Solution to Part One of the GCHQ ‘’

The image on contains x86 code.  To save typing it out by hand, I googled a couple of bytes and found a text version someone had kindly put up.

Next, I took a dummy exe file (anything with a valid PE header will do) and pasted the hex above into the Entry Point of the program.  This allows the code to be debugged.

The code eventually crashes when it tries to access an invalid memory address.  A clue is given here:

00401043  CMP EAX,41414141
00401048  JNZ SHORT test.0040108D
0040104A  POP EAX
0040104B  CMP EAX,42424242
00401050  JNZ SHORT test.0040108D

The first comparison passes (EAX == 41414141); the second (EAX == 42424242) doesn't.  Something is missing.

It turns out there is something base64 encoded in the header of the PNG file:


This decodes to the following:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   42 42 42 42 32 00 00 00  91 D8 F1 6D 70 20 3A AB   BBBB2   ‘Øñmp :«
00000010   67 9A 0B C4 91 FB C7 66  0F FC CD CC B4 02 FA D7   gš Ä‘ûÇf üÍÌ´ ú×
00000020   77 B4 54 38 AB 1F 0E E3  8E D3 0D EB 99 C3 93 FE   w´T8«  ãŽÓ ë™Ã“þ
00000030   D1 2B 1B 11 C6 11 EF C8  CA 2F                     Ñ+  Æ ïÈÊ/

Note that the first four bytes are 42 42 42 42! So, to solve the problem, put a breakpoint on '0040104A  POP EAX' and, before the instruction is executed, paste the whole decoded blob into the address pointed to by ESP (the stack pointer).  The code will now run to completion.  Check the memory and you'll see this string:

GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1

So, go to to go to the next part of the challenge!
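The PNG step above can be scripted rather than done by eye.  The following is an added example (not code from the original post or from the challenge): it walks the PNG chunk list, base64-decodes each tEXt chunk and returns the first blob that starts with the BBBB marker the CMP EAX,42424242 check expects.  It assumes the base64 sits in a tEXt chunk (the post only says "header"), and the PNG it runs on is a constructed stand-in whose blob has the same shape as the dump above: a 4-byte marker, a little-endian length (32 00 00 00 = 50) and 50 bytes of payload.

```python
import base64
import binascii
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def iter_png_chunks(data):
    """Yield (type, payload) for every chunk, verifying each chunk CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break

def find_stack_blob(data):
    """Base64-decode every tEXt chunk; return (keyword, declared_len, blob)
    for the first blob that starts with the 'BBBB' marker, else None."""
    for ctype, payload in iter_png_chunks(data):
        if ctype != b"tEXt":
            continue
        keyword, _, text = payload.partition(b"\x00")  # tEXt = keyword NUL text
        try:
            blob = base64.b64decode(text, validate=True)
        except binascii.Error:
            continue
        if blob[:4] == b"BBBB":
            # Bytes 4..7 are a little-endian length of the data that follows;
            # in the dump above that is 0x32 = 50, matching the 58 - 8 bytes shown.
            declared = struct.unpack("<I", blob[4:8])[0]
            return keyword, declared, blob
    return None

def make_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

# Constructed sample (not the challenge PNG): a 1x1 PNG whose tEXt chunk
# carries a base64 blob shaped like the one in the write-up.
SAMPLE_BLOB = b"BBBB" + struct.pack("<I", 50) + bytes(range(50))
SAMPLE_PNG = (PNG_SIGNATURE
              + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + make_chunk(b"tEXt", b"Comment\x00" + base64.b64encode(SAMPLE_BLOB))
              + make_chunk(b"IEND", b""))
```

Run find_stack_blob on the real image and check that the declared length agrees with the bytes actually decoded before pasting anything onto the stack; a mismatch means you have the wrong chunk or a truncated copy.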
