FANDOM


After ASCII85 decoding of HALOS.txt on Stormseeker's Website, this message can be observed:


[[Proxyhost@-84-9-123-345.dslgb.com//closed.proxy.accepted//?OTR,3,4,?OTR:[INCOMING TRANSMISSION CLASSIFIED SOURCE]SUBJECT ANALYSIS - TENACIOUS. SITE OFFLINE...... 
...{Primary Servers Overloaded}... USER ACTIVATION REQUIRED... PASSCODE INPUT FOR SITE ACTIVATION REQUIRED...
SET FOR FINAL TEST PATTERN....
ANALYSIS COMPLETE>>> [CLASSIFIED INFORMATION LEVEL 8][OTR//4.0]
b32b003a35badd66577c24c14fc919064346d131a7c54bb82ffe03e022615777247923dc21f62cd4182e91c3b267b545abcaedaf0261510d4eea1e87cd33c7c77131309cc4280eb4243d1154f044f9cf6296d9bff7397e4390987fe63203da0de40278b3a54f5ddc6975fa04f749849e1a62595a9f630b0795913de0153e3aac388c45fb9d850cfe913541d6c08398f2c88332a82fdf00281d62fcdc4fe7e46ae90c51c5c806b41164e33ab92c96862e068b0c16c09990b8381a00da7915b67fe4a20f599b0f1b6d481913c7b9538cee639144f41561ba92e4fe751d1e242cd88f51d695519887136a7c15aabd7b40044922014130a91f170f66ccb3c139463a7e909a37aa863fb27805fc9731c09c8c79067e79930a406546b24c9a629b26c2ce2a4be48f589a375feb731fc4ab225c11848cf89e291fb27133970c063618474a892801edd68f54698c5e5b506746f6765a6f7f1225dea4da1140feb60f650745241c693695883dcb21e6fbfefbb85a2991948036a52b5d
[/][End Transmission]|¬[ABORTIVE.] ~~ [Transmission Ends]]

The inner code seen in this message is 752 hexadecimal numbers (376 bytes or 3008 bits):

B32B003A 35BADD66 577C24C1 4FC91906 4346D131 A7C54BB8 2FFE03E0 22615777
247923DC 21F62CD4 182E91C3 B267B545 ABCAEDAF 0261510D 4EEA1E87 CD33C7C7
7131309C C4280EB4 243D1154 F044F9CF 6296D9BF F7397E43 90987FE6 3203DA0D
E40278B3 A54F5DDC 6975FA04 F749849E 1A62595A 9F630B07 95913DE0 153E3AAC
388C45FB 9D850CFE 913541D6 C08398F2 C88332A8 2FDF0028 1D62FCDC 4FE7E46A
E90C51C5 C806B411 64E33AB9 2C96862E 068B0C16 C09990B8 381A00DA 7915B67F
E4A20F59 9B0F1B6D 481913C7 B9538CEE 639144F4 1561BA92 E4FE751D 1E242CD8
8F51D695 51988713 6A7C15AA BD7B4004 49220141 30A91F17 0F66CCB3 C139463A
7E909A37 AA863FB2 7805FC97 31C09C8C 79067E79 930A4065 46B24C9A 629B26C2
CE2A4BE4 8F589A37 5FEB731F C4AB225C 11848CF8 9E291FB2 7133970C 06361847
4A892801 EDD68F54 698C5E5B 506746F6 765A6F7F 1225DEA4 DA1140FE B60F6507
45241C69 3695883D CB21E6FB FEFBB85A 29919480 36A52B5D

These bytes contain no visible patterns, entropy analysis results in a normalized value of 0.9285159, or 7.428127 bits/byte, which is considered to be similar to that of a random data. Older ciphers do not result in this type of randomness in the encoded message, which means that a more sophisticated/modern cipher was probably used to encode this data.

SOLUTIONEdit

Cipher detailsEdit

Cipher: Rijndael-256-256 (blocksize-keysize) in CFB-8 mode (CFB with an 8-bit feedback shift register.)

Key: "173467321476Charlie32789777643Ta" (as plain text without the quotes)

Key as hex:

 31 37 33 34 36 37 33 32 31 34 37 36 43 68 61 72 6C 69 65 33 32 37 38 39 37 37 37 36 34 33 54 61

IV as hex:

 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Originally deciphered using the tool at rijndael.online-domain-tools.com (note: leave the IV field empty in order to use a zeroed out IV.)

