iBe | 1A23 Labs
http://ilove.1a23.com
Everything you firmly believe in is nothing more than a mirror that keeps reflecting your own wishful delusions. (cosMo@暴走P)

This blog has been moved. (http://ilove.1a23.com/984)
Fri, 18 Mar 2016 04:11:31 +0000

Please visit https://blog.1a23.com/ .

If I would be there, everything will be ⅙. (http://ilove.1a23.com/976)
Fri, 13 Nov 2015 14:59:00 +0000

If I would be there, everything will be ⅙.
⅙ -out of the gravity- by ぼーかりおどP

“May the world you see at this(the) moment(end) be warm to you” (http://ilove.1a23.com/968)
Fri, 06 Nov 2015 12:15:23 +0000

“May the world you see at this(the) moment(end) be warm to you”
「但願至少在此刻(最終之時)所見的世界是充滿溫暖的」

Chinese lyrics: I love this world (http://ilove.1a23.com/962)
Thu, 22 Oct 2015 15:10:24 +0000

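This world, linked together through you,
turns the future into countless shining dreams.
The distant tomorrow of someone, somewhere,
is the continuation of our dreams today.

For every person who thinks of you,
there is a future that you create.
This world that seems to have been nurtured by you
is what I love the most.

I love this world
Lyrics/Music/Arrangement: にとぱん
Vocals: 初音ミク
http://www.nicovideo.jp/watch/sm23073336
Translation: 蓝色之风

“I want to see you dancing,”
someone, somewhere, thought.
And that imagination took shape,
and a tiny world was born here.

In that pure white world with nothing in it,
painting that exaggerated, crazy dream,
“I want to be able to do this and that as well,”
thinking so, we have come all the way to today.

Someone, somewhere, created something.
Someone, somewhere, used it.
Someone, somewhere, saw it.
Someone, somewhere, smiled.

For every person who thinks of you,
there is a future that you create.
This world that seems to have been nurtured by you
is what I love the most.

Seeing you dancing,
someone, somewhere, thought,
“I also want to make you dance beautifully,”
and from this, colourful futures overflowed.

Everyone has at some point
imagined a dream world of their very own.
With everyone's love, anything can come true.
So let's begin, and celebrate together.

This world, linked together through you,
turns the future into countless shining dreams.
The distant tomorrow of someone, somewhere,
is the continuation of our dreams today.

The world around you
has never been this vast.
Though at times I lose my way looking for you,
I will never forget that you exist.

Whatever outfit I see,
whatever expression and story,
whatever dance,
I'm looking forward to it.

I Love This World

La…

I Love This World

Original text: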

「踊っているキミの姿が見たい」
どこかの誰かがそう思った
やがてその想像はカタチになり
小さな世界がそこに生まれた

何にも無い真っ白なその世界に
途方も無い絵空事を夢に描いて
あんなことやこんなこともやってみたいと
そう思いながらここまで来た

どこかの誰かが何かを作って
どこかの誰かがそれを使って
どこかの誰かがそれを見て
どこかの誰かが笑顔になる

キミを想う人の数だけ
キミを創る未来がある
キミを育むようなこの世界が
僕は好きなんだ

踊っているキミの姿を見て
どこかの誰かがこう思った
「ボクもキミを上手に躍らせてみたい」
色んな未来がそこに溢れた

誰にだって一度位あるはずなんだ
自分だけの夢の世界思い浮べたこと
どんなことも叶えるんだ みんなの愛で
さあ始まるよ 今日はお祭り

世界は繋がるキミを通して
未来は輝く夢の数だけ
どこかの誰かの遠い明日は
今日の僕らの夢の続き

キミを包むこの世界は
こんなにも広くなり過ぎて
ときどきキミを見失いそうになるけど
キミがいること忘れやしないよ

今日はどんな衣装で
どんな表情(かお)でどんな物語(ストーリー)で
どんなダンスを見せてくれるのかな
楽しみだよ

I Love This World

La…

I Love This World

Karaoke: Hikage (http://ilove.1a23.com/955)
Sat, 10 Oct 2015 03:33:08 +0000

And so, the karaoke version as well...

http://www.bilibili.com/video/av3037591/

Self-made LRC: 光影 (http://ilove.1a23.com/951)
Thu, 08 Oct 2015 11:55:17 +0000

光影
H.K.君 feat. 初音ミク

[00:02.25]光影
[00:06.19]H.K.君 feat. 初音ミク
[00:12.14]by H.K.君 御江
[00:15.36]LRC:蓝色之风
[00:22.71]
[00:27.69]一人 独り ひとり  / 一个人 一个人 一个人
[00:33.18]歩いてきたこの帰り道  / 独自走来的归路
[00:39.84]暗い 暗い くらい  / 阴暗的 阴暗的 阴暗的
[00:45.46]零れた影と粉雪  / 斑驳零落的影子和细碎雪粉
[00:51.59]
[00:52.11]無地な日々続いてた  / 单调无色的日子持续着
[00:57.49]日照りは灰色に染まって  / 日照也染上了灰色
[01:04.96]果てのない時間数え  / 数着没有尽头的时间
[01:09.96]言い出せないこと  破裂しそう  / 说不出口的话 竟似决堤破裂
[01:16.07]
[01:17.00]孤独の夜空下  / 孤独的夜空下
[01:19.89]ここからの景色は  / 从此处望出去的景色
[01:23.11]どうしてこんなに寂しいな  / 为什么会是如此寂寞啊
[01:28.93]モノクロの世界  / 只有黑白的世界
[01:31.30]今 すべて  / 现在 全都
[01:34.51]あぁ 初雪の下  / 湮没在初雪之下
[01:40.94]
[01:56.88]君と 出会う その日  / 与你 相遇的 那一日
[02:02.38]同じ真っ白くて冷たい  / 也同样雪白而寒冷
[02:09.12]ガラスの壁 越して  / 在玻璃的那一边
[02:14.50]君の初音はいとしくて  / 你的初声是多么令人怜爱
[02:21.33]
[02:21.74]一枚で隔てられ  / 即便隔着一层
[02:26.71]それでも光浴びたように  / 也使我如沐浴柔光一般
[02:33.93]闇を彩った音  / 你那将黑暗染成彩色的声音
[02:39.30]心の曇りも晴れそう  / 将我心中乌云驱散
[02:45.19]
[02:46.02]こんな僕を救った  / 救赎这样的自己的
[02:49.24]君の優しさなんだ  / 正是你的温柔
[02:52.25]僕は もう独りじゃないから  / 我已不再是孑然一人了
[02:58.58]たくさんの言葉が   / 千千万万的话语
[03:00.54]今 すべて  / 现在 全都深藏于
[03:03.85]あぁ 白冬の中  / 白色冬天中 
[03:09.95]
[03:41.39]今こそ言い出せるか  / 现在能说出口了么
[03:44.60]このオモイとウタは  / 这份心情和这首歌啊
[03:47.90]君に だけの 愛言葉  / 只献给你的 爱的话语
[03:53.80]今宵 雪の下  / 今宵 雪之下
[03:56.07]今 すべて  / 现在 全都
[03:59.27]あぁ 届けるなら  / 能传达给你的话
[04:05.37]
[04:06.40]君に出会えたから  / 因为遇见了你
[04:09.08]今の僕がいるんだ  / 才有此刻的我
[04:12.29]きっと それは 運命さ  / 这一定 就是 命运吧
[04:18.50]世界が終わるまで / 世界终结为止
[04:20.78]歌い続く / 一直唱着
[04:23.88]あぁ 光影の唄   / 光影之歌
[04:30.00]
[05:03.08]End.
The Link: My Solution (http://ilove.1a23.com/914)
Sat, 19 Sep 2015 16:10:51 +0000
Tags: The Link, NUSSOC, National University of Singapore School of Computing, nussoc.com, Hacking challenge

0x00: What is The Link?


Link: http://nussoc.com/

0x01: Level 1.

code is in the code.
— From the official hint

From the source of level 1, we can see an AJAX request:

$(document).ready(function(){
    $('#submit').click(function(){
        if($('.password').val().trim() != ''){
            $.ajax({
                    type: 'GET',
                    url: 'submit.php',
                    data:{pass:$('.password').val()},
                    success:function(html)
                    {
                        window.location.href="process.php?unique_code="+$('.password').val();
                    }
            });   
        } else {
            alert('Please enter code!');
        }
    });
});

When the “code” is submitted, the page first sends it to a page called submit.php, passing it as the pass parameter.

In page submit.php?pass=mypass, there’s a piece of JS code as follows.

function a(){
    var pass = 'mypass';
    var passwd;
    passwd = 'wewanttohireyou';
    passwd= passwd + 'showuswhatyougot';
    passwd= '';
    passwd='youdidit';
    passwd=passwd+'_welldone';
    if (passwd==pass)
    {
        return 'Challenge Passed';

    }
    else
    {
        return 'Challenge Failed';

    }
}

Basically, the passcode is supposed to be the final value of passwd. I threw the code into a console (you can actually just read it, I was just kind of lazy). The passcode is youdidit_welldone.

You did it. Well done.

0x02: Level 2

Okay, in level 2 there are quite a few obstacles. Let’s solve them one by one.

0x0200: User-agent

Browse “The Link” using “Link”
Official hint

When the level is first opened, the box shows “BROWSER NOT SUPPORTED”. Checking its source code, there’s a commented-out “tinyurl” link that points to an article on Wikipedia.

<!-- http://tinyurl.com/5ru8yvp -->

It’s about a browser called Links. (Maybe it just happens that there’s a browser with the same name as the hacking event, plus an extra s.) I googled for the Links user agent and came across this site, which happened to have the UA string for that classic browser. I then grabbed the first line of it, which says:

Links (6.9; Unix 6.9-astral sparc; 80x25)

I used Chrome’s DevTools Device Emulator to change my UA string to it, and successfully accessed the correct page.

0x0201: QR codes.

In the puzzle window there are 2 QR codes, with some spacing between them. Firing up the view-source window, I saw these few lines.

<div style="padding:10px;float:left;"><img src="images/qrcode1.svg" width="100px" height="100px"/></div>
<!-- http://nussoc.com/challenges/2/images/qrcode2.svg -->
<div style="padding:10px;float:left;"><img src="images/qrcode3.svg" width="100px" height="100px"/></div>

Obviously, there’s a 1, a 3, and hidden in between, there’s a 2.

Scanning them one by one, this is the result I got.

QR code 1: b25lc3RlcGZ1cnRoZXI=
QR code 2: _tojoin_
QR code 3: a236210022be614ff79d33a8268093ac

For the first one, we can see there’s an equals sign at the end, so it’s likely a base64-encoded string. In the JS console, I typed:

> atob("b25lc3RlcGZ1cnRoZXI=");
< "onestepfurther"

So here, we got the first portion.

Nothing much to say about the second one. _tojoin_ is _tojoin_.

The last part is a 32-char hexadecimal string. What does it remind you of? MD5, right? I threw it into Google and got this. There were only 4 results at the time of writing, and the first two of them give the result thelink. So, we’ve also got the last portion.

Joining them together, we can easily get the passcode, onestepfurther_tojoin_thelink.

0x03: Level 3

This is a super tough level. I didn’t manage to solve it at the time of writing. But I did get something.

EDIT: It seems I made a careless mistake. runningkeycipherentrytothelink is the code.

When entering the level, there’s nothing special hidden in the source code. The only clues are:

  • In the URL, there’s a parameter that says ctext=syfgmcvsreubduijxbuzezskhxeipuadeab
  • On the picture, there’s a book titled “Web application security for Dummies”

In the first 5 hours, no one solved it. The admin posted quite a lot of hints in the forum.

Did you notice the book in the background? That might give you a hint .

Saying the book is useful.

Heard of “Tabula Recta”?

That is one of the encryption methods used.

Use the book to find the key! http://www.bradreese.com/qualys-web-application-security-for-dummies.pdf

A download link to the book.

How many possible ciphers using book ? We have used one of them ..

A book-related encryption method is used.

I did some research on Google, and through trial and error, I found out that the encryption method they used is called the Running Key Cipher.

To crack the key with a computer, I found this site (1, 2), which provides a Python script for automatically cracking the Vigenere Cipher (the base cipher used by the running key cipher).

In fact, we only need a few things:

  • english_quintgrams.txt.zip as a dictionary for language analysis
  • ngram_score.py for calculating match score with N-gram algorithm
  • pycipher for Vigenere decryption algorithm

To prepare the book, we need to do some pre-processing on the PDF file. After downloading it, we need to convert it to a txt file. There are plenty of tools for that, just google for one. Then we need to filter out all other characters, leaving only letters, and convert them to uppercase. We can do this with Python.

import re

with open("WAS.txt") as src:
    text = src.read()  # read the text extracted from the PDF

# convert the string to uppercase and remove everything except A-Z
text = re.sub(r'[^A-Z]', '', text.upper())

with open("WAS.out.txt", 'w') as dst:
    dst.write(text)  # create a new file and write the cleaned text to it

Then we can write our own script for decryption.

from ngram_score import ngram_score
from pycipher import Vigenere

with open("WAS.out.txt") as f:
    wl = f.read() # the book, letters only

g = ngram_score("english_quintgrams.txt") # the scorer

ct = 'SYFGMCVSREUBDUIJXBUZEZSKHXEIPUADEAB' # the ctext

def w(key):
    """Decipher the ctext with the given key; return (plaintext, key)"""
    a = Vigenere(key).decipher(ct)
    return (a, key)

d = [] # used to store all the results

def s(t):
    """Store the deciphered text, its score, and the key used"""
    score = g.score(t[0])
    d.append((t[0], score, t[1]))

for i in range(len(wl)-len(ct)+1): # for every ctext-length window of the book
    s(w(wl[i:i+len(ct)])) # try that window as the key

d = sorted(d, key=lambda a: a[1]) # sort by their score, best last

print(d[-10:]) # print the best 10 results

After calculation, the best result obtained is:

('RUNNINGKEYCIPHERENTRYTOTHELINKIPNHN', -151.94413608449415, 'BESTEPPINGSTONESTOBIGGERATTACKSORTO')
  • 'RUNNINGKEYCIPHERENTRYTOTHELINKIPNHN' is the plain text
  • 'BESTEPPINGSTONESTOBIGGERATTACKSORTO' is the key, found on page 34(40) of the book. (“be stepping stones to bigger attacks or to leak sensitive …”)
  • Highest score of -151.94
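
The sliding-window search described above, as an added example that is not part of the original post: it implements the Vigenère step directly instead of using pycipher and counts common English trigrams instead of using the quintgram scorer. BOOK is a short constructed passage containing the phrase quoted from the book; BOOK, TRIGRAMS and the function names are assumptions of this example.

```python
import re

# Ciphertext from the level's ctext URL parameter (taken from the page).
CTEXT = "SYFGMCVSREUBDUIJXBUZEZSKHXEIPUADEAB"

# Constructed stand-in for the book: only the quoted key phrase comes from
# the page, the surrounding sentences are filler written for this example.
BOOK = """
Small flaws in a web application can look harmless on their own.
Left alone, they may be stepping stones to bigger attacks or to leak
sensitive data, so every finding deserves a fix and a retest.
"""

# Assumption: a handful of common English trigrams stands in for the
# quintgram statistics file used in the write-up.
TRIGRAMS = ("THE", "ING", "AND", "ENT", "ION", "HER", "FOR", "THA", "ERE", "TER")


def normalize(text):
    """Uppercase and keep letters only, as in the preprocessing step."""
    return re.sub(r"[^A-Z]", "", text.upper())


def vigenere_decrypt(ct, key):
    """Tabula recta decryption: plaintext = ciphertext - key (mod 26)."""
    return "".join(
        chr((ord(c) - ord(k)) % 26 + ord("A")) for c, k in zip(ct, key)
    )


def score(text):
    """Count common-trigram hits; a higher count means more English-like."""
    return sum(text.count(t) for t in TRIGRAMS)


def crack_running_key(ct, book, top=3):
    """Try every ciphertext-length window of the book as the running key."""
    letters = normalize(book)
    results = []
    for i in range(len(letters) - len(ct) + 1):
        key = letters[i:i + len(ct)]
        pt = vigenere_decrypt(ct, key)
        results.append((score(pt), pt, key, i))
    # Best candidates first: (score, plaintext, key, offset in the book)
    return sorted(results, reverse=True)[:top]


if __name__ == "__main__":
    for hits, pt, key, offset in crack_running_key(CTEXT, BOOK):
        print(hits, pt, key, offset)
```

Wrong windows decrypt to near-random letters and rarely hit any trigram, so the correct window stands out even with this crude scorer; against the full book the quintgram model from the write-up is the more reliable choice.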


After several attempts, none of the codes below are the answer:

  • RUNNINGKEYCIPHERENTRYTOTHELINKIPNHN
  • runningkeycipherentrytothelinkipnhn
  • runningkeycipherentrytothelink
  • ipnhn
  • IPNHN
  • rho
  • isrho
  • runningkeycipherentrytothelinkisrho # it’s not rho.

Removing the unreadable 5 letters, the key is runningkeycipherentrytothelink.

0x04: Level 4

Somewhat easier.

This time there’s an MP3 file on the webpage. Its filename reads OWASP Appsec Tutorial - Appsec Basics - Challenge. After googling, I found that it was extracted from a YouTube video.

By observation, the audio file is 9 minutes long, but the video is only 8:31. Comparing the two, some weird sound can be heard in between.

By googling ‘hide message in MP3’, I found a method that can hide an image in the spectrogram of an audio file. Using a tool to display the spectrogram, words can be seen.

Screenshot
I forgot to include the “One” in the beginning.

The tool I used is called Sonic Visualiser

So the passcode is GoodJob_AllSetForLastOne.

0x05: Level 5

Not as difficult as Level 3.

Nothing special on the webpage. Checking the source code, I saw a link to a .pcap packet capture file.

<!-- http://nussoc.com/challenges/5/files/challenge5.pcap -->

Opening it with Wireshark, I saw some HTTP packets. Filtering for all the HTTP packets, this is what I got:

Packets

Reading them one by one, I observed that there’s a web app that allows file uploads, and the client keeps uploading something.

In fact, only two of the packets are useful.

No. 32: POST /app/uploader.php HTTP/1.1 (application/octet-stream)

A file is uploaded. (Below is the hex of the file.)

   52 61 72 21 1a 07 00 cf 90 73 00 00 0d 00 00 00
   00 00 00 00 b9 60 74 24 94 35 00 50 00 00 00 3c
   00 00 00 02 9d 58 3d cd f2 93 28 47 1d 33 08 00
   20 00 00 00 63 32 56 6a 63 6d 56 30 fe 64 5e 03
   8d 9b fd b3 00 b0 02 b0 4c 46 eb 7c 93 d3 a0 06
   9f 3e 88 d2 67 5e 6a 78 1c 3f 28 19 50 5e b1 aa
   cd d2 18 ee 89 88 b4 9e fb 3d 33 1e 24 b6 ac 4c
   24 86 73 67 f0 64 c5 34 8b 41 5e 67 9f 6f 40 66
   a8 a5 50 7d b7 4c d5 af 91 ef b0 69 19 86 f1 4e
   1c 3c d4 49 2b dc 2a fc 1b c4 3d 7b 00 40 07 00

52 61 72 21 is Rar!, so we can confirm it’s a RAR file.

Opening the archive, there’s a file called c2VjcmV0, password protected.

No. 52: POST /app/uploader.php HTTP/1.1 (text/plain)

A plain text file is uploaded. iamhere.txt which says:

password is welcome

Okay, password is welcome.

Using this password, we can open the file in that RAR archive. It says:

VFdsemMybHZia052YlhCc1pYUmxaRjlYWld4amIyMWxWRzlVYUdWTWFXNXI=

Umm… [A-Za-z0-9]+={0,2}, yet another Base64.

> atob("VFdsemMybHZia052YlhCc1pYUmxaRjlYWld4amIyMWxWRzlVYUdWTWFXNXI=")
< "TWlzc2lvbkNvbXBsZXRlZF9XZWxjb21lVG9UaGVMaW5r"

Another Base64?! I just don’t know why the setter likes Base64 so much. Well…

> atob("TWlzc2lvbkNvbXBsZXRlZF9XZWxjb21lVG9UaGVMaW5r")
< "MissionCompleted_WelcomeToTheLink"

Nothing special, that’s the key. MissionCompleted_WelcomeToTheLink.

0x06: Afterword

Although I spent quite a short time finishing the last level, I didn’t manage to get into the ranking. Well, whatever. I got it solved.

And I hope this could help someone.

Just outside of the ranking, my score is 1573.

Eana’s First Publication. (http://ilove.1a23.com/910)
Sat, 19 Sep 2015 15:49:07 +0000

Yah, that’s the book.

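Now I reach out both my hands toward tomorrow (http://ilove.1a23.com/884)
Tue, 26 May 2015 14:39:56 +0000

An attempt at Chinese lyrics for むかしむかしのきょうのぼく.

Now I reach out both my hands toward tomorrow,
and say to my companions, “See you tomorrow, my friends.”
That “you have to do your best” coming from behind me,
these familiar voices echo in my ears once again.
Meanwhile, I, dashing along this asphalt road,
am immersed in these warm tears.
So I say, Bye Bye,
“me of today, a long, long time ago.”

Now I reach out both my hands toward tomorrow,
and say to my companions, “See you tomorrow, my friends.”
The voices coming from behind echo in my ears;
they have been with you and me, unchanged from the very first moment.
Meanwhile, you and I, facing each other in tears,
show each other a warm smile.
So I say, Bye Bye,
“me of today, a long, long time ago.”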

To the second anniversary of Lyricova (http://ilove.1a23.com/880)
Tue, 19 May 2015 13:02:51 +0000

To the 2nd anniversary of Lyricova.

Time flies. It has been two years since I first started this project, and it is also the project I have run the longest. Here I would like to talk about why I wanted to start such a project.

Since the very beginning, the headline of Lyricova has read “the innermost me, explained”. Like the current one, “This is what I sing, all day long”, it tells the same idea: Lyricova is where I expose my innermost feelings in a way that most people can understand. I started listening to Vocaloids in 2011. The first two songs were “the Disappearance of Hatsune Miku” and “Tell your world”. That was the first time I felt such sympathy from a song. From then on, I was exposed to more Vocaloid songs. I found myself falling in love with them, not the characters, but the songs per se, as I believe those songs are created by people who are not mainstream songwriters, by everyone who is enthusiastic about music, by those who want to express their feelings through music. Just like what Google says, “Vocaloids, virtual singers. Everyone, creator.”

Then I started to sing all the Vocaloid songs, anywhere, anytime, just as I had done before. As I am not quite an outgoing person, I have a relatively small social circle. Sometimes when I feel bad, I find there are really few people I can speak to. I don’t know of anyone who can really quietly listen to me. And even if there were such a person, I might not really know what I want to say, what I want to tell others. That was until I found Vocaloids. Over the 4 years of my encounter with them, I’ve found a feeling of sympathy that nowhere else can give me, and they also give me a medium through which I can express my feelings to others in a more acceptable way.

Around me, someone complained that although I sing quite OK, he cannot understand what I’m singing. Vocaloids, in the view of my social circle, are considered non-popular, or to most of them, “no idea of what it is”. So I decided to share these lyrics on my SNS accounts, translated, as I hoped others would know what I’m singing, the feeling of “wanting to be cared for by others”. Later, I found that there was quite a need for me to keep all the lyrics in an archive, and spread them more efficiently.

Then, I started Project Lyricova.

It is an archive of those lyrics that move me, and more like a place for people who want to know the real me. (Though maybe no one would like to do so.) For Lyricova, I crafted everything from scratch: the blog system, the front end and back end mechanisms, as well as all the contents, with translations. It feels like Lyricova is a child of mine, as I have put all my feelings and hard work into it.

Even now, I still believe that eventually someone will read this site and feel what I feel. With that, I’m satisfied.

Looking back, Lyricova is more like a diary, a diary that uses others’ words to express my own feelings.

So, with all of this, I wish you a happy birthday, and a better future, my dear Lyricova.

With all my heart, “Happy birthday”, and I look forward to your continued support.

Lyricova, thank you.