Monday, 12 December 2011

Solution for GCHQ '_Can you crack it' cyber challenge

Okay, the GCHQ cyber challenge canyoucrackit.co.uk has just closed seems to have re-opened... Is it on a loop? Anyhow, here's the solution.  We can report that the challenge, described in the Telegraph as 'fiendishly difficult', is... fiendishly difficult!

Here's a 30-minute video to guide you through, there are actually 3 stages - see below for more info. Best watched full screen HD (and even then, apologies some of the screen text is not fully readable and apologies again for occasional bumbling):



The stages

Stage 1: combine the machine code instructions displayed on the website with additional bytes encoded in a comment field of the PNG image.  The bytes in the comment field are base64 encoded.  Create an executable wrapper and execute the routine (I did this on a virtual machine just in case there was any malware inside).  Search the stack and find a URL which retrieves stage 2 from the canyoucrackit.co.uk website.

Open Digital files for stage 1:
 - 'C' wrapper to make an executable (compiles using gcc on a 32-bit linux machine)
 - (roughly) disassembled assembler for the routine provided by the challenge website

Stage 2: write a software implementation of a CPU (a virtual machine) and execute the provided software on the virtual machine you've just written.  The routine decrypts part of the provided memory and results in another URL which retrieves stage 3 from the challenge site.

Here's a copy of the starting point (.js) (in case it doesn't work not the challenge has closed) and our solution (.js).  Or a web page which will run our solution.

Stage 3: use the Linux 'strings' command and a good disassembler (I used PE Explorer) to work out what the executable does.  Turns out you don't need to actually run it.  Find a mystery string which looks like an encrypted word and hunt 3 mystery 4-byte words, 1 from stage 1 and 2 from stage 2.  Plug them all together and use the resultant URL to retrieve a keyword from the challenge website.


Put the keyword into the front page of canyoucrackit.co.uk and apply for your job at GCHQ!


Here's the disassembled stage 3 executable "keygen.exe"

@JamesFirth

1 comment: