Can you crack it?

[Shadeyman]

GCHQ, the British intelligence agency, has created an internet-based code-breaking game in an attempt to track down candidates with the right skills for espionage in the computer age.

Rather than hoping to identify potential spies in the traditional feeding grounds of Oxford and Cambridge, it has launched a viral campaign on Facebook and Twitter that directs users to a website called "Can you crack it?"
http://www.canyoucrackit.co.uk

 

[ChrisUK]

Nice .

 

[dave]

done, do i post the answer here?

 

[Shadeyman]

done, do i post the answer here?

No, PM it to me ...

Enter your answer and press submit, get ready to take a screen shot if your correct, cuz we want proof ...

 

[ChrisUK]

Proof enough? :devil:

 

[Shadeyman]

Proof enough? :devil:

:worship:

 

[ChrisUK]

It's unencrypted x86 machine code if anyone wants a hint

 

[Venters]

http://www.canyoucrackit.co.uk/soyoudidit.asp

 

[Shadeyman]

 

[ChrisUK]

nah I cheated. I didn't google it, I did however 'hack' the webpage code and found the url of the return of the button .

 

[Shadeyman]

// by petter wahlman, twitter: @badeip
// solution to part #1 of http://www.canyoucrackit.co.uk/
//
// part2.h will be published along with solutions to the subsequent levels after 12 December 2011
#include <stdio.h>
#include <stdint.h>
#include <malloc.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/utsname.h>
#include "part2.h" // see information above
static char part1[] = {
0xeb, 0x04, 0xaf, 0xc2, 0xbf, 0xa3, 0x81, 0xec, 0x00, 0x01, 0x00, 0x00, 0x31, 0xc9, 0x88, 0x0c,
0x0c, 0xfe, 0xc1, 0x75, 0xf9, 0x31, 0xc0, 0xba, 0xef, 0xbe, 0xad, 0xde, 0x02, 0x04, 0x0c, 0x00,
0xd0, 0xc1, 0xca, 0x08, 0x8a, 0x1c, 0x0c, 0x8a, 0x3c, 0x04, 0x88, 0x1c, 0x04, 0x88, 0x3c, 0x0c,
0xfe, 0xc1, 0x75, 0xe8, 0xe9, 0x5c, 0x00, 0x00, 0x00, 0x89, 0xe3, 0x81, 0xc3, 0x04, 0x00, 0x00,
0x00, 0x5c, 0x58, 0x3d, 0x41, 0x41, 0x41, 0x41, 0x75, 0x43, 0x58, 0x3d, 0x42, 0x42, 0x42, 0x42,
0x75, 0x3b, 0x5a, 0x89, 0xd1, 0x89, 0xe6, 0x89, 0xdf, 0x29, 0xcf, 0xf3, 0xa4, 0x89, 0xde, 0x89,
0xd1, 0x89, 0xdf, 0x29, 0xcf, 0x31, 0xc0, 0x31, 0xdb, 0x31, 0xd2, 0xfe, 0xc0, 0x02, 0x1c, 0x06,
0x8a, 0x14, 0x06, 0x8a, 0x34, 0x1e, 0x88, 0x34, 0x06, 0x88, 0x14, 0x1e, 0x00, 0xf2, 0x30, 0xf6,
0x8a, 0x1c, 0x16, 0x8a, 0x17, 0x30, 0xda, 0x88, 0x17, 0x47, 0x49, 0x75, 0xde, 0x31, 0xdb, 0x89,
0xd8, 0xfe, 0xc0, 0xcd, 0x80, 0x90, 0x90, 0xe8, 0x9d, 0xff, 0xff, 0xff, 0x41, 0x41, 0x41, 0x41,
};
// code to dump the decrypted memory:
static const char dump_mem[] = {
0xba, 0x31, 0x00, 0x00, 0x00, // mov edx, 0x40
0x8d, 0x4f, 0xce, // lea ecx, [edi-0x32]
0x31, 0xdb, // xor ebx, ebx
0x43, // inc ebx (stdout)
0x31, 0xc0, // xor eax, eax
0xb0, 0x04, // add al, 0x4 - sys_write
0xcd, 0x80, // int 0x80
0x31, 0xdb, // xor ebx,ebx
0x43, // inc ebx
0x31, 0xd2, // xor edx,edx
0x42, // inc edx
0x68, 0x0a, 0x00,0x00, 0x00, // push 0xa
0x8d, 0x0c, 0x24, // lea ecx,[esp]
0xb8, 0x04, 0x00,0x00, 0x00, // mov eax, 0x4
0xcd, 0x80, // int 0x80 - sys_write
0x31, 0xdb, // xor ebx,ebx
0x31, 0xc0, // xor eax,eax
0x40, // inc eax
0xcd, 0x80, // int 0x80 - sys_exit
};
uint32_t patch_mem(char *ptr, size_t size)
{
uint32_t i;
for (i = 0; i < size; i++) {
if (*(uint16_t *)&ptr == 0x80cd) {
*(uint16_t *)&ptr = 0x45eb;
return 0;
}
}
return 1;
}
uint32_t check_arch(void)
{
struct utsname kernel_info;
uname(&kernel_info);
return strcmp(kernel_info.machine, "i686") ? 1 : 0;
}
int main(int argc, char **argv)
{
void *mem;
if (check_arch()) {
printf("[-] this program must run on a 32-bit architecture\n");
return 1;
}
printf("
[*] allocating page aligned memory\n");
mem = memalign(4096, 4096);
if (!mem) {
printf("[-] error: %s\n", strerror(errno));
return 1;
}
memset(mem, 0, 4096);
printf("
[*] setting page permissions\n");
if (mprotect(mem, 4096, PROT_READ | PROT_WRITE | PROT_EXEC)) {
printf("[-] error: %s\n", strerror(errno));
return 1;
}
printf("
[*] copying payload\n");
memcpy(mem, part1, sizeof(part1));
memcpy(mem + sizeof(part1), part2, sizeof(part2));
memcpy(mem + sizeof(part1) + sizeof(part2), dump_mem, sizeof(dump_mem));
printf("
[*] adding dump_mem payload\n");
if (patch_mem(mem, sizeof(part1))) {
printf("[-] failed to patch memory\n");
return 0;
}
printf("
[*] executing payload..\n\n");
((int(*)(void))mem)();
return 0;
}

