image38

Can you crack it by the Lazy Hacker

Like many ethical hackers,there is a small part of me that dreams of working as a professional computer hacker for the government, so when I saw the GCHQ challenge at  http://www.canyoucrackit.co.uk/ I couldn’t resist…

Challenge #1

So the first challenge was a mess for me. I broke out my PHP development tools and got to work. I typed out all the numbers in a sequence of arrays and started running cryptography tests on it. The frequency analysis was off the charts… panic time!  This wasn’t the simple challenges you find in a newspaper. From my years of experience, I thought “I needed to figure out what encryption algorithm they are using“.  I did some google searches trying to find an algorithm for calculating the randomness of the sequences and a list of randomnesses of known algorithms. That didn’t go well; I couldn’t find anything of value. The page does say enter the keyword, so I figured it must be a cypher based on a repeating keyword since there wasn’t enough data for this to be a real encryption challenge.

Modern encryption techniques like RSA or DES would need a much larger data set to have any possibility of cracking it. Assuming this was a password, then I needed to figure out how long the password was. I ran some more frequency analysis tests and came up empty. The keyword length was undetectable. I did notice that the HEX patterns looked a bit like it could be binary executable code, but I I don’t have any assembly language tools on my computer to test it, and I’m not going to just execute code posted on a web site  without seeing the source first so I didn’t want to risk it.

So whats left… Social engineering!

I went to work searching google for forums on the subject. Turned out that it was binary assembly language code, oh well, I probably could have cracked this first challenge but I was just too lazy.  So they posted the link to the next challenge so I went to work on it.

Challenge #2

Project two was a virtual machine which contained a pre-loaded application. The only thing that the machine was missing was a bytecode interpreter.  Ok, so this is something I can handle. I went to work. Here was my results…

 

 

<html>
<head></head>

<script src=”15b436de1f9107f3778aad525e5d0b20.js”></script>
<body>

<script>
function bin2String(array) {
var result = “”;
for (var i = 0; i < array.length; i++) {
result += String.fromCharCode(parseInt(array[i], 2));
}
return result;
}

function getMem() {
//var val = bin2String(VM.mem);

//document.getElementById(‘tgt’).value = val;

for(idx=448;idx<VM.mem.length;idx++) {
var n = document.createElement(‘p’);
n.appendChild(document.createTextNode(String.fromCharCode(VM.mem[idx])));
document.getElementById(‘tgt2′).appendChild(n);
}
}

</script>

<textarea cols=”80″ rows=”20″ id=”tgt”>
</textarea>
<a href=”#” onclick=”getMem()”>XXX</a>
<div id=”tgt2″></div>
</body>
</html>

Javascript:

//————————————————————————————————–
//
// stage 2 of 3
//
// challenge:
//   reveal the solution within VM.mem
//
// disclaimer:
//   tested in ie 9, firefox 6, chrome 14 and v8 shell (http://code.google.com/apis/v8/build.html),
//   other javascript implementations may or may not work.
//
//————————————————————————————————–

