03 December

Thanks to a Facebook message from my dad yesterday, I was informed of this website: Can you Crack it?. So, promptly, I got onto the job. It was surprisingly easy, and I imagine it will be for most people who can reverse engineer and have experience doing so.

Click read more to see how I did it, but I suggest you have a good attempt beforehand. It’s a nice little reverse engineering exercise.

SPOILER – THIS IS THE SOLUTION. RUN AWAY AND HIDE IF YOU WANT TO HAVE A GO YOURSELF.


Stage 1 – Reverse engineering and decryption
Ok, so from the main page, I wrote out all the hexadecimal into a binary file. Like this:

EB04AFC2BFA381EC0001000031C9880C0CFEC175F931C0BAEFBEADDE02040C00D0C1CA088A1C0C8A3C04881C04883C0CFEC175E8E95C00000089E381C3040000005C583D414141417543583D42424242753B5A89D189E689DF29CFF3A489DE89D189DF29CF31C031DB31D2FEC0021C068A14068A341E88340688141E00F230F68A1C168A1730DA8817474975DE31DB89D8FEC0CD809090E89DFFFFFF41414141

I sat around for a good few minutes just reading the hex. However, I noticed something! “EFBEADDE”. This is the little-endian storage of “0xDEADBEEF”. Tada, it’s probably code. So, shoving it into a disassembler, I got some nasty x86 code. After whimpering at the sight of it, I cracked on and reverse engineered the code into lovely C.

But there was something missing! In the x86, it does a near call, which pushes the return address onto the stack. This sneaky little program then pops that address off the stack and sets it as the new top of stack. After the return address, a sneaky pop loads 0x41414141, the last 32-bit value in the file, and checks that it really is that value. Then it does another pop… wait a second. There is no more defined data, and it is looking for 0x42424242. So, assuming I had copied the hex wrong, I set about correcting it. Except I didn’t copy it wrong; the data was truly missing! I checked the site source for any HTML comments: nothing. After downloading the PNG image on the website (the one with the hex data), I opened it in a hex editor and spotted a base64-encoded message in the comment section, which indeed turned out to be the missing data!
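To make the first two steps concrete, here is an added example (my own code, not the program from the post): it decodes the hex listing above into bytes, rejecting any transcription slip, locates the little-endian 0xDEADBEEF that gives the blob away as x86 code, and writes the bytes to stage1.bin for a disassembler. It also reads the four bytes that the leading EB 04 (a short jump) skips over; they form the word 0xA3BFC2AF, the “spare value” the post later says the program jumped over. The file name stage1.bin is my choice.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stage 1 hex blob exactly as the post transcribed it from the challenge page. */
static const char STAGE1_HEX[] =
    "EB04AFC2BFA381EC0001000031C9880C0CFEC175F931C0BAEFBEADDE"
    "02040C00D0C1CA088A1C0C8A3C04881C04883C0CFEC175E8"
    "E95C00000089E381C3040000005C583D414141417543583D42424242753B"
    "5A89D189E689DF29CFF3A489DE89D189DF29CF"
    "31C031DB31D2FEC0021C068A14068A341E88340688141E00F230F68A1C168A1730DA8817474975DE"
    "31DB89D8FEC0CD809090E89DFFFFFF41414141";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode a hex string into bytes, skipping whitespace. Returns the byte
   count, or -1 on a non-hex character, an odd digit count, or a too-small
   output buffer, so a transcription slip shows up here rather than as a
   mystery inside the disassembler. */
long hex_to_bytes(const char *hex, unsigned char *out, size_t cap)
{
    size_t n = 0;
    int hi = -1;
    for (; *hex; hex++) {
        if (*hex == ' ' || *hex == '\n' || *hex == '\r' || *hex == '\t')
            continue;
        int v = hexval((unsigned char)*hex);
        if (v < 0) return -1;
        if (hi < 0) { hi = v; continue; }
        if (n >= cap) return -1;
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? (long)n : -1;
}

/* 32-bit little-endian read, the byte order x86 uses for immediates. */
uint32_t le32_at(const unsigned char *buf, size_t off)
{
    return (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
}

/* Offset of the first little-endian occurrence of v, or -1 if absent. */
long find_le32(const unsigned char *buf, size_t n, uint32_t v)
{
    for (size_t i = 0; i + 4 <= n; i++)
        if (le32_at(buf, i) == v) return (long)i;
    return -1;
}

/* Write the decoded bytes out for the disassembler; 0 on success. */
int write_blob(const char *path, const unsigned char *buf, size_t n)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    int ok = fwrite(buf, 1, n, f) == n;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    unsigned char buf[512];
    long n = hex_to_bytes(STAGE1_HEX, buf, sizeof buf);
    if (n < 0) { fputs("malformed hex\n", stderr); return 1; }
    printf("%ld bytes decoded\n", n);
    long off = find_le32(buf, (size_t)n, 0xDEADBEEFu);
    if (off > 0)   /* the byte before it is the opcode of the instruction loading it */
        printf("0xDEADBEEF at offset %ld (opcode before it: %02X)\n", off, (unsigned)buf[off - 1]);
    printf("value skipped by the leading jmp short: 0x%08X\n", (unsigned)le32_at(buf, 2));
    printf("trailing dword: 0x%08X\n", (unsigned)le32_at(buf, (size_t)n - 4));
    return write_blob("stage1.bin", buf, (size_t)n);
}
```

The opcode byte just before the marker is BA (mov edx, imm32), which is why the value reads as an immediate and not as data; the first 0x41414141 in the blob is the immediate of the cmp the post describes, and the last four bytes are the copy it pops off the stack.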

So further analysis proved that I had all the data required to decrypt and complete this puzzle, and I wrote a program to do it.

It successfully decrypted the message, and decrypt.bin contained: “GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1”. OK, maybe I’m not done; following this GET request I got to “stage 2”: a VM in JavaScript.


Stage 2 – Javascript VM
This is kind of like an emulator: you get a description of a “processor” and you follow the specification. If you do it correctly, you get the answer. Easy.

I started off simply decoding the instructions and writing them to a file, like a disassembly. Then, once I was happy that it was decoding correctly, I scraped together a simple tool to interpret the instructions and dump everything.

Then the output_hex.bin contained another GET request: “GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0”. OK, cool.
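As an added illustration of that workflow (not the post’s tool, and not the challenge’s real instruction set, whose details are not given here), the following C program defines a small hypothetical machine, first disassembles its code into a listing, then interprets it and dumps the decoded data region. The opcodes, register count, encoding and the firmware image are all constructed for this example; what carries over is the structure the post describes: a decoder you can sanity-check by reading its output, an interpreter that faults on bad operands and stops at a step cap, and a memory dump at the end.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 8-bit machine (an assumption for this example, not the
   challenge's real spec): 256 bytes of memory shared by code and data,
   four 8-bit registers r0..r3, fixed 3-byte instructions [op][a][b]. */
#define MEM_SIZE 256
#define NREGS 4
enum { OP_HLT, OP_LDI, OP_XOR, OP_LDM, OP_STM, OP_ADDI, OP_JNZ };
static const char *const MNEMONIC[] = { "hlt", "ldi", "xor", "ldm", "stm", "addi", "jnz" };

struct vm { uint8_t mem[MEM_SIZE]; uint8_t r[NREGS]; uint8_t pc; int halted; };

/* Constructed firmware image: XOR-decode 5 bytes at DATA_ADDR with key 0x5A. */
#define DATA_ADDR 0x40
static const uint8_t CODE[] = {
    OP_LDI,  0, 0x40,   /* 00: r0 = pointer to data            */
    OP_LDI,  1, 0x5A,   /* 03: r1 = key                        */
    OP_LDI,  2, 0x05,   /* 06: r2 = bytes remaining            */
    OP_LDM,  3, 0,      /* 09: r3 = mem[r0]                    */
    OP_XOR,  3, 1,      /* 0c: r3 ^= r1                        */
    OP_STM,  3, 0,      /* 0f: mem[r0] = r3                    */
    OP_ADDI, 0, 0x01,   /* 12: r0++                            */
    OP_ADDI, 2, 0xFF,   /* 15: r2-- (add 0xFF modulo 256)      */
    OP_JNZ,  2, 0x09,   /* 18: loop while r2 != 0              */
    OP_HLT,  0, 0,      /* 1b: stop                            */
};
static const uint8_t DATA[] = { 0x39, 0x28, 0x3B, 0x39, 0x31 };  /* "crack" XOR 0x5A */

void vm_load(struct vm *vm)
{
    memset(vm, 0, sizeof *vm);
    memcpy(vm->mem, CODE, sizeof CODE);
    memcpy(vm->mem + DATA_ADDR, DATA, sizeof DATA);
}

/* Pass 1: decode one instruction to text without executing it. Returns 1
   for a valid opcode, 0 for a byte that is data (or a decoding mistake). */
int vm_disasm(const uint8_t *mem, uint8_t pc, char *out, size_t cap)
{
    unsigned op = mem[pc], a = mem[(uint8_t)(pc + 1)], b = mem[(uint8_t)(pc + 2)];
    switch (op) {
    case OP_HLT:  snprintf(out, cap, "%02x: hlt", pc); return 1;
    case OP_LDI: case OP_ADDI:
        snprintf(out, cap, "%02x: %s r%u, 0x%02x", pc, MNEMONIC[op], a, b); return 1;
    case OP_XOR: case OP_LDM: case OP_STM:
        snprintf(out, cap, "%02x: %s r%u, r%u", pc, MNEMONIC[op], a, b); return 1;
    case OP_JNZ:  snprintf(out, cap, "%02x: jnz r%u, 0x%02x", pc, a, b); return 1;
    default:      snprintf(out, cap, "%02x: db 0x%02x", pc, op); return 0;
    }
}

/* Pass 2: execute one instruction. Returns 1 if it ran, 0 on halt or on a
   fault (unknown opcode / register index), so a bad decode cannot run wild. */
int vm_step(struct vm *vm)
{
    if (vm->halted) return 0;
    uint8_t op = vm->mem[vm->pc];
    uint8_t a = vm->mem[(uint8_t)(vm->pc + 1)], b = vm->mem[(uint8_t)(vm->pc + 2)];
    uint8_t next = (uint8_t)(vm->pc + 3);
    int reg_b = (op == OP_XOR || op == OP_LDM || op == OP_STM);
    if (op != OP_HLT && (a >= NREGS || (reg_b && b >= NREGS))) { vm->halted = 1; return 0; }
    switch (op) {
    case OP_HLT:  vm->halted = 1; return 1;
    case OP_LDI:  vm->r[a] = b; break;
    case OP_XOR:  vm->r[a] ^= vm->r[b]; break;
    case OP_LDM:  vm->r[a] = vm->mem[vm->r[b]]; break;
    case OP_STM:  vm->mem[vm->r[b]] = vm->r[a]; break;
    case OP_ADDI: vm->r[a] = (uint8_t)(vm->r[a] + b); break;
    case OP_JNZ:  if (vm->r[a]) next = b; break;
    default:      vm->halted = 1; return 0;
    }
    vm->pc = next;
    return 1;
}

/* Run until hlt. Returns the instruction count, -1 if max_steps was hit
   (a runaway loop), -2 on a fault. */
int vm_run(struct vm *vm, int max_steps)
{
    int steps = 0;
    while (!vm->halted) {
        if (steps >= max_steps) return -1;
        if (!vm_step(vm)) return -2;
        steps++;
    }
    return steps;
}

int main(void)
{
    struct vm vm;
    char line[64];
    vm_load(&vm);
    for (uint8_t pc = 0; pc < sizeof CODE; pc += 3) {   /* the disassembly listing */
        vm_disasm(vm.mem, pc, line, sizeof line);
        puts(line);
    }
    int steps = vm_run(&vm, 10000);
    printf("ran %d instructions, pc=0x%02x\n", steps, vm.pc);
    for (size_t i = 0; i < sizeof DATA; i++)              /* dump the decoded region */
        printf("%02x ", vm.mem[DATA_ADDR + i]);
    printf(" \"%.5s\"\n", (const char *)vm.mem + DATA_ADDR);
    return steps > 0 ? 0 : 1;
}
```

Keeping the decoder separate from the executor is what lets you validate the listing by eye before trusting a single run; the step cap and the fault on an out-of-range register are cheap insurance against a mis-decoded opcode turning the interpreter into an infinite loop.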


Stage 3 – License check
After downloading it and having a quick peek at the assembly, I saw it didn’t do that much. After running it, it moaned about there being no hostname, so naturally I set it to “canyoucrackit.co.uk”. BAM, it screamed at me again, complaining about a license.txt.

I fully disassembled the executable and I quickly found the check, it was doing a scanf of a string from the license onto the stack and performing a check of the first 4 hex bytes.

This check looked for the bytes 67 63 68 71 (little-endian), which translate to “gchq”, a UK government organisation. Regardless, I stormed through the rest of the code and saw that it does a “crypt” call on the license + 4, with a salt (or key, or whatever).

#include <string.h>
#include <crypt.h>   /* crypt(3); link with -lcrypt */

/* Reconstructed check: hash the 8 bytes after the header with the stored
   hash as the salt; the license is valid only if the result matches it. */
char *c = crypt(license + 4, "hqDTK7b8K2rvw");
if (strcmp(c, "hqDTK7b8K2rvw") == 0)
{
	valid_license = 1;
}

Now, I know for a fact that crypt is a one-way function, so I didn’t bother figuring out the original license text needed. If you know me, I like exploits, and I had spotted one earlier on as well. I jumped right back to the “scanf” call onto the stack and checked whether I could cause a buffer overflow. It turned out I could! valid_license was stored further on the stack, so overflowing with a big string can set valid_license to non-zero, passing that check! Huzzah!

I used this license:

gchq------------lolhax.org------Davee-----------

So now, running the application I got this result:

keygen.exe
 
loading stage1 license key(s)...
loading stage2 license key(s)...
 
request:
 
GET /hqDTK7b8K2rvw/2d2d2d2d/686c6f6c/6f2e7861/key.txt HTTP/1.0
 
response:
 
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 02 Dec 2011 23:44:59 GMT
Connection: close
Content-Length: 315
 
Not Found
HTTP Error 404. The requested resource is not found.

Error 404, odd. It tried to request “GET /hqDTK7b8K2rvw/2d2d2d2d/686c6f6c/6f2e7861/key.txt HTTP/1.0”. I recognised those hex values: the first one looked like the hash check, and 2d2d2d2d, 686c6f6c and 6f2e7861 looked like data out of my license file. After confirming with the assembly, this turned out to be true. The format of the license was:

[4 bytes header]
[8 bytes password]
[4 bytes first hex]
[4 bytes second hex]
[4 bytes third hex]
[0x18 bytes to bypass check]
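Added example, not code from the post or from the binary: a bounded parser for that license layout which rejects anything that is not exactly the 24 bytes the structure needs, instead of letting extra bytes run on into valid_license, plus the path builder that reproduces the request above from the post’s own license string. The crypt(3) call is left out (it needs libcrypt), so the hash component is passed in as a parameter; the struct and function names are mine.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout the post recovered from the stage 3 binary: 4-byte header,
   8-byte password, then three 4-byte values read as little-endian words. */
#define LIC_HEADER_LEN   4
#define LIC_PASSWORD_LEN 8
#define LIC_FIELDS       3
#define LIC_LEN (LIC_HEADER_LEN + LIC_PASSWORD_LEN + 4 * LIC_FIELDS)   /* 24 */

struct license {
    char password[LIC_PASSWORD_LEN + 1];
    uint32_t field[LIC_FIELDS];
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounded parser. The binary's scanf("%s") copied the whole line onto the
   stack, so bytes past the 24-byte structure ran into valid_license. Here
   the length is checked before anything is copied, so an over-long license
   is rejected rather than silently trusted. Returns 0 on success. */
int parse_license(const char *text, struct license *out)
{
    const unsigned char *p = (const unsigned char *)text;
    if (strlen(text) != LIC_LEN) return -1;                     /* wrong size */
    if (memcmp(p, "gchq", LIC_HEADER_LEN) != 0) return -2;      /* bad header */
    memcpy(out->password, p + LIC_HEADER_LEN, LIC_PASSWORD_LEN);
    out->password[LIC_PASSWORD_LEN] = '\0';
    for (int i = 0; i < LIC_FIELDS; i++)
        out->field[i] = le32(p + LIC_HEADER_LEN + LIC_PASSWORD_LEN + 4 * i);
    return 0;
}

/* Build the key.txt request path the binary issued. `hash` stands in for
   the crypt(3) result (libcrypt is left out so this compiles anywhere). */
int build_request_path(const struct license *lic, const char *hash,
                       char *buf, size_t cap)
{
    int n = snprintf(buf, cap, "/%s/%08" PRIx32 "/%08" PRIx32 "/%08" PRIx32 "/key.txt",
                     hash, lic->field[0], lic->field[1], lic->field[2]);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

int main(void)
{
    /* The first 24 bytes of the post's license, then the full 48-byte
       overflow version of it. */
    const char *inputs[] = {
        "gchq------------lolhax.o",
        "gchq------------lolhax.org------Davee-----------",
    };
    for (size_t i = 0; i < 2; i++) {
        struct license lic;
        char path[128];
        int rc = parse_license(inputs[i], &lic);
        if (rc != 0) {
            printf("%-50s rejected (%d)\n", inputs[i], rc);
            continue;
        }
        build_request_path(&lic, "hqDTK7b8K2rvw", path, sizeof path);
        printf("%-50s password=%s\n  -> GET %s HTTP/1.0\n", inputs[i], lic.password, path);
    }
    return 0;
}
```

The three path segments fall straight out of the layout: “----” reads as 2d2d2d2d, “lolh” as 686c6f6c and “ax.o” as 6f2e7861 once each 4-byte group is taken as a little-endian word, which is exactly the request the binary produced.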

Now, what the hell were these 4-byte values? They weren’t inside the application. I sat around, stressing over what these numbers were. I guessed a few, of course; no luck. After a nice chill and a cup of tea, it struck me. There was a spare value in the first executable, which the program just jumped over. There was also the VM’s firmware version, which was not used. These three unreferenced values may be the answer!

So I plugged them in, and what do you know: I didn’t get the answer. Such a perfect scenario, but I still fell victim to this challenge.

Later on, though, I thought I should try plugging it into the browser… well, what do you know. It worked.


Completed
The winners’ page takes you to an application form to apply for a position within GCHQ. Shame I don’t have a degree yet :P

How about that, eh? It’s a nice little challenge, and I hope you all gave it your best attempt before reading this!

– Davee

PS, due a grammar/spell check tomorrow.

44 Responses


  1. hughe

    Yeah a bit tricky but didn’t take too long.

    Here was my step 2 vm in javascript:

    http://www.hughe.co.uk/canyoucrackit2.html

    Sat 3rd December, 2011 at 21:07 GMT
  2. Bob

    Good work!

    You said “Shame I don’t have a degree yet”

    but they say

    “So, whether you’ve got a relevant technical degree or you’ve developed your own expertise, you could really make a difference. Join our mission”.

    Looks like you qualify!!!

    Go for it…..

    Sat 3rd December, 2011 at 22:51 GMT
  3. Davee

    Thank you for the kind comments! hughe, I’m totally loving the javascript implementation! Looks awesome :P

    Sun 4th December, 2011 at 00:07 GMT
  4. grant

    Since people seem to crack the code relatively easily while at the same time they say they will only hire 35 people, what if it is a trick and they want you to somehow crack the website, rather than the code? What do you think?

    P.S. I have no experience in hacking or cracking (other than lockpicking of course :P)

    Sun 4th December, 2011 at 03:17 GMT
  5. Matthew Steeples

    I gave this a go but failed. I think my progress as a spy will be limited to mixing my martinis shaken, not stirred. http://dasteepsspeaks.blogspot.com/2011/12/can-you-crack-it.html

    Sun 4th December, 2011 at 13:37 GMT
  6. Xaman

    I’m just a locksmith.
    This is far too difficult for me.
    However, I can open damn near any lock in about 10-15 seconds!!

    Sun 4th December, 2011 at 16:43 GMT
  7. PJ

    “Shame I don’t have a degree yet”?
    I wouldn’t bother about that. Apply!

    Sun 4th December, 2011 at 16:59 GMT
  8. darragh

    Good work Davee, very impressive

    Sun 4th December, 2011 at 17:13 GMT
  9. Orange

    How did you get the knowledge to resolve this challenge?

    Sun 4th December, 2011 at 19:38 GMT
  10. Kid

    Hey Davee, you’re pretty good to have done it all by yourself – which I reckon you did looking at the code. Now see if you can solve the next part as alluded to by this article:

    The Inquirer (http://s.tt/14uit)
    “In a statement GCHQ said that this was only one of the many ways in which users could crack the code …. The website you refer to is part of the path that a successful code-cracker will follow … ”

    I’m sure you’ve noticed the unused chunks of memory in the VM, decrypted non-zero but unused bytes around the 0x130 address, and what is the real meaning of the firmware, if the /soyoudidit.asp page was just an all too obvious honeypot?

    Look forward to your future post!

    Sun 4th December, 2011 at 23:51 GMT
  11. Gabriel

    Yeah, too bad you have to be a British citizen though. Dave, you’re pretty cool.

    Mon 5th December, 2011 at 00:08 GMT
  12. Crypto

    Dave,

    I got this from deadbeef:

    00000000 20EF and bh,ch
    00000002 BE db 0xBE
    00000003 AD lodsd
    00000004 DE db 0xDE

    When I tried it myself I got this far with it:
    http://pastebin.com/N7Q8XcGP

    Your deadbeef part above lost me. I kinda gave up after I got this far then I ran into your blog here.

    It’s amazing you figured all that out. I’ve been working on and off on it for a bit now.

    Mon 5th December, 2011 at 00:09 GMT
  13. crackit

    Hey Davee can you email me I have a few questions. Nothing big. Please email asap. Thanks.

    Mon 5th December, 2011 at 01:14 GMT
  14. Stu Neville

    OK, so (without reading this in depth) I’m thinking that, like the Navaho during WWII, hiding raw code that was in, say COBOL or an arcane assembler like DEC or DGC’s, then most of the people who can read it in Hex, Octal or binary (or even radix 50) will be dead.

    Mon 5th December, 2011 at 01:19 GMT
  15. coolio

    /* rage */
    return printf("fuuuuuuuuuuuuuuuuu (aka cant open decrypt.bin)\n");
    }

    Only part I really understood.

    Mon 5th December, 2011 at 04:03 GMT
  16. ghost

    well done guys

    Mon 5th December, 2011 at 04:20 GMT
  17. Hacker

    I figured it out without using this tutorial,

    It’s :

    Pr0t3ct!on#cyber_security@12*12.2011+

    Mon 5th December, 2011 at 05:54 GMT
  18. Kaan

    Nice, but…

    …the very first part could have taken only 2 minutes, if you just assembled the executable, ran it through a debugger, and read the decrypted string directly from the memory…

    Mon 5th December, 2011 at 08:42 GMT
  19. hot2use

    Nice piece of information. Good work. I hope you’ve applied by now?

    Mon 5th December, 2011 at 15:45 GMT
  20. Crypto

    Crypto,

    I found this tag in the .png “iTXt”

    Which according to a reference I used states:

    <>

    If we look at the XMP format we see:

    <>

    This states why Dave thought it was Base64 encoded. I should have seen it. Blah…

    Ref Used: Unknown because of challenge.. :P

    Mon 5th December, 2011 at 17:41 GMT
  21. nome

    Not bad. Now finish this one off and we’ll really be impressed.

    http://www.austininc.com/SciRealm/KryptosPart4.html

    Tue 6th December, 2011 at 02:54 GMT
  22. tom

    I just thought I’d have a wild guess but didn’t get anywhere. I’m in college doing catering.

    Tue 6th December, 2011 at 16:58 GMT
  23. Saltmeister

    Wow you get the job! FWIW a very simple alternative method, which took me about 20 seconds, so I guess you could say I cheated :) was this …
    I typed this into Google search:
    * site:http://www.canyoucrackit.co.uk
    which provided me with a list of available pages & I noticed one called key.txt
    http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt
    so I opened it up & hey presto there was the password!
    Simples!

    Wed 7th December, 2011 at 00:00 GMT
  24. Vic S. Shahid

    Hey,
    I got a link to this from my 12yo daughter. Started explaining to her what to look for and what the data means. Due to work load didn’t have the time to try to reverse engineer this and simple attempts didn’t lead anywhere. I found your post and love the degree of effort you have put in and your coding and decoding skills.
    I do not know what you do, but there are plenty of openings here at Microsoft for such skills. If you are interested, contact me and I will see if we can setup an interview in my team at the least. :)

    Wed 7th December, 2011 at 14:59 GMT
  25. Davee

    Hi there,

    I am currently studying at the University of Strathclyde, Glasgow. So, if anything, it would have to be summer placement or part time or something as I do wish to complete my degree.

    If you wish to contact me, you can grab my email from the “about” page.

    Wed 7th December, 2011 at 16:25 GMT
  26. Chris

    Hey,

    Found the link to the can-you-crack-it surfing, and sent it to a few codemonkeys I know. That’s as far as my 40 year old skills could take me. One of them sent me back your solution and we were all immediately a) impressed, and b) depressed ;). You did what they couldn’t, and I couldn’t attempt. Well done!

    Definitely get your degree and pursue your interests. Don’t pass up the opportunities to apply or talk with some of the folks that offer, though. Information, assistance, and like-minded brains can spur your self-education and direction of interest more than you know. As someone who won’t get to do those things, I hope you do.

    Be well, do well, and have fun!

    Kindest, Chris

    Wed 7th December, 2011 at 18:07 GMT
  27. Fred

    I wish I could learn how to code like that. I will take it up in college; for now I am just sitting on knowledge of how binary works….

    Wed 7th December, 2011 at 21:04 GMT
  28. Davee

    Thank you for the kind words Chris! I’ll definitely take what you’ve said on-board! Much appreciated!

    @Fred, Ah the programmers puzzle. Life is too short for “i wish” unfortunately. You should buy a book or access an online resource and just play around with a language or a VM. You’ll get to grips with how things work. It will all add up together and with that knowledge you can apply it to a real problem. Either directly, or indirectly.

    Thu 8th December, 2011 at 02:49 GMT
  29. FSHero

    Hi Davee, this is an excellent solution; well explained too (to those who can understand it — not me :P), which is important as it shows your thought process.

    I would like to pose you a question that someone else above posed: how did you (without studying for a degree in computer science/equivalent) acquire the skills to be able to do this? There’s a lot of specialised skills needed from what I can see: e.g. reverse engineering code, debugging, assembly language, etc.

    I thought I’d give it a try for a laugh: I did simple stuff like convert to decimal, run it through two’s complement, render the binary as ‘art’, render the hex on the website as XBM, get Firefox to interpret the hex (converted to ASCII) as various character encodings… I feel stupid now!

    Good luck if you manage to get the job; serve our country well!

    Thu 8th December, 2011 at 05:33 GMT
  30. Shayne O

    @FSHero: By being REALLY interested in how your computer works and slugging through arcane texts on assembly and C. Same stuff my generation did with old Z80 machines because we didn’t have much choice but to.

    Whatever the case is, our young codebreaker is one very very promising dude, and if I had the money I’d be hounding him to work for me.

    But I don’t so I can merely give a standing ovation!

    Thu 8th December, 2011 at 06:39 GMT
  31. Davee

    @FSHero: Shayne is right, it’s just a hobby of mine. I started programming quite young and got involved in various communities around the internet. There are so many resources on the internet and so much open source code that you can learn from lots of people’s.

    Getting involved is key, you meet a bunch of professionals who can pass on tips and suggestions to your work and even if you get the chance to talk to a manufacturer or developer of a tool, you can learn about undocumented or poorly documented functionality (legality permitting).

    As for the security and cryptography stuff, I got involved with the PSP which obviously applies both of these. I read up lots of poorly written documentation on security vulnerabilities in older devices such as gameboy, xbox, ps1, ps2 etc and the history of recent PSP vulnerabilities. From there, you knew a lovely base-set of skills that can be applied to almost any system.

    After that, it’s just research and development. You keep trying stuff out, you apply it to different systems and you keep yourself up to date. Nowadays, everything is online and the growing trend is Cloud services. Which means, a LOT of personal and important information is stored remotely and cyber security is critical.

    This isn’t learned over a week, or even a year. It’s a long process and it doesn’t stop. It’s difficult even for a single person to keep up to date on cyber threats and problems which is why more and more corporations are working together.

    To conclude, if you want to get into security, get involved, learn about cryptography, learn about history (history DOES repeat itself; frequently), develop a base skill-set and keep up to date on current affairs. You can’t possibly study everything and you will never know it all, so a base skill-set is a good stand point.

    A silly example can be that you might not know how to prevent SQL injections on your website, but a skill-set based off cryptography can protect your clients/users details on the database.

    Also, a little bit of advice for those who don’t know, you’re never ahead of hackers. It’s a game of catch-up, so always be prepared and have a plan if something does go tits-up.

    @Shayne O: Aaah, the Z80 :P I’ve still got my mother’s Sinclair Spectrum, a lovely processor!

    Thu 8th December, 2011 at 10:53 GMT
  32. VETUSA666

    Come on lolhax, either you’re just 100% lucky or one of the cyber crime team. Have you noticed that after typing the password into the website you get injected from clk.atdmt.com?

    vetusa666
    Egypt

    Thu 8th December, 2011 at 19:11 GMT
  33. Fred

    Get injected w/ a virus or watch program or what, my AV (Avira premium) did not detect anything.

    Fri 9th December, 2011 at 20:47 GMT
  34. Dan

    Very impressed.

    Sat 10th December, 2011 at 00:39 GMT
  35. FatMan

    Google Hack:

    site:www.canyoucrackit.co.uk

    receive 29 hits

    eventually get page “http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt”
    Contains keyword: “Pr0t3ct!on#cyber_security@12*12.2011+”

    Not quite the way they want you to do it but it works nonetheless

    Sat 10th December, 2011 at 16:38 GMT
  36. Ajit kumar

    Excellent work………learnt many new things and got food to work more……..
    All the best for your degree…….

    Tue 13th December, 2011 at 05:42 GMT
  37. Matt Bartlett

    Really good skills, I only found time to solve stage 1 but in a bit of a different way without writing any code. I put together a little video of my method http://www.youtube.com/watch?v=e1uIpBI9u6g

    Cheers
    Matt

    Tue 13th December, 2011 at 10:12 GMT
  38. FSHero

    Shayne O, Davee: thanks for the tips. I guess the key is “lifelong learning”!

    I am regarded by many friends and family as the go-to guy for computing, but I didn’t take it forward beyond casual use. Nor did I go into it at university. Still I discovered the Linux world recently and have learned much from that. I am happy with my skill levels, but would encourage any able young people to push yourselves; as demonstrated by Davee, you can achieve a lot!

    Davee: So playing video games really can have real-life uses! :)

    vetusa666: is there really a virus on the website? In that case, everyone’s been fooled; the real test was to *defend* yourself from it!

    Sun 18th December, 2011 at 23:36 GMT
  39. Shrubzzz

    any news of chronoswitch downgrader v 5.1???

    Tue 20th December, 2011 at 16:59 GMT
  41. firekid654

    Davee Nice work
    you should qualify!
    i just wanna know how you because so good at hacking/coding ?
    thanks
    –firekid654

    Sat 7th January, 2012 at 22:05 GMT
  42. firekid654

    soz i meant
    how you became so good at coding

    Fri 27th January, 2012 at 16:30 GMT
