What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.


Hack This Site! - Application 3


Application Challenges

Welcome to Hack This Site application challenges! In this variety of hacking challenges, you are given an application with an objective and you are expected to manipulate the operating system, the executable, or through other means to complete the level. Each challenge operates in a different way and will require different methods to go about completing the level.

Upon completion, the challenge will give you a password for you to enter on the website. This will update your HTS account, demonstrating that you have actually completed the level.

All application challenges can be beaten without brute-forcing. We encourage you to try what you like on the programs but please do NOT brute-force the website.

These levels are available for Windows(9X/ME/NT/2000/XP) and Macintosh(Mac OS X, Mac OS classic with carbon) systems only. If anyone is interested in developing *nix versions of these application challenges, please contact us - basic socket programming experience is necessary.

Level 3
Application Challenge 3
Find the Password. (easy)
app3win.zip   app3mac.sit   
Enter password:
level up!
  1. At first, you need to download one of the files from the HTS website depending on your OS. I chose the Windows one.
  2. After unzip the archive, there's an executable file named 'app3win.exe'. Execute it, then it will require you to enter a serial number for verifying the software license.
  3. You could input something, press the "Authenticate" button and sniff the network traffic in the meantime. After that, you'll find out there's a URL for authentication. But this time there are no serial numbers for you.
  4. Since this series of challenges is about 'Application', let's go back to the application itself. Use a hex editor to open the executable file. I use 010 Editor to do so.
  5. Find the judgement statement inside the raw string like the left part in the image below. Exchange  the label of 'true' and 'false' in the statement like the right part in the image below and save it.
  6. Execute the file again. This time when you input anything wrong, the application will think it's correct and give you the password.
  7. Congratulations, you have successfully completed application 3!