Oh man, I totally didn't even think to look at the forum. I finally finished the puzzle, it was really fun, reminded me of the good old days when my hat was a darker shade of grey.
I'll post my process here just in case anybody is curious:
- Went to http://www.hacknslashthegame.com/ and downloaded the .zip.jpg from http://www.hacknslashthegame.com/download/HacknSlashAnnounce.zip.jpg
- Opened it with 7-zip and extracted the 3 files.
- Looked at the text file and noticed that lines seemed to repeat every 34 characters, except some words had weird offsets, so I wrote a simple (and super hacky) python script to grab out the interesting parts:
# Compare each 30-char line with its copy 34 characters later and keep the
# word where the two first differ (the file is cp1252, hence the decode).
with open('WorldTablet.txt', 'rb') as f:
    text = f.read().decode('cp1252')
s = ''
for a, b in [(text[i:i+30], text[i+34:i+64]) for i in range(0, len(text), 68)]:
    if a != b:
        for i in range(30):
            if a[i] != b[i]:
                c = a if a[i] != ' ' else b  # take whichever side holds the word
                end = c.find(' ', i)  # -1 means the word runs to the end of the line
                s += (' ' if len(s) != 0 else '') + c[i:end if end != -1 else None]
                break  # one differing word per line pair
print(s)
- Got the message "the embedded application is enciphered with the incantation presented by the first observed glyphs"
- Figured I had to decode the glyphs which I assumed were a simple substitution cypher. I guessed that the original jpeg was a rosetta stone pangram. Based on frequency, the dots were clearly spaces, so it clearly wasn't "quick brown fox". Instead of actually figuring it out, I just Googled for English pangrams and "The five boxing wizards jump quickly" was the only one that fit.
- I then used ffmpeg to dump every frame from the video file using:
ffmpeg -i Outside.mp4 Outside%d.png
and went through all 400 some odd frames and found the 84 that actually had text in them.
- Proceeded to decode the video message to get "most of the time we only see the things that we expect to often secrets are in plain sight but remain invisible to us size up the medium you are observing and you may find it supports modes of expression you do not expect images can contain words words can produce images something that appears to be a recording of life may actually be a container filled with the sequences of images and channels of audio that you expect but that container may hold" (I could actually read this stuff without the reference by the end).
- The first part of this I guessed had something to do with the text file. I turned on line wrap mode in my editor (as a programmer, line wrap is a feature I NEVER use), and realized that if I resized it to 64 characters (nice number there), you could actually look at the image as a cross-eyed stereogram and the words would actually stand out (cool idea, but the python script gave less of a headache).
- The second part was clearly talking about the mp4 container used for the video. It made it fairly apparent that there was something else multiplexed into the file. I ran:
MP4Box -info Outdoors.mp4
and got the following (and a bunch more that I cut out for brevity):
Root Meta type: "mp21" - 1 resource item(s)
Item #1 - ID 1 - Name: crackme.enc - MimeType: application/octet-stream
- It was clear that there was a file called crackme.enc in the mp4 as a resource file. I again used MP4Box to extract the resource with:
MP4Box -dump-item 1 Outdoors.mp4
- I guessed that the .enc in crackme.enc was either for encoded or encrypted, so I ran
hexdump -C crackme.enc | less
to look at the contents of the file. I immediately noticed that it started with "Salted__" which is the magic number header for AES encrypted files produced with OpenSSL.
- The message from the text file seemed to indicate that the "enciphered" file was decoded using the "first observed runes". The first runes I saw (or anybody saw for that matter) were the ones in the rosetta stone image, so I guessed that the pass phrase for the encrypted data was either "the five boxing wizards jump quickly" or "THE FIVE BOXING WIZARDS JUMP QUICKLY"; I just needed to figure out what AES mode to use. Looking at the original post, I saw "TLS_RSA_WITH_AES_256_CBC_SHA" so I guessed aes-256-cbc. I ran
openssl aes-256-cbc -d -in crackme.enc -out crackme.bin
and tried both passwords, and lo and behold, the capital one worked.
- Took a look at crackme.bin with:
hexdump -C crackme.bin | less
and saw that it started with 4d 5a (MZ), the magic number for an exe. At this point I switched to Windows (why was your little puzzle not an elf? srsly).
- Copied crackme.bin over to my Windows box and ran it. Obviously needed some sort of password, but had no idea what. Opened it up with ollydbg and searched for all referenced strings, but I couldn't find anything with "INCANTATION" in it, so I just ran the program and got a warning that the code section was encrypted and thought "oh great, this is gunna suck", but it was actually super easy. I just typed in some text, let the program finish, and lo and behold, right there on the stack was the value "AND TRUTH. AND WITH THE POWERS I HAVE OVER HIDDEN BUT NOT INACCESSIBLE TRUTHS.". I'm assuming that they loaded the string from the binary to compare it, and didn't explicitly 0 the memory when they were done (not sure if this was accidental or intentional).
- Ran it again with this as the incantation, and got the code.
At this point, I think I have gotten essentially everything figured out. There may be some real way you are supposed to figure out the code for the exe, but I like using debuggers, and find that a totally acceptable approach. I also didn't end up using the song for anything, but looking at it there are a couple of interesting things which may have helped. The genre of the song is aes-256-cbc, a really clear hint to the encryption to use (more so than the string on the website). There is also a comment on the track of "passwords read like incantations when spoken in all capital letters" which would have helped make the leap from the invocation comment to the aes password, and would have made it clear that I needed all caps. There are also a few "encrypted_payload"s on the blog post that may or may not actually mean anything, I might try to decrypt them tomorrow. I was really hoping for a demo when I saw "embedded application", but no such luck. Overall, a very fun little puzzle, although more interesting exe hacking would have made it better; I love spending weekends reading x86 assembly, and it has been so long since I have had reason to, the days of making no-cd cracks for myself so that I didn't have to change discs all the time are long gone thanks to Steam.
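To make the "Salted__" step above concrete, here is an added Go example (not from the original post or the puzzle) that parses OpenSSL's salted container, derives the AES-256 key and CBC IV with the legacy MD5 EVP_BytesToKey that `openssl enc` used at the time (OpenSSL 1.1.0 and later default to SHA-256 unless you pass -md md5), and rejects a wrong passphrase through the PKCS#7 padding check. The payload, salt and passphrase are constructed samples; the encrypt helper exists only to build the sample blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"errors"
)

// evpBytesToKey replicates OpenSSL's legacy EVP_BytesToKey (MD5, one iteration):
// D1 = MD5(pass|salt), Dn = MD5(Dn-1|pass|salt), concatenated until 48 bytes.
// A single unsalted-strength MD5 round is why this KDF is weak against guessing.
func evpBytesToKey(pass, salt []byte) (key, iv []byte) {
	var d, prev []byte
	for len(d) < 48 {
		h := md5.Sum(append(append(append([]byte{}, prev...), pass...), salt...))
		prev = h[:]
		d = append(d, prev...)
	}
	return d[:32], d[32:48] // 32-byte AES-256 key, 16-byte CBC IV
}

// decryptSalted parses "Salted__" + 8-byte salt + ciphertext and decrypts with AES-256-CBC.
func decryptSalted(blob, pass []byte) ([]byte, error) {
	if len(blob) < 32 || string(blob[:8]) != "Salted__" {
		return nil, errors.New("not an OpenSSL salted blob")
	}
	salt, ct := blob[8:16], blob[16:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not whole AES blocks")
	}
	key, iv := evpBytesToKey(pass, salt)
	block, _ := aes.NewCipher(key) // key is always 32 bytes, so this cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// PKCS#7 padding check: a wrong passphrase almost always fails here
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong passphrase or corrupt data")
	}
	return pt[:len(pt)-n], nil
}

// encryptSalted builds the same container; used here only to construct a sample blob.
func encryptSalted(plain, pass, salt []byte) []byte {
	key, iv := evpBytesToKey(pass, salt)
	block, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte("Salted__"), salt...), ct...)
}
```

The same "bad decrypt" failure is what `openssl aes-256-cbc -d` reports for the lowercase guess, while the right passphrase yields a buffer whose first two bytes you can then check for the MZ magic.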