My Video for my solution to part 1 of the GCHQ www.canyoucrackit.co.uk challenge.

A video is worth 10,000 words but basically this is the process I followed.

Hand typed the hex shown on the webpage into a file.

Uploaded the file to Linux and ran to ‘file’ command to give me a clue.

Command ‘ndisasm’ passes the file as assembly. It is assembly.

Used IDA Disassembler together with the Bochs x86 Emulator to step through the code. There is a check routine that points to the fact we are missing data.

Analysis of the original image shows a hidden comment within the raw content. Looks like base 64 encoded as the string is all printable characters and ends with ‘==’. Converted to hex using this online tool and pasted back into the original file.

Back into IDA Disassembler ran the code and analysed the memory revealing the solution to part 1. http://www.canyoucrackit.co.uk/15b436de1f9107f3778aad525e5d0b20.js