Shall We Play A Game?
It’s been a long time since I did a big puzzle solution post, and even longer since I played a crypto contest at ShmooCon. That’s about to change. :)
After winning three years in a row, and running the ShmooCon contest for four years after that, I finally stepped away from the fray in 2016. But I did help out a little, commenting on the puzzles they were putting together and generally offering advice. This year, though, about 2 weeks before ShmooCon started, it dawned on me: I haven’t heard a single thing about the contest. I CAN PLAY!
But I didn’t jump right in. I even got some taunting comments over Twitter from the contest organizers, urging me to try a few of the puzzles. Then Saturday morning, I went to chat with them in the Chill Out room, and joked that I should just “find the team that’s in 3rd place and help them.” Then I turned to the table next to me, and found out they were, in fact, in 3rd place.
So I sat down and went through what they’d accomplished so far (quite a bit, actually) and gave them some suggestions for a couple other puzzles. But I was determined to stay kind of in the background. Then I started looking more closely at the chain of puzzles which started with the conference badges… and got sucked right in. And that’s how I ended up a (silent) part of the Pikachu Mafia.
My initial attempts to keep my distance were pretty well summed up by this tweet from my wife, regarding whether or not my bag was still hiding in a corner at registration:
The contest followed the same basic pattern that’s been used for the last two years at ShmooCon, which was itself inspired by the 2014 BSidesLV contest. It’s a series of games and puzzles, some of which are just silly things to do, some are harder puzzles, and some are chained-together cryptography challenges.
It included four “tracks” of puzzles, based on the tracks of the conference: One Track Mind (red), Build It (purple), Belay It (blue), and Bring It On (orange). Scoring was based on blocks (10 points), pieces (individual groups making single Tetris-like pieces, 5 points each)), Tracks (both pieces of the same color, 20 points), and rows (completing each of the bottom three rows of the puzzle board, 20 points for each row). A bonus was also added for the first team to complete each of the scoring items (1 point for blocks, 4 for pieces, and 8 points for first to complete individual tracks and rows).
I’m Not a Ringer
I do have a bit of a reputation for these games, and my presence on the team did not go unnoticed by RPISEC and Decipher, the teams which had been jockying for first place since the contest began. However, I’d like to note the following:
- By the time I joined up, Pikachu Mafia had already completed 14 puzzles
- They completed three more, bringing their total to more than half the board, without any further suggestions from me
- For six puzzles, my contribution was mostly “Oh, that looks like X” and the rest of the team knocked it out completely without me (though I finished one when the person working it had to stop due to a dead laptop battery).
- We worked closely, and intensely, on two of the One Track Mind puzzles (the first and last ones).
- I solved five mostly on my own, claiming credit for the team.
- I also completed two of the One Track puzzles on my own, but didn’t submit for team credit. Instead, I gave hints to the rest of the team and they completed them on their own as well.
So this was definitely a team effort. Hats off to the team – they worked their butts off for many of these, and definitely earned their prizes (I didn’t claim any prizes, mostly because I’m on con staff and so don’t need tickets).
Also, I’d like to point out that I have a very well known and documented habit of getting totally bogged down in the wrong path, and definitely got stuck badly on a couple of the puzzles this time.
Belay It 1 - Total Control
This one was built from a series of images on signs around the conference. Each sign included 16 images of a game controller (though one had only 12 images). The only thing that varied amongst these images was the D-pad buttons, which were either totally blank, or completely filled in, or a thin outline of a button. This immediately suggested a trinary code to me, and I said as much to the team. The hard part would be determining the “most significant trinary-bit (trit?).
After suggesting this, I went back into a rabbit hole on other puzzles, and when I came back up for air, they’d finished most of the puzzle. I’m not sure how they solved it, but here’s how I did it myself a few days later.
The D-Pad buttons are either Outlined (O), Filled (F), or Blank (B). Starting with left and going clockwise:
OBOB OBBO OBFO OOOB OOOF OFOB OBBO OBOB OFFF OOBF OOBF OFOB OBFO OOOF OBFF OBOB OBBO OBFO OBFB OOOB OOBF OBFF OFOB OFOF OOFF OFOO OOFO OBFO OOFO OFOO OBFF OFFF OFOO OBOF OBFO OFOO OOFF OOFF OBOB OBBO OBFO OFFO OOOF OOBO OOBO OBFO OOOB OBFO OBFF OOFO OBFO OOOF OBFF OBOB OBBO OBFO OBFB OOBF OOOB OOFF OFFO OFOB OOBF OBFB OFOO OBOF OBFO OOFB OFBF OBFO OFOO OBOF OBFO OBFB OFBF OFOO OBFF OFFO OFOB OFFF OBFO OOFF OOFF OBOB OBBO OBFO OBBO OFOO OFOB OBBO OBFO OFOB
(these are already in the right order, but in practice it’s not hard to reassemble them once you’ve solved the individual sequences).
I didn’t see any “OOOO,” and in fact there’s never anything but the plain “outline” for the leftmost button, so it looks like this encodes numbers from 1-26. Convenient, isn’t it? (222 in trinary is 29 + 23 + 2*1). So “E” would be 5, or 0012 in trinary. To jump-start the decoding, I counted the frequency of each four-character symbol:
LURD (left, up, right, down) 16 OBFO 8 OFOO 8 OBBO 7 OFOB 6 OOFF 6 OBOB 6 OBFF 5 OOBF 4 OOOF 4 OOOB 4 OBFB 3 OOFO 3 OFFO 3 OFFF 3 OBOF 2 OOBO 2 OFBF 1 OOFB 1 OFOF
It’s looking pretty much like OBFO is E (with 16 occurrences), though that might also be a space (likely Z). Let’s assume it’s E. Now, is B the 1 or is F? Another common letter should be T, which is 0202. This could be the symbol at #8 (OBB0) except that it’s in the same two positions as the buttons used for E, where T should use the 9s position. So…#6? OOFF? That’d mean B = 1, F = 2, and the order is Left, Down, Right, Up. (or counterclockwise from left, exactly opposite my initial assumption. Figures.)
