Wednesday, November 30, 2011

Can you crack it? (nope, I tried though)

The UK govt created a challenge to find eligible code crackers. The website is http://www.canyoucrackit.co.uk/.

I got close, but my skills aren't up to par. Here is as far as I got. They give you the following code:

eb 04 af c2 bf a3 81 ec  00 01 00 00 31 c9 88 0c
0c fe c1 75 f9 31 c0 ba  ef be ad de 02 04 0c 00
d0 c1 ca 08 8a 1c 0c 8a  3c 04 88 1c 04 88 3c 0c
fe c1 75 e8 e9 5c 00 00  00 89 e3 81 c3 04 00 00
00 5c 58 3d 41 41 41 41  75 43 48 3d 42 42 42 42
75 3b 5a 89 d1 89 e6 89  df 29 cf f3 a4 89 de 89
d1 89 df 29 cf 31 c0 31  db 31 d2 fe c0 02 1c 06
8a 14 06 8a 34 1e 88 34  06 88 14 1e 00 f2 30 f6
8a 1c 16 8a 17 30 da 88  17 47 49 75 de 31 db 89
d8 fe c0 cd 80 90 90 e8  9d ff ff ff 41 41 41 41

What jumps out at me first are the nops (90 90) in the last line. My mind automagically tells me this is shellcode. I wasn't 100% sure, but it was the only guess I had. I copied the code over into gedit, and made the following adjustments.

\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c
\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00
\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c
\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00
\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42
\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89
\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06
\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6
\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89
\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41

I then saved this into a shellcode.c file:

char shellcode[] = "\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41";

void main() {
   int *ret;

   ret = (int *)&ret + 2;
   (*ret) = (int)shellcode;

   printf("done");

}

Running it simply returned the "done" being printed by printf. This told me that the shellcode was at least not crashing, so it was probably valid shellcode. Looks like my first impression was correct. So I jumped to the asm that the shellcode produced to get a better understanding of it:

0000000000601040 :
  601040: eb 04                 jmp    601046 
  601042: af                    scas   %es:(%rdi),%eax
  601043: c2 bf a3              retq   $0xa3bf
  601046: 81 ec 00 01 00 00     sub    $0x100,%esp
  60104c: 31 c9                 xor    %ecx,%ecx
  60104e: 88 0c 0c              mov    %cl,(%rsp,%rcx,1)
  601051: fe c1                 inc    %cl
  601053: 75 f9                 jne    60104e 
  601055: 31 c0                 xor    %eax,%eax
  601057: ba ef be ad de        mov    $0xdeadbeef,%edx
  60105c: 02 04 0c              add    (%rsp,%rcx,1),%al
  60105f: 00 d0                 add    %dl,%al
  601061: c1 ca 08              ror    $0x8,%edx
  601064: 8a 1c 0c              mov    (%rsp,%rcx,1),%bl
  601067: 8a 3c 04              mov    (%rsp,%rax,1),%bh
  60106a: 88 1c 04              mov    %bl,(%rsp,%rax,1)
  60106d: 88 3c 0c              mov    %bh,(%rsp,%rcx,1)
  601070: fe c1                 inc    %cl
  601072: 75 e8                 jne    60105c 
  601074: e9 5c 00 00 00        jmpq   6010d5 
  601079: 89 e3                 mov    %esp,%ebx
  60107b: 81 c3 04 00 00 00     add    $0x4,%ebx
  601081: 5c                    pop    %rsp
  601082: 58                    pop    %rax
  601083: 3d 41 41 41 41        cmp    $0x41414141,%eax
  601088: 75 43                 jne    6010cd 
  60108a: 48 3d 42 42 42 42     cmp    $0x42424242,%rax
  601090: 75 3b                 jne    6010cd 
  601092: 5a                    pop    %rdx
  601093: 89 d1                 mov    %edx,%ecx
  601095: 89 e6                 mov    %esp,%esi
  601097: 89 df                 mov    %ebx,%edi
  601099: 29 cf                 sub    %ecx,%edi
  60109b: f3 a4                 rep movsb %ds:(%rsi),%es:(%rdi)
  60109d: 89 de                 mov    %ebx,%esi
  60109f: 89 d1                 mov    %edx,%ecx
  6010a1: 89 df                 mov    %ebx,%edi
  6010a3: 29 cf                 sub    %ecx,%edi
  6010a5: 31 c0                 xor    %eax,%eax
  6010a7: 31 db                 xor    %ebx,%ebx
  6010a9: 31 d2                 xor    %edx,%edx
  6010ab: fe c0                 inc    %al
  6010ad: 02 1c 06              add    (%rsi,%rax,1),%bl
  6010b0: 8a 14 06              mov    (%rsi,%rax,1),%dl
  6010b3: 8a 34 1e              mov    (%rsi,%rbx,1),%dh
  6010b6: 88 34 06              mov    %dh,(%rsi,%rax,1)
  6010b9: 88 14 1e              mov    %dl,(%rsi,%rbx,1)
  6010bc: 00 f2                 add    %dh,%dl
  6010be: 30 f6                 xor    %dh,%dh
  6010c0: 8a 1c 16              mov    (%rsi,%rdx,1),%bl
  6010c3: 8a 17                 mov    (%rdi),%dl
  6010c5: 30 da                 xor    %bl,%dl
  6010c7: 88 17                 mov    %dl,(%rdi)
  6010c9: 47                    rex.RXB
  6010ca: 49 75 de              rex.WB jne    6010ab 
  6010cd: 31 db                 xor    %ebx,%ebx
  6010cf: 89 d8                 mov    %ebx,%eax
  6010d1: fe c0                 inc    %al
  6010d3: cd 80                 int    $0x80
  6010d5: 90                    nop
  6010d6: 90                    nop
  6010d7: e8 9d ff ff ff        callq  601079 
  6010dc: 41                    rex.B
  6010dd: 41                    rex.B
  6010de: 41                    rex.B
  6010df: 41 00 00              add    %al,(%r8)

Definitely legitimate shellcode. The x86 asm gcc spits out is exactly what I wanted to see. Not only that, but do you see the 0xdeadbeef?

Once I knew I was in the right direction, I loaded the binary into gdb. I through a breakpoint on the printf line with
break printf
and ran the binary. I looked at the stack frame, traversed through the memory and found the strings I suspected were what we were supposed to be looking for. However, they seemed to be all multi-byte characters. I wasn't able to decipher any of them within the time limit. I had found out about the contest about 2 hours before it was over. This took me about an hour to get to traversing the stack for the strings, and I got stuck.

Oh well. Maybe next time if I have more time I can get a bit further.

402 comments:

  1. hmmm deadbeef is a classic MAC as it is one of the better words that can be represented as only hex numbers.
    So given deadbeef as a hex value plus the other 2 we have 12 hex values from 1-255
    They are too far and wide to be straight ascii values but maybe some sort of shift cipher?

    it's also possible that those might be the straight 12 ASCII chars to put into the license file and the code then does the cipher to export a useable /%x/%x/%x/key.txt url

    ReplyDelete
  2. Ok so it passes the first "check" which thanks to you guys finding out the hex number is their name backwords.

