Log in

View Full Version : "brand-new-ways-crypted" crackme for new year!

evaluator
December 31st, 2004, 03:56
just coded hot puzzle for our MB
find "brand-new-ways-crypted" message!
dELTA
January 1st, 2005, 18:29
Nice to see you around here again Eval, thanks for the puzzle.
JMI
January 1st, 2005, 20:09
Careful. I welcomed him back and got a very "cryptic" reply.

Regards,
Kayaker
January 1st, 2005, 22:14
Hi Eval,

As usual your code excursions are interesting. Also minimal and cryptic in and of themselves

Is your message THE code, or is there a message IN the code?

I see an interesting MISuse of a privileged instruction, a little trick a protector could play for a quick exit. Is there a further message?

Cheers,
Kayaker
Neitsa
January 2nd, 2005, 21:53
Hello,

Nice riddle but I'm a little bit lost...

I've tried various things (like "xoring" between 0x402005 to 0x402018 with different values) but none seems to works...No readable string or executable code seems to appear.

Some strange things :

1) The use of "HLT" in a ring3 process must call the SEH handler, so we go directly to Pop the handler+ExitProcess...

2) Why there's so much INT3 opcodes ? so why the Entry point is not at the base of the code section ? and BTW, the VirtualSize (and SizeOfRawData) are trully big for just some lines of code...

Nothing important in the PE header, and the import table is ok with just one import...

Well... I'm stuck

Any advices or clues ?

Regards, Neitsa.
Woodmann
January 2nd, 2005, 23:45
Hmmmmmmmmmmmm.........

I have spent a few hours on this and I am also wondering the same things.
A big pile of int3's. I thought they were there to put "us" lost in an infinite loop/ kill debugger. Perhaps even a stack crasher but I could not find anything to indicate a stack crash. (I could have missed it :P )
The HLT is a bit strange.

Perhaps we are mis-interpeting the name of this challenge.

Woodmann
Tola
January 2nd, 2005, 23:46
happy new year to you, too, evaluator
Kayaker
January 3rd, 2005, 00:02
Nice one Tola
You speak Evabulator I see
klier
January 3rd, 2005, 09:41
shit how could i have missed that.
nice puzzle evaluator.
Regards,
evaluator
January 3rd, 2005, 11:55
ok, open for public you findungs, Kayk & Tola..
Neitsa
January 3rd, 2005, 12:50
Ok, I'm must be blind, dumb or something like that...

I haven't got it .... Waiting for the light to come

I'm still searching...
Tola
January 3rd, 2005, 12:56
Code:
hlt

and     eax, 79h

push    5

pop     ecx

inc     eax

...

Neitsa
January 3rd, 2005, 13:01


Damn ! It reminds me +Mala's riddles, where searching too far for things that are...just here under your nose...

That was fun.

Regards, Neitsa.
Woodmann
January 3rd, 2005, 16:56


Woodmann
dELTA
January 4th, 2005, 07:30
My IDA Pro fails to decode the instructions in the middle of the message, I only get this:
Code:
 

.text:00402005                 hlt

.text:00402006                 and     eax, 79h

.text:00402009                 push    5

.text:0040200B                 pop     ecx

.text:0040200C                 inc     eax

.text:0040200D                 neg     eax

.text:0040200D ; -----------------------------------------

.text:0040200F                 dd 419B0B0Fh, 0D083770Fh

.text:00402017 ; -----------------------------------------

.text:00402017                 and     ebx, eax

.text:00402019                 retn
Any idea why anyone? The processor is set to metapc, so it should recognize any x86 instructions, right? Which instructions is it that it's unable to decode?
Neitsa
January 4th, 2005, 08:47
Hello,

This is due to the UD2 opcode (0x0F0B : Undefined opcode wich cause an invalid opcode exception).

noping those bytes and IDA can decode it:

Code:


.text:00402005 000                 hlt

.text:00402006 000                 and     eax, 79h

.text:00402009 000                 push    5

.text:0040200B 004                 pop     ecx

.text:0040200C 000                 inc     eax

.text:0040200D 000                 neg     eax

.text:0040200F 000                 nop

.text:00402010 000                 nop

.text:00402011 000                 wait

.text:00402012 000                 inc     ecx

.text:00402013 000                 emms

.text:00402015 000                 adc     eax, 21h

.text:00402018 000                 retn


This is strange that IDA Pro cannot decode this opcode since it is documented in the Intel manuals...

Maybe it is possible to "teach" to IDA what is this instruction but I don't know how to do it...

Regards, Neitsa.
blabberer
January 4th, 2005, 10:46
ollydbg decodes thus

Quote:

00402005 HLT
00402006 AND EAX, 79
00402009 PUSH 5
0040200B POP ECX
0040200C INC EAX
0040200D NEG EAX
0040200F UD2
00402011 WAIT
00402012 INC ECX
00402013 EMMS
00402015 ADC EAX, 21
00402018 RETN
00402019 RETN
evaluator
January 5th, 2005, 04:05
"I love you (
"You love NY )

little fun poetry by me. good?