Rearranging the columns and converting letters to trinary, and trinary to decimal, then decimal to letters, we get (and including the original arrangement of buttons):
LDRU LURD 16 OOFB 012 - 5 E OBFO 8 OOOF 001 - 1 A OFOO 8 OOBB 022 - 8 H OBBO 7 OBOF 201 - 19 S OFOB 6 OFFO 110 - 11 L OOFF 6 OBOB 202 - 20 T OBOB 6 OFFB 112 - 14 N OBFF 5 OFBO 120 - 15 O OOBF 4 OFOO 100 - 9 I OOOF 4 OBOO 200 - 18 R OOOB 4 OBFB 212 - 23 W OBFB 3 OOFO 010 - 3 C OOFO 3 OOFF 011 - 4 D OFFO 3 OFFF 111 - 13 M OFFF 3 OFOB 102 - 11 K OBOF 2 OOBO 020 - 6 F OOBO 2 OFBF 121 - 16 P OFBF 1 OBFO 210 - 21 U OOFB 1 OFOF 101 - 10 J OFOF
(I didn’t do this all at once, but instead tried a few here and there until I was confident that I was getting reasonable results…but it’s clear that I could’ve gone right to this from my initial guesses). The final message, then, using my original clockwise ordering of the buttons (the last column above), we get:
OBOB OBBO OBFO OOOB OOOF OFOB OBBO OBOB OFFF OOBF OOBF OFOB OBFO OOOF OBFF OBOB T H E R I S H T M O O S E I N T OBBO OBFO OBFB OOOB OOBF OBFF OFOB OFOF OOFF OFOO OOFO OBFO OOFO OFOO OBFF OFFF H E W R O N S J L A C E C A N M OFOO OBOF OBFO OFOO OOFF OOFF OBOB OBBO OBFO OFFO OOOF OOBO OOBO OBFO OOOB OBFO A K E A L L T H E D I F F E R E OBFF OOFO OBFO OOOF OBFF OBOB OBBO OBFO OBFB OOBF OOOB OOFF OFFO OFOB OOBF OBFB N C E I N T H E W O R L D S O W OFOO OBOF OBFO OOFB OFBF OBFO OFOO OBOF OBFO OBFB OFBF OFOO OBFF OFFO OFOB OFFF A K E U P E A K E W P A N D S M OBFO OOFF OOFF OBOB OBBO OBFO OBBO OFOO OFOB OBBO OBFO OFOB E L L T H E H A S H E S THE RISHT MOOSE IN THE WRONS JLACE CAN MAKE ALL THE DIFFERENCE IN THE WORLD SO WAKE UP EAKE WP AND SMELL THE HASHES Obviously I transcribed a couple things wrong, but the message is clear: "The right moose in the wrong place can make all the difference in the world So wake up wake up and smell the hashes"
Belay It 2 - Pseudo-random
Go to /oneymasoon, see text “Setec Astronomy”.
I actually figured out pretty quickly, the night before, that “oneyamasoon” is an anagram for “anonymoose.” But I never tried loading /anonymoose. Duh. Had I done that I would’ve found the answer for the stage:
On the Internet nobody knows you are a moose!
Belay It 3 - Stonecutter
A very simple code using the Pigpen cipher. “Should have used wingdings”
Belay It 4 - Scrapple
This is a simple bacon cipher (essentially, a 5-bit binary code using straight and italicized characters to represent 0 and 1). Decodes to: CAKE IS A LIE” (which will come up again later…)
Belay It 5 - Who you gonna call?
Links to an MP3 file: whoyougonnacall.mp3
This is simply DTMF tones for “0073735963” which is a cheat code from..I guess..a Mike Tyson Punch out game? I would not have got that one (I’d’ve done the decode, but it would’ve taken a while to figure out it was a cheat code from a video game…)
Belay It 6 - Boring Compound
114.81832.065231.03588140.11610215.9994 20.179740.07814.00674.00260239.948 88.9058515.9994238.028911.0079422739.0983
These are atomic weights, with no spaces between the individual elements listed. So you kind of have to manually break it all up. It works out like this (with one notable exception):
In 114.818 S 32.065 Pa 231.03588 Ce 140.116 No 102 [used atomic number, not weight] O 15.9994 Ne 20.1797 Ca 40.078 N 14.0067 He 4.002602 Ar 39.948 Y 88.90585 O 15.9994 U 238.02891 H 1.00794 Ac 227 K 39.0983 In SPaCe NoONe CaN HeAr YOU HAcK
Belay It 7 - (Data, Points)
Follow the white rabbit. (link to a screen full of chessboards).
The chessboard images are named 1A, 1B, 1C, 2A, 2B, 2C, and 3A, 3B, 3C. That sort of implies putting them into a 3x3 grid, and I saw a teammate working with such an image, thinking it would be a QR code. In fact, it was a Data Matrix code, but they were clearly on the right track, and once they completed blotting out every chess piece with a black square (getting something like the image below), we had the answer (a link to the url at /punchout).
The URL is sufficient to win this stage. The content at the URL is needed for the next stage.
