"Past results offer no guarantees for the future"

These are the ramblings of Matthijs Kooijman, concerning the software he hacks on, hobbies he has and occasionally his personal life.

Day 1: It has begun!

(Disclaimer: This post is about a game. It is all fiction.)

Pandora 2006 has begun. Yet instead of the promised "Pandora Paradise", we were "volunteered" into the Pandora Correctional Center. Us being team E.V.I.L, we found the new environment rather familiar :-)

Hidden in a pie we got by mail, we found a letter from three survivors of last year's edition of PCC, as well as a number of metal parts, bolts and rubber bands. The letter told us about the horrors of last year's Pandora Correctional Center and about the survivors' plan for escape. They offered us a chance to join their escape, but for that they want us to help them with some preparations. So, every night from last night to Wednesday, they will give us puzzles to show our dedication.

# Puzzles

So, the first puzzle. A letter from upper management to Pandora security that got into our hands, notifying them about a new mainframe. The information was apparently encoded:

":pp[ rrmd rrm tpmykr"


The encoding was cracked within a few minutes: Find every character on your keyboard and replace it with the character on the key to the left of it. You'll get:

"loop eens een rontje" (Take a walk arount)
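The key-to-the-left substitution described above, as an added example that is not part of the original post. It assumes a US QWERTY layout (the post does not name one); the function names are hypothetical. Because ":" is Shift+";", the decoder returns a capital "L" where the post writes the result in lowercase.

```python
# US QWERTY key rows, unshifted then shifted (assumed layout; the post does not name one).
ROWS = [
    "`1234567890-=", "~!@#$%^&*()_+",
    "qwertyuiop[]\\", "QWERTYUIOP{}|",
    "asdfghjkl;'", 'ASDFGHJKL:"',
    "zxcvbnm,./", "ZXCVBNM<>?",
]

def neighbour_map(offset):
    """Map every key to the key `offset` places along its row (-1 = left, +1 = right)."""
    table = {}
    for row in ROWS:
        for i, key in enumerate(row):
            j = i + offset
            if 0 <= j < len(row):
                table[key] = row[j]
    return table

LEFT, RIGHT = neighbour_map(-1), neighbour_map(+1)

def shift_text(text, table):
    """Translate key by key; characters with no neighbour (row ends, spaces) pass through."""
    return "".join(table.get(ch, ch) for ch in text)

def decode(ciphertext):
    """Undo the puzzle's encoding: take the key to the left of each typed key."""
    return shift_text(ciphertext, LEFT)

def encode(plaintext):
    """Produce the puzzle's encoding: type the key to the right of each intended key."""
    return shift_text(plaintext, RIGHT)

if __name__ == "__main__":
    print(decode(":pp[ rrmd rrm tpmykr"))
```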


The first thing you notice in the decoded text is the wrong spelling of "rondje" (around). So, this "t" is probably a hint. Since there is a building on campus called the "T-house", we went there and arrived first. No hint there, so we widened our search aroun(d/t) the building and a few other nearby buildings.

This gave us a clue at the Zilverling building, inside which a big screen showed alternating white and black intervals. Having no clue what to do with them, we noted down intervals for a period of time. Failing to find a repeating pattern (about 50 samples, or 100 seconds), we were stuck.

## Faulty puzzles

Just about that time, we received a message from the organisation. They had made a typing error in the clue. The deviant "t" in the message was a mistake; it should have been a "d". Completely turning about the meaning of this hint, we sped towards the "Sintelbaan", a running course on campus. The ideal spot for running around.

Our first search was severely limited due to other teams walking around and our two team members didn't want to get shot. They found nothing. Since there had to be something there, we searched again. In the end we found very small clues with a number and one or two letters, spread around the sides of the course. The trivial way to make something of this was putting the letters in the order given by the numbers, which gave us "HiHi, zuur he, niets vinden?" (HiHi, isn't it sour to find nothing?).

Assuming that this very nice puzzle was meant to give a seemingly useless (and simple) result while in reality it used some more advanced encoding to contain a real clue, we set out for our evil lair to crack it.

## The lemon juice incident

On our way back, we ran into some other teams and they suggested that clues are not valid unless they contain an "authorisation code". Since we didn't find any, we assumed we missed it somehow. Heading back to the Sintelbaan, we did another extensive search, not finding anything. Deciding that we obviously missed something (and the organisation had apparently advised people to "buy" the first hint if they were stuck, even if they thought they had already solved it), we decided to buy the hint. Hurray for wireless network, we got the hint in the field.

The hint read "Have you ever written hidden messages using lemon juice?". So, the initial paper hint we got didn't just contain ink, but also lemon juice. We used an oven and frying pan to reveal the message, unsuccessfully. Since we stated that the message really wasn't there, the organisation allowed us to come over and show it (facing real consequences if we were wrong). One quick glance from Frank, one of the organisers, showed that the hint was actually there, completely revealed even. We just didn't see it (Hint: Never use received clues to make notes!). So, consequences would follow (I'll write about them tonight).

## More puzzles

The lemon juice message was "6". We immediately set off to building 6 on the campus ("Paviljoen"). There we found three hints. First, a URL. Second, the following two lines of some sort of code:

```
A = reverse(new('06-11'))
A.'v3'.A.'n9'
```


Third, we found the following line:

```
01:56A-13:56
```


The second one looked at first glance like some kind of matrix/vector math (the capital A as a variable name, the . as an operator). "new('06-11')" was obviously 112 (06-11 was the old emergency number, 112 is the new one), so A was 211 (or (2, 1, 1) or something). But, since our matrix math wasn't that fresh on our minds, we couldn't solve it at once.

Another idea I had was interpreting this as some kind of programming language. In that case, A was '211' and A.'v3'.A.'n9' would evaluate to '211v3211n9'. At first this didn't make sense standing outside before the clue, but as soon as we wrote it down, it became clear that it was the word "Zilverling", written in some form of leetspeak. So, this is how we should have gotten to the Zilverling clue we found first :-).

The third clue, 01:56A-13:56 was trickier. At first, we thought it to be a time range, perhaps limiting the time between which the screen at Zilverling would produce something useful. This didn't explain the "A" in there, but we ignored that for a moment.

Since we hadn't been at the Zilverling after 01:56, we took a new data sample from the Zilverling, 250 samples this time. Though the behaviour seemed changed (a lot more short intervals), there still wasn't a pattern. We met another team there (letting them inside for warmth, the building is only open to people with proper clearance), who made a reference to "the other screen".

Since we only found one screen, we were doing something wrong. Leaving for home, we puzzled on the 01:56A-13:56 again. It turned out to be brilliantly simple. If you read it out loud, it would be "4 before 2 A - 4 before 2", which would be "42A-42", a room number.

## More data mining

Arriving at Calslaan 42A, we found the second screen in the window of room 42. Nice. So, we obviously needed to get new samples, from both screens in sync (the URL says "Synchro authentication"). So, Marijn and I (the last two puzzlers of our team, the rest went to bed) split. He went to the Zilverling, I stayed at the Calslaan. We took a synchronized sample set of 40 intervals (trying 4 times, since I had to hold my laptop while standing straight to be able to barely read the screen, typing with my other hand).

Puzzling on this sample space we tried interpreting the two screens as bitstreams, trying various operations on them. Nothing showed any sign of repetition, so we decided to buy another hint. It read "One Time Pad", which is a cryptographic scheme that typically XORs the cleartext with a random pad stream to get ciphertext. Our first ideas were about the same cleartext encrypted with two different, but related pads, the two screens showing the resulting ciphertexts. Yet, any simple relation between the two pads would also result in a visible relation between the two ciphers, which was not the case. Also, interpreting one stream as the cipher and the other as the pad (making the cleartext the XOR of the two streams) didn't result in any repeating bit pattern.

To the right is the dataset we took next morning.

## Time for sleep

So, not having any clue anymore, I went to bed around 0800. Still barely 4 hours of sleep left, I had to give a presentation at 1345.

Around 1200, I was called by Marijn. He said the organisation had suggested our sampled data might be incorrect (probably due to lack of sleep and concentration). So, rushing my breakfast and motivating the rest of our team to help, we took another synchronized sample of around 80 intervals, this time two people per location.

Trying the obvious operations on these streams again didn't give any pattern. Since my time was up, I stopped looking and went to college. Some time later, Frank looked at the nice pictures I made of this and instantly saw a pattern (which I stupidly missed) in the XORed output. He and Marijn continued puzzling on making something of this pattern, while I was kept updated through IRC during my college (yet again, long live WLAN).

## The solution

As soon as I got out of college, I went off to them to help. But, before I got there, they had solved it already and handed in the correct solution. W00t! The bitstream had a repeating 48 bit pattern (so our initial sample space of 40 was too short...) that encoded in ASCII "xs4me". This took some puzzling, since we had made two bit errors in one of the streams, so we got "xs6mE" at first. But, we were the first to solve it. Eventually team Gangstarz also solved it, but no one else. Conclusion: These puzzles were a little too hard for the first night.
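The recovery described above (XOR the two synchronized streams, find the repetition length, then vote out sampling errors), as an added example that is not code from the original post. Assumptions: one sample is one bit, bits are MSB-first, one screen shows the pad and the other the pad XOR the message, the sixth byte of the 48-bit pattern is a space, and the two flipped bits are placed so that the first repetition reads "xs6mE"; all names and data are constructed.

```python
import random

def to_bits(text):
    """ASCII text as a flat list of bits, most significant bit first."""
    return [int(b) for ch in text for b in format(ord(ch), "08b")]

def to_ascii(bits):
    """Pack MSB-first bits into bytes (dropping any incomplete tail) and decode."""
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int("".join(map(str, bits[i:i + 8])), 2))
                   for i in range(0, usable, 8))

def xor_streams(a, b):
    """Combine two streams sampled in sync; a shared pad cancels out."""
    return [x ^ y for x, y in zip(a, b)]

def find_period(bits, max_error_rate=0.10):
    """Smallest shift at which the stream matches itself, tolerating a few bad samples."""
    for p in range(1, len(bits) // 2 + 1):
        pairs = len(bits) - p
        mismatches = sum(bits[i] != bits[i + p] for i in range(pairs))
        if mismatches / pairs <= max_error_rate:
            return p
    return None

def majority_block(bits, period):
    """Vote on each bit position across all repetitions to cancel isolated errors."""
    columns = (bits[i::period] for i in range(period))
    return [1 if 2 * sum(col) > len(col) else 0 for col in columns]

def recover(screen_a, screen_b):
    """Return (period, naive first block, error-corrected block) as text."""
    combined = xor_streams(screen_a, screen_b)
    period = find_period(combined)
    if period is None:
        raise ValueError("no repetition found; sample more intervals")
    return period, to_ascii(combined[:period]), to_ascii(majority_block(combined, period))

# Constructed sample: 4 repetitions of the 48-bit message. The trailing space is an
# assumption (the post names only "xs4me"); the pad is pseudo-random filler.
rng = random.Random(2006)
PLAIN = to_bits("xs4me ") * 4
SCREEN_A = [rng.randint(0, 1) for _ in PLAIN]   # pad shown on one screen
SCREEN_B = xor_streams(SCREEN_A, PLAIN)         # pad XOR message on the other
for pos in (22, 34):                            # two mis-sampled bits in one stream
    SCREEN_B[pos] ^= 1

if __name__ == "__main__":
    print(recover(SCREEN_A, SCREEN_B))
```

Reading only the first repetition reproduces the "xs6mE" misreading, while voting across repetitions restores "xs4me"; the period search needs at least two full repetitions of samples.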