mundanename

HacknSlashAnnounce
I felt like finding the incantation on the stack was too easy, so I unpacked the binary and found the entire incantation. It looks like everyone's string is some substring of this. Still not sure how it determines what substring though. There are also a bunch of misspellings xD.

AND WITH THIS INCANTATION I DO SO ENSORCELL MATTERS SUCH THAT THE MAGIC OF THIS APPLICATION PRODUCES A RESULT THAT MUST INVARIABLY ENGENDER MAGNIFICENT AMPLIFICATION OF THE DESIRED OUTCOMES THAT WE PRODUCE. AND WITH THIS INCANTATION I THEE BOND INTO REALMS FOREVER INTWINING OURSELVES TO OUR COMBINED DESTINIES WHICH PRODUCE A KIND OF INFINITE REWARD IN THE CONSTRUCTION OF MECHANISMS TO AID OUR DISCOVERY OF KNOWLEDGE AND TRUTH. AND WITH THIS INCANTATION I REVEAL MYSELF TO BE CAPABLE OF CHALLENGES OF THE MIND AND SPIRIT WHICH STRENGTHEN AND EMBOLDEN MY CAPACITY FOR TAKING CONTROL OVER THAT WHICH WAS ALWAYS OUR BIRTHRIGHT THOUGH SOMESTIMES WE FOOL EVEN OURSELVES TO PROTECT THAT WHICH CANNOT BE PROTECTED. WITH THIS INCANTATION I OPEN THE LOCK CLASPED SIMPLY TO PROVIDE OPPORTUNITY FOR DEMONSTRATION OF MY POWER. AND WITH THIS INCANTATION I FOREVER OPEN THE BOUNDARIES OF UNDRESTANDING SUCH THAT I ALWAYS REALIZE THE POWERS I HAVE OVER HIDDEN BUT NOT INACCESSIBLE TRUTHS. AND WITH THE MECHANISMS OF THIS INCANTATION I CAN BREAK THE BONDS THAT WERE NEVER REALLY THERE DESPITE THE INSISTENCE OF THOSE PRESENTING THEMSELVES AS WIZARDS. AND WITH THIS INCANTATION I OBSERVE THE FINITE IN THE INFINITE THAT HAS PRODUCED MUCH WONDER AND MAGIC IN OUR WORLD AND COMMIT TO THE PURSUITE OF UNDERSTANDING. AND WITH THIS INCANTATION I DO DECLARE THAT BIRTHRIGHT HAS NO STANDING IN THE CHAMBERS OF WISDOM. AND WITH THIS INCANTATION I DO PRESENT MATTERS SUCH THAT IT IS OBSERVABLE THAT NO CREATURE SHOULD BE RESTRAINED BY THE FEAR OF OTHERS.

At this point I switched to Windows (why was your little puzzle not an elf? srsly)

I was thinking the same thing when I hopped onto the forum to look for some assistance (although switching to Windows isn't an option for me) >_<

I felt like finding the incantation on the stack was too easy, so I unpacked the binary and found the entire incantation. It looks like everyone's string is some substring of this. Still not sure how it determines what substring though.

I was thinking that the full stop was the delimiter.


I have zero knowledge in this area so it was super cool to see how clever you guys are. But since I never participated in solving the puzzle, probably won't tweet my incantation, whatever that is. Awesome work guys! Fingers crossed for the "Amnesia Fortnight 2012 games getting published for realsies" trend to hit Black Lake (please).


Aww maaaaaaaaan, I should totally have got that last night, but I am a stupidhead who fails to notice what her debugger is telling her. Congrats Nasarius for cracking it first!

Well that's certainly got me warmed up for the game - hiddenjournal.txt was my favourite thing about AF 2012 so it was nice to do it all over again :).

Now I'm just curious what the messages we're sending Brandon say :)


AND WITH THIS INCANTATION I OPEN THE CHAMBERS OF WISDOM.

A bit slow since I was at work before I could work on it, then I wanted to replicate most of the steps myself with minimal reference to the forum, even though I couldn't resist reading during the day. From my time in the debugger it seems like the game had pregenerated the expected response based on 'something' before it actually waits for the user input. The first thing it was looking for was a string of length 56 before it went on to (presumably) do a string comparison to something I saw in memory. Might do a bit more looking later. It doesn't seem to match any of the complete strings in another part of memory, so I'm guessing something assembles fragments from different strings, or that was a red herring.

WITH THIS INCANTATION I OPEN THE LOCK CLASPED SIMPLY TO PROVIDE OPPORTUNITY FOR DEMONSTRATION OF MY POWER.

AND WITH THIS INCANTATION I DO DECLARE THAT BIRTHRIGHT HAS NO STANDING IN THE CHAMBERS OF WISDOM.

Is this the end of AF2012 games for now? Remaining leads Andy and Levi seem to be occupied with other projects, while Lee's involvement in Autonomous for Leap seems to have been minimal.

Is this the end of AF2012 games for now? Remaining leads Andy and Levi seem to be occupied with other projects, while Lee's involvement in Autonomous for Leap seems to have been minimal.
Broken Age is getting very close to shipping, so Levi would be completely opened up fairly soon. Of course, he may be needed on something else, seeing as DF would still have 3 projects under development (that we know of) and Black Lake doesn't seem like a small-scale project. Though with the entire Broken Age team free (fingers crossed) within less than six months, there will be a lot of unassigned manpower (unless they are needed for Massive Chalice as it goes into fuller production).


The more I thought about it last night (in bed, losing sleep; CURSE YOU BRANDON!!!!!), the debugging to observe the application for the solution does seem like a valid way to find the solution, considering the title of the game and the concepts portrayed in the AF demo.

BTW, there is obviously some way for Brandon to check if your code provided during the incantation is "valid":

The more I thought about it last night (in bed, losing sleep; CURSE YOU BRANDON!!!!!), the debugging to observe the application for the solution does seem like a valid way to find the solution, considering the title of the game and the concepts portrayed in the AF demo.

BTW, there is obviously some way for Brandon to check if your code provided during the incantation is "valid":

I'm pretty sure it's the intended solution from what I recall (on a mac right now so I can't poke about) - it looked like there was some explicit debug-related logic going on, hashing the incantation would be pretty easy, and it seemed like there was some anti-debugging stuff happening but it only made things a little awkward, not super-hard. So yeah, dumping your randomised incantation in plaintext was almost certainly deliberate.

I have zero knowledge in this area so it was super cool to see how clever you guys are. But since I never participated in solving the puzzle, probably won't tweet my incantation, whatever that is. Awesome work guys! Fingers crossed for the "Amnesia Fortnight 2012 games getting published for realsies" trend to hit Black Lake (please).

I have zero Linux knowledge either, so it's just plain magic for me what you guys do. Still, it's awesome to see your brains in motion!

Is this the end of AF2012 games for now? Remaining leads Andy and Levi seem to be occupied with other projects, while Lee's involvement in Autonomous for Leap seems to have been minimal.
Broken Age is getting very close to shipping, so Levi would be completely opened up fairly soon. Of course, he may be needed on something else, seeing as DF would still have 3 projects under development (that we know of) and Black Lake doesn't seem like a small-scale project. Though with the entire Broken Age team free (fingers crossed) within less than six months, there will be a lot of unassigned manpower (unless they are needed for Massive Chalice as it goes into fuller production).

I am crossing fingers for soon to come Black Lake development myself.

AND WITH THIS INCANTATION I OPEN THE CHAMBERS OF WISDOM.

A bit slow since I was at work before I could work on it, then I wanted to replicate most of the steps myself with minimal reference to the forum, even though I couldn't resist reading during the day. From my time in the debugger it seems like the game had pregenerated the expected response based on 'something' before it actually waits for the user input. The first thing it was looking for was a string of length 56 before it went on to (presumably) do a string comparison to something I saw in memory. Might do a bit more looking later. It doesn't seem to match any of the complete strings in another part of memory, so I'm guessing something assembles fragments from different strings, or that was a red herring.

WITH THIS INCANTATION I OPEN THE LOCK CLASPED SIMPLY TO PROVIDE OPPORTUNITY FOR DEMONSTRATION OF MY POWER.

AND WITH THIS INCANTATION I DO DECLARE THAT BIRTHRIGHT HAS NO STANDING IN THE CHAMBERS OF WISDOM.

Is this the end of AF2012 games for now? Remaining leads Andy and Levi seem to be occupied with other projects, while Lee's involvement in Autonomous for Leap seems to have been minimal.

Now, wouldn't the glyphs appearing in the HEIR'S CROWN be that BIRTHRIGHT INCANTATION he is talking about?


At this point, I feel like I would be cheating to grab a code and tweet it. I will say it was AWESOME watching everyone decrypt the message!

At this point, I feel like I would be cheating to grab a code and tweet it. I will say it was AWESOME watching everyone decrypt the message!

It'll also be obvious, since Brandon is decoding them and it'll be identical to someone else's tweet. I figure if you manage to get the application running and successfully generate your own tweet you should go for it - not your fault others went and documented the process ;)

At this point, I feel like I would be cheating to grab a code and tweet it. I will say it was AWESOME watching everyone decrypt the message!

It'll also be obvious, since Brandon is decoding them and it'll be identical to someone else's tweet. I figure if you manage to get the application running and successfully generate your own tweet you should go for it - not your fault others went and documented the process ;)

Well, I can't really argue with that logic. :) I'll have to do it when I get home from work.

:)


Unpacking the exe with upx makes it work under wine:

$ upx -d crackme.exe
$ wine crackme.exe
fixme:heap:HeapSetInformation (nil) 1 (nil) 0
fixme:volume:GetVolumePathNameA ("C:\\windows", 0x32f844, 260), stub!
fixme:volume:GetVolumePathNameW (L"C:\\windows", 0x12a010, 260), stub!
YOUR INCANTATION: 

Unpacking the exe with upx makes it work under wine:

$ upx -d crackme.exe
$ wine crackme.exe
fixme:heap:HeapSetInformation (nil) 1 (nil) 0
fixme:volume:GetVolumePathNameA ("C:\\windows", 0x32f844, 260), stub!
fixme:volume:GetVolumePathNameW (L"C:\\windows", 0x12a010, 260), stub!
YOUR INCANTATION: 

I kinda wonder if unpacking the exe with upx reveals some hidden metadata....


Unpacking the exe reveals a lot more information and makes it possible to actually debug it for real. I'm still trying to figure out a way that I can have a single bash script that would run the app and input the correct code for your system automatically. This is what I've got so far:

#!/bin/sh
# Fetch the "image" (really a zip), pull the video out of it, dump the item
# embedded in the video, decrypt it, unpack it and feed it the answer.
# THE_ANSWER must be set in the environment to your incantation.
wget -q http://www.hacknslashthegame.com/download/HacknSlashAnnounce.zip.jpg
unzip -qq HacknSlashAnnounce.zip.jpg Outdoors.mp4 2> /dev/null
MP4Box -quiet -dump-item 1 Outdoors.mp4
openssl aes-256-cbc -d -pass 'pass:THE FIVE BOXING WIZARDS JUMP QUICKLY' -in crackme.enc -out crackme.exe
upx -qqq -d crackme.exe
# Quote the variable: the incantation contains spaces.
echo "${THE_ANSWER}" | env WINEDEBUG=-all wine crackme.exe

You can also easily get the entire incantation by running

strings -n 1500 crackme.exe

after the exe has been unpacked.

The packages you will need to run all of this are gpac (for MP4Box), openssl (for openssl), upx-ucl (for upx), wine (for wine), and binutils (for strings).


Brandon posted on Twitter that there's one more puzzle left.

I'm very impressed by how fast people chewed through the announcement puzzle. There's still one unsolved puzzle out there, though!

I think it may have to do with the TLS session and the encrypted payloads in the announcement. I'm not an expert in TLS, but it appears we may have to calculate session keys to decrypt the two encrypted payloads and the stream data found after them. However, we don't have the public/private keys for the client in this case so I'm not sure how to proceed. I notice in the spots that the client's certificate is sent initially, it is just noted as "verified". I wonder if this means there's a way around needing the client certificate/key.

Anyone more knowledgeable about TLS that can add to my analysis?


AND WITH THIS INCANTATION I CAN BREAK THE BONDS THAT WERE NEVER REALLY THERE DESPITE THE INSISTENCE OF THOSE PRESENTING THEMSELVES AS WIZARDS.

That was pretty badass as incantations go.

Wine?

No thanks, gotta keep a clear head if we're gonna figure this out.

I laughed way harder than I should have at that one. And I was at work, so it was a bit embarrassing.

Brandon posted on Twitter that there's one more puzzle left.
I'm very impressed by how fast people chewed through the announcement puzzle. There's still one unsolved puzzle out there, though!

I think it may have to do with the TLS session and the encrypted payloads in the announcement. I'm not an expert in TLS, but it appears we may have to calculate session keys to decrypt the two encrypted payloads and the stream data found after them. However, we don't have the public/private keys for the client in this case so I'm not sure how to proceed. I notice in the spots that the client's certificate is sent initially, it is just noted as "verified". I wonder if this means there's a way around needing the client certificate/key.

Anyone more knowledgeable about TLS that can add to my analysis?

... my low-level knowledge of TLS is hella rusty, but actually, now I look at it again, don't we have all the information there already? The client and server random seeds, and the pre-master key (note from the context this is *not* encrypted with the server's public key yet). Either way you're probably right - time to refresh myself on the specification!


Ya, there is definitely enough information there to get the master secret, and then decrypt the traffic. The only problem is that I can't find what the PRF for TLS_RSA_WITH_AES_256_CBC_SHA is. Does anybody happen to know it or able to find it somewhere?

Edit: The TLS_RSA_WITH_AES_256_CBC_SHA basically tells us that we are using TLS (rfc5246), RSA for the key exchange (not important since the premaster is unencrypted and we don't have the server private key anyway), aes-256-cbc for the actual encryption and sha for hashing. The only part I can't remember is how you take the client_random, server_random, and premaster to create the master secret.

Ya, there is definitely enough information there to get the master secret, and then decrypt the traffic. The only problem is that I can't find what the PRF for TLS_RSA_WITH_AES_256_CBC_SHA is. Does anybody happen to know it or able to find it somewhere?

RFC 2246 or 5246 depending on which version of TLS it is. Looks like it's TLS 1.0:

$ openssl  s_client -msg -pause -debug -connect hacknslashthegame.com:443
[...]
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
   0e 00 00 00
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
[...]


That doesn't really mean anything since OpenSSL is likely not starting the handshake with the same parameters (I think it uses TLS 1.0 instead of 1.2 by default). If you look through your dump it is almost certainly using a different cipher suite (especially since I thought TLS_RSA_WITH_AES_256_CBC_SHA was defined in 1.2).

On another note, I'm still reading through the RFC, but there is a note at the top that all the cipher suites defined in TLS 1.2 use P_SHA256 as the PRF, but I can't find a definition of that anywhere.


Other data, just for the record:

random1: c489771d6ba93ddb2fc18f785d5dd41ed5b4e1a13fc13e17f29ec599d4b15b9c
random2: 529dbe466cf16b8085cb03297c0302067ef02476a2067c041ac9563eae106934
premaster: 030295d149b1900fe25d9e18e0d0e7d0fd49bbf9ba18d2f5d0547b3ee25a7bff371a1cb7128fbaa83889c10b0dce3c81

random1 and 2 are 32 bytes or 256 bits, so the right size for aes-256. premaster is 48 bytes, which suggests it's several things packed together.

Still picking through the RFC to work out what to do with these (i.e., get an aes-256-cbc key and IV) to attack the two payload chunks.


No, the premaster is supposed to be 48 bytes. You use those three things plus a PRF to generate a master secret which is split into the mac, key, and iv.

Ok, I read through JDK 7's implementation of TLS, and found that the PRF is definitely P_SHA256. I found code for this in wpa_supplicant (doxygen here).

The following blob of c code should give us the master secret:


char random[64];      /* client_random || server_random (32 + 32 bytes) */
char master[48];      /* master secret is always 48 bytes */
char keyblock[256];   /* only the first 136 bytes are used by this cipher suite */

/* master_secret = PRF(premaster, "master secret", client_random + server_random) */
memcpy(random, client_random, 32);
memcpy(random + 32, server_random, 32);
tls_prf_sha256(premaster, 48, "master secret", random, 64, master, 48);

/* key_block = PRF(master, "key expansion", server_random + client_random) -- note the reversed order */
memcpy(random, server_random, 32);
memcpy(random + 32, client_random, 32);
tls_prf_sha256(master, 48, "key expansion", random, 64, keyblock, 256);

/* Carve the key block: two 20-byte SHA-1 MAC keys, two 32-byte AES-256 keys, two 16-byte IVs */
char *cmac = keyblock;
char *smac = keyblock + 20;
char *ckey = keyblock + 40;
char *skey = keyblock + 72;
char *civ = keyblock + 104;
char *siv = keyblock + 120;

Edit added the code to actually create the key block.

That doesn't really mean anything since OpenSSL is likely not starting the handshake with the same parameters (I think it uses TLS 1.0 instead of 1.2 by default). If you look through your dump it is almost certainly using a different cipher suite (especially since I thought TLS_RSA_WITH_AES_256_CBC_SHA was defined in 1.2).

On another note, I'm still reading through the RFC, but there is a note at the top that all the cipher suites defined in TLS 1.2 use P_SHA256 as the PRF, but I can't find a definition of that anywhere.

Sure, but I'm offering 1.2 but it falls back to 1.0. According to https://www.ssllabs.com/ssltest/analyze.html?d=hacknslashthegame.com it only supports SSLv3 and TLS 1.0. It has a bunch of cipher suites though; I'm getting DHE for key exchange, but the press release is RSA.

No, the premaster is supposed to be 48 bytes. You use those three things plus a PRF to generate a master secret which is split into the mac, key, and iv.

Ok, I read through JDK 7's implementation of TLS, and found that the PRF is definitely P_SHA256. I found code for this in wpa_supplicant (doxygen here).

The following blob of c code should give us the master secret:

char random[64];
char master[48];
memcpy(random, client_random, 32);
memcpy(random + 32, server_random, 32);
tls_prf_sha256(premaster, 48, "master secret", random, 64, master, 48);

Isn't that only for TLS > 1.0? And there's a second 'key expansion' PRF to derive the actual mac/key/iv material?

Using the TLS 1.0 PRF (md5 + sha1) I'm getting:


cmac: 398e7548bd39cde1f4ebd862a37f3688230d9536
smac: cf9f5dc2799c50cf3df019adaa1c303ef754705e
ckey: f6f1534ed93084efe97a1428ec1af9f61fd8e6158aa8f6136ddfa8e6f27ea8ac
skey: c53bacff1cd31e3e70ed83d9506c9f9e6a9f35689499c25fa1f8bd896770e0ba
civ: 21329ea59191682cc3562c52315550c9
siv: 600470c838b93c56f1d6c62b66ef1caa

which isn't producing anything useful, so I'll see if SHA256 does any better.

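The key derivation the last several posts are working through (the "master secret" and "key expansion" PRF calls, and the open question of whether the TLS 1.0 MD5/SHA-1 PRF or the TLS 1.2 P_SHA256 PRF applies), as an added worked example in Python. This is not code from the thread, from Double Fine, or from the crackme; it only uses the random1/random2/premaster values posted above. It implements both PRFs (RFC 2246 section 5 and RFC 5246 section 5) with the standard library, derives the master secret, and carves the key block into the six pieces for TLS_RSA_WITH_AES_256_CBC_SHA (20-byte HMAC-SHA1 keys, 32-byte AES-256 keys, 16-byte IVs). Which PRF is the right one depends on the version in the captured ServerHello, which the example does not decide; the AES-CBC decryption of the records and the MAC check are not shown.

```python
"""TLS 1.0 and TLS 1.2 PRF plus key-block derivation (added example, stdlib only)."""
import hashlib  # noqa: F401  (hash names are passed to hmac by string)
import hmac

# Handshake values posted in the thread (hex), labelled as in the posts.
CLIENT_RANDOM = bytes.fromhex(
    "c489771d6ba93ddb2fc18f785d5dd41ed5b4e1a13fc13e17f29ec599d4b15b9c")  # random1
SERVER_RANDOM = bytes.fromhex(
    "529dbe466cf16b8085cb03297c0302067ef02476a2067c041ac9563eae106934")  # random2
PREMASTER = bytes.fromhex(
    "030295d149b1900fe25d9e18e0d0e7d0fd49bbf9ba18d2f5d0547b3ee25a7bff"
    "371a1cb7128fbaa83889c10b0dce3c81")  # 48 bytes, as RFC 5246 7.4.7.1 requires

# Key material sizes for TLS_RSA_WITH_AES_256_CBC_SHA.
MAC_LEN, KEY_LEN, IV_LEN = 20, 32, 16
PIECES = [("client_mac", MAC_LEN), ("server_mac", MAC_LEN),
          ("client_key", KEY_LEN), ("server_key", KEY_LEN),
          ("client_iv", IV_LEN), ("server_iv", IV_LEN)]
KEY_BLOCK_LEN = sum(size for _, size in PIECES)  # 136 bytes


def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed) from RFC 2246/5246 section 5, expanded to `length` bytes.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second.

    The halves are each ceil(len/2) bytes and overlap by one byte for odd lengths.
    """
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256 over the whole secret (the default for RFC 5246 suites)."""
    return p_hash("sha256", secret, label + seed, length)


def derive_keys(prf, premaster, client_random, server_random):
    """Return (master_secret, {piece: bytes}) for this cipher suite.

    master_secret = PRF(premaster, "master secret", client_random + server_random)[0:48]
    key_block     = PRF(master, "key expansion", server_random + client_random)
    Note the reversed random order in the second call. The IV pieces are only
    used as CBC IVs in TLS 1.0; TLS 1.1+ carries an explicit IV in each record.
    """
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    key_block = prf(master, b"key expansion", server_random + client_random, KEY_BLOCK_LEN)
    keys, offset = {}, 0
    for name, size in PIECES:
        keys[name] = key_block[offset:offset + size]
        offset += size
    return master, keys


def derive_posted(version):
    """Derive from the posted values with the PRF for `version` ("1.0" or "1.2"); hex output."""
    prf = prf_tls10 if version == "1.0" else prf_tls12
    master, keys = derive_keys(prf, PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    return {"master": master.hex(), **{k: v.hex() for k, v in keys.items()}}


if __name__ == "__main__":
    for version in ("1.0", "1.2"):
        print(f"TLS {version} PRF:")
        for name, value in derive_posted(version).items():
            print(f"  {name}: {value}")
```

If the captured ServerHello says TLS 1.0, only the `prf_tls10` output is meaningful: decrypt the first application record with `client_key`/`client_iv` (or the server pair for the other direction) using AES-256-CBC, strip the padding, and verify the trailing 20-byte HMAC-SHA1 over the sequence number and record header with `client_mac`; a MAC that verifies is the confirmation that the derivation and version guess were right.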