Belay It 8 - Screentest
The puzzle simply links to an ASCII punch card (using the word “loom,” possibly a reference to early uses of punch cards for controlling weaving machines):
/-------------------------------------------------------------------------------- / ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ / ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ | 00000000000000000000000000000000000000000000000000000000000000000000000000000000 | 11111111111111111111111111111111111111111111111111111111111111111111111111111111 | 22222222222222222222222222222222222222222222222222222222222222222222222222222222 | 33333333333333333333333333333333333333333333333333333333333333333333333333333333 | 44444444444444444444444444444444444444444444444444444444444444444444444444444444 | 55555555555555555555555555555555555555555555555555555555555555555555555555555555 | 66666666666666666666666666666666666666666666666666666666666666666666666666666666 | 77777777777777777777777777777777777777777777777777777777777777777777777777777777 | 88888888888888888888888888888888888888888888888888888888888888888888888888888888 | 99999999999999999999999999999999999999999999999999999999999999999999999999999999
The result to #7 provides these blocks of hex data:
76 69 20 70 75 6E 63 68 63 61 72 64 20 6C 72 20 6C 72 20 33 6C 72 20 34 6C 72 20 6C 72 20 32 6C 72 20 6C 72 20 34 6C 72 20 32 6C 72 20 32 6C 52 20 20 20 20 20 1B 32 6C 52 20 20 20 20 1B 32 6C 52 20 20 20 1B 32 6C 52 20 20 20 1B 33 6C 72 20 32 6C 72 20 6C 72 20 32 6C 72 20 6C 72 20 33 6C 72 20 6C 6C 52 20 20 20 20 20 20 20 1B 32 6C 72 20 6C 72 20 33 6C 72 20 6C 72 20 6A 30 33 6C 72 20 33 6C 72 20 32 6C 72 20 34 6C 52 20 20 20 20 1B 33 6C 72 20 32 6C 72 20 32 6C 72 20 6C 72 20 36 6C 72 20 33 6C 72 20 6C 72 20 32 6C 72 20 34 6C 72 20 33 6C 72 20 32 6C 72 20 33 6C 72 20 34 6C 52 20 20 20 1B 32 6C 72 20 6C 72 20 34 6C 52 20 20 20 20 20 1B 6A 30 52 20 20 20 20 1B 32 6C 52 20 20 1B 32 6C 52 20 20 20 1B 34 6C 52 20 20 1B 32 6C 52 20 20 20 20 20 1B 33 6C 52 20 20 1B 33 6C 72 20 32 6C 72 20 34 6C 52 20 20 20 20 20 1B 33 6C 52 20 20 20 1B 33 6C 72 20 33 6C 52 20 20 1B 38 6C 52 20 20 20 20 1B 33 6C 52 20 20 1B 6A 30 6C 6C 72 20 31 35 6C 72 20 34 6C 72 20 36 6C 72 20 6A 30 36 6C 72 20 38 6C 72 20 33 35 6C 72 20 31 31 6C 72 20 6A 30 33 6C 72 20 35 6C 72 20 37 6C 72 20 34 6C 72 20 6C 72 20 31 32 6C 72 20 33 6C 72 20 37 6C 72 20 31 32 6C 72 20 37 6C 72 20 6A 30 31 32 6C 72 20 36 6C 72 20 37 6C 72 20 35 6C 72 20 38 6C 72 20 36 6C 72 20 37 6C 72 20 6A 30 31 31 6C 72 20 31 33 6C 72 20 6C 72 20 33 6C 72 20 6C 72 20 38 6C 72 20 32 6C 72 20 34 6C 72 20 34 6C 72 20 39 6C 72 20 6A 30 72 20 31 33 6C 72 20 39 6C 72 20 31 31 6C 72 20 31 39 6C 72 20 6C 72 20 32 6C 72 20 37 6C 72 20 6A 30 36 35 6C 72 20 6A 30 6C 72 20 38 6C 72 20 31 38 6C 72 20 39 6C 72 20 33 6C 72 20 31 31 6C 72 20 38 6C 72 20 36 6C 72 20 6C 72 20 6A 30 35 6C 72 20 31 36 6C 72 20 32 30 6C 72 20 35 6C 72 20 31 33 6C 72 20 34 6C 72
The first decodes simply to “vi punchcard”, which tells you to apply it to problem 8 and that you should be using the vi editor. The second decodes to a sequence of vi commands. If you delete the border of the card (the top and side edges, so that the fuzzy black bar and numbers are against the top and left edges of the editor window), then simply pasting the content from the second block will “punch” out the card for you.
░ ░░ ░░░ ░ ░░░ ░ ░ ░ ░ ░ ░░ ░ ░ ░░ ░ ░ ░░ ░░░░░░░░░░░░░░ ░░░ ░░ ░ ░░░ ░░ ░ ░ ░░░░░ ░░ ░ ░░░ ░░ ░ ░░ ░░░ ░ ░░░ ░░░░░░░░░░░░░░░ 0 0 000 0 00 00 0 000 00 00 00 0000000 00 00000000000000 11 11111111111111 111 11111 1111111111111111111111111111111111111111111111111111 222222 2222222 2222222222222222222222222222222222 2222222222 2222222222222222222 333 3333 333333 333 33333333333 33 333333 33333333333 333333 333333333333333333 444444444444 44444 444444 4444 4444444 44444 444444 4444444444444444444444444444 55555555555 555555555555 55 5555555 5 555 555 55555555 55555555555555555555555 666666666666 66666666 6666666666 666666666666666666 6 666666 66666666666666666 77777777777777777777777777777777777777777777777777777777777777777 77777777777777 8 8888888 88888888888888888 88888888 88 8888888888 8888888 88888 88888888888888 99999 999999999999999 9999999999999999999 9999 999999999999 99999999999999999999
Unfortunately, there were still some problems, and I haven’t looked deeper to figure out whether it’s a problem with vi on the mac, or with errors in the contest code. However, the result is still clear enough to win credit.
We looked around for a while to try and find a good, automatic decoder page. This punch card emulator mostly worked, but had some issues with lowercase letters (basically, it only handled single punches in the top three “control area” rows). One team member (I’m not using their names as I never really got them… :), nor explicit permission to use their names anyway)… One person got most of the puzzle figured out using this page, but then his laptop battery died. I picked up where he left off, manually decoding using the EBCDIC section here. Numbering the rows 12,11,10 at the top, then 1-9 below, the EBCDIC table easily converts from the punch card to text. For example, in the 1st column, 10 (0) and 6 are punched, which corresponds to a capital W. The next column as 12 (top) and 10 (0), as well as 8, which is a lowercase h. And so forth.