var VM = {

cpu: {
ip: 0×00,

r0: 0×00,
r1: 0×00,
r2: 0×00,
r3: 0×00,

cs: 0×00,
ds: 0×10,

fl: 0×00,

firmware: [0xd2ab1f05, 0xda13f110]
},

mem: [
/* 0000 */
0x31, 0x04, // 00110001 movr r1, 4
0x33, 0xaa, // 00110011 movr r3, 170
0x40, 0x02, // 01000000 movm r0, [ds:r2]
0×80, 0×03, // 10000000 xor r0, r3
0×52, 0×00, // 01010010 movm [ds:r2], r0
0×72, 0×01, // 01110010 add r2, 1
0×73, 0×01, // 01110010 add r3, 1
0xb2, 0×50, // 10110010 cmp r2 ,#80
/* 0010 */
0×30, 0×14, // 00110000 movr r0, 20
0xc0,  // 11000000 jmpe r0
0×01,  // 00000001 jmp r1
0×80, 0×00, // 10000000 xor r0, r0
0×10, 0×10, // 00010000 jmp 16:r0
0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 0020 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 0030 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 0040 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 0050 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 0060 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 0070 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 0080 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 0090 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 00A0 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 00B0 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 00C0 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 00D0 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 00E0 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 00F0 */  0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
/* 0100 */  0×98, 0xab, // xor r1, 171
0xd9, // 11011001 JMPE r2:r1
0xa1,
0x9f, 0xa7, 0×83, 0×83, 0xf2, 0xb1, 0×34, 0xb6, 0xe4, 0xb7, 0xca, 0xb8,
0xc9, 0xb8, 0x0e, 0xbd, 0x7d, 0x0f, 0xc0, 0xf1, 0xd9, 0×03, 0xc5, 0x3a, 0xc6, 0xc7, 0xc8, 0xc9,
0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9,
0xda, 0xdb, 0xa9, 0xcd, 0xdf, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9,
0×26, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9,
0x7d, 0x1f, 0×15, 0×60, 0x4d, 0x4d, 0×52, 0x7d, 0x0e, 0×27, 0x6d, 0×10, 0x6d, 0x5a, 0×06, 0×56,
0×47, 0×14, 0×42, 0x0e, 0xb6, 0xb2, 0xb2, 0xe6, 0xeb, 0xb4, 0×83, 0x8e, 0xd7, 0xe5, 0xd4, 0xd9,
0xc3, 0xf0, 0×80, 0×95, 0xf1, 0×82, 0×82, 0x9a, 0xbd, 0×95, 0xa4, 0x8d, 0x9a, 0x2b, 0×30, 0×69,
0x4a, 0×69, 0×65, 0×55, 0x1c, 0x7b, 0×69, 0x1c, 0x6e, 0×04, 0×74, 0×35, 0×21, 0×26, 0x2f, 0×60,
0×03, 0x4e, 0×37, 0x1e, 0×33, 0×54, 0×39, 0xe6, 0xba, 0xb4, 0xa2, 0xad, 0xa4, 0xc5, 0×95, 0xc8,
0xc1, 0xe4, 0x8a, 0xec, 0xe7, 0×92, 0x8b, 0xe8, 0×81, 0xf0, 0xad, 0×98, 0xa4, 0xd0, 0xc0, 0x8d,
0xac, 0×22, 0×52, 0×65, 0x7e, 0×27, 0x2b, 0x5a, 0×12, 0×61, 0x0a, 0×01, 0x7a, 0x6b, 0x1d, 0×67,
0×75, 0×70, 0x6c, 0x1b, 0×11, 0×25, 0×25, 0×70, 0x7f, 0x7e, 0×67, 0×63, 0×30, 0x3c, 0x6d, 0x6a,
0×01, 0×51, 0×59, 0x5f, 0×56, 0×13, 0×10, 0×43, 0×19, 0×18, 0xe5, 0xe0, 0xbe, 0xbf, 0xbd, 0xe9,
0xf0, 0xf1, 0xf9, 0xfa, 0xab, 0x8f, 0xc1, 0xdf, 0xcf, 0x8d, 0xf8, 0xe7, 0xe2, 0xe9, 0×93, 0x8e,
0xec, 0xf5, 0xc8, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,

