5n4ck3y 2025 / DC33
Snackey (5n4ck3y) is an annual competition at DEF CON going back a couple of years, I think to DC30. I have been interested in trying it ever since I first heard of it, but this year, at DC33, was the first time I tried.
This year they provided a file download and no hints about the challenges except somewhat inscrutable challenge names. I was excited to jump in but I hadn’t brought my laptop from my hotel room so I was looking at the file on my phone.
## Termux pitfall
On Android there is an app called Termux that gives you a terminal and the standard Linux command-line tools. Typing terminal commands on a phone keyboard was inconvenient but not the worst experience, just not great.
The real issue was that the toolset installed with Termux is not the same as what's in a standard modern Linux install, and I didn't realize it. I started by running `file` on the download, but it didn't turn up any information. When I later tried on my laptop it gave the answer right away, so I was headed in the right direction but hadn't set myself up with the right tools.
```
$ file bender_ctf.z5
bender_ctf.z5: data
```
vs on my laptop with a proper Linux install:
```
$ file bender_ctf.z5
bender_ctf.z5: Infocom (Z-machine 5, Release 1, Serial 250708)
```
## Hex editor to the rescue…?
I tried looking at the data in `hexdump` as well but didn't come up with anything obvious.
```
$ hexdump -C -n512 bender_ctf.z5
00000000 05 00 00 01 37 b4 37 b5 22 f5 01 0a 15 ac 1b 05 |....7.7.".......|
00000010 00 40 32 35 30 37 30 38 00 42 58 c3 d4 d0 00 00 |.@250708.BX.....|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 04 |................|
00000030 00 00 00 00 00 00 01 02 00 00 00 00 36 2e 34 33 |............6.43|
00000040 80 00 00 20 00 20 00 20 00 20 00 20 00 20 00 20 |... . . . . . . |
00000050 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 |. . . . . . . . |
*
00000100 00 20 00 03 00 00 00 00 00 00 00 00 00 00 00 00 |. ..............|
00000110 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 ff ff |................|
00000120 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 |................|
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000140 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000190 00 00 00 00 07 38 00 00 00 00 00 00 00 00 00 00 |.....8..........|
000001a0 00 00 07 48 00 00 00 00 00 00 00 00 00 00 00 00 |...H............|
000001b0 07 5a 00 00 00 00 00 00 00 00 00 00 00 00 07 6c |.Z.............l|
000001c0 00 08 00 00 00 00 00 00 00 00 00 00 07 7e 02 52 |.............~.R|
000001d0 00 00 00 00 00 00 00 00 00 00 07 93 00 04 00 00 |................|
000001e0 00 00 00 00 00 00 00 00 07 c6 00 00 00 00 00 00 |................|
000001f0 00 00 00 00 00 09 07 e4 00 04 00 00 00 00 00 08 |................|
00000200
```
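The header the hexdump shows is exactly what `file` on the laptop is reading, and it is small enough to decode by hand. As an added example (not code from the post), the Python below reads the fixed-layout Z-machine header fields from the first 64 bytes above (transcribed here into a byte literal) and reproduces the same `file` one-liner, so a Termux `file` answer of `data` need not be a dead end: the version is byte 0, the release number is at 0x02, the six-character serial at 0x12, and the file length and checksum at 0x1a and 0x1c. The offsets follow the Z-Machine Standards Document; the checksum helper needs the whole story file, which this excerpt does not include.

```python
import struct

# The first 64 bytes of bender_ctf.z5, transcribed from the hexdump above into a
# byte literal for this example; the rest of the file is not needed to read the header.
HEADER = bytes.fromhex(
    "05 00 00 01 37 b4 37 b5 22 f5 01 0a 15 ac 1b 05 "
    "00 40 32 35 30 37 30 38 00 42 58 c3 d4 d0 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 04 "
    "00 00 00 00 00 00 01 02 00 00 00 00 36 2e 34 33 "
)

# The file-length word at 0x1a is stored divided by a version-dependent factor.
LENGTH_SCALE = {1: 2, 2: 2, 3: 2, 4: 4, 5: 4, 6: 8, 7: 8, 8: 8}


def parse_zheader(data: bytes) -> dict:
    """Decode the fixed-layout story-file header (offsets per the Z-Machine Standards Document)."""
    if len(data) < 0x40:
        raise ValueError("need at least the 64-byte header")
    version = data[0]
    if version not in LENGTH_SCALE:
        raise ValueError(f"byte 0 is {version:#04x}, not a Z-machine version (1-8)")
    # 0x02..0x0f: seven big-endian words: release, high-memory base, initial PC,
    # dictionary, object table, global variables, static-memory base.
    release, high_mem, init_pc, dictionary, objects, globals_, static_mem = \
        struct.unpack_from(">7H", data, 0x02)
    serial = data[0x12:0x18].decode("ascii", errors="replace")   # six ASCII digits, YYMMDD
    abbrevs, packed_len, checksum = struct.unpack_from(">3H", data, 0x18)
    inform = data[0x3C:0x40].decode("ascii", errors="replace")   # Inform writes its compiler version here
    return {
        "version": version,
        "release": release,
        "serial": serial,
        "high_mem": high_mem,
        "initial_pc": init_pc,
        "dictionary": dictionary,
        "objects": objects,
        "globals": globals_,
        "static_mem": static_mem,
        "abbrevs": abbrevs,
        "file_len": packed_len * LENGTH_SCALE[version],
        "checksum": checksum,
        "inform": inform,
    }


def describe(data: bytes) -> str:
    """The same one-liner a current `file` prints for this header."""
    h = parse_zheader(data)
    return f"Infocom (Z-machine {h['version']}, Release {h['release']}, Serial {h['serial']})"


def verify_checksum(data: bytes) -> bool:
    """Header checksum = sum of bytes from 0x40 to file_len, mod 0x10000. Needs the whole file."""
    h = parse_zheader(data)
    if len(data) < h["file_len"]:
        raise ValueError(f"truncated: header says {h['file_len']} bytes, got {len(data)}")
    return sum(data[0x40:h["file_len"]]) & 0xFFFF == h["checksum"]


if __name__ == "__main__":
    for key, val in parse_zheader(HEADER).items():
        print(f"{key:>11}: {val:#06x}" if isinstance(val, int) else f"{key:>11}: {val}")
    print(describe(HEADER))
```

For this header `file_len` comes out as 0x58c3 × 4 = 90892 bytes, because version 4 and 5 files store the length divided by four; the `6.43` visible at 0x3c in the hexdump is the Inform compiler version, which is the usual sign that the story was built with Inform rather than a vintage Infocom toolchain.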
## Z-Machine games
Thankfully I figured it out based on some google-fu and the filename extension, so they really gave us multiple routes to get past this first step and ultimately this only took a few minutes to work out.
Some quick searching then took me to frotz, a Z-machine-compatible player for the terminal that happened to be in whatever package repo Termux uses.
From this point I messed around with the game itself for an hour or two. It's a nicely made game, with some interesting puzzles. I've never played text-based adventure games much because I find it frustrating when it won't do something you think is obvious unless you word it just right.
I spent probably 15 minutes trying to pick up a casino chip that was underwater before giving up. It was the last one I needed and I couldn’t for the life of me figure out how to tell the game to pick it up or search or examine the area to find it.
Shortly after this I was put out of my misery by the badges running out. I had started really late in the weekend so I only had an hour or two to mess with it before it was effectively too late to continue on.
## Dumping the game content
One thing I had tried immediately on the file was the obvious `strings` command, but the format is not conducive to this technique as there are no plaintext strings present.
I did find that there is a ztools package that provides some likely tools for working on the file, but as I was limited to my phone I was unable to get it installed. I probably could have, given enough time; again, if I had set myself up for success by having my laptop on hand this wouldn't have been an issue.
Thankfully, as soon as I opened up my laptop back at the hotel it was a simple `nix-shell -p ztools` away.
The file dump was extremely useful. There aren't any flags pasted in plaintext in it, but it does admonish you (or is it a congratulations for doing things the "correct" hacker way?) for reading the file that way, presumably using a string that is not referenced in the actual game.
What the file dump allowed me to do is read through all the text descriptions the game gives to see which eventual outcomes are possible. It doesn't say exactly how to get those outcomes, but in many cases the text itself provides enough context.
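Why `strings` comes up empty, and what a dump tool like ztools has to do to get the text out, as an added example that is not code from the post or from ztools: Z-machine text is not stored as ASCII. Each 16-bit word packs three 5-bit "Z-characters", and the top bit of a word marks the end of a string, so the bytes of a perfectly ordinary sentence almost never form a run of printable ASCII. The code below implements just alphabet A0 (lowercase letters) plus space, which is enough to show the packing, round-trips a constructed sample sentence, and runs a `strings -n 4`-style scan over the packed bytes to show that nothing is reported.

```python
# Z-characters 6..31 select letters from alphabet A0; 0 is a space. Shifts to the
# other alphabets (A1 uppercase, A2 punctuation/digits) and the abbreviation
# codes 1..3 are deliberately not implemented in this example.
A0 = "abcdefghijklmnopqrstuvwxyz"
Z_SPACE = 0
Z_PAD = 5          # a shift code in v3+; harmless as end-of-string padding


def encode_zstring(text: str) -> bytes:
    """Pack lowercase text into Z-machine words (alphabet A0 only, no abbreviations)."""
    zchars = []
    for ch in text:
        if ch == " ":
            zchars.append(Z_SPACE)
        elif ch in A0:
            zchars.append(6 + A0.index(ch))
        else:
            raise ValueError(f"{ch!r} is outside alphabet A0; shifts are not implemented here")
    while len(zchars) % 3:
        zchars.append(Z_PAD)
    out = bytearray()
    for i in range(0, len(zchars), 3):
        word = (zchars[i] << 10) | (zchars[i + 1] << 5) | zchars[i + 2]
        if i + 3 == len(zchars):
            word |= 0x8000                      # end-of-string marker
        out += word.to_bytes(2, "big")
    return bytes(out)


def decode_zstring(data: bytes, offset: int = 0) -> str:
    """Unpack words from `offset` until the end bit; unsupported Z-characters become '?'."""
    text = []
    while offset + 2 <= len(data):
        word = int.from_bytes(data[offset:offset + 2], "big")
        offset += 2
        for z in ((word >> 10) & 0x1F, (word >> 5) & 0x1F, word & 0x1F):
            if z == Z_SPACE:
                text.append(" ")
            elif 6 <= z <= 31:
                text.append(A0[z - 6])
            elif z == Z_PAD:
                pass                            # trailing padding (a real shift is ignored here)
            else:
                text.append("?")                # abbreviation or shift code, not handled
        if word & 0x8000:
            return "".join(text)
    raise ValueError("ran off the end of the data without seeing an end-of-string bit")


def strings_like(data: bytes, min_len: int = 4) -> list:
    """Mimic `strings -n N`: runs of at least N printable ASCII bytes (0x20..0x7e)."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":                    # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


SAMPLE = "hello world"   # constructed sample text for this example

if __name__ == "__main__":
    packed = encode_zstring(SAMPLE)
    print("packed:", packed.hex(" "))
    print("decoded:", decode_zstring(packed))
    print("strings would report:", strings_like(packed))
```

"hello world" packs to `35 51 46 80 72 97 c5 25`: the few bytes that happen to be printable (`5`, `Q`, `F`, `r`, `%`) never line up into a run of four, which is the general situation across a story file and the reason the real tool for this job is a Z-string-aware dumper rather than `strings`.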
## The story structure
It seems like a central thread in the story is an extended go-fetch quest where several NPCs want a certain thing, and mostly these things come from other NPCs who, surprise, want something in return.
There are several other loose pieces of story I haven’t connected together yet, which present other flags presumably. All are around the idea of encoding data in some obscure way and decoding it using clues and keys found in the game.
One of the big pieces is a long “soliloquy” from Lintile which appears to represent some programming code that will output a sequence of numbers.
## Go Fetch
So for the fetch quest chain you wind up with the ciphertext to decode.
Working backwards from the ciphertext:
| Give | To | Receive |
|---|---|---|
| Manual | Scanline | Ciphertext |
| Encrypted Data Chip | Proxy | Manual |
| Vintage Tube Filaments | Diva | Encrypted Data Chip |
| Zero-Day Cocktail | Alleyway Al | Vintage Tube Filaments |
| | Oracle | Zero-Day Cocktail |
Based on the text it seems like the Oracle will just give you the ZDC. They also have some other data for you, but I'll document that separately.
Several NPCs also give you a clue on how to decode the data, basically a method and key, and then Scanline tells you you’ll need to apply those three techniques in order to get to the output.
I think the methods described are different types of shift ciphers and other things of that ilk, but I'm not well-versed enough to spot them on sight, so I may need to try a few things to see what works.
## Soliloquy
The soliloquy from Lintile is long, so I won’t reproduce the whole thing here, but one stanza is:
> Romeo:
> You are a sweet blossoming amazing embroidered cunning blue plum.
> You are the sum of yourself and a gentle lovely king. You are the sum of a
> big cat and yourself.
> Speak your mind!
I've seen this kind of programming riddle before, usually as a way to encode code as English prose.
At first glance it immediately looks like an accumulator-based CPU with simple instructions.
The above code would translate to
```python
accumulator = "sweet blossoming amazing embroidered cunning blue plum"  # load
accumulator += "gentle lovely king"                                     # add
accumulator += "big cat"                                                # add
print(accumulator)                                                      # "Speak your mind!"
```
I haven't spent enough time with it to confirm how the strings should be interpreted. My first guess is that the number of letters in a word is the byte value, and each word is essentially a byte. But this is pretty arbitrary, so it could be a variety of other things, such as the sum of all character values.
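The accumulator reading above, as an added example evaluator (not the post's code and not a claimed solution): it parses the stanza's three sentence shapes ("You are a …", "You are the sum of … and …", "Speak your mind!") and runs them under a pluggable rule for turning a noun phrase into a number. Two rules are included. The first is the post's letter-count guess, applied as the sum of the letter counts of a phrase's words (one way to make it fit the "sum of" sentences). The second is the convention of the Shakespeare Programming Language, which is my reading of the stanza's shape and not something the post states: the noun is worth 1, every adjective in front of it doubles the value, and "Speak your mind!" prints the accumulator as a character. Both rules happen to land on 70 ('F') for this one stanza; that agreement says nothing about which reading is right, and the rest of the soliloquy is what would separate them.

```python
import re

# Lintile's stanza as quoted in the post, with the speaker line dropped.
STANZA = """You are a sweet blossoming amazing embroidered cunning blue plum.
You are the sum of yourself and a gentle lovely king. You are the sum of a
big cat and yourself.
Speak your mind!"""


def letter_count_value(phrase: str) -> int:
    """The post's first guess, applied per phrase: each word contributes its
    letter count and the phrase is the sum of its words."""
    return sum(len(w) for w in phrase.split())


def spl_value(phrase: str) -> int:
    """Shakespeare Programming Language rule (my reading, not the post's):
    the noun is worth 1 (plum, king and cat are all positive nouns in SPL)
    and each adjective in front of it doubles the value."""
    adjectives = len(phrase.split()) - 1
    return 2 ** adjectives


_SUM = re.compile(r"You are the sum of (.+?) and (.+)")   # must be tried before _SET
_SET = re.compile(r"You are (?:a|an|the) (.+)")
_TERM = re.compile(r"(?:a|an|the) (.+)")


def _term(t: str, acc: int, value) -> int:
    """A summand is either 'yourself' (the accumulator) or an article + noun phrase."""
    if t == "yourself":
        return acc
    m = _TERM.fullmatch(t)
    if not m:
        raise ValueError(f"unrecognised term {t!r}")
    return value(m.group(1))


def run_stanza(text: str, value) -> tuple:
    """Execute the stanza under the accumulator model and return
    (final accumulator, everything 'Speak your mind!' printed)."""
    acc, out = 0, []
    flat = " ".join(text.split())                       # undo the line wrapping
    for sentence in re.split(r"(?<=[.!?])\s+", flat):
        body = sentence.rstrip(".!?")
        if body == "Speak your mind":
            out.append(chr(acc))
        elif (m := _SUM.fullmatch(body)):
            acc = _term(m.group(1), acc, value) + _term(m.group(2), acc, value)
        elif (m := _SET.fullmatch(body)):
            acc = value(m.group(1))
        else:
            raise ValueError(f"unrecognised sentence: {sentence!r}")
    return acc, "".join(out)


if __name__ == "__main__":
    for name, rule in (("letter count", letter_count_value), ("SPL doubling", spl_value)):
        acc, printed = run_stanza(STANZA, rule)
        print(f"{name:>13}: accumulator={acc} printed={printed!r}")
```

Under the letter-count rule the three phrases are worth 48, 16 and 6; under the doubling rule they are 64, 4 and 2. Either way the stanza ends at 70 and prints `F`. Swapping in another candidate rule (for instance the sum of character values the post also mentions) is a one-function change, which is the point of keeping the parser and the valuation separate.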
## Loose data
- Oracle’s data
- Chips
- “free” flag / encoded
## WIP
I’ll continue this at some point…