The solution to the riddle

Preface

SPOILER ALERT: If you want to solve this riddle on your own, don’t read beyond the preface.

During the last year or so I created an on-line riddle out of boredom. I posted a QR code / string to various friends, work colleagues, and on-line forums where I expected people to be able to solve it.

This is the QR code which decodes to:

#QBdg%HGILH&R9vch)NBTAt5.X3oWb\BxMbn5,GR0wTQ*0xuHBc=

Many people have responded jokingly, posting stuff such as “a cat has walked on your keyboard”, indicating they are not taking the challenge seriously and probably thinking that there is no solution. Ignorance is bliss…

Sadly nobody has been able to solve it so far, which I find a bit strange. No way I’m that awesome that I have created the best way to obfuscate data on the Internet? Probably the right person to solve it has not yet come along, or maybe I wasn’t effective enough at spreading the riddle to enough people capable of solving it.

Anyway, here is the solution.

Step 1

By looking at the string a skilled developer should recognize the striking similarity it has with a base64-encoded string, indicated by the “=” character at the end of the string. However there seem to be a bunch of other characters that do not belong in a base64 string.

A closer look will reveal that, starting with the first character, every 6th character after that doesn’t belong in a base64 string. So there is a pattern. Let’s remove every 6th character and see what we have left:

Base 64 string: QBdgHGILHR9vchNBTAt5X3oWbBxMbn5GR0wTQ0xuHBc=
Characters that don’t belong: #%&).\,*

Now we have a valid base64 string! Let’s decode it and see what we get:

@`borALy_zlLn~FGLCLn

Yeah, it doesn’t make much sense. A skilled developer is now supposed to recognize that the base64 string decodes to binary data. Why would that be the case? Let’s go back to the extra chars that didn’t make sense: why were those chars there? It is quite possible that the binary data is actually encrypted data and the extra chars are the key. What is the simplest cipher for binary data encryption? The XOR cipher. Alright, let’s write a small script to test this hypothesis:

<?php
$string = "QBdgHGILHR9vchNBTAt5X3oWbBxMbn5GR0wTQ0xuHBc=";
$key = "#%&).\,*";

// Base64 decode
$dec = base64_decode($string);

// XOR decode $dec with $key
for ($i = 0; $i < strlen($dec); $i++) {
  // bracket syntax: the curly-brace string offset form was removed in PHP 8
  $dec[$i] = $dec[$i] ^ $key[$i % strlen($key)];
}

// Echo the result
echo $dec;

Wow it worked, we get something that makes sense:

c2F5LW15LW5hbWUuY3J5b2Rldi5jb20=

Now let’s base64 decode this and see what we get:

say-my-name.cryodev.com

Step 1 completed.

Step 2

Step 1 provided us with a hostname. Let’s open it up in a browser and see what we get:

Those Greeks have concealed my writing, keep looking…

Interesting, not much information here. But wait, “say-my-name” must be a reference to something. Name -> Domain Name System -> DNS. Alright, let’s see if there are any TXT DNS records for this subdomain:

$ host -t TXT say-my-name.cryodev.com
say-my-name.cryodev.com descriptive text "/bobby-tables"

Step 2 completed.

Step 3

Step 2 revealed a TXT DNS record. It returns "/bobby-tables". So let’s append that to the hostname previously found and visit http://say-my-name.cryodev.com/bobby-tables:

An XKCD comic appears… named exploits_of_a_mom.jpg. Is there an SQL injection vulnerability on the site? Maybe, but currently we cannot find any GET/POST variables on the site to exploit. Let’s keep looking… A skilled developer should recognize that the image ends with .jpg. XKCD comics are always .png! Oh wait, one more thing. Do you remember this quote from earlier?

Those Greeks have concealed my writing, keep looking…

A skilled developer is now supposed to think of Steganography. A quick Wikipedia search reveals:

The word steganography comes from New Latin steganographia, which combines the Greek words steganós (στεγανός), meaning “covered or concealed”, and -graphia (γραφή), meaning “writing”.

Got it now? There must be a message steganographically hidden within the .jpg image. A quick Google search reveals that the most common steganography tool in Linux is steghide. Let’s see if that can decode anything:

$ steghide --extract -sf exploits_of_a_mom.jpg 
Enter passphrase: # try without a passphrase
wrote extracted data to "message.txt".
$ cat message.txt 
?mom

Step 3 completed.

Step 4

Step 3 revealed what we desperately needed all along, a GET variable! Let’s visit http://say-my-name.cryodev.com/bobby-tables/?mom and see what we get:

Come on, I’m spoon-feeding you now!

Alright alright, let’s assign some value to ?mom e.g. http://say-my-name.cryodev.com/bobby-tables/?mom=1:

Name: Robert

Interesting, a reference to Robert “Bobby Tables” from the comic. Let’s look for an SQL injection at ?mom, e.g. using something like http://say-my-name.cryodev.com/bobby-tables/?mom=1' OR 'x'='x:

Name: Robert
Name: https://www.youtube.com/watch?v=6Ejga4kJUts
Name: https://www.youtube.com/watch?v=jxjeqCd6Zm0
Name: https://upload.wikimedia.org/wikipedia/en/0/00/Machine_Head_album_cover.jpg

Step 4 completed.

Step 5

In step 4 we injected a GET variable and retrieved a bunch of database entries in the form of various links. The first link points to the Cranberries song “Zombie” with the unforgettable chorus “In your head, in your head“. RIP Dolores :'( The second and third links both refer to a band named “Machine Head“.

Did you get it yet? Yes, we have to check the HTTP headers! A quick inspection in your favorite browser’s developer tools reveals the following entries that don’t belong there:

Step 5 completed.

Step 6

Step 5 revealed a telnet server and a telnet key. Let’s make a telnet connection and see what we get:

$ telnet bofh.cryodev.com 666
Trying 83.212.84.234...
Connected to bofh.cryodev.com.
Escape character is '^]'.
OQZaPmlBB1wKIGILaSooGFZRfkk7HnY0CgctVxFIUUcHJmUZBHw8B24rcgsbP2YIKXQnJX0oOlsiaDgWIXMPMXo1eEInIHYBUSoKBHggCXk4fwQJDHNBRjsyKkIBeHoVF1lXEX0wYh0jMGUQAnYZKlBcLk4xdwJLCwcyLGofdE00P2UfaSVPA30kelsoCmEJDHMQQBEDXFM3DGVCBHNfBH0/RAcYW1cEKmQrKlE5UQUxeBYMDGMbIHo1NUQPWmEfVDVCD20NAVsoN1sJMnMURBMiOk0CHAoIHHMgEVEvCRkgMG0WKAEncA==
Connection closed by foreign host.

Very interesting, yet another base64 string. Can we decode it directly?

9Z>iA\
 bi*(VQ~I;v4
-WHQG&e|<n+r?f)t'%}(:["h8!s1z5xB' vQ*
x 	y8	sAF;2*BxzYW}0b#0ev*P\.N1wK2,jtM4?ei%O}$z[(
a	s@\S7eBs_}?D[W*d+*Q9Q1xc z55DZaT5Bm
[(7[	2sD":M
s Q/	 0m('p

It doesn’t seem so, we get binary data again. Oh wait, we have the X-Telnet-Key from earlier! Let’s run the XOR cipher once more with the new key and the new base64 string and see what we get:

<?php
$string = "OQZaPmlBB1wKIGILaSooGFZRfkk7HnY0CgctVxFIUUcHJmUZBHw8B24rcgsbP2YIKXQnJX0oOlsiaDgWIXMPMXo1eEInIHYBUSoKBHggCXk4fwQJDHNBRjsyKkIBeHoVF1lXEX0wYh0jMGUQAnYZKlBcLk4xdwJLCwcyLGofdE00P2UfaSVPA30kelsoCmEJDHMQQBEDXFM3DGVCBHNfBH0/RAcYW1cEKmQrKlE5UQUxeBYMDGMbIHo1NUQPWmEfVDVCD20NAVsoN1sJMnMURBMiOk0CHAoIHHMgEVEvCRkgMG0WKAEncA==";
$key = "h4cK3rM4nh4x0rz";

// Base64 decode
$dec = base64_decode($string);

// XOR decode $dec with $key
for ($i = 0; $i < strlen($dec); $i++) {
  // bracket syntax: the curly-brace string offset form was removed in PHP 8
  $dec[$i] = $dec[$i] ^ $key[$i % strlen($key)];
}

echo base64_decode($dec);

And the result is:

Congratulations! You solved the riddle! There is no prize, I’m too poor for that, I was just bored and made this. Let me know if you would like to brag: <my email here>

Step 6 completed.
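The step 1 and step 6 decodes as one reusable Python decoder (an added example, not the post’s own PHP): it separates the key from the base64 payload by alphabet membership rather than by position, base64-decodes, applies the repeating-key XOR, and base64-decodes again, and make_layer() shows the construction in the other direction. Step 6 is the same solve_layer() call with the telnet string and the X-Telnet-Key value in place of the extracted key.

```python
import base64
import string

# Base64 alphabet plus '=' padding; anything else in the riddle string is a key byte.
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

# The riddle string from the post (the QR code payload).
RIDDLE = r"#QBdg%HGILH&R9vch)NBTAt5.X3oWb\BxMbn5,GR0wTQ*0xuHBc="


def split_payload_and_key(s):
    """Partition by alphabet: base64 characters (in order) form the payload,
    every other character (in order) forms the XOR key. This does not rely on
    the key characters being evenly spaced."""
    payload = "".join(c for c in s if c in B64_ALPHABET)
    key = "".join(c for c in s if c not in B64_ALPHABET)
    return payload, key


def xor_with_key(data, key):
    """Repeating-key XOR over bytes; symmetric, so it encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def solve_layer(b64_text, key):
    """One riddle layer: base64-decode, XOR with the key, base64-decode again.
    validate=True makes a wrong key fail loudly instead of yielding garbage."""
    ciphertext = base64.b64decode(b64_text, validate=True)
    inner = xor_with_key(ciphertext, key.encode("ascii"))
    return base64.b64decode(inner, validate=True)


def make_layer(plaintext, key):
    """The riddle author's direction: base64, XOR with the key, base64 again.
    Returns the base64 text that solve_layer() would accept."""
    inner = base64.b64encode(plaintext.encode("ascii"))
    ciphertext = xor_with_key(inner, key.encode("ascii"))
    return base64.b64encode(ciphertext).decode("ascii")


def solve_step1(riddle=RIDDLE):
    """Step 1 end to end: returns the hostname hidden in the QR string."""
    payload, key = split_payload_and_key(riddle)
    return solve_layer(payload, key).decode("ascii")


if __name__ == "__main__":
    payload, key = split_payload_and_key(RIDDLE)
    print("payload:", payload)
    print("key:    ", key)
    print("step 1: ", solve_step1())
```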

Conclusion

That was the riddle. Do you think it was too involved? I think the first step was the hardest; once you recognize the XOR cipher and the fact that it can be reused in step 6, the riddle is not that complicated.

Anyway, I will leave the infrastructure for this riddle up and running for a few more weeks if anyone wants to verify my solution, but then I will take it down.

Thanks for reading!

PS: Don’t try to hack my server using the intentionally created SQL injection, it will not work ;)

Mollymawk tests

Yes, I am alive. I know I haven’t posted anything in three years. There are many reasons behind this, but I will leave this for another time.

As I mentioned in an earlier post, I got into this aviation thing back in 2015. Since then, I have taken it further and completed a commercial pilot’s license with multiple engine and instrument ratings and some other stuff. What does this all mean? I can now fly the big birds for money if an operator decides to hire me. But to the big question, how do you get an operator to hire you?

It is not a simple task; you have to submit countless applications and be prepared never to hear back from anyone. They say there is a pilot shortage, hmm…? If you are lucky, you might be called to an assessment. What? You don’t know what an assessment is? Don’t worry. I got you covered.

In the aviation industry, assessments are what job interviews are in any other field of work. But since pilots are rich (we are rich, right? somebody, please confirm?), assessments have to be complicated, money- and time-consuming processes. I was partially lucky and got called to an assessment for an operator called SunExpress. Spoiler alert: I didn’t get the job. I have nothing but good things to say about SunExpress. They are very professional in what they are doing and have high standards for their pilots. The reason I failed my assessment is purely my own fault.

It basically works like this: You get a phone call, which is some kind of unofficial first interview. If they are happy with you after the phone call, you get invited to do an online ITEP English proficiency test. If you pass the ITEP test, you get invited to do some psychometric tests at SunExpress’s own premises. If you pass the psychometric tests, you get invited to do a simulator test-flight in a full-motion Boeing 737-800 simulator. The simulator was a lot of fun to fly, but this is as far as I got. If you pass the simulator test, you get invited to a formal interview, and if you pass the interview, you get the job! Phew…

Boeing 737-800 Simulator

So what are the psychometric tests? They are the Mollymawk psychometric tests, also used by other operators like CargoLux and Pegasus Airlines. They are split into two categories: skill tests and aptitude tests. The skill tests test your knowledge in math, science, and English. Those were the easy ones for me. The aptitude tests test your memory, orientation skills, and ability to multitask, divided into three computer “games” named “Working Memory”, “Spatial Orientation” and “Time Sharing”.

To do the Mollymawk tests, you have to purchase two packages: skill and aptitude tests. Each package costs 150€, and if you fail one subject or game in one package, you have to re-purchase the whole package to do the failed test again. The first time I did the Mollymawk tests, I passed the skill tests but failed the aptitude tests. Thus I had to re-purchase the aptitudes package to do the tests a second time. Luckily the second time, I passed. You only get one second chance. In total, I spent 450€, not counting travel expenses, as a part of what essentially is a job interview for a job that I didn’t get.

I felt that more practice would give me a better chance to pass the aptitude tests on the first go. The aptitude tests are essentially a form of primitive computer games. When you purchase the aptitudes package, they give you 10 practice runs in each game you can play at home. They argue that the learning curve is logarithmic and that after 10 practice runs, you have asymptotically reached your optimum ability in playing the games, but I doubt that. As anyone knows, practice makes perfect. So I decided to code my own version of the games and help other pilots truly reach the optimum before doing the final tests.

I have created a Mollymawk test practice website, where I have implemented my own version of the Mollymawk games. A user can register an account and purchase one of the three time-limited packages for playing the games. The games may be played unlimited times!

I have also implemented an interface for the users to track their progress as they are getting better:

Why do I ask for money and not put it out for free if I truly care about the other pilots? Somehow, I have to make back the money I lost during my earlier “job interviews”. After all, pilots are rich. We are rich, right? Surely we have no problem paying 19€ instead of 150€ for doing the tests a second time?

Anyhow, if you are a pilot and in need of my services, I truly hope I helped and wish you the best of luck!

And remember, when in doubt, go around! (preferably above 1000 feet GND in IMC, unlike me).

Dirty Filthy PCBs

I just received 10 PCBs that I ordered from dirtypcbs.com a couple of weeks ago. I have to say that the quality is amazing. For $14, they are not dirty at all! They lack gold-plated pads, unlike PCBs from OSHpark, but if that is not a concern for you, then it’s a go! I don’t claim that OSHpark is obsolete now, but for simple prototyping, when you want to be allowed to make mistakes, dirtypcbs are filthy enough to allow you to do that.


Mooltipass compile and flash guide for MacOSX

Mooltipass

Mooltipass is an open source offline password keeper that started off at Hackaday as an idea from Mathieu Stephan. I am one of the few lucky beta-testers, and as such I would like to explain in this guide how to compile and flash its firmware from source. This guide is written for Mac OS X 10.9.

1. First of all: I DO NOT TAKE RESPONSIBILITY IF YOUR MOOLTIPASS AND/OR DVD PLAYER EXPLODES AND/OR YOUR WIFE DUMPS YOU! FOLLOW THIS GUIDE AT YOUR OWN RISK, IT REPRESENTS THE UNOFFICIAL VIEW OF THE VOICES IN MY HEAD.

2. Second, get the required tools. If you don’t already have MacPorts, download and install it from their website.

3. Once this is done, install git, binutils, gcc, avr-gcc, avr-libc and dfu-programmer from MacPorts. Just a note: I already had Xcode installed on my Mac, so this did it for me. If you install all of these tools and still have problems compiling, try installing the Command Line Tools.

sudo port install git binutils gcc48 avr-gcc avr-libc dfu-programmer

4. Get the latest source code from github:

git clone https://github.com/limpkin/mooltipass.git

5. Define that you are a beta-tester ;) and compile the source code:

cd mooltipass/source_code
sed -i "" "s/XXXXXXX/BETATESTERS_SETUP/" src/defines.h
make

6. Set your mooltipass in DFU mode:

  1. Disconnect your mooltipass (if connected).
  2. Insert your smartcard upside down, with the chip-side up.
  3. Connect your mooltipass.

7. Flash your newly compiled firmware:

sudo dfu-programmer atmega32u4 erase
sudo dfu-programmer atmega32u4 flash mooltipass.hex

8. Disconnect your mooltipass, remove the smartcard, connect your mooltipass and insert the smart card.

9. Profit?

WiFi Thermal Printer with Arduino

I have been working on a wireless thermal printer for an application that I have in mind.

The system is composed of the following parts:

The WiFi shield uses the SPI bus, which leaves the serial port free for the printer. In the video below, you can see a simple example of Internet-to-Printer connectivity. As a standalone system with no connection to a PC, the system is started up, and it pings Google. When a successful ping response has been received, it prints the letter “P” with the printer. More information could have been printed here, but since I use an Arduino Diecimila with very little memory, the program only fits on the microcontroller as it is.

Here is the code used in the example:

DIY Cellphone, Part 2

The last couple of days, I have been trying to put my cellphone together. Using soldering paste with lead requires good ventilation. The fumes are poisonous, and you shouldn’t breathe them. That’s why I had a big fan by my side. Your friends are: soldering paste, flux for the hard ones, a soldering iron, tweezers, and patience.

I discovered that I didn’t receive the correct LiPo charger, and I haven’t been able to power the phone to program and use it. I have contacted the supplier (Electrokit), and I am sure they will find and ship the correct one. Still, I have to wait over the weekend before I can use my phone, which is not fun =(

Here are some pictures from the soldering procedure:

DIY Cellphone, Part 1

I believe in a society like today, we need to have better control over our communications. Today’s smartphones have been accused of being devices of mass surveillance. Therefore I have decided to build my own cellphone. I found this guide on the internetz, which describes an open-source cellphone platform based on a GSM module and an AVR microcontroller. I selected it as a starting point for my cellphone. It will most certainly receive software updates from me (I want snake!), and probably even hardware updates in the future. Yes, I know, GSM is not secure at all, and it is vulnerable to man-in-the-middle attacks, but I still prefer the man-in-the-middle over nsa-over-the-internetz.

Enough jabber, for now, let’s get to the fun part! So far, I have received all the needed components from the Bill of Materials (BOM) for the phone’s LCD version, besides the PAS414HR-VA5R SuperCap, which has been discontinued. Since the proposed replacement part isn’t good enough, I managed to find some leftover PAS414HR-VG1 at Farnell and instead ordered a few of those. It will take some scratching and soldering to fit it on the PCB, but its values are correct. Since I am living in Sweden, I had to find alternative suppliers for my materials (Electrokit for some electronics, In-Time for the antennas, Farnell for the SuperCaps). Some had to be ordered from DigiKey anyway. Try to keep your parts ordered from DigiKey below your country’s import tax threshold. Otherwise, you might end up paying import taxes like me, which is not fun.

Here is a picture of the PCBs from OSH Park, which are of excellent quality. More will come once I receive the SuperCaps and start soldering the cellphone.

Cellphone PCBs from OSH Park.

Master’s Thesis: Improved traffic safety by wireless vehicular communication

I have recently completed, presented, defended and passed my master’s thesis project. It was a great experience which I believe has the potential of preventing traffic accidents and saving human lives. Below you can read the abstract, and if you are interested you may download the whole report here:

Abstract

In tomorrow’s vehicle industry, vehicles will have the ability to communicate and cooperate with each other in order to avoid collisions and provide useful information to each other. However, for this cooperation to be possible, all vehicles will have to be equipped with compatible wireless 802.11p modules that implement the ITS-G5 standard. During the implementation phase of the system, there will be plenty of older vehicles without such equipment.

This thesis addresses this problem by developing the hardware and software for a roadside unit called Drive ITS. It consists of a universal medium-range radar that detects older vehicles, an 802.11p modem that forwards their position and speed vectors to newer vehicles, and an embedded system that utilizes and integrates those two parts.

The hardware for the embedded system is divided into two main parts: a microcontroller board and a single-board microcomputer. The software is written in two programming languages: C++ for the microcontroller and Java for the microcomputer.

Tests have been performed by comparing Drive ITS results to results from other vehicles that already implement the ITS-G5 standard, and it has been confirmed that the system works as intended.

This solution will prevent potential accidents between newer ITS-G5 vehicles and older ordinary vehicles, thus saving human lives.

Harlem Shake with a Stewart platform

I had a project assignment to do for one of my university courses (Numerical Analysis). The project was about modeling a Stewart platform in MATLAB. I took it a step further and animated a Harlem Shake of the final result. Enjoy the video!

Here is the code that I have written to generate the images compiled in the video above: