07.14
Looks cool? Want one? All you have to do is solve this challenge and tell us what the password we seek is. Sounds easy? It's not... Mail us with your solution at: blog(at)reversinglabs(dot)com. Challenge is now closed! Thanks to everyone who participated. Click read more for the solution...
We didn't even dream about getting so many people to participate in our little challenge. The sheer number of emails simply flooded our mailbox with possible solutions and compliments about our challenge! One of those compliments expresses just what we want to do in the not-so-distant future, we quote: "Fun challenge, do more of these!" We definitely will!
Now to the solution, and discussion of the parts that proved troublesome for many...
We start by downloading the file and doing our initial analysis. Since the file is a ZIP archive, we open it with any program that handles this archive format and find a folder named "r" with a file named "r.zip" in it. This part of the challenge is just a decoy to keep you busy and distracted from the real content, which is appended to the archive as an archive comment. That real content is another archive, in 7-Zip format, which once extracted produces a single CAB file, and that is where things get interesting. The CAB file has a single PNG file in it, but to solve this challenge we must treat the image and the archive as two separate objects.
First, the image part of the puzzle. The image, once opened, shows a normal picture with the logo of our company. However, the picture itself carries embedded steganographic data. Since we didn't want to do any hard pixel-level stego (the kind you solve by inspecting image pixels), we embedded our hidden information between valid records inside the PNG file header. This is very similar to what we demonstrated at BlackHat Barcelona earlier this year, with the obvious difference that the file format is an image, not an archive. Nonetheless, the principle is the same. So, what's hidden? If you open the image file with any hex editor you will see the string "pSWD" near the start of the file. That string is followed by a 16-byte sequence, 538B327278BBAB654747288999FBCDA1 in hex, which isn't the password we need. Nope, it's not, even though many of you thought that this was the final solution. Why isn't it?
Because the CAB file that holds that PNG image also holds the last piece of the puzzle. If we scan that CAB file with our NyxEngine we get the following output:
Steganography ID: 0x00000b
Possible steganography due to suspicious CAB extra data present between entries!
Data start: 0x5a; Data size: 0x0000f6
And in that data there is the following text block:
UmFyIRoHAM6Zc4AADQAAAAAAAAA8MSAOyRZcWCVhcEFcUfp
P4JdbtU2derwgjSYp+BpxVYkWJPDtQ/TITifo4qO7qyYz+yLpd9+6
nkwwxmomWHbHK0Bt6UPHOwL/pEKm6IGXo/5dioeP66Fq5brTldgi
Z7do5bbFjykQIsx6PMCBre4iUJ7jcwrwD2MDs69XwuuHL+fMKy9hD
UJQPDEgDskWXFjp6jPWFXoWVSNb4H1zjQpW
Which is, in fact, a base64-encoded, password-protected RAR file. But what's the password? The password is the PNG image byte sequence written as lowercase hex text. So it's: 538b327278bbab654747288999fbcda1, which is not an MD5 hash and does not need to be brute-forced. Once it's entered and the RAR file is decrypted we can see a file named "file" containing the following text: "Password is: 9ec4c12949a4f31474f299058ce2b22a". And that's it, the challenge is successfully completed at that point. No more stego or hidden files.
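The "hidden records inside the PNG header" technique above is easy to detect once you stop trusting the image viewer and walk the chunk structure yourself. The following Python 3 script is an added example (not part of the original write-up or of any submitted solution): it parses every PNG chunk, verifies each CRC, and reports any chunk whose type the PNG specification does not define or whose CRC is wrong, hex-encoding the payload in lowercase the way the RAR password was derived. The sample PNG is constructed in memory; KNOWN_TYPES and the function names are my own, and the pSWD payload bytes are the ones quoted in the write-up.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN_TYPES = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
               b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs",
               b"sBIT", b"sPLT", b"hIST", b"tIME"}

def make_chunk(ctype, data):
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def walk_chunks(png):
    """Yield (offset, type, data, crc_ok) for each chunk; raise on truncation."""
    if not png.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header at 0x%x" % pos)
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc_raw = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_raw) != 4:
            raise ValueError("truncated chunk %r at 0x%x" % (ctype, pos))
        crc_ok = struct.unpack(">I", crc_raw)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        yield pos, ctype, data, crc_ok
        pos += 12 + length

def find_suspicious(png):
    """Return (offset, type, lowercase-hex payload, crc_ok) for chunks outside the spec or with a bad CRC."""
    hits = []
    for offset, ctype, data, crc_ok in walk_chunks(png):
        if ctype not in KNOWN_TYPES or not crc_ok:
            hits.append((offset, ctype, data.hex(), crc_ok))
    return hits

# Constructed 1x1 RGB PNG carrying a non-standard "pSWD" chunk between IHDR and
# IDAT, mimicking the challenge layout (payload bytes taken from the write-up).
SAMPLE_PNG = (
    PNG_SIG
    + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    + make_chunk(b"pSWD", bytes.fromhex("538B327278BBAB654747288999FBCDA1"))
    + make_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    + make_chunk(b"IEND", b"")
)
```

Running find_suspicious(SAMPLE_PNG) reports a single hit, the pSWD chunk at offset 33 with the payload 538b327278bbab654747288999fbcda1; flipping any payload byte additionally marks its CRC as bad.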
There are six accepted solutions to this challenge, but the one that simply astonished us is the following Python script, which solves our challenge end to end:
#! /usr/bin/env python
# Python 2 script (urllib2, str.decode("base64")) submitted by a participant;
# it automates every step of the write-up above.
import os
import struct
import urllib2

URL = "http://blog.reversinglabs.com/wp-content/uploads/2010/07/r.zip"
os.chdir("/tmp")

# The outer ZIP is a decoy: the real payload is a 7z archive appended as the
# ZIP comment, so cut from the first "7z" (start of the 7z signature) onward.
rzip = urllib2.urlopen(URL).read()
r7z = rzip[rzip.find("7z"):]
open("r.7z", "wb").write(r7z)
os.system("7z e r.7z")

# The 7z holds puzzle.cab; the extra data at 0x5a is a base64 RAR
# (NyxEngine reported size 0xf6, so 250 bytes covers the whole block).
cab = open("puzzle.cab", "rb").read()
os.system("cabextract puzzle.cab")
open("r.rar", "wb").write(cab[0x5a:0x5a + 250].decode("base64"))

# The PNG carries a custom "pSWD" chunk: the 4 bytes before the chunk type are
# its big-endian length, and the raw data as lowercase hex is the RAR password.
png = open("ReversingLabs.png", "rb").read()
ppos = png.find("pSWD")
sz, = struct.unpack(">I", png[ppos - 4:ppos])
pwd = png[ppos + 4:ppos + 4 + sz]
os.system("unrar e -P%s r.rar" % pwd.encode("hex"))
print open("file").read()
Thanks to everyone who participated in our little competition. Winners, your T-shirts are in the mail. Until our next challenge...
Our challenge got beaten by our own NyxEngine! Oh, Nyx...


I think some friends in China are interested in your challenge. Let me help by posting it on the Upack.cn forum, and I want a T-shirt too :)
The first 's' in the hidden CAB text block is wrong (position 59). An extra character means an invalid length for the Base64 character array.
Congratulations for the challenge!
You are absolutely correct. Our copy/paste mistake is now fixed. Thank you.
Sometimes it’s really that simple, isn’t it? I feel a little stupid for not thinking of this by myself.
9ec4c12949a4f31474f299058ce2b22a
[...] the reversinglabs website published a small challenge last week in which, given a .zip file, you had to find the [...]