Teddy Rogers Posted December 1, 2011

Crack the code and get a job working for GCHQ...

http://www.canyoucrackit.co.uk/

Ted.
Aguila Posted December 1, 2011 (edited)

what am I missing here? Any hint?

    #include <stdio.h>
    #include <stdint.h>

    /* Windows-style type names used below */
    typedef uint8_t  BYTE;
    typedef uint32_t DWORD;

    /* Print every printable character that XORs with this keystream byte */
    void bruteKey(int num, BYTE key)
    {
        char result = 0;
        printf("%d %X:\n", num, key);
        for (BYTE i = 0xA0; i < 0xFF; i++)
        {
            result = i ^ key;
            if (result >= 0x30 && result < 0x7B)
            {
                printf("%c ", result);
            }
        }
        printf("\n\n");
    }

    void hackit()
    {
        DWORD _EAX = 0;
        DWORD _EBX = 0;
        DWORD _EDX = 0;
        DWORD _ECX = 4;
        BYTE temp = 0;
        unsigned char table[] = {
            0xEF, 0x0A, 0x1B, 0xDD, 0x31, 0xA6, 0x02, 0x15, 0x3F, 0x1A, 0xAE, 0x7B, 0xE5, 0x36, 0x6B, 0x0B,
            0x57, 0x26, 0x30, 0xB8, 0xD9, 0x28, 0x24, 0x64, 0x0E, 0x42, 0x4A, 0xB5, 0xB0, 0xA3, 0xB3, 0x0D,
            0x01, 0x93, 0x4B, 0x69, 0x81, 0x38, 0x6D, 0x27, 0x03, 0x9B, 0xFC, 0x67, 0x5C, 0x60, 0xE6, 0x84,
            0xA0, 0xD4, 0x1E, 0xCA, 0xE7, 0x04, 0x98, 0x52, 0x51, 0x75, 0x35, 0x39, 0xBA, 0xE0, 0xEB, 0x83,
            0x8D, 0xBD, 0x65, 0x70, 0x74, 0x53, 0x66, 0x18, 0x76, 0x4F, 0x5F, 0x48, 0x61, 0x07, 0xC9, 0xCF,
            0x17, 0xF9, 0x40, 0x5A, 0x78, 0x1F, 0x68, 0x06, 0x34, 0xB6, 0xA8, 0x21, 0xBF, 0xEC, 0xB4, 0xC8,
            0x7E, 0xC3, 0xE1, 0x9C, 0x55, 0xD3, 0x2E, 0xF4, 0x82, 0x49, 0xC0, 0x4E, 0xB7, 0x2C, 0x73, 0xE4,
            0xE8, 0x91, 0xAD, 0x5B, 0x50, 0x77, 0x7C, 0x20, 0x9D, 0x08, 0xAA, 0x63, 0xFE, 0xB1, 0xDC, 0xF0,
            0x45, 0x8A, 0x0F, 0x85, 0xF8, 0xBE, 0xD8, 0xA5, 0x05, 0x3A, 0xB9, 0xCB, 0xF5, 0x54, 0x2D, 0x1D,
            0xC5, 0x37, 0x25, 0x4C, 0xDB, 0x97, 0xD7, 0xAF, 0x41, 0x6C, 0x92, 0x44, 0x8E, 0x99, 0x62, 0x10,
            0x0C, 0x87, 0x4D, 0xCC, 0xF6, 0x7A, 0xE3, 0xE9, 0x6A, 0x6E, 0xB2, 0x16, 0x8C, 0x90, 0x22, 0x5E,
            0xFA, 0x09, 0x00, 0xBB, 0xF7, 0xD1, 0x89, 0xD2, 0xD6, 0x80, 0x86, 0x29, 0x95, 0x33, 0xC2, 0x59,
            0xBC, 0x94, 0x8B, 0x8F, 0x23, 0x11, 0xAB, 0x19, 0xD5, 0x12, 0xE2, 0xFF, 0x43, 0xC7, 0x88, 0xC1,
            0xCD, 0xFD, 0x79, 0x2A, 0xEE, 0xDE, 0x71, 0xED, 0xF1, 0x9F, 0x96, 0xF2, 0xEA, 0xFB, 0xDA, 0x3B,
            0x6F, 0xDF, 0x47, 0x2B, 0x3E, 0xC4, 0x46, 0x14, 0x9E, 0xA1, 0x58, 0xAC, 0xA7, 0x7F, 0x7D, 0x32,
            0x1C, 0x5D, 0x2F, 0xA4, 0x13, 0xCE, 0xA9, 0xD0, 0xF3, 0x56, 0xA2, 0xC6, 0x3D, 0x3C, 0x9A, 0x72};

        do
        {
            _EAX++;
            _EAX &= 0xFF; //AL
            _EBX += table[_EAX];
            _EBX &= 0xFF; //BL
            _EDX = table[_EAX];
            temp = table[_EBX];
            _EDX += (temp << 8); //MOV DH,BYTE PTR DS:[ESI+EBX]
            table[_EAX] = ((_EDX >> 8) & 0xFF); //MOV BYTE PTR DS:[ESI+EAX],DH
            table[_EBX] = (_EDX & 0xFF); //MOV BYTE PTR DS:[ESI+EBX],DL
            _EDX = (((_EDX & 0xFF) + ((_EDX >> 8) & 0xFF)) & 0xFF);
            _EBX = table[_EDX];
            //_EDX = *pKey;
            //*pKey = (*pKey ^ table[_EDX]);
            bruteKey(_EAX, table[_EDX]);
            //pKey++;
        } while (_EAX <= 10);
    }

I don't have British nationality, so I will never get this job. Still a funny challenge.

Edited December 1, 2011 by Aguila
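The keystream loop from the post above, applied to a buffer the way its commented-out pKey lines suggest; this is an added example, not part of the original thread. The textbook RC4 key schedule, the key "Key" and the text "Plaintext" are assumptions, since the thread never shows how the 256-byte table was built. The first keystream byte equals standard RC4's; after that the second index is taken from the keystream byte, so the stream is generally not RC4's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Textbook RC4 key schedule. ASSUMPTION: the thread does not show how
   the table was initialised, so this part is illustrative only. */
static void ksa(uint8_t S[256], const uint8_t *key, size_t keylen) {
    for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (int i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keylen]) & 0xFF;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
}

/* The do/while loop from the post, XORed into a buffer.
   i plays the role of _EAX (AL), j the role of _EBX (BL). */
static void stream_xor(uint8_t S[256], uint8_t *buf, size_t len) {
    uint8_t i = 0, j = 0;
    for (size_t n = 0; n < len; n++) {
        i++;                                     /* _EAX++               */
        j = (uint8_t)(j + S[i]);                 /* _EBX += table[_EAX]  */
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t; /* swap via DL/DH       */
        uint8_t k = S[(uint8_t)(S[i] + S[j])];   /* table[_EDX]          */
        j = k;                                   /* _EBX = table[_EDX]   */
        buf[n] ^= k;                             /* *pKey ^= table[_EDX] */
    }
}

/* Encrypts msg, records the first ciphertext byte, then decrypts from the
   same starting table. Returns 1 when the plaintext comes back unchanged. */
int roundtrip(const char *key, const char *msg, uint8_t *first_ct) {
    uint8_t S[256], buf[64];
    size_t len = strlen(msg), klen = strlen(key);
    if (klen == 0 || len == 0 || len > sizeof buf) return 0;
    memcpy(buf, msg, len);
    ksa(S, (const uint8_t *)key, klen);
    stream_xor(S, buf, len);
    *first_ct = buf[0];
    ksa(S, (const uint8_t *)key, klen);          /* reset the table */
    stream_xor(S, buf, len);
    return memcmp(buf, msg, len) == 0;
}

int main(void) {
    uint8_t c0 = 0;
    int ok = roundtrip("Key", "Plaintext", &c0); /* constructed inputs */
    printf("first ciphertext byte %02X, round trip %s\n", c0, ok ? "ok" : "FAILED");
    return !ok;
}
```

The keystream depends only on the table, never on the data, so the same routine decrypts; listing printable candidates per keystream byte cannot narrow anything down without the ciphertext bytes to XOR against.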
rendari Posted December 1, 2011

Part 1 you use the shellcode given to decrypt the base64 encrypted string in the header of the PNG file. That takes you here:

http://www.canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js

You have to write a VM and execute it. It will print another HTTP GET that takes you here:

http://www.canyoucrackit.co.uk/da75370fe15c4148bd4ceec861fbdaa5.exe

Disassembling that now...
Aguila Posted December 1, 2011

> Part 1 you use the shellcode given to decrypt the base64 encrypted string in the header of the PNG file. that takes you here:

How did you find out that the picture is a part of the hackit? This sucks
deepzero Posted December 1, 2011

> how did you find out that the picture is a part of the hackit? This sucks

hehe, why else would they put it up as a pic, not plain text? But yeah, I fell for the trap too... spent like 30 minutes trying to think of a way to somehow bruteforce the data. But then I remembered this from another challenge... ESET I think it was... guess this is the "use all the information you have" part.
Killboy Posted December 1, 2011 (edited)

too little, too late

would've taken me years to figure that one out. Guess I'm not UK spy material :v

Edited December 1, 2011 by Killboy
rendari Posted December 1, 2011

Someone figured it out. The keyword is:

Pr0t3ct!on#cyber_security@12*12.2011+

http://volatile-minds.blogspot.com/2011/11/can-you-crack-it-nope-i-tried-though.html
rendari Posted December 1, 2011 (edited)

    00401167 |. 817D C8 676368> CMP DWORD PTR SS:[EBP-38],71686367
    0040116E |. 75 5F           JNZ SHORT keygen.004011CF

Check for gchq... rest of string have to figure out. Guess you have to bruteforce it. Comes out to

    0028CCB0  67 63 68 71 63 79 62 65  gchqcybe
    0028CCB8  72 77 69 6E              rwin

Note I did not do the bruteforcing.

Edited December 1, 2011 by rendari
rendari Posted December 1, 2011

Stuck on this URL. Tried entering DWORD constants provided throughout the problems:

http://canyoucrackit.co.uk/hqDTK7b8K2rvw/afc2bfa3/d2ab1f05/da13f110/key.txt

No luck...
chickenbutt Posted December 2, 2011

3 Russians and a Hungarian originally cracked it on IRC.. I think some people ripped their work.. It's just a layered puzzle, no decent obfusc or code-flow tricks. The Russians even did keygens..
Loki Posted December 2, 2011 (edited)

Was playing with this last week and got to the same place rendari did.

cyberwin is bruteforceable Unix(DES) as it truncates to 8 chars by design. Took me a minute with a dictionary attack.

Haven't yet been bothered to trawl through the other challenges to find 3 random dwords for bytes 12-24 though of the license.

Not sure what the Russians keygenned? :S The final half of license.txt can be random chars to pass the exe tests, but not to get the key file so keygenning that is pointless

Edited December 2, 2011 by Loki
rendari Posted December 2, 2011

http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt

You just have to keep inputting combinations of the 3 dwords until you find this and it works. Really ****ing stupid.

Well, that's the end of this challenge.

-rendari
Loki Posted December 5, 2011 (edited)

meh, stupid. So the first one is the dword that is jumped at the beginning of stage 1 (I tried this but got the endians wrong) and the second two are the firmware dwords from the VM.

Meh, glad I didn't waste hours trying to work that out. Thanks for posting the link rendari. Was interesting to know at least

Edited December 5, 2011 by Loki
skypeaful Posted December 5, 2011

Solution Can You Crack It by asOlOt (CrackSLatinoS)

http://www.mediafire.com/?r9ffea84fc5n2x4

Language: Spanish (You can use Google Translate texts)