    But if "gchq" is all you have then it fails at the next check. Which is a crypt loop that reads in what you have next, which would be the cyberwin, and compares that to a hardcoded string at address 00402040 which is "hqDTK7b8K2rvw". If that check fails then it throws an invalid key. So it seems to be hashing cyberwin into that string.

    Bryon

    ReplyDelete
  3. using 'cghqcyberwin' instead of 'gchqcyberwin' renders the license invalid and the application terminates :(

    ReplyDelete
  4. "flex, it is "cghqcyberwin" not "gchqcyberwin""

    The correct one is "gchqcyberwin".

    If you look at the hex it is "qhcg" and when they check it, I believe it is read through a loop backwards. ei: gchq

    Bryon

    ReplyDelete
  5. Its not actually backwards though, that is how memory is loaded with Little-Endian, right?

    ReplyDelete
  6. i think the application is just a url generator now that we know that gchqcyberwin is correct, its just the other end of the license that we need, those other 12 characters must be somewhere in the previous 2 stages, we just need to find them :(

    ReplyDelete
  7. mov [esp+148h+var_144], offset aGetSXXXKey_txt ; "GET /%s/%x/%x/%x/key.txt HTTP/1.0\r\n\r\n"

    The three %x values will be represented in hex once they are populated and printed.

    I believe flex is correct, in that the app is a url generator. I have been going through the assembly but there doesn't seem to be anything else hidden in it.

    ReplyDelete
  8. "Its not actually backwards though, that is how memory is loaded with Little-Endian, right?"

    May be correct, Things stored on the stack are normally first one last off. So if you think of a stack of plates, and your piling them on. The first one you put on, will only be able to come off after you take off all the others in the reverse order you put them on.

    Also yes, the first part we have is correct. I am heading home right now so I will be back to post in about 20min

    Bryon

    ReplyDelete
  9. Found this on the russian exelab forum - posted by a guy who I think (lost in translation) who has solved it and giving hints for the others:

    What are the bytes can be changed in the first task so that it will not affect the receipt of references to the second task

    ReplyDelete
  10. d2:ab:1f:05
    da:13:f1:10
    de:ad:be:ef

    Gives you some weird control codes (ala LF and CR) but are valid ascii codes.

    The resulting codes aren't probably printable on this blog so here's a quick bit of code that'll dump them you can redirect that to license.txt

    [code]

    {/code]

    ReplyDelete
  11. gah it stripped the php tags
    try adding them to this

    $str = explode(':', 'd2:ab:1f:05:da:13:f1:10:de:ad:be:ef');

    echo "gchqcyberwin";

    foreach ($str as $elem) {
    echo chr(hexdec($elem));
    }

    ReplyDelete
  12. Damn Russians own at everything haxor related.

    ReplyDelete
  13. Might be a bit late now, but still relevant.
    Noone noticed the typo in line 5 of the shell code above? The disassembly looks valid, but probably not give the right answer if you've copied this code.

    "48 3d" should be "58 3d"

    I tried running solving it on x86_64 fedora but just couldn't get anything useful due to lack of asm and shellcoding knowledge, and painfully fragmented web resources

    ReplyDelete
  14. Im sorry to say but im going to have to go now, as i have uni in 5 hours ;) but i will be back tomrrow to check on your progress and help some more if needed ;) thanks guys, Flex.

    ReplyDelete
  15. Ok im back. Hurry back flex I ma going to need your help. So I was stepping through the crypt function on my way back and I found some interesting output. I will post it as soon as its done (5 min?) may need help figuring it out.

    Bryon

    ReplyDelete
  16. Bryon/Flex/anyone else - just made an IRC channel at mibbit - join and can discuss findings there etc if you want? Rather than trying to scroll through all these comments loL!

    http://cbe004.chat.mibbit.com/
    #canyoucrackit

    :)

    ReplyDelete
  17. I don't think the host is actually canyoucrackit.co.uk

    Google would have found it if that is the case:
    https://www.google.com/search?q=site:canyoucrackit.co.uk&hl=en&prmd=imvns&filter=0&biw=1680&bih=871

    I think we need to find the actual host?
    At first I thought that cyberwin was related, but googling that only brings up some chinese website.

    ReplyDelete
  18. Hey Dave, I couldn't find the IRC on mibbit. So this is what the crypt function spit out. The first of each line is the word cyberwin. Any idea on the following?

    c 1 18 0c 06 03 01

    y 3c 1e 0f 07 03 01

    b 1 18 0c 06 03 01

    e 2 19 0c 06 03 01

    r 9 1c 0e 07 03 01

    w ; 1d 0e 07 03 01

    i 4 1a 0d 06 03 01

    n 7 1b 0d 06 03 01

    Bryon

    ReplyDelete
  19. Byron, just head over to http://cbe004.chat.mibbit.com/
    put a nickname in, put channel as #canyoucrackit
    and you should be well away

    There's 6 of us in there discussing!

    :)

    ReplyDelete
  20. So, for 2nd part, the VM code does this:
    int i;
    for(i=0;i<80;i++) mem[0x100+i]^=i+0xAA;
    for(i=0;i<51;i++) mem[0x1C0+i]^=i*3+0x32;

    As you can see, xor sequence is always in form of i*X+Y.

    So I did analysis for other chunks of binary data in memory, looking for X,Y that produce output with MSB=0 (looking for text).

    There is only one (!) possible combination for each block:
    for(i=0;i<112;i++) mem[0x150+i]^=i*5+31;
    for(i=0;i<128;i++) mem[0x200+i]^=i*5+31;
    for(i=0;i<128;i++) mem[0x280+i]^=i*5+111;

    Output is still not text, but all MSB bits are zero, except for 6 bytes near addr 0x280.

    Now let's see the firmware values:
    0xd2ab1f05 = 210 171 31 5 dec
    0xda13f110 = 218 19 241 16 dec

    Notice the 31 and 5 ...

    I think these firmware codes contain hints how to decrypt rest of the memory.

    For part3, we need two hex values and there are two (maybe 3) blocks in memory... maybe all codes for part3 are there.

    rx0

    ReplyDelete
  21. It seems the crypt stuff only gets used for the first part that converts into the string %x
    The other values get converted pretty much straight back to the hex values but shown as ascii if that makes sense.

    I.e trying the above php stuff I got a url of
    GET /hqDTK7b8K2rvw/51fabd2/10f113da/efbeadde/key.txt HTTP/1.0

    So it effectively reversed (little endianed?) whatever I had in the license.txt file this is on Win7 x64 if it makes a diff

    ReplyDelete
  22. Hello,
    PLEASE CAN SOMEONE TELL ME WHICH BOOK TO READ TO KNOW MORE ABOUT CODING, PLEASE TAKE TIME TO SEND TO MY EMAIL.... JNNESON AT GMAIL DOT COME .... PLEASE I AM A NEW LEARNER BUT HOME STUDY NO MONEY TO GO TO BIG SCHOOL FOR IT. THANKS

    ReplyDelete
  23. The answer is Pr0t3ct!on#cyber_security@12*12.2011+

    ;)

    ReplyDelete
  24. I think that would be a red herring mate, they need a safeguard in place for cheaters who just brute force it.

    I doubt they would make it that easy.

