mundanename

HacknSlashAnnounce


I updated my post to actually do the key expansion as well. I'm 100% sure this is sha256 for the PRF as TLS_RSA_WITH_AES_256_CBC_SHA was defined in rfc5246 and there is a note that all cipher suites defined in that rfc use P_SHA256 (plus I looked through the source code for the jdk, wpa_supplicant, and polarssl, and they all use P_SHA256). BTW, what application are you using to generate the keys from the random + premaster? I couldn't find anything that does it out of the box.

I updated my post to actually do the key expansion as well. I'm 100% sure this is sha256 for the PRF as TLS_RSA_WITH_AES_256_CBC_SHA was defined in rfc5246 and there is a note that all cipher suites defined in that rfc use P_SHA256 (plus I looked through the source code for the jdk, wpa_supplicant, and polarssl, and they all use P_SHA256). BTW, what application are you using to generate the keys from the random + premaster? I couldn't find anything that does it out of the box.

Would also be interested in any tools - I'm doing a lot of googling and rolling my own, but I'm pretty damn sure I'm getting it wrong :).


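#!/bin/sh
# Fetch the announcement image, which is also a zip archive
wget -q http://www.hacknslashthegame.com/download/HacknSlashAnnounce.zip.jpg
# Extract the video from the archive
unzip -qq HacknSlashAnnounce.zip.jpg Outdoors.mp4 2> /dev/null
# Dump item 1 from the MP4 container
MP4Box -quiet -dump-item 1 Outdoors.mp4
# Decrypt the dumped file with the passphrase
openssl aes-256-cbc -d -pass 'pass:THE FIVE BOXING WIZARDS JUMP QUICKLY' -in crackme.enc -out crackme.exe
# Unpack the UPX-compressed executable
upx -qqq -d crackme.exe
# Feed the answer to the crackme under wine
echo "${THE_ANSWER}" | env WINEDEBUG=-all wine crackme.exe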

You can also easily get the entire incantation by running

strings -n 1500 crackme.exe

Wow, that's most helpful. I still didn't catch how you would get that final password i.e. what to put in THE_ANSWER if you don't have access to a Windows debugger. Plus, Brandon's tweets seem to indicate that there are more possible solutions than just the debugger one. I'm currently trying to brute force my way through the possible substrings. There are only 127,008 of them if splitting words in half isn't allowed.

If anybody wants to do the same, here's a quick and dirty Python script I came up with:


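#!/usr/bin/env python3
import sys

# Incantation text (truncated by the poster)
incantation = "AND WITH THIS INCANTATION I DO SO ENSORCELL MATTERS [.... rest removed so it won't weird out the page]"

words = incantation.split(' ')

# Emit every contiguous run of whole words, NUL-terminated for `xargs -0`
for i in range(len(words)):
    for j in range(i + 1, len(words) + 1):
        sys.stdout.write(' '.join(words[i:j]) + '\0')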

It will output the substrings zero-separatedly so you can pipe the output into

xargs -n 1 -0 -P 50 env WINEDEBUG=-all wine crackme.exe

where the 50 (parallel executions) is just a guesstimation. I tried a higher number at first but that led to loads of error messages after a while and 50 is enough to max out my CPU anyway. Apparently wine only uses one core here.

BTW, if you pass WINEDEBUG=+all instead of -all and grep for ntdll.strstr, you get loads of substrings from that incantation beast. Didn't get me anywhere so far though.

I updated my post to actually do the key expansion as well. I'm 100% sure this is sha256 for the PRF as TLS_RSA_WITH_AES_256_CBC_SHA was defined in rfc5246 and there is a note that all cipher suites defined in that rfc use P_SHA256 (plus I looked through the source code for the jdk, wpa_supplicant, and polarssl, and they all use P_SHA256).

Right, that's the TLS 1.2 RFC. However, I believe RFC 3268 covers using TLS_RSA_WITH_AES_256_CBC_SHA with TLS 1.0, which basically just replaces IDEA/DES with AES and leaves the key generation itself unchanged.

BTW, what application are you using to generate the keys from the random + premaster? I couldn't find anything that does it out of the box.

I'm hacking up a python TLS implementation I found: https://github.com/bjornedstrom/toytls (low levels of confidence in its actual correctness).

This is the first time I've dug into the guts of TLS, so it's a nice little learning experience.

Also, I note we're overlooking "... [computing verify_data:Tcz7sewhNdF70Xmd]". Not sure if this is useful.

Edit: actual code:


# Python 2 script (cStringIO and str.encode('hex') do not exist in Python 3)
import toytls.tls
import cStringIO

# The inputs are raw bytes, so read them in binary mode
clientrandom = open('../client-random.bin', 'rb').read()
serverrandom = open('../server-random.bin', 'rb').read()
premaster = open('../premaster.bin', 'rb').read()

# master secret: the seed is client random followed by server random
m = toytls.hash.PRF(premaster, 'master secret', clientrandom + serverrandom, 48)

# aes-256-cbc-sha - 20 byte MAC, 32 byte key, 16 byte IV (block)
# key expansion: the seed order is reversed (server random first)
material = cStringIO.StringIO(toytls.hash.PRF(m, 'key expansion', serverrandom + clientrandom, 20*2 + 32*2 + 16*2))

print('cmac: ' + material.read(20).encode('hex'))
print('smac: ' + material.read(20).encode('hex'))

print('ckey: ' + material.read(32).encode('hex'))
print('skey: ' + material.read(32).encode('hex'))

print('civ: ' + material.read(16).encode('hex'))
print('siv: ' + material.read(16).encode('hex'))


I don't think there is anything we can do with the verify_data since it is based on a hash of all communications so far, and we don't have most of the information (source).


Doesn't seem to match any of the complete strings in another part of memory so guessing something assembles fragments from different strings, or that was a red herring.

WITH THIS INCANTATION I OPEN THE LOCK CLASPED SIMPLY TO PROVIDE OPPORTUNITY FOR DEMONSTRATION OF MY POWER.

AND WITH THIS INCANTATION I DO DECLARE THAT BIRTHRIGHT HAS NO STANDING IN THE CHAMBERS OF WISDOM.

Damn, you're right. This makes my brute force attempt much less feasible :/


I'm hacking up a python TLS implementation I found: https://github.com/bjornedstrom/toytls (low levels of confidence in its actual correctness).

This is the first time I've dug into the guts of TLS, so it's a nice little learning experience.

Also, I note we're overlooking "... [computing verify_data:Tcz7sewhNdF70Xmd]". Not sure if this is useful.

Nice, I had docs from a couple of java implementations but not the actual source, so that's a much better reference point.

And yeah, I'm comfortable with SSL/TLS on a high level but I've never poked around the actual maths and such. Crypto is so cool.

Also, I note we're overlooking "... [computing verify_data:Tcz7sewhNdF70Xmd]". Not sure if this is useful.

Given it's based on a hash of the messages gone before


     struct {
         opaque verify_data[verify_data_length];
     } Finished;

     verify_data
        PRF(master_secret, finished_label, Hash(handshake_messages))
           [0..verify_data_length-1];

Not sure it really helps


Ok, looking through the various specs, I agree that we can't assume the TLS version (it really should have been specified in the trace thing). I'm still guessing it is 1.2, but I could be wrong.


Don't worry guys, I've got a team of monkeys pounding away on typewriters to solve this all.

Smiles

Unpacking the exe with upx makes it work under wine:


$ upx -d crackme.exe
$ wine crackme.exe
fixme:heap:HeapSetInformation (nil) 1 (nil) 0
fixme:volume:GetVolumePathNameA ("C:\\windows", 0x32f844, 260), stub!
fixme:volume:GetVolumePathNameW (L"C:\\windows", 0x12a010, 260), stub!
YOUR INCANTATION: 

Ha, awesome, I just figured this out on my own and came here to report it back :-D

You guys are way ahead, haha. So happy I can finally make some progress on my own!

Though I must admit I'm bad at debugging software inside of Wine...

Ok, looking through the various specs, I agree that we can't assume the TLS version (it really should have been specified in the trace thing). I'm still guessing it is 1.2, but I could be wrong.

I'm assuming 1.0 simply because that's what the actual site is.

As an aside, has anyone carefully compared the http and https versions of the site...?


You are probably right, I just connected with my browser, and it used TLS v1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA, and I know chrome supports TLS 1.2, so it looks like the server is set to 1.0 (which is strange since Apache 2.2 supports TLS 1.2).

snip

Can you edit this so that you don't have a giant line in a code block? It is really weirding out the page.

Also, I wrote a little python script using tlslite (pure python tls implementation) and got the following using the TLS 1.0 PRF (the only one it has):

cmac: 398e7548bd39cde1f4ebd862a37f3688230d9536
smac: cf9f5dc2799c50cf3df019adaa1c303ef754705e
ckey: f6f1534ed93084efe97a1428ec1af9f61fd8e6158aa8f6136ddfa8e6f27ea8ac
skey: c53bacff1cd31e3e70ed83d9506c9f9e6a9f35689499c25fa1f8bd896770e0ba
civ: 21329ea59191682cc3562c52315550c9
siv: 600470c838b93c56f1d6c62b66ef1caa

Which is identical to the ones you had at least confirming that the library works. If it is using TLS 1.0, these should be the correct keys, if not, I either need to actually build that snippet of c code (I don't feel like messing with makefiles right now), or write a pure python implementation of P_SHA256 (also, ugh).

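The open question in the posts above is whether the key block comes from the TLS 1.0 PRF or from P_SHA256. As an added example (not code from any poster, toytls or tlslite), here are both PRFs in standard-library Python 3 with the same AES-256-CBC-SHA split; the premaster and random values are constructed placeholders, not the puzzle's data.

```python
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash data expansion from RFC 2246 / RFC 5246, section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(S1, ...) XOR P_SHA1(S2, ...)."""
    half = (len(secret) + 1) // 2          # halves share the middle byte if length is odd
    s1, s2 = secret[:half], secret[-half:]
    md5 = p_hash("md5", s1, label + seed, length)
    sha1 = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 default PRF: P_SHA256 over the whole secret."""
    return p_hash("sha256", secret, label + seed, length)


def derive_keys(prf, premaster, client_random, server_random):
    """Master secret, then key block split for AES-256-CBC-SHA (20/32/16 bytes)."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    # Key expansion swaps the order of the two randoms.
    block = prf(master, b"key expansion", server_random + client_random, 2 * (20 + 32 + 16))
    # civ/siv are only used by TLS 1.0; TLS 1.1+ sends an explicit CBC IV per record.
    keys, pos = {}, 0
    for name, size in (("cmac", 20), ("smac", 20), ("ckey", 32),
                       ("skey", 32), ("civ", 16), ("siv", 16)):
        keys[name] = block[pos:pos + size]
        pos += size
    return master, keys


# Constructed sample inputs, not the values from the puzzle.
PREMASTER = b"\x03\x01" + bytes(range(46))
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    for name, prf in (("TLS 1.0", prf_tls10), ("TLS 1.2", prf_tls12)):
        _, keys = derive_keys(prf, PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
        print(name)
        for field, value in keys.items():
            print(f"  {field}: {value.hex()}")
```

Feeding the same premaster and randoms to both functions and comparing against known-good keys shows which protocol version a capture used.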

Though I must admit I'm bad at debugging software inside of Wine...

Yeah, don't we all love debugging with a command line only debugger?

BTW, running OllyDBG which most people seem to use inside of Wine didn't do any good for me. I finally had to resort to a Windows terminal server I have access to. I hate myself. Oh and Brandon for making this so much harder for non-Windows users.


Success!!

YOUR INCANTATION: AND WITH THIS INCANTATION I OPEN THE MECHANISMS TO AID OUR DISCOVERY OF KNOWLEDGE AND TRUTH.
SUCCESSFUL INCANTATION
Congratulations! You are a true reverser. It does my heart good that you
were willing to put in the effort to solve this series of puzzles. I want
to know who you are! Tweet the following code at me (@Noughtceratops),
and I'll know to keep in touch!
@Noughtceratops beJuJMbjKswS/gYxmhHqM20MptDezhgJ1r4Y...
Don't worry, I've already put it in your clipboard - sorry if something
important was in there!
Press any key to exit

After unpacking the UPX, it runs correctly under OllyDbg 1.10 (at least) under Wine 1.4 (at least). Just do:


WINEDEBUG=-all wine odbg110/OLLYDBG.EXE crackme.exe

That's likely to work on OS X as well, so nobody really needs Windows at this point.


Though I must admit I'm bad at debugging software inside of Wine...

Yeah, don't we all love debugging with a command line only debugger?

BTW, running OllyDBG which most people seem to use inside of Wine didn't do any good for me. I finally had to resort to a Windows terminal server I have access to. I hate myself. Oh and Brandon for making this so much harder for non-Windows users.

Ah, bummer! It did work for me, just now.


Interestingly, my incantation under wine was the same. I suspect that whatever it is looking at to decide the incantation is always the same under wine. Olly has a few problems under wine, but it does work.


Ah, so we're effectively running the same box. Interesting. Well, that's one way to solve the problem for us Linux folks :-/

Feels awfully cheatery though. Well, at least there's still the other puzzle!


I haven't been following the RSA discussion very closely so far because I was still struggling to get this darn password on my Linux box. AFAICS you're searching for an RSA key though. Did you guys try the ssh host key of the same machine? a7:6d:bd:17:05:a9:c0:c5:c5:01:22:62:62:c0:d6:be DSA and d2:3e:11:36:17:fa:27:e4:31:e9:63:1d:92:6c:1c:dc RSA. Dunno if this is any help.


Dude, those are the right keys, just use the client key and iv to decrypt the request and the server ones for the response, works like a champ. Looks like dumped packets for an http request and response, haven't figured out for what yet though. Looks like it is requesting Vote-from-cbd.txt from hacksnslashthegame.com, but that doesn't seem to exist. If anyone else wants to decrypt these, simply use:

openssl aes-256-cbc -d -K f6f1534ed93084efe97a1428ec1af9f61fd8e6158aa8f6136ddfa8e6f27ea8ac -iv 21329ea59191682cc3562c52315550c9 -in 

or

openssl aes-256-cbc -d -K c53bacff1cd31e3e70ed83d9506c9f9e6a9f35689499c25fa1f8bd896770e0ba -iv 600470c838b93c56f1d6c62b66ef1caa -in 

BTW, it is an http request for http://hacknslashthegame.com/download/a-note-from-cbd.txt

Actually, it is for hacksnslashthegame.com/download/a-note-from-cbd.txt, but that doesn't exist xD

Dude, those are the right keys, just use the client key and iv to decrypt everything, works like a champ. Looks like dumped packets for an http request and response, haven't figured out for what yet though. Looks like it is requesting Vote-from-cbd.txt from hacksnslashthegame.com, but that doesn't seem to exist. If anyone else wants to decrypt these, simply use:

openssl aes-256-cbc -d -K c53bacff1cd31e3e70ed83d9506c9f9e6a9f35689499c25fa1f8bd896770e0ba -iv 600470c838b93c56f1d6c62b66ef1caa -in 

Would you believe I was forgetting to specify -d?

snip

Can you edit this so that you don't have a giant line in a code block? It is really weirding out the page.

Sorry, done. Was too lazy to wrap that string so I just amputated it.

Dude, those are the right keys...

... [snip] ...

Actually, it is for hacksnslashthegame.com/download/a-note-from-cbd.txt, but that doesn't exist xD

Oh, man that is so cool!!! What an awesome payoff.

So, I wonder if we've found everything? Hopefully CBD will pop in here and tell us for sure :-D


Great work guys.

I never had time to poke around with many of the AF2012 prototypes. Did anybody find the love letter (if so, I'm guessing it's hiding somewhere in the forums here)?

So, I wonder if we've found everything? Hopefully CBD will pop in here and tell us for sure :-D

Brandon mentioned on Twitter that there was one last puzzle left. I think this was it :D


So, I wonder if we've found everything? Hopefully CBD will pop in here and tell us for sure :-D

Sounds like it. He said there was only one puzzle unsolved. I guess I can abort the attempt to brute force myself into the ssh account then.

Great work guys.

I never had time to poke around with many of the AF2012 prototypes. Did anybody find the love letter (if so, I'm guessing it's hiding somewhere in the forums here)?

Now that I know is still not quite working in Linux yet. Progress on that pretty much stopped in January: http://www.doublefine.com/forums/viewthread/8364/


Nice work DRayX! :D

Great work guys.

I never had time to poke around with many of the AF2012 prototypes. Did anybody find the love letter (if so, I'm guessing it's hiding somewhere in the forums here)?

Yup! We were a bit more evasive with the details in the thread and I don't think anyone put up the decrypted contents anywhere, since it was all entirely possible to solve in-game (though requiring a lot of patience with the first build since failed attempts to solve made it crash & you had to start from scratch; most of us hacked things up a bit to make it easier). Thread is here.

Thread is here.

Awesome, thanks :D

I spotted Brandon confirming on Twitter that we've found everything.

... only for now! There will be more puzzles in the future.


Wow, I'm late to this party but geez, well done everyone and what an awesome announcement.

P.S. If you want more puzzles to tide you over until later Hack 'n' Slashiness, the Python Challenge (http://www.pythonchallenge.com/) is a similar sort of puzzle.
