ThisisLegal.com

ThisisLegal Forums


#1 2009-03-25 14:19:45

totoiste
Member
Registered: 2009-01-30
Posts: 3

Application Chall 4

Hi Hertz, Hi Tommy,

This chall is hell for guys like me that used to "debug" in Olly... 16-bit DOS programs are largely usable, but this quantity of code is like looking for a needle in a haystack... But I sure have a lot of time and try to understand this piss (oh!) of code...

I'm quite sure that it is an implementation of a famous computer crypto machine which was used just after the 1st World War. This name is even hidden in the binary ;-) and the solve form told me that I'm going in the right direction.

Could you tell me, though, whether reading the disassembled code is really necessary, or if there is some more direct way to solve this complicated chall (in comparison to the others on this site!!!)?

Bye bye.

totoiste from dareyourmind.net


#2 2009-03-25 17:42:26

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: Application Chall 4

Hertz didn't tell me anything about it being like that machine (I know which you mean), but the first step to doing this is cracking the password for the app, as this is needed for the final challenge password. Have you read this yet?

http://thisislegal.com/16/

Some at least basic assembly code knowledge is needed (OllyDbg uses assembly, it just makes it easier).

This is definitely the hardest part. Once you have found the password, the challenge is more than half done.


Site admin


#3 2009-06-16 11:34:35

s_ha_dum
Member
Registered: 2009-06-12
Posts: 4

Re: Application Chall 4

I've read that tutorial, but this challenge is still killing me. Is Hertz.exe even solvable via the method described in that tutorial? I'm thinking not, but I'm pretty lost on this one.

I should note that TR doesn't run on Vista, and it crashes on XP Pro (at least on mine) after I step through a handful of commands. I got it running in emulation (FreeDOS on DosEmu on Slackware) but I'm not sure it's working properly. It seems to work, but way down toward the bottom of Hertz.exe TR finds some unrecognized commands, and after forcing TR over a couple (tt) it crashes, taking the whole xDosEmu shell with it.

So, anyone have any ideas? I hate that this is the only thing between me and 100%.


#4 2009-06-16 16:40:19

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: Application Chall 4

I recommend Rec Studio, for which a download link is listed at the top of the tutorial. TR does behave slightly wrongly for this app, but this challenge is very similar to the app described in that tutorial (if you don't know assembly, it will be pretty hard).


Site admin


#5 2010-04-01 07:49:44

kjangwa
Member
Registered: 2010-03-27
Posts: 23

Re: Application Chall 4

Holy Dword, just how much assembly do we need to know?

I have a 967kb text file of deadlisted assembly and I'm googling like crazy for stuff like "rep stosb", "cli", "cwd". If I ever finish this mission, I'll know enough assembly to write my own O.S!


#6 2010-10-15 11:35:00

s_ha_dum
Member
Registered: 2009-06-12
Posts: 4

Re: Application Chall 4

I tried recStudio and that crashes on me as well, when trying to work with this app. I'm starting to think that I don't have the hardware/OS necessary to solve this one, which is frustrating. When was the last time someone solved this? Also, if anyone has solved this on Vista, Windows 7, WINE, dosemu, or ???, please let me know. Much appreciated.


#7 2011-04-02 07:35:03

kjangwa
Member
Registered: 2010-03-27
Posts: 23

Re: Application Chall 4

@tommy9, if this is too much info, say and I'll edit it.
Note: I have not done this mission yet.

recStudio GUI seems a bit buggy, so put app4.exe into the
same folder as RecStud.exe and fire up recStudio, then at the bottom of the GUI there's a command bar;
type >Load app4.exe (or whatever you've named it)
and give it some time to load and you should be away.

For a debugger,
you can try the CodeView 16-bit debugger, but you will have to
do some work to get it up and running.
It is old school and cranky and sucks up CPU.
Google for it and you should find some install instructions,
which are not to be taken lightly.

Tried it on an old desktop with Win XP Pro and it works
on that.
It is scary and I don't know if it shows enough info to
solve this mission, so I can't recommend it.

I hope this info helps somebody.
For me, I don't know enough ASM,
so it's back to Randall Hyde.


#8 2011-06-13 00:29:48

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Application Chall 4

I cracked the tutorial app alright. It was easy as pie. But the Hertz crackme is really mind boggling. I'd be glad to find a debugger like TR that can trace through it because I don't understand RecStudio at all. I look at all that assembly code with so many unfamiliar instructions it makes my head spin. How do we figure out which procedure is the password checking procedure from the very long list of procedures detected?

And has anyone tried cracking it using other debuggers like the MS-DEBUG or Borland's Turbo Debugger or even HIEW? (which is not really a debugger)


#9 2011-08-04 09:00:44

sambo
Member
Registered: 2011-08-04
Posts: 3

Re: Application Chall 4

I have cracked the app on windows vista. I used a disassembler and a debugger (GRDB). This debugger is generally an extended version of the MS-DEBUG program in windows.