Unfortunately, a few columns had too many punches in them, and again I’m not sure where that problem came from. In the end, here’s the decoding we got:
12 ░..░░.░░░..░..░░░.░.░.....░....░...░...░░.░..░..░░.░.......░..░░..░░░░░░░░░░░░░░ 11 ░░░.░░.░.░░░....░░.░.░..░░░░░.░░..░.░░░.░░.░.░░.░░░...░..░░░.....░░░░░░░░░░░░░░░ 10 ....0..0...000..0.....00..00.0.000.....00...00.00..0000000....00..00000000000000 1 11.11111111111111.111.11111.1111111111111111111111111111111111111111111111111111 2 222222.2222222.2222222222222222222222222222222222.2222222222.2222222222222222222 3 333.3333.333333.333..33333333333.33.333333.33333333333.333333.333333333333333333 4 444444444444.44444.444444.4444.4444444.44444.444444.4444444444444444444444444444 5 55555555555.555555555555..55..5555555.5.555.555.55555555.55555555555555555555555 6 .666666666666.66666666.6666666666.666666666666666666..6.666666.66666666666666666 7 77777777777777777777777777777777777777777777777777777777777777777.77777777777777 8 8.8888888.88888888888888888.88888888.88.8888888888.8888888.88888..88888888888888 9 99999.999999999999999.9999999999999999999.9999.999999999999.99999999999999999999 What is the most auctio ed Hend lo thed) item in ShMooCon hz O y?
The correct decoding is “What is the most auctioned (and loathed) item in ShmooCon history?” and the answer, which we simply guessed from “most auctioned item” was “The Stargate.” Which was enough to win credit for the puzzle.
Build It 1 - Press Any key To start
2A1494 AA23A3 129213 931292 39B920 A01898 12921F 9F31B1 28A814 9439B9 1F9F12 921292 32B239 B91494 189839 B930B0 129239 B91E9E 31B115 9539B9 1E9E31 B11595 39B925 A51292 15952A 0282AA
I wasn’t sure where to go with this, and suggested looking up the 1st two bytes to see if it matched the “magic sequence” for any known file types. Then a tweet suggested “hINT 9” for this puzzle. I asked the team what “INT 9” was (for PC interrupts) and was told it’s a keyboard handler. I immediately said “It’s keyboard scan codes.” And next thing I knew, they had the answer:
"There doesn't seem to be any any key!"
Build It 6 - Primary Colors
L G R W F e G t e d u C o O m A T n o W u T c i K Z S q l o M t o l V V h p N P Y a E H L A N y X Q i d I S F N f D z Q g B I z h e M x D J c Q G B a P X s Q U w s I s e y e S W c t g E C j E o G L E R O U O w O i S g y L A A a M D w w J D w U e X U t c G I r z m O C W E N w b o L B o s n D E B m N s a e l c V n Z l a U D K s R L E w V e M h S N H t f w o i p p g a P V T k G L F Q A q Y Z f G M i z Q W X n g At first, I figured this was going to be “zoom in on the image, find the hex value for each color, turn that into ASCII,” and just didn’t want to play. Later, I actually tried zooming in and realized that each letter had varying shades of color, due to the way they were rendered on the screen. Oh, and that it wasn’t an image, but instead HTML code.
Turns out that you simply had to find all letters with a color code that included either half- or full-brightness of a SINGLE color channel only. That is, where the Red, Green, or Blue elements of the hexcode was 80 or FF.
For example, in this fragment:
.... <font color="#0000FF"> T </font><font color="#228B22"> c </font><font color="#006400"> i ....
Only the T letter should be copied out as part of the final plaintext.
Because I’m a geek who would rather spend 20 minutes finding a single shell pipeline to solve a problem, instead of 5 minutes to Just Do It By Hand, here’s a way to solve it quickly:
$ cat colors | sed 's/font/@/g' | tr '@' '\n'| grep '#' | cut -c 10-15 -c 18-19 |egrep '(FF)|(80)' | cut -c 8-8 | tr -d '\n'
In this case, the HTML segment (reproduced above) containing only the colored letters is stored in a file called “colors.” I change all occurrences of the word “font” to “@”, then from “@” to newlines (just because it’s easier than remembering out how to escape \n in the sed command), and filter on only lines with “#” in them. This has the effect of giving me an output like this:
color="#0000CD"> L </ color="#D02090"> G </ color="#006400"> R </ color="#008000"> W </ color="#D02090"> F </ color="#006400"> e </ color="#006400"> G </ color="#006400"> t </ color="#FF0000"> e </
Then, I strip out just the hex color code and the corresponding letter, using the “cut” command, and further filter only on lines with FF or 80 in them (fortunately, none of the composite colors had either of these values…otherwise I would’ve just used a more specific filter). Finally, for those lines which match, I cut out just the last letter, and delete all the newlines I put in earlier, to get:
We do not stop playing because we grow old. We grow old because we stop playing.
HA! Take that, @aschuetz. I waste my time on these silly games to stay young! :)
(I’ve no idea how the team solved this one…they finished before I joined. I solved it up on my own after the con ended…).
Build It 7 - Think Kwick
There are three keys to success.
All three of the puzzle makers had keys around their necks. Members of the team took them to lockpick village and measured the biting on keys. They later tweeted a picture of all the keys, as well. With the decoded values, we had something like this:
Unfortunately, when we first got the codes, we had them in reverse order (41621, 26154, and 14411). We tried a few different decodings, really hoping that octal-encoded ASCII would be the right answer, but got nowhere. Then later we learned that we’d had the numbers backwards, and the right answer was quickly found. The only way to string them together to form ASCII octal was:
12614 11441 45162 126 141 144 145 162 V A D E R
Build It 8 - Now Turnkey
FAFAFD XGDAVG GADVDD ADAVGF DFXFFA DDFAAG GDAXFV GFDFFD DAFGAG FFGDDF
I immediately said “This is an ADFGX cipher,” and pointed the team to some online tools and wiki pages. They noticed the V later in the text (well, now that I look at it, in the second block), and correctly pivoted to the ADFGVX variant, used the word “VADER” from the last puzzle, and submitted the solution:
ITS AN OLDER CIPHER BUT IT CHECKS OUT
Bring It On
Bring It On 3 - Eat bit by bit
This was simple morse code. However, not so simple, was the fact that they left out breaks between letters. So you had to manually try different letter breaks until you eventually got a message that made sense. The team got stuck multiple times about halfway through, but eventually announced “something about maze of ..twisty…?” I recognized the reference, said “Try ‘Maze of Twisty Passages,'” which worked, and boom! Another block solved.
