Didier Stevens

Tuesday 22 July 2008

Authenticode Challenge

Filed under: Puzzle — Didier Stevens @ 21:03

Here’s a new puzzle, and “by popular demand”, it’s a couple of orders of magnitude harder than the previous puzzles.

The puzzle is a Windows console application; you can download it here. When you run the program, it prints “Authenticode Challenge version 1” to stdin. The challenge is twofold:

1) make the program print “Authenticode Challenge version 2” (that’s easy)

2) update the digital signature to keep it valid (not so easy)

When you check the digital signature of the puzzle, you’ll see this:

After you change the program to print “Authenticode Challenge version 2”, you’ll see an invalid signature:

The challenge is to keep the signature valid, using a certificate with the same public key.
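Why changing the printed string invalidates the signature, as an added example (not code from the original post or from the challenge binary): a verifier recomputes a digest over the file, skipping only the CheckSum field, the certificate-table directory entry and the certificate table itself, and compares it with the digest that was signed. The sample buffer is constructed and is not a runnable program; SHA-1 as the digest algorithm and a certificate table placed at the end of the file are assumptions.

```python
import hashlib
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)

def build_sample(message: bytes, checksum: int = 0) -> bytes:
    """Constructed PE32-shaped buffer: only the fields the digest logic reads."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew at 0x3C
    coff = b"PE\0\0" + bytes(20)                          # PE signature + COFF header
    opt = bytearray(96 + 16 * 8)                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 64, checksum)             # CheckSum field
    body = message.ljust(64, b"\0")                       # stands in for section data
    sig = b"CONSTRUCTED-SIGNATURE-BLOB".ljust(32, b"\0")  # placeholder, not PKCS#7
    cert_off = len(dos) + len(coff) + len(opt) + len(body)
    struct.pack_into("<II", opt, 96 + CERT_DIR_INDEX * 8, cert_off, len(sig))
    return dos + coff + bytes(opt) + body + sig

def authenticode_digest(pe: bytes, algo: str = "sha1") -> bytes:
    """Hash the image, skipping CheckSum, the cert directory entry and the cert table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                     # start of optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum = opt + 64
    entry = opt + (96 if magic == 0x10B else 112) + CERT_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, entry)
    if cert_size == 0:                                    # unsigned: hash to end of file
        cert_off = len(pe)
    h = hashlib.new(algo)
    h.update(pe[:checksum])                               # up to CheckSum
    h.update(pe[checksum + 4:entry])                      # up to cert directory entry
    h.update(pe[entry + 8:cert_off])                      # rest of headers and data
    h.update(pe[cert_off + cert_size:])                   # anything after the cert table
    return h.digest()

def signature_still_matches(signed_digest: bytes, pe: bytes) -> bool:
    return authenticode_digest(pe) == signed_digest

if __name__ == "__main__":
    v1 = build_sample(b"Authenticode Challenge version 1")
    v2 = build_sample(b"Authenticode Challenge version 2")
    signed = authenticode_digest(v1)                      # the value the signer signed
    print(signature_still_matches(signed, v1), signature_still_matches(signed, v2))
```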

All the data you need from me is in the executable. You’re not allowed to hack my servers in search of the private key.

FYI: this puzzle was reviewed by a PKI expert, who confirmed the solution.

Good luck, I hope there will be many challengers, and better yet, with another solution than mine!
