“I’m locked outside of my program…. I have the password but somehow can’t access it. Can you help me?
1. This is not a reversing challenge, try to research the behavior of the program
2. The program is recognized as a virus although it is not”
We start the challenge with an attached zip file, which contains two files:
By the challenge description, this is not a reversing challenge, so we probably shouldn’t try to reverse it. The files are probably packed, and that’s why the program is recognized as a virus.
Let’s run the program (after fighting with Windows Defender to keep the file instead of deleting it…)
We can see a pretty empty window with a top-menu button that says “Click-Me”. When clicking the button, a pop up appears with a message to insert a super secret password.
As we can see, the super secret password is “JohnE”.
Let’s try it.
Uhh, the password is wrong.
When trying “JohnE” as the password, we can notice that there are more wildcards (*) in the box than the letters in the password. That’s weird.
Let’s try to type random data in another program, like our beloved notepad.
Pressing random buttons on the keyboard results “bazinga” being written. It happens for every button, not only for character buttons (Shift and CAPSLOCK for example).
As we can see, the program prevents us from typing what we really want, and messes up the keyboard. The program doesn’t do it only inside its window, it does it for the entire system.
Anyone who is a bit familiar with Windows should know it can be done using hooks (The name of the challenge implies using hooks).
A hook is a point in the system message-handling mechanism where an application can install a subroutine to monitor the message traffic in the system and process certain types of messages before they reach the target window procedure. (from MSDN).
In simple words, hooks can be used by programs to wait for events that happen on other programs, and modify them before the target program handles them. So the program probably sets a global hook on keyboard events, and changes the pressed key before the message is passed to the target program. Let’s think how we can disable this behavior…
The program is packed, so trying to patch it probably will be a waste of time.
Let’s read a bit more about hooks.
The system maintains a separate hook chain for each type of hook. A hook chain is a list of pointers to special, application-defined callback functions called hook procedures. When a message occurs that is associated with a particular type of hook, the system passes the message to each hook procedure referenced in the hook chain, one after the other. The action a hook procedure can take depends on the type of hook involved. The hook procedures for some types of hooks can only monitor messages; others can modify messages or stop their progress through the chain, preventing them from reaching the next hook procedure or the destination window. (from MSDN)
So, each type of hook has a chain with all the hooks that were set for that type. Each hook can decide whether the event should be passed to the next hook in the chain, or not.
This is exactly what we need ! We can disable the keyboard modification by setting our own hook before the program’s hook, and our hook will stop the hook chain. If a program wants to set a hook, it needs to have a loaded DLL which contains the hook procedure.
The code is pretty simple: First, we need to load a DLL with the hook procedure, that simply returns a constant value (by Windows conventions). Then, we need to set the hook with WH_KEYBOARD_LL type.
After our program is running and the hook is set, we can launch the challenge program, and still write whatever we want. Let’s try JohnE of course, and we get the flag.
The flag is:
Since the program uses hooks, you might have some problems running it on your computer, depending on the programs you have installed. For example, I use a program which enables me to create new key shortcuts for the system, so I managed to solve the challenge in a different way than the expected. By pressing buttons with precise number of times will the SPACE button was pressed, I succeeded typing the correct letters, without writing any code. I’ve spoken with the writers of the challenge about this weird, (but cool) way.