Deciphered messageEdit

HALOS REPORT - SUBJECTS SHOW REMARKABLE TENACITY AND ABILITIES TO USE AVAILABLE TOOLS AT HAND. DETECTED CAMBRIDGE COMP SCI LABS. TEST SUBJECTS SUITABLE FOR TESTING AT MAIN FACILITY. 
PROJECT FILES SECURED. REMAIN SECURE UNTIL PASSCODE GIVEN 
OMEGA LEVEL - [1-7-3-4-6-7-3-2-1-4-7-6-Charlie-3-2-7-8-9-7-7-7-6-4-3-Tango-7-3-2-Victor-7-3-1-1-7-8-8-8-7-3-2-4-7-6-7-8-9-7-6-4-3-7-6]

Details on the solving of the cipherEdit

On Aug 13-14, 2019, after user Flavrans discovered that the stargate-looking gate in Dr. Horn's Xen lair was an Asura gate from the MMORPG Guildwars 2, and shortly after, identified the alphabet for the symbols found in the 21 into 1 drawing, things started rolling in the Discord chat as a result of the excitement of progress being made. After a short while, user Gunsrequiem made another attempt at decrypting the cipher (using this tool), using the deciphered symbols (MYONS) as IV along with a longer version of the Star Trek key, and, lo and behold, heroically found the solution. Part of the beginning of the message was however missing as it turned out that the IV was partially incorrect. User Flavrans then tried with an IV where all the bytes had a byte value of 0, which revealed the complete message.

The key was based on Data's passcode from the Star Trek TNG episode s04e03 "Brothers" with the letters fully spelled out according to the NATO phonetic alphabet: "173467321476Charlie32789777643Tango732Victor73117888732476789764376".

Past TheoriesEdit

Rijndael cipher hint

Rijndael cipher hint

752

Hex Editor view of the code Download

  • A new hint, which can be seen in the image to the right, was found on the "conspiracy whiteboard" located in Dr. Horn's Xen lair. The text reads:
    "Use a Rijndael 256 bit block c on CFB mode. Use that Star Trek ep pass — Message unimportant. It's just to occupy them whilst I escape — he he he ......"
    This means that the cipher can be one of the following:
    • Rijndael with a block size of 128 bits, in CFB mode (unknown IV), and a key size of 256 bits (equivalent to AES-256)
    • Rijndael with a block size of 256 bits, in CFB mode (unknown IV), and a key size of 128, 192, or 256 bits.
    The "Star Trek EP pass" may be referring to the security code in Star Trek TNG episode s04e03 "Brothers" (transcript). Three variants of this code exist, the one heard verbally, the readout from the console screen, and the one from the original script:
    • 173467321476C32789777643T732V73117888732476789764376
    • 17346721476C3278977763T732V731171888732476789764376
    • 413368T181171C4V38880F615335957
    There are no indications as to what the required IV might be. Some of the possibilities may be:
    • The first block of the ciphertext
    • A part of the passcode
    • Some other known string like "1001085139140914" or "BENALOH PAILLIER"
  • Further analysis of the messages sent to Gunsrequiem by 0418 (Storm) indicate that the first capitalized letters of each sentence (as well as the capital "H" in "Hex") spell out:
    • HI, I ARC IIII IT, TWOFISH IT
    • HI, I TWOFISH IT, ARC IIII IT
    • HI, I TWOFISH, WAIT, RC IIII IT
    • HI, I RC IIII, WAIT, TWOFISH IT
    • HI, I ARC IIII IT, TWOFISH, TWIT (lol)
    • Essentially, however you want to read it, it indicates that we need to use ARC4 and TwoFish in succession to decrypt the HALOS.txt file. Now it's just a matter of figuring out the keys!
  • Symmetric Block Cipher
    • ARC4 and TwoFish
    • DES, 3DES, Blowfish, Others
    • Possible password of "benalohpaillier" or "BENALOHPAILLIER"
  • Speculation: "OTR//4.0" (see Stormseeker's Website) is a reference to the Off-the-Record Messaging protocol in version 4.0. This is unlikely though, since nearly all the previous clues used a similar header, and the current OTR protocol is only 3.0.
  • Try all 32,768 uppercase/lowercase permutations of "BENALOHPAILLIER"
  • ROT-1 to ROT-15 performed on the hex digits
  • Hex code in reverse from the clue "This unlocks at the start of the end"

Debunked TheoriesEdit

  • Raw 1-bit (monochrome) or 8-bit (grayscale) pixel array
  • uuEncoded
  • Simple XOR [0-255] on each byte
  • 32-bit and 8-bit bit rotations
  • SSH Key. File length is too short, even with DSA/768.
  • encrypted with openssl

