ILCoin Puzzle solution

RStudios
Nov 18, 2018

Summary

On November 15th the RealILCoinDTeam and Crypto_Puzzles twitter accounts posted a link to a newly launched cryptocurrency puzzle worth 5000 ILCOIN, worth around $350 at the time of writing. In this explanation of the solving process I will only reference files and data relevant to advancing to the next stage.

This led to the following web page: https://cryptopuzzles.org/puzzles/ILCOIN/

Stage one

On this page there is an animated GIF file that contained frames in the animation. While originally I thought this may be required to advance to the next step, it wasn’t; what it did inspire me to do was create a NodeJS script to read the GIF data byte by byte to extract pixel data and any extra trailing data in the file.

Firstly looking at the hexadecimal data in the file revealed the following;

Basically this hints there is extra data placed in the file. With GIF files, unlike other formats, it is a little harder to find and separate the extra data from the legitimate image data, so with a little help from the above-mentioned script I managed to find the final hexadecimal offset that shows the end of the real GIF data.

Everything after this offset (0x192162) is ‘extra’ data, which was extracted with a simple NodeJS script to create a new file, although this could also be completed in a hex editor with a copy and paste. It took quite a while to figure out what format this new file was, but after quite a bit of googling of the header data ‘magic numbers’ it appears to be a CPIO file.

Running the following command inside a bash shell returned quite a few files (replace ‘extractedfiles’ with the filename of the extracted data):

cpio -i < extractedfiles

Extraction results

The files obviously look like ‘parts’ or ‘chunks’ of a PNG file. Unfortunately for me, I wasn’t 100% sure how CPIO works to actually rejoin these files, so once again it was back to NodeJS to join all the parts numbered 0000 to 0012, which results in a C64_PRG.png file.

There was also a kaleidoscope.cpio file in there, but the data appeared to just contain the same as the container it was in except for the filename difference, once again not sure how CPIO works on this, but the PNG file was all that was needed.

So it turns out this is why the other file name was kaleidoscope. This one didn’t contain any relevant hints or data within the hex data, EXIF or with image steganography, so what we are left with is purely what is contained in the image itself. There were only 3 colours in the image itself, one blue #3e05ff and two magenta colours #ff05ee and #ff03f0, one for the kaleidoscope imagery, and one for the vertical line sections.

Upon reading a few bytes of the first lines section as binary, the data appears to be valid ASCII data in hexadecimal format;

First 632 pixels of data yield the following text;

00000000: 0108 0c08 0000 9e32 3036 3400 0000 0000

Time to write another script to visualise and extract all the pixel data as binary. Unfortunately this data was not in the correct order required, but did contain hexadecimal code to identify which ‘line’ it was for;

00000050: dabd 4042 9d00 07bd 2846 9d00 dbe8 d0cd
00000060: 4c5f 0800 0000 0000 0000 0000 0000 0000
00000070: 0000 0000 0000 0000

This was pieced together once again in the correct order with code to create a new file minus the initial line references, basically a hex-dump. I’ll name this file rom.prg and here is the reason why.

Looking at the filename of the file it came from, the PRG part stands out; a quick Google search, based on the fact we know this has a C64 theme already, reveals it is likely a Commodore 64 binary executable.

Loading this in an emulator gives quite a simple output, but nonetheless takes us to the second stage of the puzzle.
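An added example (not the author's code) of the reordering step and of checking the Commodore 64 guess from the first bytes. It uses the four dump lines quoted above, shuffled; the function names are illustrative, and offsets the article does not quote are reported as gaps rather than filled in.

```javascript
// Parse "<8 hex digit offset>: <hex bytes>" lines in any order and place each
// line's bytes at its offset. Offsets never seen are reported, not invented.
function reassemble(lines) {
  if (lines.length === 0) throw new Error('no lines given');
  const rows = lines.map((line) => {
    const m = /^([0-9a-f]{8}):\s*([0-9a-f\s]+)$/i.exec(line.trim());
    const hex = m ? m[2].replace(/\s+/g, '') : '';
    if (!m || hex.length % 2 !== 0) throw new Error('not a hexdump line: ' + line);
    return { offset: parseInt(m[1], 16), data: Buffer.from(hex, 'hex') };
  }).sort((a, b) => a.offset - b.offset);

  const last = rows[rows.length - 1];
  const bytes = Buffer.alloc(last.offset + last.data.length);
  const gaps = [];
  let expected = 0;
  for (const row of rows) {
    if (row.offset < expected) throw new Error('overlapping line at ' + row.offset);
    if (row.offset > expected) gaps.push([expected, row.offset]);
    row.data.copy(bytes, row.offset);
    expected = row.offset + row.data.length;
  }
  return { bytes, gaps };
}

// A C64 .prg starts with a little-endian load address. When a BASIC stub
// follows (next-line pointer, line number, tokens), 0x9e is the SYS token and
// the ASCII digits after it are the machine-code entry point.
function describePrg(bytes) {
  const loadAddress = bytes.readUInt16LE(0);
  let digits = '';
  if (bytes[6] === 0x9e) {
    for (let i = 7; bytes[i] >= 0x30 && bytes[i] <= 0x39; i++) {
      digits += String.fromCharCode(bytes[i]);
    }
  }
  return { loadAddress, sysTarget: digits ? parseInt(digits, 10) : null };
}

// The four dump lines quoted in the article, shuffled.
const quoted = [
  '00000060: 4c5f 0800 0000 0000 0000 0000 0000 0000',
  '00000000: 0108 0c08 0000 9e32 3036 3400 0000 0000',
  '00000070: 0000 0000 0000 0000',
  '00000050: dabd 4042 9d00 07bd 2846 9d00 dbe8 d0cd',
];
```

On the quoted lines, `describePrg(reassemble(quoted).bytes)` reports load address 0x0801 with a `SYS 2064` stub, and bytes 0x10 to 0x4f show up as the only gap.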

LOAD "rom.prg",8
RUN

Onto the second stage https://cryptopuzzles.org/puzzles/ILCOIN/T0p_S3cr3t_SysT3M_C0nn3cT10n/

Stage two

The first image in the middle of the screen that says ‘Connect’ contains more data in the trailer of the hexadecimal data of the file: ‘Y / 4 = Decimal’. More on that hint later.

Clicking this image plays a retro 56k dial-up handshake sound followed by an XMLHttpRequest to the server (CONNECT.php) which results in an error and a second image.

This image also contains extra trailing data, although a lot harder to see as it’s not as apparent, and being a GIF again I used the previously mentioned script I originally wrote; this tells me that there are 77 bytes of trailing data at offset 0x114221. Following the same process as mentioned above, this was extracted again to a new file.

The first two bytes of this file are ‘78 9c’; this appears to be compressed Zlib data. Extracting this small portion of compressed data results in another hint:

HTTP Request Error: Did Not CONNECT
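The trailing-data step used on both GIFs (stage one, and the 77 bytes found here) comes down to walking the GIF block structure to its trailer instead of searching for a byte value. The following is an added example, not the author's script; the sample bytes, the `sniff` helper and the function names are constructed for illustration, and the cpio check only covers the ASCII header variants.

```javascript
// A colour table exists when bit 7 of the packed byte is set; it holds
// 2^(n+1) RGB triples, n being the low three bits.
function colorTableBytes(packed) {
  return (packed & 0x80) ? 3 * (1 << ((packed & 0x07) + 1)) : 0;
}

// Data sub-blocks are <length><data> runs ended by a zero length byte.
function skipSubBlocks(buf, pos) {
  for (;;) {
    if (pos >= buf.length) throw new Error('truncated sub-block chain');
    const len = buf[pos++];
    if (len === 0) return pos;
    pos += len;
  }
}

// Offset of the first byte after the GIF trailer (0x3b).
function gifEndOffset(buf) {
  const sig = buf.toString('latin1', 0, 6);
  if (sig !== 'GIF87a' && sig !== 'GIF89a') throw new Error('not a GIF');
  let pos = 13 + colorTableBytes(buf[10]); // header, screen descriptor, global palette
  while (pos < buf.length) {
    const id = buf[pos++];
    if (id === 0x3b) return pos;            // the real trailer
    if (id === 0x21) {                      // extension: label byte, then sub-blocks
      pos = skipSubBlocks(buf, pos + 1);
    } else if (id === 0x2c) {               // image: 9-byte descriptor, optional palette
      pos += 9 + colorTableBytes(buf[pos + 8]);
      pos = skipSubBlocks(buf, pos + 1);    // +1 skips the LZW minimum code size
    } else {
      throw new Error('unexpected block type at offset ' + (pos - 1));
    }
  }
  throw new Error('no trailer found');
}

// Guess the type of appended data from its first bytes.
function sniff(data) {
  const head = data.toString('latin1', 0, 6);
  if (data.length >= 2 && data[0] === 0x78 && ((data[0] << 8) | data[1]) % 31 === 0) return 'zlib';
  if (head.startsWith('\x89PNG')) return 'png';
  if (/^07070[127]/.test(head)) return 'cpio (ASCII header)';
  return 'unknown';
}

// Constructed sample: 1x1 GIF whose palette contains 0x3b bytes, then a
// constructed zlib stream. A plain search for 0x3b would stop at offset 13.
const sample = Buffer.from('474946383961' + '01000100800000' + '3b3b3bffffff' +
  '21f9040000000000' + '2c000000000100010000' + '02' + '024c0100' + '3b' +
  '7801010200fdff6869013b00d2', 'hex');
```

`sample.subarray(gifEndOffset(sample))` is the appended data; `sniff` on it returns `'zlib'`.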

Looks like this hint is telling us we need to do a CONNECT request to the server instead of the GET request it is currently doing

Connecting to the server in this way returns a link/file

/assets/fl0ppy/disk

This file is a FAT12 image of a floppy disk, luckily I already have a program that opens these files

This results in the following image CALC.PNG

Checking the hexadecimal data nothing really looks out of the ordinary, the final ‘IEND’ bytes ’49 45 4e 44 ae 42 60 82' are expected as normal in a PNG file. But searching more reveals there is another PNG file appended to the end, sneaky, could have been easy to miss this one.

The following file is extracted.

This was actually my favourite part of the whole puzzle, mainly because I’ve never seen this done before and was quite creative.

No standard techniques seem to really work on this; visually I just see 36 columns, each with between 1 and 3 parts. After agonising over this for quite a while, I had what at the time seemed like a dumb but plausible idea. Based on the previous image containing math functions and calculations, and keeping within the theme, could it be… an abacus?

Checking a few types of them online I did find one that seemed to look similar to the layout of this image, so I tried an online tool and it gave me readable output, success it seems to be an abacus, a Chinese suanpan abacus to be exact.

Due to this not being 36 columns wide in the online tool, and making mistakes while moving the beads to the correct places, I also coded this part to be quicker and more accurate.

Basic principle is the top 2 beads count as 5 each when moved down, and the lower 5 count as 1 each when moved upwards.

The resulting hexadecimal was ‘504f53542045543d5068304e335f48306d45’ which represented in ASCII is ‘POST ET=Ph0N3_H0mE’.

Looks like we need to make another HTTP request like earlier, this time with the POST method along with the indicated data. This results in another link which leads us to the next part of the puzzle.
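The counting rule above gives each column a value from 0 to 15, so one column holds exactly one hexadecimal digit and the 36 columns hold 18 bytes. Added example, not the author's code: the two-digit `upper lower` notation and the bead positions are constructed here to reproduce the result quoted above.

```javascript
// Each column is written as two digits: how many of the 2 upper beads are
// moved down (5 each) and how many of the 5 lower beads are moved up (1 each).
function columnValue(column) {
  if (!/^[0-2][0-5]$/.test(column)) throw new Error('bad column: ' + column);
  return 5 * Number(column[0]) + Number(column[1]);   // 0..15, one hex digit
}

function decodeSuanpan(board) {
  const columns = board.trim().split(/\s+/);
  if (columns.length % 2 !== 0) throw new Error('two columns are needed per byte');
  const hex = columns.map((c) => columnValue(c).toString(16)).join('');
  return { hex, text: Buffer.from(hex, 'hex').toString('latin1') };
}

// Constructed bead positions for all 36 columns (the image itself is not
// reproduced here); several digits have more than one valid bead layout,
// for example 5 is either one upper bead or five lower beads.
const board =
  '10 00 04 25 10 03 10 04 02 00 04 10 10 04 03 23 10 00 ' +
  '11 13 03 00 04 24 03 03 10 25 04 13 03 00 11 23 04 10';
```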

assets/ed13ec78de4f7fd78083de0cb8cfeee90b154aaa869cef5bf5c8ba9730974714/NWY2NmU4YWU1ZmNmZWNlZGVjMGU3ODRkYTJlOWJjY2IxMjg4ZjZkYmVhOGNmZTY5MTkxZmVhNTI1.png

Stage Three

Just the one image here

Nothing of interest in either the hex data or the EXIF, only thing to focus on are the green dots on the image that stand out (#00ff00). Reading the x/y coordinates of these pixel locations and using a previous hint discovered earlier ( ‘Y / 4 = Decimal’ ) I took the Y coordinate value and divided by 4, all of these values were inside the valid ASCII decimal range for readable text ( 32 < Y < 127 ).

But the text appeared to be alphabetically sorted, we need a way to find the order. Taking the X coordinate value and sorting the values numerically results in a URL link for the wallet.

https://ilcoinwebwallet.com/#k2BBl6TGko8WZVhAjJd8vKlgMZqvDb!4af95f96fb
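The same decoding as an added example (not the author's code), assuming the image has already been decoded to raw RGBA bytes. The sample image, the hidden string and the function names are constructed; the real link is not reproduced.

```javascript
// Collect every pixel of the marker colour, order the hits by X and turn each
// Y coordinate into a character using the 'Y / 4 = Decimal' hint.
function decodeMarkers(rgba, width, height, marker = [0x00, 0xff, 0x00]) {
  const hits = [];
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const i = (y * width + x) * 4;
      if (rgba[i] === marker[0] && rgba[i + 1] === marker[1] && rgba[i + 2] === marker[2]) {
        hits.push({ x, y });
      }
    }
  }
  // A row-by-row scan finds the pixels in Y order, which is why the text first
  // looks alphabetically sorted. X carries the position in the message.
  hits.sort((a, b) => a.x - b.x);
  return hits.map(({ x, y }) => {
    const code = y / 4;
    if (!Number.isInteger(code) || code <= 32 || code >= 127) {
      throw new Error(`pixel (${x},${y}) does not map to printable ASCII`);
    }
    return String.fromCharCode(code);
  }).join('');
}

// Constructed test image: white background with one green pixel per character.
function buildSample(text, width = 64, height = 512) {
  const rgba = Buffer.alloc(width * height * 4, 0xff);
  [...text].forEach((ch, n) => {
    const x = 3 + n * 5;
    const y = ch.charCodeAt(0) * 4;
    rgba.set([0x00, 0xff, 0x00, 0xff], (y * width + x) * 4);
  });
  return { rgba, width, height };
}
```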

Ready to finally solve and collect the prize money.

It needs a password; unfortunately I didn’t have one. What did I miss? This was slightly infuriating, but after checking every file I had once again it occurred to me I hadn’t even really checked the dial-up sound file from the previous stage (Connect.wav). Viewing the hexadecimal of the file, there appears to be a Wireshark dumpcap file.

This contained numerous references to a password recovery page on the puzzle server; none of these actually worked, but served as a reference that we were looking in the right place. Following the capture of these logs, it does reveal the password;

Powered-By: PHP/7.2.9
Content-type: text/html; charset=UTF-8
5aaf63b597217754736f3f5e01ba9f2c0aca873e784a3ebdb4723efcdb7a88d4

Finally I was able to login to the wallet and transfer the funds.

Puzzle maker: https://cryptopuzzles.org
Discord: https://discord.gg/Qw4MswZ

Thanks to ‘pogo’ for the joint solve and assistance