    ReplyDelete
  25. How did you get "Pr0t3ct!on#cyber_security@12*12.2011+"

    Bryon

    ReplyDelete
  26. Here is a clue for you

    the result of executing the program is the decrypted URL for stage3 (stage 2 if you exclude the base64 encoded data).

    ReplyDelete
  27. So why would you take hex fields, use them as 12 characters in the license.txt file and then print that to the hex equivalent in the URL?

    Maybe we're looking for characters hidden somewhere?

    Anyone looked over the data/code for hidden characters?

    I tried the first codeset

    eb:04:af:c2:bf:a3:81:ec:00:01:00:00:31:c9:88:0c:0c:fe:c1:75:f9:31:c0:ba:ef:be:ad:de:02:04:0c:00:d0:c1:ca:08:8a:1c:0c:8a:3c:04:88:1c:04:88:3c:0c:fe:c1:75:e8:e9:5c:00:00:00:89:e3:81:c3:04:00:00:00:5c:58:3d:41:41:41:41:75:43:58:3d:42:42:42:42:75:3b:5a:89:d1:89:e6:89:df:29:cf:f3:a4:89:de:89:d1:89:df:29:cf:31:c0:31:db:31:d2:fe:c0:02:1c:06:8a:14:06:8a:34:1e:88:34:06:88:14:1e:00:f2:30:f6:8a:1c:16:8a:17:30:da:88:17:47:49:75:de:31:db:89:d8:fe:c0:cd:80:90:90:e8:9d:ff:ff:ff:41:41:41:41:42:42:42:42:32:00:00:00:91:D8:F1:6D:70:20:3A:AB:67:9A:0B:C4:91:FB:C7:66:0F:FC:CD:CC:B4:02:FA:D7:77:B4:54:38:AB:1F:0E:E3:8E:D3:0D:EB:99:C3:93:FE:D1:2B:1B:11:C6:11:EF:C8:CA:2F

    or

    ????????????1??????u?1??????????????????<?????<???u??\???????????\X=AAAAuCX=BBBBu;Z??????)?????????)?1?1?1??????????4??4??????0??????0???GIu?1??????????????AAAABBBB2??????mp :?g??????f????????w?T8?????????????+???????/

    and there isn't much there. Anyone else have new ideas on where these 12 characters may be hidden? I mean it could be "firmware" itself, dates, ...

    MikeS

    ReplyDelete
  28. the 3 dwords left over.
    d2:ab:1f:05
    da:13:f1:10
    de:ad:be:ef

    Has anyone seen the last line.
    de:ad:be:ef
    DE AD BE EF

    Dead Beef.

    this is a Hex Term.......

    ReplyDelete
  29. Well I'm out for tonight.
    The code isn't hidden in the source anywhere (apart from the already cracked cipher/hash/first part).

    The the sections of the url will be completely random hex values. The only place they are is in the section of code/dump after the .exe url part
    http://pastebin.com/6AfAzjDK dump here.

    the first 7z part suggests it's a 7z archive except it's not, at least not in it's raw form. So I think that just needs to be solved and out will pop a useable license.txt file complete with random values.

    ReplyDelete
  30. Pr0t3ct!on#cyber_security@12*12.2011+

    Just incase you give up bitchesss ;)

    ReplyDelete
  31. So has anyone unequivocally negated notions hypothesizing embedded indelible kruptós steganographically hidden in the strange image file you espouse as assembled code here?

    ReplyDelete
  32. Which strange image file?

    Bryon

    ReplyDelete
  33. http://www.canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js

    ReplyDelete
  34. What the fuck 25.000 libras... just pathetic.

    ReplyDelete
  35. Any sucess on the last 12 chars?

    ReplyDelete
  36. Not yet. Looking for the hidden info in the png file atm.

    ReplyDelete
  37. Well I did find it in the header of cyber.png - Thats old news though.

    ReplyDelete
  38. I didn't find this info any place else so I will post it here.

    Inside cyber.png you will find part of the info for a step. However no-one tells you HOW to find it. If you open cyber.png with hex editor you will see somewhere in the first few lines "iTXT" with "Comment" right after it. This is inside the header of the png file. Now copy everything between the iTXtComment and "IDAT"(The start of the image chunks) and paste it into a base64 decoder. Once it is decoded, Convert it into HEX, and there you have it. Post if you have any questions.

    Bryon

    ReplyDelete
  39. hey guys! you are doing an excellent work! I am stuck on the keygen as you! :)

    dsa

    ReplyDelete
  40. http://www.gchq.gov.uk/Challenges/Pages/Break-Some-Code-Puzzle-1.aspx

    ReplyDelete
  41. I propose that there's more to the image file than the machine code and the hidden base64 string.

    ReplyDelete
  42. > read our comments - we tried this combination

    In the disassembly at http://pastebin.com/NFRx5jC1, the only relevant code is this one in sub_401090. In C it is something like this:

    struct var_38 {
    char x[12];
    unsigned var_24, var_28, var_24;
    };
    unsigned var_48[3];
    memset(var_38, 0, sizeof(var_38)); /* sizeof = 0x18 */
    fscanf(var_4c, "%s", var_38);
    fclose(var_4c);
    var_4c = NULL;
    /* crypt stuff does not need to be cracked, it does not modify var_38 and its output is used only as input to strcmp. Just bypass it/pretend it does not exist. */
    var_48[0] = var_38.var_2c;
    var_48[1] = var_38.var_28;
    var_48[2] = var_38.var_24;
    sub_401209(var_48, argv[1])

    ...

    and this one in sub_401209:

    static char *p = "hqDTK7b8K2rvw";
    sprintf(s, "GET /%s/%x/%x/%x/key.txt HTTP/1.0", p, arg1[0], arg1[1], arg1[2]);

    Just throw away the damn .exe and try putting the three words (the unused four bytes in stage1---that's not 0xdeadbeef!---and the firmware words) in the URL.

    ReplyDelete
  43. In Level1, when you decrypt the URL, there is an extra DWORD that gets decrypted (right after the HTTP/) and its DE3DBB2F or 2FBB3DDE (depending on the endianness).

    I think it's a safe to assume that the first DWORD is either DE3DBB2F or 2FBB3DDE.

    We just need to find the 2nd and 3rd DWORDS (probably from Level 2).

    ReplyDelete
  44. Nope, the first dword is already in the thread, but you didn't listen. It's in the code, not in the output.

    The 256 bytes after the HTTP/1.0 are the decryption key and they are a combination of DEADBEEF, some more XORing and a sequence from 00 to FF. But they do not matter.

    ReplyDelete
  45. Cracking part 1: http://raofe.blogspot.com/2011/12/can-you-crack-it.html

    ReplyDelete
  46. for me "gchqcyberwin" works.

    "cghqcyberwin" leads to output:
    error: license.txt invalid

    ReplyDelete
  47. What do you post in the form at stage 1?

    ReplyDelete
  48. Posting to the form is the final stage, not the first...

    ReplyDelete
  49. whats the answer to that then!

    ReplyDelete
  50. http://www.canyoucrackit.co.uk/soyoudidit.asp

    I solved it.

