I have not had too much time to work on this but I have run through the execution a few times and I have discovered a possible way to solve it.
1) It does not seem to have a point where the password I want will be in plain text sitting in memory. I was kinda expecting this but there was always a little bit of hope.
2) It also seems that there is a possibility to brute force it; it appears to be looking for a value to match a specific outcome.
Currently I might try to brute force it, but I am still looking at manipulating the code to try and reverse the value I need. It seems to be fairly simple.
After a lot of stepping through program execution I have finally reached the section where it’s getting ready to open the encrypted.enc file. If what I am thinking is correct, I should be able to let the application decrypt the contents of the file while I am stepping through and then I can retrieve it from memory.
This is some new territory for me; I have looked at more than a few applications in OllyDbg but this is the first that I have done that opens a file.
Level 7 is significantly different from the previous levels that we were able to breeze right through.
It is the same when launched but it uses an additional file included with the exe, encrypted.enc.
The previous methods we have been using were not successful on this sample. I am currently examining the sample and have made some progress identifying sections but I have not worked out what the enc file is used for.
At this point it may be worth fully understanding the function of the enc file, but currently I am working on following the execution and I should be able to locate the section where either my entered string is compared to the password (it will have to decrypt it at some point) or my string will be encrypted then compared (this might be more difficult).
Level 6 is very similar to level 5; if you were able to locate the password in 5, you can find it in 6.
I just stumbled on it as I was stepping through the execution, and I did not even stop to write down the step where I got it. As you are stepping through, watch the memory pane for strings; it will not decode, but I can make them out in the ASCII dump.
It will also be near the string that you entered.
After a deeper dive, it looks like the switch statements that I set breakpoints on get called with the longer password.
With a little more playing I have located the key CMP that needs to be looked at.
00401080 |. 837D E4 10 |CMP DWORD PTR SS:[EBP-1C],10
If you know your assembly or you are a good guesser, CMP is a compare operation; this is in the suspect loop that seems to be checking out my entered password. After going through the 16 characters that I entered, I stepped through the instructions until I got to this line and started digging. I wanted to know what was at EBP-1C.
While stopped here, if you go to the memory section and change the view to relative to EBP, you can walk up the stack and see what it’s referencing.
The switches may have presented another avenue, but even by entering 4 characters, the password is still stored in the same location.
Time for level 5.
When you run application 5 it displays a DOS box that prompts for a password.
If you look through the file we can see a couple other strings.
00401022 |. 68 30704000 PUSH app5win.00407030 ; ASCII "Please enter the password:"
004010C9 |. 68 4C704000 |PUSH app5win.0040704C ; ASCII "Invalid Password"
004010E0 |. 68 60704000 PUSH app5win.00407060 ; ASCII "The password is %s
We also have some calls and jumps around those; we should set some breakpoints on them to follow the execution.
Also, if you look further down the file you will see some switch statements; let’s put breakpoints on all of those too just to see what happens.
Alright, let’s resume the application and see what breakpoints we can hit. Let’s start by entering an 8-character password and see what happens.
With an 8-character password I can see it loop through what I am suspecting is some sort of loop. It seems to start at 00401054; it loops 8 times then quits. Let’s see what happens when you throw a longer password in there; let’s try 20. Now that’s something worth following: with a 20-character password it loops 16 times then quits. Now we are going to have to get dirty and slow; I am going to follow the execution down through the compares to see what it’s doing. This may not be the answer but we will learn more about it.
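The listing lines quoted in the level 5 and level 6 posts follow OllyDbg's text layout: address, analysis marks, opcode bytes, instruction, and an optional comment after ";". The script below is an added example, not code from the original posts, that pulls the ASCII string references and the CMP-against-immediate checks out of such lines so a whole export can be skimmed instead of scrolled. The sample listing is constructed from the four lines quoted above; the column heuristics (even-length hex runs are opcode bytes, a leading "|" marks a loop body, OllyDbg prints immediates in hex so the 10 in CMP DWORD PTR SS:[EBP-1C],10 is 16 decimal) are assumptions about the export format.

```python
"""Parse OllyDbg-style disassembly listing lines (added example, not from the post)."""
import re
from typing import Optional, List, Tuple, Dict

# Constructed sample listing: the three string pushes and the CMP quoted in the posts.
SAMPLE_LISTING = """\
00401022 |. 68 30704000 PUSH app5win.00407030 ; ASCII "Please enter the password:"
00401080 |. 837D E4 10 |CMP DWORD PTR SS:[EBP-1C],10
004010C9 |. 68 4C704000 |PUSH app5win.0040704C ; ASCII "Invalid Password"
004010E0 |. 68 60704000 PUSH app5win.00407060 ; ASCII "The password is %s
"""

HEX_TOKEN = re.compile(r"^[0-9A-F]+$")
ASCII_COMMENT = re.compile(r'ASCII\s+"(.*?)(?:"|$)')   # tolerate an unterminated quote


def parse_olly_line(line: str) -> Optional[dict]:
    """Split one listing line into its columns; return None for non-code lines."""
    body, _, comment = line.partition(";")
    tokens = body.split()
    if len(tokens) < 3 or not re.fullmatch(r"[0-9A-F]{8}", tokens[0]):
        return None
    opcode_bytes: List[str] = []
    i = 2  # tokens[1] holds OllyDbg's analysis marks, e.g. "|."
    # Assumed heuristic: opcode bytes are even-length hex runs ("837D" "E4" "10").
    # A hex-only mnemonic such as ADD or DEC is odd-length, so the scan stops there.
    while i < len(tokens) and HEX_TOKEN.match(tokens[i]) and len(tokens[i]) % 2 == 0:
        tok = tokens[i]
        opcode_bytes += [tok[j:j + 2] for j in range(0, len(tok), 2)]
        i += 1
    instruction = " ".join(tokens[i:]).lstrip("|")   # "|" marks a loop body in OllyDbg
    return {
        "address": tokens[0],
        "flags": tokens[1],
        "bytes": opcode_bytes,
        "instruction": instruction,
        "mnemonic": instruction.split(" ", 1)[0],
        "comment": comment.strip() or None,
    }


def string_ref(comment: Optional[str]) -> Optional[str]:
    """Return the ASCII string OllyDbg annotated in the comment, if any."""
    if not comment:
        return None
    m = ASCII_COMMENT.search(comment)
    return m.group(1) if m else None


def cmp_immediate(instruction: str) -> Optional[int]:
    """For CMP <operand>,<hex immediate> return the immediate as an int (10 -> 16)."""
    m = re.fullmatch(r"CMP\s+(.+?),\s*([0-9A-F]+)", instruction)
    return int(m.group(2), 16) if m else None


def summarize(listing: str) -> Dict[str, list]:
    """Collect (address, string) references and (address, instruction, value) CMPs."""
    strings: List[Tuple[str, str]] = []
    cmps: List[Tuple[str, str, int]] = []
    for raw in listing.splitlines():
        rec = parse_olly_line(raw)
        if rec is None:
            continue
        s = string_ref(rec["comment"])
        if s is not None:
            strings.append((rec["address"], s))
        imm = cmp_immediate(rec["instruction"])
        if imm is not None:
            cmps.append((rec["address"], rec["instruction"], imm))
    return {"strings": strings, "cmps": cmps}


if __name__ == "__main__":
    result = summarize(SAMPLE_LISTING)
    for addr, s in result["strings"]:
        print(f"{addr}: string {s!r}")
    for addr, instr, value in result["cmps"]:
        print(f"{addr}: {instr}  (immediate = {value} decimal)")
```

Running it against a full OllyDbg export (paste the listing in place of the sample) gives the same kind of shortlist the post built by hand: every string the program pushes, plus every compare against a constant, which is where length checks like the 16-character one tend to show up.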
I found this one really annoying, I spent a few hours going around the application and tracing what it was doing.
In a few instances I found the calls disabling the focus of the buttons and I was able to disable that part of the app using NOP’s but I was not able to click on the button. It would stay focused when I moused over, but I could not click the bugger.
After a bit more kicking around I started to look at some OllyDbg plugins; why reinvent the wheel?
I did find one that worked called windowjuggler, from there it should not take very long for you to solve this.
I just got a bit more free time and I wanted to come back to this site and work on a couple more of these challenges.
Level 3 is rated easy, along with 1 and 2. I was able to figure out levels 1 and 2 using static analysis of the exes but no such luck with 3. It took me much longer to configure my stuff than it did to get the password.
I don’t want to give anything away, but just poke at it and see what it does when you run it. Treat it like a malware specimen; the answer should come pretty quick.
Mr. Dotcom has tweeted that the rebuild of Megaupload is 90% completed (this was a few days ago).
I have not heard any news on the recovery of the previously lost information, but this is still good news to see them almost back in business. The latest news on the old data is that there is still no news; it appears they are at an impasse. The users are unable to match the US Gov physically and they are no match for their brains.
A Korean mirror has been serving a backdoored version of phpMyAdmin since at least the 22nd of September.
And for Metasploit.
It is a very clever backdoor, I am sure it took a lot of planning and execution to get it into the tree. It appears that only about four hundred copies were downloaded and the mirror is currently offline.
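A mirror that serves a tampered archive is caught by comparing what was downloaded against a checksum published by the project itself, over a channel the mirror does not control. The script below is an added example, not code from the original post or from the phpMyAdmin project: it parses a sha256sum-style manifest and reports, per file, whether the bytes match, mismatch, or are missing. The archive bytes and the manifest are constructed stand-ins, not real release data.

```python
"""Verify downloaded files against a project-published SHA-256 manifest
(added example, not from the post; sample data is constructed)."""
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison of the file's digest with the published one."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.strip().lower())


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse 'hex  filename' / 'hex *filename' lines as written by sha256sum."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")          # two-space text mode or " *" binary mode
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        sums[name] = digest.lower()
    return sums


def verify_files(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """Status per manifest entry: 'ok', 'mismatch' (bytes differ) or 'missing' (not downloaded)."""
    status: Dict[str, str] = {}
    for name, digest in manifest.items():
        if name not in files:
            status[name] = "missing"
        elif verify_download(files[name], digest):
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    return status


# Constructed stand-ins for a release archive and a mirror-modified copy of it.
GENUINE = b"release archive (constructed sample bytes)\n"
TAMPERED = GENUINE + b"<?php /* extra file a mirror should not add */ ?>\n"
ARCHIVE_NAME = "sample-release.zip"   # placeholder file name
# In practice the manifest is fetched from the project's own site, never from the mirror.
MANIFEST_TEXT = f"# constructed manifest\n{sha256_hex(GENUINE)} *{ARCHIVE_NAME}\n"


if __name__ == "__main__":
    manifest = parse_sha256sums(MANIFEST_TEXT)
    print("genuine :", verify_files({ARCHIVE_NAME: GENUINE}, manifest))
    print("tampered:", verify_files({ARCHIVE_NAME: TAMPERED}, manifest))
```

A checksum only helps when it comes from somewhere other than the download host; if the mirror serves both the archive and the sums file, an attacker who controls the mirror can rewrite both, which is why projects publish digests or signatures on their primary site.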