Challenge #13 - Can you find the key?


28 replies to this topic

#1 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1063 posts
  •  
    Belgium

Posted 29 August 2011 - 02:15 AM

Challenge #13: Pretty Easy. Come On, File Fixers! It's only a bit tricky!
Try it here.

Attached Files



#2 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 29 August 2011 - 04:57 PM

Original post updated with a link to try out the challenge.

#3 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 29 August 2011 - 05:02 PM

Maybe I give some info to the team, and somebody else adds his knowledge.

The .exe has its executable code at offset 0x0800, finally telling that there is nothing to say.

But there is a different code in the .exe starting at 0x1400 bringing the solution.

I tried some time with debugger (OllyDbg) to execute the code at 0x1400, but w/o success. Anybody has a suggestion?
Maybe relocation table change?

Peter

#4 Holmes.Sherlock

Posted 29 August 2011 - 05:06 PM

I tried some time with debugger to execute the code at 0x1400, but w/o success. Anybody has a suggestion?

You may insert a JMP at the very beginning & then try to execute it in OllyDbg.

Maybe relocation table change?

PE Explorer is a very good tool to explore the EXE header. Maybe you have some luck with that. I used it for some time some years ago.

#5 pscEx

Posted 29 August 2011 - 05:13 PM

I downloaded OllyDbg for this challenge and am not familiar with it.

I can change the registers, but currently I cannot change the code.

Do you know the How To?

Peter

#6 Holmes.Sherlock

Posted 29 August 2011 - 05:54 PM

Do you know the How To?

Select the instruction you want to change, then hit spacebar.

#7 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 29 August 2011 - 09:51 PM

I'll give it a shot, I haven't tried a challenge like this before, so hopefully I'll have some luck :)

#8 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 29 August 2011 - 11:38 PM

Hmm, missing section and wrong entry point (and possibly more)?

#9 AceInfinity

Posted 29 August 2011 - 11:52 PM

I tried jumping to the address for the challenge module in debug mode but no success.

#10 Icecube

Posted 30 August 2011 - 09:33 PM

PE Explorer is a very good tool to explore the EXE header. Maybe you have some luck with that. I used it for some time some years ago.

CFF explorer is free and might be even better (only the disassembler is not that advanced): post #7 of http://reboot.pro/15001/

#11 Icecube

Posted 01 September 2011 - 08:02 PM

Updated first post with a call to everybody to try to solve the challenge, now that challenge #12 is finally solved.
Challenge #14 might be easier to solve though.

#12 Holmes.Sherlock

Posted 02 September 2011 - 06:00 AM

Taking out the first letters from the updated challenge text, I guess the challenge is related to PE/COFF file format.

#13 Icecube

Posted 05 September 2011 - 09:22 PM

Taking out the first letters from the updated challenge text, I guess the challenge is related to PE/COFF file format.

Yes, it is.

#14 vtinoc

vtinoc
  • Members
  • 2 posts
  •  
    United States

Posted 06 September 2011 - 07:11 PM

key is 0x%x

#15 Icecube

Posted 06 September 2011 - 07:19 PM

key is 0x%x

No. The string you see is from an fprintf command. When the program is correctly fixed and run, the "%x" part will be replaced by a hexadecimal number stored in the "key" variable and printed to the screen.
fprintf(stdout, "The key is 0x%x.\n", key);


#16 joakim

Posted 06 September 2011 - 08:44 PM

Just had a second look at it, and must admit it's a little bit harder than first expected. I don't know, but would think the "hidden" code at the end should be made available. So I rebuilt the PE with a new section at the end, and changed oep. So far so good (almost), as the new chunk is executable in debugger but some unknown error is preventing it from running fully and correctly. Then I noticed the printf is pointing to the "nothing here.." text string and probably should be changed to point to the "The key is.." which is also in the new last section. That's ok, not a prob, but still error when running. Probably some more pointers need to be fixed..?? On the right track here?

#17 Icecube

Posted 06 September 2011 - 08:57 PM

"The key is.." which is also in the new last section. That's ok, not a prob, but still error when running. Probably some more pointers need to be fixed..?? On the right track here?

If you want to do it the hard way, it might be possible this way, although I doubt it.

A tip: To find the solution, you don't need a debugger at all. A pair of good eyes (or just one good eye) and a hex editor to view the file carefully might give you a clue. Be sure to read the PE/COFF spec.
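
Added example, not part of the thread or any poster's code: a header-only check in the spirit of the tip above, covering the two things raised earlier in the thread (code sitting at a file offset that may not belong to any section, and a suspect entry point). The function names `parse_pe`, `audit` and `build_sample` are hypothetical, and the sample image is constructed here; it is not the challenge file and says nothing about its solution.

```python
import struct

def parse_pe(data):
    """Return (entry_rva, size_of_headers, sections) read from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    coff = struct.unpack_from("<I", data, 0x3C)[0] + 4       # e_lfanew + "PE\0\0"
    if data[coff - 4:coff] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    hdr_size = struct.unpack_from("<I", data, opt + 60)[0]   # SizeOfHeaders
    sections = []
    for i in range(nsec):                                    # 40-byte section headers
        name, vsize, va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, rptr, rsize))
    return entry_rva, hdr_size, sections

def audit(data):
    """Return (section holding the entry point or None, unmapped file ranges)."""
    entry_rva, hdr_size, sections = parse_pe(data)
    entry_in = next((n for n, va, vs, _, rs in sections
                     if va <= entry_rva < va + (vs or rs)), None)
    gaps, pos = [], hdr_size
    for _, _, _, rptr, rsize in sorted(sections, key=lambda s: s[3]):
        if rsize and rptr > pos:
            gaps.append((pos, rptr))         # bytes between headers/sections
        if rsize:
            pos = max(pos, rptr + rsize)
    if pos < len(data):
        gaps.append((pos, len(data)))        # bytes after the last section
    return entry_in, gaps

def build_sample(entry_rva):
    """Constructed PE32 headers (not the challenge file): .text + 0x200 spare bytes."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)         # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)              # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, 0x98 + 16, entry_rva)    # AddressOfEntryPoint
    struct.pack_into("<I", img, 0x98 + 60, 0x200)        # SizeOfHeaders
    struct.pack_into("<8sIIII", img, 0x178, b".text", 0x100, 0x1000, 0x200, 0x200)
    return bytes(img)
```

Calling `audit(open(path, "rb").read())` on a real file returns the same pair; any reported range is a file region that no section header describes and is worth viewing in a hex editor.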

#18 joakim

Posted 07 September 2011 - 08:05 PM

Is it this one?
Spoiler


#19 Icecube

Posted 07 September 2011 - 08:10 PM

Is it this one?

Yes :cheerleader: . And, did you find it a rather easy solution or not?

Challenge #13: Pretty Easy. Come On, File Fixers! It's only a bit tricky!



#20 joakim

Posted 07 September 2011 - 08:14 PM

Hehe, think I tried everything except the "obvious". Nicely compiled exe with some good tricks!

#21 Icecube

Posted 07 January 2012 - 12:45 AM

Is there someone else who was able to find the solution?

#22 AceInfinity

Posted 07 January 2012 - 03:00 AM

Still trying, but I can't see how to get the instructions after the text is displayed and the exit is called to run properly. I keep getting an unknown application error (0xc0000005), and another error I've seen was that Ú@.dll is missing. Hmm

#23 Icecube

Posted 07 January 2012 - 12:40 PM

A tip: Use CFF explorer to solve this challenge. PE explorer won't let you solve the challenge (at least, I couldn't do it).

#24 AceInfinity

Posted 08 January 2012 - 04:39 AM

Haha, wow... FINALLY figured this thing out :)

Is this it?

SHA-1 Hash: (Full value of 0x%x generated hash)
8da1f266225b4f7d18aac434f72b5d112464eb6d


#25 Holmes.Sherlock

Posted 08 January 2012 - 04:42 AM

Is this it?

No need to wait for Icecube. Original post contains a link to try out the challenge.



