Tutorial on BoR0's Riddle [#5]

Tuesday, August 30 2005 @ 11:29 PM CEST

Contributed by: TDC

Level : intermediate

Solution for BoR0's 5th crackme using a modified Base64 table.

----------------

BoR0's 5th Crackme (Riddle)

----------------

Written by: TDC - The Dutch Cracker

Tools used: Notepad and a mind

Level: 4/10

Attachment: attachment

Contact info
------------

ICQ: 264541651

-----------

Introduction:
-=-=-=-=-=-=-

Welcome to this tutorial. This time we are going to solve BoR0's riddle. I hope you have fun with it, good luck :)

The Tutorial
-=-=-=-=-=-=

Start crackme5.exe and you will see that it says "Find more information in the data section"... Hmm? Well, just open the file in Notepad =P. If we scroll down a little bit, we see something like this:

Filename startup-- (Stuff) --Filename endup

If you look at it closely in Notepad, it looks like Base64. And from the hint BoR0 gives, we can tell it is an encoded file.

Download a Base64 decoder: http://www.fourmilab.ch/webtools/base64/

OK, once you have that we can prepare. Save everything between "Filename startup" and "Filename endup" in a file called, for example, "blabla.bla".

There's always a signature in a file, so let's decode the first 4 bytes of the string. Yes, the "R0lG" part. Use the online Base64 decoder:

http://makcoder.sourceforge.net/demo/base64.php

Once you have decoded R0lG, you see that it is GIF. Aha, so our file should be called not "blabla.bla" but "blabla.GIF". We are now ready to decode this file. Base64.EXE takes -d on the command line to decode, and since we are not interested in errors either, use the -n switch as well.

Commandline: "Base64 -d -n blabla.gif output.gif"

Now, if all went well, you have an output.gif that is a valid .GIF file. Open it up. Doesn't it look like a Base64 table? 8x8 = yep, 64, it's a Base64 table :-). But wait, it also looks modified: we can see 0RoB in it, which seems to be BoR0's name as a kind of signature =P. I included my decoded gif file in the zipfile.

What I did was search for an online webpage that decodes Base64, save the source to my hard disk, change the table, and open the file from my hard disk in the web browser.

http://ostermiller.org/calc/encode.html (the decoder I used)

Cool, we have the modified Base64 now. Check my included encode.html, it's the modified version :-)

Ready? Insert BoR0's encoded text. (You can copy/paste it from Notepad because, as the name Base64 says, it uses 64 characters, and Notepad can read those.) So put that text into our own modified decoder. Yep, it's working :-)
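
The same decode can be done without editing a web page: translate each character of the modified alphabet back to the standard one, then decode normally. This is an added example, not TDC's encode.html and not BoR0's code; the CUSTOM table is a constructed stand-in (the real table exists only in the decoded GIF), and the function names are hypothetical.

```python
import base64

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed stand-in: the standard alphabet reversed. This is NOT BoR0's
# table; substitute the 64 characters read row by row from the decoded GIF.
CUSTOM = STD[::-1]


def check_table(table):
    """A usable table is a permutation of 64 distinct symbols without '='."""
    if len(table) != 64 or len(set(table)) != 64 or "=" in table:
        raise ValueError("table must be 64 distinct characters, no '='")


def sniff_magic(text):
    """Standard-decode the first 4 characters to expose the file signature."""
    return base64.b64decode("".join(text.split())[:4])


def decode_custom(text, table=CUSTOM):
    """Map each symbol to its standard-alphabet counterpart, then decode."""
    check_table(table)
    body = "".join(text.split()).rstrip("=")      # drop line breaks, padding
    stray = set(body) - set(table)
    if stray:
        raise ValueError("not in table: %r" % sorted(stray))
    std = body.translate(str.maketrans(table, STD))
    std += "=" * (-len(std) % 4)                  # restore padding
    return base64.b64decode(std, validate=True)


def encode_custom(data, table=CUSTOM):
    """Inverse of decode_custom, used here to build test input."""
    check_table(table)
    return base64.b64encode(data).decode("ascii").translate(
        str.maketrans(STD, table))


if __name__ == "__main__":
    print(sniff_magic("R0lG"))                    # b'GIF'
    sample = encode_custom(b"this is my fifth crackme :)")  # constructed input
    print(sample, "->", decode_custom(sample))
```

Unlike the -n switch used above, decode_custom refuses characters that are not in the table, which quickly shows when the table was copied from the GIF incorrectly.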

The decrypted stuff is:
------------ DECRYPTED ------------
Part #1:
Well, as you can see (and you probably reversed my application by now)
this is my fifth crackme :) I am using base64 (modified) for this text,
and base64 (not modified) in a file table.gif that contains the

Part #2:
table of the modified base64. Anyway, I hope you had a great time
while solving this crackme :) it was more a riddle, but anyway..
My greetings list is: Detten, ZaiRoN, upb, TDC, Tanatos, parabytes,
Zephyrous, Muad'Dib, HMS, bluffer, and all my other friends.
Respectful webpages: www.reversing.be
My webpage: www.freewebs.com/bor0/

Part #3:
This tool I have done 28.7.2oo5 when I was playing with base64
------------ DECRYPTED ------------

Oh, and BoR0, thanks for the greetings ;-)

Greetings
-=-=-=-=-

To BoR0 for this funny crackme of course :-), to all BiW and special thanks to thorpe, guyonasm, detten, xb0z, Soul12, parabytes, upb :-)

http://www.reversing.be/article.php?story=20050830232901767