mundanename

HacknSlashAnnounce


There is a reference to DbgUiRemoteBreakin which is a function handling remote debugging. So trying to attach debugger to running process, not a lot of success so far.

Disassembling the exe also, trying to find where the strings are compared to the one entered, and find by reverse the right one.

> Ya guys this is the furthest I can go every time I run the exe my browser hangs and I can't end the process without restarting my computer so keep me up to date!

Part of me has latched on to that and is now hunting around in for some indication that it's attempting to open a browser or similar.

The rest of me thinks that's probably mad, there's no evidence for it, and that farting around in a hex editor at half one in the morning is a terrible idea with work in the morning, so I'm bowing out. I expect all you geniuses will have solved it by the time I wake up in the morning :).


Well when I look at the process in details from the screen it has a bunch of Java stuff listed.

> The full message (lots of hints here):
>
> most of the time we only see the things that we expect to
>
> often secrets are in plain sight but remain invisible to us
>
> size up the medium you are observing and you may find it supports modes of expression you do not expect
>
> images can contain words
>
> words can produce images
>
> something that appears to be a recording of life may actually be a container filled with the sequences of images and channels of audio that you expect but that container can hold
>
> The message ends abruptly here...

Maybe there's a hint to finding the incantation in this text? Has everything mentioned been done already?

> The full message (lots of hints here):
>
> most of the time we only see the things that we expect to
>
> often secrets are in plain sight but remain invisible to us
>
> size up the medium you are observing and you may find it supports modes of expression you do not expect
>
> images can contain words
>
> words can produce images
>
> something that appears to be a recording of life may actually be a container filled with the sequences of images and channels of audio that you expect but that container can hold
>
> The message ends abruptly here...
>
> Maybe there's a hint to finding the incantation in this text? Has everything mentioned been done already?

idk the original text file after unzipping the picture decodes to "the embedded application is enciphered with the incantation presented by the first observed glyphs" so I would assume it must be the glyphs in the picture


I think that's referring to the password used to decrypt the executable, not the "incantation" we need to enter once you run the decrypted executable.

So, back to the border, are we? I'm out of other ideas as to where the incantation could be hiding.

> The full message (lots of hints here):
>
> ...
>
> Maybe there's a hint to finding the incantation in this text? Has everything mentioned been done already?

Yeah I was thinking about that - presumably the "Images can contain words" was a reference to the password in the splashscreen image, but we haven't really done anything that maps to "Words can produce images"

> The full message (lots of hints here):
>
> ...
>
> Maybe there's a hint to finding the incantation in this text? Has everything mentioned been done already?
>
> Yeah I was thinking about that - presumably the "Images can contain words" was a reference to the password in the splashscreen image, but we haven't really done anything that maps to "Words can produce images"

Actually I think that was referring to the magic eye text.

> The full message (lots of hints here):
>
> ...
>
> Maybe there's a hint to finding the incantation in this text? Has everything mentioned been done already?
>
> Yeah I was thinking about that - presumably the "Images can contain words" was a reference to the password in the splashscreen image, but we haven't really done anything that maps to "Words can produce images"

Anyone try 'algorithms' yet? It seems like these things would contain algorithms.

It's pained me to be at work and not decoding all this stuff (though I did get a chance to futz around with it at a slow point). Hoping to get home soon and decipher more!


The file tiledark.jpg in a hex editor has the word "Ducky" very near the beginning; it isn't an "Incantation" for the new executable, but it looks pretty out of place.


So by installing GPAC, and using this command:

MP4Box Outdoors.mp4 -dump-item test:1

I manage to obtain a file called crackme.enc

(http://bayfiles.net/file/11yVd/hLkKRh/crackme.enc)

Which I can decrypt with:

openssl enc -d -aes-256-cbc -k "THE FIVE BOXING WIZARDS JUMP QUICKLY" -in crackme.enc -out cracked

(http://bayfiles.net/file/11yVr/IoZ1YH/cracked)

(if anyone knows of a better place to upload, let me know)
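
Added example, not part of the original post: what the `openssl enc -d -aes-256-cbc -k ...` command above does with the passphrase before AES runs. It checks the `Salted__` header and derives key and IV with OpenSSL's EVP_BytesToKey; the sample blob, its salt and the helper names are constructed for illustration. OpenSSL before 1.1.0 defaults to MD5 for this step and later releases to SHA-256, so a file written by an older release needs `-md md5` on a newer one.

```python
import hashlib

MAGIC = b"Salted__"   # header written by `openssl enc` when a salt is used
PASSPHRASE = b"THE FIVE BOXING WIZARDS JUMP QUICKLY"   # from the post above

def parse_enc_header(blob):
    """Split salted `openssl enc` output into (salt, ciphertext)."""
    if blob[:8] != MAGIC:
        raise ValueError("no Salted__ header")
    salt, ciphertext = blob[8:16], blob[16:]
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return salt, ciphertext

def evp_bytes_to_key(passphrase, salt, digest, key_len=32, iv_len=16):
    """EVP_BytesToKey, one iteration: D_i = H(D_{i-1} + passphrase + salt)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def candidate_keys(blob, passphrase=PASSPHRASE):
    """Key/IV pairs for both default digests; the encrypting release decides which applies."""
    salt, _ = parse_enc_header(blob)
    return {d: evp_bytes_to_key(passphrase, salt, d) for d in ("md5", "sha256")}

# Constructed sample: header, a made-up salt and two all-zero "ciphertext" blocks.
SAMPLE = MAGIC + bytes.fromhex("0011223344556677") + bytes(32)

if __name__ == "__main__":
    for digest, (key, iv) in candidate_keys(SAMPLE).items():
        print(digest, key.hex(), iv.hex())
```

The derivation is a single hash pass per block, so the strength of the file rests entirely on the passphrase.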

> I think that's referring to the password used to decrypt the executable, not the "incantation" we need to enter once you run the decrypted executable.
>
> So, back to the border, are we? I'm out of other ideas as to where the incantation could be hiding.

I've looked over the border a bit just to check. Doesn't seem to be anything out of place.

Reading file border.png...

89 50 4e 47 0d 0a 1a 0a

PNG Header found...

Chunk: Length 13 Type IHDR

Width 1336 Height 775

bits per channel: 8

color type: 6

Chunk: Length 25 Type tEXt

keyword: Software

text : Adobe ImageReady

Chunk: Length 802 Type iTXt

keyword: XML:com.adobe.xmp

Chunk: Length 104435 Type IDAT

Chunk: Length 0 Type IEND

Size of buffer 4142375

Seems like it was just made in Adobe ImageReady. My barebones PNG writer saves a 86 KB file, so 103 KB doesn't seem too suspicious.
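
Added example, not part of the original post and not the poster's tool: a chunk walker in the spirit of the dump above that also verifies each chunk's CRC and reports any bytes after IEND, which an image viewer ignores. The sample file is constructed (IHDR and tEXt values copied from the dump, with extra bytes appended), and the function names are made up for the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype, body):
    """Build one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def walk_png(data):
    """Return (chunks, trailing); chunks holds (type, length, crc_ok, body)."""
    if data[:8] != PNG_SIG:
        raise ValueError("bad PNG signature")
    pos, chunks = 8, []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("chunk at offset %d runs past end of file" % pos)
        body = data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("latin-1"), length, ok, body))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]

def report(data):
    """Notes worth a closer look: bad CRCs, text chunks, bytes after IEND."""
    chunks, trailing = walk_png(data)
    notes = ["bad CRC in %s" % c[0] for c in chunks if not c[2]]
    for ctype, length, ok, body in chunks:
        if ctype in ("tEXt", "zTXt", "iTXt"):
            keyword = body.split(b"\x00", 1)[0].decode("latin-1")
            notes.append("%s keyword=%s (%d bytes)" % (ctype, keyword, length))
    if trailing:
        notes.append("%d bytes after IEND, starts %r" % (len(trailing), trailing[:4]))
    return notes

# Constructed sample: IHDR/tEXt values from the dump above, bytes added after IEND.
IHDR = struct.pack(">IIBBBBB", 1336, 775, 8, 6, 0, 0, 0)
SAMPLE = (PNG_SIG + make_chunk(b"IHDR", IHDR)
          + make_chunk(b"tEXt", b"Software\x00Adobe ImageReady")
          + make_chunk(b"IDAT", zlib.compress(b"")) + make_chunk(b"IEND", b"")
          + b"PK\x03\x04constructed")

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```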

> So by installing GPAC, and using this command:
>
> MP4Box Outdoors.mp4 -dump-item test:1
>
> I manage to obtain a file called crackme.enc
>
> Which I can decrypt with:
>
> openssl enc -d -aes-256-cbc -k "THE FIVE BOXING WIZARDS JUMP QUICKLY" -in crackme.enc -out cracked

Upload somewhere and let us see

> So by installing GPAC, and using this command:
>
> MP4Box Outdoors.mp4 -dump-item test:1
>
> I manage to obtain a file called crackme.enc
>
> Which I can decrypt with:
>
> openssl enc -d -aes-256-cbc -k "THE FIVE BOXING WIZARDS JUMP QUICKLY" -in crackme.enc -out cracked
>
> Upload somewhere and let us see

It's the executable, but properly extracted (ie no trailing data)

> So by installing GPAC, and using this command:
>
> MP4Box Outdoors.mp4 -dump-item test:1
>
> I manage to obtain a file called crackme.enc
>
> Which I can decrypt with:
>
> openssl enc -d -aes-256-cbc -k "THE FIVE BOXING WIZARDS JUMP QUICKLY" -in crackme.enc -out cracked
>
> Upload somewhere and let us see
>
> It's the executable, but properly extracted (ie no trailing data)

Upload anyway, it may contain more meaningful information than the previous one

> I've looked over the border a bit just to check. Doesn't seem to be anything out of place.
>
> Reading file border.png...
>
> 89 50 4e 47 0d 0a 1a 0a
>
> PNG Header found...
>
> Chunk: Length 13 Type IHDR
>
> Width 1336 Height 775
>
> bits per channel: 8
>
> color type: 6
>
> Chunk: Length 25 Type tEXt
>
> keyword: Software
>
> text : Adobe ImageReady
>
> Chunk: Length 802 Type iTXt
>
> keyword: XML:com.adobe.xmp
>
> Chunk: Length 104435 Type IDAT
>
> Chunk: Length 0 Type IEND
>
> Size of buffer 4142375
>
> Seems like it was just made in Adobe ImageReady. My barebones PNG writer saves a 86 KB file, so 103 KB doesn't seem too suspicious.

I admit, I'm still *super* suspicious about it, that artifacting just seems like a weird bit of sloppiness otherwise, but I don't know what it could be so I'm probably just being paranoid. The way I see it, we've got a few obvious options for what the next step is supposed to be

- we've missed something in one of the site images, or the mp3. I think I've gone over them with as fine-toothed a comb I can feasibly manage (even the blinking cursor gif, just in case), but they may still have secrets to give up

- it's to do with the encrypted message in the press release - I've taken some wild stabs at decrypting it, but nothing.

- the incantation, the press release key, or both, is staring me in the face and I'm too sleepy to see it :)


I'm sorry, my responses are limited. You must use the right incantations.

> And somewhere, Brandon Dillon has a great big geeky smile on his face.

oh im 100% sure he is here watching all of this go down...

51987-Are-You-Not-Entertained-1a5I.jpeg

> I admit, I'm still *super* suspicious about it, that artifacting just seems like a weird bit of sloppiness otherwise

I believe the incantation is hidden in the border. And to further complicate it, I believe the incantation isn't hidden bitwise, but visually. I'm very familiar with compression artifacts and these don't look like compression artifacts. In some places, there is a very tight pattern as well.

> I admit, I'm still *super* suspicious about it, that artifacting just seems like a weird bit of sloppiness otherwise
>
> I believe the incantation is hidden in the border. And to further complicate it, I believe the incantation isn't hidden bitwise, but visually. I'm very familiar with compression artifacts and these don't look like compression artifacts. In some places, there is a very tight pattern as well.

I could investigate some blind steganography techniques, but I'd be surprised they went that far. So far we've made a lot of progress with common tools.

> I admit, I'm still *super* suspicious about it, that artifacting just seems like a weird bit of sloppiness otherwise
>
> I believe the incantation is hidden in the border. And to further complicate it, I believe the incantation isn't hidden bitwise, but visually. I'm very familiar with compression artifacts and these don't look like compression artifacts. In some places, there is a very tight pattern as well.

Cool! That makes me feel better, I thought I was going mad with how structured they seemed to be, but images are not a strong point in my technical knowledge at all.

> I admit, I'm still *super* suspicious about it, that artifacting just seems like a weird bit of sloppiness otherwise
>
> I believe the incantation is hidden in the border. And to further complicate it, I believe the incantation isn't hidden bitwise, but visually. I'm very familiar with compression artifacts and these don't look like compression artifacts. In some places, there is a very tight pattern as well.

Well, actually, now that I think about it - isn't it odd it's the only PNG on the site? Everything else is JPEG. PNG is lossless, meaning it doesn't lose any data when compressed, unlike JPEG compression. So a PNG would be a better format for hidden data.


The border is obviously odd, I lowered the brightness and increased the contrast and it seems like something might be there.

highcontrastlowbrightnessborder.png



You may have something there but to me it just looks like a typical canvas effect from Photoshop. ^^:


The incantation is easy to find if you open the decrypted EXE in a disassembler/debugger like OllyDbg.

AND WITH THIS APPLICATION I DO DECLARE THAT BIRTHRIGHT HAS NO STANDING IN THE CHAMBERS OF WISDOM.

> The incantation is easy to find if you open the decrypted EXE in a disassembler/debugger like OllyDbg.
>
> AND WITH THIS APPLICATION I DO DECLARE THAT BIRTHRIGHT HAS NO STANDING IN THE CHAMBERS OF WISDOM.

So are we to assume you found it and just aren't telling us?