    ReplyDelete
  51. For once this isnt a spam post honest!
    I started looking the the cracking the code aswell yesterday. Not really being much into ciphers and the like. I looked at the image and thinking it was a hex memory dump, started decoding to binary and back to ascii just to see what came out which was giberish! Oviously due to being linux not windows. I then thought ohh these could be various md5 or sh1 hashes and started dictionary cracking these to no avail. Now I understand why ! Thanks for taking the time to detail how you went about this. I thought I knew allot about computers(10 years working in the industry) but obviously im only just scratching the "high level" surface. Im off to learn me some assembly language, wish me luck!

    ReplyDelete
  52. I spend all morning on this one, love a nice challenge.

    The answer is actually...
    Pr0t3ct!on#cyber_security@12*12.2011+

    Type it into the canyoucrackit.co.uk aqnd see what happens..

    ReplyDelete
  53. Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  54. yer but were did you get it from? or did you just copy and paste it from somewhere else....?

    ReplyDelete
  55. Ok guys- lets say it again: we are not interested in the answer or the successpage, or any other useless posts, but in the exact way to solve the puzzle.
    So point out how you solved it or shut up.

    ReplyDelete
  56. I couldn't solve the puzzle for love nor money, the interest is in discovering how it is being done and learning many new things about a topic that I've never been involved in. There is nothing like the internet for exposing you to just how many people there are in the world with more knowledge and/or wisdom than you :)

    ReplyDelete
  57. Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  58. keygen.exe

    loading stage1 license key(s)...
    loading stage2 license key(s)...

    request:

    GET /hqDTK7b8K2rvw/0/0/0/key.txt HTTP/1.0

    response:

    HTTP/1.1 404 Not Found

    ReplyDelete
  59. I loved reading this. Grats on working together so patiently. Even though I am still an infant in programming, I followed a little of this.

    ReplyDelete
  60. Wait, so where is the rest of this thread? What are the correct 3 parts of the url after /hqDTK7b8K2rvw ?

    ReplyDelete
  61. Still trying to solve the 3 parts.

    R.

    ReplyDelete
  62. Guys, the three words are written in the first page. 1 from stage1, 2 from stage2 (the firmware). Put the words in hex directly in the URL, ignore the .exe. I don't want to write it more plainly than this.

    ReplyDelete
  63. 0xafc2bfa3, 0xd2ab1f05, 0xda13f110

    but that doesn't work

    ReplyDelete
  64. whats the URL? the 4byte firmware doesnt work :(

    ReplyDelete
  65. It's not http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/afc2bfa3/d2ab1f05/da13f110/key.txt in upper or lowercase nor with deadbeef instead of the jumped over code in part1

    ReplyDelete
  66. Been working on and off this for the last couple of days. Got as far as getting the VM to work and getting the keygen.exe before resorting to the Internet but haven't had time to do the rest. Keep up the good work. Here's my version of the VM: http://pastebin.com/Uz8QBFkg

    ReplyDelete
  67. Resposta:

    https://apply.gchq-careers.co.uk/fe/tpl_gchq01ssl.asp?newms=jj&id=35874

    ReplyDelete
  68. h t t p s : / / a p p l y . g c h q - c a r e e r s . c o . u k / f e / t p l _ g c h q 0 1 s s l . a s p ? n e w m s = j j & i d = 3 5 8 7 4

    ReplyDelete
  69. Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  70. FWIW I used the 256 bytes part from 7z... in part2 as the license.txt file. Seems to be accepted by keygen.txt
    but the resulting url leads nowhere

    ReplyDelete
  71. http://blog.pi3.com.pl/?p=213

    sadly he just copied this and if you notice he skips over the last step like a true "I am copying this stuff and passing it off as my work"er

    ReplyDelete
  72. I have the correct dll's and am attempting to run keygen.exe canyoucrackit.co.uk in CMD, but i'm just getting error: license.txt not found

    anyone any idea what im doing wrong?

    -Lyndon

    ReplyDelete
  73. Lydon
    make the license.txt file and put this in it

    gchqcyberwin

    ReplyDelete
  74. you will need the a license file with a password in it.

    ReplyDelete
  75. I have gchqcyberwin in the license.txt in the same directory as the .exe , yet i'm still getting
    "error: license.txt not found" Damn I'm really in over my head here.

    -Lyndon

    ReplyDelete
  76. 0xdeadbeef is the RC4 4-octet key used in stage 1. I doubt it would be used for anything else

    ReplyDelete
  77. My question is, there is so much stuff in the VM's memory that isn't used. Immediately after the url is a 7z, which are the first two characters of any 7zip archive. However, the header signature of 7zip is 6 bytes, and the last 4 don't match. I'm wondering if the unused firmware numbers are somehow used to decrypt the remaining memory (via xor?) to produce a valid archive. Plus, there is the memory that exists before the url in the VM memory dump that is also unused. It can't just be gibberish...

    ReplyDelete
  78. Skipped code & 'firmware' words are correct, but the bytes from level 1 have to be interpreted as single 32bit word (endian).

    ReplyDelete
  79. Thanks Mr Anonymous for the tip

    ReplyDelete
  80. can somone in english please tell me the answer to typr into tyhe submit box??

    ReplyDelete
  81. the answer is "D01ty0ur3fuck1ngs3lf"

    ReplyDelete
  82. 0xafc2bfa3, 0xd2ab1f05, 0xda13f110

    but reverse the middle one
    051fabd2

    you need to ascii the whole lot and append it to the license.txt

    then...you get

    http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt

    but the .exe GET fails so I just hit the url






    this is the url
    http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt

    ReplyDelete
  83. license.txt should be
    gchqcyberwin¯Â¿£ «Ò ñ Ú

    ReplyDelete
  84. Looks like it all comes down to non-standard ASCII and keygen... there is some data on the IRC channel if anyone cares now

    MikeS

    ReplyDelete
  85. No matter what I do to pad the license.text or anything else I cant get (my) keygen to kick out a URL that works. A cut/paste of the URL or GET request works fine. It's just (my) keygen.

    Here is the license.txt file in HEX in case anyone else wants to try and be sure they have the right characters

    67636871637962657277696EAFC2BFA305ABD210F113DA

    MikeS

    ReplyDelete
  86. Munging through a dump of the .exe to get the code and strings is very revealing as posted by someone earlier. You don't even need to run the .exe. Once you've figure out the magic missing numbers from the earlier stages, you're done

    ReplyDelete
  87. Using Visual C++ Express and Windows XP. I tried this:

    #include
    #include "stdafx.h"

    char shellcode[] = "\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41";

    void _tmain() {
    ((int(*)(void))(&shellcode))();
    printf("done");
    getchar();
    }

    But I get an error "Access violation reading 0xffffffff"

    Does the code only run on Linux or have I done something else wrong?

    Paul

    ReplyDelete
  88. It calls a Lunix syscall, so in Windows you need to change it.
    I recommend setting a breakpoint in the shell code and just step tracing with the debugger.

    You're also missing data in the shellcode.

    ReplyDelete
  89. I think we have all exhausted this puzzle and are just dotting "i"s and crossing "t"s now. Seems keygen wasnt needed except to give up hqDTK7b8K2rvw. Next challenge for me anyway: who wrote the puzzle?

