The image on canyoucrackit.co.uk contains x86 code. So save typing it out by hand, I googled a couple of bytes and found a text version someone had kindly put up.
Next, I took a dummy exe file (anything with a valid PE header will do) and pasted the hex above into the Entry Point of the program. This allows the code to be debugged.
The code eventually crashes when it tries to access an invalid memory address. A clue is given here:
00401043 CMP EAX,41414141 00401048 JNZ SHORT test.0040108D 0040104A POP EAX 0040104B CMP EAX,42424242 00401050 JNZ SHORT test.0040108D
The condition passes (EAX == 41414141), the second doesn’t. Something is missing.
It turns out there is something base64 encoded in the header of the PNG file:
This decodes to the following:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 42 42 42 42 32 00 00 00 91 D8 F1 6D 70 20 3A AB BBBB2 ‘Øñmp :« 00000010 67 9A 0B C4 91 FB C7 66 0F FC CD CC B4 02 FA D7 gš Ä‘ûÇf üÍÌ´ ú× 00000020 77 B4 54 38 AB 1F 0E E3 8E D3 0D EB 99 C3 93 FE w´T8« ãŽÓ ë™Ã“þ 00000030 D1 2B 1B 11 C6 11 EF C8 CA 2F Ñ+ Æ ïÈÊ/
Note that the first four bytes are 42 42 42 42! So, to solve the problem, put a breakpoint on ’0040104A POP EAX’ and before the instruction is executed paste the whole lot into the address pointed to by ESP (the stack pointer). The code will now run to completion. Check the memory and you’ll see this string:
GET /15b436de1f9107f3778aad525e5d0b20.js HTTP/1.1
So, go to http://canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js to go to the next part of the challenge!