F-Secure reversing challenge

Started by Ghirai, August 02, 2008, 12:52:02 AM


Ghirai

http://www.khallenge.com

I wrote a detailed howto solving Level 1 (https://nodereality.com/viewtopic.php?pid=707#p707).

Poked at Level 2 for about an hour, then gave up. Gonna try again later.

Anyone else having a stab at it?
MASM32 Project/RadASM mirror - http://ghirai.com/hutch/mmi.html

bozo

level 1 was easy, but i've not been able to figure out level 2 so far.

hutch--

Ask them for an hourly rate.  :bg
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

bozo

i spent 6 hours on the second one and decided to give up, it's enough!  :green
i managed to find the key gen routine, but not sure how it works really.
Any luck Ghirai?

asmfan

Russia is a weird place

Ghirai

Quote from: Kernel_Gaddafi on August 02, 2008, 04:02:39 PM
Any luck Ghirai?

Not really, i didn't find any more time. Got stuck at the keygen routine as well :(

They usually post some sort of howtos some time after the official results are posted.

Offtopic: Does anyone feel the board *really* slow sometimes as of recently? Doesn't seem to be my pipe...

bozo

i'm gonna have another stab at it later..was just thinking about it again.
the only part i haven't figured out yet is what the valid key lengths are.

Quote
Let brute force be with you ;)

i did run an md5crack on the hash for 8 characters using uppercase alphabet ;) but no luck..maybe it's longer?
most of the time was spent looking at how the checksum was generated, i believe this is the way to generate any valid keys..

retarded

Quote from: Ghirai on August 02, 2008, 12:52:02 AM
http://www.khallenge.com

I wrote a detailed howto solving Level 1 (https://nodereality.com/viewtopic.php?pid=707#p707).

Poked at Level 2 for about an hour, then gave up. Gonna try again later.

Anyone else having a stab at it?
found this thread yesterday, very interesting.

level 2:

look at 401000 while tracing. to speed up things, set a memory write breakpoint on 00401E29 and let it run. now check all new code it built, if you move on tracing after bp you will end up here:

00407054     8B02           MOV EAX,DWORD PTR DS:[EDX] ; we will crash here.

i haven't checked more than a couple of minutes, but i suppose it might build code based on input key or so. might check it more later.. fun with levels like this.  :U

level 1:

i coded a very ugly bruteforcer.. i think it can be improved very much.. writing nice code and optimize it is not my strong side... but it works and that's the point.  :toothy

;\MASM32\bin\ml /c /coff /Cp /nologo brute.asm
;\MASM32\bin\link /SUBSYSTEM:CONSOLE brute.obj

include \masm32\include\masm32rt.inc   ; already pulls in macros.asm and masm32.lib

.data
intro db 'FSC08 Level 1 bruteforcer by retarded.',0dh,0ah,0dh,0ah,
         'im bruting... be patient...',0dh,0ah,0dh,0ah,0
key   db 4 dup(?),0                    ; candidate key, zero terminated so print can show it
xortb db 8 dup(?),0                    ; working copy, rebuilt for every candidate
xormv db 07h,2Eh,35h,29h,70h,20h,76h,68h,0   ; table ripped from the target

.data?
gtc   dd ?
count dd ?

brutme PROTO :DWORD                    ; needed so invoke can be used before the proc body

.code
start:
      print offset intro
      invoke GetTickCount
      invoke nseed, eax                ; seed nrandom, otherwise every run draws the same sequence
      invoke brutme, 256               ; range for nrandom; only the low byte of the draw is used
      print offset key,' is the magic key! ',0
      inkey str$(count),' tries to find it.',0
      exit

brutme proc max:DWORD

      ; the test below modifies xortb in place, so restore it before every candidate.

newkey:
      mov esi,offset xormv
      mov edi,offset xortb
      mov ecx,8
      rep movsb
      xor esi,esi                      ; esi = index of the key byte being generated

      ; make 4char key A-Z...

find:
      invoke GetTickCount
      mov gtc,eax
      invoke nrandom, max
      add gtc,eax
      mov al,byte ptr [gtc]            ; low byte of tick count + random draw
      cmp al,41h                       ; keep only 'A'..'Z' (unsigned compare)
      jb find
      cmp al,5ah
      ja find
      mov byte ptr [key+esi],al
      add esi,1
      cmp esi,4
      jne find

      ; 4char key done...

      add count,1

      ; test key in algo to see if it's valid. code ripped from the main program.
      ; each compared byte of xortb is XORed with exactly one key byte.

      MOVZX EDX,BYTE PTR DS:[key+2]
      MOV AL,BYTE PTR DS:[key]
      XOR BYTE PTR DS:[xortb],AL
      XOR BYTE PTR DS:[xortb+2],DL
      XOR BYTE PTR DS:[xortb+4],AL
      MOVZX EDX,BYTE PTR DS:[key+3]
      MOVZX EAX,BYTE PTR DS:[key+1]
      XOR BYTE PTR DS:[xortb+3],DL
      XOR BYTE PTR DS:[xortb+5],AL
      MOV CL,BYTE PTR DS:[xortb+1]
      MOVZX EDX,BYTE PTR DS:[key+2]
      MOVZX EAX,BYTE PTR DS:[key+3]
      XOR CL,BYTE PTR DS:[key+1]
      XOR BYTE PTR DS:[xortb+6],DL
      XOR BYTE PTR DS:[xortb+7],AL
      CMP CL,061h
      MOV BYTE PTR DS:[xortb+1],CL
      JNZ newkey                       ; if key fails, we try again...
      CMP BYTE PTR DS:[xortb+3],079h
      JNZ newkey
      CMP BYTE PTR DS:[xortb+4],032h
      JNZ newkey
      CMP BYTE PTR DS:[xortb+6],030h
      JNZ newkey

      ; seems like we found a match...

      ret                              ; proc has a stack argument, so MASM emits leave / ret 4

brutme endp

end start
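As an added example (not retarded's code and not part of the challenge), here is the same ripped check modelled in Python. The xormv table and the four compared bytes are copied from the posted assembly; the exhaustive search over A-Z and the direct inversion are constructed here to show that each compared byte depends on exactly one key byte, so the key can be solved without brute force at all.

```python
from itertools import product
from typing import Optional

# Table and compare constants as they appear in the posted assembly.
XORMV = bytes([0x07, 0x2E, 0x35, 0x29, 0x70, 0x20, 0x76, 0x68])
# (xortb index, byte the CMP expects, key index XORed into that slot)
CHECKS = [(1, 0x61, 1), (3, 0x79, 3), (4, 0x32, 0), (6, 0x30, 2)]
ALPHABET = range(0x41, 0x5B)  # 'A'..'Z', the range the bruteforcer draws from


def transform(key: bytes) -> bytearray:
    """Replay the eight XOR steps of the ripped routine on a fresh copy of xormv."""
    buf = bytearray(XORMV)
    buf[0] ^= key[0]
    buf[2] ^= key[2]
    buf[4] ^= key[0]
    buf[3] ^= key[3]
    buf[5] ^= key[1]
    buf[1] ^= key[1]
    buf[6] ^= key[2]
    buf[7] ^= key[3]
    return buf


def check(key: bytes) -> bool:
    """The four CMP/JNZ tests; True means the bruteforcer would stop on this key."""
    buf = transform(key)
    return all(buf[i] == want for i, want, _ in CHECKS)


def brute_force() -> Optional[bytes]:
    """Same search as the posted code, but exhaustive over A-Z^4 instead of random draws."""
    for combo in product(ALPHABET, repeat=4):
        key = bytes(combo)
        if check(key):
            return key
    return None


def solve_directly() -> bytes:
    """Each compared byte is xormv[i] ^ key[j] for exactly one j, so invert each one."""
    key = bytearray(4)
    for i, want, j in CHECKS:
        key[j] = XORMV[i] ^ want
    return bytes(key)


if __name__ == "__main__":
    direct = solve_directly()
    print("direct:", direct, "brute:", brute_force())
    print("buffer after transform:", bytes(transform(direct)))
```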