
"brand-new-ways-crypted" crackme for new year!


evaluator
December 31st, 2004, 03:56
just coded hot puzzle for our MB
find "brand-new-ways-crypted" message!

dELTA
January 1st, 2005, 18:29
Nice to see you around here again Eval, thanks for the puzzle.

JMI
January 1st, 2005, 20:09
Careful. I welcomed him back and got a very "cryptic" reply.

Regards,

Kayaker
January 1st, 2005, 22:14
Hi Eval,

As usual your code excursions are interesting. Also minimal and cryptic in and of themselves

Is your message THE code, or is there a message IN the code?

I see an interesting MISuse of a privileged instruction, a little trick a protector could play for a quick exit. Is there a further message?

Cheers,
Kayaker

Neitsa
January 2nd, 2005, 21:53
Hello,

Nice riddle but I'm a little bit lost...

I've tried various things (like "xoring" between 0x402005 to 0x402018 with different values) but none seems to work... No readable string or executable code seems to appear.

Some strange things :

1) The use of "HLT" in a ring3 process must call the SEH handler, so we go directly to pop the handler + ExitProcess...

2) Why are there so many INT3 opcodes? And why is the entry point not at the base of the code section? BTW, the VirtualSize (and SizeOfRawData) are truly big for just some lines of code...

Nothing important in the PE header, and the import table is ok with just one import...

Well... I'm stuck

Any advices or clues ?

Regards, Neitsa.

Woodmann
January 2nd, 2005, 23:45
Hmmmmmmmmmmmm.........

I have spent a few hours on this and I am also wondering the same things.
A big pile of int3's. I thought they were there to put "us" lost in an infinite loop/ kill debugger. Perhaps even a stack crasher but I could not find anything to indicate a stack crash. (I could have missed it :P )
The HLT is a bit strange.

Perhaps we are misinterpreting the name of this challenge.

Woodmann

Tola
January 2nd, 2005, 23:46
happy new year to you, too, evaluator

Kayaker
January 3rd, 2005, 00:02
Nice one Tola
You speak Evabulator I see

klier
January 3rd, 2005, 09:41
shit how could i have missed that.
nice puzzle evaluator.
Regards,

evaluator
January 3rd, 2005, 11:55
ok, open for public your findings, Kayk & Tola..

Neitsa
January 3rd, 2005, 12:50
Ok, I must be blind, dumb or something like that...

I haven't got it .... Waiting for the light to come

I'm still searching...

Tola
January 3rd, 2005, 12:56
Code:
hlt
and eax, 79h
push 5
pop ecx
inc eax
...


Neitsa
January 3rd, 2005, 13:01


Damn ! It reminds me +Mala's riddles, where searching too far for things that are...just here under your nose...

That was fun.

Regards, Neitsa.

Woodmann
January 3rd, 2005, 16:56


Woodmann

dELTA
January 4th, 2005, 07:30
My IDA Pro fails to decode the instructions in the middle of the message, I only get this:
Code:

.text:00402005 hlt
.text:00402006 and eax, 79h
.text:00402009 push 5
.text:0040200B pop ecx
.text:0040200C inc eax
.text:0040200D neg eax
.text:0040200D ; -----------------------------------------
.text:0040200F dd 419B0B0Fh, 0D083770Fh
.text:00402017 ; -----------------------------------------
.text:00402017 and ebx, eax
.text:00402019 retn

Any idea why, anyone? The processor is set to metapc, so it should recognize any x86 instructions, right? Which instructions is it unable to decode?

Neitsa
January 4th, 2005, 08:47
Hello,

This is due to the UD2 opcode (0x0F0B: undefined opcode, which causes an invalid opcode exception).

NOPing those bytes, IDA can decode it:

Code:

.text:00402005 000 hlt
.text:00402006 000 and eax, 79h
.text:00402009 000 push 5
.text:0040200B 004 pop ecx
.text:0040200C 000 inc eax
.text:0040200D 000 neg eax
.text:0040200F 000 nop
.text:00402010 000 nop
.text:00402011 000 wait
.text:00402012 000 inc ecx
.text:00402013 000 emms
.text:00402015 000 adc eax, 21h
.text:00402018 000 retn


It is strange that IDA Pro cannot decode this opcode since it is documented in the Intel manuals...

Maybe it is possible to "teach" IDA what this instruction is, but I don't know how to do it...

Regards, Neitsa.
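
The two listings above (dELTA's, where the bytes at 0x40200F become two data dwords, and Neitsa's, after NOPing UD2) can be reproduced with a toy table-driven decoder. The following is an added example written for this thread, not code from any poster or from IDA/OllyDbg: it covers only the opcodes that appear in the crackme, and the byte string is reconstructed from the listings (the dwords 419B0B0Fh and 0D083770Fh are the bytes 0F 0B 9B 41 and 0F 77 83 D0 in memory order). Keeping UD2 in a separate table lets you model a decoder that does not know 0F 0B: the byte turns into data and code only resumes afterwards. It is a linear sweep, so it resynchronises after one byte, whereas IDA stopped code flow at the undecodable byte and left both dwords as data.

```python
"""Toy linear-sweep decoder for the handful of x86-32 opcodes in the crackme.

Constructed for this thread: the byte string below is rebuilt from the
forum listings, it is not dumped from the original binary.
"""
from typing import Dict, List, Optional, Tuple

BASE = 0x402005
CODE = bytes.fromhex(
    "F4"        # hlt
    "83E079"    # and eax, 79h
    "6A05"      # push 5
    "59"        # pop ecx
    "40"        # inc eax
    "F7D8"      # neg eax
    "0F0B"      # ud2  (the bytes IDA left undecoded)
    "9B"        # wait
    "41"        # inc ecx
    "0F77"      # emms
    "83D021"    # adc eax, 21h
    "C3"        # retn
    "C3"        # retn
)

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SIMPLE = {0xF4: "hlt", 0x9B: "wait", 0xC3: "retn"}
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]  # 83 /digit ib
# Second byte of 0F-prefixed opcodes. UD2 (0F 0B) lives in a separate table so
# a decoder that does not know it can be modelled.
TWO_BYTE: Dict[int, str] = {0x77: "emms"}
TWO_BYTE_WITH_UD2: Dict[int, str] = {**TWO_BYTE, 0x0B: "ud2"}


def fmt_imm(imm: int) -> str:
    """IDA-style immediates: small values in decimal, larger ones as hex with 'h'."""
    return str(imm) if imm < 10 else f"{imm:X}h"


def decode_one(code: bytes, pos: int, two_byte: Dict[int, str]) -> Tuple[int, Optional[str]]:
    """Return (length, text) for the instruction at pos, or (0, None) if unknown."""
    op = code[pos]
    nxt = code[pos + 1] if pos + 1 < len(code) else None
    if op in SIMPLE:
        return 1, SIMPLE[op]
    if 0x40 <= op <= 0x47:                      # inc r32 (register encoded in opcode)
        return 1, f"inc {REG32[op - 0x40]}"
    if 0x58 <= op <= 0x5F:                      # pop r32
        return 1, f"pop {REG32[op - 0x58]}"
    if op == 0x6A and nxt is not None:          # push imm8
        return 2, f"push {fmt_imm(nxt)}"
    if nxt is not None:
        mod, reg, rm = nxt >> 6, (nxt >> 3) & 7, nxt & 7
        if op == 0x83 and mod == 3 and pos + 2 < len(code):   # group 1: op r32, imm8
            return 3, f"{GROUP1[reg]} {REG32[rm]}, {fmt_imm(code[pos + 2])}"
        if op == 0xF7 and mod == 3 and reg == 3:               # neg r32
            return 2, f"neg {REG32[rm]}"
        if op == 0x0F and nxt in two_byte:                     # two-byte opcode map
            return 2, two_byte[nxt]
    return 0, None


def disassemble(code: bytes, base: int, two_byte: Dict[int, str]) -> List[Tuple[int, str]]:
    """Linear sweep: an undecodable byte becomes 'db xx' and decoding resumes at the next byte."""
    out: List[Tuple[int, str]] = []
    pos = 0
    while pos < len(code):
        length, text = decode_one(code, pos, two_byte)
        if length == 0:
            length, text = 1, f"db {code[pos]:02X}h"
        out.append((base + pos, text))
        pos += length
    return out


if __name__ == "__main__":
    for label, table in (("with UD2 in the table", TWO_BYTE_WITH_UD2), ("without UD2", TWO_BYTE)):
        print(f"--- {label} ---")
        for addr, text in disassemble(CODE, BASE, table):
            print(f"{addr:08X} {text}")
```

Running it prints both listings: with UD2 in the table the output matches Neitsa's post with `ud2` at 0x40200F, and without it the bytes 0F and 0B at 0x40200F and 0x402010 come out as `db` lines before `wait` resumes at 0x402011.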

blabberer
January 4th, 2005, 10:46
ollydbg decodes thus

Quote:

00402005 HLT
00402006 AND EAX, 79
00402009 PUSH 5
0040200B POP ECX
0040200C INC EAX
0040200D NEG EAX
0040200F UD2
00402011 WAIT
00402012 INC ECX
00402013 EMMS
00402015 ADC EAX, 21
00402018 RETN
00402019 RETN

evaluator
January 5th, 2005, 04:05
"I love you (
"You love NY )

little fun poetry by me. good?