[FortiChallenge 2k11] Results

by Alexandre Aumoine
November 15, 2011 at 7:45 am

Thank you to everyone who tried to solve our FortiChallenge 2k11!

We’ve had way more participants than expected, and two winners:

  1. Shirley Chen
  2. Nagy Ferenc László

Shirley and Nagy found the secret sentence, without even using the hints.

A special mention for another participant (StalkR) who tried to solve it in the wake of Insomni’Hack 2011, and managed to reach the md5 collision step.

Stay tuned for the official solution!

– the Reverse naM

Author bio: Working as a malware analyst and researcher for Fortinet's FortiGuard Global Security Research Team, Alexandre is interested in security and reverse engineering. He has a background in network protocols (CCNA certified).

Symbian malware uses a 91-byte XOR key

by Axelle Apvrille
November 8, 2011 at 7:56 am

It’s high time the Crypto Girl talks about Crypto, isn’t it?

A few days ago, I analyzed a malicious Opera Updater, named SymbOS/OpFake.A!tr.dial, and was surprised to discover it uses a 91-byte XOR key to conceal one of its configuration files. 91 bytes?! Yes, bytes, so 728 bits. This is quite a lot. AES only uses keys up to 256 bits, though I do not mean that AES would be less secure than this XOR. But it is a first for mobile malware, where we had only seen XOR used with a single-byte key. Have a look at the disassembled decryption routine below.

Actually, this is another confirmation of my talk at RSA Conference Europe, where I explained that 1-byte-key XOR encryption is still very popular among malware authors but that they are gradually shifting to more complicated algorithms. I had meant algorithms such as AES ;) but a 91-byte key for XOR is another way of complicating things… Feel free to check my slides or the demo video below.


Fortunately, for SymbOS/OpFake.A!tr.dial, the key was provided at the beginning of the encrypted file. First the key length (0x5b = 91), then the key, then the ciphertext.
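The layout just described (one length byte, then the key, then the ciphertext) is easy to handle in an analysis script. The following is an added example, not code from the original post or from Fortinet: it parses a blob in that layout, recovers the key from the header and XORs the ciphertext against it, cycling the key when the ciphertext is longer than 91 bytes. The key and configuration text below are constructed for the example and are not the malware's real values.

```python
"""Parse and decrypt a configuration blob laid out as the post describes:
<1 byte: key length> <key> <ciphertext>.
All sample data here is constructed for illustration (not the real malware key)."""
from itertools import cycle
from typing import Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the key cycles if data is longer."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def split_blob(blob: bytes) -> Tuple[bytes, bytes]:
    """Split a blob into (key, ciphertext) using the leading length byte.

    Truncated or malformed blobs raise ValueError instead of silently yielding
    garbage, which is what an analyst wants when carving files from a sample."""
    if len(blob) < 1:
        raise ValueError("blob too short: missing key-length byte")
    key_len = blob[0]  # 0x5b == 91 in the sample discussed above
    if key_len == 0:
        raise ValueError("key length byte is zero")
    if len(blob) < 1 + key_len:
        raise ValueError(f"blob truncated: expected a {key_len}-byte key")
    key = blob[1:1 + key_len]
    ciphertext = blob[1 + key_len:]
    return key, ciphertext


def decrypt_blob(blob: bytes) -> bytes:
    """Recover the plaintext configuration from a self-keyed blob."""
    key, ciphertext = split_blob(blob)
    return xor_bytes(ciphertext, key)


def encrypt_blob(plaintext: bytes, key: bytes) -> bytes:
    """Build a blob in the same layout; used here only to construct test data."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must be 1..255 to fit in one byte")
    return bytes([len(key)]) + key + xor_bytes(plaintext, key)


# Constructed sample: a 91-byte key (length byte 0x5b) and a made-up config.
SAMPLE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(91))
SAMPLE_CONFIG = (
    b"[updater]\n"
    b"url=http://example.invalid/update\n"
    b"number=0000\n"
    b"retry=3\n"
)
SAMPLE_BLOB = encrypt_blob(SAMPLE_CONFIG, SAMPLE_KEY)


if __name__ == "__main__":
    key, ct = split_blob(SAMPLE_BLOB)
    print(f"key length byte: 0x{SAMPLE_BLOB[0]:02x} ({SAMPLE_BLOB[0]} bytes)")
    print(f"ciphertext length: {len(ct)} bytes")
    print(decrypt_blob(SAMPLE_BLOB).decode())
```

Because the key travels with the file, the 728-bit key adds no secrecy against anyone holding the sample: the decryptor above needs nothing the file itself does not carry. The length check matters in practice, since a partially downloaded or carved configuration file would otherwise be XORed with the wrong key and look like random noise.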


– the Crypto Girl

References: F-Secure’s blog post on OpFake

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

[FortiChallenge 2k11] Hint #2

by Alexandre Aumoine
November 3, 2011 at 6:40 am

Any progress on our FortiChallenge 2k11? After the first clue, here is the second.

Just a reminder that the first hint is meant to help you find the right way with the hashes.

Don’t miss the modification; Crypto Girl hates MD5 for this reason!

By the way, the challenge’s submission deadline is extended to Nov 13th, 2011.

The Reverse naM


[FortiChallenge 2k11] Hint #1

by Alexandre Aumoine
October 21, 2011 at 2:44 am

Stuck on our FortiChallenge 2k11? Here’s a first hint!

Translations:

La fin est encore loin surtout quand on est sur le mauvais chemin !
Wrong track, go back!

La fin est proche, l’anneau est inclus.
Dawn is close, search for the ring.

Mon precieux
My precious

Hint:

-6D01BAE018694CDB446DC7EADBA08BE497A8CBE78BCFE91478AB120B4400E357
-ad23ebc59b720eac0979ead3176de3331ddaa1356466ecc8e8c9fb82f62a6dca
-BCA85F09D8D174844C5D5B80095E6EF595181AAB0CABA9144324418B9F291645
-3EE90318AA2881118B8C09A777D52129E61760CCAE1EF679C744A25E9EB50789
-5868049FE51A60811D2C75C3B8896B956EE42114C568DE47531E436CEA2E0F77

– the Reverse naM


FortiChallenge 2k11

by Alexandre Aumoine
October 17, 2011 at 6:33 am

Hello all,

At Insomni’Hack 2011, we created a challenge dedicated to static reversing of Symbian executables (using SDK S60 Ed3 FP1). Sadly, nobody found the full solution, so we finally decided to put it online for you to try, until November 1st, 2011. We will then post the winner’s solution on this blog, along with the ‘official’ solution. To help you out – if needed – this post will be updated with a hint in a few days.

Challenge prize? The winner (first good solution) receives … fame and glory :)) i.e. nothing besides marketing goodies, if desired :D

Challenge steps:

  • retrieve the archive here
    sha256 => B74D50104499C35EE9544A77A0DD491646991CD2B3780A7571377152A5F65BD0
    P@55 => *Dneige
    No username. The 7z archive contains an IDA disassembly, an executable, some snapshots and a readme.
  • find the secret sentence
  • send us an e-mail at FORTIChallenge@fortinet.com with the secret sentence and explain the solution you used.

That’s all for today, happy RE!

– the Reverse naM

Update Oct 21 2011: Hint #1

Update Nov 3 2011: Hint #2

Update Nov 15 2011: Results
