
Can You Crack It?

Can you crack it?

cyber.png

My OCR makes that:

eb 04 af c2 bf a3 81 ec 00 01 00 00 31 c9 88 0c
0c fe c1 75 f9 31 c0 ba ef be ad de 02 04 0c 00
d0 c1 ca 08 8a 1c 0c 8a 3c 04 88 1c 04 88 3c 0c
fe c1 75 e8 e9 5c 00 00 00 89 e3 81 c3 04 00 00
00 5c 58 3d 41 41 41 41 75 43 58 3d 42 42 42 42
75 3b 5a 89 d1 89 e6 89 df 29 cf f3 a4 89 de 89
d1 89 df 29 cf 31 c0 31 db 31 d2 fe c0 02 1c 06
8a 14 06 8a 34 1e 88 34 06 88 14 1e 00 f2 30 f6
8a 1c 16 8a 17 30 da 88 17 47 49 75 de 31 db 89
d8 fe c0 cd 80 90 90 e8 9d ff ff ff 41 41 41 41

If you want a job as a spook...

Comments

My first thought is hexadecimal, as it looks like the 'numbers' I used to get when loading programs off tape into my BBC computer back in the day. Beyond that, not a clue.

It's just some hex, no? Looks like stuff I remember when in 1995 I had to edit the master-boot-record of a DOS machine!

This is x86 code. The code is some RC4 lookalike algo. You just have to find the data to decrypt :)

// code to dump the decrypted memory:
static const char dump_mem[] = {
    0xba, 0x31, 0x00, 0x00, 0x00, // mov edx, 0x31 (number of bytes to write)
    0x8d, 0x4f, 0xce,             // lea ecx, [edi-0x32] (edi is past the end of the decrypted buffer)
    0x31, 0xdb,                   // xor ebx, ebx
    0x43,                         // inc ebx (fd 1 = stdout)
    0x31, 0xc0,                   // xor eax, eax
    0xb0, 0x04,                   // mov al, 0x4 - sys_write
    0xcd, 0x80,                   // int 0x80
    0x31, 0xdb,                   // xor ebx, ebx
    0x43,                         // inc ebx
    0x31, 0xd2,                   // xor edx, edx
    0x42,                         // inc edx (write 1 byte)
    0x68, 0x0a, 0x00, 0x00, 0x00, // push 0xa (newline)
    0x8d, 0x0c, 0x24,             // lea ecx, [esp]
    0xb8, 0x04, 0x00, 0x00, 0x00, // mov eax, 0x4
    0xcd, 0x80,                   // int 0x80 - sys_write
    0x31, 0xdb,                   // xor ebx, ebx (exit status 0)
    0x31, 0xc0,                   // xor eax, eax
    0x40,                         // inc eax
    0xcd, 0x80,                   // int 0x80 - sys_exit
};

GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1

Is in the comment of the png file

No idea if anyone wants to know this or if it is even useful, but the max length of the password is 16

input type="password" size="16" value="" id="enter" name="enter"

How about pixel colours?

http://www.canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js

Hidden page on their website. Useful?

hmm in that case we need to find the key [secret]

ima try guessing

If it's x86 then part of it is data because not all of it makes sense as x86 instructions. Here's what objdump says in i386 mode (but it doesn't say where execution is supposed to start):

$ objdump -D -b binary -mi386 -Maddr16,data16 code

code: file format binary


Disassembly of section .data:

00000000 :
0: eb 04 jmp 0x6
2: af scas %es:(%di),%ax
3: c2 bf a3 ret $0xa3bf
6: 81 ec 00 01 sub $0x100,%sp
a: 00 00 add %al,(%bx,%si)
c: 31 c9 xor %cx,%cx
e: 88 0c mov %cl,(%si)
10: 0c fe or $0xfe,%al
12: c1 (bad)
13: 75 f9 jne 0xe
15: 31 c0 xor %ax,%ax
17: ba ef be mov $0xbeef,%dx
1a: ad lods %ds:(%si),%ax
1b: de 02 fiadd (%bp,%si)
1d: 04 0c add $0xc,%al
1f: 00 d0 add %dl,%al
21: c1 ca 08 ror $0x8,%dx
24: 8a 1c mov (%si),%bl
26: 0c 8a or $0x8a,%al
28: 3c 04 cmp $0x4,%al
2a: 88 1c mov %bl,(%si)
2c: 04 88 add $0x88,%al
2e: 3c 0c cmp $0xc,%al
30: fe c1 inc %cl
32: 75 e8 jne 0x1c
34: e9 5c 00 jmp 0x93
37: 00 00 add %al,(%bx,%si)
39: 89 e3 mov %sp,%bx
3b: 81 c3 04 00 add $0x4,%bx
3f: 00 00 add %al,(%bx,%si)
41: 5c pop %sp
42: 58 pop %ax
43: 3d 41 41 cmp $0x4141,%ax
46: 41 inc %cx
47: 41 inc %cx
48: 75 43 jne 0x8d
4a: 58 pop %ax
4b: 3d 42 42 cmp $0x4242,%ax
4e: 42 inc %dx
4f: 42 inc %dx
50: 75 3b jne 0x8d
52: 5a pop %dx
53: 89 d1 mov %dx,%cx
55: 89 e6 mov %sp,%si
57: 89 df mov %bx,%di
59: 29 cf sub %cx,%di
5b: f3 a4 rep movsb %ds:(%si),%es:(%di)
5d: 89 de mov %bx,%si
5f: 89 d1 mov %dx,%cx
61: 89 df mov %bx,%di
63: 29 cf sub %cx,%di
65: 31 c0 xor %ax,%ax
67: 31 db xor %bx,%bx
69: 31 d2 xor %dx,%dx
6b: fe c0 inc %al
6d: 02 1c add (%si),%bl
6f: 06 push %es
70: 8a 14 mov (%si),%dl
72: 06 push %es
73: 8a 34 mov (%si),%dh
75: 1e push %ds
76: 88 34 mov %dh,(%si)
78: 06 push %es
79: 88 14 mov %dl,(%si)
7b: 1e push %ds
7c: 00 f2 add %dh,%dl
7e: 30 f6 xor %dh,%dh
80: 8a 1c mov (%si),%bl
82: 16 push %ss
83: 8a 17 mov (%bx),%dl
85: 30 da xor %bl,%dl
87: 88 17 mov %dl,(%bx)
89: 47 inc %di
8a: 49 dec %cx
8b: 75 de jne 0x6b
8d: 31 db xor %bx,%bx
8f: 89 d8 mov %bx,%ax
91: fe c0 inc %al
93: cd 80 int $0x80
95: 90 nop
96: 90 nop
97: e8 9d ff call 0x37
9a: ff (bad)
9b: ff 41 41 incw 0x41(%bx,%di)
9e: 41 inc %cx
9f: 41 inc %cx

Actually it makes more sense if you DON'T assume 16-bit:

$ objdump -D -b binary -mi386 code

code: file format binary


Disassembly of section .data:

00000000 :
0: eb 04 jmp 0x6
2: af scas %es:(%edi),%eax
3: c2 bf a3 ret $0xa3bf
6: 81 ec 00 01 00 00 sub $0x100,%esp
c: 31 c9 xor %ecx,%ecx
e: 88 0c 0c mov %cl,(%esp,%ecx,1)
11: fe c1 inc %cl
13: 75 f9 jne 0xe
15: 31 c0 xor %eax,%eax
17: ba ef be ad de mov $0xdeadbeef,%edx
1c: 02 04 0c add (%esp,%ecx,1),%al
1f: 00 d0 add %dl,%al
21: c1 ca 08 ror $0x8,%edx
24: 8a 1c 0c mov (%esp,%ecx,1),%bl
27: 8a 3c 04 mov (%esp,%eax,1),%bh
2a: 88 1c 04 mov %bl,(%esp,%eax,1)
2d: 88 3c 0c mov %bh,(%esp,%ecx,1)
30: fe c1 inc %cl
32: 75 e8 jne 0x1c
34: e9 5c 00 00 00 jmp 0x95
39: 89 e3 mov %esp,%ebx
3b: 81 c3 04 00 00 00 add $0x4,%ebx
41: 5c pop %esp
42: 58 pop %eax
43: 3d 41 41 41 41 cmp $0x41414141,%eax
48: 75 43 jne 0x8d
4a: 58 pop %eax
4b: 3d 42 42 42 42 cmp $0x42424242,%eax
50: 75 3b jne 0x8d
52: 5a pop %edx
53: 89 d1 mov %edx,%ecx
55: 89 e6 mov %esp,%esi
57: 89 df mov %ebx,%edi
59: 29 cf sub %ecx,%edi
5b: f3 a4 rep movsb %ds:(%esi),%es:(%edi)
5d: 89 de mov %ebx,%esi
5f: 89 d1 mov %edx,%ecx
61: 89 df mov %ebx,%edi
63: 29 cf sub %ecx,%edi
65: 31 c0 xor %eax,%eax
67: 31 db xor %ebx,%ebx
69: 31 d2 xor %edx,%edx
6b: fe c0 inc %al
6d: 02 1c 06 add (%esi,%eax,1),%bl
70: 8a 14 06 mov (%esi,%eax,1),%dl
73: 8a 34 1e mov (%esi,%ebx,1),%dh
76: 88 34 06 mov %dh,(%esi,%eax,1)
79: 88 14 1e mov %dl,(%esi,%ebx,1)
7c: 00 f2 add %dh,%dl
7e: 30 f6 xor %dh,%dh
80: 8a 1c 16 mov (%esi,%edx,1),%bl
83: 8a 17 mov (%edi),%dl
85: 30 da xor %bl,%dl
87: 88 17 mov %dl,(%edi)
89: 47 inc %edi
8a: 49 dec %ecx
8b: 75 de jne 0x6b
8d: 31 db xor %ebx,%ebx
8f: 89 d8 mov %ebx,%eax
91: fe c0 inc %al
93: cd 80 int $0x80
95: 90 nop
96: 90 nop
97: e8 9d ff ff ff call 0x39
9c: 41 inc %ecx
9d: 41 inc %ecx
9e: 41 inc %ecx
9f: 41 inc %ecx

Looks like I stumbled across a slight security flaw in the CMS software you're using: I posted 2 comments (the first one was the output of -objdump with -Maddr16,data16 and then I posted a second comment dropping the -Maddr16,data16) .. the first comment was kept for moderation, but the second one went straight through (even before the first one was OK'd).

It's simple maths, don't try to complicate the matter, 0-9 = 10, a-f = 6, break down repetitive values, and go from there... I've solved it :-)

(re-posting because I forgot to type 'Harry') It's entirely possible that the program code IS the encrypted data. There are some very awkward bits of programming there (such as the use of CALL for JMP, i.e. don't care about leaving rubbish on the stack, and possibly undefined behaviour at the end of the message, not to mention unused instructions from 0x02-0x06), so it's possible that whoever set this had to "mess it up" until the code bytes were also valid as encrypted data.

Some hints that might help you go further: for a start, check the image with something like xnview and you will get a base64 encoded string. That's the key you're looking for.

Ah yes:

$ python
>>> import base64
>>> open("data","w").write(base64.decodestring(open('cyber.png').read()[106:187]))
>>> quit()
$ hexdump data
0000000 4242 4242 0032 0000 d891 6df1 2070 ab3a
0000010 9a67 c40b fb91 66c7 fc0f cccd 02b4 d7fa
0000020 b477 3854 1fab e30e d38e eb0d c399 fe93
0000030 2bd1 111b 11c6 c8ef 2fca

Notice the 42424242 which is also mentioned in the code.

Had a good go at it, still haven't got a clue lol

http://pastebin.com/cqzbkw4H

Well if part 2 is just the base64 string then we have more than enough clues already:

static char part2[] = {0x42,0x42,0x42,0x42,0x32,0x0,0x0,0x0,0x91,0xd8,0xf1,0x6d,0x70,0x20,0x3a,0xab,0x67,0x9a,0xb,0xc4,0x91,0xfb,0xc7,0x66,0xf,0xfc,0xcd,0xcc,0xb4,0x2,0xfa,0xd7,0x77,0xb4,0x54,0x38,0xab,0x1f,0xe,0xe3,0x8e,0xd3,0xd,0xeb,0x99,0xc3,0x93,0xfe,0xd1,0x2b,0x1b,0x11,0xc6,0x11,0xef,0xc8,0xca,0x2f};

The program as written runs only on 32-bit Linux.

$ ./a.out
[*] allocating page aligned memory
[*] setting page permissions
[*] copying payload
[*] adding dump_mem payload
[*] executing payload..

GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1

.... and that's just the hidden page that was mentioned earlier.

You have to edit that .js file and implement the VM.exec function as described in the comments.

// code to dump the decrypted memory:
static const char dump_mem[] = {
    0xba, 0x31, 0x00, 0x00, 0x00, // mov edx, 0x31 (number of bytes to write)
    0x8d, 0x4f, 0xce,             // lea ecx, [edi-0x32] (edi is past the end of the decrypted buffer)
    0x31, 0xdb,                   // xor ebx, ebx
    0x43,                         // inc ebx (fd 1 = stdout)
    0x31, 0xc0,                   // xor eax, eax
    0xb0, 0x04,                   // mov al, 0x4 - sys_write
    0xcd, 0x80,                   // int 0x80
    0x31, 0xdb,                   // xor ebx, ebx
    0x43,                         // inc ebx
    0x31, 0xd2,                   // xor edx, edx
    0x42,                         // inc edx (write 1 byte)
    0x68, 0x0a, 0x00, 0x00, 0x00, // push 0xa (newline)
    0x8d, 0x0c, 0x24,             // lea ecx, [esp]
    0xb8, 0x04, 0x00, 0x00, 0x00, // mov eax, 0x4
    0xcd, 0x80,                   // int 0x80 - sys_write
    0x31, 0xdb,                   // xor ebx, ebx (exit status 0)
    0x31, 0xc0,                   // xor eax, eax
    0x40,                         // inc eax
    0xcd, 0x80,                   // int 0x80 - sys_exit
};
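Putting the "RC4 lookalike" reading of the disassembly together with the part2[] bytes from the PNG comment, here is an added Python re-implementation (my code, not any commenter's). It assumes the loop at 0x1c is a standard RC4 key schedule keyed with the little-endian bytes of 0xdeadbeef, and that the loop at 0x6b is RC4's output loop except that `mov bl,[esi+edx]` overwrites j with the keystream byte; the expected plaintext is the GET line shown above.

```python
import struct

# Assumed from the mov edx,0xdeadbeef / ror edx,8 lines: key bytes ef be ad de.
KEY = struct.pack("<I", 0xDEADBEEF)

# part2[] as decoded from the PNG comment above: "BBBB" magic, little-endian
# length 0x32, then 50 bytes of ciphertext.
PART2 = bytes([
    0x42,0x42,0x42,0x42,0x32,0x00,0x00,0x00,
    0x91,0xd8,0xf1,0x6d,0x70,0x20,0x3a,0xab,0x67,0x9a,0x0b,0xc4,0x91,0xfb,0xc7,0x66,
    0x0f,0xfc,0xcd,0xcc,0xb4,0x02,0xfa,0xd7,0x77,0xb4,0x54,0x38,0xab,0x1f,0x0e,0xe3,
    0x8e,0xd3,0x0d,0xeb,0x99,0xc3,0x93,0xfe,0xd1,0x2b,0x1b,0x11,0xc6,0x11,0xef,0xc8,
    0xca,0x2f,
])

def ksa(key):
    """Loop at 0x1c: j += S[i] + key[i % 4], then swap S[i], S[j] (RC4 KSA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def decrypt(data, key=KEY):
    """Loop at 0x6b. Same as RC4's PRGA except that after the keystream byte K
    is read with 'mov bl,[esi+edx]', register bl (which holds j) now equals K."""
    s = ksa(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF            # inc al
        j = (j + s[i]) & 0xFF         # add bl,[esi+eax]
        s[i], s[j] = s[j], s[i]       # the two mov pairs swap S[i] and S[j]
        k = s[(s[i] + s[j]) & 0xFF]   # add dl,dh ; mov bl,[esi+edx]
        out.append(c ^ k)             # xor dl,bl ; mov [edi],dl
        j = k                         # the twist: j was clobbered by K
    return bytes(out)

def solve(blob=PART2):
    """Mirror the checks at 0x39: 'BBBB' magic, then 'pop edx' gives the length."""
    if blob[:4] != b"BBBB":           # cmp eax,0x42424242
        raise ValueError("bad magic")
    (length,) = struct.unpack_from("<I", blob, 4)
    return decrypt(blob[8:8 + length])

if __name__ == "__main__":
    print(solve().decode("ascii", "replace"))
```

The dump_mem stub writes only 0x31 bytes, so the 50th decrypted byte never reaches stdout; solve() returns all 0x32 of them.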

how did you get this?

try this little fella:

Pr0t3ct!on#cyber_security@12*12.2011+

When you get to the solution you know you have been here http://www.canyoucrackit.co.uk/soyoudidit.asp

This was quite amusing actually. Although I completed it, I doubt that such things will actually have any effect on a career with GCHQ.

Somebody had a go at http://pastebin.com/hVuMdENc but it's broken (it's not just 0p1 that should be op1 and need to add 'this' in various places or take some variables out of the class, it's also that there's something wrong with the logic which makes the virtual CPU crash) needs debugging.

I actually had a question concerning the js VM: are jumps absolute or relative?

guys!!! this is very easy, the answer came to me in less than a minute, I will tell you :)

http://www.gchq-careers.co.uk/cyber-jobs/ HERE YOU GO :)

dead easy, the code is html, also 2 part puzzle, keyword is Pr0t3ct!on#cyber_security@12*12.2011+

Guys, hint: it's nothing to do with the password, it's a URL

All this code cracking is making me rather cross-eyed, the numbers keep flashing past my eyes, am I drunk on numbers? 69 96 69 98 whoops! All I can think of is sex, must be autistic or something. I could not do that as a job all day. TRY the synaesthetic thesaurus for your answers.

hey guys....
don't you find this the hardest way to complicate your life?
why complicate your life by yourself and not go and have a bit of fun?
don't you see the site is developed in asp (grrrr), so it's all bullshit and there is no code behind this stuff....
no real hacker will ever fall for this shit...
by the way, if someone wants to know the solution, just ask zerolab.eu

Ok... I'm stuck... Where do I go from getting the base64 code from the comments??

Wow, they offer up to 32k pounds salary? lol - I seriously hope they will find somebody qualified who is willing to accept that little.

Look here

http://www.canyoucrackit.co.uk/images/codebreaker.jpg

There are demons in the background, like a totem pole and some dragon wings. Lots of creatures!

Gargoyles! Or something.

Adjust the brightness / contrast and look in the middle from top to bottom you will see.

If you examine the code in too much detail you'll find some code that was not intended. If you are looking for code, try converting it all into base 2, then convert base 2 into a base 1 and base 0 hybrid. Then wow, the answer looms. Unfortunately it's probably not the answer they want. Alternatively find its co-ordinates on a Gray-code plane only to discover it's actually an aerial picture of GCHQ. Be creative. Transistor circuits are slaves to number crunching but see nothing. Good night all, speak to you from the infra-side.

J above at 3:47pm had the right result; the following password actually satisfies the form. I'm guessing this is the end result of executing the code of part 2?

Pr0t3ct!on#cyber_security@12*12.2011+

Given my complete inability to understand any of this I would like to apply for the job of bonking the dodgy women and killing the bad guys who work for the russians or whoever we have problems with....surely we still do that don't we? p.s. can supply own gun and chat up lines.

You are three people behind me in the Q, Thud. Ahead of me I see two chaps with guile and three with muscles. All are scowling, so keep your voice down. I think there may be some sort of selection process about to happen.

I'm completely clueless as to the answer to this myself too. Plainly I should just stick to martinis, shaken not stirred.

http://dasteepsspeaks.blogspot.com/2011/12/can-you-crack-it.html

http://www.canyoucrackit.co.uk/soyoudidit.asp

try this

Copy the can you crack it site, isolate the png file, import it to the GIMP graphics program under Linux. You instantly observe the graphics are from an old CP/M green monitor. The trick then is to adjust the brightness and contrast, while dividing the image into two halves and masking one.

Now anyone can solve it running Linux, question is do you the job. Typing in the nude is not a job for me.

Try website... MI5-MI6_royal_arch_freemasonsary.html

http://lolhax.org/2011/12/03/can-you-crack-it/
