amends

  1. forensic

    The rootkit's output is the list of scancodes produced while a user types on the keyboard. Using a scancode table (e.g., a published scancode reference, or the output of the dumpkeys(1) command), it is possible to reconstruct the keys that were typed.

    Note that each keystroke produces two scancodes: one for the key press and one for the key release. The scancode for a key release is simply the scancode for the key press plus 0x80.

    The decoded output is the URL of an audio file containing Richard Stallman's rendition of the Free Software Song.
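
    The decoding described above, as an added example (not part of the original write-up): a scan code set 1 decoder that drops release codes, tracks the Shift keys, and turns a constructed make/break stream into text. The scancode table is a partial hand-typed excerpt and the sample stream is constructed here, not taken from the challenge output.

```python
# Added example (not part of the original write-up): decode a stream of
# PC keyboard (scan code set 1) codes into text.  A key release is the
# press code + 0x80, so releases are used only to track the Shift keys.
# The table is a partial excerpt; the sample stream is constructed.

SCANCODES = {  # make code -> (unshifted, shifted)
    0x02: ("1", "!"), 0x03: ("2", "@"), 0x04: ("3", "#"), 0x05: ("4", "$"),
    0x06: ("5", "%"), 0x07: ("6", "^"), 0x08: ("7", "&"), 0x09: ("8", "*"),
    0x0A: ("9", "("), 0x0B: ("0", ")"), 0x0C: ("-", "_"), 0x0D: ("=", "+"),
    0x10: ("q", "Q"), 0x11: ("w", "W"), 0x12: ("e", "E"), 0x13: ("r", "R"),
    0x14: ("t", "T"), 0x15: ("y", "Y"), 0x16: ("u", "U"), 0x17: ("i", "I"),
    0x18: ("o", "O"), 0x19: ("p", "P"), 0x1E: ("a", "A"), 0x1F: ("s", "S"),
    0x20: ("d", "D"), 0x21: ("f", "F"), 0x22: ("g", "G"), 0x23: ("h", "H"),
    0x24: ("j", "J"), 0x25: ("k", "K"), 0x26: ("l", "L"), 0x27: (";", ":"),
    0x2C: ("z", "Z"), 0x2D: ("x", "X"), 0x2E: ("c", "C"), 0x2F: ("v", "V"),
    0x30: ("b", "B"), 0x31: ("n", "N"), 0x32: ("m", "M"), 0x33: (",", "<"),
    0x34: (".", ">"), 0x35: ("/", "?"), 0x39: (" ", " "), 0x1C: ("\n", "\n"),
}
SHIFT_KEYS = {0x2A, 0x36}   # left and right Shift make codes
RELEASE = 0x80              # release code = make code + 0x80

def decode_scancodes(codes):
    """Return the typed text for a sequence of raw scancodes (make + break)."""
    shift = False
    out = []
    for code in codes:
        released = bool(code & RELEASE)
        key = code & 0x7F             # strip the release bit -> make code
        if key in SHIFT_KEYS:
            shift = not released      # Shift is held between its make and break
            continue
        if released or key not in SCANCODES:
            continue                  # ignore releases and unmapped keys
        out.append(SCANCODES[key][1 if shift else 0])
    return "".join(out)

def press(code):
    """Make + break pair for a single keystroke."""
    return [code, code | RELEASE]

# Constructed sample: the user types "http://x.org" followed by Enter.
SAMPLE = (press(0x23) + press(0x14) + press(0x14) + press(0x19)
          + [0x2A] + press(0x27) + [0x2A | RELEASE]      # Shift + ';' -> ':'
          + press(0x35) + press(0x35) + press(0x2D) + press(0x34)
          + press(0x18) + press(0x13) + press(0x22) + press(0x1C))
```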

  2. trivia

    Searching (e.g., with Google) for the strings contained in the message reveals that they are numbers in the Klingon language. Decoding the message yields an IP address, and a reverse lookup on that address shows that it corresponds to the canonical name www.sony.com.

  3. reveng

    The file is an obfuscated PHP program that prints a secret message if provided with the correct value of the "key" parameter.

    The actual code of the program is encrypted (XORed with a random key) and the result is assigned to a variable.

    When the program runs, the code is decrypted and then executed through an eval statement.

    By manually analyzing the code, it is possible to add an echo of the decrypted code just before it is evaluated. The resulting code contains the following function:

    function check_drm_key($payload){
      // compares the user-supplied "key" parameter with the hard-coded value
      if ($_GET["key"] == 5799012) {
        echo "I just had a little deja vu";
      } else {
        echo "Wrong Parameter";
      }
    }

copyright

  1. forensic

    The capture contains MySQL traffic. Analyzing it with a network analyzer (e.g., Wireshark) shows that three queries are performed on the database, the last of which answers the question of the challenge.

    The correct answer is "Tony Montana".

  2. reveng

    The program is a Java implementation of PacMan. The user had to analyze the code and identify that the applet takes a parameter that determines the initial level. By setting <param name="initlevel" value="8"> one could jump directly to level 8 and see the decrypted string: Why didn't I take the yellow pill?!?

  3. crypto

    The provided image contains the text of "What is a Hacker" by Eric Raymond, with each letter substituted by a rectangular tile. So, first one needs to crop the image and extract each letter picture.

    A frequency analysis, using the letter frequencies extracted from the Canterbury Bible, yields the spaces and the letter 'E'. The rest can be done manually (first looking for "the", then "a", then "is", ...).

    Solution: crackers

petition

  1. trivia

    The character is Kevin Mitnick (from the movie Trackdown)

  2. reveng

    The user had to analyze the source of the Java program and identify that the buttons had two shortcut keys. Pressing Alt-L and Alt-E produces the required string.

    String: There is no spoon

  3. forensic

    Comparing the given file with the database file of a freshly installed copy of trac, and with a reference for the SQLite file format, shows that the file magic string and part of the database index have been corrupted. It is possible to restore the database file by overwriting the first 0x90 bytes of the corrupted file with the corresponding data extracted from the new database file. It is then sufficient to copy the recovered database file into an installed trac system to access the "Timeline" page, which lists the latest changes made on the site.

    Solution: ticketPageg0df4th3rg00df3lla5anonymous

shakedown

  1. forensic

    Mount the filesystem image using the loop option of the mount command. Locate the .gnupg directory and list the secret keys with their fingerprints using the following command:

     gpg --homedir ~abruzzi/.gnupg --list-secret-keys --fingerprint
    

    Solution: 18FC50EA8DD1E98C8E6F63FF042761D15D94FE75

  2. trivia

    This is from the book Snow Crash. The main character works for a pizza delivery company owned by the Mafia.
    The name is "CosaNostra Pizza".

  3. reveng

    The application is a stripped binary. Running it shows that it needs one argument (the name of a regular file) and that the decryption routine is not actually implemented.

    Running strings reveals the interesting string "Key successfully built in memory". A possible solution, then, is to reverse engineer the binary to identify where the key is stored, and run the program under a debugger (e.g., gdb) to extract the key value dynamically.

    Static analysis of the binary shows that, at 0x804874f, a local variable is set to the return value of a function call made just before the key string is used. The variable is then passed to the function (at 0x80485f0) that complains about decryption not being implemented. The key is likely stored in this variable.

    Running the program under a debugger requires disabling some anti-debugging mechanisms. At 0x80483a3, the program calls ptrace with the PTRACE_TRACEME argument, so that a debugger cannot ptrace it. This call can be patched away (e.g., with NOPs). The program, however, periodically runs a CRC check to verify the integrity of its code and exits with an error if the code has been modified. By tracing the program, it is easy to identify the function that verifies the CRC (called at 0x804835b) and patch it to disable this check.

    Solution: 0x10000000

snitch

  1. reveng

    First of all, we have to find which function contains the requested variable.

    Python's reflection can tell us the answer (note that co_varnames is a tuple, not a method, so it must not be called):

    >>> import module
    >>> module.func_xx.func_code.co_varnames
    ('tmp', '_[1]', 'result', 'x')

    The rest can be done with the Python debugger: step through the function and print result after each step until it takes its final value.

    >>> import pdb
    >>> pdb.run('module.func_xx()')
    (Pdb) step
    (Pdb) print result
    (Pdb) step
    (Pdb) print result
        ....
    (Pdb) step
    (Pdb) print result

    Result: 27

  2. trivia

    The guy in the picture is the author of Blaster: Jeffrey Lee Parson. As a hint, one of the picture's metadata fields was the comment "Have a blast!".

  3. crypto

    This question is inspired by a problem of the International Olympiad in Informatics: http://olympiads.win.tue.nl/ioi/ioi2001/contest/day2/double/

    Actually, the library and the header files have been taken almost verbatim; the small modifications were meant only to prevent contestants from finding the original problem (and thus the solution) on the web by googling the header file.

    The problem can be solved using a meet-in-the-middle attack. There are 7864320 ((16 choose 2) * 256^2) possibly valid keys for each of the two keys k1 and k2. A naive brute-force attack would test, for each possible key k1, all the possible keys k2, leading to 7864320 * 7864320 tests in the worst case: way too many for the limited time frame.

    Using the meet-in-the-middle attack, one can store in a hash table all the possible ciphertexts (obtained by applying all the possible 7864320 keys to the given cleartext) and then look up in the table the outcome of *deciphering* the given double-ciphered text with each of the possible keys. This requires in the worst case 15728640 operations (less than half a minute of computation on an average machine).

    Solution: 0000000000000000000000000000000100000000FF0000000000000000FF0000
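
    The meet-in-the-middle attack described above, as an added example (not the challenge's own cipher library): the toy 32-bit cipher and the scaled-down key space are assumptions, but the key space keeps the write-up's shape (exactly two key positions may be non-zero), here with 4 positions and 64 values per position, i.e. C(4,2) * 64^2 = 24576 keys per half instead of 7864320.

```python
# Added example (not the challenge's own cipher library): meet-in-the-middle
# against a double encryption E_k2(E_k1(p)).  The toy cipher and the
# scaled-down key space are assumptions; the key space keeps the write-up's
# shape (two chosen positions hold any value, the rest are zero).
import itertools

MASK, DELTA = 0xFFFFFFFF, 0x9E3779B9
POSITIONS, VALUES = 4, 64

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def encrypt(block, key):
    """Toy cipher: one xor/add/rotate round per key byte, easily invertible."""
    for i, k in enumerate(key):
        block = rotl(((block ^ (k << (8 * i))) + DELTA) & MASK, 5)
    return block

def decrypt(block, key):
    for i, k in reversed(list(enumerate(key))):
        block = rotl(block, 27)                   # undo rotl(.., 5)
        block = ((block - DELTA) & MASK) ^ (k << (8 * i))
    return block

def all_keys():
    """Every key whose non-zero bytes lie in two chosen positions."""
    for p, q in itertools.combinations(range(POSITIONS), 2):
        for a, b in itertools.product(range(VALUES), repeat=2):
            key = [0] * POSITIONS
            key[p], key[q] = a, b
            yield tuple(key)

def meet_in_the_middle(plain, double_cipher):
    """Return the set of (k1, k2) with encrypt(encrypt(plain, k1), k2) == ct.
    Cost is two passes over the key space instead of their product."""
    middle = {}
    for k1 in all_keys():                         # forward half, kept in a table
        middle.setdefault(encrypt(plain, k1), []).append(k1)
    found = set()
    for k2 in all_keys():                         # backward half, table lookups
        for k1 in middle.get(decrypt(double_cipher, k2), []):
            found.add((k1, k2))
    return found

# Constructed sample: a plaintext block and two planted keys.
PLAIN = 0x41424344
K1, K2 = (0, 0, 0, 1), (0, 63, 0, 63)
DOUBLE = encrypt(encrypt(PLAIN, K1), K2)
```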

teraphy

  1. trivia

    The user had to carefully watch what was typed.

    Password: Hack the planet

  2. reveng

    The self binary contains an MP3 file that can be accessed only by providing the right PIN, which is 97576.

    The PIN can be easily obtained by reverse-engineering the binary.

    Solution: Russian Bear

  3. forensic

    The file is a network dump of a guy chatting alone on an IRC channel.

    Looking at the outgoing packets with Wireshark, you can notice two weird things. First, the checksums are wrong (we did not do that on purpose, but it has been a very successful disguise :P). Second, the first byte of the TCP window size was constant while the second was different in every packet. And in fact, extracting those bytes you obtain the following message:

    This is an incredible side channel
    The secret information is: 1000AABF
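
    The extraction described above, as an added example (not part of the original write-up): a minimal Ethernet/IPv4/TCP header parser that collects the window field of one host's outgoing packets, reports whether the high byte stays constant (the tell-tale of this channel) and recovers the message from the low bytes. The frames are constructed here; on a real capture the same function would be fed the raw frames read from the pcap.

```python
# Added example (not from the original write-up): pull a covert message out
# of the low byte of the TCP window field of one host's outgoing packets.
# build_frame() constructs minimal test frames; the IPs, ports and the
# message "demo" are made-up sample values.
import struct

def build_frame(src_ip, dst_ip, window):
    """Constructed test frame: Ethernet + IPv4 (no options) + TCP, no payload."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, 6667, 0, 0, 5 << 4, 0x18, window, 0, 0)
    return eth + ip + tcp

def tcp_window(frame):
    """Return (src_ip, window) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00":          # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4             # IP header length in bytes
    if frame[14 + 9] != 6:                   # IP protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[14 + 12:14 + 16])
    tcp = 14 + ihl                           # TCP window sits at offset 14
    return src, struct.unpack("!H", frame[tcp + 14:tcp + 16])[0]

def extract_channel(frames, sender_ip):
    """Collect the window values of sender_ip's packets.  Returns the set of
    high bytes seen (a single value means the field is not a real window)
    and the low bytes concatenated as the hidden message."""
    windows = []
    for f in frames:
        parsed = tcp_window(f)
        if parsed and parsed[0] == sender_ip:
            windows.append(parsed[1])
    high_bytes = {w >> 8 for w in windows}
    message = bytes(w & 0xFF for w in windows)
    return high_bytes, message

# Constructed sample: the sender keeps 0x40 in the high byte and leaks one
# message byte per packet; the peer's replies carry a normal-looking window.
SENDER, PEER = "10.0.0.2", "192.0.2.10"
SAMPLE_FRAMES = [build_frame(SENDER, PEER, (0x40 << 8) | b) for b in b"demo"]
SAMPLE_FRAMES += [build_frame(PEER, SENDER, 0xFFFF)]
```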
    

wouldyou

  1. trivia

    The video "Would you steal" on the MAFIA web page was modified to add a scene with the writing "Fredrick is stealing votes".

  2. reveng

    This is a command line program that accepts a password as its first parameter and uses it to decrypt an internal message.

    By reverse engineering the binary one can see that, before using the key to decrypt the message, the program runs a number of tests on the key.

    In particular:

    • It checks that the key is 7 characters long
    • It checks that the ASCII code of each character is between 115 and 125
    • It checks that the ASCII code of the third character is one plus the ASCII code of the second character
    • It checks that the ASCII code of the second character is one plus the ASCII code of the first character
    • It checks that the key is a palindrome

    If one of the checks fails, the program terminates.

    It is easy to find the set of keys that satisfy the previous constraints (99 keys) and try them all. Using the right key gets the program to print the string: ILLEGAL
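
    The constraint solving described above, as an added example (not part of the original write-up): the five checks re-implemented in Python, together with an enumerator that derives the surviving keys analytically and confirms the count of 99.

```python
# Added example (not from the original write-up): re-implement the five key
# checks described above and enumerate the keys that satisfy them.  The
# constraints fix every character except the first and the middle one,
# which is why only 99 keys survive out of 11**7 strings over the alphabet.
LOW, HIGH, LENGTH = 115, 125, 7          # ASCII 's'..'}', key length 7

def passes_checks(key):
    """The five checks as the binary applies them (any failure rejects the key)."""
    codes = [ord(c) for c in key]
    return (len(codes) == LENGTH
            and all(LOW <= c <= HIGH for c in codes)
            and codes[2] == codes[1] + 1
            and codes[1] == codes[0] + 1
            and codes == codes[::-1])

def candidate_keys():
    """Enumerate keys analytically: pick the first character (the next two
    are its successors) and the free middle character; the palindrome rule
    then fixes the last three."""
    keys = []
    for first in range(LOW, HIGH - 1):           # first + 2 must still be <= HIGH
        for middle in range(LOW, HIGH + 1):
            codes = [first, first + 1, first + 2, middle,
                     first + 2, first + 1, first]
            keys.append("".join(map(chr, codes)))
    return keys
```

    Each candidate can then be fed to the program in turn; the loop stays tiny because the checks, not a brute force over the alphabet, generate the 99 keys.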

  3. reveng

    The drmcp binary copies a file only if an authorization file is present that contains an encrypted value: the XOR of the source and destination file with an added integer. This was easily obtained by reverse-engineering the drmcp binary.

    Answer: 04 0F 1F