Raw morse code:
Broken up into letters:
-.-- --- ..- ... --- .-.. ...- . -.. .- -- .- --.. . --- ..-. - .-- .. ... - -.-- .--. .- ... ... .- --. . ...
YOU SOLVED A MAZE OF TWISTY PASSAGES
Bring It On 5 - Don’t Use Rumkin
PIG EAR ULG WSV EXU NVG PIG
I looked at this, tried a couple things, and gave up. I figured it was going to be a pain, and just didn’t want pain. Then the guys running the contest started to hound me to try it…to the point where every time I got distracted by helping the Pikachu with another puzzle, they’d say “he’s stopped again!” (their table was next to ours). Finally, I gave in, after they said “Just go to rumkin and do the first, most natural, thing you can think of.”
So I tried a Vigenère cipher with DARTHNULL as key. Didn’t work. Hmpf.
Judging by their reactions, though, I was on the right track, so I tried SHMOOCON, PASSWORD, and eventually got it. I’m not sure if I actually guessed the key or if I tried cribbing it by assuming the result began with “YOU”, but the right key was… “RUMKIN.” Which gave the result:
YOU USED RUMKIN DIDNT YOU
Bring It On 6 - Triskaidekaphobia
What is SHMOOCON XIII?
This was ShmooCon 13, beginning on Friday the 13th, so it was natural that some kind of focus on 13 would happen at some point. This stage, as it turns out, is simply do ROT-13 to “SHMOOCON” to get “FUZBBPBA”. I’d’ve never even submitted that as it just didn’t seem to make sense, but fortunately the rest of the team wasn’t quite so picky.
Bring It On 7 - Get Crackin’
This stage included a link to a password file:
Googling for the first password hash revealed “toor” as the password – the userid, spelled backwards. Unfortunately, the second password can’t be found via Google. However, it’s possible to manually test passwords using the OpenSSL command. For example, the following uses the salt ("/M", between the 2nd and 3rd ‘$’ symbols in the hash), and passes the password “toor” in via standard input, to generate, hopefully, the same hash as seen above:
$ echo -n toor | openssl passwd -stdin -1 -salt /M $1$/M$5GK8.h6z8o0WQLEOWC.YI/
and it does. So, let’s try “moose” backwards for the second one:
$ echo -n esoom | openssl passwd -stdin -1 -salt cd611a44 $1$cd611a44$bxMyZS8ERwc8LwKAEzsZl1
Yup! That’s it. I believe the team simply had to submit the two passwords “toor” and “esoom” for credit (this was completed before I joined).
Bring It On 8 - WHOPPER
The puzzle links to a large map, with a userid and password field. Also completed long before I joined, this one initially had me trying random passwords related to War Games. Turns out that you simply needed to use the “moose / esoom” credentials from the previous stage. After doing that, an animated gif displays:
It takes a moment to get started, but eventually you see a cursor blinking…and as you watch, it should become apparent that the cursor is blinking out a pattern.
To read it out, it’s easiest to film the gif and slow it down… (or, probably simpler, just find an app that lets you edit animated gifs…) Once this is done, you get a list of numbers, 1-5, which I’ve paired together below. (for example: the sequence begins with 3 short blinks, a pause, then a single blink, another pause, another singleton, then 5 blinks, etc…) I’ve paired up the numbers here:
31 15 44 44 23 15 52 34 34 25 24 15 52 24 33
The numbers end up being a Knock code:
1 2 3 4 5 1 a b c d e 2 f g h i k 3 l m n o p 4 q r s t u 5 v w x y z
So “31” tells yo to go to row 3, column 1, for “L”. “15” is likewise “E”, “44” is “T”, etc. The answer, then, is:
LET THE WOOKIE WIN
One Track Mind
Finally, we get to the stage where I did most of my work. Aside from “Don’t Use Rumkin,” the only puzzles I really solved on my own (as opposed to the few I supplied hints or suggestions to the team for) were all in this track. As inspired from multi-stage badge contests going back to ShmooCon 4, these elements all chain together, with the result of each stage providing a hint as to the method, or key, or both, for the next step. As is frequently the case, the hard part is getting started, even though the initial step was far easier than I made it out to be (and, turns out, was used almost exactly the same way multiple times in the past, including in one of my own puzzles.)
One Track Mind 1 - The System is Down
First, collect all the badges. They contained different elements related to video games of the past, but all included an 8-letter string of nonsense letters, and most (all but the Staff badge) included the name of a video game console system.
(attendee) Atari /GNEATDEE (attendee) Gameboy /EWHAFNDI (attendee) Nintendo /ROTGOAAB (events) Xbox /TSSNNRHS (speaker) Playstation /AUIIIDTT (staff) /LINKXORS
The first step, which we totally missed until we had a typo pointed out to us, was easy. Arrange the badges in order of the consoles' introduction (ignoring the staff badges) and read down:
Atari GNEATDEE Nintendo ROTGOAAB Gameboy EWHAFNDI Playstation AUIIIDTT Xbox TSSNNRHS GREAT NOW USE THIS AGAIN TO FIND AND READ THE BITS
As I said, far easier than I’d initially thought (I was toying with ways to XOR all the badge codes together, as implied by the “/LINKXORS” code on the staff badge).
