try2hack.nl

[rktak]

well, for level5...... both the user name and the password is available freely and i've tested them also....... however the challenge is to get this info from the program...... there's got to be a way other than decompiling the program..... vb6 decompilor doesn't work for vb3 files .....one suggestion was to use hex editor ........( http://su2.info/doc/try2hack_solutions.php ) however couldn't follow the memory instructions!? any further ideas !?

[White Scorpion]

well, the password and username (and url) you find using an hexeditor doesn't work, they're fake.

perhaps you might like this link, i think it is the data of the original developer of the program.

[Aglasys]

Originally posted here by h3r3tic
Don't waste too much time on level5. As far as I know you have to use some vb3 decompiler that is nearly impossible to find, unless you are really really good with ASM. It's pretty stupid, and the hardest part of the level is actually finding the working decompiler. If I were you I'd find someone who has passed it to just give you the password or something then move on. Good luck.

Well, I wouldn't say impossible... It's just a bit hidden =)

Search some more, if you still can't find it, i'll upload it somewhere.

[jackandjill]

Hi

You have to use Dodi VB decompiler for level 5.
I don't remember the password now but after you decompile using that decompiler you get one .bas file showing the username and password which is the wrong one.Actual password is in coded form in the other 2 or 3 files you get after decompiling.
It's like gc=001 ,gc=002.... and so on.
Try it out.
BTW level 6 and onwards are the real challenge.

Hope this post helps you.
C ya

[White Scorpion]

BTW level 6 and onwards are the real challenge.

i don't agree, i had a hard time getting past level5, but 6, 7 and 8 were pretty easy

[rktak]

jackandjill-------- i guess dodi did a pretty good job in decompiling the file (see attachment)....... now the algorithm is clear however where are the variables declared!? and what does the function..... Mid(gc0006, 56, 1) ...... do !?


Aglasys----- got any thing better than the job dodi does!?

any further ideas!?

[Tekron-X]

Way back when I did level 5 I did it like this. Basicall VB3 is not obfusicated so all you have to do is open the exe with a text editor and you can see all the variables and the values of them. However, with vb6 you must decompile it.

[rktak]

ok at last level 5 is done ... for level 6, as i understand we need a packet sniffer ..... fair enough however issue is that i don't have admin rights on the computer where i'm working so winpcap and none of the packet sniffers will get installed.....any workarounds will be helpful!? also should i use a packet sniffer or a password sniffer!?

[sec_ware]

hi rktak

Since you had the correct idea, here is the packet I captured. Good luck!


No. Time Source Destination Protocol Info
10 3.216311 62.192.127.200 192.168.1.13 HTTP HTTP/1.1 200 OK (text/plain)

Frame 10 (579 bytes on wire, 579 bytes captured)
Ethernet II, Src: xxxxxxxxxxxxxxxxxx, Dst: xxxxxxxxxxxxxxxxxx
Destination: xxxxxxxxxxxxxxxx (192.168.1.13)
Source: xxxxxxxxxxxxxxxxx (192.168.1.1)
Type: IP (0x0800)
Internet Protocol, Src Addr: 62.192.127.200 (62.192.127.200), Dst Addr: 192.168.1.13 (192.168.1.13)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 565
Identification: 0x4de9 (19945)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 52
Protocol: TCP (0x06)
Header checksum: 0x769c (correct)
Source: 62.192.127.200 (62.192.127.200)
Destination: 192.168.1.13 (192.168.1.13)
Transmission Control Protocol, Src Port: http (80), Dst Port: 1113 (1113), Seq: 1, Ack: 129, Len: 525
Source port: http (80)
Destination port: 1113 (1113)
Sequence number: 1 (relative sequence number)
Next sequence number: 526 (relative sequence number)
Acknowledgement number: 129 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 57400
Checksum: 0x1494 (correct)
SEQ/ACK analysis
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Date: Sun, 31 Oct 2004 02:46:43 GMT\r\n
Server: Apache\r\n
Cache-Control: max-age=1296000\r\n
Expires: Mon, 15 Nov 2004 02:46:43 GMT\r\n
Last-Modified: Sun, 01 Jun 2003 20:37:04 GMT\r\n
ETag: "xxxxxxxxxxxxxxxxx"\r\n
Accept-Ranges: bytes\r\n
Content-Length: 220\r\n
Connection: close\r\n
Content-Type: text/plain\r\n
\r\n
Line-based text data: text/plain
(ENCRYPTION TYPE)
B*C*N**N

(USERNAME)
aaabb aaaaa aaaab abbab ababb aaaab
(PASSWORD)
aabaa abbaa aaaba baaaa babba abbba baaba abaaa abbab abbaa baaaa aaaaa babaa abaab baaab
(PAGE)
babab aabab abaab abbab aabbb aaaba

[rktak]

thanks sec_ware that was great the information was more than enough to clear level 6....... however i would like to know which packet sniffer did you use!?