Panda Security Mediacenter

1st Panda Challenge solution & winners

First of all, let me thank you all for participating in this challenge. The solution is described below:

The binary was packed with UPX, and we changed a section name to .reloc to make it “uncomfortable” to work with in IDA. Renaming the section back to its original name (UPX0) overcomes this obstacle.

Then we have the unpacked PE file. When run, nothing happens unless you pass it a parameter; a basic analysis with a debugger will tell you that. You could try to brute-force the parameter, but there is a smarter way: the binary has a file attached as a resource, a JPEG file XORed with the single-byte mask 0xFF. The name of the file is Acrostic.JPG, and once decrypted, it shows the following text:

To solve
almost each
known challenge you could
easily find
a solution.
Look carefully
on each word,
on each sentence, because
knowledge is hidden.
At this time you'd probably
take into account that this is not
more than garbage or
encrypted text…

Taking a look at it, you will notice the hidden message:

[T]o solve
[a]lmost each
[k]nown challenge you could
[e]asily find
[a] solution.
[L]ook carefully
[o]n each word,
[o]n each sentence, because
[k]nowledge is hidden.
[A]t this time you'd probably
[t]ake into account that this is not
[m]ore than garbage or
[e]ncrypted text…

Once you take a look inside the file, the following message can be seen:

>>> USE easy_challenge as pwd!!!! (STAGE 1/2)<<<
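The resource-recovery step described above, as an added example that is not the challenge's own code: it finds a single-byte-XOR-masked JPEG inside a blob by searching for the masked magic bytes, then lists the printable strings in the decoded image. The sample resource, its COM segment and the note text are constructed for illustration.

```python
import re

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus first byte of the next marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR mask to every byte."""
    return bytes(b ^ key for b in data)


def find_masked_jpeg(blob: bytes):
    """Return (key, offset, jpeg_bytes) for a single-byte-XORed JPEG, or None.

    Known-plaintext search: for each key, look for the masked SOI magic
    followed later by the masked EOI marker.
    """
    for key in range(1, 256):            # key 0 would be a plain, unmasked JPEG
        soi, eoi = xor_bytes(JPEG_SOI, key), xor_bytes(JPEG_EOI, key)
        start = blob.find(soi)
        if start == -1:
            continue
        end = blob.find(eoi, start + len(soi))
        if end == -1:
            continue
        return key, start, xor_bytes(blob[start:end + len(eoi)], key)
    return None


def printable_strings(data: bytes, min_len: int = 8):
    """ASCII runs of at least min_len bytes, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Constructed sample (not the challenge file): SOI, one COM segment, EOI,
# masked with 0xFF and surrounded by padding as it might sit in a resource.
NOTE = b"constructed sample: hidden"
PLAIN_JPEG = (b"\xff\xd8" + b"\xff\xfe" + (len(NOTE) + 2).to_bytes(2, "big")
              + NOTE + b"\xff\xd9")
SAMPLE_RESOURCE = b"\xcc" * 8 + xor_bytes(PLAIN_JPEG, 0xFF) + b"\xcc" * 8

if __name__ == "__main__":
    key, offset, jpeg = find_masked_jpeg(SAMPLE_RESOURCE)
    print(f"key=0x{key:02X} offset={offset} size={len(jpeg)}")
    print(printable_strings(jpeg))
```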

Running the file with easy_challenge as the parameter, the following message box will appear:

Oric Atmos is the name of an ancient 8-bit microcomputer.

The name of the file is taken and the CRC32 of this name is calculated, giving a 32-bit value. With this value, a new hidden message is decoded. In this case the result is not shown on screen but saved in an internal variable (just to make things a little bit awkward). You have to pay attention to notice that the text is there (it is something you see straight away when analyzing the disassembled code).

And the final hidden message is:

Congratulations!!
You reached the end of this crackme. 
The secret message is "There is no place like 8 bit world!"
Panda Security AMR Team 2009

As you can see, it was not that hard, was it? In fact, we received more than 100 answers in the first hours, and in the end we received 44 correct answers. This is the winner of the Amazon Gift Card and the AV license, who sent the right answer in just 24 minutes:

Bbuc

And the winners of the AV license:

Kaspars Osis
Vyacheslav Rusakov
kokezaru
김지환 DB분석팀

Thank you all for participating. Tomorrow I will publish the second challenge, which I promise is going to be much harder 😉
