Small challenge from Gynvael Coldwin

2017-08-04 783 words 4 minutes

Contents

Gynvael Coldwin posted a small challenge at the end of his last podcast on Windows Kernel Debugging with Artem Shishkin:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Welcome back agent 1336.
No mail.
> mission --take
MISSION 012               goo.gl/qudiHJ             DIFFICULTY: ██░░░░░░░░ [2╱10]
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅

Our agents managed to install a hardware keylogger in suspects computer. After
they retrieved it and dumped the recorded data, here is what showed up:

  58 f0 58 1b f0 1b 58 f0 58 44 f0 44 2d f0 2d 2d f0 2d 35 f0 35 41 f0 41 29
  f0 29 59 43 f0 43 f0 59 29 f0 29 23 f0 23 44 f0 44 31 f0 31 52 f0 52 2c f0
  2c 29 f0 29 1b f0 1b 4d f0 4d 24 f0 24 1c f0 1c 42 f0 42 29 f0 29 12 42 f0
  42 f0 12 24 f0 24 35 f0 35 32 f0 32 44 f0 44 1c f0 1c 2d f0 2d 23 f0 23 49
  f0 49

Could you help us decoded it to know what was typed?

Good luck!

---------------------------------------------------------------------------------

If you decode the answer, put it in the comments under this video! If you write
a blogpost / post your solution online, please add a link in the comments too!

P.S. I'll show/explain the solution on the stream in ~two weeks.

Our first guess was that the characters use some well-known encoding such as ASCII, but this turned out to be wrong assumption. In order to obtain some knowledge about the structure of the recorded data, we ran some statistical analysis of the different byte values:

This shows that the byte \xf0 is used far more often than the other ones, so our research continued in this direction. We realized that this byte is a part of the so-called scan code, which is sent whenever a key is pressed on a hardware keyboard. The following web page provides detailed information on this matter, especially the different scan code sets. The byte \xf0 is frequently used in the scan code set 2:

http://www.computer-engineering.org/ps2keyboard/

Quotation:

Scan Code Set 1 - Original XT scan code set; supported by some modern keyboards
Scan Code Set 2 - Default scan code set for all modern keyboards
Scan Code Set 3 - Optional PS/2 scan code set–rarely used

When handling direct hardware input, the hardware obviously has no knowledge of ASCII encodings, keyboard layouts and so on - this is all handled by the operating system. We only know which scan and make codes are used and can infer which keys were pressed (and released).

The basic logic is as follows:

Key is pressed -> MAKE CODE
Key is released -> BREAK CODE

There are unique make and break codes for every key and can be looked up in the scan code set.

To translate the number of bytes to text, we assume scan code set 2 has been used, both because of the usage of \xf0 and due to the fact that it is used for all modern keyboards:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
 58 f0 58 	<CAPS>
 1b f0 1b 	S
 58 f0 58 	<CAPS>
 44 f0 44 	o
 2d f0 2d 	r
 2d f0 2d 	r
 35 f0 35 	y
 41 f0 41 	,
 29 f0 29 	<SPACE>
 59   		<R SHIFT> (MAKE)
 43 f0 43 	I
 f0 59   	<R SHIFT> (BREAK)
 29 f0 29 	<SPACE>
 23 f0 23 	d
 44 f0 44 	o
 31 f0 31 	n
 52 f0 52 	'
 2c f0 2c 	t
 29 f0 29 	<SPACE>
 1b f0 1b 	s
 4d f0 4d 	p
 24 f0 24 	e
 1c f0 1c 	a
 42 f0 42 	k
 29 f0 29 	<SPACE>
 12   		<L SHIFT> (MAKE) 
 42 f0 42 	k
 f0 12  	<L SHIFT> (BREAK)
 24 f0 24 	e
 35 f0 35 	y
 32 f0 32 	b
 44 f0 44 	o
 1c f0 1c 	a
 2d f0 2d 	r
 23 f0 23 	d
 49 f0 49 	.

Thus, we obtain the result text:

Sorry, I don't speak Keyboard.