Reverse engineering, Windows internals, x86 magic, low level programming, and everything else I feel like writing about.

CrySyS SecChallenge 2020: Side Quest

Hey John!

I need your help! You know my friend Eric Leblanc, right? We were talking on the phone, and he was quite disturbed. He said that one of his co-workers told him a story about a cave in a nearby forest where they used to live. He said that they used to hear people screaming regularly, and they were so terrified, that they decided to move. So long story short, Eric and his son Timmy went into this “terrifying” forest to check it out for themselves. He said that he meant to turn it into a “father and son time”, because they are both into scary movies, but whatever. They found the entrance, went inside, and listen to this: they found a metal doorway leading into a dark room, and apparently, Eric thought it would be funny to pull a prank on Lil’ Timmy and close the door behind him. Now guess what, as he closed the door, he heard a beep AND THE DOOR IS F***ING LOCKED RIGHT NOW WITH LIL’ TIMMY INSIDE.

If that’s not enough, the story gets even creepier… He found a keypad next to the doorway with a red and a green LED on it. He tried a bunch of combinations, but none of them worked, so he panicked and called me on the phone to come and help him. I threw a bunch of electronic stuff into my bag and went there to take a look at it, but I could not open the door. You’re better at hardware stuff than me! Could you help me please? We tried to call the cops, but they think we’re just joking and wouldn’t come here to help.

Here are the details:

  • There are 11 buttons on the keypad, labeled 0-9 and # (which is used to send the key code). All of them look like they have been heavily used, so I assume the password is at least 10 digits long, but it could be even more.
  • There are two LEDs above the keys, a red and a green one. If I enter a key code and press the # button, the red LED turns on for a short amount of time. I assume this means that the code is incorrect, and the green one would mean that the code is valid.
  • I have managed to get the front cover off the keypad and look around, but there is no microcontroller inside the box; only the wiring for the keys and the LEDs goes back to the other side of the wall.
  • I brought my laptop, an arduino and some wires with me. I’ve managed to tap into the wiring of the keypad and tried to brute force the code, but as soon as I try more than 10 key codes per second, it blocks me from entering a new one for 1 minute. This way, it would take me at least 31 years to try all combinations, even with only 10 digits!! Lil’ Timmy can’t wait that long inside! He needs to go to school on Monday…
  • I’ve set up a simple web page for you, where you can help me figure out the password. In order to help you, I managed to hook the signal of the two LEDs onto the site, so you can see if the password is correct or not. I’ve made it so that if you press the SEND button, the arduino emulates a # press, so please enter only the numbers in the input field.

I have to go now to try to get a blowtorch, but the door looks at least 15” thick, so I hope that you can figure this one out for me and Lil’ Timmy.

Sincerely, George

Hint: If you want to automate your solution, you can send POST requests directly to remote.php.

Categories

Hardware, Side channel, Offensive

Files

  • Unfortunately I cannot provide the environment for this, as the server code wasn’t given

Solution

The task here is clearly to use the measured response delay to recover the passcode. Most data comparisons first compare the lengths, then the contents one element at a time, stopping at the first mismatch, so the delay tells you how far the comparison got before it failed. I decided to just solve it by hand:
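To make that mechanism concrete, here is an added Python example of my own; it is not code from the original write-up, and since the challenge's server code was never provided, the checker below is a constructed stand-in with a made-up secret. It models the response delay as the number of character comparisons the check performs, shows why a length-first, early-exit comparison lets the delay be turned into a digit-by-digit oracle, and shows that a constant-time comparison (`hmac.compare_digest`, with no short-circuit) gives the same cost for every guess, so the same recovery loop gets nothing.

```python
"""Timing leak of an early-exit comparison versus a constant-time one.

The 'work' value returned next to each verdict counts character comparisons
and stands in for the response delay a remote caller would measure.  Added
illustration; the challenge server code itself was not available.
"""
import hmac
from typing import Callable, Optional, Tuple

# Constructed stand-in secret for the demo; the real passcode is unknown.
SECRET = "7194620853"
DIGITS = "0123456789"

Checker = Callable[[str], Tuple[bool, int]]


def naive_check(guess: str, secret: str = SECRET) -> Tuple[bool, int]:
    """Compare length first, then characters, returning at the first mismatch.

    This is the pattern the write-up describes: the amount of work (and thus
    the delay) grows with the length of the correct prefix of the guess.
    """
    if len(guess) != len(secret):
        return False, 0          # wrong length: no character work at all
    work = 0
    for g, s in zip(guess, secret):
        work += 1
        if g != s:
            return False, work   # early exit leaks how far we got
    return True, work


def constant_time_check(guess: str, secret: str = SECRET) -> Tuple[bool, int]:
    """Hardened form: hmac.compare_digest has no early exit, and a length
    mismatch is folded into the verdict rather than short-circuiting.

    The work is modelled as a fixed cost for every guess, which is the
    property that matters: the delay carries no information about the guess.
    """
    ok = hmac.compare_digest(guess.encode(), secret.encode())
    return ok, len(secret)


def timing_leak(check: Checker, length: int) -> bool:
    """True if the work depends on the guess content, i.e. the check is usable
    as a timing oracle.  Probes with ten uniform guesses of the given length."""
    costs = {check(d * length)[1] for d in DIGITS}
    return len(costs) > 1


def recover_from_work(check: Checker, max_len: int = 20) -> Optional[str]:
    """Recover the secret from the work signal alone, or return None when the
    check leaks nothing.  Runs against a local checker only."""
    # Length first: with a length-first comparison, only the right length
    # performs any character work.
    lengths = [n for n in range(1, max_len + 1) if check("0" * n)[1] > 0]
    if len(lengths) != 1:
        return None              # every length costs the same: no signal
    n = lengths[0]
    if not timing_leak(check, n):
        return None
    known = ""
    for i in range(n):
        # The correct digit makes the comparison advance at least one step
        # further than any wrong digit; on the last position the verdict
        # itself (the green LED) breaks the tie, hence the (match, work) key.
        best = max(DIGITS, key=lambda d: check(known + d + "0" * (n - i - 1)))
        known += best
    return known


if __name__ == "__main__":
    print("naive leaks:        ", timing_leak(naive_check, len(SECRET)))
    print("constant-time leaks:", timing_leak(constant_time_check, len(SECRET)))
    print("recovered (naive):  ", recover_from_work(naive_check))
    print("recovered (ct):     ", recover_from_work(constant_time_check))
```

Counting comparisons instead of wall-clock time keeps the demo deterministic; against a real keypad the same signal is the delay between the # press and the red LED, buried in noise, which is why the write-up measures it repeatedly and why a fix on the controller side has to compare every digit before deciding anything.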