 

[schillers]

I get that its machine code but how did you run it and what answer did it generate? Really struggling with this and my lecturer suggested I learn the method to aid my computer science degree.

 

[ChrisUK]

It's raw code you need to compile it / run it in a C interpreter. I used my Linux system.

 

[m20b25]

It's raw code you need to compile it / run it in a C interpreter. I used my Linux system.

After fiddling with the code a bit, this is what I got...

mal@mal-EASYNOTE-SW51:~$ cd Documents
mal@mal-EASYNOTE-SW51:~/Documents$ ls
a.out Musgrave Contingencies.doc tttt.c tttt.exe tttt.h.gch
c Musgrave Financial Report.doc tttt.c~ tttt.h
mal@mal-EASYNOTE-SW51:~/Documents$ gcc tttt.c
mal@mal-EASYNOTE-SW51:~/Documents$ gcc tttt.c -o tttt.exe
mal@mal-EASYNOTE-SW51:~/Documents$ ./tttt.exe
[*] allocating page aligned memory
[*] setting page permissions
[*] copying payload
[*] adding dump_mem payload
[-] failed to patch memory
mal@mal-EASYNOTE-SW51:~/Documents$

He did say there was a part 2. Compiling that code gives this:

mal@mal-EASYNOTE-SW51:~/Documents$ gcc tttt.c -o tttt.exe
tttt.c:12:44: fatal error: part2.h: No such file or directory
compilation terminated.
mal@mal-EASYNOTE-SW51:~/Documents$