0×37, 0x7a, 0×07, 0×11, 0x1f, 0x1d, 0×68, 0×25, 0×32, 0×77, 0x1e, 0×62, 0×23, 0x5b, 0×47, 0×55,
0×53, 0×30, 0×11, 0×42, 0xf6, 0xf1, 0xb1, 0xe6, 0xc3, 0xcc, 0xf8, 0xc5, 0xe4, 0xcc, 0xc0, 0xd3,
0×85, 0xfd, 0x9a, 0xe3, 0xe6, 0×81, 0xb5, 0xbb, 0xd7, 0xcd, 0×87, 0xa3, 0xd3, 0x6b, 0×36, 0x6f,
0x6f, 0×66, 0×55, 0×30, 0×16, 0×45, 0x5e, 0×09, 0×74, 0x5c, 0x3f, 0×29, 0x2b, 0×66, 0x3d, 0x0d,
0×02, 0×30, 0×28, 0×35, 0×15, 0×09, 0×15, 0xdd, 0xec, 0xb8, 0xe2, 0xfb, 0xd8, 0xcb, 0xd8, 0xd1,
0x8b, 0xd5, 0×82, 0xd9, 0x9a, 0xf1, 0×92, 0xab, 0xe8, 0xa6, 0xd6, 0xd0, 0x8c, 0xaa, 0xd2, 0×94,
0xcf, 0×45, 0×46, 0×67, 0×20, 0x7d, 0×44, 0×14, 0x6b, 0×45, 0x6d, 0×54, 0×03, 0×17, 0×60, 0×62,
0×55, 0x5a, 0x4a, 0×66, 0×61, 0×11, 0×57, 0×68, 0×75, 0×05, 0×62, 0×36, 0x7d, 0×02, 0×10, 0x4b,
0×08, 0×22, 0×42, 0×32, 0xba, 0xe2, 0xb9, 0xe2, 0xd6, 0xb9, 0xff, 0xc3, 0xe9, 0x8a, 0x8f, 0xc1,
0x8f, 0xe1, 0xb8, 0xa4, 0×96, 0xf1, 0x8f, 0×81, 0xb1, 0x8d, 0×89, 0xcc, 0xd4, 0×78, 0×76, 0×61,
0×72, 0x3e, 0×37, 0×23, 0×56, 0×73, 0×71, 0×79, 0×63, 0x7c, 0×08, 0×11, 0×20, 0×69, 0x7a, 0×14,
0×68, 0×05, 0×21, 0x1e, 0×32, 0×27, 0×59, 0xb7, 0xcf, 0xab, 0xdd, 0xd5, 0xcc, 0×97, 0×93, 0xf2,
0xe7, 0xc0, 0xeb, 0xff, 0xe9, 0xa3, 0xbf, 0xa1, 0xab, 0x8b, 0xbb, 0x9e, 0x9e, 0x8c, 0xa0, 0xc1,
0x9b, 0x5a, 0x2f, 0x2f, 0x4e, 0x4e, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00
],

exec: function()
{
// virtual machine architecture
// ++++++++++++++++++++++++++++
//
// segmented memory model with 16-byte segment size (notation seg:offset)
//
// 4 general-purpose registers (r0-r3)
// 2 segment registers (cs, ds equiv. to r4, r5)
// 1 flags register (fl)
//
// instruction encoding
// ++++++++++++++++++++
//
//           byte 1               byte 2 (optional)
// bits      [ 7 6 5 4 3 2 1 0 ]  [ 7 6 5 4 3 2 1 0 ]
// opcode      – - -
// mod               -
// operand1            – - – -
// operand2                         – - – - – - – -
//
// operand1 is always a register index
// operand2 is optional, depending upon the instruction set specified below
// the value of mod alters the meaning of any operand2
//   0: operand2 = reg ix
//   1: operand2 = fixed immediate value or target segment (depending on instruction)
//
// instruction set
// +++++++++++++++
//
// Notes:
//   * r1, r2 => operand 1 is register 1, operand 2 is register 2
//   * movr r1, r2 => move contents of register r2 into register r1
//
// opcode | instruction | operands (mod 0) | operands (mod 1)
// ——-+————-+——————+—————–
// 0×00   | jmp         | r1               | r2:r1
// 0×01   | movr        | r1, r2           | rx,   imm
// 0×02   | movm        | r1, [ds:r2]      | [ds:r1], r2
// 0×03   | add         | r1, r2           | r1,   imm
// 0×04   | xor         | r1, r2           | r1,   imm
// 0×05   | cmp         | r1, r2           | r1,   imm
// 0×06   | jmpe        | r1               | r2:r1
// 0×07   | hlt         | N/A              | N/A
//
// flags
// +++++
//
// cmp r1, r2 instruction results in:
//   r1 == r2 => fl = 0
//   r1 < r2  => fl = 0xff
//   r1 > r2  => fl = 1
//
// jmpe r1
//   => if (fl == 0) jmp r1
//      else nop