    Some clues: look at the PDF bios online for GCHQ; look at the code and style; look at the systems and software used; check the UK universities for similar puzzles; did someone borrow code and from where? My guess would be a small team with majority of the work from a 28-year old graduate from Manchester/York/Bristol.

    I feel like an amateur having gone through all this. I borrowed code from Petter and Nicolas, I tried to give credit where I could, hope I did it enough. Then there are the anonymous Russian programmers who helped too. Thanks!

    MikeS

    ReplyDelete
  90. You also need to embed the shellcode in executable memory.
    As you have it now, you're trying to execute a data segment which is not allowed by the OS.

    void shellcode(void)
    {
    __asm _emit 0x12 __asm _emit 0x34
    __asm _emit 0x56 __asm _emit 0x78
    // etc.
    }

    main()
    {
    shellcode();
    }

    ReplyDelete
  91. Paul:
    You have just one half of code, append the other part to it.
    Also it will not work under windows (uses linux interrupt), but when it crashes, you can do memory dump (in process manager) and look for string there (search for HTTP). Or use any debugger to see stack memory.

    ReplyDelete
  92. @Paul:

    I converted it to Python. It's an RC4 cipher. Here's the code: http://pastebin.com/FCt4XqP5

    Robert

    ReplyDelete
  93. How would someone know all this stuff? You would have to be some sort of hacker or virus writer.... and I suppose that's exactly what GCHQ is looking for.

    Paul.

    ReplyDelete
  94. This code (from Petter) works for Part 1 and you can run it online...

    http://ideone.com/XnePp

    Got to go now.

    ReplyDelete
  95. To MikeS, Flex, David, and anyone else I am forgetting it was fun working with you on this. If you find another challenge to work on be sure to inform me as I think we make a great team. Keep in touch.

    Bryon

    ReplyDelete
  96. While the solution is known it still bugs me that the GET from the keygen itself doesn't work for me. On the other hand if I paste the same URL into a browser it works.

    Had I known the GET request in the dos window had not returned a real true 404 response I should believe I would have tried it in a browser window. When it did return 404 however, at least *I* assumed the text I had in the license file was wrong. That a combination I tried yesterday was wrong.

    http://tinypic.com/r/axfy47/5

    *sigh*

    ReplyDelete
  97. Password is: Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  98. !!! OMFG !!! OMFG !!!

    this is not the password, it is a fucking honey pot, that are also 3 others like this.

    Pr0t3ct!on#cyber_security@12*12.2011+

    If you read the press statement, it says, once all 4 stages have been completed then the user presented with a form to enter their contact details.

    i dont think that is a fucking FORM, go back to VB coding and learn what a FORM is.......

    ReplyDelete
  99. Bryon/Flex/MikeS - feel free to add me on facebook: facebook.com/dclarke196 - :)

    ReplyDelete
  100. The answer is: Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  101. @Robert, "I converted it to Python. It's an RC4 cipher. Here's the code: http://pastebin.com/FCt4XqP5". That's an original and elegant solution, thanks! ~ ET.

    ReplyDelete
  102. Well, I was hoping to have a go at this "under my own steam" and on my own machine, for the challenge, but I got stuck early on after combining the code displayed on the PNG with the code commented in the PNG headers. You guys are great.

    I'm using Windows and my exe crashes. I eventually spotted the Linux interrupt "int $0x80" and kicked myself for not spotting it sooner. Haven't done anything in assembler since the early 1980s on a Research Machine Z80. The one that chewed the disk every time if you powered down with the disk still in place.

    @Anonymous, you write "you can do memory dump (in process manager) and look for string there (search for HTTP). Or use any debugger to see stack memory." I've been using gdb, but can't figure out how I can dump mem either at a break point or after the crash, to find the elusive URL. If you can spell that out, it would be greatly appreciated, thanks. ~ ET.

    ReplyDelete
  103. the answer to the hex code is this.

    Pr0t3ct!on#cyber_security@12*12.2011+

    Sweden rules :D

    ReplyDelete
  104. Re GDB:
    Read this: http://www.unknownroad.com/rtfm/gdbtut/gdbadvanced.html

    Get ESP address and look around...

    ReplyDelete
  105. Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  106. Guys you re amazing!!I`m trying really hard but I`m already stuck in part 1, does someone has a minute to tell me how do you get from QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR
    78jKLw== to
    GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1?
    I feel really stupid but I tried for hours!I tried to use online decoders of base64 but they all give me a completely different answer!
    I don`t care about the job since I`m not English but I just want to solve it!!
    Thanks
    Rebecca

    ReplyDelete
  107. @Rebecca:
    See http://www.r00t.cz/Misc/CanYouCrackIt - very good walkthrough I found

    ReplyDelete
  108. In step1 there was this code:

    seg000:00400000 jmp short
    seg000:00400002 dd 0A3BFC2AFh
    seg000:00400006 sub esp, 100h

    so i guess this is the first license key.

    ReplyDelete
  109. It's easy!

    Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  110. Is it just me or does it appear that the competition is up and running again? I just visited the site again and it suddenly had 8 days left on the clock, with the additional words "The Challenge Continues". The code, though, appears to be exactly the same so maybe it wasn't really cracked the first time round?

    ReplyDelete
  111. "If you read the press statement, it says, once all 4 stages have been completed then the user presented with a form to enter their contact details. "

    While I agree with you that it is not a form. I also have not seen the press release you are referring too. From what I could tell it's 3 stages.

    Also its hardly a competition. You guys think they didn't consider the fact that the keyword would be leaked everywhere and they would be flooded with useless app's of people that know nothing. All's it is, is a viral marketing campaign.

    P.S. - Dave I added you.

    Bryon

    ReplyDelete
  112. Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  113. Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  114. Bryon: thats what they want you to think. ever bothered to actually read http://www.r00t.cz/Misc/CanYouCrackIt ? what about the remaining parts of vm memory?

    you seriously think that you've solved it, guys?
    congratulations, you've reached their honeypot :)

    ReplyDelete
  115. b;<N~uo?Ik<F6:c<(`;p5:?t|("(|Uac|4I["Z_xZyU{a+5cE}|K?SD.Y85sjvz:\*^p@,Dd=83;?e0bnP3R$ZF:V,L~O 5wS&[km?6x5M;7A+X-
    (^.?,%Ugu;O4x;"?<Dh<uy<tTPYcO|ui:9S-5YhY0!vU(k3e`rL.5ms;C`~o`6hW]TA[fqh_k4smCk}{$a;gY9_y?z76gZ'n0AOi3eY6Li\b8W%(
    J~cHR)j*2I3`&bu!gV;L9j4pA%^eB::{0%qjE)RcVax:/xsk}*.=u[\KT@IWk9/N7aHpA_$5H'LCW76XHtRA*krs|WZxu|U;d^&!]V

    ^ this is what it's all about now!

    ReplyDelete
  116. How do we know the key isn't supposed to be used for decrypting something, as opposed to being the keyword to type in. There is a lot of unused memory left, maybe the key.txt is actually the decryption key somehow.

    ReplyDelete
  117. Pr0t3ct!on#cyber_security@12*12.2011+

    is the answer.

