
Thanks to a Facebook message from my dad yesterday, I was informed of this website: Can you Crack it?. So, promptly, I got onto the job, and it was surprisingly easy; I imagine it will be for most people who can reverse engineer and have experience doing so.

Click read more to see how I did it, but I suggest you have a good attempt beforehand. It’s a nice little reverse engineering exercise.

SPOILER – THIS IS THE SOLUTION. RUN AWAY AND HIDE IF YOU WANT TO HAVE A GO YOURSELF.


Stage 1 – Reverse engineering and decryption
Ok, so from the main page, I wrote out all the hexadecimal into a binary file. Like this:

EB04AFC2BFA381EC0001000031C9880C0CFEC175F931C0BAEFBEADDE02040C00D0C1CA088A1C0C8A3C04881C04883C0CFEC175E8E95C00000089E381C3040000005C583D414141417543583D42424242753B5A89D189E689DF29CFF3A489DE89D189DF29CF31C031DB31D2FEC0021C068A14068A341E88340688141E00F230F68A1C168A1730DA8817474975DE31DB89D8FEC0CD809090E89DFFFFFF41414141

I sat around for a good few minutes just reading the hex. However, I noticed something! “EFBEADDE”. This is the little-endian storage of “0xDEADBEEF”. Tada, it’s probably code. So, shoving it into a disassembler, I got some nasty x86 code. After whimpering at the sight of it, I cracked on and reverse engineered the code into lovely C.

But there was something missing! In the x86, it does a near call, which pushes the return address onto the stack. This sneaky little program then pops this off the stack and sets it as the new top of stack. After the return address, a sneaky pop loads 0x41414141, the last 32-bit value in the file, and checks that it does equal that. Then it does another pop… wait a second. There is no more defined data, and it is looking for 0x42424242. So, realising I had copied the hex wrong, I set about correcting it. Except I didn’t copy it wrong; the data was truly missing! I checked the site source for any HTML comments; nothing. After downloading the PNG image on the website (the image with the hex data), I opened it up in a hex editor, and I recognised a base64 encoded message in the comments section, which indeed turned out to be the missing data!
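The two observations above (the little-endian 0xDEADBEEF marker, and the missing data hiding in a PNG text chunk as base64) as an added example; this is not the author’s program, and the PNG it builds is a constructed 1x1 stand-in for the challenge image, not the real file:

```python
import base64
import struct
import zlib

# Hex transcribed from the challenge page, exactly as quoted above.
STAGE1_HEX = "EB04AFC2BFA381EC0001000031C9880C0CFEC175F931C0BAEFBEADDE02040C00D0C1CA088A1C0C8A3C04881C04883C0CFEC175E8E95C00000089E381C3040000005C583D414141417543583D42424242753B5A89D189E689DF29CFF3A489DE89D189DF29CF31C031DB31D2FEC0021C068A14068A341E88340688141E00F230F68A1C168A1730DA8817474975DE31DB89D8FEC0CD809090E89DFFFFFF41414141"

def find_le_marker(blob: bytes, value: int) -> int:
    """Offset of `value` stored little-endian, or -1. 0xDEADBEEF shows up in the
    hex as EF BE AD DE, which is what gave away that the blob is x86 code."""
    return blob.find(struct.pack("<I", value))

def trailing_word(blob: bytes) -> int:
    """Last 32-bit LE word of the blob: what the code pops and compares with 0x41414141."""
    return struct.unpack("<I", blob[-4:])[0]

def png_text_chunks(png: bytes):
    """Yield (keyword, text) for every tEXt/iTXt chunk, checking lengths and CRCs."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk at offset {pos}")
        if ctype == b"tEXt":
            keyword, _, text = data.partition(b"\x00")
            yield keyword.decode("latin-1"), text
        elif ctype == b"iTXt":
            keyword, _, rest = data.partition(b"\x00")
            compressed, rest = rest[0], rest[2:]          # compression flag, then method
            _lang, _, rest = rest.partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            yield keyword.decode("latin-1"), zlib.decompress(text) if compressed else text
        pos += 12 + length

def hidden_base64_payloads(png: bytes) -> list:
    """(keyword, decoded bytes) for each text chunk that is valid base64; others are skipped."""
    found = []
    for keyword, text in png_text_chunks(png):
        try:
            found.append((keyword, base64.b64decode(b"".join(text.split()), validate=True)))
        except ValueError:            # binascii.Error is a ValueError: not base64, ignore
            pass
    return found

def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_sample_png(comment: bytes) -> bytes:
    """Constructed 1x1 greyscale PNG carrying `comment` in a tEXt chunk (stand-in for the real image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")                   # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Comment\x00" + comment)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
```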

So further analysis proved that I had all the data required to decrypt and complete this puzzle. I wrote this program to do it:

It successfully decrypted the message, and decrypt.bin contained: “GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1”. Ok, maybe I’m not done; following this GET request I got to “stage 2”: a VM in JavaScript.


Stage 2 – JavaScript VM
This is kind of like an emulator: you get a description of a “processor” and you follow the specification. If you do it correctly, you get the answer. Easy.

I started off simply decoding the instructions and writing them to a file, like a disassembly. Then, once I was happy that it was decoding correctly, I scraped together a simple tool to interpret the instructions and then dump everything. Code below:

Then output_hex.bin contained another GET request: “GET /da75370fe15c4148bd4ceec861fbdaa5.exe HTTP/1.0”. Ok, cool.


Stage 3 – License check
After downloading and having a quick peek at the assembly, I saw it didn’t do that much. After running, it moaned about no hostname, so naturally I set it to “canyoucrackit.co.uk”. BAM, it screamed at me again, complaining about a license.txt.

I fully disassembled the executable and quickly found the check: it was doing a scanf of a string from the license onto the stack and performing a check of the first 4 bytes.

This check looked for the values 67 63 68 71 in LE. This translates to “gchq”, a UK government organisation. Regardless, I stormed through the rest of the code and saw that it does a “crypt” call on license + 4, with a salt (or key, or w/e).

/* Traditional DES crypt(3): only the first two characters of the second
   argument ("hq") act as the salt, and the 13-character result begins with
   that salt, so the output is compared against the full stored hash. */
char *c = crypt(license + 4, "hqDTK7b8K2rvw");

if (strcmp(c, "hqDTK7b8K2rvw") == 0)
{
	valid_license = 1;
}

Now, I know for a fact that crypt is a one-way function, so I didn’t bother trying to figure out the original license text needed. If you guys know me, I like exploits, and I saw one earlier on as well. I jumped right back to the “scanf” call onto the stack and checked if I could cause a buffer overflow. It turned out I could! valid_license was stored further on the stack, so overflowing with a big string can set valid_license to non-zero, passing that check! Huzzah!

I used this license:

gchq------------lolhax.org------Davee-----------

So now, running the application I got this result:

keygen.exe

loading stage1 license key(s)...
loading stage2 license key(s)...

request:

GET /hqDTK7b8K2rvw/2d2d2d2d/686c6f6c/6f2e7861/key.txt HTTP/1.0

response:

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 02 Dec 2011 23:44:59 GMT
Connection: close
Content-Length: 315

Not Found
HTTP Error 404. The requested resource is not found.

Error 404, odd. It tried to request “GET /hqDTK7b8K2rvw/2d2d2d2d/686c6f6c/6f2e7861/key.txt HTTP/1.0”. I recognised those hex values. The first one looked like the hash check; the 2d2d2d2d, 686c6f6c and 6f2e7861 looked like data out of my license file. After confirming with the assembly, this was true. The format of the license was:

[4 bytes header]
[8 bytes password]
[4 bytes first hex]
[4 bytes second hex]
[4 bytes third hex]
[0x18 bytes to bypass check]
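The license layout above, the bounded parse the binary should have done instead of an unchecked scanf, and the way the three words end up in the request path, as an added example (not the author’s code or the challenge binary). The hash component is passed in because Python 3.13 has no crypt module; the position of valid_license within the 0x18 trailing bytes is an assumption, since the post does not give it:

```python
import struct

HEADER_WORD = 0x71686367      # bytes 67 63 68 71 ("gchq") read as a little-endian uint32
LICENSE_LEN = 24              # 4 header + 8 password + three 4-byte words
BYPASS_LEN = 0x18             # extra bytes the post's license carries past the real format
LICENSE_FMT = "<I8sIII"

# The license used in the post, built piecewise so the field boundaries are visible.
SAMPLE_LICENSE = b"gchq" + b"-" * 12 + b"lolhax.org" + b"-" * 6 + b"Davee" + b"-" * 11

def parse_license(data: bytes) -> dict:
    """Bounded parse of the license format worked out in the post: anything other
    than the 24 defined bytes is rejected rather than copied onto the stack."""
    if len(data) != LICENSE_LEN:
        raise ValueError(f"license must be exactly {LICENSE_LEN} bytes, got {len(data)}")
    header, password, w1, w2, w3 = struct.unpack(LICENSE_FMT, data)
    if header != HEADER_WORD:
        raise ValueError("header is not 'gchq'")
    return {"password": password, "words": (w1, w2, w3)}

def is_well_formed(data: bytes) -> bool:
    try:
        parse_license(data)
        return True
    except ValueError:
        return False

def build_key_request(lic: dict, crypt_hash: str) -> str:
    """The GET line the binary sends: crypt() of the password, then each word as %08x.
    crypt_hash is supplied by the caller; the post shows it as hqDTK7b8K2rvw."""
    w1, w2, w3 = lic["words"]
    return f"GET /{crypt_hash}/{w1:08x}/{w2:08x}/{w3:08x}/key.txt HTTP/1.0"

def model_unbounded_read(data: bytes) -> int:
    """Toy model of the bug: scanf("%s") copies the whole string into a 24-byte stack
    buffer. valid_license is ASSUMED to be the last 4 bytes of the 0x18 bytes after
    the buffer (the post gives no exact offset). Returns what valid_license ends up as."""
    frame = bytearray(LICENSE_LEN + BYPASS_LEN)     # buffer plus the locals above it, all zero
    data = data[:len(frame)]                         # the model stops at the frame edge
    frame[:len(data)] = data                         # no length check: writes past the buffer
    return int.from_bytes(frame[-4:], "little")
```

A 24-byte license leaves valid_license at zero in the model, while the 48-byte one from the post overwrites it with 0x2d2d2d2d, which is exactly why the bounded parser refuses the longer input.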

Now, what the hell were these 4-byte values? They weren’t inside the application. I sat around, stressing over what these numbers were. I guessed a few, of course; no luck. After a nice chill and a cup of tea, it struck me. There was a spare value in the first executable, which the program just jumped over. There was also the VM’s firmware version, which was not used. These 3 unreferenced values may be the answer!

So I plugged them in, and what do you know! I didn’t get the answer. Such a perfect scenario, but I still fell victim to this challenge.

Later on, though, I thought I should try plugging it into the browser… well, what do you know. It worked.


Completed
The winners’ page takes you to an application form to apply for a position within GCHQ. Shame I don’t have a degree yet 😛

How about that, eh? It’s a nice little challenge and I hope you all attempted it your best before reading this!

– Davee

PS: due a grammar/spell check tomorrow.

About The Author

I am a 21 year old programmer from Scotland, studying Computer and Electronic Systems at Strathclyde University.

46 Comments

  1. Yeah a bit tricky but didn’t take too long.

    Here was my step 2 vm in javascript:

    http://www.hughe.co.uk/canyoucrackit2.html

  2. Good work!

    You said “Shame I don’t have a degree yet”

    but they say

    “So, whether you’ve got a relevant technical degree or you’ve developed your own expertise, you could really make a difference. Join our mission”.

    Looks like you qualify!!!

    Go for it…..

  3. Thank you for the kind comments! hughe, I’m totally loving the javascript implementation! Looks awesome 😛

  4. Since people seem to crack the code relatively easily while at the same time they say they will only hire 35 people, what if it is a trick and they want you to somehow crack the website? Rather than the code. What do you think?

    P.S. I have no experience in hacking or cracking (other than lockpicking of course :P)

  5. I gave this a go but failed. I think my progress as a spy will be limited to mixing my martinis shaken, not stirred. http://dasteepsspeaks.blogspot.com/2011/12/can-you-crack-it.html

  6. I’m just a locksmith.
    This is far too difficult for me.
    However, I can open damn near any lock in about 10-15 seconds!!

  7. “Shame I don’t have a degree yet”?
    I wouldn’t bother about that. Apply!

  8. Good work Davee, very impressive

  9. How did you get the knowledge to resolve this challenge?

  10. Hey Davee, you’re pretty good to have done it all by yourself – which I reckon you did looking at the code. Now see if you can solve the next part as alluded to by this article:

    The Inquirer (http://s.tt/14uit)
    “In a statement GCHQ said that this was only one of the many ways in which users could crack the code …. The website you refer to is part of the path that a successful code-cracker will follow … ”

    I’m sure you’ve noticed the unused chunks of memory in the VM, decrypted non-zero but unused bytes around the 0x130 address and what the real meaning of the firmware is, if the /soyoudidit.asp page was just an all too obvious honeypot?

    Look forward to your future post!

  11. Yeah, too bad you have to be a British citizen though. Dave, you’re pretty cool.

  12. Dave,

    I got this from deadbeef:

    00000000 20EF and bh,ch
    00000002 BE db 0xBE
    00000003 AD lodsd
    00000004 DE db 0xDE

    When I tried it myself I got this far with it:
    http://pastebin.com/N7Q8XcGP

    Your deadbeef part above lost me. I kinda gave up after I got this far then I ran into your blog here.

    It’s amazing you figured all that out. I’ve been working on and off on it for a bit now.

  13. Hey Davee can you email me I have a few questions. Nothing big. Please email asap. Thanks.

  14. OK, so (without reading this in depth) I’m thinking that, like the Navaho during WWII, hiding raw code that was in, say COBOL or an arcane assembler like DEC or DGC’s, then most of the people who can read it in Hex, Octal or binary (or even radix 50) will be dead.

  15. /* rage */
    return printf("fuuuuuuuuuuuuuuuuu (aka cant open decrypt.bin)\n");
    }

    Only part I really understood.

  16. I figured it out without using this tutorial,

    It’s :

    Pr0t3ct!on#cyber_security@12*12.2011+

  17. Nice, but…

    …the very first part could have taken only 2 minutes, if you just assembled the executable, ran it through a debugger, and read the decrypted string directly from the memory…

  18. Nice piece of information. Good work. I hope you’ve applied by now?

  19. Crypto,

    I found this tag in the .png “iTXt”

    Which according to a reference I used states:

    <>

    If we look at the XMP format we see:

    <>

    This states why Dave thought it was Base64 encoded. I should have seen it. Blah…

    Ref Used: Unknown because of challenge.. 😛

  20. Not bad. Now finish this one off and we’ll really be impressed.

    http://www.austininc.com/SciRealm/KryptosPart4.html

  21. I just thought I’d have a wild guess but didn’t get anywhere. I’m in college doing catering.

  22. Wow you get the job! FWIW a very simple alternative method, which took me about 20 seconds, so I guess you could say I cheated :) was this …
    I typed this into Google search:
    * site:http://www.canyoucrackit.co.uk
    which provided me with a list of available pages & I noticed one called key.txt
    http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt
    so I opened it up & hey presto there was the password!
    Simples!

  23. Hey,
    I got a link to this from my 12yo daughter. Started explaining to her what to look for and what the data means. Due to work load didn’t have the time to try to reverse engineer this and simple attempts didn’t lead anywhere. I found your post and love the degree of effort you have put in and your coding and decoding skills.
    I do not know what you do, but there are plenty of openings here at Microsoft for such skills. If you are interested, contact me and I will see if we can setup an interview in my team at the least. :)

  24. Hi there,

    I am currently studying at the University of Strathclyde, Glasgow. So, if anything, it would have to be summer placement or part time or something as I do wish to complete my degree.

    If you wish to contact me, you can grab my email from the “about” page.

  25. Hey,

    Found the link to the can-you-crack-it surfing, and sent it to a few codemonkeys I know. That’s as far as my 40 year old skills could take me. One of them sent me back your solution and we were all immediately a) impressed, and b) depressed ;). You did what they couldn’t, and I couldn’t attempt. Well done!

    Definitely get your degree and pursue your interests. Don’t pass up the opportunities to apply or talk with some of the folks that offer, though. Information, assistance, and like-minded brains can spur your self-education and direction of interest more than you know. As someone who won’t get to do those things, I hope you do.

    Be well, do well, and have fun!

    Kindest, Chris

  26. I wish I could learn how to code like that. I will take it up in college, for now I am just sitting on knowledge of how binary works….

  27. Thank you for the kind words Chris! I’ll definitely take what you’ve said on-board! Much appreciated!

    @Fred, Ah the programmers puzzle. Life is too short for “i wish” unfortunately. You should buy a book or access an online resource and just play around with a language or a VM. You’ll get to grips with how things work. It will all add up together and with that knowledge you can apply it to a real problem. Either directly, or indirectly.

  28. Hi Davee, this is an excellent solution; well explained too (to those who can understand it — not me :P), which is important as it shows your thought process.

    I would like to pose you a question that someone else above posed: how did you (without studying for a degree in computer science/equivalent) acquire the skills to be able to do this? There’s a lot of specialised skills needed from what I can see: e.g. reverse engineering code, debugging, assembly language, etc.

    I thought I’d give it a try for a laugh: I did simple stuff like convert to decimal, run it through two’s complement, render the binary as ‘art’, render the hex on the website as XBM, get Firefox to interpret the hex (converted to ASCII) as various character encodings… I feel stupid now!

    Good luck if you manage to get the job; serve our country well!

  29. @FSHero: By being REALLY interested in how your computer works and slugging through arcane texts on assembly and C. Same stuff my generation did with old Z80 machines because we didn’t have much choice but to.

    Whatever the case is, our young codebreaker is one very very promising dude, and if I had the money I’d be hounding him to work for me.

    But I don’t so I can merely give a standing ovation!

  30. @FSHero: Shayne is right, it’s just a hobby of mine. I started programming quite young and got involved in various communities around the internet. There are so many resources on the internet and so much open source code that you can learn from lots of people’s.

    Getting involved is key, you meet a bunch of professionals who can pass on tips and suggestions to your work and even if you get the chance to talk to a manufacturer or developer of a tool, you can learn about undocumented or poorly documented functionality (legality permitting).

    As for the security and cryptography stuff, I got involved with the PSP which obviously applies both of these. I read up lots of poorly written documentation on security vulnerabilities in older devices such as gameboy, xbox, ps1, ps2 etc and the history of recent PSP vulnerabilities. From there, you knew a lovely base-set of skills that can be applied to almost any system.

    After that, it’s just research and development. You keep trying stuff out, you apply it to different systems and you keep yourself up to date. Nowadays, everything is online and the growing trend is Cloud services. Which means a LOT of personal and important information is stored remotely and cyber security is critical.

    This isn’t learned over a week, or even a year. It’s a long process and it doesn’t stop. It’s difficult even for a single person to keep up to date on cyber threats and problems, which is why more and more corporations are working together.

    To conclude, if you want to get into security, get involved, learn about cryptography, learn about history (history DOES repeat itself; frequently), develop a base skill-set and keep up to date on current affairs. You can’t possibly study everything and you will never know it all, so a base skill-set is a good stand point.

    A silly example can be that you might not know how to prevent SQL injections on your website, but a skill-set based off cryptography can protect your clients/users details on the database.

    Also, a little bit of advice for those who don’t know: you’re never ahead of hackers. It’s a game of catch-up, so always be prepared and have a plan if something does go tits-up.

    @Shayne O: Aaah, the Z80 😛 I’ve got my mother’s Sinclair Spectrum still, a lovely processor!

  31. C’mon lolhax, either you’re just 100% lucky or one of the cyber crime team. Have you noticed that after typing the password into the website you get injected from clk.atdmt.com?

    vetusa666
    Egypt

  32. Get injected w/ a virus or watch program or what, my AV (Avira premium) did not detect anything.

  33. Google Hack:

    site:www.canyoucrackit.co.uk

    receive 29 hits

    eventually get page “http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt”
    Contains keyword: “Pr0t3ct!on#cyber_security@12*12.2011+”

    Not quite the way they want you to do it but it works nonetheless

  34. Excellent work………learnt many new things and got food to work more……..
    All the best for your degree…….

  35. Really good skills, I only found time to solve stage 1 but in a bit of a different way without writing any code. I put together a little video of my method http://www.youtube.com/watch?v=e1uIpBI9u6g

    Cheers
    Matt

  36. Shayne O, Davee: thanks for the tips. I guess the key is “lifelong learning”!

    I am regarded by many friends and family as the go-to guy for computing, but I didn’t take it forward beyond casual use. Nor did I go into it at university. Still I discovered the Linux world recently and have learned much from that. I am happy with my skill levels, but would encourage any able young people to push yourselves; as demonstrated by Davee, you can achieve a lot!

    Davee: So playing video games really can have real-life uses! :)

    vetusa666: is there really a virus on the website? In that case, everyone’s been fooled; the real test was to *defend* yourself from it!

  37. any news of chronoswitch downgrader v 5.1???

  39. Davee Nice work
    you should qualify!
    i just wanna know how you because so good at hacking/coding ?
    thanks
    –firekid654

  40. soz i meant
    how you became so good at coding