Of course, each element also had a “/” in front, so naturally we had to visit those pages on the ShmooTris site. Each stage provided a different, long, hexadecimal string:
FFFF00001FE0B281FFF8001060006403F9FFEFBFFF7DF990080F803E7C00FFF7DFFF800100FFFFE0207F82C80000000020 112480000060C98125800010602092020A461064C882064808104041820120182C24800101208920200883240000000070 11247FD0007FC9FF2447D01FFFC092020C411064CC8206480FF04041820220182224FD01FE2149203F88FF24081020405F 112480000060C98124300010600092011240D264CA820648081040498201201821A4800101222920200883240000000075 FF0700000060A68107F8001060004C00E1FFEBE0B17DF930080F802F7C00F817DFE0800100FC1820207F82980000000020
Changing these to binary, and putting together one next to the other, you end up with a VERY long 5-pixel wide vertical strip, with text running down in 5x7 character blocks. Unfortunately, trying to scroll sideways wasn’t easy in my terminal program, so I wrote a script that output it in short blocks. And because it was sideways, we had to turn the laptop on edge to read it.
Also, I initially got the bits backwards, so all the letters were reversed… Lots of fun to decode.
Here’s the output of a significantly-improved script that writes the result normally:
* * ***** * * * * ***** *** ***** ***** * * * * * * * * * * * * * * * ** * * * * * * * * * * * * * ** * * ***** **** * * * * *** * **** * * * * * * * * * * * * * * * ** * * * * * * * * * * * * ** * * ***** * * ***** ***** *** * ***** * * * ***** ***** * *** *** * * * *** ***** **** *** * * *** * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * ** * * * * * * * * * * * * *** * * * * * * * * ** **** **** * * * * *** * * * * * ***** * ** * * * * * * * * * * * * * * * * * * * ** * * * * * * * * * * * ***** * *** *** * * * * **** ***** * * *** *** *** **** *** *** *** * * *** * * ***** * * * * * * * * * * * * * ** * * * * * * * * * * * * * * ** * * * * * * * ** * * * * * * * * * * **** * * * * * * * * ***** * * * * ** * * * * * * * * * * * * * * * ** * * *** **** *** * * ***** *** * * ***** * ***** * * * ***** ***** * * ***** *** *** * * * * * * * * * * * * ** ** * * * * * * * * * * * *** * * * ** **** * ***** * *** * * ***** * * * * * * * * ** * * * * * * * * * * * * * * * * * * ***** * * * ***** *** * * * * **
HEY! LISTEN! IT’S DANGEROUS TO GO ALONE! TAKE THIS…. [key]
One Track Mind 2 - Plug and Chug
This next one was even more difficult for me. After much flailing about, we were told that the “key” in the previous message was, literally, a key. To what? Well, the /LINKXORS path from the staff badge provided another hex string, this one broken up into 5-nybble blocks:
6D003 A165B BBE0F 5A3AF 30641 AEA5D 52669 C7B8B A1567 8EEF2 A4C57 3A83D 4ED2D 61DA8
The key was 5-bits wide, too, which kind of also implies a connection.
111 01110 11 11 11011 111 01110 1 00100 11 00110 1 00100 11 00110
I tried multiple approaches, converting the 7 5-bit keys into 8-bit bytes, applying bits to the ciphertext in order, in columns, in all sorts of patterns… One sticking point was that the key was only 35 bits long, which didn’t make much sense either.
Finally, after more hints from the contest team, I got the right approach. First, take the hex stream and write it out in binary, as 4-bit nybbles:
Then write the keystream, just as it appears in the message, underneath it:
When you run out of key, just repeat. XOR the two together and use as index into the alphabet (using A=1).
6 D 0 0 3 A 1 6 1 (hex) 01101 10100 00000 00011 10100 00101 10000 (binary) 01110 11011 01110 00100 00110 00100 00110 (repeating keystream) ----------------------------------------- (xor) 00011 01111 01110 00111 10010 00001 10110 (result) 3 15 14 7 18 1 20 (decimal) C O N G R A T (letters, A=1) CONGRATULATIONS THE TEST IS NOW OVER OR AM I JUST PULLING YOUR CHAIN
So that’s solved now, too. What’s next?
One Track Mind 3 - Key Liem Pie
070E0511 64080174 69096F63 001C630F 0C016D6C 031C626C 09186C08 06056507 1D1B0A0D 07676F1D 076F7207 74091706 65686A1E 0A737B1B 001C1004
I immediately thought this would be similar to a puzzle I used a couple years ago, where the key was a floating point representation of a mathematical constant (I used “e”). Here I’m guessing that it’s “pi”, and that I need to “chain” the plantext together in successive blocks, just like I did on my own puzzle, and as hinted in the last stage solution.
The contest runners thought this was a good start, but that the key was simpler. Then I saw a hint with the name of the puzzle written a little differently: “KEY LIEm PIE”. LIE. Is the Cake a Lie? (which was used as the result to an earlier puzzle as well). I tried “CAKE” as the key and the first block decoded to “DONT”, so I knew I was probably on the right track.
I think, when I did this puzzle before, that I separated the key and the running chain into two different elements, but that wasn’t quite what was done here. Basically, “CAKE” was the key for the first block, then “DONT” was key for the second (giving [space]GO[space]), that was the key for the 3rd, etc. Imagine that the “key” is “00000000” but the IV is “CAKE” and go from there:
070E0511 64080174 69096F63 001C630F 0C016D6C (CT) 43414B45 444F4E54 20474F20 494D2043 4952434C (chained key/IV stream) -------------------------------------------- (xor) 444F4E54 20474F20 494D2043 4952434C 45532E20 (PT) D O N T G O I N C I R C L E S . (text) DONT GO IN CIRCLES. FOLLOW DIRECTIONS. START HERE /LOSTWOODS
I completed this while waiting for dinner, then told myself I’d stop for a while. Yeah. Like I can do that.