    ReplyDelete
  118. I think this is one of the KISS test. I played with the idea of "cracking the code" but then it dawned on me. To be sure they would not over look basic site security. However, they did. THIS IS FOR INFORMATIONAL USE ONLY!! www.canyoucrackit.co.uk is the site. After viewing the page source I noticed /images/code-bg.jpg this means there are one of two things. Other indexes or other pages. So keeping with the KISS logic, I used my old friend google. just googled / site:www.canyoucrackit.co.uk If you dont know where that came from then please, for the good of all of us, stop here. After that just found the link. The beauty of KISS.

    ReplyDelete
  119. The code is Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  120. It the three
    0xa3bfc2af from lvl1 and
    firmware: [0xd2ab1f05, 0xda13f110]
    Remember (if you are inputting into the file) to think of endianess.

    //P

    ReplyDelete
  121. @Anonymous "Re GDB: ..." Many thanks, I'll look at the tutorial you linked to. ~ ET.

    ReplyDelete
  122. @Wmheath586. KISS could well be a part of it. I suspect that there may be many ways to approach and solve this test, a few traps or tar pits, so that they get a corresponding spread of folk with differing approaches and differing skills? They surely don't want everyone on their team to be into asm + linux + c, wouldn't they want something inter-disciplinary?

    Robert's approach using python (for example) must surely score highly: to produce this, you need to fully understand what you're doing, not simply hack or google; and, as I said, it was original and elegant. Regards, ~ ET.

    ReplyDelete
  123. @flex "why does the server give different error results with the keygen.exe then the browser does?"

    I run a web site and rather than use a blacklist based on user agent, I use both a blacklist and a whitelist in Apache's mod_security. In my case, if there's no user agent, they get a 403 Forbidden. Is a user agent string being sent to the server, or certain other headers like Accept? ~ ET.

    ReplyDelete
  124. http://www.canyoucrackit.co.uk/robots.txt
    User-agent: *
    Disallow: /
    Yet google has some results in "site:...". Maybe an afterthought on GCHQ's part? ~ ET

    ReplyDelete
  125. i used to work as a web developer so servers and the internet is my thing ;) the keygen.exe sends no headers at all to the server, just a basic GET command, so as theres no 'host' header the server isnt outputting the file needed, just the 404 error page, must be a setting on IIS to redirect if theres no 'hostname' header

    ReplyDelete
  126. @flex, that sounds spot on. On Apache I disallow no hostname, empty hostname and numerical hostname (IP). That keeps out 90-odd% of script kiddies. ~ ET.

    ReplyDelete
  127. Just a note, the site has changed multiple times since release, the words 'the challenge continues' has been added then moved? any reasons why? why modify it? perhaps signaling that the challenge hasnt been completed yet?

    First screenshots:
    http://www.guardian.co.uk/media/2011/dec/01/gchq-computer-hackers-ad

    Second Screenshots:
    http://techmash.co.uk/20762/2011/12/02/crack-the-code-for-25000-gchq-job/

    Third Screenshots:
    http://www.theblaze.com/stories/is-this-the-coolest-job-audition-ever-can-you-crack-it/

    Why change it three times?

    ReplyDelete
  128. @flex. I suspect that there may be multiple and diverse answers, rather than a simple case of inputting a keyword? Could be wrong, of course. ~ ET.

    ReplyDelete
  129. thats my theory, going back to the honeypot idea, perhaps thats just a trick to make you think youve finished? in the press releases it clearly states a 'fast-track to a job interview' the finial page we have so far just redirects you to the standard job application, maybe thats saying your good for an application but not good enough for a fast track interview?

    ReplyDelete
  130. Anyone who completes stage 4 gets taken out : http://earth101.net/?wc

    ReplyDelete
  131. Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  132. http://www.theinquirer.net/inquirer/news/2129647/workaround-gchq-cracking-challenge

    ^^^^^^^^^^^^^^^^^^^
    EVERYBODY READ THIS

    theres more than one solution to the puzzle, the 'soyoudidit.asp' is not the end of the challenge, theres more!

    ReplyDelete
  133. Thanks @MikeS for the c code to combine the two sets of code from on and in the image (at http://ideone.com/XnePp).

    Finally got the thing to work on my own 64-bit Win7 machine by running Lubuntu in Virtual Box, which I've just installed, and compiling using cc. Worked perfectly. Regards, ~ ET.

    ReplyDelete
  134. hi
    so i copied key.txt to my own web server, and used that for keygen to download... that didn't make any difference
    it just out putted the contents of key.txt whatever they where
    keygen.exe doesn't seem to do any thing but just trying to check
    trying to hex change keygen.exe to http 1.1 and add Host: www.canyoucrackit.co.uk:80 or local tunnel but buffer is too short - bit beyond me to change the asm of this exe...

    ~BH

    ReplyDelete
  135. The hex of the VM js last block which is all unused / uncracked data.


    0000000 7a37 1107 1d1f 2568 7732 621e 5b23 5547
    0000010 3053 4211 f1f6 e6b1 ccc3 c5f8 cce4 d3c0
    0000020 fd85 e39a 81e6 bbb5 cdd7 a387 6bd3 6f36
    0000030 666f 3055 4516 095e 5c74 293f 662b 0d3d
    0000040 3002 3528 0915 dd15 b8ec fbe2 cbd8 d1d8
    0000050 d58b d982 f19a ab92 a6e8 d0d6 aa8c 94d2
    0000060 45cf 6746 7d20 1444 456b 546d 1703 6260
    0000070 5a55 664a 1161 6857 0575 3662 027d 4b10
    0000080 2208 3242 e2ba e2b9 b9d6 c3ff 8ae9 c18f
    0000090 e18f a4b8 f196 818f 8db1 cc89 78d4 6176
    00000a0 3e72 2337 7356 7971 7c63 1108 6920 147a
    00000b0 0568 1e21 2732 b759 abcf d5dd 97cc f293
    00000c0 c0e7 ffeb a3e9 a1bf 8bab 9ebb 8c9e c1a0
    00000d0 5a9b 2f2f 4e4e 0000 0000 0000 0000 0000
    00000e0 0000 0000 0000 0000 0000 0000 0000 0000

    The first two chars are 7z. Maybe we have to edit the 7zip source and change the decryption algorithm. or maybe just find the correct format...

    ~BH

    ReplyDelete
  136. Walking on the shoulders of giants here, slowly. :)

    Thanks to @Anonymous for the VM python at http://pastebin.com/Uz8QBFkg . This works perfectly. Opening up memdump.bin in a hex editor quickly shows "GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0".

    Tried two links at rghost.net for DLLs but the server returned a 500 Internal Server Error. Copying over cygwin from another machine and adding ";c:\cygwin\usr\local\bin;c:\cygwin\bin;c:\cygwin\user\local\lib"
    (minus quotes) to PATH soon fixed that. Regards, ~ ET.

    ReplyDelete
  137. GOT IT Pr0t3ct!on#cyber_security@12*12.2011+

    my email is namit2saxena@gmail.com

    ReplyDelete
  138. Same results here: keygen.exe plus license gives me a 404; same thing in browser yields Pr0t3ction. The exe could be a dead end. However, the "7z..." code is tempting.

    FWIW, see http://docs.bugaco.com/7zip/7zFormat.txt. As per the 6 byte 7zip signature, it starts with "7z" but that's as far as it gets, unless this is the payload and we're expected to build a 7Zip structure around it to yield an extractable archive? Wouldn't put anything past these spooks. :) ~ ET.

