Jump to content











Photo

December 2011 TechLife Challenge (Possible Reward)

Started by Holmes.Sherlock , Dec 13 2011 02:48 PM

  • Please log in to reply
28 replies to this topic

#1 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 13 December 2011 - 02:48 PM

AceInfinity has shared a nice, custom made challenge here. Solving it might fetch fortune for you in terms of a small monetary reward. Dare to try it?

#2 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1063 posts
  •  
    Belgium

Posted 13 December 2011 - 04:29 PM

You can download the file from:
http://www.mediafire...gz3kqch0n3vtxhn

#3 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 December 2011 - 05:39 PM

Where do I test if the key is correct?

#4 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1063 posts
  •  
    Belgium

Posted 13 December 2011 - 05:59 PM

@ joakim
When you find the key, you will know that you have the right one (before you have it, you won't see anything that looks even like a key).

#5 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 December 2011 - 06:01 PM

SHA1:


B361855A10325CC4CD7CF63044E35C49DC89F302
?

#6 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1063 posts
  •  
    Belgium

Posted 13 December 2011 - 06:17 PM

@ joakim
Yes

#7 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 14 December 2011 - 06:33 AM

@Icecube & joakim

Please share the key on the thread @TLF.

#8 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 14 December 2011 - 08:53 AM

Nice work joakim, I didn't realize this thread existed until joakim mentioned the correct SHA-1 hash of the key to verify that it was the right key without revealing the answer to others. It was smart to do that too, I would have expected just the key in a spoiler, but well done. I seen his username as being the last poster and I knew he had the right key before I even looked at the thread lol.

Reward is $10 CAN, payable via my PayPal. Just something exciting for the Christmas season :)

#9 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 14 December 2011 - 09:18 AM

It was an easy challenge for me, since I do have rather extensive knowledge about zip based files. My reward was to get the key. :) Happy X-mas shopping.

#10 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 14 December 2011 - 09:24 AM

Alright friend :) Nice work anyway, gives some more people a chance to earn some Christmas shopping prize money then too I suppose!

#11 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 14 December 2011 - 09:30 AM

@joakim/Icecube,

Can you please share the steps to solve the problem with us?

#12 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 14 December 2011 - 09:49 AM

@joakim/Icecube,

Can you please share the steps to solve the problem with us?

I opened the file in a hex editor and quickly identified the target as a broken zip file. Instead of rebuilding the zip structure by hand, I just decompressed the raw content. ;)

#13 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 14 December 2011 - 08:51 PM

I opened the file in a hex editor and quickly identified the target as a broken zip file. Instead of rebuilding the zip structure by hand, I just decompressed the raw content. ;)


I thought you rebuilt it by editing the signature to a valid PK zip signature, but I suppose that would work too, i've not too much knowledge in doing it the way you claim to have done it, but it obviously works too :)

#14 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 14 December 2011 - 10:03 PM

I thought you rebuilt it by editing the signature to a valid PK zip signature, but I suppose that would work too, i've not too much knowledge in doing it the way you claim to have done it, but it obviously works too :)

There are 2 ways of solving it. One is to recreate the zip structure so that regular zip libraries can unzip the content. The other way is to use zlib in raw mode, ie no zip structure or headers needed. Just deflate the raw data (which is what I do in one of my stegotools).

#15 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 15 December 2011 - 05:30 AM

There are 2 ways of solving it. One is to recreate the zip structure so that regular zip libraries can unzip the content. The other way is to use zlib in raw mode, ie no zip structure or headers needed. Just deflate the raw data (which is what I do in one of my stegotools).

Can you please be a bit elaborate or provide us with some links to learn the structure of deflated ZIP file format?

#16 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 15 December 2011 - 08:40 AM

Can you please be a bit elaborate or provide us with some links to learn the structure of deflated ZIP file format?

