Slashdot Mirror

← Back to Stories (view on slashdot.org)

GCHQ Challenge Solution Explained

Posted by timothy on from the oh-well-now-that's-just-obvious dept.

First time accepted submitter DrDevil writes "The British spy agency GCHQ recently published a puzzle at canyoucrackit.co.uk (as featured on Slashdot), now just a few days later an academic at the University of Greenwich in England has posted a full video explanation of the puzzle. The puzzle has three stages and is not at all simple — likely to challenge even the best computer science graduates."

10 of 107 comments (clear)

  1. Re:Opaque by Robadob · · Score: 4, Funny

    Because terrorists are yet to discover x64

  2. Not a great challenge by marcansoft · · Score: 5, Interesting

    My opinion, as someone who has both solved and organized several challenges of this sort, is that the challenge is neither hard (at least by the standards of the ones I've dealt with) nor well designed. In fact, it kind of degenerates: it starts out OK but the ending is terrible.

    Stage 1 is interesting: it combines recognizing executable code (the first thing I thought when I stared at that hex dump is "this looks like x86 code", but being able to recognize binary architectures is a valuable skill) combined with some steganography (fishing out the rest of the required data from the PNG. Fair enough, and OK for a first round.

    Stage 2 starts out well: virtual machines are used for obfuscation and make fun challenges. However, the execution is backwards. Being given VM bytecode and a specificiation to implement a VM isn't a hacking or reverse engineering challenge; it's just work ("go implement this for me"). A much better challenge would be to be given either the spec or (preferably) code that implements it, and then have to reverse engineer the bytecode itself to solve the puzzle. That involves writing a custom disassembler, which is a much more interesting task.

    Stage 3 is a clusterfuck. It's just an executable that checks for a few constants in a file and then builds a URL out of the rest of it. There's a hash (old-school DES crypt() salted password) that the input has to match, but even though it's crackable using a dictionary, you don't even have to do that because the URL includes the hash (which is in the executable), not the plaintext! The rest of the URL isn't checked, and it's basically a guessing game where you have to fish out constants from previous levels. It's just a glorified way of saying "okay, now take a wild guess as to what numbers to stick in the URL". It's not realistic in the slightest.

    Anyone interested in a "better stage 2" might want to check out a level that I put together for the Hack-It competition at the 18th Euskal Encounter (2010). Your goal is to figure out the 64-bit input key that works (if you don't know what "works" means, compile and run the code and it should be obvious). The full set of challenges can be found here: 2010 2011 (unfortunately, the website / problem statements are in Spanish, but I'm sure you can work it out with a bit of copy/pasting into Google Translate - if there's enough interest I'll translate them to English).

  3. Why crack it when you can bypass it? by TripleP · · Score: 4, Funny

    So if you can't crack it, but you can bypass the challenge, do you still win?

    http://www.canyoucrackit.co.uk/soyoudidit.asp

  4. Re:Opaque by bWareiWare.co.uk · · Score: 5, Insightful

    The ability to recognise codes is precisely what they were testing.
    If they had used a week cryptography code everyone would have cracked it, if they had used a strong code no one could (at least no one who didn't already work for their competition).
    Utilizing an unexpected but extremely common code seems to be a nice solution.

  5. Re:Opaque by pushing-robot · · Score: 4, Informative

    Well, "DEADBEEF" is a bit of a giveaway.

    --
    How can I believe you when you tell me what I don't want to hear?
  6. Re:Opaque by marcansoft · · Score: 5, Informative

    Recognizing unknown architecture binaries is an important skill to have when reverse engineering, especially for embedded systems. Very often you'll get a firmware file and you have to figure out what it is. Each architecture has its peculiarities, so it doesn't take long to get a feeling for what their opcodes look like. For example, 32-bit ARM code sticks out like a sore thumb (no pun intended :) due to the condition code field, which means that every 32-bit word almost always starts with 0xEx (and whether that's the first or last byte in the word tells you the endianness). Variable length architectures like x86 look very different from RISC ISAs with a fixed instruction length like PowerPC.

  7. Re:I thought this was a crypto/cypher challange by dachshund · · Score: 4, Insightful

    didn't realize that reversing IA-32 excutables was the modern meaning of cracking a code. I figured it would be difficult and possibly even rely on dictonary attack of a cryptographic hash, but IA-32 machine code?

    For better or for worse, modern intelligence agencies are much more dependent on people who can RE software and develop exploits, than they are on pure cryptographers.

    This is a consequence of the rolling disaster that is software security, combined with the fact that crypto folks have (mostly) gotten their act together.

  8. perhaps they want to examine packet logs? by wierd_w · · Score: 4, Insightful

    This is an intelligence agency, and network intrusion programs pumping executable code in the attempt at smashing a stack and jumping execution are pretty common.

    Perhaps they want people who can quickly spot x86 assembly payloads from raw packet traces as part of a counter aggression op?

    If we assume that their network stack isn't riddled with exploitable stack variables or pointers, and that they successfully prevent the code from running, but log the unrequested network access and dump the binary packets to file for analysis, then having people that can "at a glance" determine what kind of data is in those dumps would be valuable.

    Being able to determine what it actually is supposed to do even more so.

    With the recent hysteria over scada system cyber attacks (I hate that phrase btw..),setting up a fake scada system as a honeypot and seeing what the cat drags in could also make use of this skillset.

    So, the obvious questions:

    Does the UK fear it has poorly secured scada systems, or does it fear network worm intrusion on some network segement, and if so, what segments or systems are those?

  9. My solution with full writeup by ncw · · Score: 5, Informative

    I was going to hold this back until the competition was finished, but it seems the cat is out of the bag!

    Here is my solution and a writeup of exactly how I got there.

    http://www.craig-wood.com/nick/articles/how-i-solved-the-gchq-challenge/

    --
    Every man for himself, all in favour say "I"
  10. Re:Opaque by xaxa · · Score: 4, Interesting

    It looked interesting, but I lost interest when I saw the salary -- slightly less than what I have already, working for a different bit of government. And GCHQ is in Cheltenham.

    But have you visited the UK? I live here, so it's what I'm used to, but when visiting a couple of cities in the US recently I felt more "watched" and regulated. There were many signs with lists of local laws, with violations incurring big fines. There were *more* public (government/city/whatever) CCTV cameras. (I don't know about private ones, in shops and so on -- they didn't catch my eye.) The government buildings were built like fortresses, and I had my ID scanned and bag x-rayed when visiting museums. When I tried to leave, a government employee handled my genitals.

    I don't want an argument about which country is better -- they both need improvements in this respect. But I'd like to know how you felt watched (or similar) when you visited the UK.