, ,

On July 15 [2011], Fidelis Security Solutions announced that they’d be running a crypto puzzle at Black Hat. And that the prize would be $1000. So, naturally, I was quite interested. I went to their site, downloaded the puzzle, and set to work:


It’s immediately obvious that we’re not looking at straight ASCII.

I figured it would be UTF-8 encoded, and verified that quickly. But the question then was whether the decoding work should be in UTF-8 or if, for example, I needed to convert it to UTF-16 first. I even considered that maybe I needed to look to the official Unicode name for each character, instead of the binary representation of it. Here’s the hexdump of the ciphertext, in UTF-8 (with newlines dropped for clarity):

5ec2 a5 c3 90 c2 a7 c2 b5c2 b6 c2 ae c3 86 c3 a4c3 a6 c2 a9 c3 97 c3 a4c3 b7 c4 b3 c5 92 c4 90c6 86 c4 b7 c4 97 c4 b2c5 a6 c5 af c5 b6 c5 abc6 82 c6 90 c6 94 c6 86c5 a6 c6 89 c6 b6 c7 b4c6 86 c6 85 c6 a6 c6 acc7 86 c6 b9 c9 87 ca 83

The little ^ character at the beginning made me think of XOR — since in many languages, that’s the operator used for that. So I need to find some binary key stream that, when XORd with the ciphertext, will give me plaintext.

I played with that for a while, then watched their little promo video again. And there, at the very end of the video, the phrase “ALL YOUR ¥Ð§µ ARE BELONG TO US” zooms past the viewer. So “¥Ð§µ” == “BASE”? Okay, that’s something else I can work with….

At this point, Darth Null issues a warning:

If you’d like to try to solve this, STOP now, as the rest [has] spoilers. The … text above is all you need to get started. Or click here for cipher text and hints revealed during the conference.

Still with me? Okay.

The ending was a surprise! The closing lines, see excerpt below, convey the spirit, though not the particulars. You will need to visit Darth Null’s original post to truly understand why. And maybe even try your hand at solving the puzzle,

To say I was frustrated, well, that doesn’t begin to cover it… So in the end, was this a good or bad puzzle? As much as it pains me to admit it, this was an excellent puzzle. It made me think about UTF-8 encoding (which many, especially us old dumb-terminal types, overlook in favor of flat ASCII). It had a red herring (the ^ making me think of XOR). It had obvious, blatant signs that should have been seen, at least by experienced cryptographers. Like most good riddles, it had a simple, obvious, easy-to-execute solution. 

Thanks, Fidelis, for reminding me to keep my eye on the basics, and for driving home the first rule of cryptanalysis, as defined by the late Robert Morris: “Check for plaintext.”

Via darthnull: Fidelis Puzzle, August 30, 2011.