[ Walkthrough : SyScan 2015 Badge Challenge ]

2days ago, a few of us recently went to SyScan and completed the Badge Challenge that was put together by the SyScan crew.
Here is the a short writeup of our experience with all of the puzzles, their solutions, and the steps to solve them.
Of course, @miaubiz gave us a huge clue for solving the last stage and he also found the “Easter Egg” or “Debug Mode” in it.

Spoiler Alert: The following article is a detailed and methodical walk through of how to solve the challenge.
So please do take note and understand that this document contains MASSIVE spoilers!
If you’d rather try it for yourself, stop reading now and go and play NOW!

 

 

 

 

 

 

 

 

 

 

 

 

Still here?
Alright, lets go!

[ Stage 1 ]

One of the options we had when we power up the badge is “Unlock 1”
So we tried a bunch of options like “Open”, “Open Sesame”, “Open now God Damn It”. But we are always returned with the following QR Code.
IMG_0073
The above QR Code translate to “Try \”Unlock\”
So we thought, why not just try “Unlock”

Surprisingly, we got back another QR Code.
IMG_0075
This QR code translate to “insufficient privilege
Initially, we thought that maybe we need to have a special “Username” before we can unlock this.
So we started brute-force all the possible “usernames” used by “admin”.
But all these still failed until after the 1st tea break, we tried “sudo unlock” as shown in the image below.
IMG_20150328_012534288[1]
w00t h00t, we have successfully unlocked “Stage 1

[ Stage 2 ]
When we tried to unlock “Stage 2” using the same password as “Stage 1”, we got back something that looked like “morse code
IMG_20150328_012730132[1]
After decoding the “morse code“, we got back “ttall
We tried that but alas, it didn’t work at all. Then Thomas give everyone this clue, it’s not a full morse code.

We are wondering could it be “–all” since it sounds and looks like it.
So we entered “–all” but it wasn’t the key to “Stage 2
After another round of tea break, we thought whether could it be that “–all” is be appended to the answer for “Stage 1
So we tried “sudo unlock –all“. “Stage 2” unlocked.

[ Stage 3 ]
For “Stage 3“, we saw a new option for us to choose, “Crypt-analysis
Firing this option, we can see the following instruction.
IMG_0084

Our initial thoughts were, “Let’s use Base32 to decrypt it”.
However, we tried and it failed. We overcome this when @miaubiz gave me a clue, “Try bit flipping technique like +1 and -1 to the character.”
So we listened to his sagely advice and start brute-forcing by using “Ask Oracle
For simplicity sake, we tried the first 2 characters and we saw this english looking-like word.
IMG_0085

srueamishossifrage” seems like an english word so we started “Googling” for this word but no results…then we pondered for a while and realised it could be “squeamishossifrage” and we found this page.
Hmmmm…”The Magic Words” and “Cipher” were found in this Wikipedia page.

So we tried “squeamishossifrage” and Bingo we solved this.
IMG_0086

[ Easter Egg or Debug Mode ]
@miaubiz found this interesting “Easter Egg” or is it “Debug Mode“. It bypass “Stage 1” and “Stage 2” and go straight to “Stage 3“. O_O

So what @miaubiz did was took out the battery, push the joystick to “Up” position and then re-inserted the battery.
Next thing you know, the username is adm1n and you have reached “Stage 3

This “Easter Egg” is useful if you don’t want to keep repeating the process of solving the first 2 stages if your badge resets itself back to default.

Let me repeat this again. @miaubiz is a GENIUS.

Another thing we found out but we are still unclear what use does it have is the secret number in “Waste of Time

When you start the Game, it showed “Game of Life”. One of us are very familiar with “Game of Life” and immediately he found this secret number.
IMG_0064
Could “Godfather” Thomas Lim be giving us 8696 as the winning number for this week’s 4D? xDDD

We hope that this walkthrough is simple to understand. Please let us know if we did anything wrong in our process in solving this.

Well, all the guys here wished that the “Godfather” Thomas will organise another wonderful .SG conference in 2016 if there is no SyScan 2016….or will SyScan 2016 happen? xDDD

Happy Reversing,
Jacob, Damian & Glenn

Leave a Reply