//throw “VM.exec not yet implemented”;

var halt = false;
var bsz = 1;
var debug = function(msg) {
var log = function(object, context, className, rep, noThrottle, sourceLink) {
try {
if (‘undefined’ != typeof Firebug && ‘undefined’ != typeof Firebug.Console) {
Firebug.Console.log(object, context, className, rep, noThrottle, sourceLink);
} else if (‘undefined’ != typeof console && ‘undefined’ != typeof console.log) {
console.log(object);
}
} catch (e) {
}
};
log(VM.cpu.cs+’:’+VM.cpu.ip+’ ‘+msg);
};
var ops = 0;
debug(‘Start!’);
while(!halt) {
ops++;
var pcp = (VM.cpu.cs*16)+VM.cpu.ip;
var inst =  VM.mem[pcp];
var opcode = (inst>>5) & 7;
var mod = (inst >> 4) & 1;
var op1 = 15 & inst;
var op2 = VM.mem[pcp+1];

var setIx = function(op1,val) {
if (op1 == 0) {
VM.cpu.r0 = val;
} else if (op1 == 1) {
VM.cpu.r1 = val;
} else if (op1 == 2) {
VM.cpu.r2 = val;
} else if (op1 == 3) {
VM.cpu.r3 = val;
} else if (op1 == 4) {
VM.cpu.cs = val;
} else if (op1 == 5) {
VM.cpu.ds = val;
} else {
halt = true;
debug(“Invalid setIx “+opcode+’:’+mod+’:’+op1+’:’+op2);
throw ‘Invalid operation!’;
}
};

var getIx = function(op1) {
if (op1 == 0) {
return VM.cpu.r0;
} else if (op1 == 1) {
return VM.cpu.r1;
} else if (op1 == 2) {
return VM.cpu.r2;
} else if (op1 == 3) {
return VM.cpu.r3;
} else if (op1 == 4) {
return VM.cpu.cs;
} else if (op1 == 5) {
return VM.cpu.ds;
} else {
debug(“Invalid getIx “+opcode+’:’+mod+’:’+op1+’:’+op2);
throw “Invalid Operation!”;
halt = true;
}
};

//alert(inst+’:’+opcode+’:’+mod+’:’+op1);
switch(opcode) {
case 0:  // jmp
if (mod) {
var v1 = op2;//getIx(op2);
var v2 = op1;//getIx(op1);
debug(‘jmp ‘+op2+’:’+op1+’ #’+v1+’:’+v2);
VM.cpu.cs = v1;
VM.cpu.ip = v2;
} else {
var val = getIx(op1);
debug(‘jmp r’+op1+’ #’+val);
VM.cpu.ip = val;
}
break;
case 1: // movr
if (mod) { // rx,   imm
setIx(op1,op2);
debug(‘movr r’+op1+’, ‘+op2);
} else {  //r1, r2
var val = getIx(op2);
setIx(op1,val);
debug(‘movr r’+op1+’, r’+op2+’ #’+val);
}
VM.cpu.ip += 2;
break;
case 2:  // movm
if (mod) { // [ds:r1], r2
VM.mem[(VM.cpu.ds * 16)+getIx(op1)] = getIx(op2);
debug(‘movm [ds:r'+op1+'], r’+op2);
} else { //r1, [ds:r2]
var val = VM.mem[(VM.cpu.ds * 16)+getIx(op2)];
setIx(op1,val);
debug(‘movm r’+op1+’, [ds:r'+op2+'] #’+val);
}
VM.cpu.ip += 2;
break;
case 3: // add
var op2 = VM.mem[pcp+1];
if (mod) { // r1,   imm
var val = (getIx(op1)+op2) & 255;
setIx(op1,val);
debug(‘add r’+op1+’, ‘+op2+’ # ‘+val);
} else { // r1, r2
var val = (getIx(op1)+getIx(op2)) & 255;
setIx(op1,val);
debug(‘add r’+op1+’, r’+op2+’ #’ + val);
}
VM.cpu.ip += 2;
break;
case 4:   //xor
if (mod) { // r1,   imm
var val = getIx(op1) ^ op2;
setIx(op1,val);
debug(‘xor r’+op1+’, ‘+op2+’ # ‘+val);
} else { // r1, r2
var val = getIx(op1) ^ getIx(op2);
setIx(op1,val);
debug(‘xor r’+op1+’, r’+op2+’ # ‘+val);
}
VM.cpu.ip += 2;
break;
case 5:  //cmp