One Track Mind 4 - Mutex
Following the URL from the last stage provides the following text:
WE SNE NSE SNE WE WSE SNE SS WSE SWN SWNW WN SS NNE SNE NE SS WE WNW NWN SS NNE SSE NE SS SWS NS NS SS WSW SWS SWNE SE SS NWN WNW SS WSW SWS SWNE SE
There was no clue given for puzzle, though “Mutex” is a bit of a hint, as many programming systems use “semaphores” to help manage mutual exclusion of programming threads. Or something like that. It’s in wikipedia. Regardless, I immediately recognized that this would be a naval semaphore flag code, but put my phone down and ate dinner. Then as we were winding down and waiting to pay…I couldn’t leave well enough alone, and started decoding it, flipping back and forth between a note entry with the ciphertext and plaintext in progress, and a google image of semaphore codes.
In this representation, imagine (for example) that “SNE” means a flag held straight down (S) and another up-and-to-the-left (NE), from the perspective of the viewer. This is an E.
WE SNE NSE SNE WE WSE SNE SS REVERSE WSE SWN SWNW WN SS NNE SNE NE SS SKIP 5 WE WNW NWN SS NNE SSE NE SS ROT 7 SWS NS NS SS WSW SWS SWNE SE SS ADD HALF NWN WNW SS WSW SWS SWNE SE TO HALF REVERSE SKIP 5 ROT 7 ADD HALF TO HALF
One Track Mind 5 - Just Following Orders
At this point, I went up to my room to relax a bit before the party, and started coding up the solution to this. I recognized all the elements: “REVERSE SKIP” made perfect sense to me, as did the “ROT 7”, and I had a pretty good idea of how “ADD HALF TO HALF” would work. But no matter what I tried, or which halves I added, I couldn’t get anything that made sense. I pinged the contest team, and they said they’d be outside the party for a bit, so I stopped by and told them where things were breaking down. Turns out there was some kind of glitch with they way they created the ciphertext. They fixed it and assured me that it’d work now – and that the result of the first couple steps would give a clear intermediate result.
I then went to the party, found the rest of Team Pikachu and let them know where I was on this puzzle, then hung out for a few hours chatting with people… Sometime after midnight (maybe closer to 1? I forget) I returned to our room and knocked out the solution…but it still didn’t work.
Turns out…they used the “One Time Pad” at Rumkin in “DECRYPT” mode, which subtracts. And for that, order matters… So….subtract “ALMOST DONE” from “DZZHRE….” (D-A, 3-0, 3, D. Z-L, 25-11, 14, O. etc.)… and it works. Here are all the steps put together:
Ciphertext: QIHHMQLARHMFXLGTRKBMOFAWNHTSGUWESXXXVWXGBYMAHFLXMWLLUMMKSMXLBALRHLUXMFWTULETBKNTOBNC Reverse: CNBOTNKBTELUTWFMXULHRLABLXMSKMMULLWMXLFHAMYBGXWVXXXSEWUGSTHNWAFOMBKRTGLXFMHRALQMHHIQ * * * * * * ..... [skip 5, select letter, repeat...] Skip 5: TEFHLMWHGXUNMGHMCNLMRXMMAXXGWBLRHNKUXLMUXMWSSAKXAHBBTUASLLYVETFRFLIOTWLBKLFBXWHOTMQQ ROT 7 ALMOSTDONEBUTNOTJUSTYETTHEENDISYOURBESTBET DZZHREHOIIABHZSSFCLAMYMSPVADSIRSMIEDOVATXX Add halves: DONTZLEAVEZHOMEZWITHOUTZIRWQPAZUYONCKDHSTE (really, subtract, I think..it's all weird) DONT LEAVE HOME WITHOUT IRWQPAZUYONCKDHSTE
Whew! I submitted the answer, copied the rest of the team, suggested what they should try next, and went to bed.
Well, not really…I just had to finish the next, trivial, stage first.
One Track Mind 6 - Timber
10000110011 10111011011 11101101100 00100111101 11000111011 00100100101 10001100101 01000111111 10101011101 10111110110 10011111000 10100001100 01101111100 01111010011 10011101010 11101101111 10100100001 11000101000 01100011100 00101010000 00110001111
I recognized this immediately as a Huffman tree. It’s used in data compression, to convert commonly-used letters to short “symbols” of bits, and less-frequently used letters to longer symbols of more bits. Fill out the boxes at the bottom with the letters from the last stage (IRWQPAZUYONCKDHSTE), then navigate the tree using the binary stream, with a “0” meaning “go left” and “1” for “go right”. Thus, since the string starts with “10000” or “RLLLL”, this brings you to the 8th box on the bottom, or “U”. “1100” (RRLL) gets to the 3rd from the end, or “S”, “111” to the last box on the right, “E”, etc.
USE THE HINTS TO PROCEED THE KEY IS HERE AND THE WAY IS SQUARE
I confirmed this with the contest team but asked to not be credited for it yet…instead, I gave the rest of the Pikachu Mafia some hints and explained what Huffman coding was, and let them solve it Sunday morning.
One Track Mind 7 - Mass Transportation
5 4 1 4 4 5 1 4 2 1 3 5 5 4 3 2 2 5 4 4 1 4 2 1 2 5 4 4 3 3 1 3 2 5 4 4 1 4 3 1 2 2 1 5 2 5 5 4 1 4 4 5 4 3 3 1 3 3 2 1 2 2 3 5 1 5 1 2 2 2 3 5 3 5 2 5 2 1 3 2 2 5 1 1 3 5 2 2 1 1 1 2 3 5 1 4 3 5
I’d guessed pretty early on that this was another 5-square based cipher, like the Knock code or ADFGVX. In this case, it’s a Polybius Square (hinted by “THE WAY IS SQUARE” i the last stage. I found an online tool and started trying various keys.
In many implementations, this cipher uses two stages: A substitution key (where the alphabet in the cipher square is scrambled by the key) and a transposition key (where the result is further scrambled). So I started off trying different keys, related to mass transportation near the con. “SUBWAY” and “DUPONT CIRCLE” and “METRO” and stuff like that, all because of the “KEY IS HERE” hint in the last stage.
I was told, though, that “Mass Transportation” was a veiled hint towards the cipher name. A “bus” being a kind of transportation, and “mass” meaning “many” or “poly”, so “poly bus.” Argh.
So I tried “HERE” and “HERE SQUARE” and “HERE AND” and other things, then finally just tried “SHMOOCON.” That worked, using only the substitution elements, not the transposition. So basically:
1 2 3 4 5 1 S H M O C 2 N A B D E 3 F G I K L 4 P Q R T U 5 V W X Y Z
Then take the cipher text in pairs, and index the square in row/column order. “5 4” yields “Y”, “1 4” gives us “O”, etc:
YOUONLYGETONETIMETOFACEYOURFINALCHALLENGESLASHLOL YOU ONLY GET ONE TIME TO FACE YOUR FINAL CHALLENGE SLASH LOL
I’d started this, then got stuck and started working on the next stage (translating Emoji to Hex), then came back to it when the answer hit me in the head. But I was glad that I’d started working on the last stage, as it turns out, as there was a LOT of transcribing to do…
One Track Mind 8 - :)
This would’ve been so much easier if these were presented as codes in HTML. But, no, it was just a picture. Fortunately, they used the same emoji set for this picture (they’re all Android emoji) and so once I found a good reference, at Emojipedia.org, it wasn’t too hard to look up a picture, find its value, and write it down.
I ended up paired with another Pikachu on this, which was great, cause even with two sets of eyes we still had a few errors. Not enough to keep us from completing the stage in the end, but enough to be annoying.
So after what seemed like forever, we had the entire image transcribed into hex. Each emoji entry started with “1F6” as part of their Unicode code point, so really it’s only the last two digits which mattered:
464413384649 15410D420148 491803254509 2A480F09450E 024601382202 030405484B46 3016004F0E45 1B4B091C1E47 071F224F4D0C 1E4E4D30410A 0E474746061E 1044051F0747 084F4D3A474F 022B1F490B48 4B1A
After finishing this, I went back to Polybius, hit on the right answer, and then gave hints to the rest of the team (so they could complete Polybius on their own for team credit). And then…I realized the significance of the Polybius solution:
YOU ONLY GET ONE TIME TO FACE YOUR FINAL CHALLENGE SLASH LOL
Okay, a one-time-pad. That’s easy. Where’s the pad? Oh, it’s at “/LOL.” Which…gives me another screenful of emoji. I actually considered grabbing a box of shmooballs from registration to pour it over the contest teams’s heads. I really didn’t want to transcribe another set of emoji, but we buckled down again and did it. It went a little faster this time, since we had so much practice from the first one.
1F0B4601140C 351545072100 0C4A4C050A4F 0A1B47440A41 41094F160244 4A4A4404071F 1046450E4D00 3B0C4C484B15 464C021B022C 4A0608100943 42130808283E 440C4C4C2702 460B1E1A1307 470B4C1D441A 1234
I wrote a simple script to add the two together (ciphertext and one-time-pad), and got… nothing. Gah.
Then I was told “Yeah, you’re on the right track, but used the wrong function.” Of course…I’m an idiot. It should’ve been XOR. I think I had addition on the brain after the “Just Following Orders” puzzle.
So XORing the two streams together (and eventually correcting the few errors we had in transcription), we got:
YOU'RE THE HERO OF SHMOOCON. FINALLY PEACE RETURNS TO THE HILTON. THIS ENDS THE STORY. (Actually, the apostrophe didn't come through right but I think that was their error, not ours...)
We immediately emailed this answer in, and based in the glow of a completed scoreboard:
So in the end, Pikachu Mafia were the only team to complete every puzzle on the board. Decipher came in a close second, only missing the last two of the One Track Mind track. We were first to solve 13 puzzles (Catch Them All - throw shmooballs at Heidi or Bruce, Triskaidekaphobia, Don’t Use Rumkin, Think Kwick, Now Turnkey, and all the One Track Mind puzzles). We were also first to complete both Bring It On tetris pieces, the second Build It piece, and both OTM pieces. Finally, we were first to complete three of the four tracks (RIPSEC beat us to finishing the Belay It track) and 2 of the three rows (Decipher finished the bottom row before we did).
To get a better handle on the bonuses we scored, I’d asked for the scoring data from the contest team, and so I was able to build this fun graph showing the top four teams.
It’s interesting to see RPISEC and Decipher battling it out for most of Friday, then Pikachu start catching up and, midday Saturday, taking over. Also the Avengers team put in a strong effort and solved a good number of puzzles. Sadly, it looks like RPI kind of fizzled out on Saturday. Decipher, however, put up a hell of a fight, and kept us plugging away at the puzzles without stop (can’t let ‘em catch up!!)
The bulk of the Pikachu Mafia team was called up to the stage during closing ceremonies to claim their prizes. As I wasn’t really able to win any prizes, I just sat back and let them bask in their glory, complete with matching pikachu hats. :) They won 3 tickets to ShmooCon next year, and the 4th team member selected some other prizes from the nice pile of swag on stage. Congratulations to them on a job very well done! Good luck next year! (and congratulations to the other teams, even the teams who only finished a few puzzles… I hope everyone had fun with the contest!)
Will I play again next year? I don’t know. It’s fun, but it’s also fun not to be stressed. This was really the first time I’ve played any of these contests as part of a team (though I’ve teamed up with Alex Pinto for a couple of the Verizon DBIR puzzles), and it was definitely a different experience. Maybe I’ll join the 3rd place team again next year…. Or maybe I’ll even try to win on my own. Or maybe I’ll throw out bad hints just to confuse everyone. :) We’ll see…..
In the meantime, thanks again to the Pikachu Mafia for letting me ride their coattails and giving me incentive to solve the badge track! I’d forgotten how much fun this can be. :)