[ARG] The Pizza Code Mystery

Oh dear, I’m sorry I couldn’t reply sooner, but please allow me to clear this up now before there is any more speculation:

In that post you’re referring to, I presented a solution based on my own experiences on this forum earlier this year (2013). My forum account was disabled for 3-4 months after I tried changing the email address in my profile, and the forum just wouldn’t send me any confirmation emails (tried four different email addresses). I’m pretty sure there must have been some sort of issue with the forum, since the forum page would hang for like 20-30 seconds after clicking the save settings button on the “edit password/email” page. I made another attempt in July and finally received the confirmation email so that I could confirm the email change and reactivate my account. It’s a bit odd that it wasn’t reported on the forums, perhaps it only affected a few users. I couldn’t post/PM about it myself, since my account was in a disabled state, awaiting confirmation.

I’m just a regular user here, who happens to be interested in the ARG, and cares about it. That’s all.

However, I should probably remove/change my avatar picture, which I recently added. I have to admit I was a bit worried that something like this might happen when I chose that particular picture, given this context, but I figured I’d just keep it until I found something better. I sincerely apologize if anyone was misled to believe that I had some inside knowledge and was dropping clues here. That was not my intention.

I hope this clears up any confusion.

ssssh…I was having fun with this

Oops! Sorry, I didn’t mean to spoil your fun there. :)


EDIT (Aug 18): I found this in Stormseeker’s Steam profile (in the info box):

It’s probably nothing, but it seems to tie in with the Giordano Bruno quote, which was used as key in the code puzzle found in IRC clue 5, and the “Vox populi vox Dei” quote found in the wiki clue.

I haven’t been involved with the ARG for some time now, and I feel that I have already forgotten quite a few things.

The first 4 codes A,B,C,D (1001,0851,3914,0914), have we used them for anything?

The coordinates in the IRC clues, have we used them for anything?

I did some analysis of the HALOS.txt file (I remember that someone else also did an entropy check on the data, but I couldn’t find it). Since all 4 codes inside the game were used to access this file I would assume it is important.

The conclusion is that after the ASCII85 conversion, the data is completely random, with an entropy of 7.43 bits (where 8 is maximum entropy) which is very high (meaning the data is very “random”).

I’m attaching 3 graphs of the data: Histogram, Spectrum and Byte value vs. position in message, which all show that there is no trend in the data that I can see.

Any guesses what this means?
[Attached images: Histogram, Spectrum, Byte value vs. position]

The hex code is practically indistinguishable from a sequence of bytes generated by a random number generator. But it is very similar to what you would get from a modern cipher, like Triple DES.

Here are some entropy comparisons (the first value is the normalized entropy value where 1.0 is the highest entropy):

HALOS code:
0.928515900207 or 7.42812720165 bits per byte

376 bytes from /dev/random on a Linux box:
0.925949690106 or 7.40759752085 bits per byte

A sample text in English (in ANSI ASCII), 376 characters:
0.526835123208 or 4.21468098566 bits per byte

The same text encrypted with Triple DES:
0.928778473812 or 7.4302277905 bits per byte
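The comparison above can be reproduced offline. This added example (not code from the thread) computes byte-level Shannon entropy and shows that roughly 7.4 bits per byte is what uniformly random data yields when the sample is only 376 bytes long; the seeded random bytes and the English paragraph are constructed inputs, not the real HALOS data.

```python
import math
import random
from collections import Counter

SAMPLE_LEN = 376  # size of the HALOS data as stated in the thread


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def normalized(data: bytes) -> float:
    """Entropy divided by the 8-bit maximum (the first value in each pair above)."""
    return shannon_entropy(data) / 8.0


def random_bytes(rng: random.Random, n: int) -> bytes:
    """n uniformly distributed bytes from a seeded PRNG (constructed test data)."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def average_random_entropy(trials: int = 200, n: int = SAMPLE_LEN, seed: int = 1) -> float:
    """Mean measured entropy of many n-byte uniform samples.

    With 256 possible values and only 376 draws, many values occur once or not
    at all, so the histogram estimate falls well short of 8 bits even though
    the source is perfectly uniform.
    """
    rng = random.Random(seed)
    return sum(shannon_entropy(random_bytes(rng, n)) for _ in range(trials)) / trials


# Constructed inputs, both cut to the same length as the HALOS data.
RANDOM_SAMPLE = random_bytes(random.Random(2013), SAMPLE_LEN)
ENGLISH_SAMPLE = (
    "The data recovered from the file was converted from its text encoding "
    "into raw bytes before any statistics were computed. If the bytes came "
    "from ordinary written language we would expect some values, such as "
    "spaces and common vowels, to appear far more often than others. A strong "
    "cipher hides that structure, so every byte value shows up about equally "
    "often and the histogram looks flat across the whole range of values."
).encode("ascii")[:SAMPLE_LEN]

if __name__ == "__main__":
    for name, blob in (("random", RANDOM_SAMPLE), ("english", ENGLISH_SAMPLE)):
        print(f"{name}: {normalized(blob):.4f} or {shannon_entropy(blob):.4f} bits per byte")
    print(f"mean over 200 random samples: {average_random_entropy():.4f}")
```

A value near 7.4 therefore says only that the byte histogram is flat; it cannot separate cipher output from compressed data or from a random number generator.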

Is it also true that we would expect a high entropy from Benaloh/Paillier ciphers?

They are both very similar algorithms, but I am confused why both are mentioned as a solution to IRC clue 5.

Has anyone tried to decrypt using Benaloh or Paillier, and which numbers were tested as keys?

After reading about Benaloh and Paillier for a while but never understanding how to implement the algorithm practically (I am not a mathematician and most of the descriptions are too general for easy understanding), I decided to email Josh Benaloh at Microsoft, to tell him that his name is in this game, and it is related to solving different ciphers, which I hope he finds interesting. I also took the opportunity to ask for his opinion on the Benaloh-Paillier reference and if he had any documentation on how to implement the algorithm.

It’s a long shot, but at least he has something fun to share with his colleagues during the coffee break!

It will be interesting to see if he responds to your email.

I, also, think that the Benaloh/Paillier references are very confusing, perhaps the most confusing so far.

But we should consider this: Stormseeker said that someone was close. I would assume that this means that someone is almost literally one step away from solving this. As far as I can tell, no one has mentioned or discussed serious attempts to decrypt the code with the Benaloh/Paillier encryption schemes in this thread. I don’t know if someone has discussed this in the IRC channel; if so, please let us know here. If no one has actually attempted this, would Stormseeker say that someone is close?

What do you guys think?

Also, ev1te, have you looked at the mysterious wiki page that was added on the wiki by Dr. Horn on December 12, 2012? Perhaps someone should add a link to it on the front page, for example under a new section called “Additional clues”. Or create a new page about it, write a brief summary of some of the observations and findings, and link to it from there. That same day, Stormseeker also did some edits in the OP that perhaps could be further clues. This is information that is easily missed by newcomers and people coming back to the ARG, I think.

That is interesting, didn’t know about that wiki page. Also Josh Benaloh did reply to my email!

[code]
Richard,

As you suspected, I was not aware of this reference. It is, indeed, rather amusing.

You can find a short description of my cryptosystem as well as the variant by Pascal Paillier in the Wikipedia article on homomorphic encryption at https://en.wikipedia.org/wiki/Homomorphic_encryption.

I hope this is helpful to you and wish you luck in this challenge.

Josh[/code]

He means that he was not aware of his name’s involvement in this ARG, and one other thing caught my eye. He says that Pascal Paillier did a variant of “his” cryptosystem. Does this mean that Paillier is just an “extension” to Benaloh? I will read some more about this connection and see what I come up with.


The wiki page you mentioned https://thepizzaisalie.wikia.com/wiki/Tempus_omnia_revelant has some codes on it, I found these:

The title “Tempus omnia revelant” means “Time to reveal all”.

The first line “Vox populi vox Dei” means “The voice of the people is the voice of God”.

The wiki message left by DrHorn on the wiki has bold letters, spelling out:
seekCodeoutheisIwatchinsgAI
Maybe I missed some character because some letters do not fit in.

The long table of Niobium isotope data is exactly the same as on Wikipedia (exactly the same to all the characters) https://en.wikipedia.org/wiki/Isotopes_of_niobium (but it contains just the middle portion of that large table).

HAFB: Holloman Air Force Base is mentioned again.

Finally this phrase is mentioned “Raphèl maí amèche zabí almi” which is a verse from Dante’s Inferno, XXXI.67.

Benaloh and Paillier cryptosystems are both homomorphic in the same way. This is what you can do with both of them:

Encoding (number1) = Cipher1
Encoding (number2) = Cipher2
Encoding (number1 + number2) = Cipher1*Cipher2

You can do mathematics on the already encoded data, without knowing the original value (a variant of RSA also has this property).

Benaloh encoding (public key is the modulus m and the base g with a blocksize of c):
Encoding(X) = (g^X * r^c) mod m

Paillier encoding (public key is the modulus m and the base g):
Encoding(X) = (g^X * r^m) mod m^2
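A toy Paillier instance built on the encoding formula quoted above, added here as an illustration and not taken from the thread. It shows the additive property and also why such ciphertexts look random: the same number encrypts differently for every r. The primes 293 and 433, the values of r and the choice g = m + 1 are assumptions made for the example; real keys use primes hundreds of digits long.

```python
import math


def _L(u: int, m: int) -> int:
    """The Paillier 'L' function: L(u) = (u - 1) / m, an exact integer division here."""
    return (u - 1) // m


def keygen(p: int, q: int):
    """Build a toy key pair from two distinct primes p and q."""
    m = p * q                                            # public modulus
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)    # lcm(p-1, q-1), private
    g = m + 1                                            # public base (a common choice)
    mu = pow(_L(pow(g, lam, m * m), m), -1, m)           # private, modular inverse
    return (m, g), (lam, mu)


def encrypt(pub, x: int, r: int) -> int:
    """Encoding(X) = (g^X * r^m) mod m^2, with r coprime to m."""
    m, g = pub
    if not 0 <= x < m or math.gcd(r, m) != 1:
        raise ValueError("x must be in [0, m) and r must be coprime to m")
    m2 = m * m
    return pow(g, x, m2) * pow(r, m, m2) % m2


def decrypt(pub, priv, c: int) -> int:
    """Recover X from a ciphertext using the private values (lam, mu)."""
    m, _ = pub
    lam, mu = priv
    return _L(pow(c, lam, m * m), m) * mu % m


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the hidden numbers (mod m)."""
    m, _ = pub
    return c1 * c2 % (m * m)


# Constructed demo values: the plaintexts reuse codes A and B from the thread.
PUB, PRIV = keygen(293, 433)
C1 = encrypt(PUB, 1001, r=17)
C2 = encrypt(PUB, 851, r=23)

if __name__ == "__main__":
    print("Cipher1 * Cipher2 decrypts to", decrypt(PUB, PRIV, add_encrypted(PUB, C1, C2)))
    print("same plaintext, different r:", C1, encrypt(PUB, 1001, r=23))
```

Decryption needs the private values derived from p and q; a passphrase plays no part in the scheme.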

So I’ve been brainstorming this weekend about this elusive Halos file.

Some things to note:

  • One of the IRC clues explicitly says the password to the halos file is ~“benaloh paillier”. Note this message was in all caps, and spaces were inserted at normal intervals with one such space ending up in the middle of the password. This could mean the password may be ‘benalohpaillier’, ‘BENALOHPAILLIER’, ‘benaloh paillier’, ‘BENALOH PAILLIER’, ‘BenalohPaillier’ or ‘Benaloh Paillier’.
  • Since we can assume the file is password protected this means a symmetric encryption was applied. But Benaloh/Paillier encryption is asymmetric (public key encryption).
  • The IRC clues also mention that site activation is required.

With these three clues in mind, my current hypothesis is that the Halos file is actually an SSH key that is password protected. The key would then be used to ssh to terminal.blackmesasource.com and issue some command to activate the site:

ssh -i halos.pem dorn@terminal.blackmesasource.com

But there’s no magic numbers inside the file that would signify what format of key it is.

I’m currently playing around with inserting the binary data as the Blob content of various SSH private key payloads and seeing what I come up with. This is requiring a bit of research on the various pub key formats like PKCS12, PEM or X509.

If anyone has some better knowledge about the headers for these formats, give me a shout.

What if the random number waveforms from HALOS.txt are an indicator of what letters of “benaloh paillier” are to be capitalized, based on height?

I don’t really know much about that puzzle, but I’ll just throw this out there.

Ok, so this venture hasn’t been fruitful so far.

OpenSSH private keys are much larger than this 376 byte file size. Even if I set no passphrase and use the lowest encryption level for RSA (768-bit), the raw payload is about 460 bytes.

And also, to be sure I’ve tried everything I could think of with OpenSSL, I updated my script to run through every symmetric cipher available with a list of the possible ‘benalohpaillier’ permutations.

#!/bin/bash

declare -a ciphers=('aes-128-cbc' 'aes-128-cfb' 'aes-128-cfb1' 'aes-128-cfb8' 'aes-128-ctr' 'aes-128-ecb' 'aes-128-gcm' 'aes-128-ofb' 'aes-128-xts' 'aes-192-cbc' 'aes-192-cfb' 'aes-192-cfb1' 'aes-192-cfb8' 'aes-192-ctr' 'aes-192-ecb' 'aes-192-gcm' 'aes-192-ofb' 'aes-256-cbc' 'aes-256-cfb' 'aes-256-cfb1' 'aes-256-cfb8' 'aes-256-ctr' 'aes-256-ecb' 'aes-256-gcm' 'aes-256-ofb' 'aes-256-xts' 'aes128' 'aes192' 'aes256' 'bf' 'bf-cbc' 'bf-cfb' 'bf-ecb' 'bf-ofb' 'blowfish' 'camellia-128-cbc' 'camellia-128-cfb' 'camellia-128-cfb1' 'camellia-128-cfb8' 'camellia-128-ecb' 'camellia-128-ofb' 'camellia-192-cbc' 'camellia-192-cfb' 'camellia-192-cfb1' 'camellia-192-cfb8' 'camellia-192-ecb' 'camellia-192-ofb' 'camellia-256-cbc' 'camellia-256-cfb' 'camellia-256-cfb1' 'camellia-256-cfb8' 'camellia-256-ecb' 'camellia-256-ofb' 'camellia128' 'camellia192' 'camellia256' 'cast' 'cast-cbc' 'cast5-cbc' 'cast5-cfb' 'cast5-ecb' 'cast5-ofb' 'des' 'des-cbc' 'des-cfb' 'des-cfb1' 'des-cfb8' 'des-ecb' 'des-ede' 'des-ede-cbc' 'des-ede-cfb' 'des-ede-ofb' 'des-ede3' 'des-ede3-cbc' 'des-ede3-cfb' 'des-ede3-cfb1' 'des-ede3-cfb8' 'des-ede3-ofb' 'des-ofb' 'des3' 'desx' 'desx-cbc' 'id-aes128-GCM' 'id-aes192-GCM' 'id-aes256-GCM' 'rc2' 'rc2-40-cbc' 'rc2-64-cbc' 'rc2-cbc' 'rc2-cfb' 'rc2-ecb' 'rc2-ofb' 'rc4' 'rc4-40' 'rc4-hmac-md5' 'seed' 'seed-cbc' 'seed-cfb' 'seed-ecb')

declare -a passes=('benalohpaillier' 'BENALOHPAILLIER' 'benaloh paillier' 'BENALOH PAILLIER' 'Benaloh Paillier' 'BenalohPaillier')

for p in "${passes[@]}"
do
        for c in "${ciphers[@]}"
        do
                echo "====================================================="
                echo "== Algo: $c  Pass:\"$p\""
                echo "====================================================="
                # Quote the input path so file names containing spaces still work
                openssl enc -d "-$c" -nosalt -nopad -in "$1" -pass "pass:$p"
                echo ""
                echo ""
        done
done

I still just got a lot of junk back.

Ok, one final update for the night. Updated the script again. It will now use the Linux ‘file’ command to automatically check the output and flag anything that looks interesting:

#!/bin/bash

declare -a ciphers=('aes-128-cbc' 'aes-128-cfb' 'aes-128-cfb1' 'aes-128-cfb8' 'aes-128-ctr' 'aes-128-ecb' 'aes-128-gcm' 'aes-128-ofb' 'aes-128-xts' 'aes-192-cbc' 'aes-192-cfb' 'aes-192-cfb1' 'aes-192-cfb8' 'aes-192-ctr' 'aes-192-ecb' 'aes-192-gcm' 'aes-192-ofb' 'aes-256-cbc' 'aes-256-cfb' 'aes-256-cfb1' 'aes-256-cfb8' 'aes-256-ctr' 'aes-256-ecb' 'aes-256-gcm' 'aes-256-ofb' 'aes-256-xts' 'aes128' 'aes192' 'aes256' 'bf' 'bf-cbc' 'bf-cfb' 'bf-ecb' 'bf-ofb' 'blowfish' 'camellia-128-cbc' 'camellia-128-cfb' 'camellia-128-cfb1' 'camellia-128-cfb8' 'camellia-128-ecb' 'camellia-128-ofb' 'camellia-192-cbc' 'camellia-192-cfb' 'camellia-192-cfb1' 'camellia-192-cfb8' 'camellia-192-ecb' 'camellia-192-ofb' 'camellia-256-cbc' 'camellia-256-cfb' 'camellia-256-cfb1' 'camellia-256-cfb8' 'camellia-256-ecb' 'camellia-256-ofb' 'camellia128' 'camellia192' 'camellia256' 'cast' 'cast-cbc' 'cast5-cbc' 'cast5-cfb' 'cast5-ecb' 'cast5-ofb' 'des' 'des-cbc' 'des-cfb' 'des-cfb1' 'des-cfb8' 'des-ecb' 'des-ede' 'des-ede-cbc' 'des-ede-cfb' 'des-ede-ofb' 'des-ede3' 'des-ede3-cbc' 'des-ede3-cfb' 'des-ede3-cfb1' 'des-ede3-cfb8' 'des-ede3-ofb' 'des-ofb' 'des3' 'desx' 'desx-cbc' 'id-aes128-GCM' 'id-aes192-GCM' 'id-aes256-GCM' 'rc2' 'rc2-40-cbc' 'rc2-64-cbc' 'rc2-cbc' 'rc2-cfb' 'rc2-ecb' 'rc2-ofb' 'rc4' 'rc4-40' 'rc4-hmac-md5' 'seed' 'seed-cbc' 'seed-cfb' 'seed-ecb')

declare -a passes=('benalohpaillier' 'BENALOHPAILLIER' 'benaloh paillier' 'BENALOH PAILLIER' 'Benaloh Paillier' 'BenalohPaillier')

OUT="/tmp/tmp.halosoutput"

for p in "${passes[@]}"
do
        for c in "${ciphers[@]}"
        do
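                openssl enc -d "-$c" -nosalt -nopad -in "$1" -pass "pass:$p" > "$OUT" 2> /dev/null
                # Strip the "/tmp/tmp.halosoutput: " prefix (22 characters) from the output of file
                result=$(file "$OUT")
                result=${result:22}
                # Double quotes so that $result is expanded; in single quotes the test compared the literal text
                if [ "$result" != 'data' ] && [ "$result" != 'empty' ]; then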
                        echo "======================================================"
                        echo "== Cipher: $c     Pass:\"$p\""
                        echo "== FileType: $result"
                        cat $OUT
                        echo ""
                        echo ""

                fi
        done
done

chmod +x decrypter.sh
./decrypter.sh halos.raw

It appears that all the results coming back thus far are false flags. I see some results marked as “DBase 3 data file with memo(s)”, “MPEG-4 LOAS”, or “DOS executable (COM)” to name a few.

The actual data behind these results doesn’t look very interesting though, still just a lot of random bytes. So I think it’s just getting a false positive hit on some magic numbers in the first few bytes.

Example result:

======================================================
== Cipher: bf-cfb     Pass:"Benaloh Paillier"
== FileType: MPEG-4 LOAS

Another thing you could try is to insert another loop in the script which cycles through different hash algorithms to be used with the key derivation function that OpenSSL uses. The hash algo can be set with the -md option. Available hash algos are: MD4, MD5, MDC2, RIPEMD160, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, WHIRLPOOL.

EDIT: About the space in “BENALOH PAILLIER”. I’m not sure it is supposed to be there. See my earlier post. I believe the spaces in the IRC clue 5 solution must have been inserted there by the wiki editor to allow for line wrapping.

EDIT 3: Actually, if we retain the spaces and the line feed from the original ciphertext found in the IRC clue in question, we get:

THISI SAMES SAGEL EFTFO RDRHO RNJUS TTORE MINDY OUINC ASEOF EMERG ENCIE STHAT THEPA SSWOR DTOTH EHALO SFILE SISBE NALOH PAILL IERIH AVEPR OGRAM MEDHA LOSTO SENDI NLEVE LSEVE NCASE SYOUS HOULD BRING PIZZA S
If we extract only the part with the password, we get: “BE NALOH PAILL IER”. However, the spaces in the original ciphertext don’t have to mean anything, since ciphertexts enciphered with classical ciphers are traditionally written in five letter groups.

EDIT 2: I explored the SSH key theory in early January. I can’t remember all the details, but I think I ran into the same problems you did. Also, if the SSH key is password protected, the name of the block cipher algorithm, used to encrypt it, must be specified in the PEM file, along with a salt value. So, I gave up on that theory.

And, didn’t Stormseeker’s comment in his Steam profile pretty much debunk the SSH key theory?

Good idea, but still no results to write home about.

#!/bin/bash

declare -a ciphers=('aes-128-cbc' 'aes-128-cfb' 'aes-128-cfb1' 'aes-128-cfb8' 'aes-128-ctr' 'aes-128-ecb' 'aes-128-gcm' 'aes-128-ofb' 'aes-128-xts' 'aes-192-cbc' 'aes-192-cfb' 'aes-192-cfb1' 'aes-192-cfb8' 'aes-192-ctr' 'aes-192-ecb' 'aes-192-gcm' 'aes-192-ofb' 'aes-256-cbc' 'aes-256-cfb' 'aes-256-cfb1' 'aes-256-cfb8' 'aes-256-ctr' 'aes-256-ecb' 'aes-256-gcm' 'aes-256-ofb' 'aes-256-xts' 'aes128' 'aes192' 'aes256' 'bf' 'bf-cbc' 'bf-cfb' 'bf-ecb' 'bf-ofb' 'blowfish' 'camellia-128-cbc' 'camellia-128-cfb' 'camellia-128-cfb1' 'camellia-128-cfb8' 'camellia-128-ecb' 'camellia-128-ofb' 'camellia-192-cbc' 'camellia-192-cfb' 'camellia-192-cfb1' 'camellia-192-cfb8' 'camellia-192-ecb' 'camellia-192-ofb' 'camellia-256-cbc' 'camellia-256-cfb' 'camellia-256-cfb1' 'camellia-256-cfb8' 'camellia-256-ecb' 'camellia-256-ofb' 'camellia128' 'camellia192' 'camellia256' 'cast' 'cast-cbc' 'cast5-cbc' 'cast5-cfb' 'cast5-ecb' 'cast5-ofb' 'des' 'des-cbc' 'des-cfb' 'des-cfb1' 'des-cfb8' 'des-ecb' 'des-ede' 'des-ede-cbc' 'des-ede-cfb' 'des-ede-ofb' 'des-ede3' 'des-ede3-cbc' 'des-ede3-cfb' 'des-ede3-cfb1' 'des-ede3-cfb8' 'des-ede3-ofb' 'des-ofb' 'des3' 'desx' 'desx-cbc' 'id-aes128-GCM' 'id-aes192-GCM' 'id-aes256-GCM' 'rc2' 'rc2-40-cbc' 'rc2-64-cbc' 'rc2-cbc' 'rc2-cfb' 'rc2-ecb' 'rc2-ofb' 'rc4' 'rc4-40' 'rc4-hmac-md5' 'seed' 'seed-cbc' 'seed-cfb' 'seed-ecb')

declare -a passes=('benalohpaillier' 'BENALOHPAILLIER' 'benaloh paillier' 'BENALOH PAILLIER' 'Benaloh Paillier' 'BenalohPaillier')

declare -a digests=('md2' 'md5' 'mdc2' 'rmd160' 'sha' 'sha1' 'sha224' 'sha256' 'sha384' 'sha512')

OUT="/tmp/tmp.halosoutput"

for p in "${passes[@]}"
do
        for c in "${ciphers[@]}"
        do
                for d in "${digests[@]}"
                do
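                        openssl enc -d "-$c" -nosalt -nopad -in "$1" -md "$d" -pass "pass:$p" > "$OUT" 2> /dev/null
                        # Strip the "/tmp/tmp.halosoutput: " prefix (22 characters) from the output of file
                        result=$(file "$OUT")
                        result=${result:22}
                        # Double quotes so that $result is expanded; in single quotes the test compared the literal text
                        if [ "$result" != 'data' ] && [ "$result" != 'empty' ]; then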
                                echo "======================================================"
                                echo "== Cipher: $c     Pass: \"$p\"    Digest: $d"
                                echo "== FileType: $result"
                                cat $OUT
                                echo ""
                                echo ""
                        fi
                done
        done
done

./decrypter.sh halos.raw > output.txt


I’ve tried a boatload of passwords with every combination of digest and cipher and still have nothing to show for it.

‘benalohpaillier’
‘BENALOHPAILLIER’
‘benaloh paillier’
‘BENALOH PAILLIER’
‘Benaloh Paillier’
‘BenalohPaillier’
‘BE NALOH PAILL IER’
‘be naloh paill ier’

‘superbus via inscientiae’
‘superbusviainscientiae’
‘SUPERBUS VIA INSCIENTIAE’
‘SUPERBUSVIAINSCIENTIAE’
‘Superbus via Inscientiae’
‘SuperbusViaInscientiae’
‘Superbus Via Inscientiae’

‘lapis philosophorum’
‘LAPIS PHILOSOPHORUM’
‘lapisphilosophorum’
‘LAPISPHILOSOPHORUM’
‘Lapis Philosophorum’
‘LapisPhilosophorum’

‘homomorphic’
‘homomorphic cryptosystems’
‘homomorphiccryptosystems’
‘HomomorphicCryptosystems’
‘homomorphic cryptosystem’
‘Homomorphic Cryptosystem’
‘homomorphic encryption’
‘homomorphicencryption’
‘Homomorphic’
‘Homomorphic Encryption’
‘HomomorphicEncryption’

It’s starting to feel like Storm just dumped /dev/random on us and has been laughing his ass off for a year now.

The problem with OpenSSL is that it uses its own (nonstandard) password-based key derivation algorithm. So, if Dr. Horn didn’t use OpenSSL with a password to encrypt the message, we get bupkis out of it, even if we used the right cipher and password.

I’ve looked into the key derivation function used by OpenSSL. The function is documented here. This function also generates the IV to use with the IV-based modes of operation.

The OpenSSL command-line utility calls this function with the following arguments:

  • cipher method (so that the function can determine the key and IV sizes)
  • message digest method (MD5 unless another message digest algorithm is specified on the command-line)
  • an 8-byte salt (if specified on the command-line)
  • password
  • iteration count = 1

Note that if a salt is used, OpenSSL inserts the string “Salted__” followed by the 8-byte salt value at the beginning of the encrypted data. There is no “Salted__” string in the HALOS code, so if OpenSSL was used to encrypt the HALOS code, no salt was used.

In an earlier post, I’ve mentioned a standard password-based key derivation algorithm called PBKDF2, which is described in PKCS #5 v2.0 and RFC 2898. A Javascript implementation is available here. However, the standard recommends that a salt of at least 8 bytes be used. As a result, most implementations have this as a requirement. Another parameter that must be specified, is an iteration count. The higher the iteration count, the more difficult a brute force attack is. The pseudorandom function that is used by the algorithm in its core, is not limited to, but is typically based on the SHA-1 message digest algorithm.

A salt and an iteration count in addition to the password, of course, complicate matters even further. But what if the password really is BENALOHPAILLIER? Then it is a matter of guessing the salt and the iteration count (and possibly the underlying message digest algorithm), and of course the right symmetric cipher (a 64-bit block cipher being the most likely cipher, IMO). The problem is, we’re going to have to code something in order to explore this idea. And with no good leads that support this idea, it would seem like a fruitless exercise, I have to admit.
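The OpenSSL derivation described in the post above (digest of password and optional salt, iteration count 1, output split into key and IV) is small enough to write out. This is an added sketch, not code from the thread or from OpenSSL; the function names and the table of key and IV sizes are chosen for the example, and the salted blob in the usage is constructed.

```python
import hashlib

MAGIC = b"Salted__"  # header OpenSSL puts in front of salted "enc" output

# (key length, IV length) in bytes for a few of the ciphers the scripts try
CIPHER_SIZES = {
    "aes-128-cbc": (16, 16),
    "aes-256-cbc": (32, 16),
    "des-ede3-cbc": (24, 8),
    "bf-cbc": (16, 8),
}


def split_salt(blob: bytes):
    """Return (salt, ciphertext); salt is None when the "Salted__" header is absent."""
    if len(blob) >= 16 and blob.startswith(MAGIC):
        return blob[8:16], blob[16:]
    return None, blob


def evp_bytes_to_key(password: bytes, key_len: int, iv_len: int,
                     salt: bytes = b"", digest: str = "md5", count: int = 1):
    """Legacy OpenSSL password-to-key derivation.

    Each block is digest(previous_block + password + salt), re-hashed
    count - 1 more times; blocks are concatenated until there are enough
    bytes for the key followed by the IV.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(digest, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_all(password: bytes, cipher: str, digests=("md5", "sha1", "sha256")):
    """Key and IV for one cipher under several digests, unsalted as with -nosalt."""
    key_len, iv_len = CIPHER_SIZES[cipher]
    return {d: evp_bytes_to_key(password, key_len, iv_len, digest=d) for d in digests}


if __name__ == "__main__":
    for name, (key, iv) in derive_all(b"BENALOHPAILLIER", "des-ede3-cbc").items():
        print(f"{name:7s} key={key.hex()} iv={iv.hex()}")
    constructed = MAGIC + bytes(range(8)) + b"ciphertext bytes"
    print(split_salt(constructed))
```

Every digest gives an unrelated key and IV for the same password, so a correct password and cipher still produce junk when the digest, salt or iteration count differs from what the encryptor used.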