    ReplyDelete
  139. 1. keygen returns 404 because it doesn't send Host in HTTP request and server needs it.
    2. It's not 7zip archive. It decodes to some ASCII characters using same algorithm that was used for decoding URL to part 3 (but with different values used).
    See bottom of page at http://www.r00t.cz/Misc/CanYouCrackIt

    ReplyDelete
  140. The result is "32x rand*100 dim 21"

    ReplyDelete
  141. It is
    /hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt

    a3bfc2af is in stage one.
    d2ab1f05 & da13f110 are in stage two[firmwire].

    ReplyDelete
  142. Sorry to say, but its not over yet, theres more! GCHQ said themselves in a recent press release its not finished and theres more to it than people think, and more ways to get to the end!

    Interested? want to help find the real end?

    Read this: http://pastebin.com/CW65K4yb

    Then joing our IRC at Mibbit

    http://cbe004.chat.mibbit.com/
    channel: #canyoucrackit

    ReplyDelete
  143. Pr0t3ct!on#cyber_security@12*12.2011+
    ===from Macedonia

    ReplyDelete
  144. @Flex, I would say that only png files could be used to hide steganography (not being lossy) and the logo is too small, with a lot of white background, which would only leave cyber.png, I think?

    There are a lot of variables to run through such as algorithm, filter and other options. Using battlesteg and laplace, passwords like "cyberwin" look like they're *too* busy: several k of message, and even "twits" generates a long message, though some randomly-chosen passwords generate no message at all.

    One that may be of interest is "deadbeef", as this generates only the one line of text, which makes it an oddity. Good hunting! ~ ET.

    ReplyDelete
  145. What in the world? If anyone's willing to teach (MikeS especially) me how to even begin to 'hack', I'll solve it lol.

    ReplyDelete
  146. UGH!!!!!!!!! WHAT IS IT?
    someone told me it had 24 characters...

    ReplyDelete
  147. ... Got a fair few zeros in it, though, which casts a doubt in my mind. But "deadbeef" would make sense if this was a different avenue to solving the puzzle.

    cyber.png steg results using Digital Invisible Ink Toolkit, battlesteg, laplace and deadbeef:
    00 20 04 0c 00 6d 08 00 00 40 00 18 82 80 38 40 a3 83
    be 00 23 85 08 14 23 00 50 00 03 60 02 58 01 14 10 00
    00 12 00 02 00 80 28 00 01 4c 00 00 00 00 09 10 40 20
    00 80 00 00 00 00 04 c0 00 c1 a8 00 04 04 8b 98 c1 00
    c0 41 00 04 22 02 01 30 28 13 20 d0 00 00 00 -- -- --

    ~ ET.

    ReplyDelete
  148. 15 years old, almost sixteen and self taught, i cracked it. here is the proof.
    http://www.canyoucrackit.co.uk/soyoudidit.asp
    brenden

    ReplyDelete
  149. http://canyoucrackit.co.uk/soyoudidit.asp

    ReplyDelete
  150. Pr0t3ct!on#cyber_security@12*12.2011+
    http://canyoucrackit.co.uk/soyoudidit.asp

    ReplyDelete
  151. Nasruddin was trying to sell his house, but without success.

    One day he pulled out a brick from the wall of his house.

    "Why did you do that?" asked his wife, appalled.

    "Oh, foolish woman, what do you know?" said Nasruddin. "To sell anything, you have to show a sample. I propose to show this brick as a sample of our house."

    ReplyDelete
  152. Coming up with an answer is one thing. Of course "Pr0t3ct!on ..." is an answer. But at interview, you can expect to be asked to explain in depth how you arrived at the answer and to sit down to solve more puzzles in a room without internet access.

    For some here, the thrill is in the chase, and also the possibility that there may well be more than one way of cracking this puzzle.

    ReplyDelete
  153. Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  154. I have no idea who posted the above comment but i think i understand what they are saying, to sell something people always show a sample of what they will be offering. I do not believe Pr0t3ct!on#cyber_security@12*12.2011+ is the end of the puzzle i think it is only a sample to the true answer, a spoon full of sugar if you will, to lead the ants astray from the true prize. I think the answer is still out there waiting to be discovered. Who knows if it will be discovered in time or not, but i do not think the page you finish at is the real thing either. I have no idea where to even begin with any of this, I would appreciate any help i might get, but for now i will continue to watch for posts and wish you all the best off luck.

    ReplyDelete
  155. I just want to know the answer!

    ReplyDelete
  156. zhenge again.
    when i debug the exefile via Ollydbg. i found "CMP DWORD PTR SS:[LOCAL.14],71686367" in 00401167.

    and 71686367 is "qhcg" in ascii code.
    turn over it. it is gchq.
    if you input "gchq" in license.txt , you can get more infomation.

    but how to solve "cyberwin"?
    it is difficult.
    i want to know it.
    who can tell me?
    i just know some russians crack it.
    maybe unix crypt. hashcode is hqDTK7b8K2rvw.

    and in stage 1.
    if convert "0xeb 0x04" to assembly. it is jmp 0x06. so 0x02 0x03 0x04 0x05 is unused code.
    turn over it, it is a3bfc2af.

    ReplyDelete
  157. SO WHATS THE ANSWER PLZZZZZZZZZZZZZZ

    ReplyDelete
  158. The answer is in the forum

    ReplyDelete
  159. Put yourself into the shoes of the "black hats" we have dealings with. We've had a stroke of luck, and actually know the password they've been using: "Pr0t3ct!on#cyber_security@12*12.2011+".

    Tomorrow, as so often happens, they change the password. So where does that leave us?

    But if we have knowledge of the precise means by which they forward the password to one-another, then we may be able to crack tomorrow's new password, too, unless they cotton on to us and change their method.

    Having an answer, like showing the brick in the house, proves nothing and serves little purpose on its own.

    ReplyDelete
  160. Hi guys, for those up to the _4th_ stage: has anyone try to load the firmware into the CPU registers?

    Usually, "firmware" defines some boot-up sequence for the machine. I tried a few different combinations of firmware bytes to register bytes (they both have 8 bytes each) but nothing makes sense yet.

    ReplyDelete
  161. Has anyone noticed there's more in the VM than used to crack the code?

    Whilst searching for the answer to part 3 I started executing sections of the VM, convinced there was something else hidden in the memory.

    Not sure the significance of any of these, they could just be artefacts of the algorithm used..

    Re-running the VM after HLT (without resetting the registers, just send PC back to 0x0000) reveals this after the GET for the .exe):

    GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0.ª258;>ADGJMPSa#[N}x.%2w.b#[GU

    Now, I started to wonder whether the firmware had instructions to get more info out, and by accident I ended up incorporating a jmp 10 after the hlt.

    That went into a busy loop, but started putting this into the memory after 0x300:

    #&),/258;>ADGJM
    PSVY\_behknqtwz}
    ...........¡¤§ª­
    °³¶¹¼¿ÂÅÈËÎÑÔ×ÚÝ
    àãæéìïòõøûþ.....
    ......"%(+.147:=
    @CFILORUX[^adgjm
    psvy|...........
     £¦©¬¯²µ¸»¾ÁÄÇÊÍ
    ÐÓÖÙÜßâåèëîñô÷úý
    ...........!$'*-
    0369ADGJM

    Notice ADGJMP from earlier.

