Slashdot Mirror


GCHQ Challenge Solution Explained

First time accepted submitter DrDevil writes "The British spy agency GCHQ recently published a puzzle at canyoucrackit.co.uk (as featured on Slashdot), now just a few days later an academic at the University of Greenwich in England has posted a full video explanation of the puzzle. The puzzle has three stages and is not at all simple — likely to challenge even the best computer science graduates."

27 of 107 comments

  1. Opaque by DarkIye · · Score: 3, Interesting

    I didn't give the challenge a serious go, but stage 1 just seems convoluted - why is it the mark of a good code cracker to recognise x86 bytecode?

    1. Re:Opaque by Robadob · · Score: 4, Funny

      Because terrorists are yet to discover x64

    2. Re:Opaque by bWareiWare.co.uk · · Score: 5, Insightful

      The ability to recognise codes is precisely what they were testing.
      If they had used a weak cryptography code everyone would have cracked it; if they had used a strong code no one could (at least no one who didn't already work for their competition).
      Utilizing an unexpected but extremely common code seems to be a nice solution.

    3. Re:Opaque by pushing-robot · · Score: 4, Informative

      Well, "DEADBEEF" is a bit of a giveaway.

      --
      How can I believe you when you tell me what I don't want to hear?
    4. Re:Opaque by marcansoft · · Score: 5, Informative

      Recognizing unknown architecture binaries is an important skill to have when reverse engineering, especially for embedded systems. Very often you'll get a firmware file and you have to figure out what it is. Each architecture has its peculiarities, so it doesn't take long to get a feeling for what their opcodes look like. For example, 32-bit ARM code sticks out like a sore thumb (no pun intended :) due to the condition code field, which means that every 32-bit word almost always starts with 0xEx (and whether that's the first or last byte in the word tells you the endianness). Variable length architectures like x86 look very different from RISC ISAs with a fixed instruction length like PowerPC.
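The architecture-spotting heuristic marcansoft describes (an ARM instruction word almost always carries the 0xE "always" condition code, and which end of the word that byte sits at reveals the endianness), together with the byte-swapped DEADBEEF giveaway mentioned by pushing-robot, as an added example in Python. This is not code from the thread or from any poster; the sample blobs are constructed, and the 0.75 threshold is an assumption chosen for illustration.

```python
"""
Added example (not from the Slashdot thread or any of its posters).

Heuristic to guess whether an unknown binary blob is 32-bit ARM code and in
which byte order, using the condition-code observation from the comment above:
under little-endian the 0xEx condition byte is the LAST byte of each aligned
word, under big-endian it is the FIRST.  Also searches for a known marker
constant (0xDEADBEEF by default) in both byte orders.  All sample inputs are
constructed for this example.
"""
import struct

ARM_COND_ALWAYS = 0xE  # high nibble of the ARM 'AL' (always) condition code

# Constructed sample: four real ARM-mode instructions, little-endian
#   mov r0, #0 ; push {lr} ; nop (mov r0, r0) ; bx lr
SAMPLE_ARM_LE = struct.pack("<4I", 0xE3A00000, 0xE52DE004, 0xE1A00000, 0xE12FFF1E)
SAMPLE_ARM_BE = struct.pack(">4I", 0xE3A00000, 0xE52DE004, 0xE1A00000, 0xE12FFF1E)
# Constructed sample: x86 bytes (push ebp; mov ebp,esp; sub esp,0x10; xor eax,eax;
# leave; ret; nop; nop) -- variable-length encoding, no ARM-like pattern
SAMPLE_X86 = b"\x55\x89\xe5\x83\xec\x10\x31\xc0\xc9\xc3\x90\x90"
# Constructed sample: padding, then DEADBEEF byte-swapped (as an x86 hex dump
# shows it), then DEADBEEF in big-endian order
SAMPLE_MARKER = b"\x00" * 4 + b"\xef\xbe\xad\xde" + b"\xde\xad\xbe\xef"


def arm_score(blob):
    """Return (fraction_le, fraction_be): share of aligned 32-bit words whose
    condition nibble is 0xE under each endianness assumption."""
    words = len(blob) // 4
    if words == 0:
        return 0.0, 0.0
    le_hits = be_hits = 0
    for i in range(0, words * 4, 4):
        w = blob[i:i + 4]
        if w[3] >> 4 == ARM_COND_ALWAYS:   # little-endian: cond byte is last
            le_hits += 1
        if w[0] >> 4 == ARM_COND_ALWAYS:   # big-endian: cond byte is first
            be_hits += 1
    return le_hits / words, be_hits / words


def guess_arch(blob, threshold=0.75):
    """Label a blob 'arm32-le', 'arm32-be' or 'unknown'.  The threshold is an
    assumption for this example; real code has a few non-0xE words (conditional
    branches), so demand a clear majority rather than 100%."""
    le, be = arm_score(blob)
    if le >= threshold and le > be:
        return "arm32-le"
    if be >= threshold and be > le:
        return "arm32-be"
    return "unknown"


def find_marker(blob, value=0xDEADBEEF):
    """Return sorted list of (offset, 'le'|'be') for every occurrence of the
    marker constant in either byte order."""
    hits = []
    for endian, fmt in (("le", "<I"), ("be", ">I")):
        needle = struct.pack(fmt, value)
        start = 0
        while True:
            idx = blob.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, endian))
            start = idx + 1
    return sorted(hits)


if __name__ == "__main__":
    for name, blob in (("arm-le", SAMPLE_ARM_LE), ("arm-be", SAMPLE_ARM_BE),
                       ("x86", SAMPLE_X86)):
        print(name, arm_score(blob), guess_arch(blob))
    print("markers:", find_marker(SAMPLE_MARKER))
```

The heuristic only covers ARM-mode (32-bit) instructions; Thumb code uses 16-bit halfwords without a condition field and will score as "unknown", which is the correct answer from this check alone. Note that a blob of mostly 0x00 or 0xFF padding can also skew the fractions, so in practice one runs the scorer over a window rather than a whole firmware image.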

    5. Re:Opaque by Lumpy · · Score: 3, Interesting

      Not really.
      You can make a simple cipher that is obfuscated in such a way that many people will not get it.

      Heck, a simple letter substitution cipher used on a dead language will pretty much cull the number of people trying to crack it by a significant amount. I completely fooled my CS instructor by doing just that. Aramaic phrase that had a simple letter substitution applied and a xor of a passphrase that was 1/10th the length of the cipher.

      Mine was un-cracked for a full semester with him, his undergrads and all the CS students cracking at it. Nowhere in the challenge did he say we HAD to use English as the content of the message.

      --
      Do not look at laser with remaining good eye.
    6. Re:Opaque by maroberts · · Score: 3, Interesting

      Let's assume for the sake of this discussion that you are a USian.
      As a result of political infighting you have heads of state that are reviled in a vitriolic manner by about half the population.

      Let's take a list of your heads of state:
      Nixon (out due to Watergate)
      Ford (ok, but reviled for Nixon pardon)
      Carter (amiable bloke, but seemed to let America go to sleep on his watch)
      Reagan (surprisingly effective, considering he was slowly losing his marbles)
      H.W.Bush (had the bad luck to say "No new taxes" when ambush advertising was getting going)
      Clinton (also effective, but American expectation of clean personal life when married to Hillary?? please)
      George Bush (endless disputes about chads)
      Obama (has the bad luck to be black, leading to morons disputing his legitimacy to be President)

      In the UK, Queen Lizzie enjoys the support of a large majority of the population, and most of the political shenanigans get directed, not at the Head of State, but at the (semi) elected Prime Minister, thus keeping the head of state out of most of the sh1t. I'd say the UK system works better in that regard.

      As for the tv cameras, I strongly suspect that most US shopping malls have the same coverage as our city centres, and your heavily robbed 7-11s probably have their own personal systems etc. Most states have surveillance of one sort or another; the only question is where and how much.

      And we've (nearly) all been British Citizens and not British Subjects since the Nationality Act 1981 (subject is used but is normally incorrect)

      --

      Donte Alistair Anderson Roberts - hi son!
      Karma: Chameleon

    7. Re:Opaque by xaxa · · Score: 4, Interesting

      It looked interesting, but I lost interest when I saw the salary -- slightly less than what I have already, working for a different bit of government. And GCHQ is in Cheltenham.

      But have you visited the UK? I live here, so it's what I'm used to, but when visiting a couple of cities in the US recently I felt more "watched" and regulated. There were many signs with lists of local laws, with violations incurring big fines. There were *more* public (government/city/whatever) CCTV cameras. (I don't know about private ones, in shops and so on -- they didn't catch my eye.) The government buildings were built like fortresses, and I had my ID scanned and bag x-rayed when visiting museums. When I tried to leave, a government employee handled my genitals.

      I don't want an argument about which country is better -- they both need improvements in this respect. But I'd like to know how you felt watched (or similar) when you visited the UK.

  2. Not a great challenge by marcansoft · · Score: 5, Interesting

    My opinion, as someone who has both solved and organized several challenges of this sort, is that the challenge is neither hard (at least by the standards of the ones I've dealt with) nor well designed. In fact, it kind of degenerates: it starts out OK but the ending is terrible.

    Stage 1 is interesting: it combines recognizing executable code (the first thing I thought when I stared at that hex dump is "this looks like x86 code", but being able to recognize binary architectures is a valuable skill) with some steganography (fishing out the rest of the required data from the PNG). Fair enough, and OK for a first round.

    Stage 2 starts out well: virtual machines are used for obfuscation and make fun challenges. However, the execution is backwards. Being given VM bytecode and a specification to implement a VM isn't a hacking or reverse engineering challenge; it's just work ("go implement this for me"). A much better challenge would be to be given either the spec or (preferably) code that implements it, and then have to reverse engineer the bytecode itself to solve the puzzle. That involves writing a custom disassembler, which is a much more interesting task.

    Stage 3 is a clusterfuck. It's just an executable that checks for a few constants in a file and then builds a URL out of the rest of it. There's a hash (old-school DES crypt() salted password) that the input has to match, but even though it's crackable using a dictionary, you don't even have to do that because the URL includes the hash (which is in the executable), not the plaintext! The rest of the URL isn't checked, and it's basically a guessing game where you have to fish out constants from previous levels. It's just a glorified way of saying "okay, now take a wild guess as to what numbers to stick in the URL". It's not realistic in the slightest.

    Anyone interested in a "better stage 2" might want to check out a level that I put together for the Hack-It competition at the 18th Euskal Encounter (2010). Your goal is to figure out the 64-bit input key that works (if you don't know what "works" means, compile and run the code and it should be obvious). The full set of challenges can be found here: 2010 2011 (unfortunately, the website / problem statements are in Spanish, but I'm sure you can work it out with a bit of copy/pasting into Google Translate - if there's enough interest I'll translate them to English).

    1. Re:Not a great challenge by b4dc0d3r · · Score: 3, Interesting

      Your experience has you quite biased towards these sorts of things. You only watched this video, I can tell, and didn't pay attention.

      In the disassembly for stage 3, the messages "loading stage x license key", when they clearly said you were on "stage 2 of 3", were good hints. The unused firmware bits were fairly obvious because they had the right size and served no other purpose, and the unused bytes from stage 1 were obvious after you get your mind on the "unused bits from each stage" track.

      And the VM part wasn't trivial. This guy did it in python, but it was intended to be done in javascript. The implementation doesn't really matter, but understanding the bit fiddling needed to implement it is a valuable skill. If you have the skills to disassemble, but not write anything more complicated than hello world, you're probably not useful to them. Not a difficult challenge, but one where you can easily make a mistake and grind your gears for hours. Remember the intent, to find viable candidates for cybersecurity who are interested in doing this sort of thing. Sometimes cyber security is boring but you do what's necessary to solve the problem.

      And they never advertised it as a hack-it contest or programming challenge, just a puzzle. So it didn't have to even be fun or entertaining to do - just something to solve. Note as well, they didn't ask for contact information or offer a resume upload - just "Please consider applying with us". So it doesn't even get you an interview.

      If you spent the time and are curious enough, you're probably someone they want. If not, you're probably not.

    2. Re:Not a great challenge by dnewt · · Score: 3, Insightful

      Unless you're intimately familiar with the tasks undertaken by GCHQ analysts such as the one this test is recruiting for, I think it's hard to say for sure whether the test was, in fact, good or bad. The thinking behind why some elements of the test were designed the way they were may not be immediately obvious. Having said that, I do wonder whether GCHQ would put their best minds to task working on devising a top rate recruitment puzzle. With the current international climate, combined with the current economic climate, I'd hazard a guess that their time is rather precious ;)

  3. Why crack it when you can bypass it? by TripleP · · Score: 4, Funny

    So if you can't crack it, but you can bypass the challenge, do you still win?

    http://www.canyoucrackit.co.uk/soyoudidit.asp

  4. I've been having a go... by shic · · Score: 3, Interesting

    I'm aware that the solution has been leaking out onto the net...

    Starting later than most, in spare time, I've trudged through stages One and Two... I've been playing with the stage-3 executable and have disassembled it... though there remains further tedious trudging for me to demonstrate by sensible sequential steps how to go about solving stage-3.

    I'm finding it difficult to convince myself that it's worth the effort... I'm sure I can fathom any remaining steps - based upon the fact that there has been little about stages one and two that was actually 'challenging'. It seems silly to plod onwards without 'cheating'.

    I was interested principally to try and find out what sort of skills GCHQ actually want... I never assumed I'd be (one of the) first to solve it. The experience has left me wondering what sort of job this sort of tomfoolery would suit one for. Sure, debugging and OS-level skills can be valuable - but the challenge is most time consuming as one is required to guess the objective - identifying the intentions of the challenge setter rather than to address real-world issues.

    1. Re:I've been having a go... by marcansoft · · Score: 2

      Stage 3 isn't worth the effort. It's very little hacking/reverse engineering and mostly silly guesswork with no sensible sequence of steps to get there. Spoiler ahead:

      The primary challenge is to guess what bits of stage 1 and stage 2 to stick into a URL (or a file which the exe then formats into a URL). You have to go back to stages 1 and 2 and fish out the most likely candidates for "3 32-bit numbers that do nothing and stick out like a sore thumb".

    2. Re:I've been having a go... by starofale · · Score: 2

      errrr.... what?

      I'd like to know where I could earn £120,000 as a starting salary when I graduate.

    3. Re:I've been having a go... by xaxa · · Score: 2

      What are the hours and stress like in that job though?

      Rhetorical, or not?

      A couple of my friends (well, more friends-of-friends) from my year went on to do that. That was when I stopped seeing them. "Let's meet for drinks after work in central London!" They rarely turned up before 10pm, and even then sometimes went back to work after an hour or two. Got to get their bonus, you see.

      One of my closer friends -- I lived with this guy for two years! -- is working for a hedge fund. £200k, I think, probably with a bonus. He was never particularly social, but in the last three years I've seen him about three times. Last time, he noticed I'd cycled straight from work and asked if I thought it was quicker than taking the metro. I said it was similar, but it was nice to avoid the crowds and kept me fit. He said "but the train's always pretty empty at 5:45am"...

    4. Re:I've been having a go... by xaxa · · Score: 2

      You might get £35k (basic) in IT in a bank in London, with anything up to 100% bonus. You get to help screw up the economy, too. Don't worry -- after 2-3 years you'll have lost your morals.

      Or similar money (and bonus) working in IT for a software company writing code for banks.

      I know someone who's making nearer (over?) £120k as a contractor for banks writing Android apps, but he spent a couple of years writing apps himself (earning a decent amount selling them) before he had the reputation to do that.

    5. Re:I've been having a go... by MattBecker82 · · Score: 3, Informative

      Err ... no. There simply aren't quant jobs with grad starting salaries of that level, certainly not in London, and I would highly doubt you'd find that level in NY either. Salaries actually went up (and bonuses down in relative terms) after '08-09, but there's still no way you'll get a six-figure (GBP) base for a grad starting position.

      Also, timing is pretty bad if you want to land a quant role right now. Front-office hiring patterns tend to be very cyclical and right now they're in a downswing with most banks downsizing their quant teams and only a few hiring. Those that are hiring will much prefer experienced candidates over fresh grads, and competition among grads is fierce at the best of times.

      If you really want to go for it, be aware that most houses won't look at you unless you have at least a Masters or equivalent in finance and/or a Doctorate in a strongly numerate hard-science subject. You need demonstrable skills in maths (linear algebra, PDEs, probability theory), quant finance theory and software development. Language-wise, C++ is a must-have, knowing R is also good. "Sure I can program: I did some MATLAB as part of my masters" is not looked upon well. Interviews are tough and mostly fair: a mix of technical (maths, finance, programming) and problem-solving, with some interviewers unfortunately throwing in the odd "what-am-I-thinking" type question. Oh, and if the interviewer asks you to explain your doctoral thesis, it's not because they care about the subject: they are testing your skill at communicating complex subject matter succinctly.

      Disclaimer: I was a quant in a tier-one European bank for over 6 years, including recruiting experienced hires and grads.

  5. Re:I thought this was a crypto/cypher challenge by morphage · · Score: 2

    I haven't looked at the video yet, because I still want to see how far I can get with just the spoilers in the comments.

    Grr...now I'm mad I didn't recognize the byte swapped DEADBEEF.

  6. Re:I thought this was a crypto/cypher challenge by dachshund · · Score: 4, Insightful

    I didn't realize that reversing IA-32 executables was the modern meaning of cracking a code. I figured it would be difficult and possibly even rely on a dictionary attack of a cryptographic hash, but IA-32 machine code?

    For better or for worse, modern intelligence agencies are much more dependent on people who can RE software and develop exploits, than they are on pure cryptographers.

    This is a consequence of the rolling disaster that is software security, combined with the fact that crypto folks have (mostly) gotten their act together.

  7. Re:I thought this was a crypto/cypher challenge by The+Askylist · · Score: 3, Interesting

    GCHQ has just announced that they are to lead the UK's cybersecurity push. I guess they need some reverse engineering skills in a hurry.

  8. perhaps they want to examine packet logs? by wierd_w · · Score: 4, Insightful

    This is an intelligence agency, and network intrusion programs pumping executable code in the attempt at smashing a stack and jumping execution are pretty common.

    Perhaps they want people who can quickly spot x86 assembly payloads from raw packet traces as part of a counter aggression op?

    If we assume that their network stack isn't riddled with exploitable stack variables or pointers, and that they successfully prevent the code from running, but log the unrequested network access and dump the binary packets to file for analysis, then having people that can "at a glance" determine what kind of data is in those dumps would be valuable.

    Being able to determine what it actually is supposed to do even more so.

    With the recent hysteria over scada system cyber attacks (I hate that phrase btw..), setting up a fake scada system as a honeypot and seeing what the cat drags in could also make use of this skillset.

    So, the obvious questions:

    Does the UK fear it has poorly secured scada systems, or does it fear network worm intrusion on some network segment, and if so, what segments or systems are those?

  9. Re:I thought this was a crypto/cypher challenge by PeterBrett · · Score: 2

    This sounds like they are more interested in recruiting people to analyze stuff like Stuxnet

    Yes, that's probably exactly what they're after.

  10. My solution with full writeup by ncw · · Score: 5, Informative

    I was going to hold this back until the competition was finished, but it seems the cat is out of the bag!

    Here is my solution and a writeup of exactly how I got there.

    http://www.craig-wood.com/nick/articles/how-i-solved-the-gchq-challenge/

    --
    Every man for himself, all in favour say "I"
  11. Re:I thought this was a crypto/cypher challenge by russotto · · Score: 2

    This sounds like they are more interested in recruiting people to analyze stuff like Stuxnet

    Yes, that's probably exactly what they're after.

    If they're really looking for people who can do that, they should be looking at people who crack DRM. Oh, are most of the people like that keeping their heads down and unlikely to be considering government jobs? Gee golly, I can't imagine why...

  12. Re:Screen recorder - here by Anonymous Coward · · Score: 2, Interesting

    http://recordmydesktop.sourceforge.net/about.php

  13. Re: segmented memory by neonsignal · · Score: 2

    The Z80 is not a segmented memory model either; you might be thinking of some of the embedded versions such as the HD64180. It was the x86 architecture that was really afflicted with these segment registers.