Yesterday Sophos introduced a small Christmas challenge, and I took part it in, it was definitely a fun learning experience.
The first step is deciphering this: =ImYndmbn1ieiBnLmJWdjJmZ
As soon as I saw it I knew it looked familiar but it doesn't decrypt straight away, it's in the wrong order. Swap the lettering around including the = sign, so it should now be ZmJjdWJmLnBiei1nbmdnYmI=
You'll need this to decode it. http://www.opinionatedgeek.com/dotnet/tools/base64decode/
Input the fixed lettering into the calculator and decode it safely as text and you'll get this: fbcubf.pbz-gnggbb
Still doesn't make a lot of sense does it? ah well, lets decode it again. It's encoded using rot13, rot short for rotate, it rotates any letters 13 letters forwards or backwards in the alphabet. http://rot13.com/index.php when it's decoded, you'll get sophos.com-tattoo, remove the - and replace it with /.
* Note, remember "rot13", you'll need it later.
That was rather easy. Now use that URL and get to the second stage.
http://www.sophos.com/en-us/security-news-trends/security-trends/tattoo-puzzle.aspx
======================================================
Second stage:
This is a much harder stage and you'll want either Python or C programming language experience. I went with C and wrote a short little program for this step.
Anyway, download the text file and read the instructions. Now you'll need to decode the block of text.
Now ignore the ascii art in there, it doesn't mean anything towards this, it just looks nice. Start at the top and analyze the code, we can see 504b code, which is code for zip, so we can safely assume this is a zip file.
Now this is where you'll want either Python or C to help out. As I said, I used C, so here is a pastebin or my coding for my program.
http://pastebin.com/LeMpAkSP
It's also worth me mentioning a little extra thing about that block of text. It's hex code, so you can run it through a hex to ascii translator, and you'll be able to decipher some of the real text, you'll also get a hint of what it inside that zip file.
Use my program to strip out any characters that shouldn't be there and put the zip file back together. Once you have the zip file, you'll need to extract the zip file and get the image from inside it, but first, you'll need the password for it. Remember I said you'll need rot13? that's the zip password, so now you can extract the image.
Now once it's extracted, have a peek at it and play around with it. It's just a pink block, that's all you'll see till you open it up. The block actually has some hidden text in it, but your not supposed to know that till later on.
What I mean by that is, open the gif file in Notepad (or whatever word editing program you prefer, Notepad++ personally), now remember these 2 things: Since when was pink a shade of gray? & GIF89a
You'll need those 2 hints later.
Now we can open up the image file and reverse engineer it. Not everyone will be able to do this, but I can because I'm on Windows XP. I used the debugging program through the command line.
cd C:\
cd gif
debug theimage.gif
You'll get just a dash when you open the debugging program, so now you'll want to dump the memory, press d & enter.
Next, you'll notice that GIF89a has re-appeared, I said you'll want to remember that along with the next bit I'll talk you through. Once you dumped the memory, it will come to the - mark again, so press d and do another dump of the memory to get the important part. (-d)
This second block of code has the important bit, you'll see some more bytes of data. F1 BB ED
That's where the hidden text is, there's more than 1 pink in the paint palette and that's why you can't see it normally, no matter what you do. Okay so we now have the bytes where that hidden text is, so we need to change the colour to be able to see it. Back at the - mark, this time type "e 34d", and press enter to edit the data.
You'll see F1 come up, and I changed it to 80 (gray) so I could see it, and I did this for all 3 bytes of text. Type 80 next to the F1, press space, Do the same for BB & ED.
Now you've changed the colour of all 3, press enter to get back to the - mark, type w and press enter to write the new data. 429 bytes of data should be written now, and you can now close the command prompt by typing q at the - mark.
Now open the gif file again and you can see the hidden text. Spy Bounty Recurs? what does that mean?
It's an anagram, this step is somewhat easier. Run it through an online anagram solver, however the last word wont come out right, but from what letters are left, you could work it out. You could also do this manually and go look at NakedSecurity site, the hint is to do with travel and USB's.
ENCRYPT YOUR USBS
Is the answer. Hope you all had fun. :)
Well done explanation.
ReplyDeleteI'm impressed.
MJZ
Thanks JaciwM.
ReplyDeleteBoy oh Boy!
ReplyDeleteI wouldn't have figured that out in months!!!
or maybe even years!
(: