

    but it's not on the canyoucrackit.co.uk server

  76. If you append further data to license.txt it varies the numbers in the /0/0/0/ part of the URL so I think the hostname is correct, but there is something more to the license.txt file.

  77. ah I see, that makes sense, I wonder what could be missing from the license file

  78. hqDTK7b8K2rvw <- this is salt and result. pseudocode is:

    x=crypt(,hqDTK7b8K2rvw)
    if (strcmp(x,hqDTK7b8K2rvw))
    auth=1

    the problem is to find x - I'm trying to brute force but I think this is the wrong way...

  79. Did anyone manage to get the license.txt working? Keeps giving "error: license.txt invalid" here.

  80. put this 'gchqcyberwin' in the license file to get it working, however it needs more information appended to it in order to get the correct download directory for the key file, that's what we're trying to figure out

  81. I had a whitespace between the words. That broke the license.txt :(

  82. yeah whitespace breaks it, it says loading stage 1 and stage 2 licences, I wonder if this has anything to do with the first 2 tasks?

  83. I'm still stuck on the license file but for those that are further along, the .exe is going to want to fill this in:

    GET /%s/%x/%x/%x/key.txt

    So you need a string and 3 unsigned hex to find the hidden file...

    MikeS

  84. I wonder if the first 2 stages have anything to do with the license key.

  85. thanks MikeS, the license file requests 16 characters after the 'gchqcyberwin', any more than 16 characters after that gets ignored, as far as I can tell anyway

  86. MikeS again. OK now I got the first part of the license file with your help. Thanks! So now it is down to the 3 unsigned hex, I think.

    C:\Documents and Settings\mikes\Desktop>da75370fe15c4148bd4ceec861fbdaa5.exe canyoucrackit.co.uk

    keygen.exe

    loading stage1 license key(s)...
    loading stage2 license key(s)...

    request:

    GET /hqDTK7b8K2rvw/0/0/0/key.txt HTTP/1.0

    response:

    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=us-ascii
    Server: Microsoft-HTTPAPI/2.0
    Date: Thu, 01 Dec 2011 20:32:05 GMT
    Connection: close
    Content-Length: 315

    [snip some HTML]

  87. yeah the application converts the 16 characters after the 'gchqcygwin' to unsigned hex values, I think it might have something to do with the first and second tasks but I'm not sure how they're linked

  88. that's what we're trying to figure out =D

  89. Anyway it's interesting with whom I'm cooperating ;)

  90. Who cares about that link? We want to solve it ;).

    R.

  91. that's true, I found the link this morning, I've just been trying to solve it all day ;)

  92. How did you solve the gethostbyname() problem? Is this a cygwin library issue?

    $ ./keygen.exe http://www.canyoucrackit.co.uk

    keygen.exe

    loading stage1 license key(s)...
    loading stage2 license key(s)...

    error: gethostbyname() failed

  93. remove the http://www. and it will work fine

  94. You need to have an internet connection stefan.

    greetings,

    R.

  95. Here ya go.

    Pr0t3ct!on#cyber_security@12*12.2011+

  96. How? I see the last numbers are a hexdump from the license.txt. How did you manage to create it properly? :)

  97. so that's the password, but where's the location of the key file? the data to go into the end of the license.txt?

  98. with the way you guys are talking, I'm not sure if there's a keyword that can be entered on that page.. is there?

  99. oh! yeah! there is!! cool!!

  100. but where's the keyfile? and how did you find it?

  101. So how did you solve the rest of the license file?

    R.

  102. That's what I'm wondering. I think it had something to do with the characters that were removed from the first set of values (the content of the image and the png headers) but what was it?

  103. I'm thinking about the second level. There were these unused values:

    firmware: [0xd2ab1f05, 0xda13f110]

    Hm...

  104. I've tried playing with them but with no success rate so far :(

  105. I've been watching you guys this afternoon, quite impressive. Are you self taught or did you study Computer science at Uni?

    N.

  106. MikeS here. I'm stuck but I do see this behavior:

    So for (1) gchqcyberwinDA13F110D2AB1F05

    GET /hqDTK7b8K2rvw/42413244/35304631/33314144/key.txt HTTP/1.0

    and for (2) gchqcyberwinD2AB1F05DA13F110

    GET /hqDTK7b8K2rvw/33314144/30313146/42413244/key.txt HTTP/1.0

    Note %x1 and %x3 are swapped. Any help? Decompile needed maybe, don't have time...

  107. that's strange, they're swapped when the first two strings are swapped, perhaps it converts the first 8 characters for %x1, then the next 8 letters starting from position 4, giving you %x2, then again from position 8 giving you the last 8 characters as %x3, maybe? that's the only way I could think of as giving the first and last the same but reversed and the middle different.

    And N. I am a bit of both, self taught then studied IT Practitioners (software) at college and am now in my first year studying computer security at uni.

  108. Thank you for your response. Best of luck with deciphering the remainder of the code.

    N.

  109. N.
    17 year old computer hobbyist here. Student.
    Self taught.
    I am completely stuck on stage 3, though.

  110. Hi Flex. So that behavior also leads me to believe we're looking for two sets of 8 characters that will blow out to the 3 sets of 8-bit integers in the hidden directory. I only have D2AB1F05 and DA13F110 handy, so I'm sort of stuck in a groove I can't escape.

    MikeS

  111. Stage 3? Still quite an advanced stage in the process. Keep at it, you'll get there.

    N.

  112. There is a buffer overflow bug :D I just exploited it ;P

  113. Hi Mike, that's what I'm thinking but I have the same issue, only those two spare sets of characters but I'm not sure if they are the correct ones. it's the part that says loading stage 1 license key(s) and loading stage 2 license key(s) that intrigues me. I'm wondering if it requires a set of 8 characters from stage one and a set of 8 characters from stage 2 perhaps? the question is, which ones?

  114. I have done RE on the whole binary. There is no other special information. Now our problem is not as technical as before but some trick like in level 1. We dumped the .png file to get the correct pattern. The same trick should be here I think ;)

  115. OMG. Try this

    gchqcyberwin1111111111111111111111111111111111111111111111111111

    and see if you get this

    3 [main] da75370fe15c4148bd4ceec861fbdaa5 1172 exception::handle: Exception: STATUS_ACCESS_VIOLATION
    776 [main] da75370fe15c4148bd4ceec861fbdaa5 1172 open_stackdumpfile: Dumping stack trace to da75370fe15c4148bd4ceec861fbdaa5.exe.stackdump
    125327 [main] da75370fe15c4148bd4ceec861fbdaa5 1172 exception::handle: Exception: STATUS_ACCESS_VIOLATION
    136541 [main] da75370fe15c4148bd4ceec861fbdaa5 1172 exception::handle: Error while dumping state (probably corrupted stack)

    Doesn't happen with 1's replaced with 0's

    MikeS

  116. I told you it has a buffer overflow. Use 'A' instead of numbers ;) Fucking fools ;p

  117. http://www.canyoucrackit.co.uk/soyoudidit.asp ;)

  118. It's 4 bytes from stage 1 and 8 bytes from stage 2

  119. I'm stuck on buffer overflow attack. Not my cup of tea... I'm getting hints as to the algorithm license.text -> args but not much help so far.

    MikeS

  120. probably deadbeef + [0xd2ab1f05, 0xda13f110] but I don't know how to circulate it ;)

  121. There is nothing hidden in that keygen.exe, nor anything that can be used for buffer overflow attack.
    It just reads the txt file, checks first 4 chars, then hash, then uses 3 DWORDs to make GET request.

  122. From what I can see it's just converting the last 12 characters (not 16 as I thought earlier, don't know where I got 16 from) to the hex value (as in the ascii table) but re-arranging them for some reason :s

  123. Memory from stage 2 contains 2 binary blocks that may need further decoding. There are values that weren't used for code.
    ofs 0x132 - 0x1BF and ofs 0x200 to end
    At first I thought the 2nd block is an encrypted 7z zip archive, because it starts with 7z, but it fails to open it.

  124. Yes, I got misled perhaps on the buffer attack.

    a maps to 41 in args
    z maps to 5a in args

    etc.

    But now it's just a guessing game on the characters, not so much fun for the very last step...

    MikeS

  125. lol MikeS... it's just %08X, ASCII to hex mapping, nothing special...
    0xDE 0xAD 0xC0 0xDE => /dec0adde/ in url

  126. Yes, agreed. But now I have to fiddle with the "firmware" and other spare bytes to guess the URL. No idea what the combination is on this lock. Not so much fun as the rest of it...

    MikeS

  127. Except I guess the 7z maybe has to go in there... that's perhaps a clue. Anyone get the rest?

    Mike

  128. http://www.canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js :( there's another part

  129. Hmm - just can't figure out these characters for the license.txt - anyone got there and willing to throw me a few tips?

  130. Some ppl are so stupid... amazing ;)

  131. What is the URL for the key.txt file? :>

  132. why does everybody insist on posting that link? we don't care about the finishing page, we're just trying to figure out how the puzzle is solved ;)

  133. hey guys....
    why complicate your life by yourselves and not go have a bit of fun?
    don't you see the site is developed in asp (grrrr) so it's all bullshit and there is no code behind this stuff....
    no real hacker will ever fall for this shit...
    by the way, if someone wants to know the solution just ask zerolab.eu

  134. that site 'zerolab.eu' doesn't seem very professional, plus the grammar on the homepage is appalling, doesn't seem like my sorta place, sorry.

    But thanks for your help ;)

  135. This is fascinating, you guys are incredible! I found the challenge this morning at work and I got stage 1 to work before I looked online, but stage 2 I got stuck on so looked around and started reading this, and it's WELL over my head! credit to you! hope you get it finished!

  136. Thank you for your kind comments, they are greatly appreciated, and I hope we do too, would be interesting to find out how it works, I bet it's something really basic that we've overlooked ;)

  137. I'm starting to be tired... ;/

  138. 0x804a042 : 0xa3bfc2af

    I think this is the byte from 1 level ... ;)

  139. My head really hurts. If someone cracks send the answer here and how it can be solved.

  140. I'll keep working on it and I'll post if I get any updates ;)

  141. I tried 0xa3bfc2af and the firmware DWORDs backwards and forwards in varying order, but no luck. It's something else.

  142. if this is true:
    "It's 4 bytes from stage 1 and 8 bytes from stage 2"
    probably the other 2 bytes are not from firmware. I would still keep 0xa3bfc2af. Btw. have you tried all possibilities in the order of bytes and where they are placed in the URL ? (mixed) ?

  143. Yes I have. Also tried them backwards and forwards. I'm pretty sure, like you, that the first DWORD is correct and that the other 2 are something else from the VM.

  144. OK, time to put our heads together maybe, and get our hex, ASCII and DWORDs sorted? Are we agreed we are now looking for 12 characters (printable...?) for the remainder of license.txt, and we're trying to map them from the firmware [0xd2ab1f05, 0xda13f110] and/or what else? Just a suggestion to try and move along...

    MikeS

  145. 12 characters, correct, and I read in a Russian forum that it's done using characters from stage one only, but I'm not sure how accurate that is.

  146. I come from a Wintel administrator's background with a lot of VBScript and some VB, VB.NET, PowerShell and limited Visual C#.NET experience, i.e. high level languages.

    I'd love to be able to work through this, but I got stuck at the first hurdle (part 1) as although I know what hex is I've never looked into ASM or low level languages.

    The more of this thread I read, the more it seems to be going over my head. Makes me feel like a right dunce as I used to consider myself quite clever in the Wintel IT field but I'm lost with this ....

    Anyone got any reading / self-training material that would help me crack this myself?

  147. Remember that the exe is "GET /%s/%x/%x/%x/key.txt HTTP/1.0". How does %x print numbers? :)

    BTW, hqDTK7b8K2rvw is there in clear in the .exe file. Just disassemble it, do not try to run it (unlike the other parts)!

  148. Flex: Oh... you're ahead of me then. Time to use Google and Babelfish Russian. Need to break for a bit. I was wondering how to map all those spare hex bytes to 12 ASCII characters...

    MikeS

  149. I wouldn't say ahead, I've just been doing some reading. My brain has turned to mush, I've been staring at the same pieces of code for far too long :(

  150. Hi, I am still getting the:

    error: license.txt not found

    However, I have the text file with that name in the same folder as the keygen.exe. The only way I can get it past that part is if I debug it and NOP the check, which doesn't really help me. Any ideas?

    Bryon

  151. Just copy my structure/naming?

    C:\Documents and Settings\mikes\Desktop>da75370fe15c4148bd4ceec861fbdaa5.exe canyoucrackit.co.uk

    Use the DLLs that I linked to?

    Else stuff like spaces in dir trees etc...

    MikeS

  152. Interesting it won't work via CP. However it is working through my debugger with no modifications. So I guess that will work for now. Trying to figure out the 3 we need now.

    Bryon

  153. Awesome bed time reading and great job guys! Hope you will figure that last part out. Hm, so where is the key.txt..... ;) And people should stop posting that soyoudidit crap here :D

  154. %x prints in hex.
    Did you try adding "hqDTK7b8K2rvw" after the "gchqcyberwin" in the license.txt file?

    S.

  155. FYI ^ I'm from Finland so it's almost 3am here :D

  156. Still no luck :( And yes, we have tried that, with no luck unfortunately, and it's almost 1am here in England ;)

  157. I am stuck on part 3. It took me about 20 mins to do parts 1 and 2, and then the evil part 3 showed its head. You guys have given me some great ideas but so far none have worked. This is killing me.

  158. Just throwing ideas out, but the 7z stands out. Are the two firmware pieces supposed to be decompressed using the 7z algorithm? That would expand it, possibly revealing the third piece?

    Also, I don't understand where the "cyberwin" piece came from, could someone explain? Thanks

  159. Running the .exe on Windows gives me the error

    The program can't start because cygcrypt-0.dll is missing from your computer. Try reinstalling the program to fix this problem.

    What does this mean, and is it any help?

  160. I downloaded the DLLs from http://rghost.net/30201021?r=404

    but I'm still getting this error

    C:\Users\USERNAME\Downloads>keygen.exe canyoucrackit.co.uk

    keygen.exe

    error: license.txt not found

  161. Download these DLLs and put them in the same folder. Run it again.

    http://rghost.net/download/30201021/d0f7bf27aa4264b891ca256c885c026c625bf8ff/fe2aa2b65cae764381d417c9fac5e8443c965338/dlls.rar

  162. "Also, I don't understand where the "cyberwin" piece came from, could someone explain? Thanks"

    I am working on that right now.

    Bryon

  163. If anyone is interested this is my attempt at the VM. http://friendpaste.com/5wW773R1uMVkTdEM8lmd4X

    There is something wrong though: after the jmpe the DS (data segment) is incremented by 12 and therefore falls out of range. Could be a misunderstanding of the jmpe instruction.

    No idea if it's better or worse than the existing one.

  164. Now I get: license2.txt not found

    Heru-ur

  165. The cyberwin is the original text that was used for the 'hqDTK7b8K2rvw' found in the exe; the 'hqDTK7b8K2rvw' is a hash of cyberwin, and the hq is the salt used for the hash (as far as I can tell).

  166. Cracking effort guys. I've gotten as far as Stage 3, but it's had me stumped the last hour! This thing is driving me mad, determined to get/know the solution! Keep up the good work.

    IAB.

  167. I'm also stumped now - been trying different variations of the license.txt (gchqcyberwin + 12 characters) but can't get any useful results - Flex, you got anywhere yet?

  168. Looking at the two Russian pages:
    http://tinyurl.com/76kceg5
    http://tinyurl.com/8axwjxb

    It appears that the cyberwin came from decrypting a hash:
    if crypt (buff +4, 'hqDTK7b8K2rvw') == 'hqDTK7b8K2rvw' ...

    Maybe? The translation is not clear.

  169. The html page displayed in the console by running the exe is different from the html page displayed in my browser by going here: http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/0/0/0/key.txt

  170. Sorry, had a break to make some sandwiches :) And yeah, the cyberwin came from decrypting the hash using rainbow tables, and yes it is correct, because if you notice, changing any portion of the 'gchqcyberwin' renders the license invalid. The additional 12 characters must come from somewhere.

    Quote from the Russian pages:
    'Of course. And I've already written. All bytes are first assignment used in solving the entire Challenge. What are the bytes can be changed in the first task so that it will not affect the receipt of references to the second task? So you get the name of the directory ...'

    This must be some sort of clue? I think he means what are the bytes in the first stage that aren't used? I'm not entirely sure :s

  171. And as for the different results for the application, it probably detects the user agent, and if it's not a recognised web browser it will output a basic message. I used to develop websites and this is a feature many sites use; it makes it more convenient for mobile browsers or text-based requests from small applications such as this one.

  172. This is the part in the keygen that determines if the license is valid:
    00401167 |. 817D C8 676368>CMP DWORD PTR SS:[EBP-38],71686367

    EBP-38 contains the license from your file, and it is comparing it to 71686367.

    Bryon

  173. May or may not be useful. The exe decompiled:

    http://pastebin.com/KZghnNr8

    This is interesting:
    __size32 _impure_ptr = 0x4178;// 4 bytes

    It is used near the bottom.

  174. Strange, comparing 'gchqcyberwin' to 71686367 wouldn't match unless it was hashed or encoded in some way before comparing?

  175. Exactly what I was thinking Flex, but at the moment I see nothing like that. I will have to keep digging.

    Bryon

  176. Perhaps - http://www.unicodemap.org/details/0x4178/index.html ?

    Relates to the: __size32 _impure_ptr = 0x4178;// 4 bytes

  177. http://friendpaste.com/2kkvmGB4yeC7X47omjJeqM

    I know the C version is working already, but this one is now working. The previous version wasn't working because I wasn't using the code segment.

  178. Bryon is on to something for sure. Also, in case it isn't clear, the 71686367h is in hex, not decimal.

    Here is the exe disassembled. Look at line 146.

    http://pastebin.com/NFRx5jC1

  179. And how many server requests would we have to make before the server starts shutting off communications? There are so many combinations you'll never manage to do it before you get booted off the server for using up too much bandwidth :(

  180. The hex line that Bryon mentioned converts to qhcg.
    lol - coincidence?!

  181. The number 71686367 converts to 'qhcg', which is an anagram of gchq. I wonder if that's got something to do with the 12 characters at the end being converted to hex then re-ordered; perhaps it's the same method used here?

  182. And by anagram I mean it's backwards ;)

  183. It's not an anagram, it's just reversed - so maybe they're hinting that we need to reverse what we're trying. Let's focus on what we have 'left' to use:
    deadbeef
    the two firmware codes

    Someone mentioned some unused bytes from part 1??

  184. Read our comments - we tried this combination.

  185. Flex, it is "cghqcyberwin" not "gchqcyberwin"

  186. Hmmm, deadbeef is a classic MAC, as it is one of the better words that can be represented as only hex numbers.
    So given deadbeef as a hex value plus the other 2, we have 12 hex values from 1-255.
    They are too far and wide to be straight ASCII values, but maybe some sort of shift cipher?

    It's also possible that those might be the straight 12 ASCII chars to put into the license file, and the code then does the cipher to export a usable /%x/%x/%x/key.txt URL.

  187. Ok, so it passes the first "check", which, thanks to you guys finding out, is the hex number of their name backwards.

    But if "gchq" is all you have then it fails at the next check, which is a crypt loop that reads in what you have next, which would be the cyberwin, and compares that to a hardcoded string at address 00402040, which is "hqDTK7b8K2rvw". If that check fails then it throws an invalid key. So it seems to be hashing cyberwin into that string.

    Bryon

  188. Using 'cghqcyberwin' instead of 'gchqcyberwin' renders the license invalid and the application terminates :(

  189. "flex, it is "cghqcyberwin" not "gchqcyberwin""

    The correct one is "gchqcyberwin".

    If you look at the hex it is "qhcg", and when they check it, I believe it is read through a loop backwards, i.e. gchq

    Bryon

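As an added illustration of the two points the thread circles around (the CMP against 71686367h and what "%x" does to the DWORDs), here is example code that is not from the blog, the commenters or the keygen itself. It assumes the %s operand of the request line is the crypt hash, as in the key.txt URL quoted above; the sample DWORDs are the values the commenters reported.

```c
/* Added example (not the keygen's own code). Shows why a license text
 * starting with "gchq" matches the immediate 0x71686367 from the CMP at
 * 00401167 (those bytes read as a little-endian DWORD print as "qhcg"),
 * and how "%x" in "GET /%s/%x/%x/%x/key.txt HTTP/1.0" renders DWORDs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LICENSE_MAGIC 0x71686367u   /* immediate quoted in the thread */

/* First 4 bytes of the license as a little-endian DWORD (as a 32-bit
 * x86 CMP DWORD PTR sees them); 0 for input shorter than 4 bytes. */
uint32_t license_prefix_dword(const char *license)
{
    if (strlen(license) < 4)
        return 0;
    return (uint32_t)(unsigned char)license[0]
         | (uint32_t)(unsigned char)license[1] << 8
         | (uint32_t)(unsigned char)license[2] << 16
         | (uint32_t)(unsigned char)license[3] << 24;
}

/* 1 if the text passes the keygen's first check, 0 otherwise. */
int check_license_prefix(const char *license)
{
    return license_prefix_dword(license) == LICENSE_MAGIC;
}

/* The 4 ASCII bytes a DWORD holds, lowest first: 0x71686367 -> "gchq". */
void dword_to_ascii(uint32_t v, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((v >> (8 * i)) & 0xff);
    out[4] = '\0';
}

/* Request line per the keygen's format string. %x prints lowercase hex
 * with no leading zeros. The %s operand is assumed to be the crypt hash,
 * matching the key.txt URL quoted in the thread; DWORDs are constructed
 * sample input taken from the commenters' values. */
int build_request(char *buf, size_t len, const char *hash,
                  uint32_t a, uint32_t b, uint32_t c)
{
    return snprintf(buf, len, "GET /%s/%x/%x/%x/key.txt HTTP/1.0",
                    hash, a, b, c);
}
```

Feeding "cghqcyberwin" to check_license_prefix fails for the same reason the commenter saw the keygen reject it: the first DWORD no longer equals 0x71686367.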