Joel Eriksson
Vulnerability researcher, exploit developer and reverse-engineer. Have spoken at BlackHat, DefCon and the RSA conference. CTF player. Puzzle solver (Cicada 3301, Boxen) / GCHQ Challenge Solution – Stage 3

The final stage of the GCHQ challenge was a small (5kB) x86 Windows/cygwin binary (available here). Analyzing it in IDA Pro, I could see that it expects a 24 byte license file with the following format:

"gchq"            : Static header
Password          : Eight character password, matching the DES-hash hqDTK7b8K2rvw (hq=salt)
Key from stage 1  : 32-bit value
Keys from stage 2 : Two 32-bit values

The above could be deduced from the following reverse-engineered code:

        if (license_buf[0] == 0x71686367) { /* 67 63 68 71 = "gchq" */
                hash = crypt((char *) &license_buf[1], "hqDTK7b8K2rvw");
                if (! strcmp(hash, "hqDTK7b8K2rvw"))
                        success = 1;
                printf("loading stage1 license key(s)...\n");
                keys[0] = license_buf[3];
                printf("loading stage2 license key(s)...\n");
                keys[1] = license_buf[4];
                keys[2] = license_buf[5];

If a valid license is found, it calls a function that requests the following URI from the specified host (which should obviously still be /hash/A/B/C/key.txt


  • A = 32-bit hex key from stage 1
  • B = 32-bit hex key #1 from stage 2
  • C = 32-bit hex key #2 from stage 2

Note that the hash itself is used, and not the password corresponding to the hash. Misdirection, again, in order to waste some time for those who didn’t bother to actually understand the code.

It’s now clear that we need two 32-bit values that somehow relates to stage 2, and the so called “firmware” array is a rather obvious choice. It consists of two 32-bit values, and it wasn’t used in the stage2 challenge itself. We also need one 32-bit value from stage 1. Remembering that the payload actually starts out with a “useless” jump over four bytes (e.g a 32-bit value) that are never used in any way, this is quite an obvious choice as well.

This gives us the following URL:

Which contains the following key:

When entering the correct keyword, we get this page:

“So you did it. Well done! Now this is where it gets interesting. Could you use your skills and ingenuity to combat terrorism and cyber threats? As one of our experts, you’ll help protect our nation’s security and the lives of thousands. Every day will bring new challenges, new solutions to find – and new ways to prove that you’re one of the best.”

Interestingly, the salary for the “Cyber Specialist” position at GCHQ is £25,446 for a GC10 (Executive Officer) and £31,152 for a GC9 (Higher Executive Officer). Comparing this with the salaries in the corporate world makes it quite clear why GCHQ has to try so hard to find competent people to recruit. After all, for people with skills there are lots of opportunities for interesting work with a much higher paycheck. For juniors with potential, but no real experience, it might be an interesting opportunity though. I’m sure that the work can be quite stimulating. :)