The final stage of the GCHQ challenge was a small (5kB) x86 Windows/cygwin binary (available here). Analyzing it in IDA Pro, I could see that it expects a 24 byte license file with the following format:
- "gchq" : Static header
- Password : Eight character password, matching the DES-hash hqDTK7b8K2rvw (hq=salt)
- Key from stage 1 : 32-bit value
- Keys from stage 2 : Two 32-bit values
The above could be deduced from the following reverse-engineered code:
```c
if (license_buf[0] == 0x71686367) {            /* 67 63 68 71 = "gchq" */
    /* crypt() reads the eight password bytes at offset 4; the stored hash doubles as the salt ("hq") */
    hash = crypt((char *) &license_buf[1], "hqDTK7b8K2rvw");
    if (! strcmp(hash, "hqDTK7b8K2rvw"))
        success = 1;
    printf("loading stage1 license key(s)...\n");
    keys[0] = license_buf[3];                  /* 32-bit key from stage 1 */
    printf("loading stage2 license key(s)...\n");
    keys[1] = license_buf[4];                  /* two 32-bit keys from stage 2 */
    keys[2] = license_buf[5];
}
```
If a valid license is found, it calls a function that requests the following URI from the specified host (which should obviously still be www.canyoucrackit.co.uk): /hash/A/B/C/key.txt
Where:
- A = 32-bit hex key from stage 1
- B = 32-bit hex key #1 from stage 2
- C = 32-bit hex key #2 from stage 2
Note that the hash itself is used, and not the password corresponding to the hash. Misdirection, again, in order to waste some time for those who didn’t bother to actually understand the code.
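As an added example (not the challenge binary's code nor the post author's), the following Python packs a license file in the 24-byte layout above, re-checks it the way the reverse-engineered routine does, and derives the key URL from the loaded values. The password bytes are a placeholder, since only the DES hash is given; the stdlib crypt module is used for the password check when it can be imported (it was removed in Python 3.13), otherwise that check is reported as unknown.

```python
"""Build and validate a 24-byte license blob for the GCHQ stage-3 binary.

Constructed example mirroring the reverse-engineered check; not the
challenge's own code.
"""
import struct

# Layout recovered from the binary: six little-endian 32-bit words.
LICENSE_FMT = "<I8sIII"        # header, 8-byte password, stage1 key, stage2 key #1, stage2 key #2
HEADER_MAGIC = 0x71686367      # bytes 67 63 68 71 == "gchq" read as a little-endian dword
DES_HASH = "hqDTK7b8K2rvw"     # traditional DES crypt(3) output, salt "hq"
HOST = "www.canyoucrackit.co.uk"

try:
    import crypt               # stdlib crypt(3) wrapper; deprecated in 3.11, removed in 3.13
    _crypt = crypt.crypt
except ImportError:
    _crypt = None


def build_license(password: bytes, stage1_key: int, stage2_keys: tuple[int, int]) -> bytes:
    """Pack the fields exactly as the binary expects to read them."""
    if len(password) != 8:
        raise ValueError("password field is exactly eight bytes")
    return struct.pack(LICENSE_FMT, HEADER_MAGIC, password, stage1_key, *stage2_keys)


def parse_license(blob: bytes, crypt_fn=_crypt) -> dict:
    """Replicate the binary's checks and return the fields it would load.

    password_ok is True/False when a crypt(3) implementation is available,
    and None when the password cannot be checked in this environment.
    """
    expected = struct.calcsize(LICENSE_FMT)
    if len(blob) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(blob)}")
    magic, pw, k1, k2, k3 = struct.unpack(LICENSE_FMT, blob)
    if magic != HEADER_MAGIC:
        raise ValueError("bad header: not 'gchq'")
    password_ok = None
    if crypt_fn is not None:
        # As in the binary, the stored hash is passed as the salt argument.
        password_ok = crypt_fn(pw.rstrip(b"\0").decode("ascii"), DES_HASH) == DES_HASH
    return {"password_ok": password_ok, "stage1_key": k1, "stage2_keys": (k2, k3)}


def key_url(stage1_key: int, stage2_keys: tuple[int, int], host: str = HOST) -> str:
    """The path carries the DES hash itself, not the password behind it."""
    b, c = stage2_keys
    return f"http://{host}/{DES_HASH}/{stage1_key:08x}/{b:08x}/{c:08x}/key.txt"


if __name__ == "__main__":
    # Key values from the write-up; the password is a placeholder.
    blob = build_license(b"PLACEHLD", 0xA3BFC2AF, (0xD2AB1F05, 0xDA13F110))
    fields = parse_license(blob)
    print(fields)
    print(key_url(fields["stage1_key"], fields["stage2_keys"]))
```

With the three key values from the write-up this yields the same key.txt URL given below; a mangled header or a blob of the wrong length is rejected before any key is loaded.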
It’s now clear that we need two 32-bit values that somehow relate to stage 2, and the so-called “firmware” array is a rather obvious choice. It consists of two 32-bit values, and it wasn’t used in the stage 2 challenge itself. We also need one 32-bit value from stage 1. Remembering that the payload actually starts out with a “useless” jump over four bytes (i.e. a 32-bit value) that are never used in any way, this is quite an obvious choice as well.
This gives us the following URL:
http://www.canyoucrackit.co.uk/hqDTK7b8K2rvw/a3bfc2af/d2ab1f05/da13f110/key.txt
Which contains the following key:
Pr0t3ct!on#cyber_security@12*12.2011+
When entering the correct keyword, we get this page:
http://www.canyoucrackit.co.uk/soyoudidit.asp
“So you did it. Well done! Now this is where it gets interesting. Could you use your skills and ingenuity to combat terrorism and cyber threats? As one of our experts, you’ll help protect our nation’s security and the lives of thousands. Every day will bring new challenges, new solutions to find – and new ways to prove that you’re one of the best.”
Interestingly, the salary for the “Cyber Specialist” position at GCHQ is £25,446 for a GC10 (Executive Officer) and £31,152 for a GC9 (Higher Executive Officer). Comparing this with the salaries in the corporate world makes it quite clear why GCHQ has to try so hard to find competent people to recruit. After all, for people with skills there are lots of opportunities for interesting work with a much higher paycheck. For juniors with potential, but no real experience, it might be an interesting opportunity though. I’m sure that the work can be quite stimulating. :)
Someone posted me the original img from the 3301 escapades and I had not seen it before so I thought I’d get a’cracking.. having poked around with a number of hacker challenges (gchq etc) I thought I had it in me but apparently I’m about 6 months late to the party.. anyway I saw all your work on your blog-post about it and I just wanted to say hi.. there are few like-minded people around my part of the globe interested in these sorts of activities.. I just wondered how you managed to form a whole group!??? I tried to set up an inter-university league for these sorts of “games” but there really weren’t enough people that knew enough to get the ball rolling. I tried at my uni to get a few people hooked on a simple game and they fell as soon as they realised a basic knowledge of EXIF data wouldn’t save them. anyway… great blog. and if you ever think there’s space on your team for another fella I’m HiBurn8 on skype.