All right, I must say that I respect people who don't give up trying, and since the following
limdis wrote: As for this thread. Until the challenge is fixed we're going to go soft on spoilers since a few of us are trying to rehack the simulation.
rather qualifies as a 'green light' (literally), I will try to clarify some basic concepts for you.
As you already know, there aren't many things you can do (at least for this mission) with a hex editor apart from looking for strings and trying to figure out what they do, where they are used, etc., etc. In our case, especially if you don't know much about assembly, a hex editor is the 'only' way to go. As you found out yourself, OllyDbg (and other disassemblers, like Win32dasm) fail to fetch the strings. So, what now? Well, now is a good time to remember that the 'original' mission (i.e. the one that has no communication problems) can be beaten with nothing more than a hex editor. This fact should tell you right away that you have to change something in there to something else. (I know this sounds rather vague, but I can't say more on this as it would ruin the mission altogether.) All you have to do at this point is to find this 'something'. It's going to be a little hard since you can't actually verify that you have found the right one, due to the comm problem. But hey, the road to success is paved with trial and error...
Now, let's say you narrowed down your candidate 'somethings'. This is where Wireshark comes in handy. At this point the communication scheme should be quite obvious to you: app 'says' something, site 'says' something else, app does its things and all are OK (or not). In our case the site 'says' something 'crazy' (apparently) and the result is that our app doesn't know how to handle this and hangs... So, our goal here is to somehow make our app 'understand' what the site 'says'. In other words, we have to 'enhance its vocabulary', and Wireshark will provide this vocabulary. All you have to do is look; and of course bear in mind that an HTTP 'Bad Request' response is not a string saying 'Bad Request'. It comes 'packaged' into something bigger...
... which brings us to the last part of this tut... I mean post: There's a possibility that the app still hangs, even though you were correct in finding your way through the previous steps. Then (even though you don't have access to the app's source code) you have to think a little bit like a programmer, and especially try to think what a programmer does when dealing with variables (that is, if he/she wants to avoid 'bad' things like, say... buffer overflow...).
There it is, I hope you'll find this helpful and I really hope that it doesn't spoil the fun.
Your next post should be a success one... @limdis
limdis wrote: Right so, a few days back I said I was going to try this. There are a couple of 'easy' ways but it REALLY got me thinking and now I've been trying to pull it off with some tcp injection, without being mitm.
Are you talking about TCP sequence prediction? That sounds interesting enough...
By the way, I noticed that the platform probably uses nginx as a load balancer proxy and, as you might already know, nginx has a reputation for throwing 'Bad Requests' a little too often. Maybe that's a reason for this situation.
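As an added illustration of the two points above (that a 'Bad Request' is a status line inside a complete HTTP response, and that a client has to bound what it reads), here is a small Python parser that is not part of this thread or of the challenge app. The captured response is constructed to look like what a sniffer would show from an nginx front end; the size limits and the `classify` policy are assumptions chosen for the example.

```python
"""Parse a raw HTTP/1.x response the way it appears on the wire.

Added example, not from the original thread. It shows that '400 Bad
Request' lives in the status line of a full response (status line,
headers, blank line, body), and how a client can parse such a reply
with bounded sizes and reject anything malformed or truncated instead
of hanging on it.
"""
import re

# Constructed sample capture (not from the challenge): an nginx-style
# 400 response. Content-Length matches the 50-byte body below.
SAMPLE_BAD_REQUEST = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 50\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body><h1>400 Bad Request</h1></body></html>"
)

# Constructed 'happy path' reply for comparison.
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK"

# Status line: HTTP/<major>.<minor> <3-digit code> [reason phrase]
STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3}) ?([^\r\n]*)$")

# Assumed upper bounds; the point is that every read is bounded, not
# the particular numbers.
MAX_HEADER_BYTES = 8192
MAX_BODY_BYTES = 1 << 20


class HttpParseError(ValueError):
    """Raised for anything the client should refuse to act on."""


def parse_response(raw: bytes) -> dict:
    """Split a raw response into version, status, reason, headers, body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HttpParseError("incomplete header section")
    if len(head) > MAX_HEADER_BYTES:
        raise HttpParseError("header section too large")

    lines = head.split(b"\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise HttpParseError("malformed status line")
    status = int(m.group(3))
    reason = m.group(4).decode("latin-1")

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise HttpParseError("malformed header line")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")

    # Body length comes from the peer; never trust it to size a buffer
    # without checking it against both a limit and what actually arrived.
    length = headers.get("content-length")
    if length is not None:
        if not length.isdigit():
            raise HttpParseError("bad Content-Length")
        n = int(length)
        if n > MAX_BODY_BYTES:
            raise HttpParseError("body too large")
        if len(rest) < n:
            raise HttpParseError("truncated body")
        body = rest[:n]
    else:
        body = rest[:MAX_BODY_BYTES]

    return {
        "version": (int(m.group(1)), int(m.group(2))),
        "status": status,
        "reason": reason,
        "headers": headers,
        "body": body,
    }


def classify(raw: bytes) -> str:
    """Decide what a client should do with a reply instead of hanging.

    Returns 'ok', 'client-error', 'server-error', 'other' or 'reject'
    (the last for anything that does not parse as a response at all).
    """
    try:
        status = parse_response(raw)["status"]
    except HttpParseError:
        return "reject"
    if 200 <= status < 300:
        return "ok"
    if 400 <= status < 500:
        return "client-error"
    if 500 <= status < 600:
        return "server-error"
    return "other"


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD_REQUEST):
        r = parse_response(sample)
        print(r["status"], r["reason"], "->", classify(sample))
```

The `classify` function is the vocabulary the post talks about: a client that only knows how to handle a 2xx reply has nowhere to go when the proxy answers 400, whereas one that maps every status class (and every malformed reply) to an explicit outcome can fail cleanly. The explicit `MAX_*` limits and the `truncated body` check are the defensive habit hinted at in the buffer-overflow remark: the length field in the response is attacker-influenced input and must never be used to size a buffer unchecked.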