mundanename

HacknSlashAnnounce

That is the incantation. Here's the result:

YOUR INCANTATION: AND WITH THIS APPLICATION I DO DECLARE THAT BIRTHRIGHT HAS NO

STANDING IN THE CHAMBERS OF WISDOM.

SUCCESSFUL INCANTATION

Congratulations! You are a true reverser. It does my heart good that you

were willing to put in the effort to solve this series of puzzles. I want

to know who you are! Tweet the following code at me (@Noughtceratops),

and I'll know to keep in touch!

I snipped out the code because it varies each time you run it; I'm fairly sure it's an encrypted timestamp.


It is encrypted I think, both pass & result, as there is reference to a LibTomCrypt.

I found the jnz that jump out of the subroutine if you didn't enter the right pass in PE Explorer, but impossible to find it again in OllyDbg to modify it to a jz...


That actually works. Awesome!

Remember, the full stop is a part of the incantation.


Awww... so sad it won't work for me in Wine :-(


Unhandled exception: page fault on read access to 0x00000000 in 32-bit code (0x00401342).

Register dump:

CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b

EIP:00401342 ESP:0032fe14 EBP:0032fe28 EFLAGS:00010246(  R- --  I  Z- -P- )

EAX:00000000 EBX:00400000 ECX:c0000001 EDX:c000007a

ESI:00000000 EDI:0064386c

Backtrace:

=>0 0x00401342 in hknslash (+0x1342) (0x0032fe28)

 1 0x0040140c in hknslash (+0x140b) (0x7b875ad0)

0x00401342: movb    0x0(%eax),%cl

System information:

   Wine build: wine-1.4

   Platform: i386 (WOW64)

   Host system: Linux

   Host version: 3.2.0-55-generic

I'll live vicariously through you, my Windows-hacking compatriots :-(

That is the incantation. Here's the result:
YOUR INCANTATION: AND WITH THIS APPLICATION I DO DECLARE THAT BIRTHRIGHT HAS NO

STANDING IN THE CHAMBERS OF WISDOM.

SUCCESSFUL INCANTATION

I snipped out the code because it varies each time you run it; I'm fairly sure it's an encrypted timestamp.

You have typed "AND WITH THIS APPLICATION I DO DECLARE THAT BIRTHRIGHT HAS NO

STANDING IN THE CHAMBERS OF WISDOM." and got a positive response? This does nothing for me (besides "UNKNOWN INCANTATION").


Brandon Dillon really should have hashed that incantation. Curious how we were supposed to come across it without digging in the exe.

That is the incantation. Here's the result:
YOUR INCANTATION: AND WITH THIS APPLICATION I DO DECLARE THAT BIRTHRIGHT HAS NO

STANDING IN THE CHAMBERS OF WISDOM.

SUCCESSFUL INCANTATION

I snipped out the code because it varies each time you run it; I'm fairly sure it's an encrypted timestamp.

You have typed "AND WITH THIS APPLICATION I DO DECLARE THAT BIRTHRIGHT HAS NO

STANDING IN THE CHAMBERS OF WISDOM." and got a positive response? This does nothing for me (besides "UNKNOWN INCANTATION").

Same here, in Parallels.

That is the incantation. Here's the result:
YOUR INCANTATION: AND WITH THIS APPLICATION I DO DECLARE THAT BIRTHRIGHT HAS NO

STANDING IN THE CHAMBERS OF WISDOM.

SUCCESSFUL INCANTATION

I snipped out the code because it varies each time you run it; I'm fairly sure it's an encrypted timestamp.

You have typed "AND WITH THIS APPLICATION I DO DECLARE THAT BIRTHRIGHT HAS NO

STANDING IN THE CHAMBERS OF WISDOM." and got a positive response? This does nothing for me (besides "UNKNOWN INCANTATION").

I found and used successfully a different one when I looked into the exe. I'm not sure where that one comes from.

Edit: I am super curious where the real incantation was supposed to come from.

Brandon Dillon really should have hashed that incantation. Curious how we were supposed to come across it without digging in the exe.

Maybe there was more hidden in the audio file?

That is the incantation. Here's the result:
YOUR INCANTATION: AND WITH THIS APPLICATION I DO DECLARE THAT BIRTHRIGHT HAS NO

STANDING IN THE CHAMBERS OF WISDOM.

SUCCESSFUL INCANTATION

I snipped out the code because it varies each time you run it; I'm fairly sure it's an encrypted timestamp.

You have typed "AND WITH THIS APPLICATION I DO DECLARE THAT BIRTHRIGHT HAS NO

STANDING IN THE CHAMBERS OF WISDOM." and got a positive response? This does nothing for me (besides "UNKNOWN INCANTATION").

I found and used successfully a different one when I looked into the exe. I'm not sure where that one comes from.

Edit: I am super curious where the real incantation comes from.

>_> ..... and yet he doesn't put the one he used... I smell trolling from both of you


Well, the text does mention "true reverser". Digging through the exe IS reverse engineering...

Also looking a bit more at the disassembly, it seems to grab some basic hardware info from your pc. Meaning the Incantation must be set to something different for every pc....

Which is why I guess it's called "YOUR" invocation...

But hey, you got a list of all of them no? ;)

Well, the text does mention "true reverser". Digging through the exe IS reverse engineering...

Also looking a bit more at the disassembly, it seems to grab some basic hardware info from your pc. Meaning the Incantation must be set to something different for every pc....

Which is why I guess it's called "YOUR" invocation...

But hey, you got a list of all of them no? ;)

That would make a lot of sense.

If that's the case it's not really a spoiler what my code was.

http://pastebin.com/LHRwkbvQ


Could someone please give instructions on which part of the program to access in order to receive the message? I'm using OllyDbg v1.10 on Windows 7 and I really want to find out my code.

Could someone please give instructions on which part of the program to access in order to receive the message? I'm using OllyDbg v1.10 on Windows 7 and I really want to find out my code.

I unpaused the debugger while running the application, I pressed enter in the incantation application (no incantation entered) and the debugger spewed out one of the incantations in a child window. I ran the incantation application again and used the incantation the debugger intercepted and it worked fine.

Could someone please give instructions on which part of the program to access in order to receive the message? I'm using OllyDbg v1.10 on Windows 7 and I really want to find out my code.

I unpaused the debugger while running the application, I pressed enter in the incantation application (no incantation entered) and the debugger spewed out one of the incantations in a child window. I ran the incantation application again and used the incantation the debugger intercepted and it worked fine.

Thanks! Did what you said and it worked. Got

@Noughtceratops tenh4xeGjjPunjRtQ00VGnLzY6qyok7U2IEJ7ZJMoUmxSKcgkprFU4tbq90oxBWasz1ILMx5rO4RgoRzHDUR6Q==

Note that Permafry_42 is also my twitter handle.

I hope Double Fine does another one of these, possibly in the style of the Portal 2 ARG next time so that we could all work towards getting an earlier release date =D

Could someone please give instructions on which part of the program to access in order to receive the message? I'm using OllyDbg v1.10 on Windows 7 and I really want to find out my code.

I unpaused the debugger while running the application, I pressed enter in the incantation application (no incantation entered) and the debugger spewed out one of the incantations in a child window. I ran the incantation application again and used the incantation the debugger intercepted and it worked fine.

Thanks! Did what you said and it worked. Got

@Noughtceratops tenh4xeGjjPunjRtQ00VGnLzY6qyok7U2IEJ7ZJMoUmxSKcgkprFU4tbq90oxBWasz1ILMx5rO4RgoRzHDUR6Q==

Note that Permafry_42 is also my twitter handle.

I hope Double Fine does another one of these, possibly in the style of the Portal 2 ARG next time so that we could all work towards getting an earlier release date =D

Hope you sent that code in before putting it here; I assume he checks them. But dang, my older brother is trying it now. He's an actual programmer, not that it really matters I guess, but it's not working for him, although I think he's working on an older version of Windows.


Alright, we got it to work :). We think it's because my bro was running Windows XP, because when we ran it on my comp, which has Windows 7, it worked fine.

So if you're running Windows XP it may not work for you, but idk, it's just a theory :/

Could someone please give instructions on which part of the program to access in order to receive the message? I'm using OllyDbg v1.10 on Windows 7 and I really want to find out my code.

I unpaused the debugger while running the application, I pressed enter in the incantation application (no incantation entered) and the debugger spewed out one of the incantations in a child window. I ran the incantation application again and used the incantation the debugger intercepted and it worked fine.

Thanks! Did what you said and it worked. Got

@Noughtceratops tenh4xeGjjPunjRtQ00VGnLzY6qyok7U2IEJ7ZJMoUmxSKcgkprFU4tbq90oxBWasz1ILMx5rO4RgoRzHDUR6Q==

Note that Permafry_42 is also my twitter handle.

I hope Double Fine does another one of these, possibly in the style of the Portal 2 ARG next time so that we could all work towards getting an earlier release date =D

Hope you sent that code in before putting it here; I assume he checks them. But dang, my older brother is trying it now. He's an actual programmer, not that it really matters I guess, but it's not working for him, although I think he's working on an older version of Windows.

I'm gonna be learning programming in Processing (basically a form of Java), but since I was just following what everyone else has uploaded so far I don't think I'll be able to help you unfortunately.

Also don't worry; I've already tweeted my code. Since every code seems to be unique based on the computer that successfully solved the last puzzle correctly, I should be safe from copycats. If not, then it's easy enough to just search Twitter posts for @Noughtceratops and see I was the first person to use that code. Besides, I was doing this just for some fun and challenge in my day =D

Could someone please give instructions on which part of the program to access in order to receive the message? I'm using OllyDbg v1.10 on Windows 7 and I really want to find out my code.

I unpaused the debugger while running the application, I pressed enter in the incantation application (no incantation entered) and the debugger spewed out one of the incantations in a child window. I ran the incantation application again and used the incantation the debugger intercepted and it worked fine.

Thanks! Did what you said and it worked. Got

@Noughtceratops tenh4xeGjjPunjRtQ00VGnLzY6qyok7U2IEJ7ZJMoUmxSKcgkprFU4tbq90oxBWasz1ILMx5rO4RgoRzHDUR6Q==

Note that Permafry_42 is also my twitter handle.

I hope Double Fine does another one of these, possibly in the style of the Portal 2 ARG next time so that we could all work towards getting an earlier release date =D

Did the same thing. My incantation was

AND COMMIT TO THE PURSUITE OF UNDERSTANDING.
which is only a fragment of one of the incantations in the examined file.


Did the same thing. My incantation was

AND COMMIT TO THE PURSUITE OF UNDERSTANDING.
which is only a fragment of one of the incantations in the examined file.

Yeah, similar case here. My incantation was:

AND WITH THIS INCANTATION I REVER INTWINING OURSELVES TO OUR COMBINED DESTINIES WHICH PRODUCE A KIND OF INFINITE REWARD IN THE CONSTRUCTION OF MECHANISMS TO AID OUR DISCOVERY OF KNOWLEDGE AND TRUTH.

which matches one from http://pastebin.com/KUGyj3rq but with "THEE BOND INTO REALMS FO" removed. So it looks like there is some morphing being done to the selected incantations to make them more unique.

I ran it two times, a few minutes apart and got:

@Noughtceratops MwFzn24NANcGuSR7cfFQ8PnwAN8FrbJlK3qQNdfObPPb8VtgrJZMkTNtHpzTsYP45vw4ALGYc9YwOrgXJJzi2Q==

and

@Noughtceratops u2jJ4qXVCv8ZO+dc+bjTkoN3Ce5DzHGQwU+1iDKppaJ5hpt4kzuXnqt0Hfp5ptPIJceTuqRwdxVE7mUrKtRoEw==


Yeah, I think it looks at your specific computer and generates a code based on your specs, so only one will work on your computer, and then it generates a code based on your computer as well.


Oh man, I totally didn't even think to look at the forum. I finally finished the puzzle, it was really fun, reminded me of the good old days when my hat was a darker shade of grey.

I'll post my process here just in case anybody is curious:

- Went to http://www.hacknslashthegame.com/ and downloaded the .zip.jpg from http://www.hacknslashthegame.com/download/HacknSlashAnnounce.zip.jpg

- Opened it with 7-zip and extracted the 3 files.

- Looked at the text file and noticed that lines seemed to repeat every 34 characters, except some words had weird offsets, so I wrote a simple (and super hacky) python script to grab out the interesting parts:

with open('WorldTablet.txt', 'rb') as f:
    text = f.read().decode('cp1252')

s = ''
# Every 68-byte stride holds two 34-byte rows; compare the first 30 characters
# of each. Where the two copies differ, the word at that offset is the hidden one.
for a, b in [(text[i:i+30], text[i+34:i+64]) for i in range(0, len(text), 68)]:
    if a != b:
        for i in range(min(len(a), len(b))):  # guard against a short final chunk
            if a[i] != b[i]:
                c = a if a[i] != ' ' else b   # take the copy that has a word there
                end = c.find(' ', i)
                if end == -1:                 # no trailing space: take to end of row
                    end = len(c)
                s += (' ' if len(s) != 0 else '') + c[i:end]
                break
print(s)

- Got the message "the embedded application is enciphered with the incantation presented by the first observed glyphs"

- Figured I had to decode the glyphs, which I assumed were a simple substitution cipher. I guessed that the original jpeg was a Rosetta Stone pangram. Based on frequency, the dots were clearly spaces, so it clearly wasn't "quick brown fox". Instead of actually figuring it out, I just Googled for English pangrams and "The five boxing wizards jump quickly" was the only one that fit.

- I then used ffmpeg to dump every frame from the video file using:

ffmpeg -i Outside.mp4 Outside%d.png

and went through all 400 some odd frames and found the 84 that actually had text in them.

- Proceeded to decode the video message to get "most of the time we only see the things that we expect to often secrets are in plain sight but remain invisible to us size up the medium you are observing and you may find it supports modes of expression you do not expect images can contain words words can produce images something that appears to be a recording of life may actually be a container filled with the sequences of images and channels of audio that you expect but that container may hold" (I could actually read this stuff without the reference by the end).

- The first part of this I guessed had something to do with the text file. I turned on line wrap mode in my editor (as a programmer, line wrap is a feature I NEVER use), and realized that if I resized it to 64 characters (nice number there), you could actually look at the image as a cross-eyed stereogram and the words would actually stand out (cool idea, but the python script gave less of a headache).

- The second part was clearly talking about the mp4 container used for the video. It made it fairly apparent that there was something else multiplexed into the file. I ran:

MP4Box -info Outdoors.mp4

and got the following (and a bunch more that I cut out for brevity):

Root Meta type: "mp21" - 1 resource item(s)

Item #1 - ID 1 - Name: crackme.enc - MimeType: application/octet-stream

- It was clear that there was a file called crackme.enc in the mp4 as a resource file. I again used MP4Box to extract the resource with:

MP4Box -dump-item 1 Outdoors.mp4

- I guessed that the .enc in crackme.enc was either for encoded or encrypted, so I ran

hexdump -C crackme.enc | less

to look at the contents of the file. I immediately noticed that it started with "Salted__" which is the magic number header for AES encrypted files produced with OpenSSL.

- The message from the text file seemed to indicate that the "enciphered" file was decoded using the "first observed runes". The first runes I saw (or anybody saw, for that matter) were the ones in the Rosetta Stone image, so I guessed that the pass phrase for the encrypted data was either "the five boxing wizards jump quickly" or "THE FIVE BOXING WIZARDS JUMP QUICKLY"; I just needed to figure out what AES mode to use. Looking at the original post, I saw "TLS_RSA_WITH_AES_256_CBC_SHA", so I guessed aes-256-cbc.

- Ran

openssl aes-256-cbc -d -in crackme.enc -out crackme.bin

and tried both passwords, and lo and behold, the capital one worked.

- Took a look at crackme.bin with:

hexdump -C crackme.bin | less

and saw that it started with 4d 5a (MZ), the magic number for an exe. At this point I switched to Windows (why was your little puzzle not an elf? srsly)

- Copied crackme.bin over to my Windows box and ran it. Obviously needed some sort of password, but had no idea what. Opened it up with OllyDbg and searched for all referenced strings, but I couldn't find anything with "INCANTATION" in it, so I just ran the program and got a warning that the code section was encrypted and thought "oh great, this is gonna suck", but it was actually super easy. I just typed in some text, and let the program finish, and lo and behold, right there on the stack was the value "AND TRUTH. AND WITH THE POWERS I HAVE OVER HIDDEN BUT NOT INACCESSIBLE TRUTHS.". I'm assuming that they loaded the string from the binary to compare it, and didn't explicitly 0 the memory when they were done (not sure if this was accidental or intentional).

- Ran it again with this as the incantation, and got the code.

At this point, I think I have gotten essentially everything figured out. There may be some real way you are supposed to figure out the code for the exe, but I like using debuggers, and find that a totally acceptable approach. I also didn't end up using the song for anything, but looking at it there are a couple of interesting things which may have helped. The genre of the song is aes-256-cbc, a really clear hint to the encryption to use (more so than the string on the website). There is also a comment on the track of "passwords read like incantations when spoken in all capital letters" which would have helped make the leap from the invocation comment to the aes password, and would have made it clear that I needed all caps. There are also a few "encrypted_payload"s on the blog post that may or may not actually mean anything, I might try to decrypt them tomorrow. I was really hoping for a demo when I saw "embedded application", but no such luck. Overall, a very fun little puzzle, although more interesting exe hacking would have made it better; I love spending weekends reading x86 assembly, and it has been so long since I have had reason to, the days of making no-cd cracks for myself so that I didn't have to change discs all the time are long gone thanks to Steam.
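The two steps of the walkthrough above that are worth being able to reproduce without the tools are the container check and the key derivation; the following is an added example and not code from the post or from the puzzle. It walks the ISO BMFF box tree to list items declared under a top-level meta/iinf (the structure MP4Box -info reported when it showed crackme.enc), and implements OpenSSL's legacy EVP_BytesToKey, the MD5-based KDF that "openssl aes-256-cbc" of that era used to turn the passphrase and the salt behind the "Salted__" header into a key and IV. The sample MP4 bytes and all function names are constructed here and assumed, not taken from the real Outdoors.mp4.

```python
import hashlib, struct

def _box(kind, payload):
    return struct.pack(">I", 8 + len(payload)) + kind + payload

def _fullbox(kind, version, payload):  # FullBox = Box + 1 byte version + 3 bytes flags
    return _box(kind, bytes([version]) + b"\x00\x00\x00" + payload)

# Constructed sample (not the real Outdoors.mp4): a minimal ISO BMFF file whose
# top-level 'meta' box declares one item, as MP4Box -info reported on the page.
SAMPLE_INFE = _fullbox(b"infe", 0, struct.pack(">HH", 1, 0)
                       + b"crackme.enc\x00application/octet-stream\x00")
SAMPLE_FILE = (_box(b"ftyp", b"isom\x00\x00\x00\x00isom")
               + _fullbox(b"meta", 0, _fullbox(b"iinf", 0, struct.pack(">H", 1) + SAMPLE_INFE))
               + _box(b"mdat", b"\x00" * 16))

def iter_boxes(buf, offset=0, end=None):
    """Yield (type, payload_start, box_end) for each box in buf[offset:end]."""
    end = len(buf) if end is None else end
    while offset + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[offset:offset + 8])
        header = 8
        if size == 1:    # 64-bit 'largesize' follows the 8-byte header
            size, header = struct.unpack(">Q", buf[offset + 8:offset + 16])[0], 16
        elif size == 0:  # box runs to the end of its container
            size = end - offset
        if size < header or offset + size > end:
            raise ValueError("malformed box at offset %d" % offset)
        yield kind, offset + header, offset + size
        offset += size

def _cstring(buf, pos):
    nul = buf.index(b"\x00", pos)
    return buf[pos:nul].decode("utf-8", "replace"), nul + 1

def parse_infe(buf, start):
    """Decode an ItemInfoEntry (versions 0-2) into id, name, MIME type and 4cc type."""
    version, pos = buf[start], start + 4    # skip version + flags
    item_id, _prot = struct.unpack(">HH", buf[pos:pos + 4])
    pos, item_type, mime = pos + 4, None, None
    if version == 2:                        # v2 inserts a 4cc item_type before the name
        item_type, pos = buf[pos:pos + 4].decode("ascii", "replace"), pos + 4
    name, pos = _cstring(buf, pos)
    if version < 2 or item_type == "mime":  # a content_type string follows the name
        mime, pos = _cstring(buf, pos)
    return {"id": item_id, "name": name, "mime": mime, "type": item_type}

def meta_items(buf):
    """List items under a top-level meta/iinf: a non-media item riding in a video is what to flag."""
    items = []
    for kind, start, end in iter_boxes(buf):
        if kind != b"meta":
            continue
        for k2, s2, e2 in iter_boxes(buf, start + 4, end):  # meta is a FullBox
            if k2 != b"iinf":
                continue
            count_len = 2 if buf[s2] == 0 else 4            # entry_count: u16 (v0) or u32 (v1)
            for k3, s3, _e3 in iter_boxes(buf, s2 + 4 + count_len, e2):
                if k3 == b"infe":
                    items.append(parse_infe(buf, s3))
    return items

def evp_bytes_to_key(passphrase, salt, key_len=32, iv_len=16):
    """Legacy EVP_BytesToKey (MD5, one iteration) of 1.0.x-era 'openssl enc'; salt = 8 bytes after 'Salted__'."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]
```

Because the KDF is salted and case-sensitive, the lower-case and upper-case pangrams derive different keys, which is why only the all-caps passphrase decrypted crackme.enc.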

Oh man, I totally didn't even think to look at the forum. I finally finished the puzzle, it was really fun, reminded me of the good old days when my hat was a darker shade of grey.

All I can say after reading how much work you must have put into solving the puzzle on your own is this:

Neil-deGrasse-Tyson-we-got-a-bad-ass-over-here-meme.png


I found mine as well.

AND SPIRIT WHICH STRENGTHEN AND MAGIC OF THIS APPLICATION PRODUCES A RESULT THAT MUST INVARIABLY ENGENDER MAGNIFICENT AMPLIFICATION OF THE DESIRED OUTCOMES THAT WE PRODUCE.

I don't feel right tweeting the code, though, since I only did the final part of this puzzle (using a debugger on the .exe). I also hardly ever use twitter anyway. :P

