
Can You Crack It? (part 1) #Solution


Fire up your compiler ;) If you run into problems do let me know ....

// Cliffsull, twitter: @cliffsull
// Compiler solution to part #1 of http://www.canyoucrackit.co.uk/ via @badeip
//

#include <stdio.h>
#include <stdint.h>
#include <malloc.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/mman.h>
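#include <sys/utsname.h>

// part2.h must define part2[] (the second-stage bytes); they are not
// reproduced on this page.
#include "part2.h"

static unsigned char part1[] = {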
    0xeb, 0x04, 0xaf, 0xc2, 0xbf, 0xa3, 0x81, 0xec,   0x00, 0x01, 0x00, 0x00, 0x31, 0xc9, 0x88, 0x0c,
    0x0c, 0xfe, 0xc1, 0x75, 0xf9, 0x31, 0xc0, 0xba,   0xef, 0xbe, 0xad, 0xde, 0x02, 0x04, 0x0c, 0x00,
    0xd0, 0xc1, 0xca, 0x08, 0x8a, 0x1c, 0x0c, 0x8a,   0x3c, 0x04, 0x88, 0x1c, 0x04, 0x88, 0x3c, 0x0c,
    0xfe, 0xc1, 0x75, 0xe8, 0xe9, 0x5c, 0x00, 0x00,   0x00, 0x89, 0xe3, 0x81, 0xc3, 0x04, 0x00, 0x00,
    0x00, 0x5c, 0x58, 0x3d, 0x41, 0x41, 0x41, 0x41,   0x75, 0x43, 0x58, 0x3d, 0x42, 0x42, 0x42, 0x42,
    0x75, 0x3b, 0x5a, 0x89, 0xd1, 0x89, 0xe6, 0x89,   0xdf, 0x29, 0xcf, 0xf3, 0xa4, 0x89, 0xde, 0x89,
    0xd1, 0x89, 0xdf, 0x29, 0xcf, 0x31, 0xc0, 0x31,   0xdb, 0x31, 0xd2, 0xfe, 0xc0, 0x02, 0x1c, 0x06,
    0x8a, 0x14, 0x06, 0x8a, 0x34, 0x1e, 0x88, 0x34,   0x06, 0x88, 0x14, 0x1e, 0x00, 0xf2, 0x30, 0xf6,
    0x8a, 0x1c, 0x16, 0x8a, 0x17, 0x30, 0xda, 0x88,   0x17, 0x47, 0x49, 0x75, 0xde, 0x31, 0xdb, 0x89,
    0xd8, 0xfe, 0xc0, 0xcd, 0x80, 0x90, 0x90, 0xe8,   0x9d, 0xff, 0xff, 0xff, 0x41, 0x41, 0x41, 0x41,
};

// code to dump the decrypted memory:
static const unsigned char dump_mem[] = {
    0xba, 0x31, 0x00, 0x00, 0x00,   // mov    edx, 0x31         - number of bytes to write
    0x8d, 0x4f, 0xce,               // lea    ecx, [edi-0x32]
    0x31, 0xdb,                     // xor    ebx, ebx
    0x43,                           // inc    ebx (stdout)
    0x31, 0xc0,                     // xor    eax, eax
    0xb0, 0x04,                     // mov    al, 0x4           - sys_write
    0xcd, 0x80,                     // int    0x80
    0x31, 0xdb,                     // xor    ebx,ebx
    0x43,                           // inc    ebx
    0x31, 0xd2,                     // xor    edx,edx
    0x42,                           // inc    edx
    0x68, 0x0a, 0x00,0x00, 0x00,    // push   0xa
    0x8d, 0x0c, 0x24,               // lea    ecx,[esp]
    0xb8, 0x04, 0x00,0x00, 0x00,    // mov    eax, 0x4
    0xcd, 0x80,                     // int    0x80              - sys_write
    0x31, 0xdb,                     // xor    ebx,ebx
    0x31, 0xc0,                     // xor    eax,eax
    0x40,                           // inc    eax
    0xcd, 0x80,                     // int    0x80              - sys_exit
};

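// Replace the first `int 0x80` (cd 80) in the payload with `jmp short +0x45`
// (eb 45), so that execution jumps forward instead of making the syscall.
// Returns 0 when the patch was applied, 1 when no `int 0x80` was found.
uint32_t patch_mem(char *ptr, size_t size)
{
    size_t i;

    // stop one byte early: each test reads ptr[i] and ptr[i + 1]
    for (i = 0; i + 1 < size; i++) {
        if ((unsigned char)ptr[i] == 0xcd && (unsigned char)ptr[i + 1] == 0x80) {
            ptr[i] = (char)0xeb;
            ptr[i + 1] = 0x45;
            return 0;
        }
    }
    return 1;
}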

uint32_t check_arch(void)
{
    struct utsname kernel_info;

    uname(&kernel_info);
    return strcmp(kernel_info.machine, "i686") ? 1 : 0;
}

int main(int argc, char **argv)
{
    void *mem;

    if (check_arch()) {
        printf("[-] this program must run on a 32-bit architecture\n");
        return 1;
    }

    printf("[*] allocating page aligned memory\n");
    mem = memalign(4096, 4096);
    if (!mem) {
        printf("[-] error: %s\n", strerror(errno));
        return 1;
    }
    memset(mem, 0, 4096);

    printf("[*] setting page permissions\n");
    if (mprotect(mem, 4096, PROT_READ | PROT_WRITE | PROT_EXEC)) {
        printf("[-] error: %s\n", strerror(errno));
        return 1;
    }

    printf("[*] copying payload\n");

    // cast before the arithmetic: adding to a void * is a GNU extension
    memcpy(mem, part1, sizeof(part1));
    memcpy((char *)mem + sizeof(part1), part2, sizeof(part2));
    memcpy((char *)mem + sizeof(part1) + sizeof(part2), dump_mem, sizeof(dump_mem));

    printf("[*] adding dump_mem payload\n");
    if (patch_mem(mem, sizeof(part1))) {
        printf("[-] failed to patch memory\n");
        return 1;
    }

    printf("[*] executing payload..\n\n");

    ((int(*)(void))mem)();

    return 0;
}

can you crack it - yes we can ;)

LOL – Check out – http://twitter.com/badeip  (he wrote this – NOT ME ) …check his paste bin – http://pastebin.com/uERE2WfF
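
What the `0x45eb` written by patch_mem does, as an added example that is not part of the original post or of badeip's code: `eb 45` is a two-byte `jmp short +0x45`, so the `int 0x80` in part1 becomes a forward jump. The helper names are hypothetical, and the part2 length is inferred on the assumption that the jump is meant to land on the first byte of dump_mem.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* part1 bytes copied from the listing above (160 bytes). */
static const uint8_t part1[] = {
    0xeb, 0x04, 0xaf, 0xc2, 0xbf, 0xa3, 0x81, 0xec, 0x00, 0x01, 0x00, 0x00, 0x31, 0xc9, 0x88, 0x0c,
    0x0c, 0xfe, 0xc1, 0x75, 0xf9, 0x31, 0xc0, 0xba, 0xef, 0xbe, 0xad, 0xde, 0x02, 0x04, 0x0c, 0x00,
    0xd0, 0xc1, 0xca, 0x08, 0x8a, 0x1c, 0x0c, 0x8a, 0x3c, 0x04, 0x88, 0x1c, 0x04, 0x88, 0x3c, 0x0c,
    0xfe, 0xc1, 0x75, 0xe8, 0xe9, 0x5c, 0x00, 0x00, 0x00, 0x89, 0xe3, 0x81, 0xc3, 0x04, 0x00, 0x00,
    0x00, 0x5c, 0x58, 0x3d, 0x41, 0x41, 0x41, 0x41, 0x75, 0x43, 0x58, 0x3d, 0x42, 0x42, 0x42, 0x42,
    0x75, 0x3b, 0x5a, 0x89, 0xd1, 0x89, 0xe6, 0x89, 0xdf, 0x29, 0xcf, 0xf3, 0xa4, 0x89, 0xde, 0x89,
    0xd1, 0x89, 0xdf, 0x29, 0xcf, 0x31, 0xc0, 0x31, 0xdb, 0x31, 0xd2, 0xfe, 0xc0, 0x02, 0x1c, 0x06,
    0x8a, 0x14, 0x06, 0x8a, 0x34, 0x1e, 0x88, 0x34, 0x06, 0x88, 0x14, 0x1e, 0x00, 0xf2, 0x30, 0xf6,
    0x8a, 0x1c, 0x16, 0x8a, 0x17, 0x30, 0xda, 0x88, 0x17, 0x47, 0x49, 0x75, 0xde, 0x31, 0xdb, 0x89,
    0xd8, 0xfe, 0xc0, 0xcd, 0x80, 0x90, 0x90, 0xe8, 0x9d, 0xff, 0xff, 0xff, 0x41, 0x41, 0x41, 0x41,
};

/* Offset of the first `int 0x80` (cd 80) in buf, or -1 if there is none. */
long find_int80(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == 0xcd && buf[i + 1] == 0x80)
            return (long)i;
    return -1;
}

/* Destination of an `eb rel8` at offset off: rel8 is a signed byte counted
 * from the end of the two-byte instruction. */
long short_jmp_target(long off, uint8_t rel8)
{
    return off + 2 + (int8_t)rel8;
}

/* Encode a short jump from off to target; -1 if it does not fit in rel8. */
int encode_short_jmp(long off, long target, uint8_t out[2])
{
    long rel = target - (off + 2);
    if (rel < -128 || rel > 127)
        return -1;
    out[0] = 0xeb;
    out[1] = (uint8_t)rel;
    return 0;
}

/* part2 length implied by the hard-coded 0x45 (assumption: the jump lands on
 * dump_mem, which the loader copies directly after part1 and part2). */
long implied_part2_len(void)
{
    long off = find_int80(part1, sizeof part1);
    return short_jmp_target(off, 0x45) - (long)sizeof part1;
}

int main(void)
{
    long off = find_int80(part1, sizeof part1);
    printf("int 0x80 at 0x%lx, jmp lands at 0x%lx, implied part2 length %ld\n",
           off, short_jmp_target(off, 0x45), implied_part2_len());
    return 0;
}
```

A part2 of any other length would need a different displacement; encode_short_jmp computes it from the actual offsets and refuses targets a short jump cannot reach.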

About cliffsull

More on twitter - http://twitter.com/cliffsull

Discussion

58 thoughts on “Can You Crack It? (part 1) #Solution”

  1. Slightly different method for part 1 to some of the posts seen: http://www.youtube.com/watch?v=e1uIpBI9u6g

    Posted by Matt Bartlett | December 13, 2011, 10:17 am
  2. Can't this be performed without the help of coding?

    Posted by talun | December 11, 2011, 12:35 pm
  3. Solution: #cyber_security

    Posted by infernalhack | December 7, 2011, 8:13 pm
  4. easy one Password is Pr0t3ct!************* :) its how it starts… 04/12/2011

    Posted by ImRocker | December 4, 2011, 11:28 pm
  5. If you are asking for clues or the answer, you Do NOT have what it takes for what they are looking for or to man handle the best of the best in the world, although, the best of the best, have been man handled for a while now, and.

    It amazes me how Clueless the vast majority are in the world, and not to seem heartless, but even my own mom looked at and saw the answers to this, and said it’s just some game he’s playing. Sheer stupidity how the world really works that even some of the smartest phD’s and all those degrees and suits have NO CLUE! I’m beginning to understand why many things are kept under wraps, As my ideals and beliefs are always within reason and on a realist level.

    Without accountability on all levels, abuse will always be there, even those who have 4 stars on their shoulders… Or the president of any country in the world…

    The one who steps up to set the better example, is the smartest of the bunch in the world.. But not one country has done that yet, which shows the sheer stupidity of them all…

    Enjoy the game

    Posted by Zicon | December 4, 2011, 9:27 pm
    • Actually no, as Kevin Mitnick and others have repeatedly proven, hacking is more about social engineering and research skills than technological attacks, and looking up the answer should be step number one for all hack attempts. The good hacker doesn’t waste their time on things that are already broken. I’m sure GCHQ wouldn’t want you to be off writing programs when you could just look up the answer. Time is critical in the spy business – don’t waste it.

      Posted by Jasmine Adamson | December 5, 2011, 4:51 pm
  6. Copy the png file, import it to linux gimp graphics package, alter intensity and contrast even colour, divide picture into two halves and mask one, what's with all the programming in aid of. Probably done on an old commodore64 using a green crt monitor using CPM.

    Then visit – M15-M16_royal_arch_freemasonary.html

    Was it all worth it.

    Posted by Christafari | December 4, 2011, 9:10 pm
  7. Damn. I was thinking this was Letter swapping (I don’t know the technical term) ex: 3bb = a

    Now that I see it’s computer code, I’m out of the race. Boo :[ I love stuff like this.

    Posted by Open_eyes | December 4, 2011, 7:25 pm
  8. Well done :)
    #cyber_security

    Posted by tj | December 4, 2011, 2:57 pm
  9. password is:
    Correct – #cyber_security

    Posted by ckan9013 | December 4, 2011, 12:36 pm
  10. The code doesn’t make much sense to me. It seems as if all the patch_mem function is doing is replacing 0x80cd (int 0x80) with 0x45eb (don’t know what function that is, but if I remember correctly eb is jmp or something). I don’t understand how patching the int 0x80 would do anything. I have a weird feeling that this is impossible to crack. My compiler does not have some of those include files. Would you mind sharing what you compiled this with?

    Posted by Paul | December 4, 2011, 9:18 am
  11. How did you figure it out? Everything I’ve tried hasn’t worked…..

    Posted by Josh | December 4, 2011, 6:52 am
  12. #Cyber_security

    Posted by loic | December 4, 2011, 6:50 am
  13. P.S. on the website they have written “The challenge continues”. Maybe indicating that it's more than the password many people have cracked or just copied and pasted.

    Posted by Grant | December 4, 2011, 4:10 am
  14. If everyone seems to get it or find it on the internet (as I did) and there are only 35 available job positions don't you think it's not that easy? Maybe the REAL job offers are after you crack the website itself rather than the code or something like that. Just my opinion.

    Posted by Grant | December 4, 2011, 4:03 am
  15. crappy! you gotta be a goddamn limey to get a job with them saps! hehehe! I'm american!

    Posted by Jumpman Lane (@JumpmanLane) | December 4, 2011, 1:40 am
  16. *Original Comment removed :)

    Correct Answer !!
    ( Click Home – see my latest blogpost explaining why I don’t publish the actual answer) – very well done ! #cybersecurity

    Posted by Ledion Shahinas | December 3, 2011, 4:17 pm
  17. is that a single word that we are left with to crack ?

    Posted by deepak | December 3, 2011, 12:49 pm
  18. Cryptography, and other junks. went through bunch of processes. and got this as my answer:

    (REMOVED) – But you are right – which you knew because you would have checked it at the website ;) WELL DONE ShiftyB

    Posted by ShiftBy3 | December 3, 2011, 5:27 am
  19. (REMOVED) – BUT YES!! Well done izzy!

    Posted by izzy | December 2, 2011, 9:31 pm
  20. I have it compiled but how do I execute the results, I have never done anything with C++ just Java?

    Posted by daswahnsinn | December 2, 2011, 6:07 pm
  21. Linux gcc doesn’t eat it, missing part2.h, so this is no solution without part2.h.
    Greedy bastard wants job for himself, no scriptkiddies allowed

    Posted by Scriptkiddy | December 2, 2011, 8:57 am
  22. all I have so far is Just bingo and x=AAAA and x=BBBB

    Posted by eddy | December 2, 2011, 1:06 am
  23. Keyword: $$$$$$$$$$$$$$$$$$$$$$$$$$$$ ( Answer Removed )
    WELL DONE Warren – that was correctimundo ;)

    Posted by Warren | December 2, 2011, 12:20 am
  24. can you solve it without computers?

    Posted by gomesy2010 | December 2, 2011, 12:01 am
  25. I thought this looked familiar!

    I found an old 6507 assembler (well, 6502 actually) and modded it a bit (remember: 6502 is an 8-bit machine; this is obviously 16-bit code…) before running it, and this is what I got:

    Can You Crack It Solution

    ~Graham

    Posted by Graham Strong | December 1, 2011, 10:09 pm
    • Excellent :) the easy option is to check the site with websucker/python and go to the page entitled ‘ So you did it’ – NO PASSWORD required – lol

      Posted by cliffsull | December 1, 2011, 10:20 pm
  26. Well it was a bit easy a bit hard http://www.canyoucrackit.co.uk/soyoudidit.asp here is the solution.

    Posted by Jersey Island (@jerseyisland) | December 1, 2011, 5:44 pm
  27. Try this link http://www.canyoucrackit.co.uk/soyoudidit.asp and yes it was easy.

    Posted by Jerzzy | December 1, 2011, 5:43 pm
  28. How does it work??? I speak only a little bit of English

    Posted by pascal | December 1, 2011, 5:27 pm
  29. Oh my brain! Don’t have a clue how this coding thing works but I don’t know how to crack it just using my noggin either lol!

    Posted by DunDeagh | December 1, 2011, 4:55 pm
  30. So easy ! Lol
    Thanks for sharing!
    Best Regards

    Posted by Loic Helias | December 1, 2011, 4:53 pm
  31. as usual the boffins are overly complicating things. This can be solved on a piece of paper or in your head. NUMPTY

    Posted by Tango | December 1, 2011, 3:54 pm
  32. What did you use to compile?

    Posted by Rob | December 1, 2011, 3:51 pm
  33. I get this error:

    prog.c: In function ‘main’:
    prog.c:99: error: ‘part2’ undeclared (first use in this function)
    prog.c:99: error: (Each undeclared identifier is reported only once
    prog.c:99: error: for each function it appears in.)

    any help please?

    Posted by Ryan | December 1, 2011, 3:50 pm
    • Solution to part2 of hxxp://www.canyoucrackit.co.uk: pastebin.com/pJmZYbMy This is the missing piece from level1 (pastebin.com/cqzbkw4H)

      Posted by cliffsull | December 1, 2011, 3:55 pm
  34. can you explain the code to dump the decrypted memory please?

    Posted by James Attard | December 1, 2011, 3:36 pm
  35. you are all a bunch of faggots

    Posted by the faggot finder | December 1, 2011, 2:54 pm
    • Cheers for your insight – it's very enlightening. and well done on spelling faggots ALL BY YOURSELF!! Woohoo – well done – tomorrow we shall be learning how to spell ASSHOLE!

      Posted by cliffsull | December 1, 2011, 3:08 pm
  36. SHOWS ERRORS IN TURBO C++

    Posted by shivam anand | December 1, 2011, 2:30 pm
