I got close, but my skills aren't up to par. Here is as far as I got. They give you the following code:
eb 04 af c2 bf a3 81 ec 00 01 00 00 31 c9 88 0c 0c fe c1 75 f9 31 c0 ba ef be ad de 02 04 0c 00 d0 c1 ca 08 8a 1c 0c 8a 3c 04 88 1c 04 88 3c 0c fe c1 75 e8 e9 5c 00 00 00 89 e3 81 c3 04 00 00 00 5c 58 3d 41 41 41 41 75 43 48 3d 42 42 42 42 75 3b 5a 89 d1 89 e6 89 df 29 cf f3 a4 89 de 89 d1 89 df 29 cf 31 c0 31 db 31 d2 fe c0 02 1c 06 8a 14 06 8a 34 1e 88 34 06 88 14 1e 00 f2 30 f6 8a 1c 16 8a 17 30 da 88 17 47 49 75 de 31 db 89 d8 fe c0 cd 80 90 90 e8 9d ff ff ff 41 41 41 41
What jumps out at me first are the nops (90 90) in the last line. My mind automagically tells me this is shellcode. I wasn't 100% sure, but it was the only guess I had. I copied the code over into gedit, and made the following adjustments.
\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c \x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00 \xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c \xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00 \x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42 \x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89 \xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06 \x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6 \x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89 \xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41
I then saved this into a shellcode.c file:
#include <stdio.h>

/* The stage-1 bytes from the image, as one C string. */
char shellcode[] = "\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41";

int main(void)
{
    int *ret;

    /* Classic test harness: treat the saved return address as sitting two
       ints above the local variable and point it at the shellcode buffer.
       (The offset assumes a 32-bit stack frame layout.) */
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
    printf("done");
    return 0;
}
Running it simply returned the "done" being printed by printf. This told me that the shellcode was at least not crashing, so it was probably valid shellcode. Looks like my first impression was correct. So I jumped to the asm that the shellcode produced to get a better understanding of it:
0000000000601040:
  601040: eb 04                   jmp    601046
  601042: af                      scas   %es:(%rdi),%eax
  601043: c2 bf a3                retq   $0xa3bf
  601046: 81 ec 00 01 00 00       sub    $0x100,%esp
  60104c: 31 c9                   xor    %ecx,%ecx
  60104e: 88 0c 0c                mov    %cl,(%rsp,%rcx,1)
  601051: fe c1                   inc    %cl
  601053: 75 f9                   jne    60104e
  601055: 31 c0                   xor    %eax,%eax
  601057: ba ef be ad de          mov    $0xdeadbeef,%edx
  60105c: 02 04 0c                add    (%rsp,%rcx,1),%al
  60105f: 00 d0                   add    %dl,%al
  601061: c1 ca 08                ror    $0x8,%edx
  601064: 8a 1c 0c                mov    (%rsp,%rcx,1),%bl
  601067: 8a 3c 04                mov    (%rsp,%rax,1),%bh
  60106a: 88 1c 04                mov    %bl,(%rsp,%rax,1)
  60106d: 88 3c 0c                mov    %bh,(%rsp,%rcx,1)
  601070: fe c1                   inc    %cl
  601072: 75 e8                   jne    60105c
  601074: e9 5c 00 00 00          jmpq   6010d5
  601079: 89 e3                   mov    %esp,%ebx
  60107b: 81 c3 04 00 00 00       add    $0x4,%ebx
  601081: 5c                      pop    %rsp
  601082: 58                      pop    %rax
  601083: 3d 41 41 41 41          cmp    $0x41414141,%eax
  601088: 75 43                   jne    6010cd
  60108a: 48 3d 42 42 42 42       cmp    $0x42424242,%rax
  601090: 75 3b                   jne    6010cd
  601092: 5a                      pop    %rdx
  601093: 89 d1                   mov    %edx,%ecx
  601095: 89 e6                   mov    %esp,%esi
  601097: 89 df                   mov    %ebx,%edi
  601099: 29 cf                   sub    %ecx,%edi
  60109b: f3 a4                   rep movsb %ds:(%rsi),%es:(%rdi)
  60109d: 89 de                   mov    %ebx,%esi
  60109f: 89 d1                   mov    %edx,%ecx
  6010a1: 89 df                   mov    %ebx,%edi
  6010a3: 29 cf                   sub    %ecx,%edi
  6010a5: 31 c0                   xor    %eax,%eax
  6010a7: 31 db                   xor    %ebx,%ebx
  6010a9: 31 d2                   xor    %edx,%edx
  6010ab: fe c0                   inc    %al
  6010ad: 02 1c 06                add    (%rsi,%rax,1),%bl
  6010b0: 8a 14 06                mov    (%rsi,%rax,1),%dl
  6010b3: 8a 34 1e                mov    (%rsi,%rbx,1),%dh
  6010b6: 88 34 06                mov    %dh,(%rsi,%rax,1)
  6010b9: 88 14 1e                mov    %dl,(%rsi,%rbx,1)
  6010bc: 00 f2                   add    %dh,%dl
  6010be: 30 f6                   xor    %dh,%dh
  6010c0: 8a 1c 16                mov    (%rsi,%rdx,1),%bl
  6010c3: 8a 17                   mov    (%rdi),%dl
  6010c5: 30 da                   xor    %bl,%dl
  6010c7: 88 17                   mov    %dl,(%rdi)
  6010c9: 47                      rex.RXB
  6010ca: 49 75 de                rex.WB jne 6010ab
  6010cd: 31 db                   xor    %ebx,%ebx
  6010cf: 89 d8                   mov    %ebx,%eax
  6010d1: fe c0                   inc    %al
  6010d3: cd 80                   int    $0x80
  6010d5: 90                      nop
  6010d6: 90                      nop
  6010d7: e8 9d ff ff ff          callq  601079
  6010dc: 41                      rex.B
  6010dd: 41                      rex.B
  6010de: 41                      rex.B
  6010df: 41 00 00                add    %al,(%r8)
Definitely legitimate shellcode. The x86 asm gcc spits out is exactly what I wanted to see. Not only that, but do you see the 0xdeadbeef?
Once I knew I was in the right direction, I loaded the binary into gdb. I threw a breakpoint on the printf line with
break printf and ran the binary. I looked at the stack frame, traversed through the memory and found the strings I suspected were what we were supposed to be looking for. However, they seemed to be all multi-byte characters. I wasn't able to decipher any of them within the time limit. I had found out about the contest about 2 hours before it was over. This took me about an hour to get to traversing the stack for the strings, and I got stuck.
Oh well. Maybe next time if I have more time I can get a bit further.
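An added Python transcription of the decoder in the listing (my reading of it, not code from the post): 60104c-601072 is an RC4-style key schedule over the little-endian bytes of 0xdeadbeef, and 6010ab-6010ca xors a keystream over the copied buffer, with the quirk at 6010c0 that the keystream byte lands in bl, the j register, so each round starts from the previous keystream byte rather than from j. It assumes the data after the 41414141 marker is the base64 comment quoted further down the thread (BBBB marker, dword length, then ciphertext).

```python
import base64
import struct

# The shellcode loads edx with 0xdeadbeef and rotates it right by 8 bits
# each round, so key bytes are consumed in little-endian order: ef be ad de.
KEY = struct.pack("<I", 0xDEADBEEF)

# Base64 comment attached to the PNG, as quoted further down the thread
# (its two lines joined here).  Assumed to be the stage-1 payload.
STAGE1_COMMENT_B64 = (
    "QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR"
    "78jKLw=="
)


def key_schedule(key):
    """S-box setup at 60104c-601072: S[i] = i, then j += S[i] + key[i % 4], swap."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def keystream_xor(s, data):
    """Loop at 6010ab-6010ca: al is i, bl is j, edi walks the buffer.

    After the swap, dl = S[i] + S[j] and bl is loaded with S[dl], the
    keystream byte.  Because that load overwrites bl, the next round's
    'add bl, [esi+eax]' starts from the keystream byte, not from j.
    """
    s = list(s)                        # the shellcode mutates S in place
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF             # inc al
        j = (j + s[i]) & 0xFF          # add bl, [esi+eax]
        s[i], s[j] = s[j], s[i]        # swap through dl/dh
        k = s[(s[i] + s[j]) & 0xFF]    # mov bl, [esi+edx]
        j = k                          # bl now holds the keystream byte
        out.append(byte ^ k)           # xor [edi], bl
    return bytes(out)


def parse_payload(blob):
    """Checks at 601083-601092: 'BBBB' marker, then a dword byte count."""
    if blob[:4] != b"BBBB":
        raise ValueError("missing BBBB marker")
    (length,) = struct.unpack("<I", blob[4:8])
    body = blob[8:8 + length]          # rep movsb copies exactly this many bytes
    if len(body) != length:
        raise ValueError("truncated payload")
    return length, body


def decode_stage1(comment_b64=STAGE1_COMMENT_B64, key=KEY):
    """Run the whole routine over the comment and return the decrypted bytes."""
    _, body = parse_payload(base64.b64decode(comment_b64))
    return keystream_xor(key_schedule(key), body)


if __name__ == "__main__":
    print(decode_stage1())
```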
Hi, I took some time on the same challenge myself. Some hints that might help you go further: for a start, check the image with something like xnview and you will get a base64 encoded string. With http://pastebin.com/cqzbkw4H and the decoded info from the image you will have a url for the second part, which is really interesting. I found myself stuck on the second; you might be able to proceed further.
QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR
78jKLw==
there's also a stegoencrypted message in the png file
how does the algorithm work?? is a solution available? this problem is very hard
where is the STEGO encrypted solution?
I got it!! The Base64 threw me. The answer is...
GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1
What do I do with that?
MikeS
Never mind. I got the next part... :) it was obvious. I was just tired...
MikeJSS
Got it
Well what is it then! ;P
http://www.canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js
Embarrassing - been so long since I took any classes on CPUs. Gonna take a while to write this next part.
MikeS
Solution to part 2 apparently here
http://pastebin.com/pJmZYbMy
Any ideas?
http://www.canyoucrackit.co.uk/QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR78jKLw==
HMMMM.......
For those that need some help, here's my code run http://ideone.com/XnePp with code from Petter Wahlman and help from Nicolas.
MikeS
MikeS part 2 solution here .... http://pastebin.com/pJmZYbMy
found a virtual machine here
http://pastebin.com/kMhhEgqm
Is the keyword "GovernmentMurderingForeignersToSecureLucrativeContractsForCorruptUKBanksAndCorporations"?
That's it! http://pastebin.com/kMhhEgqm
I had started with http://freesourcecode.wikispaces.com/CPU+emulator+16+bit and may still try and go that route for fun.
Too tired tonight (it's 4am). Will work on it tomorrow if I have time. I didn't realize how long this puzzle had been running (code was posted Nov 22?). I just found it earlier this morning. Thanks to Petter and Nicolas for some fun...
MikeS
Anyone know the answer to stage 2?
Anyone have problems with the Python in http://pastebin.com/kMhhEgqm ?
line 72. an index isn't being populated (or an error isn't being handled properly)
Full traceback:
Traceback (most recent call last):
  File "test.py", line 120, in <module>
    vm=VirtualMachine(mem)
  File "test.py", line 26, in __init__
    self.execute(self.vm_cpu.vm_ip)
  File "test.py", line 72, in execute
    self.vm_cpu.vm_reg[vm_operand1]^=vm_operand2
IndexError: list index out of range
one of the previous instructions:
104 jmpe r9,A1
is it referring to register 9? but that doesn't exist! what am i missing?
Either something's wrong or it should overflow?
18 jmp r0,10
shouldn't this have only one operand?
The more I look at this python the more it seems half written
The final instruction of the first block of 256 bytes (jmp r0,10) jumps to the beginning of the second block. But it seems only the first byte of the second block is 'decrypted' (98 has become 32, via xor). The code that follows may be still encrypted, as it is clear it cannot run (invalid opcodes).
I think something went wrong with the first part of the code. It should have been a loop that decrypted the second block.
I wish I knew where to start =[
that seems like a fair assessment. before the (jmp r0,10) there is (xor r0,r0), which seems like a pointless command.
Can anyone shed more light on the meaning of "QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR
78jKLw=="
I was half tempted to use the png file as the key and the above for the decryption text. Just to see what happened.
it's in base64, once decoded it is used in the first stage to decrypt.
what does a jmpe instruction do?
after the first xor r0,r0, the next command should be:
jmp` r16:r0
the reference for the jump is jmp r2:r1 but the first operand is r16, which obviously doesn't exist, and the second operand is r0, which got set to 0 in the previous xor... Anyone got any further?
"what does a jmpe instruction do?"
In the reference, it says:
// jmpe r1
// => if (fl == 0) jmp r1
// else nop
in the second block or the first?
0x06 | jmpe | r1 | r2:r1
second block (mod 1)
My modified python for this is:
#self.vm_cpu.vm_ip=self.vm_cpu.vm_reg[cs]*vm_segment_size+(vm_operand2-self.vm_cpu.vm_reg[cs])*vm_segment_size+self.vm_cpu.vm_reg[vm_operand1]
self.vm_cpu.vm_ip=self.vm_cpu.vm_reg[vm_operand2]*0x10+self.vm_cpu.vm_reg[vm_operand1]
But it dies here instead
0x00, 0x10
it's mod 0, so shouldn't it be jmp r0, which is 0, so go back to the beginning?
oh, my bad, i misread that. you're right, it goes to r16...
is that how many characters the key word is.... 16?
http://www.telegraph.co.uk/news/uknews/defence/8928088/GCHQ-spy-recruitment-code-solved.html
It's been solved.
I still think the first part of the code decrypts the second block (as noted above). For that to happen an additional instruction before xor r0,r0 is needed: a jump to 0x04. This can be done with jmp r1. So I put the instruction 0x01 0x00 (jmp r1) before the xor (0x80 0x00). The code is now longer, therefore the jump to 0x14 needs to change to 0x16. (Begin second line: 0x30, 0x14 -> 0x30, 0x16)
Now the code decrypts the second block. It appears the code in the second block does a similar decryption. I am stuck there.
still intrigued though. i'll be interested to see the solution.
16 is the number of a register that the program says to jump to that doesn't exist...
This was solved in a matter of hours when it was launched on Thursday apparently.
that's today
I'm pretty sure lines 43 and 44 are incorrect, but I'm not sure how to correct them. I don't know how the jump works with regards to the code and data segments, but it appears that register 16 is always trying to be used.
Thursday last week it was launched.
Can someone please just post the answer here... it's killing me
Ignore my previous comment!
AnonLoop: if you unindent lines 105 and 106 one space (the instruction only uses one operand when mod 0) it seems to decrypt a lot more blocks :)
You have to remove your changes to the memory because it calls jmp r1 now
Seems to break a little when it's done decrypting...
Bit of decryption and we get this in the output from the VM
GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0
Rename it to keygen.exe and we get this when we run it (on Windows only)
keygen.exe
usage: keygen.exe hostname
We need to get a hostname from somewhere and I'm guessing the firmware numbers give us something
nice work, mike
I'm a software developer and I'm in awe of you guys!
It looks like it needs a licence.txt file too.
Here's some strings from the keygen.exe
keygen.exe
usage: keygen.exe hostname
r
license.txt
error: license.txt not found
%s
loading stage1 license key(s)...
loading stage2 license key(s)...
error: license.txt invalid
error: gethostbyname() failed
error: connect("%s") failed
GET /%s/%x/%x/%x/key.txt HTTP/1.0
request:
%s
error: send() failed
response:
quite interesting!
interesting. i wonder where they come from.
what's the significance of the cpu firmware?
firmware: [0xd2ab1f05, 0xda13f110]
the whole output is:
1♦3¬@☻Ç♥R r☺s☺▓P0¶└☺Ç ►►
2 u♀32@☻Ç♥R r☺s♥▓ ├░ 0←└☺ u►☺ ╠
}▼§`MMR}♫'m►mZ♠VG¶B♫Â▓▓µÙ┤âÄÎÕÈ┘├Çò±ééÜ¢òñìÜ+0iJieU∟{i∟n♦t5!&/`♥N7▲3T9µ║┤ó¡ñ┼ò╚┴õèýþÆïÞü¡ÿñð└ì¼"Re~'+Z↕a
☺zk↔gGET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0 7z◄▼↔h%2w▲b#[GUS0◄B÷±▒µ├╠°┼õ╠└Ëà²ÜÒµüÁ╗Î═
☻0(5§ §¦ý©Ô¹Ï╦ÏÐïıé┘ܱƽުÍðî¬Êö¤EFg }D¶kEmT♥↨`bUZJfa◄Whu♣b6}☻"B2║Ô╣ÔÍ╣ ├ÚèÅ┴Åß©ñû±Åü▒ìë╠Èxvar>7#Vsqyc◄ iz¶h
♣!▲2'YÀ¤½¦ı╠ùô‗þ└Ù Úú┐í½ï╗××îá┴øZ//NN
Could be some significance from the firmware version in that
needs cygwin
After the url something starts with 7z. Might be a 7zipped file ....
coding is both the image itself and the comment below it.
SD
Hey guys, I still don't get where the bug in the VM is? It's trying to use a register like r9 (which doesn't exist), so the operand which was decrypted was bad. So it read bad memory and decrypted it badly. Where was the bug in this implementation?
My code (only slightly modified): http://pastebin.com/ze9JDtZ2
Keep it simple http://www.canyoucrackit.co.uk/soyoudidit.asp
confirmed:
http://translate.google.co.uk/translate?hl=en&sl=ru&u=http://exelab.ru/f/index.php%3Faction%3Dvthread%26forum%3D7%26topic%3D19240%26page%3D-1&ei=NK3XTqrdD4qX8QOk_cTRDQ&sa=X&oi=translate&ct=result&resnum=1&ved=0CCEQ7gEwAA&prev=/search%3Fq%3D%2522loading%2Bstage1%2Blicense%2Bkey(s)...%2522%26hl%3Den%26biw%3D896%26bih%3D465%26prmd%3Dimvns
try and make sense of that...
I did a C++ version of the VM which gives you the executable address - it's here if anyone's interested: http://pastebin.com/DQvEfWvt
The Russians seem to be creating the license.txt from scratch, starting apparently with the letters cghq...
and 'cyberwin' which they got through a brute force dictionary attack?
apparently some of the unused code from the first section goes into it...?
a little confused.
On a side note, "using a Brutus" sounds pretty homoerotic.
it takes you to the following website:
www.canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js
Cheers Oracle but we passed that a little while back.
how do you reassemble the idata data bss .. files?
Goddammit
did a C++ version of the VM which gives you the executable address - it's here if anyone's interested: http://pastebin.com/DQvEfWvt
^^^^^^^^^^^^^^^^^^^^^
whoever wrote this, how do you get the url? I've compiled it, it runs fine without errors but I am unsure of where to find the url?
Just dump the contents of the memory and you'll see it. The third part seems much harder, I'm still stuck. :(
MikeS back again
Part 1: Combine the image OCR and Base64 comment (with the "0A" linefeed) to 0x and x86 execute to get to Part 2
Part 2: Write a simple CPU emulator and execute Part 2 to get to Part 3
Part 3: That's where I am now. Wading around in DLLs with the .exe file...
i got the exe working fine, managed to get the licence file written fine but just not sure what to use as the hostname, as canyoucrackit.co.uk returns a 404 error =s
any suggestions?
404 comes from a web server. In order to get a 404 you must have connected to a service running on the requested host. Thus, your hostname is likely correct ;)
I had to use the DLLs from http://rghost.net/30201021?r=404, http://www.dlldll.com didn't work
I'm stuck with the license file...
MikeS
Did you generate the proper password? There is a crypt() function which checks if the return string is the same as SALT. Did anyone do it?
i know what 404 is lol, but that will return on any hostname as it's just performing a get request; the problem is that there's a host somewhere that contains a file called key.txt, that's what the keygen is trying to download, i'm just not sure what host it's stored on. the file tries to download the following url:
*yourhostname*/hqDTK7b8K2rvw/0/0/0/key.txt
but it's not on the canyoucrackit.co.uk server
If you append further data to license.txt it varies the numbers in the /0/0/0/ part of the URL so I think the hostname is correct, but there is something more to the license.txt file.
ah i see, that makes sense, i wonder what could be missing from the license file
hqDTK7b8K2rvw <- this is the salt and result. pseudocode is:
x = crypt(password, "hqDTK7b8K2rvw");   /* password is the unknown input */
if (strcmp(x, "hqDTK7b8K2rvw") == 0)     /* strcmp returns 0 on a match */
    auth = 1;
the problem is to find x - i'm trying to brute force but i think this is the wrong way...
Did anyone manage to get the license.txt working? Keeps giving "error: license.txt invalid" here.
put 'gchqcyberwin' in the license file to get it working, however it needs more information appended to it in order to get the correct download directory for the key file, that's what we're trying to figure out
I had a whitespace between the words. That broke the license.txt :(
yeah whitespace breaks it, it says loading stage 1 and stage 2 licences, i wonder if this has anything to do with the first 2 tasks?
I'm still stuck on the license file but for those that are further along, the .exe is going to want to fill this in:
GET /%s/%x/%x/%x/key.txt
So you need a string and 3 unsigned hex to find the hidden file...
MikeS
I wonder if the first 2 stages have anything to do with the license key.
thanks MikeS, the license file requests 16 characters after the 'gchqcyberwin'; any more than 16 characters after that get ignored, as far as i can tell anyway
MikeS again. OK now I got the first part of the license file with your help. Thanks! So now it is down to the 3 unsigned hex, I think.
C:\Documents and Settings\mikes\Desktop>da75370fe15c4148bd4ceec861fbdaa5.exe canyoucrackit.co.uk
keygen.exe
loading stage1 license key(s)...
loading stage2 license key(s)...
request:
GET /hqDTK7b8K2rvw/0/0/0/key.txt HTTP/1.0
response:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 01 Dec 2011 20:32:05 GMT
Connection: close
Content-Length: 315
[snip some HTML]
yeah the application converts the 16 characters after the 'gchqcygwin' to unsigned hex values, i think it might have something to do with the first and second tasks but i'm not sure how they're linked
Anyone got the keyword?
that's what we're trying to figure out =D
Anyway it's interesting with whom I'm cooperating ;)
Who cares about that link? We want to solve it ;).
R.
that's true, i found the link this morning, i've just been trying to solve it all day ;)
How did you solve the gethostbyname() problem? Is this a cygwin library issue?
$ ./keygen.exe http://www.canyoucrackit.co.uk
keygen.exe
loading stage1 license key(s)...
loading stage2 license key(s)...
error: gethostbyname() failed
remove the http://www. and it will work fine
You need to have an internet connection stefan.
greetings,
R.
Remove http://
Here ya go.
Pr0t3ct!on#cyber_security@12*12.2011+
How? i see the last numbers are a hexdump from the license.txt. How did you manage to create it properly? :)
so that's the password, but where's the location of the key file? the data to go into the end of the license.txt?
with the way you guys are talking, i'm not sure if there's a keyword that can be entered on that page.. is there?
oh! yeah! there is!! cool!!
but where's the keyfile? and how did you find it?
So how did you solve the rest of the license file?
R.
That's what i'm wondering? i think it had something to do with the characters that were removed from the first set of values (the content of the image and the png headers) but what was it?
I'm thinking about the second level. These values were unused:
firmware: [0xd2ab1f05, 0xda13f110]
Hm...
i've tried playing with them but with no success rate so far :(
I've been watching you guys this afternoon, quite impressive. Are you self taught or did you study Computer science at Uni?
N.
MikeS here. I'm stuck but I do see this behavior:
So for (1) gchqcyberwinDA13F110D2AB1F05
GET /hqDTK7b8K2rvw/42413244/35304631/33314144/key.txt HTTP/1.0
and for (2) gchqcyberwinD2AB1F05DA13F110
GET /hqDTK7b8K2rvw/33314144/30313146/42413244/key.txt HTTP/1.0
Note %x1 and %x3 are swapped. Any help? Decompile needed maybe, don't have time...
that's strange, they're swapped when the first two strings are swapped, perhaps it converts the first 8 characters for %x1, then the next 8 letters starting from position 4, giving you %x2, then again from position 8 giving you the last 8 characters as %x3, maybe? that's the only way i could think of as giving the first and last the same but reversed and the middle different.
And N. i am a bit of both, self taught then studied IT Practitioners (software) at college and am now in my first year studying computer security at uni.
Thank you for your response. Best of luck with deciphering the remainder of the code.
N.
N.
17 year old computer hobbyist here. Student.
Self taught.
I am completely stuck on stage 3, though.
Hi Flex. So that behavior also leads me to believe we're looking for two sets of 8 characters that will blow out to the 3 sets of 8-bit integers in the hidden directory. I only have D2AB1F05 and DA13F110 handy, so I'm sort of stuck in a groove I can't escape.
MikeS
Stage 3? Still quite an advanced stage in the process. Keep at it, you'll get there.
N.
There is a buffer overflow bug :D I just exploited it ;P
WTF?
Hi Mike, that's what i'm thinking but i have the same issue, only those two spare sets of characters but i'm not sure if they are the correct ones, it's the part that says loading stage 1 license key(s) and loading stage 2 license key(s) that intrigues me; i'm wondering if it requires a set of 8 characters from stage one and a set of 8 characters from stage 2 perhaps? the question is, which ones?
I have done RE of the whole binary. There is no other special information. Now our problem is not as technical as before but some trick like in level 1. We dumped the .png file to get the correct pattern. The same trick should be here i think ;)
OMG. Try this
gchqcyberwin1111111111111111111111111111111111111111111111111111
and see if you get this
3 [main] da75370fe15c4148bd4ceec861fbdaa5 1172 exception::handle: Exception: STATUS_ACCESS_VIOLATION
776 [main] da75370fe15c4148bd4ceec861fbdaa5 1172 open_stackdumpfile: Dumping stack trace to da75370fe15c4148bd4ceec861fbdaa5.exe.stackdump
125327 [main] da75370fe15c4148bd4ceec861fbdaa5 1172 exception::handle: Exception: STATUS_ACCESS_VIOLATION
136541 [main] da75370fe15c4148bd4ceec861fbdaa5 1172 exception::handle: Error while dumping state (probably corrupted stack)
Doesn't happen with 1's replaced with 0's
MikeS
I told you it has a buffer overflow. Use 'A' instead of numbers ;) Damn fools ;p
Eh, speak up, goddammit!
http://www.canyoucrackit.co.uk/soyoudidit.asp ;)
It's 4 bytes from stage 1 and 8 bytes from stage 2
So?
I'm stuck on the buffer overflow attack. Not my cup of tea... I'm getting hints as to the algorithm license.txt -> args but not much help so far.
MikeS
probably deadbeef + [0xd2ab1f05, 0xda13f110] but i don't know how to circulate it ;)
There is nothing hidden in that keygen.exe, nor anything that can be used for a buffer overflow attack.
It just reads the txt file, checks the first 4 chars, then the hash, then uses 3 DWORDs to make the GET request.
From what i can see it's just converting the last 12 characters (not 16 as i thought earlier, don't know where i got 16 from) to the hex value (as in the ascii table) but re-arranging them for some reason :s
Memory from stage 2 contains 2 binary blocks that may need further decoding. There are values that weren't used for code.
ofs 0x132 - 0x1BF and ofs 0x200 to end
At first I thought the 2nd block is an encrypted 7z zip archive, because it starts with 7z, but it fails to open it.
Yes, I got misled perhaps on the buffer attack.
a maps to 41 in args
z maps to 5a in args
etc.
But now it's just a guessing game on the characters, not so much fun for the very last step...
MikeS
lol MikeS... it's just %08X, ASCII to hex mapping, nothing special...
0xDE 0xAD 0xC0 0xDE => /dec0adde/ in url
Yes, agreed. But now I have to fiddle with the "firmware" and other spare bytes to guess the URL. No idea what the combination is on this lock. Not so much fun as the rest of it...
MikeS
dec 0
add 0x0E
Except I guess the 7z maybe has to go in there... that's perhaps a clue. Anyone get the rest?
Mike
http://www.canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js :( there's another part
Hmm - just can't figure out these characters for the license.txt - anyone got there and willing to throw me a few tips?
Some ppl are so stupid... amazing ;)
What is the URL for the key.txt file? :>
why does everybody insist on posting that link? we don't care about the finishing page, we're just trying to figure out how the puzzle is solved ;)
hey guys....
why do you complicate your life by yourself and don't go and have a bit of fun?
don't you see the site is developed in asp (grrrr) so all is bullshit and there is no code behind this stuff....
no real hacker will ever fall into this shit...
by the way, if someone wants to know the solution just ask zerolab.eu
that site 'zerolab.eu' doesn't seem very professional, plus the grammar on the homepage is appalling, doesn't seem like my sort of place, sorry.
But thanks for your help ;)
This is fascinating, you guys are incredible! I found the challenge this morning at work and I got stage 1 to work before I looked online, but stage 2 i got stuck on so looked around and started reading this, and it's WELL over my head! credit to you! hope you get it finished!
Thank you for your kind comments, they are greatly appreciated, and i hope we do too, would be interesting to find out how it works, i bet it's something really basic that we've overlooked ;)
I'm starting to be tired... ;/
0x804a042 : 0xa3bfc2af
I think this is the byte from level 1 ... ;)
My head really hurts. If someone cracks it send the answer here and how it can be solved.
I'll keep working on it and i'll post if i get any updates ;)
I tried 0xa3bfc2af and the firmware DWORDs backwards and forwards in varying order, but no luck. It's something else.
if this is true:
"It's 4 bytes from stage 1 and 8 bytes from stage 2"
probably the other 2 bytes are not from firmware. I would still keep 0xa3bfc2af. Btw. have you tried all possibilities in the order of bytes and where they are placed in the URL (mixed)?
Yes I have. Also tried them backwards and forwards. I'm pretty sure, like you, that the first DWORD is correct and that the other 2 are something else from the VM.
OK, time to put heads together maybe? and get our Hex, ASCII, DWORDs sorted? Are we agreed we are now looking for 12 characters (printable...?) for the remainder of license.txt and we're trying to map them from firmware: [0xd2ab1f05, 0xda13f110] and/or what else? Just a suggestion to try and move along...
MikeS
12 characters correct, and i read in a russian forum that it's done using characters from stage one only, but i'm not sure how accurate that is.
I come from a Wintel administrator's background with a lot of VBScript and some VB, VB.NET, Powershell and limited Visual C#.NET experience, i.e. high level languages.
I'd love to be able to work through this, but I got stuck at the first hurdle (part 1) as although I know what hex is I've never looked into ASM or low level languages.
The more of this thread I read, the more it seems to be going over my head. Makes me feel like a right dunce as I used to consider myself quite clever in the Wintel IT field but I'm lost with this ....
Anyone got any reading / self-training material that would help me crack this myself?
Remember that the exe is "GET /%s/%x/%x/%x/key.txt HTTP/1.0". How does %x print numbers? :)
BTW, hqDTK7b8K2rvw is there in clear in the .exe file. Just disassemble it, do not try to run it (unlike the other parts)!
Flex: Oh... you're ahead of me then. Time to use Google and Babelfish Russian. Need to break for a bit. I was wondering how to map all those spare hex bytes to 12 ASCII characters...
MikeS
i wouldn't say ahead, i've just been doing some reading, my brain has turned to mush, i've been staring at the same pieces of code for far too long :(
Hi, I am still getting the:
error: license.txt not found
However I have the text file with that name in the same folder as the keygen.exe; the only way I can get it past that part is if I debug it and NOP the check. Which doesn't really help me. Any ideas?
Bryon
Just copy my structure/naming?
C:\Documents and Settings\mikes\Desktop>da75370fe15c4148bd4ceec861fbdaa5.exe canyoucrackit.co.uk
Use the dll's that I linked to?
Else stuff like spaces in dir trees etc...
MikeS
Interesting it won't work via CP. However it is working through my debugger with no modifications. So I guess that will work for now. Trying to figure out the 3 we need now.
ReplyDeleteBryon
Awesome bed time reading and great job guys! hope you will figure that last part out. hm so where is the key.txt..... ;) and people should stop posting that soyoudidit crap here :D
ReplyDelete%x prints in hex
ReplyDeleteDid you try adding "hqDTK7b8K2rvw" after the "gchqcyberwin" in the license,txt file?
S.
fyi ^ im from Finland so its almost 3am here :D
ReplyDeletestill no luck :( and yes we have tried that with no luck, unfortunately, and its almost 1am here in england ;)
ReplyDeleteI am stuck on part 3, it took me about 20 mins to part 1 and 2 and the evil part 3 showed its head. you guys have given me some great ideas but so far none have worked. this is killing me.
ReplyDeletejust throwing ideas out, but the 7z stands out. Are the two firmware pieces supposed to be decompressed using the 7z algorithm? That would expand it, possibly revealing the third piece?
ReplyDeleteAlso, I don't understand where the "cyberwin" piece came from, could someone explain? Thanks
running the .exe on windows give me the error
ReplyDeleteThe program can't start because cygcrypt-0.dll is missing from your computer. Try reinstalling the program to fix this problem.
What does this mean, and is it any help?
I downloaded the DLLs from http://rghost.net/30201021?r=404
but I'm still getting this error
C:\Users\USERNAME\Downloads>keygen.exe canyoucrackit.co.uk
keygen.exe
error: license.txt not found
Download these DLLs and put them in the same folder. Run it again.
http://rghost.net/download/30201021/d0f7bf27aa4264b891ca256c885c026c625bf8ff/fe2aa2b65cae764381d417c9fac5e8443c965338/dlls.rar
"Also, I don't understand where the "cyberwin" piece came from, could someone explain? Thanks"
I am working on that right now.
Bryon
If anyone is interested, this is my attempt at the VM. http://friendpaste.com/5wW773R1uMVkTdEM8lmd4X
There is something wrong though: after the jmpe the DS (data segment) is incremented by 12 and therefore falls out of range; could be a misunderstanding of the jmpe instruction.
No idea if it's better or worse than the existing one.
Now I get: license2.txt not found
Heru-ur
The cyberwin is the original text that was used for the 'hqDTK7b8K2rvw' found in the exe; the 'hqDTK7b8K2rvw' is a hash of cyberwin, and the hq is the salt used for the hash (as far as I can tell).
Cracking effort guys. I've gotten as far as Stage 3, but it's had me stumped the last hour! This thing is driving me mad, determined to get/know the solution! Keep up the good work.
IAB.
I'm also stumped now - been trying different variations of the license.txt (gchqcyberwin + 12 characters) but can't get any useful results - Flex, you got anywhere yet?
Looking at the two Russian pages:
http://tinyurl.com/76kceg5
http://tinyurl.com/8axwjxb
It appears that the cyberwin came from decrypting a hash:
if crypt (buff +4, 'hqDTK7b8K2rvw') == 'hqDTK7b8K2rvw' ...
Maybe? The translation is not clear.
The html page displayed in the console by running the exe is different from the html page displayed in my browser by going here: http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/0/0/0/key.txt
Sorry, had a break to make some sandwiches :) And yeah, the cyberwin came from decrypting the hash using rainbow tables, and yes it is correct, because if you notice, changing any portion of the 'gchqcyberwin' renders the license invalid. The additional 12 characters must come from somewhere.
Quote from the Russian pages:
'Of course. And I've already written. All bytes are first assignment used in solving the entire Challenge. What are the bytes can be changed in the first task so that it will not affect the receipt of references to the second task? So you get the name of the directory ...'
This must be some sort of clue? I think he means what are the bytes in the first stage that aren't used? I'm not entirely sure :s
And as for the different results for the application, it probably detects the user agent and if it's not a recognised web browser it will output a basic message. I used to develop websites and this is a feature many sites use; it makes it more convenient for mobile browsers or text-based requests from small applications such as this one.
ReplyDeleteThis is the part in the keygen that determines if the license is valid:
00401167 |. 817D C8 676368>CMP DWORD PTR SS:[EBP-38],71686367
EBP-38 contains the license in your file. And it is comparing it to 71686367.
Bryon
May or may not be useful. The exe decompiled:
http://pastebin.com/KZghnNr8
This is interesting:
__size32 _impure_ptr = 0x4178;// 4 bytes
It is used near the bottom.
Strange, comparing 'gchqcyberwin' to 71686367 wouldn't match unless it was hashed or encoded in some way before comparing?
Exactly what I was thinking, Flex, but at the moment I see nothing like that. I will have to keep digging.
Bryon
Perhaps - http://www.unicodemap.org/details/0x4178/index.html ?
Relates to the: __size32 _impure_ptr = 0x4178;// 4 bytes
http://friendpaste.com/2kkvmGB4yeC7X47omjJeqM
I know the C version is working already, but this one is now working. The previous version wasn't working because I wasn't using the code segment.
Bryon is on to something for sure. Also, in case it isn't clear, the 71686367h is in hex, not decimal.
Here is the exe disassembled. Look at line 146.
http://pastebin.com/NFRx5jC1
And how many server requests would we have to make before the server starts shutting off communications? There are so many combinations you'll never manage to do it before you get booted off the server for using up too much bandwidth :(
The hex line that Bryon mentioned converts to qhcg
lol - coincidence?!
The numbers 71686367 convert to 'qhcg', which is an anagram for gchq. I wonder if that's got something to do with the 12 characters at the end being converted to hex then re-ordered; perhaps it's the same method used here?
And by anagram I mean it's backwards ;)
It's not an anagram, it's just reversed - so maybe they're hinting that we need to reverse what we're trying. Let's focus on what we have 'left' to use:
deadbeef
the two firmware codes
Someone mentioned some unused bytes from part 1??
Read our comments - we tried this combination.
Flex, it is "cghqcyberwin" not "gchqcyberwin"
Hmmm, deadbeef is a classic MAC as it is one of the better words that can be represented as only hex numbers.
So given deadbeef as a hex value plus the other 2, we have 12 hex values from 1-255.
They are too far and wide to be straight ASCII values, but maybe some sort of shift cipher?
It's also possible that those might be the straight 12 ASCII chars to put into the license file and the code then does the cipher to export a usable /%x/%x/%x/key.txt URL.
OK, so it passes the first "check", thanks to you guys finding out the hex number is their name backwards.
But if "gchq" is all you have then it fails at the next check, which is a crypt loop that reads in what you have next, which would be the cyberwin, and compares that to a hardcoded string at address 00402040 which is "hqDTK7b8K2rvw". If that check fails then it throws an invalid key. So it seems to be hashing cyberwin into that string.
Bryon
Using 'cghqcyberwin' instead of 'gchqcyberwin' renders the license invalid and the application terminates :(
"flex, it is "cghqcyberwin" not "gchqcyberwin""
The correct one is "gchqcyberwin".
If you look at the hex it is "qhcg" and when they check it, I believe it is read through a loop backwards, i.e. gchq
Bryon
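A worked example, added here and not written by any of the commenters, of the byte-order point behind the 71686367 / qhcg / gchq discussion above, plus the /%x/%x/%x/key.txt path mentioned earlier. x86 is little-endian, so a CMP DWORD PTR against the immediate 71686367h compares four bytes in memory whose first byte is the low byte 67h ('g'): the bytes "gchq" in the file are exactly that DWORD, and no backwards loop is needed. The function names are my own, the crypt() stage of the check is deliberately not reproduced, and the sample values deadbeef, 1 and 255 in the usage line are constructed for illustration (deadbeef appears in the thread; the other two are made up).

```python
import struct

# Immediate from the disassembly quoted in the thread:
#   CMP DWORD PTR SS:[EBP-38], 71686367
LICENSE_MAGIC = 0x71686367


def imm32_to_ascii(imm: int) -> str:
    """Render a 32-bit immediate the way x86 reads it from memory.

    Little-endian: the low byte of the immediate is the first byte of
    the string it was compared against, so 0x71686367 is the bytes
    67 63 68 71 = "gchq". Printing the hex digits left to right gives
    the misleading "qhcg".
    """
    return struct.pack("<I", imm).decode("ascii")


def first_dword(data: bytes) -> int:
    """Read the first four bytes of a buffer as a little-endian DWORD,
    which is what a CMP DWORD PTR [mem], imm32 actually operates on."""
    if len(data) < 4:
        raise ValueError("need at least 4 bytes")
    return struct.unpack("<I", data[:4])[0]


def passes_first_check(license_bytes: bytes) -> bool:
    """Mirror of the first check described in the thread: the DWORD at
    the start of the license buffer must equal 0x71686367."""
    return len(license_bytes) >= 4 and first_dword(license_bytes) == LICENSE_MAGIC


def split_license(license_bytes: bytes):
    """Split the license into the 4-byte magic and the remainder, which
    the thread says is fed to a crypt() comparison (not reproduced here)."""
    return license_bytes[:4], license_bytes[4:]


def build_key_path(prefix: str, a: int, b: int, c: int) -> str:
    """Format the /<prefix>/%x/%x/%x/key.txt path the thread describes.
    %x is lowercase hex with no zero padding, as in C's printf."""
    return "/%s/%x/%x/%x/key.txt" % (prefix, a, b, c)


if __name__ == "__main__":
    print(imm32_to_ascii(LICENSE_MAGIC))            # gchq
    print(hex(first_dword(b"gchqcyberwin")))        # 0x71686367
    print(passes_first_check(b"gchqcyberwin"))      # True
    print(passes_first_check(b"cghqcyberwin"))      # False
    # Constructed sample values; only deadbeef comes from the thread.
    print(build_key_path("hqDTK7b8K2rvw", 0xDEADBEEF, 1, 255))
```

The hqDTK7b8K2rvw prefix is the directory name from the key.txt URL quoted earlier in the thread; the three numeric path components are whatever the keygen prints, which this example does not derive.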