Pseudorandom number sequence test Edit

$ echo -n "b32b003a35badd66577c24c14fc919064346d131a7c54bb82ffe03e022615777247923dc21f62cd4182e91c3b267b545abcaedaf0261510d4eea1e87cd33c7c77131309cc4280eb4243d1154f044f9cf6296d9bff7397e4390987fe63203da0de40278b3a54f5ddc6975fa04f749849e1a62595a9f630b0795913de0153e3aac388c45fb9d850cfe913541d6c08398f2c88332a82fdf00281d62fcdc4fe7e46ae90c51c5c806b41164e33ab92c96862e068b0c16c09990b8381a00da7915b67fe4a20f599b0f1b6d481913c7b9538cee639144f41561ba92e4fe751d1e242cd88f51d695519887136a7c15aabd7b40044922014130a91f170f66ccb3c139463a7e909a37aa863fb27805fc9731c09c8c79067e79930a406546b24c9a629b26c2ce2a4be48f589a375feb731fc4ab225c11848cf89e291fb27133970c063618474a892801edd68f54698c5e5b506746f6765a6f7f1225dea4da1140feb60f650745241c693695883dcb21e6fbfefbb85a2991948036a52b5d" | perl -pe 's/([0-9a-f]{2})/chr hex $1/gie' | ent
Entropy = 7.428127 bits per byte.

Optimum compression would reduce the size
of this 376 byte file by 7 percent.

Chi square distribution for 376 samples is 254.47, and randomly
would exceed this value 50.00 percent of the times.

Arithmetic mean value of data bytes is 115.1941 (127.5 = random).
Monte Carlo value for Pi is 3.096774194 (error 1.43 percent).
Serial correlation coefficient is -0.039323 (totally uncorrelated = 0.0).

Other InformationEdit

  • User:Dr_Horn created the page Tempus omnia revelant (Time reveals all) after the trail on this problem went cold. Stormseeker then updated the forum thread's original post, adding the text 'tempus omnia revelant'. This seems to confirm that the Wikia account for Dr Horn is indeed Stormseeker.
    • The title of the page, Time reveals all, has later been referenced by Stormseeker on at least two separate occasions, where he said that time will indeed reveal all (see quotes).
  • Stormseeker later says on his Steam Profile:
    • "If it's about the ARG, I've not set up or had any sites setup for hacking, so no. There is an answer, but you can't brute force it, the CIA couldn't brute force it. Someone is already close."
  • Stormseeker teased encryption may not be the right idea. "How do you know solving this has anything to do with encryption?"
  • Stormseeker referred to this code puzzle as "HALOS FILE" instead of "752 Hex Code", as the players had come to call it, when he administratively updated the original forum post on December 11, 2012 (after a forum user complained that it was not up to date), suggesting a possible link to the HALOS files mentioned in the decoded message in IRC clue 5.
  • On December 10, 2012, Stormseeker edited/updated the first post of the forum thread (most likely in response to complaints that it was not up to date). Among the things he added was a bulleted list with the title "Handy Info":
    • Halos
    • BenallohPaillier
    • CongratulationsyouwonthePIZZA
    • BMRF.us (site down, due to unforseen circumstances)

    Given the fact that edit was done a month after the hex code puzzle was discovered, and two days before the arrival of the Tempus omnia revelant clue, it is possible that one or more of the items listed may be related to this puzzle.

  • In a private chat with forum user faed in January, 2015, referring to this puzzle, Stormseeker said something to the effect of: "It is an encrypted message that is decryptable."
  • The "BENALOHPAILLIER" password was first found in IRC clue 5. It was referenced again when Stormseeker included it in the "Handy Info" list he added to the original forum post, although with a slight misspelling. A third reference to this password was later found in the metadata of qecode.ogg (see Code C) in the Steam release of Black Mesa, which contained the following text:
    "Oh looky, Dr Horn has gone all open source. HALOS musn't see this, but the password to its area, is those two cryptographer peoples. I think you should get that ok. I'll be in Xen if you need me."
  • The 21 into 1 clue is believed to be relevant to this puzzle.
  • The phrase seek Code out he is watching, which was formed by italicized letters found on the Tempus omnia revelant page, could be a reference to a user named Code_, which was later confirmed to be a non player character created by the puppet master. A message sent from Code_ to forum user Gunsrequiem, where he details his theories regarding this puzzle, could therefore contain clues to this puzzle.
  • Cryptographic Functions - Table displaying common cryptographic functions and their associated key lengths and initialization vector lengths.

External LinksEdit

Community content is available under CC-BY-SA unless otherwise noted.