FlareOn 9 - Challenge 9 Writeup
Challenge Statement and Files
Challenge Name: Nur geträumt Challenge Files:
- README.TXT
- Nur geträumt.img
Abbreviated Challenge Statement, taken from README.TXT:
This challenge is a Macintosh disk image (Disk Copy 4.2 format, for those who need to
know) containing a 68K Macintosh program. You must determine the passphrase used to
decode the flag contained within the application.
Happy solving! Be curious!
Getting the disk image to load in an emulator
I used the Mini vMac as an emulator. Starting up Mini vMac, gives the following:
As you can see a vMac.ROM file is necessary to emulate anything. In order to load the “Nur geträumt.img” disk, we need to first provide vMac.ROM which can be found some place online. Dragging the “Nur geträumt.img” into the window of Mini vMac gives the following prompt to insert a floppy:
The vMac.ROM is prompting the User to insert a floppy
Trying to drag and drop the “Nur geträumt.img” into the emulator gives:
I had the suspicion that to load the disk, an operating system was required. So I set out and downloaded MacOS System 7.0.1, a “graphical user interface-based operating system for Macintosh computers”.
Draggin the system 7.0.1 rom into the emulator gives
Finally, a usable GUI! Let’s load “Nur geträumt.img”
Oh no! It still does not work. The culprit here is the filename containing the umlaut ä. After renaming the “Nur geträumt.img” to not contain an umlaut, the disk loads fine:
Nur geträumt.img shows up on the desktop! The disk contains the executable “Nur geträumt.exe” which prompts for a password and outputs a flag value computed from the password.
Extracting the challenge executable from the disk image
In order to find the password, I set out to get my hands on the binary “Nur geträumt.exe” contained inside the “Nur geträumt.img” disk image. The disk image format is Apple DiskCopy 4.2. Find more information on the file format here.
The format is really simple. The raw data starts at byte offset 0x54. With this information, I used the following commands in WSL to extract the raw data of the disk image
$ mv 'Nur geträumt.img' thing.img
$ dd skip=84 bs=1 if=thing.img of=thing.bin
1474560+0 records in
1474560+0 records out
1474560 bytes (1.5 MB, 1.4 MiB) copied, 0.966041 s, 1.5 MB/s
$ file thing.bin
thing.hfs: Macintosh HFS data (mounted) block size: 512, number of blocks: 2874, volume name: Nur getr\\212umt
As you can see the raw data is a HFS (Hierarchical File System). I then used HFSExplorer to inspect the filesystem more closely.
The hfs in HFSExplorer with the desired executable highlighted.As you can see the filesize of the binary is zero. This stumped me at first but is a consequence of the hfs file format. In the hfs file format, the bytes making up a file are actually spread between two “forks”, the data fork and the resource fork. The file size shown in the screen shot above shows the size of the data fork. The actual content of this file is in the resource fork. Extracting the resource fork to the windows filesystem is easily done with HFSExplorer:
Extended Attributes refers to the resource fork
Solving the Challenge
With the binary extracted, I first looked at the strings contained in the binary. These are strings of interest:
Have fun, and enjoy the challenge! If you're still having
trouble, maybe try asking the program if it has a bit of time for you; perhaps
it will sing you a song.
and
99 Luftballons
The strings reference the 1983 hitsong “99 Luftballons” by Nena as well as hinting that the program might sing a song for us, if asked nicely.
Specifically, the hint references the following lyrics of “99 Luftballons”:
Hast du etwas Zeit für mich
Dann singe ich ein Lied für dich
which translates to
Do you have some time for me
Then I'll sing a song for you
well let’s try to enter a variation of “Hast du etwas Zeit fur mich” into the password prompt:
Not quite the flag yet, but getting there.As you can see the flag becomes already recognizable, it is the second line of the above song lyric with the usual suffix.
To be 100% sure that I got the right flag, I downloaded a german Version of the operating system which allows me to enter the ü in “Hast du etwas Zeit für mich?”
Note the umlaut in the password promptPressing try, confirms this input as the correct password:
The password is correct! This was a really fun challenge and I learned a lot about retro computing and old MacIntosh. Thanks to the challenge author!