Register / Log in
03
December

Thanks to a facebook message from my dad yesterday, I was informed of this website: Can you Crack it?. So, promptly, I got onto the job and it was surprisingly easy and I imagine it will be for most people who can reverse engineer and has experience doing so.

Click read more to see how I did it, but I suggest you have a good attempt beforehand. It’s a nice little reverse engineering exercise.

SPOILER – THIS IS THE SOLUTION. RUN AWAY AND HIDE IF YOU WANT TO HAVE A GO YOURSELF.


Stage 1 – Reverse engineering and decryption
Ok, so from the main page, I wrote out all the hexadecimal into a binary file. Like this:

EB04AFC2BFA381EC0001000031C9880C0CFEC175F931C0BAEFBEADDE02040C00D0C1CA088A1C0C8A3C04881C04883C0CFEC175E8E95C00000089E381C3040000005C583D414141417543583D42424242753B5A89D189E689DF29CFF3A489DE89D189DF29CF31C031DB31D2FEC0021C068A14068A341E88340688141E00F230F68A1C168A1730DA8817474975DE31DB89D8FEC0CD809090E89DFFFFFF41414141

I sat around for a good few minutes just reading the hex. However, I noticed something! “EFBEADDE”. This is the little endian storage of “0xDEADBEEF”. Tada, it’s probably code. So shoving it into a disassembler, I get some nasty x86 code. After whimpering at the sight of it, I cracked on and reversed engineered the code into lovely C.

But there was something missing! In the x86, it does a near call which pushes the return address onto the stack. This sneaky little program then pops this off the stack and then sets it as the new top of stack. After the return address, a sneaky pop loads 0×41414141, the last 32 bit value in the file, and then checks it does equal that. Then, it does another pop… wait a second. There is no more defined data, and it is looking for a 0×42424242. So, realising I copied the HEX wrong, I set about correcting it. Except, I didn’t copy it wrong, the data was truely missing! I checked the site source for any html comments; nothing. After downloading the png image on the website (the image with the hex data), I open it up in a hex editor, and I recognise a base64 encoded message in the comments section which indeed turns out to be the missing data!

So further analysis proved that I have all the data required to decrypt and complete this puzzle. I wrote this program to do it:
Show ▼

 

It successfully decrypted the message and decrypt.bin contained: “GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1.”. Ok, maybe I’m not done, following this GET request I got to “stage 2″. A VM in javascript.


Stage 2 – Javascript VM
This, is kind of like an emulator, you get a description of a “processor” and you follow the specification. If you do it correctly, you get the answer, easy.

I started off simply decoding the instructions and writing them to a file, like a disassembly. Then once I was happy that it was decoding it correctly, I scrapped together a simple tool interpret the instructions and then dump everything. Code below:
Show ▼

 

Then, the output_hex.bin contained another GET method: “GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0″. Ok, cool.


Stage 3 – License check
After downloading and having a quick peek at the assembly, I saw it didn’t do that much. After running, it moaned about no hostname, so naturally, I set it to “canyoucrackit.co.uk” BAM, it screamed at me again, complaining about a license.txt.

I fully disassembled the executable and I quickly found the check, it was doing a scanf of a string from the license onto the stack and performing a check of the first 4 hex bytes.

This check looked for the values 67 63 68 71 in LE. This, translates to gchq, a UK government organisation. Regardless, I stormed through the rest of the code and saw that it does a “crypt” call on the license + 4, with a salt (or key or w/e).

char *c = crypt(license+4, "hqDTK7b8K2rvw");
 
if (strcmp(c, "hqDTK7b8K2rvw") == 0)
{
	valid_license = 1;
}

Now, I know for a fact that crypt is a one-way function, so I didn’t bother with figuring out the original license text needed. If you guys know me, I like exploits. I saw one earlier on aswell. I jumped right back to the “scanf” call onto the stack and checked if I can cause a buffer overflow. It turned out I could! valid_license was stored further on the stack, so overflowing with a big string can set valid_license to non-zero passing that check! huzzah!

I used this license:

gchq------------lolhax.org------Davee-----------

So now, running the application I got this result:

keygen.exe
 
loading stage1 license key(s)...
loading stage2 license key(s)...
 
request:
 
GET /hqDTK7b8K2rvw/2d2d2d2d/686c6f6c/6f2e7861/key.txt HTTP/1.0
 
response:
 
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 02 Dec 2011 23:44:59 GMT
Connection: close
Content-Length: 315
 
Not Found
HTTP Error 404. The requested resource is not found.

Error, 404, odd. It tried to request “GET /hqDTK7b8K2rvw/2d2d2d2d/686c6f6c/6f2e7861/key.txt HTTP/1.0″. I recognise those HEX values. The first one looked the the hash check, the 2d2d2d2d, 686c6f6c and 6f2e7861 looked like data out of my license file. After confirming with the assembly, this information was true. the format of the license was:

[4 bytes header]
[8 bytes password]
[4 bytes first hex]
[4 bytes second hex]
[4 bytes third hex]
[0x18 bytes to bypass check]

Now, what the hell were these 4 bytes? They weren’t inside the application. I sat around, stressing over what these numbers are. I guessed a few of course, no luck. After a nice chill and a cup of tea, it struck me. There was a spare value in the first executable, which the program just jumped over. There was also the VM’s firmware version which was not used. These 3 unreferenced values may be the answer!

So I plugged them in, and what do you know! I don’t get the answer. Such a perfect scenario, but I still fall victim to this challenge.

Later on though, I thought I should try plug it into the browser… well, what do you know. It worked.
Show ▼


Completed
The winners’ page takes you to an application form to apply for a position within GCHQ. Shame I don’t have a degree yet :P

How about that eh? It’s a nice little challenge and I hoped you all attempted it your best before reading this!

- Davee

PS, due a grammar/spell check tomorrow.

52 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. Plumbing Installation

    There are many Lethbridge plumbing companies in this city which
    provide full service of plumbing. It also helps to minimize the common problems like allergies, asthma and hay fever.
    Installation and repair of bathroom and kitchen water systems.

    Mon 14th July, 2014 at 12:29 BST
  2. Hotels in Las Vegasresort bargainslast minute lodge lodge discounts

    With havin so much written content do you ever run into any
    problems of plagorism or copyright infringement? My site has
    a lot of completely unique content I’ve either written myself or outsourced but it seems a
    lot of it is popping it up all over the web without my authorization. Do you know any solutions to help protect against content from being stolen? I’d certainly appreciate it.

    Wed 27th August, 2014 at 15:13 BST
« Older Comments

Some HTML is OK

or, reply to this post via trackback.