My third MIT Mystery Hunt with ✈✈✈ Galactic Trendsetters ✈✈✈ (also
see: 2017 and 2016, writing with Random in 2015). It was a good hunt with a
fun theme, solid puzzles, and extraordinary production quality, marred
only by a fickle unlock structure and a handful of unnecessarily
involved extractions.
Since we had been told the hunt would be smaller than past years’
(now a controversial statement since the coin was not found
particularly early) and we didn’t particularly want to win (yet), part
of our team temporarily split off this year to hunt as Teammate. Based
on our Discord channel, ✈✈✈ Galactic Trendsetters ✈✈✈ had 75 people this
year, including remote solvers and people who dropped in and out.
A short description of the hunt structure: This year’s hunt theme was
Inside Out, the Disney movie about anthropomorphized emotions.
This was revealed through a kickoff that demonstrated the hunt’s
extraordinary production quality, in which we watched the unveiling of
the Health & Safety hunt, first directly, then in the Control Room
with the emotions of a distraught hunter (Miss Terry Hunter) and a lot
of beautiful memory orbs and scenery. After Terry’s emotions became
overwhelmed in response to the theme, we had to help her emotions to
allow her to complete the Health & Safety hunt. The intro round took
place in the Control Room; we had to solve 34 regular puzzles and five
metapuzzles (somewhat overlapping, with some regular puzzles belonging
to more than one metapuzzle) to help each of the five emotions get back
to the Control Room. The rest of the hunt consisted of recovering memory
orbs from each of four Islands of Personality, each of which had its own
theme and meta structure, and whose unlock order we could choose.
I love the music and the animation. The music video spells out the
central conceit somewhat explicitly, but I think the lyrics by
themselves have a hint of ambiguity — is it a harmful addiction that you
just can’t escape from, or an essential part of your identity that you
just can’t deny?
What parts of me can I just not deny, huh? Unfortunately 2017 is also
the year I decide my online presence should probably be a little more
professional, so you might have to read between the lines a bit.
Woo, first CTF writeup. I got the opportunity to participate in the
2017 CSAW CTF finals with Don’t Hack Alone.
Dumped by my core, left to bleed out bytes on the heap, I was
stripped of my dignity… The last thing I could do was to let other
programs strip me of my null-bytes just so my memory could live on.
We are provided with a core dump. Examining the flavor-text and the
dump, we notice that the dump has no null bytes; we conjecture that they
have been stripped out.
Next, we examine the hexdump and look for any clues. There are a
bunch of ASCII strings, but they look like normal debugging symbols. One
thing that jumps out is that there are a couple of fairly convincing
regular striped patterns that become vertically aligned if you display
20 bytes in each line. Once we do that, we notice the following section.
(This dump is from xxb but xxd -c 20 thoroughlyStripped is quite sufficient.)
Disassembling the executable produces a huge amount of code. There
are some basic obfuscations like a lot of trivial identity functions
nested in each other, and a few functions that wrap around identity
functions but just add some constant multiple of 16. Most of the meat is
in one very large function, though. If you disassemble this function
with IDA, you see a lot of variable initializations and then a lot of
interesting loops that are quite similar:
This is the first post on this blog after I migrated off WordPress
for a static solution.
At first, I wanted to set things up on Amazon Web Services (AWS),
which was an adventure. There are lots of online posts about how to do
this, but Amazon’s services change quickly and there was often outdated
information. For instance, Amazon had a wizard that led you through
setting up a static site, which I clicked on. It helpfully handled a lot
of grunt work, but now I was out of sync with all of the guides. Oh
well.
I think things are confusing partly because there are four AWS
components all interacting to make a static site happen:
I’m planning on migrating my primary blog (again), off WordPress to a
static site hosted somewhere. I might just throw everything onto GitHub
Pages, or might follow any of the zillions of tutorials on how to host
static sites off a cheap Amazon S3 bucket — I haven’t decided yet, but
no longer having to rely on the free part of freemium services is fairly
liberating.
2017-09-27 (1480 words), filed under Meta, Thoughts
tl;dr: I don’t use Facebook much. If you want to contact me,
I would prefer nearly any other mode of communication. I am also going
to stop autosharing posts from this blog onto Facebook. RSS readers are
great; get yours today.
Recently I checked Facebook and it said something like “You’ve added
N friends this past T units of time! Thanks for making the world more
connected!” and I just couldn’t any more. Facebook friends are not
friends.
Dunbar’s number is around 150, maybe double that if you want to stretch it;
humans cannot handle that many human relationships. Facebook’s siloed
ecosystem is the opposite of connected with the rest of the
Internet.
That is one of many reasons I pretty much don’t use Facebook any
more. This is not new, but I’ve never formalized it. Also, I figure
others might assume otherwise since I still do have an account and still
accept friend requests and post sometimes. Thus, I’m writing this
post.
There’s some point in the decline of a blog’s activity at which you
just can’t apologize with a straight face for not posting any more. Only
ironically.
I brainstormed reasons why I’m not blogging. It took a while for me
to find a reason that felt right, but I think it’s mostly the concern
that I don’t have anything important to say, and I’m just spamming
people’s inboxes or Facebook feeds. I make fun of my perfectionist
tendencies, but they haven’t gone away and have been exacerbated by how
public this blog feels now. There’s also a general feeling permeating
life that I should be trying to present myself professionally to people,
because like a diamond, the Internet is forever.
(Thing negative two: Thing zero, which is at the bottom of this post,
contains two puzzles by me. Skip there if that sounds interesting and
text walls don’t.)
Thing negative one: I abandoned this blog (again). The last month has
been a mess and much of it is political stuff of the sort that I’m the
worst/slowest at writing about.
Thing one: I was on-site for a second MIT Mystery Hunt.
It seems to me like lots of people want this year to be over. Among
all the other things, 2016 is also apparently the year I totally abandon
this blog and put off certain planned posts by several months.
I guess this is what happens when you take five technical classes at
MIT. The extracurriculars aren’t helping. And the fastest and most
confident writing I do is still reactive, when there’s an
externally-imposed deadline or when “somebody is wrong on the internet”.
This blog isn’t.
Oh well, time to make up for it in 2017.
What happened this year? I’ll start with some serious categories: