[ARG] The Pizza Code Mystery

Black Mesa Archive The Cafeteria
#1441

Yeah, I did some research after I posted, and had my hopes dashed.

#1442

Just a brief update:

Updated the blog poll and ratingā€“you can find that specific post here.

Also wanted to ask if anyone has any new thoughts on the Hex Code, or if we are still looking in the direction of a homomorphic encryption or OTR-related cipher.

#1443

Didnā€™t log in for a while. Now i have found this

https://i44.tinypic.com/a3p57b.jpg

#1444

Thatā€™s been known for a long time, thereā€™s even a way to enter it. Take the top route to the cliffs all the way until it ends, thereā€™s a control panel, press it (thereā€™s no lights) and itā€™ll make a noise. Now backtrack and drop down to the other paths until you find the stash where the dead soldier and 3 grenades are. When you go in there, you should teleport to it.

#1445

I havenā€™t been around for a while either because of a problem with my posts going invisible, so Iā€™m just seeing if itā€™s sorted after seven months by making some new comments.

I donā€™t remember any of these, so Iā€™m finding them as interesting as everyone else is!

#1446

Bump.

#1447

First time posting in this thread, hardly been following this ARG at all.

I have no idea how to work all this high-falootinā€™ cypher-code-gobbledigook, but I did notice something Iā€™m not sure has been posted (forgive me if it has, searching the thread didnā€™t turn up much of anything) - throughout Questionable ethics certain monitors display the lyrics to Wreak Havoc by Angelsplit.

Not sure how or if this can help at all, but at least now I feel like Iā€™ve done something semi-productive with my day.

#1448

Yeah, those lyrics were noted before and thought to be a potential part of the solution to Code D, back when the going theory was that it was a VIC Cipher.

But thanks for being productiveā€“Iā€™ve been checking in on this every once in a while, but Iā€™m completely out of theories/speculation.

#1449

From Stormseekerā€™s steam profile:

stormseeker May 22, 2013 @ 3:47pm
If itā€™s about the ARG, Iā€™ve not set up or had any sites setup for hacking, so no. There is an answer, but you canā€™t brute force it, the CIA couldnā€™t brute force it. Someone is already close.

#1450

I guess that gives us some hope. Now I just need to look through previous pages of the thread.

#1451

in the beginning when you walk in a room a guard says freeman actually did show for today someone here owes me lunch and if you stay a bit longer he says yep thereā€™s a pepperoni pizza in my future but he never gets it the pizza was a lie

#1452

Iā€™ll admit it, I laughed way too hard.

#1453

about what ?

#1454

ā€œthe pizza/cake is a lieā€

#1455

I guess this means Matherunnerā€™s brute force idea is out the window, which is a bit of a bummer since I had already been working on that idea a bit by the time I read this. Oh wellā€¦

This could also mean weā€™re dealing with something with at least 128-bit security. So we can rule out DES (56 key bits). Two-key Triple DES (112 key bits) allegedly only has 80-bit security due to a certain type of attack, so itā€™s possible we may rule that out as well. So, weā€™re left with three-key Triple DES (168 key bits), or possibly other 64-bit block ciphers with a 128-bit key or larger (Blowfish, CAST-128, IDEA, ā€¦).

What if the key is a hash (MD5, SHA-1, ā€¦) of something. The Portal ARG featured the MD5 hash of the string ā€œThe quick brown fox jumps over the lazy dogā€, which is a well-known pangram used for testing typewriters, keyboards and fonts, and hash algorithms as well, apparently. A cryptographic hash is also called a message digest. Perhaps ā€œsteals it, eats itā€ could be a hint towards that, I donā€™t know. An MD5 hash is 128 bits, which is too short for three-key Triple DES, or weā€™d have to do additional hashing rounds in order to generate enough key material like standard key derivation algorithms do. A Tiger hash (192 bits), however, happens to fit nicely as a key for three-key Triple DES. CAST-128 and IDEA ciphers take 128-bit keys. Blowfish accepts keys up to 448 bits.

The question is, is the key based on ā€œBENALOHPAILLIERā€, or could it be based on something else?

#1456

I have to admit, I have no idea what 3/4 of what you said meant. However, Stormseeker said that one of us already has the right idea. If your hash idea is correct, perhaps we should look into SHA-1, as I mentioned it earlier. Granted, I have no idea how such things work, so Iā€™m mainly the guy who generates random ideas for other people to do the legwork on. Thatā€™s probably not a good thing.

#1457

Well, SHA-1 produces a 160-bit (20-byte) hash value. It doesnā€™t match the key sizes for Triple DES which is 192 bits/24 bytes or 128 bits/16 bytes. We could truncate the hash value so it would fit as a 128-bit key, but that doesnā€™t quite feel right. I would primarily focus on hash algorithms that produces hash values of the same size as the key size of the block cipher in question.

Using a hash as decryption key is not really a new idea, but I donā€™t think it has been discussed here at any length before. However, Matherunner explained in a post a while back how hash functions are often used for generating encryption keys.

A hash function is an algorithm that takes an arbitrary block of data and maps it into fixed-size bit string, which is called a hash value or message digest. It acts like a fingerprint for the data input to the algorithm. The hash value is usually represented as a string of hex digits. For example, the MD5 hash of ā€œBENALOHPAILLIERā€ is fba32cbd68e3beb48c8ca0a1152c982. So, if the HALOS message was encrypted with two-key Triple DES in ECB mode, and this was the actual key, we could decrypt it with the OpenSSL command-line utility like this:

openssl enc -d -des-ede -nosalt -nopad -in halos.bin -K fba32cbd68e3beb48c8ca0a1152c982

where halos.bin is a file containing the raw data represented by the HALOS hex code. You can download it from an earlier post by faed, direct link (btw. the link on the wiki page is broken).

