Jump to content











Photo

Challenge #13 - Can you find the key?


  • Please log in to reply
28 replies to this topic

#1 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 29 August 2011 - 02:15 AM

Challenge #13: Pretty Easy. Come On, File Fixers! It's only a bit tricky!
Try it here.

Attached Files



#2 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 29 August 2011 - 04:57 PM

Original post updated with a link to try out the challenge.

#3 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12688 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 29 August 2011 - 05:02 PM

Maybe I give some info to the team, and somebody else adds his knowledge.

The .exe has it's executable code at offset 0x0800, finally telling that there is nothing to say.

But there is a different code in the .exe starting at 0x1400 bringing the solution.

I tried some time with debugger (OllyDbg) to execute the code at 0x1400, but w/o success. Anybody has a suggestion?
Maybe relocation table change?

Peter

#4 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 29 August 2011 - 05:06 PM

I tried some time with debugger to execute the code at 0x1400, but w/o success. Anybody has a suggestion?

You may insert a JMP at the very beginning & then try to execute it in OllyDbg.

Maybe relocation table change?

PE Explorer is a very good tool to explore EXE header. May be you have some luck with that. I used it for some time some year ago.

#5 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12688 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 29 August 2011 - 05:13 PM

I downloaded OllyDbg for this challenge and am not familar with it.

I can change the registers, but currently I cannot change the code.

Do you know the How To?

Peter

#6 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 29 August 2011 - 05:54 PM

Do you know the How To?

Select the instruction you want to change, then hit spacebar.

#7 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 29 August 2011 - 09:51 PM

I'll give it a shot, I haven't tried a challenge like this before, so hopefully i'll have some luck :)

#8 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 29 August 2011 - 11:38 PM

Hmm, missing section and wrong entry point (and possibly more)?

#9 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 29 August 2011 - 11:52 PM

I tried jumping to the address for the challeng module in debug mode but no success

#10 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 30 August 2011 - 09:33 PM

PE Explorer is a very good tool to explore EXE header. May be you have some luck with that. I used it for some time some year ago.

CFF explorer is free and might be even better (only the disassembler is not that advanced): post #7 of http://reboot.pro/15001/

#11 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 01 September 2011 - 08:02 PM

Updated first post with a call to everybody, to try to solve the challenge now challenge #12 is finally solved.
Challenge #14 might be easier to solve tough.

#12 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 02 September 2011 - 06:00 AM

Taking out the first letters from the updated challenge text, I guess the challenge is related to PE/COFF file format.

#13 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 05 September 2011 - 09:22 PM

Taking out the first letters from the updated challenge text, I guess the challenge is related to PE/COFF file format.

Yes, it is.

#14 vtinoc

vtinoc
  • Members
  • 2 posts
  •  
    United States

Posted 06 September 2011 - 07:11 PM

key is 0x%x

#15 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 06 September 2011 - 07:19 PM

key is 0x%x

No. The string you see, is from a fprintf command. When the program is correctly fixed and run, the "%x" part will be replaced by a hexadecimal number stored in the "key" variable and printed to the screen.
fprintf(stdout, "The key is 0x%x.\n", key);


#16 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 06 September 2011 - 08:44 PM

Just had a second look at it, and must admit it's a little bit harder than first expected. I don't know, but would think the "hidden" code at the end should be made available. So I rebuilt the PE with a new section at the end, and changed oep. So far so good (almost), as the new chunk is executable in debugger but some unknown error is preventing it from running fully and correctly. Then I noticed the printf is pointing to the "nothing here.." text string and probably should be changed to point to the "The key is.." which is also in the new last section. That's ok, not a prob, but still error when running. Probably some more pointers need to be fixed..?? On the right track here?

#17 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 06 September 2011 - 08:57 PM

"The key is.." which is also in the new last section. That's ok, not a prob, but still error when running. Probably some more pointers need to be fixed..?? On the right track here?

If you want to do it the hard way, it might be possible this way, although I doubt it.

A tip: To find the solution, you don't need a debugger at all. A pair of good eyes (or just one good eye) and a hexeditor to view the file carefully, might give you a clue. Be sure to read the PE/COFF spec.

#18 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 07 September 2011 - 08:05 PM

Is it this one?
Spoiler


#19 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 07 September 2011 - 08:10 PM

Is it this one?

Yes :cheerleader: . And, did you find it a rather easy solution or not?

Challenge #13: Pretty Easy. Come On, File Fixers! It's only a bit tricky!



#20 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 07 September 2011 - 08:14 PM

Hehe, think I tried everything except the "obvious". Nicely compiled exe with some good tricks!

#21 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 07 January 2012 - 12:45 AM

Is there someone else, who was able to find the solution?

#22 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 07 January 2012 - 03:00 AM

Still trying, but I can't see how to get the instructions after the text is displayed and the exit is called to run properly, I keep getting an unknown application error (0xc0000005) and another error i've seen was that Ú@.dll is missing. Hmm

#23 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1062 posts
  •  
    Belgium

Posted 07 January 2012 - 12:40 PM

A tip: Use CFF explorer to solve this challenge. PE explorer won't let you solve the challenge (at least, I couldn't do it).

#24 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 08 January 2012 - 04:39 AM

Haha, wow... FINALLY figured this thing out :)

Is this it?

SHA-1 Hash: (Full value of 0x%x generated hash)
8da1f266225b4f7d18aac434f72b5d112464eb6d


#25 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 08 January 2012 - 04:42 AM

Is this it?

No need to wait for Icecube. Original post contains a link to try out the challenge.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users