On October 29 we published our third CrackMe Challenge and announced two parallel tracks for the contest: "The fastest solve", and "The best write-up".
In the first category ("The fastest solve"), we already had three winners during the first weekend following publication. Big congratulations to:
Suvaditya Sur (@x0r19x91)
Yet, even those of you who are not as fast could still join in the fun and get a chance to win a prize in the second category. Submissions for the best writeup closed on November 12 (two weeks after the CrackMe publication). In this post we will summarize the writeups that we received, and announce the winner for the best writeup!
The submissions were treated as valid if they contained the following flag:
> flag{you_got_this_best_of_luck_in_reversing_and_beware_of_red_herrings}
We received them in the following order:
Congratulations to all the solvers!
Before we present you with the writeups, let's have a quick look at the task itself.
The CrackMe was composed of multiple components:
It is worth noting that each level of the CrackMe depends on the previous one, so the passwords have to be provided in the right order.
To make the analysis easier, and more approachable for beginners, the code (apart from the loader part) was not obfuscated. Some components were based on public code, or contained debug strings making it easier to follow.
In the first level, the user was supposed to input the password that would let the second stage get properly decoded and run as a new process. The second stage of the CrackMe was a PE, steganographically hidden in the image that was displayed in the GUI, and obfuscated by XOR with a static key. Since the beginning of a PE file is largely predictable, the key could be recovered with a known-plaintext attack.
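As an added illustration (not code from the challenge or from any of the submitted writeups), the following Python shows how such a known-plaintext attack recovers a repeating XOR key from a carved payload. The MS-DOS header and stub that the MSVC linker emits are constant across practically every PE, so XORing those offsets of the ciphertext with their expected bytes yields key bytes directly; the shortest key length that stays consistent across all known bytes is taken, and the result is checked by looking for the `MZ` and `PE\0\0` signatures. The payload is a constructed PE-like blob, not the real second stage, and the key value is an arbitrary assumption.

```python
import struct

# Constructed sample data (not taken from the challenge): the standard MSVC
# DOS stub message, which sits at offset 0x4E in a typical PE.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\r\n$"

# Bytes 0x00-0x1B of the DOS header as the MSVC linker emits them
# (e_cblp=0x90, e_cp=3, e_cparhdr=4, e_maxalloc=0xFFFF, e_sp=0xB8, e_lfarlc=0x40).
KNOWN_DOS_HEADER = bytes.fromhex(
    "4d5a900003000000" "04000000ffff0000"
    "b800000000000000" "40000000"
)


def build_sample_pe(e_lfanew=0x80):
    """Build a minimal PE-like blob with a realistic DOS header and stub."""
    hdr = bytearray(64)
    hdr[:len(KNOWN_DOS_HEADER)] = KNOWN_DOS_HEADER
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    # 14-byte DOS stub code followed by its message, as MSVC emits it at 0x40
    stub = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + DOS_STUB_TEXT
    image = bytes(hdr) + stub
    image += b"\x00" * (e_lfanew - len(image))          # padding up to the PE header
    image += b"PE\x00\x00" + struct.pack("<H", 0x014C)  # signature + i386 machine type
    image += bytes(range(256)) * 2                      # filler for the rest of the file
    return image


def xor_bytes(data, key):
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cipher, known, max_len=64):
    """Return the shortest repeating XOR key consistent with every known fragment,
    or None if no length up to max_len is both conflict-free and fully covered.
    `known` maps a file offset to the plaintext bytes expected at that offset."""
    for length in range(1, max_len + 1):
        key = [None] * length
        consistent = True
        for offset, plain in known.items():
            for i, p in enumerate(plain):
                pos = offset + i
                if pos >= len(cipher):
                    consistent = False
                    break
                k = cipher[pos] ^ p
                slot = pos % length
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:      # two known bytes disagree: wrong length
                    consistent = False
                    break
            if not consistent:
                break
        if consistent and all(k is not None for k in key):
            return bytes(key)
    return None


def looks_like_pe(data):
    """Sanity check on a decoded blob: MZ signature and PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def demo(key=b"red_herring!"):
    """Encrypt the sample with an assumed key, then recover it from known plaintext."""
    plain = build_sample_pe()
    cipher = xor_bytes(plain, key)   # stands in for the payload carved from the image
    known = {0x00: KNOWN_DOS_HEADER, 0x4E: DOS_STUB_TEXT}
    recovered = recover_key(cipher, known)
    decoded = xor_bytes(cipher, recovered) if recovered else b""
    return recovered, looks_like_pe(decoded), decoded == plain


if __name__ == "__main__":
    print(demo())
```

The search returns the shortest consistent period, so a key such as `ABAB` is reported as `AB`; the two are equivalent for decryption. If the known fragments do not cover every residue modulo the key length, no key is returned rather than a partial one, which is the moment to add more known plaintext (for example the section table or import names) rather than guess.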
The second password inserted by the user was sent over the pipe to the previously deployed server. The user was supposed to unpack the core of the server and analyze it. First, it was necessary to notice that the presence of certain analysis tools causes the CrackMe to exit. Then, the user needed to find out that the expected password is in reality the name of one of those analysis tools. The next step was finding a public list of suspected tools and cracking the password by a dictionary attack.
The correct password not only cleared the level, but also triggered the decryption of the hooking DLL that was injected into the server.
The third password inserted by the user was sent over the local TCP connection to the previously deployed server.
The user was supposed to notice that the hooking DLL alters the behavior of the verification function. With this information, the actual flow of the verification function could be reconstructed, which made it possible to crack the final password.
We received 6 writeups in total, from the following contestants:
As we mentioned in the contest opening:
> The write-up will be judged by its educational value, clarity, and accuracy. The author should show their method of solving the CrackMe, as well as provide the explanation of the techniques used in the challenge
Just like in the previous edition, in order to introduce some objective measures, several categories were used to assign points.
There are no wrong solutions if they lead to the goal. However, some approaches are faster and more elegant than others. We ranked solutions that were straight to the point and not over-engineered higher. If multiple solutions were presented in a single writeup, we appreciated it if the author stated which of them is the most optimal, and why.
The educational value of the writeup. Writers should have:
You could also get some bonus points for OSINT if you found:
All 6 solutions turned out to be of very high quality, so it was extremely hard to select winners. Even with the objective criteria we introduced for judging the writeups, all authors covered most of the points that we wanted to see described, and the margin between the scores was small. That's why we decided to reward all of them with Malwarebytes swag.
Additionally, we decided to distinguish the three most comprehensive solutions, which will be rewarded with the main prize (an IT-related book of the contestant's choice):
All the authors will be contacted soon!
Once again, thank you for participating, and hopefully we will see you again next year!
The post Malwarebytes CrackMe - contest summary appeared first on Malwarebytes Labs.