For three-key Triple DES, we need a 192-bit (24-byte) key represented as a string of 48 hex digits:

openssl enc -d -des-ede3 -nosalt -nopad -in halos.bin -K 05f9be7835ea3967f620fd85cd7c325ab2a4f33d218abd8f

The key I used here was the Tiger hash of ā€œBENALOHPAILLIERā€. Note that there are a couple of different versions of the Tiger algorithm around, which produces different outputs.

Obviously, neither of these hashes is the right key, or itā€™s the wrong cipher.

When we use the -K option with OpenSSL to specify the actual key to use, and weā€™re using a cipher in one of the IV-based modes of operation, like the CBC mode, we also need to specify the actual IV to use (in hex) with the -iv option. Example:

openssl enc -d -des-ede3-cbc -nosalt -nopad -in halos.bin -K 05f9be7835ea3967f620fd85cd7c325ab2a4f33d218abd8f -iv 0000000000000000

In real crypto applications, however, a more complex key derivation algorithm is used. A hash function is typically used as a function which is called repeatedly a specified number of times and a (random) salt is also used to further diversify and strengthen the key. This is what OpenSSL does when you use the -pass option to specify a password/passphrase, like in faedā€™s script. The algorithm OpenSSL uses is called with an iteration count of 1 and it uses the MD5 hash algorithm by default. However, you can change the hash algorithm with the -md option. Example:

openssl enc -d -des-ede3 -nosalt -nopad -in halos.bin -md SHA1 -pass pass:"BENALOHPAILLIER"

Available choices here are MD4, MD5, MDC2, RIPEMD160, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, WHIRLPOOL. We may want to try them all with various passphrases.

Iā€™m not sure this will get us anywhere, but I suppose it wonā€™t hurt to try if anyone have some spare time. This is all very technical. Perhaps solving this puzzle is as easy as inputting the right data into the right tool and clicking a button.

EDIT:

As promised, here are a few links to resources related to what I discussed above:

OpenSSL installers for Windows

OpenSSL docs:
https://www.openssl.org/docs/apps/openssl.html
https://www.openssl.org/docs/apps/enc.html#

Hash calculators:

SlavaSoft HashCalc
WinHasher

Some online hash calculators:
https://www.fileformat.info/tool/hash.htm
https://hash-functions.online-domain-tools.com/

A javascript DES/Triple DES encryption tool where you enter the key in hex:
https://etherhack.co.uk/symmetric/des_3des/des_3des.html

If youā€™re using Linux, you may already have OpenSSL installed (if not, just install it with your favourite package manager). For hashing you can use commands like md5sum, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum, tigerdeep, whirlpooldeep (the latter two are part of the md5deep package). Hereā€™s an example how you can hash a string:

echo -n "SecretPassword" | tigerdeep

On a final note, I fear that this will turn out to be yet another dead end.

#1458

There are some other 256-bit encryption methods that we should keep an open mind about, particularly those related to AES and such.

Also, Iā€™m under the sneaking suspicion that we are missing a vital piece of the puzzle. Iā€™m wondering if this is a delay tactic so that Storm has more time to put together further cluesā€“I think this primarily because we decimated a good number of puzzles in a relatively short time-frame.

Anyway, just my two cents.

#1459

Yes, we canā€™t completely rule out AES. After all, the ā€œpizza budget boardā€ does mention an AES-Twofish-Serpent cascade cipher. If one of these ciphers was used, it must have been used in a stream cipher mode like CFB, OFB or CTR. This is because the the block size (not to be confused with key size) of these ciphers is 128 bits (16 bytes), and the length of the HALOS code - 376 bytes - isnā€™t evenly divisible by 16 (but it is divisible by 8, suggesting that a 64-bit block cipher was used). The stream cipher modes donā€™t require that the last part be padded to a full block. In other words, the length of the ciphertext will match the length of the original plaintext, and wonā€™t necessarily be a multiple of the block size. The problem, though, is that these modes require an initialization vector (IV) in addition to the key.

Thereā€™s another cipher Iā€™ve completely overlooked (Iā€™m not sure why), and that is DESX, which is an extension of DES. The purpose of DESX was to provide a simple way of making DES significantly stronger against a brute-force attack. An interesting fact is that Microsoft used DESX with a 128-bit key for file system encryption (NTFS/EFS) in Windows 2000. It could be worth looking into.

It makes sense that he would design a near impossible puzzle in order to slow things down a bit. But it is now nearly nine months since the HALOS file was discovered, and he did recently post a public message saying that ā€œsomeone is already closeā€. Maybe all the necessary pieces are there, but we just canā€™t see them.

#1460

Thatā€™s very trueā€“Storm did mention that someone was getting close. I expect we will receive something from him in the near future if there is no further significant progress or breakthrough, whether that be another clue or a reiteration of the key piece of evidence we should have found by now.

Founded in 2004, Leakfree.org became one of the first online communities dedicated to Valveā€™s Source engine development. It is more famously known for the formation of Black Mesa: Source under the 'Leakfree Modification Team' handle in September 2004.