Decryption/reversing/cracking challenge "Security through obscurity"
  • sangf
    Posts: 203
    so, i was bored and seeing as there aren't many active challenges i thought i'd set something up. there are 2 passwords to figure out. you don't have to get both (or any for that matter) - just pm me with the answers if you want to be added to the wall of awesome.

    challenge 1
    this is option 1 in the program, and is the easiest one - it can be solved without any programming or reversing knowledge, you just need to think a bit. it was originally intended to be figured out through looking at a disasm dump, but that was just too hard for people to waste time on.

    scenario


    you're attempting to crack your way through the program - trying to bypass a password, and you notice the program is using some kind of static data to calculate if your input is valid.

    try figuring out the password using the data you found: pnopnopnSjhiu



    i'm giving bonus points to anyone who supplies code that can crack the used method with any given data (i have test cases) - this can be done in a single line, so it shouldn't be too much work.

    hints: 1. "solution will be revealed through trial and error".
    2. "no common encryption is used; research will fail you; it's just a simple algorithm."
    3. "pay close attention to a glitch causing debug information to be printed."
    4. see page 2 for Semtex-Primed's spoiler hint.



    challenge 2
    this is option 2 in the program, and it has an increased difficulty. technically it doesn't require any programming or reversing knowledge, but it might help to have it.

    scenario


    once again, you come across a password you need to bypass, and you notice the program is, again, using some kind of static data to calculate if your input is valid. you manage to extract the data using a hex editor.

    try figuring out the password using the data you found: 36363D222E2D3D



    hints: 1. "^ using ascii string key (per char)"
    2. "known algorithm; used non-standardly; but logically acceptable"
    3. "you have half of what you need, why, hello mr. hex editor!"
    4. see page 2 for Semtex-Primed's spoiler hint



    01000001
    01000010
    --------
    00000011



    submitting solution/passwords
    please pm me the solution/passwords rather than posting here, and if you don't want your name on the list, you should explicitly say so. if it's too hard, i might give some hints, or even source - this is the first time i did this so it's not perfect, but i hope it's enjoyable/possible. let me know if you need something clarifying.


    download
    i only compiled the program for windows, although it will compile on any system with a standard c++ compliant compiler (i would compile it for other systems, but i'm a bit confused at how binary files work on linux.. and i haven't seen them used much). the virus scan log is attached below; and i have the source if an admin/trusted member wants to compile and post, let me know (might increase people's "want" to run this - i know i wouldn't usually, lol). update: compiled binary files for linux, tested with LSB check utils (http://ldn.linuxfoundation.org/lsb)

    cryptc.exe (Windows ~12kb .exe) (Linux x86) (Linux x86-64)


    # running on linux:
    tar xvfz cryptc-x86.tar.gz
    cd cryptc-x86
    ./cryptc


    [spoiler]
    File name:
    cryptc.exe
    Submission date:
    2011-01-16 02:39:40 (UTC)
    Current status:
    queued (#2) queued (#2) analysing finished
    Result:
    0/ 41 (0.0%)

    VT Community

    not reviewed
    Safety score: -
    Antivirus Version Last Update Result
    AhnLab-V3 2011.01.15.01 2011.01.15 -
    AntiVir 7.11.1.145 2011.01.15 -
    Antiy-AVL 2.0.3.7 2011.01.16 -
    Avast 4.8.1351.0 2011.01.15 -
    Avast5 5.0.677.0 2011.01.15 -
    AVG 10.0.0.1190 2011.01.16 -
    BitDefender 7.2 2011.01.16 -
    CAT-QuickHeal 11.00 2011.01.15 -
    ClamAV 0.96.4.0 2011.01.16 -
    Command 5.2.11.5 2011.01.15 -
    Comodo 7403 2011.01.15 -
    DrWeb 5.0.2.03300 2011.01.16 -
    eSafe 7.0.17.0 2011.01.13 -
    eTrust-Vet 36.1.8100 2011.01.14 -
    F-Prot 4.6.2.117 2011.01.15 -
    F-Secure 9.0.16160.0 2011.01.15 -
    Fortinet 4.2.254.0 2011.01.15 -
    GData 21 2011.01.16 -
    Ikarus T3.1.1.97.0 2011.01.15 -
    Jiangmin 13.0.900 2011.01.15 -
    K7AntiVirus 9.75.3548 2011.01.14 -
    Kaspersky 7.0.0.125 2011.01.16 -
    McAfee 5.400.0.1158 2011.01.16 -
    McAfee-GW-Edition 2010.1C 2011.01.15 -
    Microsoft 1.6402 2011.01.15 -
    NOD32 5790 2011.01.15 -
    Norman 6.06.12 2011.01.15 -
    nProtect 2011-01-15.01 2011.01.15 -
    PCTools 7.0.3.5 2011.01.16 -
    Prevx 3.0 2011.01.16 -
    Rising 22.82.05.00 2011.01.15 -
    Sophos 4.61.0 2011.01.15 -
    SUPERAntiSpyware 4.40.0.1006 2011.01.16 -
    Symantec 20101.3.0.103 2011.01.16 -
    TheHacker 6.7.0.1.115 2011.01.14 -
    TrendMicro 9.120.0.1004 2011.01.15 -
    TrendMicro-HouseCall 9.120.0.1004 2011.01.16 -
    VBA32 3.12.14.2 2011.01.14 -
    VIPRE 8083 2011.01.16 -
    ViRobot 2011.1.15.4256 2011.01.15 -
    VirusBuster 13.6.148.0 2011.01.15 -
    Additional information
    MD5 : 47e4dff44521a9c482dab2890fbde2b3
    SHA1 : f2d42ff9b59ef2520445e0cb3d93ce40c11ae96b
    SHA256: eb65309f3da5faf4490d894d764e626c45a27c11ea40f7fe3e78c145c53a9358
    ssdeep: 192:9KAi8a3BRX5a5lnTXof1Kw3jcN1eYK9+HblGqXzhXcn2+0+m8W7Lo4Cu7JJREqls:9/jaRRJa5lTXoK6jskYK90zV9ev
    File size : 12288 bytes
    First seen: 2011-01-16 02:39:40
    Last seen : 2011-01-16 02:39:40
    TrID:
    Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x1C00
    timedatestamp....: 0x4D324C9D (Sun Jan 16 01:40:45 2011)
    machinetype......: 0x14c (I386)

    [[ 5 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x12A1, 0x1400, 5.86, ca97591384eab890914679acab7fbd9c
    .rdata, 0x3000, 0xDC0, 0xE00, 5.19, 91b96156df0978cf0b7ef27692ca28cc
    .data, 0x4000, 0x38C, 0x200, 0.41, 7ac8dc66e0247d77736c94cdf165d1e2
    .rsrc, 0x5000, 0x2B0, 0x400, 5.19, 7079162aad779260b75483ba99199c40
    .reloc, 0x6000, 0x2DA, 0x400, 4.66, 3fa63ffc445bc1ed65b57c97ec3ff7eb

    [[ 3 import(s) ]]
    MSVCP90.dll: _setstate@_$basic_ios@DU_$char_traits@D@std@@@std@@QAEXH_N@Z, __A_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAADI@Z, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, _flush@_$basic_ostream@DU_$char_traits@D@std@@@std@@QAEAAV12@XZ, _sputc@_$basic_streambuf@DU_$char_traits@D@std@@@std@@QAEHD@Z, __Unlock@_$basic_streambuf@DU_$char_traits@D@std@@@std@@QAEXXZ, __Lock@_$basic_streambuf@DU_$char_traits@D@std@@@std@@QAEXXZ, __Osfx@_$basic_ostream@DU_$char_traits@D@std@@@std@@QAEXXZ, __$_8DU_$char_traits@D@std@@V_$allocator@D@1@@std@@YA_NABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@PBD@Z, _sputn@_$basic_streambuf@DU_$char_traits@D@std@@@std@@QAEHPBDH@Z, _uncaught_exception@std@@YA_NXZ, __$_5DU_$char_traits@D@std@@V_$allocator@D@1@@std@@YAAAV_$basic_istream@DU_$char_traits@D@std@@@0@AAV10@AAV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@@Z, _cin@std@@3V_$basic_istream@DU_$char_traits@D@std@@@1@A, _cout@std@@3V_$basic_ostream@DU_$char_traits@D@std@@@1@A
    MSVCR90.dll: _encode_pointer, __set_app_type, _crt_debugger_hook, _terminate@@YAXXZ, _unlock, __dllonexit, _lock, _onexit, _decode_pointer, _except_handler4_common, _invoke_watson, _controlfp_s, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, exit, _XcptFilter, _exit, _cexit, __getmainargs, _amsg_exit, __initenv, __CxxFrameHandler3
    KERNEL32.dll: Sleep, InterlockedCompareExchange, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, InterlockedExchange
    ExifTool:
    file metadata
    CodeSize: 5120
    EntryPoint: 0x1c00
    FileSize: 12 kB
    FileType: Win32 EXE
    ImageVersion: 0.0
    InitializedDataSize: 6144
    LinkerVersion: 9.0
    MIMEType: application/octet-stream
    MachineType: Intel 386 or later, and compatibles
    OSVersion: 5.0
    PEType: PE32
    Subsystem: Windows command line
    SubsystemVersion: 5.0
    TimeStamp: 2011:01:16 02:40:45+01:00
    UninitializedDataSize: 0
    [/spoiler]


    wall of awesome
    -------------------------------------------
    Xinapse (#1 c1)
    Semtex-Primed (c1, #1 c2)
    x3n0n (c1)
    ????
  • Sh3llc0d3
    Posts: 1,910
    Running atm, I'll go on trust, if I get infected I'll kick your ass :P

    On linux either way so I'll have a crack at it.

    Edit: Seems fine, however I'm going to try this properly in the morning on windows lol.
  • sangf
    Posts: 203
    Sh3llc0d3 said:

    Running atm, I'll go on trust, if I get infected I'll kick your ass :P

    On linux either way so I'll have a crack at it.

    Edit: Seems fine, however I'm going to try this properly in the morning on windows lol.


    haha ok, thanks for trying it out ;) it took me longer to write this post (and by this post i mean the first one!) than to actually code it lol.
  • Sh3llc0d3
    Posts: 1,910
    By the look of the code I can tell :P I'm shattered at the moment but i'll take a better look in the morning
  • sangf
    Posts: 203
    oh shi- i made a mistake with challenge 1 on the final compile where i changed some code. i was originally meant to output some debugging information about failed passwords from which you could gather information as to how it's being compared. but, i foolishly removed it (accidentally by breaking out of the loop before it got to that point), which means that the challenge is much harder than it should be.. but in doing this i've noticed something interesting, there is a certain glitch that enables you to print limited debugging information (you've probably seen it by now, prefixed by "debug: ", one of the best ways of figuring it out is by playing with that, so i'll leave this unintentional exploit to make it easier (albeit harder than originally planned!), i've just added a new hint.
  • Xin
    Posts: 3,251
    I'm giving it a shot, it's pretty tough, i mean you could easily change it to make it say the 'Congratulations!'password success!' bit but finding out the password and algorithm is difficult.
    the debug: thing isn't doing much use for me yet

    Edit
    Found how to work 'debug '

    Edit
    Found out what the pnopno thing does, still can't figure out how to get the password
    Xin
  • Xin
    Posts: 3,251
    W00t completed Challenge 1, onto number 2

    Big recommendation for the next one, allow copy and pasting into the program, it's unbelievably annoying typing the long codes out each time
    Xin
  • sangf
    Posts: 203
    Xin said:

    W00t completed Challenge 1, onto number 2

    Big recommendation for the next one, allow copy and pasting into the program, it's unbelievably annoying typing the long codes out each time



    good job, that was fast! and yes, i should have thought about that :P
  • Xin
    Posts: 3,251
    sangf said:

    Xin said:

    W00t completed Challenge 1, onto number 2

    Big recommendation for the next one, allow copy and pasting into the program, it's unbelievably annoying typing the long codes out each time

    good job, that was fast! and yes, i should have thought about that :P


    Challenge 2 is a lot harder though :S, i can't seem to get any results even with the debug thing
    Xin
  • sangf
    Posts: 203
    Xin said:

    Challenge 2 is a lot harder though :S, i can't seem to get any results even with the debug thing



    yeah, it is. there's no trick here really, no debug, you have to go a bit deeper to figure it out. i would say the key is to understand what hint 1, or the binary chart means, before even making a guess. hint 3 is also massively important, and may help with the understanding of those other 2 hints ;)
  • sangf
    Posts: 203
    mk, linux binaries up too now, for no particular reason other than my own interest, really. tested using LSB portability guidelines with their checking util: http://ldn.linuxfoundation.org/lsb - reports that they should be fine on most distros on the listed architectures.
  • Sh3llc0d3
    Posts: 1,910
    Bonus points please! lol.

    [spoiler=CHALLENGE 1 SPOILER ALERT!!!]
    #!/usr/bin/perl
    use strict;
    use warnings;

    # Each character of the static data is one ASCII code above the
    # password character, so decrementing every character recovers it.
    print "Enter string [enter the characters of the string separated by a dash (-)]:\n";
    print ">> ";
    my $huhu = <STDIN>;
    chomp($huhu);
    my @gy = split(/-/, $huhu);

    foreach my $gy (@gy) {
        my $num = ord($gy);
        $num--;              # shift the character back by one
        print chr($num);
    }
    print "\n";
    [/spoiler]

    [spoiler=CHALLENGE 2 SPOILER ALERT!!!!]

    XORPASSKEYABCDEFGHIJKLMNOPQRSTUVWXYZ
    36363D222E2D3D

    784F5250415353

    00110110 00110110 00111101 00100010 00101110 00101101 00111101
    01111000 01001111 01010010 01010000 01000001 01010011 01010011
    -------- -------- -------- -------- -------- -------- --------
    01001110 01111001 01101111 01110010 01101111 01111110 01101110

    [/spoiler]
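    As an added worked example (not code from this thread, nor from sangf's cryptc program), the Python below implements both recovery methods the two spoilers describe: the per-character decrement for challenge 1 and the repeating-key XOR with an ASCII key for challenge 2, rendered in the same binary table layout as the spoiler. It also makes the point of the thread's title concrete from the defender's side: because XOR is its own inverse, a single known plaintext/ciphertext pair gives back the static key as `ciphertext XOR plaintext`, so a key baked into the binary is obscurity, not encryption. The static data comes from the first post and the key bytes from the hex line in the challenge 2 spoiler; the function names are my own.

    ```python
    """Decoders for the two cryptc challenges (added example, not the thread's code)."""

    # Static data quoted in the first post of the thread.
    CHALLENGE1_DATA = "pnopnopnSjhiu"
    CHALLENGE2_DATA_HEX = "36363D222E2D3D"
    # Key bytes as given in hex in the challenge 2 spoiler post (decodes to b"xORPASS").
    CHALLENGE2_KEY = bytes.fromhex("784F5250415353")


    def shift_chars(data: str, delta: int = -1) -> str:
        """Challenge 1: each stored character is the password character shifted
        by one ASCII code, so shifting back recovers it. The function takes any
        shift so the same routine covers the general case; cryptc uses -1."""
        return "".join(chr((ord(c) + delta) % 256) for c in data)


    def xor_with_key(data: bytes, key: bytes) -> bytes:
        """Repeating-key XOR: byte i is combined with key[i % len(key)].
        XOR is its own inverse, so the same call encodes and decodes."""
        if not key:
            raise ValueError("key must not be empty")
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


    def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
        """Why a static XOR key is only obscurity: for every byte c ^ p == k,
        so one known plaintext/ciphertext pair leaks as many key bytes as the
        pair is long (here the whole seven-byte key)."""
        n = min(len(ciphertext), len(known_plaintext))
        return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


    def solve_challenge1() -> str:
        return shift_chars(CHALLENGE1_DATA)


    def solve_challenge2() -> str:
        return xor_with_key(bytes.fromhex(CHALLENGE2_DATA_HEX), CHALLENGE2_KEY).decode("ascii")


    def format_xor_table(data: bytes, key: bytes) -> str:
        """Render data, key stream, separator and result as rows of 8-bit groups,
        the same layout the challenge 2 spoiler uses."""
        key_stream = bytes(key[i % len(key)] for i in range(len(data)))
        result = xor_with_key(data, key)
        rows = [data, key_stream, None, result]
        lines = []
        for row in rows:
            if row is None:
                lines.append(" ".join("-" * 8 for _ in data))
            else:
                lines.append(" ".join(f"{b:08b}" for b in row))
        return "\n".join(lines)


    if __name__ == "__main__":
        print("challenge 1:", solve_challenge1())
        print("challenge 2:", solve_challenge2())
        ct = bytes.fromhex(CHALLENGE2_DATA_HEX)
        print(format_xor_table(ct, CHALLENGE2_KEY))
        # Once the plaintext is known, the "secret" key is one XOR away.
        print("key from known plaintext:", recover_key(ct, solve_challenge2().encode()))
    ```

    Run it with no arguments; it prints both recovered passwords, the binary table for challenge 2, and the key recovered from the plaintext/ciphertext pair. The `recover_key` step is the part worth remembering when reviewing real code: any check that compares user input against data XORed with a constant held in the binary can be undone by anyone with a hex editor and one valid input, which is exactly what hint 3 of challenge 2 is pointing at.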
  • sangf
    Posts: 203
    congrats to Semtex-Primed and x3n0n for completing challenges 1/2 and 1 respectively.
  • Sh3llc0d3
    Posts: 1,910
    Edited my challenge one hint/script, if anyone has any problems with the script itself then PM me. You'll need to know how to run perl scripts...

    Linux:
    save text as .pl file.
    "chmod +x file.pl"
    "./file.pl"

    Windows:
    Save as .pl file.
    "perl file.pl"