MSIG 2006 The Fire Lake Game

Crap-U-Hack Solution

How It Works

Teams are split into four groups and sent to four different conference rooms on campus.  Inside each conference room is a laptop.  Each laptop's desktop contains two icons, a text file called hacked.txt, and a shortcut to a program called Crap-U-Hack.  The text file seems to be a vague readme for the program.

Upon launching the Crap-U-Hack application each group was presented with this fairly obvious dialog:

The first three groups to arrive would then have to wait for the remainder to arrive and launch the program.  Once all four groups were there and connected, the main chat window appeared:

This is the primary means of communication between the groups for this puzzle.  The chat interface was not nearly as crappy as it might have been.  Trust me.  Aside from the obvious chat elements, this dialog also contains a menu bar.  The Hacks menu launches the various mini-puzzles, and the Help menu contains the About dialog, which is part of the meta-hack and final puzzle solution.

Here is a description of each mini-puzzle:

Five-By-Five

This puzzle seems to be nothing more than a blank dialog.  hacked.txt says that this is a mouse-over-network calibration tool, but mousing over and clicking on the dialog doesn't appear to do anything.  However, players quickly realize that instead of seeing their own mouse-over events, they are seeing each of the other players' events, and when multiple players mouse over the same region, the region turns darker.  When all four players mouse over the same region, it turns black and stays black.  The dialog is divided into 25 regions in a square grid (hence the name Five-By-Five).  To "hack" this tool, players must simply turn all 25 regions black.

PongFlood

This puzzle is a fairly straightforward implementation of Pong, except that each player has a paddle, one on each side of the screen.  The ball starts in the middle, and as it heads off in some random direction, players may note that a timer in the title has started counting down from 60.  If players manage to keep the ball alive until the timer hits 40, they may notice that the ball has doubled in speed.  At 20 seconds remaining, a large bitmap covers the half of the playfield opposite each player's paddle, like so:

To "hack" this puzzle, players must simply keep the ball alive for the full 60 seconds.

DateSploit

This is the most traditional puzzle of all the mini-puzzles.  It is simply a small dialog with a MonthCalendar control embedded in it, and players quickly notice that some of the dates are bolded (but each player has different dates bolded):

Sooner or later they also notice that they each have a different year, somewhere between 2003 and 2006.  Some astute player will also realize that none of the bolded dates exceeds 26.  From here it is simple to decode the hidden message.  Take the bolded dates in chronological order and convert them to letters in a standard 1=a, 26=z scheme, and the message reads, SELECT LAS / T PRIME DAT / E IN MONTH WI / TH NO BOLDS.  Collectively, the only month with no bolds is February.  23 is the last prime date in February, except of course for the player with 2004, a leap year, whose last prime date is 29.  Once all players select the correct date the puzzle has been "hacked".
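The DateSploit decode described above, as an added example with constructed bolded dates (this is not the game's own code; the dates are made up so that they spell the same message):

```python
import calendar
from datetime import date

# Constructed sample input: each player's year and that player's bolded (month, day) pairs.
# Lists need not be in order; the decoder sorts them chronologically. February is left
# empty everywhere, matching the puzzle's intended answer.
BOLDED = {
    2003: [(1, 19), (3, 5), (4, 12), (5, 5), (6, 3), (7, 20), (8, 12), (9, 1), (12, 19)],
    2004: [(1, 20), (3, 16), (4, 18), (5, 9), (6, 13), (7, 5), (8, 4), (9, 1), (10, 20)],
    2005: [(1, 5), (3, 9), (4, 14), (5, 13), (6, 15), (7, 14), (8, 20), (9, 8), (10, 23), (11, 9)],
    2006: [(7, 2), (3, 20), (11, 19), (4, 8), (9, 12), (5, 14), (10, 4), (6, 15), (8, 15)],
}

def decode_player(year, bolded):
    """Read one player's bolded dates in chronological order, mapping day 1..26 to a..z."""
    letters = []
    for d in sorted(date(year, m, day) for m, day in bolded):
        if not 1 <= d.day <= 26:
            raise ValueError(f"{d} cannot encode a letter")
        letters.append(chr(ord("a") + d.day - 1))
    return "".join(letters)

def decode_message(bolded_by_year):
    """Concatenate the per-player fragments in year order (2003 first)."""
    return "".join(decode_player(y, b) for y, b in sorted(bolded_by_year.items()))

def months_with_no_bolds(bolded_by_year):
    """Months in which no player has any bolded date."""
    used = {m for bolded in bolded_by_year.values() for m, _ in bolded}
    return sorted(set(range(1, 13)) - used)

def is_prime(n):
    return n >= 2 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def last_prime_day(year, month):
    """Largest prime day in the month; calendar.monthrange handles the leap year case."""
    _, ndays = calendar.monthrange(year, month)
    return max(d for d in range(1, ndays + 1) if is_prime(d))

def solve(bolded_by_year):
    """Date each player must select: last prime day of the one month with no bolds."""
    (month,) = months_with_no_bolds(bolded_by_year)
    return {y: date(y, month, last_prime_day(y, month)) for y in bolded_by_year}

if __name__ == "__main__":
    print(decode_message(BOLDED))
    print(solve(BOLDED))
```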

IntrasolarThermonuclearWarfare

hacked.txt tells the players exactly what is necessary to "hack" this puzzle: merely shoot all of the targets.  Players can change the angle and power of their shots, and once all players are ready, all four turrets fire at once.  It swiftly becomes apparent that the large blue bodies have varying amounts of gravity.  Missiles which leave the screen may return as long as they don't get too far away.  In the end this becomes a simple exercise in Newtonian physics, efficiency, and trial-and-error.  Plus, there's a black hole in the southeast corner.

FourTris

Again, hacked.txt tells the players exactly what is required to "hack" this puzzle.  Just "clear more than 4 lines at once".  (Although many teams seemed to willfully misread the file at first and assumed that the simple feat of clearing a Tetris was sufficient.)  Obviously, in standard Tetris clearing more than 4 lines at once would be impossible.  But in FourTris, all four players drop pieces on the same board at the same time.  The most obvious and most commonly tried method of solving this conundrum is creating a single shaft > 4 blocks tall and waiting for two stick-type pieces.  Unfortunately, this implementation of Tetris follows the old school piece ratio, where sticks are half as common as the rest of the pieces (1/13 pieces are sticks).  Still, this method will work for a patient team with a modicum of Tetris skill (which several teams clearly lacked in at least one player).  Many teams worked out that you only really need one stick and then perhaps an L or J.  The best Tetris players realized that a shaft two blocks wide is far superior to a single-block shaft, as you can then mix and match any of the available pieces to clear five (or more) lines at once.

The Crap-U-Hack

After each hack is completed, teams receive a block of text in the chat window.  Each block of text is a snippet from a single bug in a bug database for the very program they're using.  The bug describes steps to use the chat client to hack the chat server.  In full, the text reads:

Opened by tester_a
I think I've found a potential security issue in the About dialog. setBox takes user input and feeds that directly into the scripting engine without any preprocessing to make sure it doesn't do anything evil. We should just change setBox to accept plaintext.
Assigned by triage to tester_a
What is setBox in the About dialog? I only see the copyright info. Please add more info and reassign to active.
Assigned by tester_a to active
There's an easter egg in the About dialog. Basically if you click on the digits in the year backwards a text box and a button appear, which allows you to enter some text. It gets sent to the server, which does some strange thing with it. But the text goes through the scripting engine on the server, which is dangerous.
Resolved as Postponed by triage
We don't have time to fix this now unless you can show that this is a real security issue.
Activated by tester_a
I've found a definite attack. It requires two clients, both of which should enter the following text into the egg:
"%s",sendText+"
This causes the scripting engine to forward the send text from one of the clients to the other. But since that one also has the same text, it bounces right back, and it goes on like that. This causes the server's text-forwarding cache to overflow. You can even see the error message on the clients. We shouldn't be reflecting server error messages to the client, I've opened another bug on that.
Assigned by triage to dev_a
Resolved as Not Repro by dev_a
i can't get overflow to happen.
Activated by tester_a
Make sure both clients' About dialogs are open. Once you close the About dialog the text is cleared from the server and the overflow is repaired by the server.
Edited by dev_a
this is interesting. when the server's text-forwarding cache overflows the next area of memory is the password buffer. this overflow attack could probably be used to inject a password into the buffer. if there's a password in there the server assumes that the client is an administrator. seems pretty bad, working on fix
Edited by dev_a
hmm okay. so the password memory area already gets flushed every two seconds as a security measure. you'd have to spam the password at the server via the chat dialog at least once per two seconds for at least ten times while two other clients do the overflow exploit. then i guess you'd need a fourth client to actually act as administrator while the third client is spamming. looks like you could do anything then, worst would probably be "/dumpmem", also in the chat, cause you'd get everything in memory on the server. recommend hotfix
Edited by triage
But an attacker would still need the server's password for this attack, correct?
Edited by dev_a
well yes, unless the server was using the default "password" password.
Resolved as Won't Fix by triage
No one is that dumb.

This final hack simply requires the team to read and understand each step and to coordinate their actions.

Solution

Once the final hack is completed, the server displays the location of the next puzzle in the chat area.

Design Notes

This puzzle started out way back when as a Rube Goldberg type puzzle.  At least, that was the original seed of an idea.  The first full-fledged idea was called Crap-U-Chat, and it even had a mostly-working prototype.  It was completely inscrutable.  I would describe the entire idea here, but it would be at least three times as long as anything else on this page.  Suffice it to say, if you think using the chat client was annoying in Crap-U-Hack and you felt like you wanted to kill your teammates after playing FourTris, Crap-U-Chat would have actually resulted in bodies on the ground.

So I moved away from that towards the mini-game style puzzle that became Crap-U-Hack.  It was written entirely in Managed C++, primarily by one person, although the netcode got some badly needed tweaking (overhaul) by a couple of other people. Yes, there is still horrible lag for PongFlood and FourTris, but at least it doesn't cause the server to melt any more. IntrasolarThermonuclearWarfare and FourTris use Managed DirectX, which turns out to be rather easy to use.

Originally, we were going to run the game on Vista.  It probably would have worked, too, if it hadn't been for a bug in the .NET Framework where if you have a bolded date in a Vista-style MonthCalendar control and click on the year it crashes. >< Fortunately, they're fixing that bug for Orcas!

GC Notes

If you ever wanted to know what teams really think of each other, you're in luck!  The server you hack (called Server-U-Hack) was configured to record every conversation which took place, even the ones in Polish.  Here they are, though you should be warned that the majority of them are definitely rated R for verbal abuse and sexual, scatological, and blasphemous language.  If you're sensitive but still want to read them, just skip from the first occurrence of "Clients started FourTris" to "Clients hacked FourTris":

Cerulean; Fuschia; Indigo; Laser Lemon; Midnight Blue; Outer Space; Outrageous Orange; Pine Green; Radical Red; Red; Screamin' Green; Shadow

One team (that I know of) actually hacked the client.  This was not totally unexpected, but was rather funny since they tried to hide what they were doing by talking in Polish.  Unfortunately, many of the words associated with hacking (like "hardcoded" and "finalnym hascku") don't actually translate well into Polish.  Also, I doubt this saved them much time.  Even though they got access to the meta text early, they still solved all of the puzzles.

The lag during FourTris and PongFlood was not intentional, although it didn't prevent anyone from completing the hacks.

Also, "You have to ride on top of me" ranks high among my list of unintentionally funny things said while playing Tetris.