OK. The ZIP format can be read about here;
http://en.wikipedia....ip_(file_format)
http://www.pkware.co...ies/APPNOTE.TXT

Since compression method can vary, the deflate method is just one of many and comes from zlib. Read the doc above and you will see where in the zip structure this information is found. Since we know compression method is deflate (opposite is inflate for decompression), which it usually is in a zip archive anyway, we move on the zlib site and dig; http://zlib.net/manual.html By careful inspection and extensive searching, we can dig up some tiny comment like this;

windowBits can also be –8..–15 for raw deflate. In this case, -windowBits determines the window size. deflate() will then generate raw deflate data with no zlib header or trailer, and will not compute an adler32 check value.


A little bit of thinking later we conclude that since zlib can compress/decompress data without header (ie information about about data size, checksum etc) by setting windowBits to unusual values, we should in theory be able to do so for certain zip archives too. And honestly it took me a lttle bit of time to make this connection and draw the lines between this information. That means you should also be able to attempt brute force decompression of raw data by moving the filepointer byte for byte. I created some apps for this, which can be found here; http://www.mediafire...gzmxu17gspxuymx (check out the readme) And by running the tool inflate_raw_loop.exe on this challenge you will have the decompressed and fully functional exe in a second. So most of the time it took me to solve the challenge was actually in getting the missing dll's. Note that when working in raw mode without header, there exist no name to give the output, and abviously also no extension. For that reason I added a very simple signature identification to give the output an extension. You get the point now. But this information is not very well documented or otherwise described. Google yourself..

#17 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 15 December 2011 - 03:50 PM

@joakim
A bunch of info indeed. Let me find some time to digest. :)

#18 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 15 December 2011 - 07:46 PM

If you like AutoIt, then this code may be useful for learning purpose; http://www.autoitscr...f-from-scratch/

#19 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 15 December 2011 - 11:17 PM

If you like AutoIt, then this code may be useful for learning purpose; http://www.autoitscr...f-from-scratch/

Yep, I do like AutoIt. The SessionChange service present in my signature is based on arcker's UDF & written in AutoIt.

#20 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 16 December 2011 - 01:08 AM

What interesting is, when I tried to repair the broken file using Winrar, it detected it as RAR file. :dubbio:

Does anyone have any link to detailed specification of RAR file format?

#21 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 16 December 2011 - 06:40 AM

What interesting is, when I tried to repair the broken file using Winrar, it detected it as RAR file. :dubbio:

Does anyone have any link to detailed specification of RAR file format?

It was detected so because of the header, but the content was not in the header, so it did not matter at all for the challenge. Have no idea about RAR format though.

#22 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1063 posts
  •  
    Belgium

Posted 16 December 2011 - 07:58 AM

The RAR signature is not valid. Not all necessary bytes are there (only the first 4 bytes).

HEAD_CRC	    Always 0x6152

2 bytes 

HEAD_TYPE	   Header type: 0x72

1 byte

HEAD_FLAGS	  Always 0x1a21

2 bytes

HEAD_SIZE	   Block size = 0x0007

2 bytes

   The marker block is actually considered as a fixed byte

sequence: 0x52 0x61 0x72 0x21 0x1a 0x07 0x00
http://www.win-rar.com/index.php?id=24&kb_article_id=162

#23 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 16 December 2011 - 08:22 AM

The RAR signature is not valid. Not all necessary bytes are there (only the first 4 bytes).

Got it. :happy_dance2:

#24 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 16 December 2011 - 04:40 PM

The RAR signature is not valid. Not all necessary bytes are there (only the first 4 bytes).


HEAD_CRC		Always 0x6152

But the first two bytes are 0x244E

#25 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 17 December 2011 - 01:49 AM

But the first two bytes are 0x244E


Just to clarify, I think he was talking about the first 4 bytes for the RAR signature, the RAR signature is an invalid signature. Look around the bytes where you see a "RAR" signature in it's ANSI form.

Edit: I quotted you to help out the other member solving this challenge if that's okay with you joakim :)
Back to Team Reboot


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. reboot.pro
  2. Groups
  3. Security
  4. Team Reboot
  5. Privacy Policy
  6. Site policies ·