if (mod) { //r1,   imm
if (getIx(op1) == op2) {
VM.cpu.fl = 0;
} else if (getIx(op1) < op2) {
VM.cpu.fl = 0xff;
} else {
VM.cpu.fl = 1;
}
debug(‘cmp r’+op1+’, ‘+op2);
} else {  //r1, r2
if (getIx(op1) == getIx(op2)) {
VM.cpu.fl = 0;
} else if (getIx(op1) < getIx(op2)) {
VM.cpu.fl = 0xff;
} else {
VM.cpu.fl = 1;
}
debug(“cmp r’+op1+’, r’+op2+’”);
}
VM.cpu.ip += 2;
break;
case 6:  //jmpe        | r1               | r2:r1

if (VM.cpu.fl == 0) {
if (mod) {
var op2 = VM.mem[pcp+1];
var val2 = getIx(op2);
var val2 = getIx(op1);
debug(‘jmpe r’+op2+’:r’+op1+’ # ‘+val1+’:’+val2);
VM.cpu.cs = val1;
VM.cpu.ip = val2;
} else {
var val = getIx(op1);
debug(‘jmpe r’+op1+’ # ‘+val);
VM.cpu.ip = val;
}

} else {
debug(‘jmpe # noop’);
if (mod) {
VM.cpu.ip += 2;
} else {
VM.cpu.ip += 1;
}
}
break;
case 7:
alert(“halt”);
halt = true;
break;
}
}

return;
}

};

//————————————————————————————————–

try
{
VM.exec();
}
catch(e)
{
alert(‘nError: ‘ + e + ‘n’);
}

//————————————————————————————————–

Sweet! It worked. So I download the .exe file produced by the virtual machine.

Challenge #3

Well, this is annoying. Their exe file requires cygwin.  I haven’t used cygwin in years, and I really don’t want to download it. Hmm… I guess I’ll just google it. So I googled the exe filename and found a lot of forum posts about this file. Well, I’m not going to trust these people; I don’t know who they are, I guess I’ll just install cygwin. So I did and ran the program, and what do you know, another error. Invalid license.  Hmm. So I need to crack a software license? What type of legal government hacking would ever involve cracking software licenses??? What a mess. So I tried to download the license file from the can you crack it site, but no luck. They really want you to crack the license. So I did some more googling and I found that someone has already cracked the license and published the results online. Well, there’s no point in wasting my time cracking a license when its already been done. I went to the site posted in the forums and its just a link to a page advertising a  job posting. Bah! It was just viral marketing trying to fill a job position, no calls from secret government agencies or anything, just a job posting that you could probably find without going through all this hassle. What a waste…

Oh well, at least I cracked one of the challenges without any help, not bad for a lazy hacker.

 

Posted by:

Ralph Ritoch

Leave A Comment

Your email address will not be published. Required fields are marked (required):

Back to Top