    Googling these strings gives all sorts of results, making me think they're artefacts of algorithms people have spotted before, adopting them as handles etc.

    Expecially notice cfilorux.dll is listed as associated with malware!

    Anyone any thoughts? Just meaningless artefacts or a deeper game?

    ReplyDelete
  162. @James,
    behknqtwz is missing cd fg ij; etc.
    CFILORUX is missing de gh jk; etc.
    ADGJM is missing bc, ef, hi; etc.
    Not sure if this means anything, though. ~ ET.

    ReplyDelete
  163. This crops up in google searches, though what it means, if anything, I don't know, James:
    0 3 6 9 C F I L O R U X a d g j m p s v y
    1 4 7 A D G J M P S V Y b e h k n q t w z
    2 5 8 B E H K N Q T W Z c f i l o r u x
    ~ ET.

    ReplyDelete
  164. A short history of cryptography:
    http://all.net/edu/curr/ip/Chap2-1.html
    Search for "ADGJMPSVY" in the page.
    ~ ET.

    ReplyDelete
  165. @ET talk about me not seeing the wood for the trees with that, thx!

    ET said:
    > behknqtwz is missing cd fg ij; etc.
    > CFILORUX is missing de gh jk; etc.
    > ADGJM is missing bc, ef, hi; etc.
    > Not sure if this means anything, though. ~ ET.

    ReplyDelete
  166. PS almost certainly meaningless artefacts, but that doesn't mean there isn't more hidden in mem!

    ReplyDelete
  167. You're welcome, James. Just working on a php script to implement the Skytale cipher on my server, to see if any strings throw up useful results, though really need to know what character set they're using, if this is what they're upto.

    May not be as simple as "0369CFILORUX" at
    http://all.net/edu/curr/ip/Chap2-1.html
    Regards, ~ ET.

    ReplyDelete
  168. I gave this a go but failed. I think my progress as a spy will be limited to mixing my martinis shaken, not stirred. http://dasteepsspeaks.blogspot.com/2011/12/can-you-crack-it.html

    ReplyDelete
  169. this is the correct keyword to fill in:
    Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  170. "this is the correct keyword to fill in:
    Pr0t3ct!on#cyber_security@12*12.2011+

    Yes, we've been there.

    If I asked you what is the next number in the sequence "123", it could be 4. But it could equally well be "5", if you're open minded.

    There could be more than one correct answer, especially if they want to be able to grade or sift would-be applicants. Just a thought.

    ReplyDelete
  171. This ADGJMPS and CFILORUX sequences are caused by decryption over zeroes. You can see the ascii code for letters is increasing, so what you see is just "i*3+0x32" pattern (AbcDefGhiJklMnoPqrS = ADGJMPS - just every 3rd letter).
    This isn't decrypting anything.

    ReplyDelete
  172. That makes sense, thanks. :)

    ReplyDelete
  173. Where do you guys learn this stuff? I'm reading through the comments just oblivious to whats being said in them. I have no idea what almost any of that means.

    ReplyDelete
  174. See:
    "Reverse Engineering Code with IDA Pro"

    Also, look at how Truecrypt is constructed...

    ReplyDelete
  175. Not quite sure where the Truecrypt thread might be heading, @Anonymous. Some explanatory text at: http://www.forensicinnovations.com/blog/?p=7

    Seems that they can detect Truecrypt and many other things, using their File Investigator Tools (try or buy). ~ ET.

    ReplyDelete
  176. @Anonymous: Are you hinting at the use of Truecrypt in steganography?

    ReplyDelete
  177. Can we get a new blog so us serious guys can actually exchange useful info? Getting fed up with "I cracked it the answer is blah...".

    Firstly: Improved version of Python VM originally posted in http://pastebin.com/Uz8QBFkg is here: http://pastebin.com/3PrL1mTX. This disassembles the whole block now. As the original code self-modified its later block to run for the actual simple decryption, I tried pointing to some of the other blocks and self-modifying those but it didn't seem to produce anything useful with the current code but I will look further - the Python makes it easy.

    Looked at two other JPG images: images/codebreaker.jpg and images/code-bg.jpg for steganography - no apparent extra strings there but others may want to inspect more closely?

    Robert

    ReplyDelete
  178. When I looked at cyber.png at @Flex's suggestion, I had firstly assumed that I was looking for a small amount of text hidden using steganography. Secondly, I therefore assumed that the output from DIIT using Battlesteg, Laplace and "cyberwin" was too "busy" -- masses of apparently random message.

    However, I hadn't appreciated that you can hide something like TrueCrypt in an image or video file and that being headerless and not having any magic signature, TrueCrypt is not easily detectable.

    May be barking up the wrong tree, but trying to keep options open. ~ ET.

    ReplyDelete
  179. Good on you ET!

    I suggested TrueCrypt partly because of the fact that different passwords can lead to different locations and partly for the fact that messages can be encrypted and decrypted, on the fly using a portable version of TrueCrypt - which is free, difficult to detect and easily incorporated into images.
    This is the most convenient way to transmit messages around the world without resource to specialized equipment or software.
    There are now many steganographic software packages on the market today.
    I wrote a review paper on steg, over 10 years ago, but it is wayyy out of date now.

    Miyamoto Musashi

    ReplyDelete
  180. If you want a new Blog Page Set up then Email me at blog@zycore.co.uk and i will set one up, also if i set one up, only share the link with people that can help.

    ReplyDelete
  181. Pr0t3ct!on#cyber_security@12*12.2011+

    Looks like this works LOL

    ReplyDelete
  182. Or set up a yahoo! group and boot out anyone who just keeps parroting "Pr0t3ct!on#cyber_security@12*12.2011+ ad nauseam.

    Regards, ET (aka Esowteric).

    ReplyDelete
  183. Blog Set up, email blog@zycore.co.uk for web address.

    ReplyDelete
  184. For all of you that want to join the new discussion, here is the link.

    aHR0cDovL2JpdC5seS9yT3BXOVM=

    ReplyDelete
  185. ;) Be there, or be square.

    ReplyDelete
  186. tnx

    Miyamoto Musashi

    ReplyDelete
  187. Hi @Heru-ur.
    I don't seem to be able to post at the new site.
    The comment appears, but on page refresh it's gone. Any hlp?

    Miyamoto Musashi

    ReplyDelete
  188. Pr0t3ct!on#cyber_security@12*12.2011+ is the answer lol

    ReplyDelete
  189. Did you notice that your PC info has been send to an anonymous server? Just something to debate/think ... Are we being followed? ... Nevertheless is a great code... Queen is here!

    ReplyDelete
  190. Pr0t3ct!on#cyber_security@12*12.2011+

    ReplyDelete
  191. I know a key that'll get on yer nerves, get on yer nerves, get on yer nerves. I know a key that'll get on yer nerves, get on yer nerves, get on yer nerves .....

    ReplyDelete
  192. Anyone managed to reveal the source code for /index.asp?

    ReplyDelete