Wednesday, November 30, 2011

Can you crack it? (nope, I tried though)

The UK govt created a challenge to find eligible code crackers. The website is

I got close, but my skills aren't up to par. Here is as far as I got. They give you the following code:

eb 04 af c2 bf a3 81 ec  00 01 00 00 31 c9 88 0c
0c fe c1 75 f9 31 c0 ba  ef be ad de 02 04 0c 00
d0 c1 ca 08 8a 1c 0c 8a  3c 04 88 1c 04 88 3c 0c
fe c1 75 e8 e9 5c 00 00  00 89 e3 81 c3 04 00 00
00 5c 58 3d 41 41 41 41  75 43 48 3d 42 42 42 42
75 3b 5a 89 d1 89 e6 89  df 29 cf f3 a4 89 de 89
d1 89 df 29 cf 31 c0 31  db 31 d2 fe c0 02 1c 06
8a 14 06 8a 34 1e 88 34  06 88 14 1e 00 f2 30 f6
8a 1c 16 8a 17 30 da 88  17 47 49 75 de 31 db 89
d8 fe c0 cd 80 90 90 e8  9d ff ff ff 41 41 41 41

What jumps out at me first are the nops (90 90) in the last line. My mind automagically tells me this is shellcode. I wasn't 100% sure, but it was the only guess I had. I copied the code over into gedit, and made the following adjustments.


I then saved this into a shellcode.c file:

#include <stdio.h>

char shellcode[] = "\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41";

int main(void) {
   int *ret;

   /* Classic shellcode test harness: point main's saved return address at the
      buffer, so the return from main lands in the shellcode bytes. */
   ret = (int *)&ret + 2;
   (*ret) = (int)shellcode;

   printf("done\n");
   return 0;
}


Running it simply returned the "done" being printed by printf. This told me that the shellcode was at least not crashing, so it was probably valid shellcode. Looks like my first impression was correct. So I jumped to the asm that the shellcode produced to get a better understanding of it:

0000000000601040 <shellcode>:
  601040: eb 04                 jmp    601046 
  601042: af                    scas   %es:(%rdi),%eax
  601043: c2 bf a3              retq   $0xa3bf
  601046: 81 ec 00 01 00 00     sub    $0x100,%esp
  60104c: 31 c9                 xor    %ecx,%ecx
  60104e: 88 0c 0c              mov    %cl,(%rsp,%rcx,1)
  601051: fe c1                 inc    %cl
  601053: 75 f9                 jne    60104e 
  601055: 31 c0                 xor    %eax,%eax
  601057: ba ef be ad de        mov    $0xdeadbeef,%edx
  60105c: 02 04 0c              add    (%rsp,%rcx,1),%al
  60105f: 00 d0                 add    %dl,%al
  601061: c1 ca 08              ror    $0x8,%edx
  601064: 8a 1c 0c              mov    (%rsp,%rcx,1),%bl
  601067: 8a 3c 04              mov    (%rsp,%rax,1),%bh
  60106a: 88 1c 04              mov    %bl,(%rsp,%rax,1)
  60106d: 88 3c 0c              mov    %bh,(%rsp,%rcx,1)
  601070: fe c1                 inc    %cl
  601072: 75 e8                 jne    60105c 
  601074: e9 5c 00 00 00        jmpq   6010d5 
  601079: 89 e3                 mov    %esp,%ebx
  60107b: 81 c3 04 00 00 00     add    $0x4,%ebx
  601081: 5c                    pop    %rsp
  601082: 58                    pop    %rax
  601083: 3d 41 41 41 41        cmp    $0x41414141,%eax
  601088: 75 43                 jne    6010cd 
  60108a: 48 3d 42 42 42 42     cmp    $0x42424242,%rax
  601090: 75 3b                 jne    6010cd 
  601092: 5a                    pop    %rdx
  601093: 89 d1                 mov    %edx,%ecx
  601095: 89 e6                 mov    %esp,%esi
  601097: 89 df                 mov    %ebx,%edi
  601099: 29 cf                 sub    %ecx,%edi
  60109b: f3 a4                 rep movsb %ds:(%rsi),%es:(%rdi)
  60109d: 89 de                 mov    %ebx,%esi
  60109f: 89 d1                 mov    %edx,%ecx
  6010a1: 89 df                 mov    %ebx,%edi
  6010a3: 29 cf                 sub    %ecx,%edi
  6010a5: 31 c0                 xor    %eax,%eax
  6010a7: 31 db                 xor    %ebx,%ebx
  6010a9: 31 d2                 xor    %edx,%edx
  6010ab: fe c0                 inc    %al
  6010ad: 02 1c 06              add    (%rsi,%rax,1),%bl
  6010b0: 8a 14 06              mov    (%rsi,%rax,1),%dl
  6010b3: 8a 34 1e              mov    (%rsi,%rbx,1),%dh
  6010b6: 88 34 06              mov    %dh,(%rsi,%rax,1)
  6010b9: 88 14 1e              mov    %dl,(%rsi,%rbx,1)
  6010bc: 00 f2                 add    %dh,%dl
  6010be: 30 f6                 xor    %dh,%dh
  6010c0: 8a 1c 16              mov    (%rsi,%rdx,1),%bl
  6010c3: 8a 17                 mov    (%rdi),%dl
  6010c5: 30 da                 xor    %bl,%dl
  6010c7: 88 17                 mov    %dl,(%rdi)
  6010c9: 47                    rex.RXB
  6010ca: 49 75 de              rex.WB jne    6010ab 
  6010cd: 31 db                 xor    %ebx,%ebx
  6010cf: 89 d8                 mov    %ebx,%eax
  6010d1: fe c0                 inc    %al
  6010d3: cd 80                 int    $0x80
  6010d5: 90                    nop
  6010d6: 90                    nop
  6010d7: e8 9d ff ff ff        callq  601079 
  6010dc: 41                    rex.B
  6010dd: 41                    rex.B
  6010de: 41                    rex.B
  6010df: 41 00 00              add    %al,(%r8)

Definitely legitimate shellcode. The x86 asm gcc spits out is exactly what I wanted to see. Not only that, but do you see the 0xdeadbeef?
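Read as the 32-bit code it was written for (in that mode the `rex` lines at 6010c9 and 6010ca are `inc %edi` and `dec %ecx`, and the `41 41 41 41` after the `callq` is the AAAA marker that the `pop %rax` / `cmp $0x41414141,%eax` check looks for), the listing is three loops: `S[i] = i` for 256 bytes, a key-scheduling pass that mixes in 0xdeadbeef one byte per round (`add %dl,%al` then `ror $0x8,%edx`, so the key bytes are consumed in the order ef be ad de), and a keystream loop that XORs the payload in place. That is RC4's key schedule and, almost, its keystream generator. The Python below is an added example, not code from the post: `rc4_ksa` and `rc4_crypt` are textbook RC4, while `shellcode_crypt` follows the third loop register for register, including the one place where it departs from the textbook: at 6010c0 the keystream byte is loaded into %bl, which is the register the loop uses as j, so each round's j starts from the previous keystream byte rather than carrying RC4's running j. The key constant is an assumption only in the sense that it is derived from the `mov $0xdeadbeef,%edx` in the listing.

```python
"""RC4 as the stage-1 listing implements it (added example). Assumes the 4-byte key
is fed low byte first, which is what `mov $0xdeadbeef,%edx` + `ror $0x8,%edx` does."""

from typing import List


def rc4_ksa(key: bytes) -> List[int]:
    """Key scheduling, the first two loops of the listing:
    S[i] = i for 0..255, then j += S[i] + key[i % len(key)] and swap S[i], S[j]."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 PRGA: j carries its running value from round to round.
    Encryption and decryption are the same XOR operation."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def shellcode_crypt(key: bytes, data: bytes) -> bytes:
    """Register-for-register rendering of the loop at 6010ab..6010ca.
    %al is i, %bl is j, %dl/%dh carry S[i]/S[j]; %esi is the S-box and %edi
    walks the payload. The keystream byte is loaded into %bl, so it becomes the
    starting j of the next round; that is the only difference from rc4_crypt."""
    S = rc4_ksa(key)
    al = bl = 0                              # xor %eax,%eax ; xor %ebx,%ebx
    out = bytearray()
    for c in data:
        al = (al + 1) & 0xFF                 # inc    %al
        bl = (bl + S[al]) & 0xFF             # add    (%rsi,%rax,1),%bl
        dl, dh = S[al], S[bl]                # mov    (%rsi,%rax,1),%dl / (%rsi,%rbx,1),%dh
        S[al], S[bl] = dh, dl                # mov    %dh,(%rsi,%rax,1) / %dl,(%rsi,%rbx,1)
        dl = (dl + dh) & 0xFF                # add    %dh,%dl ; xor %dh,%dh
        bl = S[dl]                           # mov    (%rsi,%rdx,1),%bl   <- keystream byte
        out.append(c ^ bl)                   # mov (%rdi),%dl ; xor %bl,%dl ; mov %dl,(%rdi)
    return bytes(out)                        # inc %edi ; dec %ecx ; jne  (47 49 75 de)


# The key exactly as the listing consumes it: low byte of 0xdeadbeef first.
STAGE1_KEY = (0xDEADBEEF).to_bytes(4, "little")      # b"\xef\xbe\xad\xde"


if __name__ == "__main__":
    sample = b"constructed sample payload, not the challenge data"
    blob = shellcode_crypt(STAGE1_KEY, sample)
    print(blob.hex())
    print(shellcode_crypt(STAGE1_KEY, blob))      # XOR stream cipher: same call decrypts
```

Because both generators are XOR stream ciphers, running either one twice with the same key returns the input, which is what the shellcode relies on when it decrypts its payload on the stack.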

Once I knew I was in the right direction, I loaded the binary into gdb. I threw a breakpoint on the printf line with
break printf
and ran the binary. I looked at the stack frame, traversed through the memory and found the strings I suspected were what we were supposed to be looking for. However, they seemed to be all multi-byte characters. I wasn't able to decipher any of them within the time limit. I had found out about the contest about 2 hours before it was over. This took me about an hour to get to traversing the stack for the strings, and I got stuck.

Oh well. Maybe next time if I have more time I can get a bit further.


  1. hmmm deadbeef is a classic MAC as it is one of the better words that can be represented as only hex numbers.
    So given deadbeef as a hex value plus the other 2 we have 12 hex values from 1-255
    They are too far and wide to be straight ascii values but maybe some sort of shift cipher?

    it's also possible that those might be the straight 12 ASCII chars to put into the license file and the code then does the cipher to export a useable /%x/%x/%x/key.txt url

  2. Ok so it passes the first "check" which thanks to you guys finding out the hex number is their name backwards.

    But if "gchq" is all you have then it fails at the next check. Which is a crypt loop that reads in what you have next, which would be the cyberwin, and compares that to a hardcoded string at address 00402040 which is "hqDTK7b8K2rvw". If that check fails then it throws an invalid key. So it seems to be hashing cyberwin into that string.


  3. using 'cghqcyberwin' instead of 'gchqcyberwin' renders the license invalid and the application terminates :(

  4. "flex, it is "cghqcyberwin" not "gchqcyberwin""

    The correct one is "gchqcyberwin".

    If you look at the hex it is "qhcg" and when they check it, I believe it is read through a loop backwards. i.e. gchq


  5. It's not actually backwards though, that is how memory is loaded with Little-Endian, right?

  6. I think the application is just a url generator now that we know that gchqcyberwin is correct, it's just the other end of the license that we need, those other 12 characters must be somewhere in the previous 2 stages, we just need to find them :(

  7. mov [esp+148h+var_144], offset aGetSXXXKey_txt ; "GET /%s/%x/%x/%x/key.txt HTTP/1.0\r\n\r\n"

    The three %x values will be represented in hex once they are populated and printed.

    I believe flex is correct, in that the app is a url generator. I have been going through the assembly but there doesn't seem to be anything else hidden in it.

  8. "Its not actually backwards though, that is how memory is loaded with Little-Endian, right?"

    May be correct, things stored on the stack are normally first on, last off. So if you think of a stack of plates, and you're piling them on. The first one you put on will only be able to come off after you take off all the others in the reverse order you put them on.

    Also yes, the first part we have is correct. I am heading home right now so I will be back to post in about 20min


  9. Found this on the Russian exelab forum - posted by a guy who I think (lost in translation) has solved it and is giving hints for the others:

    Which bytes can be changed in the first task so that it will not affect the receipt of references to the second task

  10. d2:ab:1f:05

    Gives you some weird control codes (à la LF and CR) but they are valid ascii codes.

    The resulting codes probably aren't printable on this blog, so here's a quick bit of code that'll dump them; you can redirect that to license.txt



  11. gah it stripped the php tags
    try adding them to this

    <?php
    $str = explode(':', 'd2:ab:1f:05:da:13:f1:10:de:ad:be:ef');

    echo "gchqcyberwin";

    foreach ($str as $elem) {
        echo chr(hexdec($elem));
    }
    ?>

  12. Damn Russians own at everything haxor related.

  13. Might be a bit late now, but still relevant.
    No one noticed the typo in line 5 of the shellcode above? The disassembly looks valid, but it probably won't give the right answer if you've copied this code.

    "48 3d" should be "58 3d"

    I tried solving it on x86_64 Fedora but just couldn't get anything useful due to lack of asm and shellcoding knowledge, and painfully fragmented web resources

  14. I'm sorry to say but I'm going to have to go now, as I have uni in 5 hours ;) but I will be back tomorrow to check on your progress and help some more if needed ;) thanks guys, Flex.

  15. Ok I'm back. Hurry back flex I am going to need your help. So I was stepping through the crypt function on my way back and I found some interesting output. I will post it as soon as it's done (5 min?) may need help figuring it out.


  16. Bryon/Flex/anyone else - just made an IRC channel at mibbit - join and can discuss findings there etc if you want? Rather than trying to scroll through all these comments loL!


  17. I don't think the host is actually

    Google would have found it if that is the case:

    I think we need to find the actual host?
    At first I thought that cyberwin was related, but googling that only brings up some Chinese website.

  18. Hey Dave, I couldn't find the IRC on mibbit. So this is what the crypt function spit out. The first of each line is the word cyberwin. Any idea on the following?

    c 1 18 0c 06 03 01

    y 3c 1e 0f 07 03 01

    b 1 18 0c 06 03 01

    e 2 19 0c 06 03 01

    r 9 1c 0e 07 03 01

    w ; 1d 0e 07 03 01

    i 4 1a 0d 06 03 01

    n 7 1b 0d 06 03 01


  19. Byron, just head over to
    put a nickname in, put channel as #canyoucrackit
    and you should be well away

    There's 6 of us in there discussing!


  20. So, for 2nd part, the VM code does this:
    int i;
    for(i=0;i<80;i++) mem[0x100+i]^=i+0xAA;
    for(i=0;i<51;i++) mem[0x1C0+i]^=i*3+0x32;

    As you can see, the xor sequence is always of the form i*X+Y.

    So I did an analysis of the other chunks of binary data in memory, looking for X,Y that produce output with MSB=0 (looking for text).

    There is only one (!) possible combination for each block:
    for(i=0;i<112;i++) mem[0x150+i]^=i*5+31;
    for(i=0;i<128;i++) mem[0x200+i]^=i*5+31;
    for(i=0;i<128;i++) mem[0x280+i]^=i*5+111;

    Output is still not text, but all MSB bits are zero, except for 6 bytes near addr 0x280.

    Now let's see the firmware values:
    0xd2ab1f05 = 210 171 31 5 dec
    0xda13f110 = 218 19 241 16 dec

    Notice the 31 and 5 ...

    I think these firmware codes contain hints on how to decrypt the rest of the memory.

    For part3, we need two hex values and there are two (maybe 3) blocks in memory... maybe all codes for part3 are there.
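An added example (not the commenter's code) of the search the comment above describes: `find_keystream_params` tries every (X, Y) in 0..255 and keeps the pairs for which XORing byte i with (i*X+Y) mod 256 leaves the high bit of every byte clear, the MSB=0 heuristic used above to spot text-like output. The block it runs on is constructed sample data encrypted here with X=5, Y=31; on short blocks neighbouring pairs can also pass the high-bit test, so the candidates come back as a list ranked by how much of the result is printable rather than as a single answer. `decode_region` applies a chosen pair to a slice of a memory image the way the `mem[base+i] ^= i*X+Y` lines do.

```python
"""Affine-keystream search for XOR-obscured memory regions (added example).
The memory image, X and Y values below are constructed for the demo."""

from typing import List, Tuple


def affine_keystream(length: int, x: int, y: int) -> bytes:
    """Keystream byte i is (i*x + y) mod 256, the i*X+Y shape seen in the VM code."""
    return bytes(((i * x + y) & 0xFF) for i in range(length))


def xor_with_keystream(block: bytes, x: int, y: int) -> bytes:
    """XOR is its own inverse, so this both applies and removes the keystream."""
    return bytes(b ^ k for b, k in zip(block, affine_keystream(len(block), x, y)))


def find_keystream_params(block: bytes) -> List[Tuple[int, int]]:
    """Every (x, y) in 0..255 x 0..255 for which the decrypted block has the high bit
    clear in all bytes. all() stops at the first failing byte, so scanning all
    65536 candidates is cheap."""
    hits = []
    for x in range(256):
        for y in range(256):
            if all(((b ^ ((i * x + y) & 0xFF)) & 0x80) == 0 for i, b in enumerate(block)):
                hits.append((x, y))
    return hits


def printable_ratio(block: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace; a second
    filter to rank the high-bit-clean candidates."""
    ok = sum(1 for b in block if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(block) if block else 0.0


def best_candidate(block: bytes) -> Tuple[int, int]:
    """The candidate whose output looks most like text."""
    hits = find_keystream_params(block)
    if not hits:
        raise ValueError("no affine keystream leaves every high bit clear")
    return max(hits, key=lambda xy: printable_ratio(xor_with_keystream(block, *xy)))


def decode_region(mem: bytes, base: int, length: int, x: int, y: int) -> bytearray:
    """Copy of mem with mem[base+i] ^= i*x+y applied for i in range(length),
    mirroring the for-loops quoted in the comment."""
    out = bytearray(mem)
    for i in range(length):
        out[base + i] ^= (i * x + y) & 0xFF
    return out


# Constructed sample: 64 ASCII bytes XORed with i*5+31, the pair the comment reports.
SAMPLE_PLAIN = b"constructed sample block: the keystream here is i*5+31, 64 bytes"
SAMPLE_CIPHER = xor_with_keystream(SAMPLE_PLAIN, 5, 31)

# Constructed memory image: 0x40 bytes of filler, then the encrypted block at 0x40.
SAMPLE_MEM = bytes(0x40) + SAMPLE_CIPHER


if __name__ == "__main__":
    for xy in find_keystream_params(SAMPLE_CIPHER):
        print(xy, round(printable_ratio(xor_with_keystream(SAMPLE_CIPHER, *xy)), 2),
              xor_with_keystream(SAMPLE_CIPHER, *xy))
    x, y = best_candidate(SAMPLE_CIPHER)
    print(decode_region(SAMPLE_MEM, 0x40, 64, x, y)[0x40:])
```

The high-bit test is deliberately loose: it is what lets the search find blocks that are 7-bit clean but not text, as the comment reports for the regions near 0x150 and 0x200, so any survivors still need to be looked at by hand.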


  21. It seems the crypt stuff only gets used for the first part that converts into the string %x
    The other values get converted pretty much straight back to the hex values but shown as ascii if that makes sense.

    I.e trying the above php stuff I got a url of
    GET /hqDTK7b8K2rvw/51fabd2/10f113da/efbeadde/key.txt HTTP/1.0

    So it effectively reversed (little endianed?) whatever I had in the license.txt file this is on Win7 x64 if it makes a diff

  22. Hello,

  23. The answer is Pr0t3ct!on#cyber_security@12*12.2011+


  24. I think that would be a red herring mate, they need a safeguard in place for cheaters who just brute force it.

    I doubt they would make it that easy.

  25. How did you get "Pr0t3ct!on#cyber_security@12*12.2011+"


  26. Here is a clue for you

    the result of executing the program is the decrypted URL for stage3 (stage 2 if you exclude the base64 encoded data).

  27. So why would you take hex fields, use them as 12 characters in the license.txt file and then print that to the hex equivalent in the URL?

    Maybe we're looking for characters hidden somewhere?

    Anyone looked over the data/code for hidden characters?

    I tried the first codeset



    ????????????1??????u?1??????????????????<?????<???u??\???????????\X=AAAAuCX=BBBBu;Z??????)?????????)?1?1?1??????????4??4??????0??????0???GIu?1??????????????AAAABBBB2??????mp :?g??????f????????w?T8?????????????+???????/

    and there isn't much there. Anyone else have new ideas on where these 12 characters may be hidden? I mean it could be "firmware" itself, dates, ...


  28. the 3 dwords left over.

    Has anyone seen the last line.

    Dead Beef.

    this is a Hex Term.......

  29. Well I'm out for tonight.
    The code isn't hidden in the source anywhere (apart from the already cracked cipher/hash/first part).

    The sections of the url will be completely random hex values. The only place they are is in the section of code/dump after the .exe url part dump here.

    the first 7z part suggests it's a 7z archive except it's not, at least not in its raw form. So I think that just needs to be solved and out will pop a useable license.txt file complete with random values.

  30. Pr0t3ct!on#cyber_security@12*12.2011+

    Just incase you give up bitchesss ;)

  31. So has anyone unequivocally negated notions hypothesizing embedded indelible kruptós steganographically hidden in the strange image file you espouse as assembled code here?

  32. Which strange image file?



  34. What the fuck 25.000 libras... just pathetic.

  35. Any success on the last 12 chars?

  36. Not yet. Looking for the hidden info in the png file atm.

  37. Well I did find it in the header of cyber.png - That's old news though.

  38. I didn't find this info any place else so I will post it here.

    Inside cyber.png you will find part of the info for a step. However no-one tells you HOW to find it. If you open cyber.png with a hex editor you will see somewhere in the first few lines "iTXt" with "Comment" right after it. This is inside the header of the png file. Now copy everything between the iTXtComment and "IDAT" (the start of the image chunks) and paste it into a base64 decoder. Once it is decoded, convert it into HEX, and there you have it. Post if you have any questions.
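An added example (not the commenter's code) that does the extraction described above without cutting on text markers: it walks the PNG chunk list by each chunk's declared length, checks the CRC, collects `iTXt` and `tEXt` payloads by keyword, and base64-decodes the Comment value to bytes for a hex view. Walking by length matters because nothing stops the string "IDAT" from appearing inside a text chunk or image data. The PNG is built inside the block (a 1x1 image with a Comment chunk holding base64 of a made-up payload); it is not cyber.png.

```python
"""PNG text-chunk extraction (added example). The PNG and payload are constructed here."""

import base64
import struct
import zlib
from typing import Dict, Iterator, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_chunks(png: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (type, data) per chunk: big-endian length, 4-byte type, data, CRC over type+data."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if len(data) != length or zlib.crc32(ctype + data) != crc:
            raise ValueError("truncated chunk or CRC mismatch in %r" % ctype)
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def parse_itxt(data: bytes) -> Tuple[str, str]:
    """iTXt layout: keyword\\0 compression_flag compression_method language\\0
    translated_keyword\\0 text (UTF-8; zlib-compressed when the flag is 1)."""
    keyword, rest = data.split(b"\0", 1)
    flag, method, rest = rest[0], rest[1], rest[2:]
    _language, rest = rest.split(b"\0", 1)
    _translated, text = rest.split(b"\0", 1)
    if flag == 1:
        if method != 0:
            raise ValueError("unknown iTXt compression method %d" % method)
        text = zlib.decompress(text)
    return keyword.decode("latin-1"), text.decode("utf-8")


def text_chunks(png: bytes) -> Dict[str, str]:
    """All iTXt and tEXt entries keyed by keyword (for example 'Comment')."""
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"iTXt":
            key, text = parse_itxt(data)
            found[key] = text
        elif ctype == b"tEXt":
            key, text = data.split(b"\0", 1)
            found[key.decode("latin-1")] = text.decode("latin-1")
    return found


def comment_payload(png: bytes, keyword: str = "Comment") -> bytes:
    """Base64-decode the text stored under `keyword`; line breaks are tolerated, junk is not."""
    text = "".join(text_chunks(png)[keyword].split())
    return base64.b64decode(text, validate=True)


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


# Constructed 1x1 greyscale PNG carrying a base64 Comment (made-up payload, not cyber.png).
SAMPLE_PAYLOAD = b"made-up stage data \x00\x01\x02\xfe\xff"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD).decode("ascii")
SAMPLE_PNG = (
    PNG_SIGNATURE
    + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + make_chunk(b"iTXt", b"Comment\0" + bytes([0, 0]) + b"\0" + b"\0" + SAMPLE_B64.encode("ascii"))
    + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte + one grey pixel
    + make_chunk(b"IEND", b"")
)


if __name__ == "__main__":
    print(text_chunks(SAMPLE_PNG))
    print(comment_payload(SAMPLE_PNG).hex())
```

`base64.b64decode(..., validate=True)` rejects anything that is not base64, so a sloppy copy that drags in part of the chunk framing fails loudly instead of decoding to garbage.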


  39. hey guys! you are doing an excellent work! I am stuck on the keygen as you! :)



  41. I propose that there's more to the image file than the machine code and the hidden base64 string.

  42. > read our comments - we tried this combination

    In the disassembly at, the only relevant code is this one in sub_401090. In C it is something like this:

    struct var_38 {
        char x[12];
        unsigned var_2c, var_28, var_24;
    } var_38;
    unsigned var_48[3];
    memset(&var_38, 0, sizeof(var_38)); /* sizeof = 0x18 */
    fscanf(var_4c, "%s", var_38.x);
    var_4c = NULL;
    /* crypt stuff does not need to be cracked, it does not modify var_38 and its output is used only as input to strcmp. Just bypass it/pretend it does not exist. */
    var_48[0] = var_38.var_2c;
    var_48[1] = var_38.var_28;
    var_48[2] = var_38.var_24;
    sub_401209(var_48, argv[1]);


    and this one in sub_401209:

    static char *p = "hqDTK7b8K2rvw";
    sprintf(s, "GET /%s/%x/%x/%x/key.txt HTTP/1.0", p, arg1[0], arg1[1], arg1[2]);

    Just throw away the damn .exe and try putting the three words (the unused four bytes in stage1---that's not 0xdeadbeef!---and the firmware words) in the URL.
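An added illustration (not the thread's code) of the reinterpretation the pseudo-C above describes: whatever follows the licence string is stored by `fscanf("%s")`, read back as three native 32-bit words, and printed with `%x`. On little-endian x86 that reverses each group of four bytes and drops leading zeros, which is exactly what turned the bytes d2 ab 1f 05 into the `51fabd2` segment in the keygen output quoted earlier in the thread. The block reproduces that output, shows the inverse (which bytes to write so that given words come out), and flags the bytes `%s` cannot carry at all; the word values used are the ones under discussion in the thread, and the format string is the one quoted above.

```python
"""Licence bytes -> keygen URL segments, and back (added example)."""

import struct
from typing import Sequence

FIXED_SEGMENT = "hqDTK7b8K2rvw"                      # the hard-coded string from sub_401209
GET_FORMAT = "GET /%s/%x/%x/%x/key.txt HTTP/1.0"     # as quoted in the thread
C_WHITESPACE = b" \t\n\v\f\r"                          # what isspace() matches in the C locale


def keygen_url(license_body: bytes) -> str:
    """What sub_401209 prints for the 12 bytes after the licence string: three
    little-endian unsigned ints, formatted with %x (no leading zeros)."""
    if len(license_body) < 12:
        raise ValueError("need 12 bytes after the licence string")
    w0, w1, w2 = struct.unpack("<III", license_body[:12])
    return GET_FORMAT % (FIXED_SEGMENT, w0, w1, w2)


def license_body_for(words: Sequence[int]) -> bytes:
    """Inverse: the 12 bytes to append so that keygen_url prints the given words."""
    if len(words) != 3:
        raise ValueError("exactly three 32-bit words")
    return struct.pack("<III", *words)


def fscanf_s_truncation(license_body: bytes) -> int:
    """Index of the first byte "%s" cannot deliver (NUL ends the C string, C whitespace
    stops the conversion), or -1 if the whole body survives fscanf."""
    for idx, b in enumerate(license_body):
        if b == 0 or b in C_WHITESPACE:
            return idx
    return -1


def dword_le(raw: bytes) -> int:
    """Four bytes read as one little-endian word, e.g. the bytes skipped by the
    `jmp 4` at the top of the stage-1 code."""
    (value,) = struct.unpack("<I", raw)
    return value


if __name__ == "__main__":
    # Bytes from the PHP snippet earlier in the thread, and the URL the keygen printed for them.
    print(keygen_url(bytes.fromhex("d2ab1f05da13f110deadbeef")))
    body = license_body_for([dword_le(bytes.fromhex("afc2bfa3")), 0xD2AB1F05, 0xDA13F110])
    print(body.hex(), keygen_url(body), fscanf_s_truncation(body))
```

`fscanf_s_truncation` is the check worth running before blaming the server: a licence body containing 0x00, 0x20 or any other C whitespace byte is cut short by `%s`, and the zero-filled words that result print as `/0/0/0/`, the pattern seen in one of the keygen transcripts above.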

  43. In Level1, when you decrypt the URL, there is an extra DWORD that gets decrypted (right after the HTTP/) and it's DE3DBB2F or 2FBB3DDE (depending on the endianness).

    I think it's safe to assume that the first DWORD is either DE3DBB2F or 2FBB3DDE.

    We just need to find the 2nd and 3rd DWORDS (probably from Level 2).

  44. Nope, the first dword is already in the thread, but you didn't listen. It's in the code, not in the output.

    The 256 bytes after the HTTP/1.0 are the decryption key and they are a combination of DEADBEEF, some more XORing and a sequence from 00 to FF. But they do not matter.

  45. Cracking part 1:

  46. for me "gchqcyberwin" works.

    "cghqcyberwin" leads to output:
    error: license.txt invalid

  47. What do you post in the form at stage 1?

  48. Posting to the form is the final stage, not the first...

  49. what's the answer to that then!


    I solved it.

  51. For once this isn't a spam post honest!
    I started looking at cracking the code as well yesterday. Not really being much into ciphers and the like. I looked at the image and thinking it was a hex memory dump, started decoding to binary and back to ascii just to see what came out which was gibberish! Obviously due to being linux not windows. I then thought ohh these could be various md5 or sha1 hashes and started dictionary cracking these to no avail. Now I understand why! Thanks for taking the time to detail how you went about this. I thought I knew a lot about computers (10 years working in the industry) but obviously I'm only just scratching the "high level" surface. I'm off to learn me some assembly language, wish me luck!

  52. I spent all morning on this one, love a nice challenge.

    The answer is actually...

    Type it into the and see what happens..

  53. Pr0t3ct!on#cyber_security@12*12.2011+

  54. yer but where did you get it from? or did you just copy and paste it from somewhere else....?

  55. Ok guys- let's say it again: we are not interested in the answer or the success page, or any other useless posts, but in the exact way to solve the puzzle.
    So point out how you solved it or shut up.

  56. I couldn't solve the puzzle for love nor money, the interest is in discovering how it is being done and learning many new things about a topic that I've never been involved in. There is nothing like the internet for exposing you to just how many people there are in the world with more knowledge and/or wisdom than you :)

  57. Pr0t3ct!on#cyber_security@12*12.2011+

  58. keygen.exe

    loading stage1 license key(s)...
    loading stage2 license key(s)...


    GET /hqDTK7b8K2rvw/0/0/0/key.txt HTTP/1.0


    HTTP/1.1 404 Not Found

  59. I loved reading this. Grats on working together so patiently. Even though I am still an infant in programming, I followed a little of this.

  60. Wait, so where is the rest of this thread? What are the correct 3 parts of the url after /hqDTK7b8K2rvw ?

  61. Still trying to solve the 3 parts.


  62. Guys, the three words are written in the first page. 1 from stage1, 2 from stage2 (the firmware). Put the words in hex directly in the URL, ignore the .exe. I don't want to write it more plainly than this.

  63. 0xafc2bfa3, 0xd2ab1f05, 0xda13f110

    but that doesn't work

  64. what's the URL? the 4byte firmware doesn't work :(

  65. It's not in upper or lowercase nor with deadbeef instead of the jumped over code in part1

  66. Been working on and off this for the last couple of days. Got as far as getting the VM to work and getting the keygen.exe before resorting to the Internet but haven't had time to do the rest. Keep up the good work. Here's my version of the VM:

  67. Answer:

  68. https://apply.gchq-careers.co.uk/fe/tpl_gchq01ssl.asp?newms=jj&id=35874

  69. Pr0t3ct!on#cyber_security@12*12.2011+

  70. FWIW I used the 256 bytes part from 7z... in part2 as the license.txt file. Seems to be accepted by keygen.txt
    but the resulting url leads nowhere


    sadly he just copied this and if you notice he skips over the last step like a true "I am copying this stuff and passing it off as my work"er

  72. I have the correct dll's and am attempting to run keygen.exe in CMD, but I'm just getting error: license.txt not found

    anyone any idea what I'm doing wrong?


  73. Lydon
    make the license.txt file and put this in it


  74. you will need a license file with a password in it.

  75. I have gchqcyberwin in the license.txt in the same directory as the .exe, yet I'm still getting
    "error: license.txt not found" Damn I'm really in over my head here.


  76. 0xdeadbeef is the RC4 4-octet key used in stage 1. I doubt it would be used for anything else

  77. My question is, there is so much stuff in the VM's memory that isn't used. Immediately after the url is a 7z, which are the first two characters of any 7zip archive. However, the header signature of 7zip is 6 bytes, and the last 4 don't match. I'm wondering if the unused firmware numbers are somehow used to decrypt the remaining memory (via xor?) to produce a valid archive. Plus, there is the memory that exists before the url in the VM memory dump that is also unused. It can't just be gibberish...

  78. Skipped code & 'firmware' words are correct, but the bytes from level 1 have to be interpreted as single 32bit word (endian).

  79. Thanks Mr Anonymous for the tip

  80. can someone in English please tell me the answer to type into the submit box??

  81. the answer is "D01ty0ur3fuck1ngs3lf"

  82. 0xafc2bfa3, 0xd2ab1f05, 0xda13f110

    but reverse the middle one

    you need to ascii the whole lot and append it to the license.txt get

    but the .exe GET fails so I just hit the url

    this is the url

  83. license.txt should be
    gchqcyberwin¯Â¿£ «Ò ñ Ú

  84. Looks like it all comes down to non-standard ASCII and keygen... there is some data on the IRC channel if anyone cares now


  85. No matter what I do to pad the license.txt or anything else I can't get (my) keygen to kick out a URL that works. A cut/paste of the URL or GET request works fine. It's just (my) keygen.

    Here is the license.txt file in HEX in case anyone else wants to try and be sure they have the right characters



  86. Munging through a dump of the .exe to get the code and strings is very revealing as posted by someone earlier. You don't even need to run the .exe. Once you've figured out the magic missing numbers from the earlier stages, you're done

  87. Using Visual C++ Express and Windows XP. I tried this:

    #include "stdafx.h"

    char shellcode[] = "\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41";

    void _tmain() {
        int *ret;

        /* same return-address overwrite as the shellcode.c harness in the post */
        ret = (int *)&ret + 2;
        (*ret) = (int)shellcode;
    }

    But I get an error "Access violation reading 0xffffffff"

    Does the code only run on Linux or have I done something else wrong?


  88. It calls a Linux syscall, so in Windows you need to change it.
    I recommend setting a breakpoint in the shell code and just step tracing with the debugger.

    You're also missing data in the shellcode.

  89. I think we have all exhausted this puzzle and are just dotting "i"s and crossing "t"s now. Seems keygen wasn't needed except to give up hqDTK7b8K2rvw. Next challenge for me anyway: who wrote the puzzle?

    Some clues: look at the PDF bios online for GCHQ; look at the code and style; look at the systems and software used; check the UK universities for similar puzzles; did someone borrow code and from where? My guess would be a small team with majority of the work from a 28-year old graduate from Manchester/York/Bristol.

    I feel like an amateur having gone through all this. I borrowed code from Petter and Nicolas, I tried to give credit where I could, hope I did it enough. Then there are the anonymous Russian programmers who helped too. Thanks!


  90. You also need to embed the shellcode in executable memory.
    As you have it now, you're trying to execute a data segment which is not allowed by the OS.

    void shellcode(void)
    {
        __asm _emit 0x12 __asm _emit 0x34
        __asm _emit 0x56 __asm _emit 0x78
        // etc.
    }


  91. Paul:
    You have just one half of code, append the other part to it.
    Also it will not work under windows (uses linux interrupt), but when it crashes, you can do memory dump (in process manager) and look for string there (search for HTTP). Or use any debugger to see stack memory.

  92. @Paul:

    I converted it to Python. It's an RC4 cipher. Here's the code:


  93. How would someone know all this stuff? You would have to be some sort of hacker or virus writer.... and I suppose that's exactly what GCHQ is looking for.


  94. This code (from Petter) works for Part 1 and you can run it online...

    Got to go now.

  95. To MikeS, Flex, David, and anyone else I am forgetting it was fun working with you on this. If you find another challenge to work on be sure to inform me as I think we make a great team. Keep in touch.


  96. While the solution is known it still bugs me that the GET from the keygen itself doesn't work for me. On the other hand if I paste the same URL into a browser it works.

    Had I known the GET request in the dos window had not returned a real true 404 response I should believe I would have tried it in a browser window. When it did return 404 however, at least *I* assumed the text I had in the license file was wrong. That a combination I tried yesterday was wrong.


  97. Password is: Pr0t3ct!on#cyber_security@12*12.2011+

  98. !!! OMFG !!! OMFG !!!

    this is not the password, it is a fucking honey pot, there are also 3 others like this.


    If you read the press statement, it says, once all 4 stages have been completed then the user presented with a form to enter their contact details.

    I don't think that is a fucking FORM, go back to VB coding and learn what a FORM is.......

  99. Bryon/Flex/MikeS - feel free to add me on facebook: - :)

  100. The answer is: Pr0t3ct!on#cyber_security@12*12.2011+

  101. @Robert, "I converted it to Python. It's an RC4 cipher. Here's the code:". That's an original and elegant solution, thanks! ~ ET.

  102. Well, I was hoping to have a go at this "under my own steam" and on my own machine, for the challenge, but I got stuck early on after combining the code displayed on the PNG with the code commented in the PNG headers. You guys are great.

    I'm using Windows and my exe crashes. I eventually spotted the Linux interrupt "int $0x80" and kicked myself for not spotting it sooner. Haven't done anything in assembler since the early 1980s on a Research Machine Z80. The one that chewed the disk every time if you powered down with the disk still in place.

    @Anonymous, you write "you can do memory dump (in process manager) and look for string there (search for HTTP). Or use any debugger to see stack memory." I've been using gdb, but can't figure out how I can dump mem either at a break point or after the crash, to find the elusive URL. If you can spell that out, it would be greatly appreciated, thanks. ~ ET.

  103. the answer to the hex code is this.


    Sweden rules :D

  104. Re GDB:
    Read this:

    Get ESP address and look around...

  105. Pr0t3ct!on#cyber_security@12*12.2011+

  106. Guys you're amazing!! I'm trying really hard but I'm already stuck in part 1, does someone have a minute to tell me how you get from QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR
    78jKLw== to
    GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1?
    I feel really stupid but I tried for hours! I tried to use online decoders of base64 but they all give me a completely different answer!
    I don't care about the job since I'm not English but I just want to solve it!!

  107. @Rebecca:
    See - very good walkthrough I found

  108. In step1 there was this code:

    seg000:00400000 jmp short
    seg000:00400002 dd 0A3BFC2AFh
    seg000:00400006 sub esp, 100h

    so I guess this is the first license key.

  109. It's easy!


  110. Is it just me or does it appear that the competition is up and running again? I just visited the site again and it suddenly had 8 days left on the clock, with the additional words "The Challenge Continues". The code, though, appears to be exactly the same so maybe it wasn't really cracked the first time round?

  111. "If you read the press statement, it says, once all 4 stages have been completed then the user presented with a form to enter their contact details. "

    While I agree with you that it is not a form. I also have not seen the press release you are referring to. From what I could tell it's 3 stages.

    Also it's hardly a competition. You guys think they didn't consider the fact that the keyword would be leaked everywhere and they would be flooded with useless apps from people that know nothing. All it is, is a viral marketing campaign.

    P.S. - Dave I added you.


  112. Pr0t3ct!on#cyber_security@12*12.2011+

  113. Pr0t3ct!on#cyber_security@12*12.2011+

  114. Bryon: that's what they want you to think. ever bothered to actually read ? what about the remaining parts of vm memory?

    you seriously think that you've solved it, guys?
    congratulations, you've reached their honeypot :)

  115. b;<N~uo?Ik<F6:c<(`;p5:?t|("(|Uac|4I["Z_xZyU{a+5cE}|K?SD.Y85sjvz:\*^p@,Dd=83;?e0bnP3R$ZF:V,L~O 5wS&[km?6x5M;7A+X-

    ^ this is what it's all about now!

  116. How do we know the key isn't supposed to be used for decrypting something, as opposed to being the keyword to type in. There is a lot of unused memory left, maybe the key.txt is actually the decryption key somehow.

  117. Pr0t3ct!on#cyber_security@12*12.2011+

    is the answer.

  118. I think this is one of the KISS tests. I played with the idea of "cracking the code" but then it dawned on me. To be sure they would not overlook basic site security. However, they did. THIS IS FOR INFORMATIONAL USE ONLY!! is the site. After viewing the page source I noticed /images/code-bg.jpg this means there are one of two things. Other indexes or other pages. So keeping with the KISS logic, I used my old friend Google. Just googled / If you don't know where that came from then please, for the good of all of us, stop here. After that just found the link. The beauty of KISS.

  119. The code is Pr0t3ct!on#cyber_security@12*12.2011+

  120. It's the three
    0xa3bfc2af from lvl1 and
    firmware: [0xd2ab1f05, 0xda13f110]
    Remember (if you are inputting into the file) to think of endianness.


  121. @Anonymous "Re GDB: ..." Many thanks, I'll look at the tutorial you linked to. ~ ET.

  122. @Wmheath586. KISS could well be a part of it. I suspect that there may be many ways to approach and solve this test, a few traps or tar pits, so that they get a corresponding spread of folk with differing approaches and differing skills? They surely don't want everyone on their team to be into asm + linux + c, wouldn't they want something inter-disciplinary?

    Robert's approach using python (for example) must surely score highly: to produce this, you need to fully understand what you're doing, not simply hack or google; and, as I said, it was original and elegant. Regards, ~ ET.

  123. @flex "why does the server give different error results with the keygen.exe then the browser does?"

    I run a web site and rather than use a blacklist based on user agent, I use both a blacklist and a whitelist in Apache's mod_security. In my case, if there's no user agent, they get a 403 Forbidden. Is a user agent string being sent to the server, or certain other headers like Accept? ~ ET.

  124. User-agent: *
    Disallow: /
    Yet Google has some results in "site:...". Maybe an afterthought on GCHQ's part? ~ ET

  125. I used to work as a web developer, so servers and the internet are my thing ;) The keygen.exe sends no headers at all to the server, just a basic GET command, so as there's no 'Host' header the server isn't outputting the file needed, just the 404 error page. Must be a setting on IIS to redirect if there's no 'hostname' header.

  126. @flex, that sounds spot on. On Apache I disallow no hostname, empty hostname and numerical hostname (IP). That keeps out 90-odd% of script kiddies. ~ ET.
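    Added example, not code from any commenter above: flex's diagnosis is that keygen.exe sends a bare HTTP/1.0 request line with no Host header, so a server doing name-based virtual hosting cannot select the right site and falls through to its default error page. The snippet below takes that request (reconstructed from the GET line quoted later in the thread), checks for a Host header, and rewrites it as HTTP/1.1 with Host added so it can be replayed through a local proxy instead of hex-patching the binary. The hostname target.example is a placeholder, not the challenge server.

```python
# Added example (not code from this thread): the keygen request as flex describes it,
# checked for a Host header and rewritten as HTTP/1.1 for replay through a local proxy.
# The hostname "target.example" is a placeholder, not the challenge server.

# Constructed sample: what the thread reports keygen.exe sends (request line only, no headers).
KEYGEN_REQUEST = b"GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0\r\n\r\n"


def parse_request(raw):
    """Split a raw HTTP request into (method, target, version, [(name, value)], body).

    Header names are lower-cased so lookups are case-insensitive; values are stripped.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, version, headers, body


def has_host(raw):
    """True if the request carries a Host header, whatever its case."""
    return any(name == b"host" for name, _ in parse_request(raw)[3])


def add_host(raw, host, upgrade_to_11=True):
    """Return the request with a Host header inserted (and HTTP/1.1 + Connection: close).

    HTTP/1.1 makes Host mandatory, and a server doing name-based virtual hosting
    needs it to pick the right site; a bare HTTP/1.0 request falls through to
    whatever the default site serves. Requests that already have Host are returned unchanged.
    """
    method, target, version, headers, body = parse_request(raw)
    if any(name == b"host" for name, _ in headers):
        return raw
    if upgrade_to_11:
        version = b"HTTP/1.1"
        headers.append((b"connection", b"close"))  # one request, then hang up
    out = b" ".join((method, target, version)) + b"\r\n"
    out += b"Host: " + host.encode("ascii") + b"\r\n"
    for name, value in headers:
        out += name.title() + b": " + value + b"\r\n"
    return out + b"\r\n" + body


if __name__ == "__main__":
    print("keygen sends Host?", has_host(KEYGEN_REQUEST))
    print(add_host(KEYGEN_REQUEST, "target.example").decode("ascii"))
```

    Point a tiny local listener at the server, feed keygen's connection through add_host, and the 404-without-Host versus 200-with-Host behaviour the thread describes becomes a one-line check rather than a binary patch.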

  127. Just a note: the site has changed multiple times since release; the words 'the challenge continues' have been added, then moved? Any reasons why? Why modify it? Perhaps signalling that the challenge hasn't been completed yet?

    First screenshots:

    Second Screenshots:

    Third Screenshots:

    Why change it three times?

  128. @flex. I suspect that there may be multiple and diverse answers, rather than a simple case of inputting a keyword? Could be wrong, of course. ~ ET.

  129. That's my theory. Going back to the honeypot idea, perhaps that's just a trick to make you think you've finished? In the press releases it clearly states a 'fast-track to a job interview'; the final page we have so far just redirects you to the standard job application. Maybe that's saying you're good for an application but not good enough for a fast-track interview?

  130. Anyone who completes stage 4 gets taken out :

  131. Pr0t3ct!on#cyber_security@12*12.2011+



  132. There's more than one solution to the puzzle; the 'soyoudidit.asp' is not the end of the challenge, there's more!

  133. Thanks @MikeS for the C code to combine the two sets of code from on and in the image (at

    Finally got the thing to work on my own 64-bit Win7 machine by running Lubuntu in Virtual Box, which I've just installed, and compiling using cc. Worked perfectly. Regards, ~ ET.

  134. Hi,
    so I copied key.txt to my own web server and used that for keygen to download... That didn't make any difference;
    it just outputted the contents of key.txt, whatever they were.
    keygen.exe doesn't seem to do anything, but I'm just trying to check.
    Tried to hex-change keygen.exe to HTTP 1.1 and add Host:, or a local tunnel, but the buffer is too short; a bit beyond me to change the asm of this exe...


  135. The hex of the VM JS's last block, which is all unused / uncracked data.

    0000000 7a37 1107 1d1f 2568 7732 621e 5b23 5547
    0000010 3053 4211 f1f6 e6b1 ccc3 c5f8 cce4 d3c0
    0000020 fd85 e39a 81e6 bbb5 cdd7 a387 6bd3 6f36
    0000030 666f 3055 4516 095e 5c74 293f 662b 0d3d
    0000040 3002 3528 0915 dd15 b8ec fbe2 cbd8 d1d8
    0000050 d58b d982 f19a ab92 a6e8 d0d6 aa8c 94d2
    0000060 45cf 6746 7d20 1444 456b 546d 1703 6260
    0000070 5a55 664a 1161 6857 0575 3662 027d 4b10
    0000080 2208 3242 e2ba e2b9 b9d6 c3ff 8ae9 c18f
    0000090 e18f a4b8 f196 818f 8db1 cc89 78d4 6176
    00000a0 3e72 2337 7356 7971 7c63 1108 6920 147a
    00000b0 0568 1e21 2732 b759 abcf d5dd 97cc f293
    00000c0 c0e7 ffeb a3e9 a1bf 8bab 9ebb 8c9e c1a0
    00000d0 5a9b 2f2f 4e4e 0000 0000 0000 0000 0000
    00000e0 0000 0000 0000 0000 0000 0000 0000 0000

    The first two chars are 7z. Maybe we have to edit the 7zip source and change the decryption algorithm, or maybe just find the correct format...


  136. Walking on the shoulders of giants here, slowly. :)

    Thanks to @Anonymous for the VM python at . This works perfectly. Opening up memdump.bin in a hex editor quickly shows "GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0".

    Tried two links at for DLLs but the server returned a 500 Internal Server Error. Copying over cygwin from another machine and adding ";c:\cygwin\usr\local\bin;c:\cygwin\bin;c:\cygwin\user\local\lib"
    (minus quotes) to PATH soon fixed that. Regards, ~ ET.

  137. GOT IT Pr0t3ct!on#cyber_security@12*12.2011+

    my email is

  138. Same results here: keygen.exe plus license gives me a 404; same thing in browser yields Pr0t3ction. The exe could be a dead end. However, the "7z..." code is tempting.

    FWIW, see As per the 6-byte 7zip signature, it starts with "7z" but that's as far as it gets, unless this is the payload and we're expected to build a 7zip structure around it to yield an extractable archive? Wouldn't put anything past these spooks. :) ~ ET.

  139. 1. keygen returns 404 because it doesn't send Host in the HTTP request and the server needs it.
    2. It's not a 7zip archive. It decodes to some ASCII characters using the same algorithm that was used for decoding the URL to part 3 (but with different values used).
    See bottom of page at

  140. The result is "32x rand*100 dim 21"

  141. It is

    a3bfc2af is in stage one.
    d2ab1f05 & da13f110 are in stage two [firmware].

  142. Sorry to say, but it's not over yet, there's more! GCHQ said themselves in a recent press release it's not finished, and there's more to it than people think, and more ways to get to the end!

    Interested? Want to help find the real end?

    Read this:

    Then join our IRC at Mibbit,
    channel: #canyoucrackit

  143. Pr0t3ct!on#cyber_security@12*12.2011+
    ===from Macedonia

  144. @Flex, I would say that only png files could be used to hide steganography (not being lossy) and the logo is too small, with a lot of white background, which would only leave cyber.png, I think?

    There are a lot of variables to run through such as algorithm, filter and other options. Using battlesteg and laplace, passwords like "cyberwin" look like they're *too* busy: several k of message, and even "twits" generates a long message, though some randomly-chosen passwords generate no message at all.

    One that may be of interest is "deadbeef", as this generates only the one line of text, which makes it an oddity. Good hunting! ~ ET.

  145. What in the world? If anyone's willing to teach me (MikeS especially) how to even begin to 'hack', I'll solve it lol.

  146. UGH!!!!!!!!! WHAT IS IT?
    someone told me it had 24 characters...

  147. ... Got a fair few zeros in it, though, which casts a doubt in my mind. But "deadbeef" would make sense if this was a different avenue to solving the puzzle.

    cyber.png steg results using Digital Invisible Ink Toolkit, battlesteg, laplace and deadbeef:
    00 20 04 0c 00 6d 08 00 00 40 00 18 82 80 38 40 a3 83
    be 00 23 85 08 14 23 00 50 00 03 60 02 58 01 14 10 00
    00 12 00 02 00 80 28 00 01 4c 00 00 00 00 09 10 40 20
    00 80 00 00 00 00 04 c0 00 c1 a8 00 04 04 8b 98 c1 00
    c0 41 00 04 22 02 01 30 28 13 20 d0 00 00 00 -- -- --

    ~ ET.

  148. 15 years old, almost sixteen and self-taught, I cracked it. Here is the proof.


  150. Pr0t3ct!on#cyber_security@12*12.2011+

  151. Nasruddin was trying to sell his house, but without success.

    One day he pulled out a brick from the wall of his house.

    "Why did you do that?" asked his wife, appalled.

    "Oh, foolish woman, what do you know?" said Nasruddin. "To sell anything, you have to show a sample. I propose to show this brick as a sample of our house."

  152. Coming up with an answer is one thing. Of course "Pr0t3ct!on ..." is an answer. But at interview, you can expect to be asked to explain in depth how you arrived at the answer and to sit down to solve more puzzles in a room without internet access.

    For some here, the thrill is in the chase, and also the possibility that there may well be more than one way of cracking this puzzle.

  153. Pr0t3ct!on#cyber_security@12*12.2011+

  154. I have no idea who posted the above comment, but I think I understand what they are saying: to sell something, people always show a sample of what they will be offering. I do not believe Pr0t3ct!on#cyber_security@12*12.2011+ is the end of the puzzle. I think it is only a sample of the true answer, a spoonful of sugar if you will, to lead the ants astray from the true prize. I think the answer is still out there waiting to be discovered. Who knows if it will be discovered in time or not, but I do not think the page you finish at is the real thing either. I have no idea where to even begin with any of this. I would appreciate any help I might get, but for now I will continue to watch for posts and wish you all the best of luck.

  155. I just want to know the answer!

  156. zhenge again.
    When I debug the exe file via OllyDbg, I found "CMP DWORD PTR SS:[LOCAL.14],71686367" at 00401167.

    And 71686367 is "qhcg" in ASCII.
    Turn it over: it is gchq.
    If you input "gchq" in license.txt, you can get more information.

    But how to solve "cyberwin"?
    It is difficult.
    I want to know it.
    Who can tell me?
    I just know some Russians cracked it.
    Maybe Unix crypt. The hash code is hqDTK7b8K2rvw.

    And in stage 1:
    if you convert "0xeb 0x04" to assembly, it is jmp 0x06. So 0x02 0x03 0x04 0x05 are unused code.
    Turn it over: it is a3bfc2af.
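    Added example, not code from any commenter: the endianness checks behind comments 120, 141 and 156, plus the "7z" question from comments 135 and 138, in one place. STAGE1_HEAD is the first six bytes of the stage-1 blob (eb 04 plus the four bytes the jump skips), FIRMWARE and CMP_IMMEDIATE are the values quoted above, and OD_LINE is the first line of the dump in comment 135. The license.txt layout used by build_license (four-byte magic then three little-endian dwords) is an assumption for illustration, not something the thread confirms.

```python
# Added example (not code from this thread): the endianness checks the comments
# above rely on. STAGE1_HEAD, FIRMWARE, CMP_IMMEDIATE and OD_LINE are samples built
# from the values quoted in the thread; the license.txt layout in build_license is
# an assumption, not something the thread confirms.
import struct

STAGE1_HEAD = bytes.fromhex("eb04afc2bfa3")      # jmp +4, then the four skipped bytes
FIRMWARE = (0xD2AB1F05, 0xDA13F110)              # stage-2 "firmware" dwords as quoted
CMP_IMMEDIATE = 0x71686367                       # immediate from the CMP seen in the exe
OD_LINE = "0000000 7a37 1107 1d1f 2568 7732 621e 5b23 5547"   # first line of the VM tail dump
SEVENZ_MAGIC = bytes.fromhex("377abcaf271c")     # '7' 'z' 0xBC 0xAF 0x27 0x1C


def skipped_dword(code):
    """Return the dword hidden in the bytes a leading 'jmp rel8' steps over.

    eb XX jumps to offset 2 + XX, so with XX = 04 the bytes at offsets 2..5 never
    execute. Reading them as a little-endian dword turns af c2 bf a3 into 0xa3bfc2af.
    """
    if len(code) < 6 or code[0] != 0xEB:
        raise ValueError("expected a short jmp (eb XX) at offset 0")
    if 2 + code[1] != 6:
        raise ValueError("jmp does not skip exactly four bytes")
    return struct.unpack_from("<I", code, 2)[0]


def dword_as_text(value):
    """Show a CMP immediate in memory order: 0x71686367 is the bytes 67 63 68 71 = 'gchq'."""
    return struct.pack("<I", value).decode("ascii")


def build_license(magic, stage1, firmware):
    """Assumed license.txt layout: 4-byte magic, then three little-endian dwords.

    Writing the values as text ('a3bfc2af') or big-endian is the endianness slip
    the thread warns about; the comparison in the exe reads dwords from memory.
    """
    return magic.encode("ascii") + struct.pack("<III", stage1, *firmware)


def od_x_to_bytes(listing):
    """Reverse an 'offset word word ...' dump where each word is a 16-bit
    little-endian value (od -x / hexdump default): 7a37 is the bytes 37 7a = '7z'."""
    out = bytearray()
    for line in listing.splitlines():
        fields = line.split()
        for word in fields[1:]:
            out += struct.pack("<H", int(word, 16))
    return bytes(out)


def is_7z(data):
    """The full 7z signature is six bytes, not just the '7z' prefix."""
    return data[:6] == SEVENZ_MAGIC


if __name__ == "__main__":
    print(hex(skipped_dword(STAGE1_HEAD)), dword_as_text(CMP_IMMEDIATE))
    print(build_license("gchq", skipped_dword(STAGE1_HEAD), FIRMWARE).hex())
    tail = od_x_to_bytes(OD_LINE)
    print(tail[:6].hex(), "7z archive?", is_7z(tail))
```

    Two things fall out of running it: the dump's third to sixth bytes are 07 11 1f 1d rather than bc af 27 1c, so the "7z" prefix is a coincidence and not an archive signature, and the license blob has to be written as raw little-endian bytes, not as the hex text you read off the disassembly.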


  158. The answer is in the forum

  159. Put yourself into the shoes of the "black hats" we have dealings with. We've had a stroke of luck, and actually know the password they've been using: "Pr0t3ct!on#cyber_security@12*12.2011+".

    Tomorrow, as so often happens, they change the password. So where does that leave us?

    But if we have knowledge of the precise means by which they forward the password to one-another, then we may be able to crack tomorrow's new password, too, unless they cotton on to us and change their method.

    Having an answer, like showing the brick in the house, proves nothing and serves little purpose on its own.

  160. Hi guys, for those up to the _4th_ stage: has anyone tried to load the firmware into the CPU registers?

    Usually, "firmware" defines some boot-up sequence for the machine. I tried a few different combinations of firmware bytes to register bytes (they both have 8 bytes each) but nothing makes sense yet.

  161. Has anyone noticed there's more in the VM than used to crack the code?

    Whilst searching for the answer to part 3 I started executing sections of the VM, convinced there was something else hidden in the memory.

    Not sure the significance of any of these, they could just be artefacts of the algorithm used..

    Re-running the VM after HLT (without resetting the registers, just sending PC back to 0x0000) reveals this after the GET for the .exe:

    GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0.ª258;>ADGJMPSa#[N}x.%2w.b#[GU

    Now, I started to wonder whether the firmware had instructions to get more info out, and by accident I ended up incorporating a jmp 10 after the hlt.

    That went into a busy loop, but started putting this into the memory after 0x300:


    Notice ADGJMP from earlier.

    Googling these strings gives all sorts of results, making me think they're artefacts of algorithms people have spotted before, adopting them as handles etc.

    Especially notice cfilorux.dll is listed as associated with malware!

    Anyone any thoughts? Just meaningless artefacts or a deeper game?

  162. @James,
    behknqtwz is missing cd fg ij; etc.
    CFILORUX is missing de gh jk; etc.
    ADGJM is missing bc, ef, hi; etc.
    Not sure if this means anything, though. ~ ET.

  163. This crops up in google searches, though what it means, if anything, I don't know, James:
    0 3 6 9 C F I L O R U X a d g j m p s v y
    1 4 7 A D G J M P S V Y b e h k n q t w z
    2 5 8 B E H K N Q T W Z c f i l o r u x
    ~ ET.

  164. A short history of cryptography:
    Search for "ADGJMPSVY" in the page.
    ~ ET.

  165. @ET talk about me not seeing the wood for the trees with that, thx!

    ET said:
    > behknqtwz is missing cd fg ij; etc.
    > CFILORUX is missing de gh jk; etc.
    > ADGJM is missing bc, ef, hi; etc.
    > Not sure if this means anything, though. ~ ET.

  166. PS almost certainly meaningless artefacts, but that doesn't mean there isn't more hidden in mem!

  167. You're welcome, James. Just working on a PHP script to implement the Skytale cipher on my server, to see if any strings throw up useful results, though I really need to know what character set they're using, if this is what they're up to.

    May not be as simple as "0369CFILORUX" at
    Regards, ~ ET.

  168. I gave this a go but failed. I think my progress as a spy will be limited to mixing my martinis shaken, not stirred.

  169. this is the correct keyword to fill in:

  170. "this is the correct keyword to fill in:"

    Yes, we've been there.

    If I asked you what is the next number in the sequence "123", it could be 4. But it could equally well be "5", if you're open minded.

    There could be more than one correct answer, especially if they want to be able to grade or sift would-be applicants. Just a thought.

  171. These ADGJMPS and CFILORUX sequences are caused by decryption over zeroes. You can see the ASCII code for the letters is increasing, so what you see is just an "i*3+0x32" pattern (AbcDefGhiJklMnoPqrS = ADGJMPS, just every 3rd letter).
    This isn't decrypting anything.
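    Added example, not code from any commenter: the point in comment 171 worked through. Over zero-filled memory an additive keystream decrypts to itself, so a keystream of the form start + 3*i prints every third ASCII character, and constant_stride is the quick filter to run over a string pulled from a dump before googling it. The additive cipher form is an assumption for illustration; the VM's real loop is not reproduced on this page. OBSERVED is the printable run quoted in comment 161.

```python
# Added example (not code from this thread): why decrypting zero-filled memory with a
# running keystream prints evenly spaced characters. The additive form below is an
# assumption for illustration; the VM's actual loop is not reproduced on this page.
# OBSERVED is the printable run quoted earlier in the thread after the GET line.
OBSERVED = b"258;>ADGJMPS"


def stride_keystream(start, step, length):
    """Byte i of the pattern the comment describes: start + i*step (mod 256)."""
    return bytes((start + i * step) & 0xFF for i in range(length))


def additive_decrypt(ciphertext, keystream):
    """Toy byte-wise additive stream cipher (assumed form)."""
    return bytes((c + k) & 0xFF for c, k in zip(ciphertext, keystream))


def decrypt_zeroes(start, step, length):
    """Over a zeroed buffer the output *is* the keystream, whatever the cipher was hiding."""
    return additive_decrypt(bytes(length), stride_keystream(start, step, length))


def constant_stride(data):
    """Return the byte-to-byte difference if it is the same everywhere, else None.

    A quick filter for strings pulled out of a memory dump: a constant stride means
    'keystream over zeroes', not plaintext worth googling.
    """
    if len(data) < 3:
        return None
    deltas = {(b - a) & 0xFF for a, b in zip(data, data[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def skipped_between(data):
    """The letters a stride skips, e.g. 'DE', 'GH', 'JK' inside CFILORUX."""
    return [bytes(range(a + 1, b)).decode("latin-1") for a, b in zip(data, data[1:])]


if __name__ == "__main__":
    print(decrypt_zeroes(0x32, 3, 12) == OBSERVED)
    for start, n in ((0x43, 8), (0x62, 9)):     # CFILORUX, behknqtwz
        run = stride_keystream(start, 3, n)
        print(run.decode(), constant_stride(run), skipped_between(run)[:3])
```

    Starting the same stride at 0x43 or 0x62 gives CFILORUX and behknqtwz, the other two runs noted above, which is why they look like three residue classes of the alphabet: nothing was encrypted there, the loop just ran past the real data into zeroes.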

  172. That makes sense, thanks. :)

  173. Where do you guys learn this stuff? I'm reading through the comments just oblivious to whats being said in them. I have no idea what almost any of that means.

  174. See:
    "Reverse Engineering Code with IDA Pro"

    Also, look at how Truecrypt is constructed...

  175. Not quite sure where the Truecrypt thread might be heading, @Anonymous. Some explanatory text at:

    Seems that they can detect Truecrypt and many other things, using their File Investigator Tools (try or buy). ~ ET.

  176. @Anonymous: Are you hinting at the use of Truecrypt in steganography?

  177. Can we get a new blog so us serious guys can actually exchange useful info? Getting fed up with "I cracked it the answer is blah...".

    Firstly: Improved version of Python VM originally posted in is here: This disassembles the whole block now. As the original code self-modified its later block to run for the actual simple decryption, I tried pointing to some of the other blocks and self-modifying those but it didn't seem to produce anything useful with the current code but I will look further - the Python makes it easy.

    Looked at two other JPG images: images/codebreaker.jpg and images/code-bg.jpg for steganography - no apparent extra strings there but others may want to inspect more closely?


  178. When I looked at cyber.png at @Flex's suggestion, I had firstly assumed that I was looking for a small amount of text hidden using steganography. Secondly, I therefore assumed that the output from DIIT using Battlesteg, Laplace and "cyberwin" was too "busy" -- masses of apparently random message.

    However, I hadn't appreciated that you can hide something like TrueCrypt in an image or video file and that being headerless and not having any magic signature, TrueCrypt is not easily detectable.

    May be barking up the wrong tree, but trying to keep options open. ~ ET.

  179. Good on you ET!

    I suggested TrueCrypt partly because of the fact that different passwords can lead to different locations and partly for the fact that messages can be encrypted and decrypted, on the fly using a portable version of TrueCrypt - which is free, difficult to detect and easily incorporated into images.
    This is the most convenient way to transmit messages around the world without recourse to specialized equipment or software.
    There are now many steganographic software packages on the market today.
    I wrote a review paper on steg, over 10 years ago, but it is wayyy out of date now.

    Miyamoto Musashi

  180. If you want a new blog page set up then email me at and I will set one up. Also, if I set one up, only share the link with people that can help.

  181. Pr0t3ct!on#cyber_security@12*12.2011+

    Looks like this works LOL

  182. Or set up a Yahoo! group and boot out anyone who just keeps parroting "Pr0t3ct!on#cyber_security@12*12.2011+" ad nauseam.

    Regards, ET (aka Esowteric).

  183. Blog Set up, email for web address.

  184. For all of you that want to join the new discussion, here is the link.


  185. ;) Be there, or be square.

  186. tnx

    Miyamoto Musashi

  187. Hi @Heru-ur.
    I don't seem to be able to post at the new site.
    The comment appears, but on page refresh it's gone. Any hlp?

    Miyamoto Musashi

  188. Pr0t3ct!on#cyber_security@12*12.2011+ is the answer lol

  189. Did you notice that your PC info has been sent to an anonymous server? Just something to debate/think about... Are we being followed? ... Nevertheless, it's a great code... Queen is here!

  190. Pr0t3ct!on#cyber_security@12*12.2011+

  191. I know a key that'll get on yer nerves, get on yer nerves, get on yer nerves. I know a key that'll get on yer nerves, get on yer nerves, get on yer nerves .....

  192. Anyone managed to reveal the source code for /index.asp?