The problems for me began with valid passwords for the app, but not for thisislegal and the slightly misleading good boy message.

Greetings,
sambo


#10 2011-08-05 14:35:59

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Application Chall 4

I downloaded GRDB yesterday but it won't run on my system (Win 7, 64-bit).
How did you get it to run on Vista? Did you use DOSBOX or something similar?

Thanks for helping! :)
xyberz09


#11 2011-08-11 07:42:35

sambo
Member
Registered: 2011-08-04
Posts: 3

Re: Application Chall 4

I used it on Win Vista 32 bit system!

It could be possible that is the problem. I start it simply from the command line without any virtualization!

Greetz
sambo


#12 2011-08-13 20:25:49

xyberz09
Member
Registered: 2009-06-10
Posts: 46

Re: Application Chall 4

Thanks. I'll try it out in WinXP under VMWare and see what happens. I hope the crackme isn't a lot tougher to crack than the tutorial crackme :)


#13 2011-08-26 02:18:29

caveman
Member
Registered: 2010-05-02
Posts: 5

Re: Application Chall 4

"The problems for me began with valid passwords for the app, but not for thisislegal and the slightly misleading good boy message."

Sambo, I'm having the same problem. Figuring out the passwords for the app was easy and I have variable g. But none of my tries work on the website... That good boy message seems pretty straightforward...

Can someone give me a hint now? Is cryptography involved somehow? I've cracked the app, this challenge should be exactly that, not figuring out how to combine/take apart bits and pieces from strings to get the pass, that's for cryptography...

So.. any hint would be appreciated :D


#14 2011-09-07 16:38:22

kjangwa
Member
Registered: 2010-03-27
Posts: 23

Re: Application Chall 4

:: EDIT ::
@ caveman.
If i understand you correctly, then
you have all you need,
just juggle it about.

Note to self:
Aug26th 2011
I hereby swear that one day I will complete this challenge.
[Edit: Sept08th]
finally after 17 months, w00tw00t.
:: EDIT ::


#15 2012-03-04 07:41:04

HiPhiSch
Member
Registered: 2012-03-04
Posts: 2

Re: Application Chall 4

I am stuck at the end of this chall. I finally managed to come to a point where I was able to find the two possible passwords which give the good boy. However, I do not understand the good boy at all.. What is this variable about? In assembly there is no register related to g. Do I need to use some special decompiler which assigns a g to something? Two candidates I tried were not right. (The ones used in the relevant checks...)

Did I overlook something?


#16 2012-03-04 11:18:44

kjangwa
Member
Registered: 2010-03-27
Posts: 23

Re: Application Chall 4

@HiPhiSch
The last bit is a little odd.
The goodboy message is, as sambo says, "misleading".
No special decompiler needed to find the inappropriately named 'variable g'.
If you find something, you can test it on the app4 page.
Read this thread from the start ;)
You can PM me if you are still stuck.


#17 2012-03-07 02:03:26

HiPhiSch
Member
Registered: 2012-03-04
Posts: 2

Re: Application Chall 4

Finally made it!!!

For those of you who are still struggling, I try to give some hints without giving too much away:

1. Concatenation here is the simplest case, don't mess with spaces or ','.

2. 'variable g' has two parts and the challenge form will help you if you found something appropriate. Do not waste time by trying assembly registers used at the checks of the password.

3. I found two valid passwords. If you order them alphabetically use the first one.

Good luck!

And thx a lot kjangwa!


#18 2013-01-15 16:37:02

Fulldawa
Member
Registered: 2012-03-22
Posts: 4

Re: Application Chall 4

Hi there,

I really don't understand what's bad with my answer :hrmm: I'm just working with IDA, after months I'm finally here:

[spoiler]
* I found the app's password, a common English word, looks like XXXXX; tested on the chall form, the site says "Part of the password was correct."
> So I suppose it is my first part (because can't test it for real on the app').

* I found the "en!gmatic" thing, the site says "Your going in the right direction."
> So I suppose this is my second part.

At this point I have 4 strings. Spamming the chall form with all possible concatenations of those pieces and then uppercase, lowercase etc., I always receive "Part of the password was correct."

Taking a look here clearly reduces the solutions:

my only logical final answer looks like:

XXXXX0123456789abcdef0123456789abcdef
and it doesn't work!

Did I forget something? I'm French, maybe there is something I misunderstand? Am I close to finding it?

Please a little help.

[/spoiler]


#19 2013-11-04 03:44:40

tibbi
Member
Registered: 2013-11-04
Posts: 4

Re: Application Chall 4

I could use some more hints here :hrmm: Tried several decompilers/debuggers and I thought I'm fairly good with assembly, but I can't solve it. I can't find the spot where my input is checked; I was looking for similar spots like in the Crackme tutorial. I can't even test Crackme anymore, as it was uploaded at megaupload, which was pwnt. Feel free to PM me some big hint or password too ;)
