Probably just me looking for random patterns, but the fact that 192 and 168 have come up so close together makes me think of 192.168.x.x IP addresses. Though thinking about it, it probably makes sense for such byte sized numbers to be used as a standard IP format. Either way, probably irrelevant.
I should probably stop browsing here after 2am. It can only be detrimental to all involved. :tired:
Kippered herring. Final letters of Kippered are red. Red herring. Heh.
Kudos to you for finding definitive proof and to Evil Moo for pointing it out. It was a big fat redherring in the end.
If the message was encrypted after being compressed itās going to be nigh impossible to differentiate the real decryption as you said. I think that he probably did not do that, it would crank the difficulty up to eleven.
About the parity bitsā¦ Iām going to try tomorrow something similar. If I understad correctly, we have Benaloh and Paillier, 7 and 8 cases respectively, but when stormseeker added the information on the first post of the thread, he did write Benalloh, thatās eight characters/bytes, maybe benalloh paillier uchiyama or naccachi, they have contributed to partially homomorphic encryption algorithms and have eight letters names. Now, if this is the approach, I guess that he most probably used the names in hex as the key, as they have the appropiate key lenght, and not as a password to generate the key with a digest, though the message did say password, Iām torn here.
Another possibility. āā¦to send out level seven cases. You should bring pizzas.ā If the parity bits were to be added as you said, benalohpaillierpizzas has 21 characters or bytes. Benaloh and paillier are clearly pointed at, and pizzas is what we should bring.
This seems to be headed the right way, letās just hope it is a dead end.
I just noticed on bmrf.us that the images folder lists its directory contents. Found a few images that donāt appear on the main page at all:
If I had to hazard a guess, Iād say the last image may have something hidden inside it, due to the graininess.
I canāt recall the exact method of decrypting it at the moment, but Iām going to look for it.
EDIT: Some of the methods on this wikipedia page may have been used.
Nice catch, faed.
Itās also worth noting that the listing is, in fact, an actual HTML Document as opposed to a list generated by your browser.
Also, it appears that the images match (at least on visual inspection) the ones inside the Thumbs.db file. When shrunk in GIMP using the scale tool, they are slightly blurrier than the Window$ Thumbs.db format.
I took a look at the hex of the .png using WinHex, and it starts out like a normal .png file would: 89 50 4E 47 0D 0A 1A 0A
Here is a table of hex signatures that I have found extremely useful in the past: Hex Signatures Table
What is interesting is that there are a beginning and ending signature for a .jpg file within the hex code of the .png file. It begins with FFD8 and ends with FFD9. The code is much too large to post here, but here is a link to the blog post Iāve added it to: .jpg hex?
Whatās more, the beginning of the .png file contains the following ASCII:
ā°PNG IHDR
Ā± ZĆĆ
@ sBIT | d
Ė pHYs
ĆĆ~Ć¼ tEXtSo
ftware Adobe Fir
eworks CS5qĀµĆ£6
tEXtCreation T
ime 09/19/12
The key here is the bolded part: āText Software Adobe Fireworks CS5 - Text Creation Tim 09/19/12ā
Obviously, this means that the image was edited in Adobe Fireworks, so itās extremely possible that it was edited specifically for the ARG. Of course, it could also mean that it was edited just to be added to the site. However, based on the date of the editing, I think itās at least somewhat likely that it was created for the ARG.
EDIT: Iām not 100% sure how to go about converting the hex to an image fileāI tried pulling it up in Notepad ++ with the Hex-editor plugin enabled and saving it as a .jpg fileāto no avail. The file wouldnāt even open.
Any thoughts?
I donāt think I did this right but I tried php hex2bin and got this:
https://lazersmoke.chickenkiller.com/tester.jpg
And:
echo āhexā > asdf.jpg
And got this:
https://lazersmoke.chickenkiller.com/asdf.jpg
Edit: on the php attempt I curled a var_dump of the hex2bin of the string if that makes any sense
Those pics arenāt showing up for me. Too bad.
They are little grey boxes in the upper left hand corner. They donāt seem to be relevant, though, so my current theory is that they are editing artifacts from fireworks.
Those two images are exactly the same size, and they are both .pngs. I wonāt have time to do further analysis on the two in a hex editor this weekend, but Iām wondering if together, somehow, they can be combined to create a key. If they were the exact same picture, it would be extremely easy to note added code via histogram analysis and a follow-up hex scan; since they are different, it might take a little more digging to note anything out of line. That said, perhaps there is a type of cryptology Iām not aware of that would use two like images to compound a hidden phrase/image?
OTP, with the hex code of both images. But the images do not have the same size, if I recall correctly, fravrans9 posted a link to search for OTP in any kind of files, it was one of the tools used in Cicada, I remember using it with files that contain noise from the game.
If I hide data on a png with openpuff, then use software to run a chi-square test (The software I have needs the image to be bmp, but since png is losseless compression I think the results should be fine), it still shows very clearly on the distribution that there is hidden data. On research-header, and headline 3 (the image with the scientist with lab glasses on bmrf.us) The results are a bit weird, but do not show any conclusive evidence that there is hidden data, the noise could make the distribution look weird. If they are stock images, maybe we will be able to find then, then comparing with the original, it would be far easier to determine if there is hidden data.
BTW, I was not able to test the 3DES theory, this night maybe Iāll have time, I need to modify the script slightly.
Guys, I messed up the php attempt by doing a var_dump which gives some extra characters at the start and end. A link to a more probably correct version is provided below: (as raw data[maybe])
https://lazersmoke.chickenkiller.com/php/fixedphpattempt
A jpg starts with FF D8 FF E0, āĆæĆĆæĆ ā. FF D8 appears in the pngās hex many times, but never with a complete jpg signature.
Hmmm . . . I didnāt notice that it was not a complete image signature. I assumed that it was based on the appearance of the FFD8. My mistake 
Well thatās unfortunate. While looking for another lead I saw that otr messaging was updated to 4.0, the same version as the 752 hex code, but as it was updated after 200X, Dr. Horn or whomever else couldnāt have used it.
unless stormseeker is part of the developers of otr, and he used the arg to promote otr, and ātime will reveal allā meant that we had to wait for the otr 4.0 as it wasnt released yet, but stormseeker probely expected it to release in only a few months not years
OTR? Is OTR On a Rail Uncut or something entirely different?
EDIT: Never mind, I know it isnāt OaR. But what is it then?
Off The Record Messaging. Itās a secure instant messaging system.
Founded in 2004, Leakfree.org became one of the first online communities dedicated to Valveās Source engine development. It is more famously known for the formation of Black Mesa: Source under the 'Leakfree Modification Team' handle in September 2004.
