Tuts 4 You

[crackme] GCHQ Challenge

Teddy Rogers


What am I missing here? Any hint?

#include <stdio.h>
typedef unsigned char BYTE; typedef unsigned int DWORD; // Windows types, so this builds without <windows.h>

void bruteKey(int num, BYTE key)
{
    printf("%d %X:\n", num, key);
    for (BYTE i = 0xA0; i < 0xFF; i++) {
        char result = i ^ key;                 // candidate plaintext byte for this keystream byte
        if (result >= 0x30 && result < 0x7B) printf("%c ", result);
    }
    printf("\n\n");
}

void hackit()
{
    DWORD _EAX = 0, _EBX = 0, _EDX = 0;       // _EBX/_EDX declarations and the do-loop header were lost in the post
    BYTE temp = 0;
    unsigned char table[] = {
        0xEF,0x0A,0x1B,0xDD,0x31,0xA6,0x02,0x15,0x3F,0x1A,0xAE,0x7B,0xE5,0x36,0x6B,0x0B,0x57,0x26,0x30,0xB8,0xD9,0x28,0x24,0x64,0x0E,0x42,0x4A,0xB5,0xB0,0xA3,0xB3,0x0D,
        0x01,0x93,0x4B,0x69,0x81,0x38,0x6D,0x27,0x03,0x9B,0xFC,0x67,0x5C,0x60,0xE6,0x84,0xA0,0xD4,0x1E,0xCA,0xE7,0x04,0x98,0x52,0x51,0x75,0x35,0x39,0xBA,0xE0,0xEB,0x83,
        0x8D,0xBD,0x65,0x70,0x74,0x53,0x66,0x18,0x76,0x4F,0x5F,0x48,0x61,0x07,0xC9,0xCF,0x17,0xF9,0x40,0x5A,0x78,0x1F,0x68,0x06,0x34,0xB6,0xA8,0x21,0xBF,0xEC,0xB4,0xC8,
        0x7E,0xC3,0xE1,0x9C,0x55,0xD3,0x2E,0xF4,0x82,0x49,0xC0,0x4E,0xB7,0x2C,0x73,0xE4,0xE8,0x91,0xAD,0x5B,0x50,0x77,0x7C,0x20,0x9D,0x08,0xAA,0x63,0xFE,0xB1,0xDC,0xF0,
        0x45,0x8A,0x0F,0x85,0xF8,0xBE,0xD8,0xA5,0x05,0x3A,0xB9,0xCB,0xF5,0x54,0x2D,0x1D,0xC5,0x37,0x25,0x4C,0xDB,0x97,0xD7,0xAF,0x41,0x6C,0x92,0x44,0x8E,0x99,0x62,0x10,
        0x0C,0x87,0x4D,0xCC,0xF6,0x7A,0xE3,0xE9,0x6A,0x6E,0xB2,0x16,0x8C,0x90,0x22,0x5E,0xFA,0x09,0x00,0xBB,0xF7,0xD1,0x89,0xD2,0xD6,0x80,0x86,0x29,0x95,0x33,0xC2,0x59,
        0xBC,0x94,0x8B,0x8F,0x23,0x11,0xAB,0x19,0xD5,0x12,0xE2,0xFF,0x43,0xC7,0x88,0xC1,0xCD,0xFD,0x79,0x2A,0xEE,0xDE,0x71,0xED,0xF1,0x9F,0x96,0xF2,0xEA,0xFB,0xDA,0x3B,
        0x6F,0xDF,0x47,0x2B,0x3E,0xC4,0x46,0x14,0x9E,0xA1,0x58,0xAC,0xA7,0x7F,0x7D,0x32,0x1C,0x5D,0x2F,0xA4,0x13,0xCE,0xA9,0xD0,0xF3,0x56,0xA2,0xC6,0x3D,0x3C,0x9A,0x72
    };
    do {
        _EAX++; _EAX &= 0xFF;                 //INC AL (increment reconstructed; without it the loop never advances)
        _EBX += table[_EAX];
        _EBX &= 0xFF;                         //BL
        _EDX = table[_EAX];
        temp = table[_EBX];
        _EDX += (temp << 8);                  //MOV DH,BYTE PTR DS:[ESI+EBX]
        table[_EAX] = ((_EDX >> 8) & 0xFF);   //MOV BYTE PTR DS:[ESI+EAX],DH
        table[_EBX] = (_EDX & 0xFF);          //MOV BYTE PTR DS:[ESI+EBX],DL
        _EDX = (((_EDX & 0xFF) + ((_EDX >> 8) & 0xFF)) & 0xFF);
        _EBX = table[_EDX];
        //_EDX = *pKey; //*pKey = (*pKey ^ table[_EDX]);
        bruteKey(_EAX, table[_EDX]); //pKey++;
    } while (_EAX <= 10);
}

I don't have British nationality, so I will never get this job. Still a funny challenge.

Edited by Aguila
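The "add BL, swap table[EAX]/table[EBX], index by the sum" loop emulated in the post above has the shape of the RC4 output step. As an added example (not the post's code and not the challenge's), here is plain RC4 in C with that step written register-free so the two can be compared side by side; the names rc4_ksa, rc4_prga_step, rc4_crypt and rc4_selftest are my own, and the self-test uses the two published RC4 test vectors.

```c
#include <string.h>
/* Added example, not the challenge's code: plain RC4, the cipher whose
   output loop the register emulation in the post reconstructs. */
typedef struct { unsigned char S[256]; unsigned char i, j; } rc4_state;

/* Key-scheduling: start from the identity permutation, scramble it with the key. */
void rc4_ksa(rc4_state *st, const unsigned char *key, size_t keylen)
{
    unsigned char j = 0;
    for (int n = 0; n < 256; n++) st->S[n] = (unsigned char)n;
    for (int n = 0; n < 256; n++) {
        j = (unsigned char)(j + st->S[n] + key[n % keylen]);
        unsigned char t = st->S[n]; st->S[n] = st->S[j]; st->S[j] = t;
    }
    st->i = 0; st->j = 0;
}

/* One output step: i++, j += S[i], swap S[i]<->S[j], emit S[(S[i]+S[j]) & 0xFF].
   Same dance as the AL/BL/DL/DH code in the post; i and j persist between calls. */
unsigned char rc4_prga_step(rc4_state *st)
{
    st->i = (unsigned char)(st->i + 1);
    unsigned char dl = st->S[st->i];          /* DL = table[i] */
    st->j = (unsigned char)(st->j + dl);      /* BL += DL */
    unsigned char dh = st->S[st->j];          /* DH = table[j] */
    st->S[st->i] = dh;                        /* table[i] = DH */
    st->S[st->j] = dl;                        /* table[j] = DL */
    return st->S[(unsigned char)(dl + dh)];   /* keystream byte */
}

/* XOR buf in place with the keystream; RC4 decryption is the same operation. */
void rc4_crypt(const unsigned char *key, size_t keylen, unsigned char *buf, size_t len)
{
    rc4_state st;
    rc4_ksa(&st, key, keylen);
    for (size_t n = 0; n < len; n++) buf[n] ^= rc4_prga_step(&st);
}

/* Checks two published RC4 test vectors: key "Key"/"Plaintext" -> BBF316E8D940AF0AD3
   and key "Wiki"/"pedia" -> 1021BF0420. Returns 1 if both match, else 0. */
int rc4_selftest(void)
{
    static const unsigned char exp1[] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    static const unsigned char exp2[] = {0x10,0x21,0xBF,0x04,0x20};
    unsigned char b1[] = "Plaintext", b2[] = "pedia";
    rc4_crypt((const unsigned char *)"Key", 3, b1, 9);
    rc4_crypt((const unsigned char *)"Wiki", 4, b2, 5);
    return memcmp(b1, exp1, 9) == 0 && memcmp(b2, exp2, 5) == 0;
}
```

If the post's loop really is RC4, feeding it the same post-KSA table should produce the same keystream bytes as rc4_prga_step; a mismatch points at whichever register update differs.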

Part 1: you use the shellcode given to decrypt the base64-encrypted string in the header of the PNG file. That takes you here:

How did you find out that the picture is a part of the hackit? This sucks


How did you find out that the picture is a part of the hackit? This sucks

Hehe, why else would they put it up as a pic, not plain text? ;)

But yeah, I fell for the trap too... spent like 30 minutes trying to think of a way to somehow bruteforce the data.

But then I remembered this from another challenge... ESET I think it was... guess this is the "use all the information you have" part.


Too little, too late :(

Would've taken me years to figure that one out. Guess I'm not UK spy material :v

Edited by Killboy

Someone figured it out. The keyword is:



00401167  |. 817D C8 676368>CMP DWORD PTR SS:[EBP-38],71686367
0040116E |. 75 5F JNZ SHORT keygen.004011CF

Check for gchq... the rest of the string you have to figure out. Guess you have to bruteforce it. Comes out to

0028CCB0 67 63 68 71 63 79 62 65 gchqcybe

0028CCB8 72 77 69 6E rwin

Note I did not do the bruteforcing.

Edited by rendari

Stuck on this URL. Tried entering DWORD constants provided throughout the problems:

No luck...


3 Russians and a Hungarian originally cracked it on IRC... I think some people ripped their work...

It's just a layered puzzle, no decent obfuscation or code-flow tricks. The Russians even did keygens...


Was playing with this last week and got to the same place rendari did.

cyberwin is bruteforceable Unix (DES) as it truncates to 8 chars by design. Took me a minute with a dictionary attack.

Haven't yet been bothered to trawl through the other challenges to find 3 random dwords for bytes 12-24 of the license though.

Not sure what the Russians keygenned? :S The final half of license.txt can be random chars to pass the exe tests, but not to get the key file, so keygenning that is pointless.

Edited by Loki

Meh, stupid. So the first one is the dword that is jumped at the beginning of stage 1 (I tried this but got the endianness wrong) and the second two are the firmware dwords from the VM.

Meh, glad I didn't waste hours trying to work that out. Thanks for posting the link rendari. Was interesting to know at least

Edited by Loki
