Solving the Viacoin ‘1337 VIA’ puzzle.
On October 31st 2017 the Viacoin team launched a puzzle, created by YT. She is well known for creating very challenging cryptographic puzzles like Decred’s puzzle and probably her masterpiece, the ‘TORCHED H34R7S’ painting. The Viacoin puzzle shows the image of a girl, who starred in the anime “Serial Experiments Lain”, in a room with 17 monitors. A buzzing noise can be heard in the background. On February 21st 2018 the puzzle was finally solved by a user called ‘Trinitas’, earning him 1337 VIA.
Trinitas was involved in solving the ‘TORCHED H34R7S’ puzzle. https://motherboard.vice.com/en_us/article/kzpqzz/heres-the-solution-to-the-3-year-old-dollar50000-bitcoin-puzzle
Trinitas told us that it took him a month to solve the Viacoin puzzle by spending 6 hours a day on it. Trinitas, and every else trying to solve the puzzle, used a shared Google Docs file to write down each step and share their progress. Trinitas has asked us to publish the solution in this blog post.
Solving the puzzle
17 monitors can be seen in the image, shown at the top of this article. It’s a 238-bit message. Each monitor can be converted to two 7-bits ASCII binary characters. If you read the characters like a book (from left to right) you get:
ViLn6NQxBsr3SdNxEJoXp3omT5bDokAWBZThe address, ViLn6NQxBsr3SdNxEJoXp3omT5bDokAWBZ, will show a transaction with an encoded URL: https://imgur.com/a/OyP0p. The image is a red-gray 320x200 PNG file.
There is also a transaction to the ‘ViLn6NQ’ address fromVfade4eVpz5keMdsq2YNAexXFg9wCNmyHA
The ‘Vfade4e’ address leads to an atomic swap between the Viacoin chain and the Decred chain. The Decred address is: DsfiZZL3DMp7ecBkKwPqK6oPmq5dkxHy1Xd
There was also another clue left. The raw transaction of the atomic swap shows a hex string, 53546b424758414454366, which decodes to ‘STkBGXADT6k’,a Youtube ID. The Youtube video shows a video of Wolfenstein 3D.
The Viacoin address, the Decred and the Wolfenstein 3D video all point towards something called the Fizzlefade function. Applying the Fizzlefade function to the red-gray PNG file, found in the transaction, gives a string of bits starting with an Ethereum address.
0xddFBD99c8Ca1F5Cd4b981b7219A27078FBbC1c50This address is an ERC20 Token Contract creation address which has symbol MZI and decimals 1.
This hints towards an URL: https://mzi.one. Visiting the URL shows you a JPG image of an unlocked padlock. The JPG file is actually a zip file (right click, ‘save image as’ and change the file extension to .zip). The zip file contains 3 files:
- A folder named ‘_MACOSX’.
- A GIF file named ‘finvia2.gif’.
- A zip file named ‘Archive.zip’.
The _MACOSX folder is empty. The finvia2.gif image contains a blinking Viacoin logo, which in binary translates to “bluehorseshoelovesvia”. The gif file was proven later to be a distraction. Extracting the Archive.zip file gives you 3 new files:
- A file named ‘8x26.zip’, which is password protected.
- A file named ‘encrypted’.
- A folder named ‘_MACOSX’.
The password to the 8x26.zip file is ‘blockchainclearinghouseprotocol’. The password was found on https://mzi.one/blog. The words ‘blockchain’ and ‘clearinghouse’ both appeared 8 times and the word ‘protocol’ appeared 6 times (8x2+6).
The 8x26.zip file contains a python script called ‘cipher.py’. Using it on the ‘encrypted’ file, with the key ‘btcdrak’ give you:
“A house has many rooms and a home has many doors. Several are unlocked, though a quick scan didn’t seem to find any. When I dug deeper, I found a safe which had an guide inside. I broke it and it led me to onemzi, where I met Romano, the viadev. He led me to room”
322e0f3c26c8be48d0b6.btcdrak7162c8901050be3b2e51b8af51a448f5Next step is to go to http://mzi.one/onemzi/romano/viadev/322e0f3c26c8be48d0b6/. When doing a simple SQL injecting ”1=1” it will give you the following message: ”Check this out! http://mzi.one/36aa6ff4de973a0eb004/”
http://mzi.one/36aa6ff4de973a0eb004/ was a file upload page. You could get into the server and retrieve an .mp3 file. Access to the url was later disabled and Prasanth Venigalla posted the text file on Twitter instead.
The final part of the puzzle
The header of the text file it says “Garageband”, which is a music program. When change the file extension to .mp3 you get piano sounds in a random sequence with strange cuts and a repeating background pattern. You can listen to the file HERE.
Extracting the notes with Neuratron AudioScore you get this:
EFGFDDACEEEADDEAFDCG AE
FFEBGDEAEACB DDEFGGADDEAFACBADDBFFE
EDBAEABBBABCFAEACA
EFFC
EDEBFFEGADABFCEAEAEBEBEAEACBEDGGEAEFEDBFCABEEAGBBDAFFBGBC
AEAEFG
DDDBEBC
CDDFFCEFDCBADAGBDGBDFECGBCOn this website you can decipher the pattern and use reverse engineering to form the same pattern again with same cuts. We know that they are not really notes so you have to rearrange them first.
CDEFGAB > ABCDEFG optional with a shift cipher and manually change the last letters and then shift them back. The cuts are very important. You have to set them atH and you will get a new string:CDEDBBFACCC...Now you have to use A1Z26 cipher again (ABCDEFGH -> 01234567)and you will get:
2343115022251125310475273326412525067112344511253506511633272165256665
6035250572330721263324515630252526262525062144252321630562254661533646
05252347111626070113302310651546146132046This is a base8 string, which you will have to converte to hex in RapidTables to get a perfect ASCII string. It is a base64 string and using RapidTables again gives you the private key in ASCII format:
7hHEGNZhTNrkEKc6knZjnC9mVbgiEXPQDHmkVY3iCk5zJknzsXK
You can also use Java to decipher the final steps:
The Java code for completing the final steps can be found here: https://gist.github.com/Trinitas/1562376c42628bd31c3a3f7bafb68f78
Trinitas would like to thank Isaac for his great skills of programming and the team behind the puzzle for coming up with this amazing challenge!
Trinitas: Solver.
Isaac: Helper, Java programmer.
@coin_artist: Director/Organizer.
@dhtenshi: Serial Experiments Lain Artwork.
@robmyers: Starting candles puzzle, Fizzlefade encoding, Atomic swap.
@psvcc: CTF (capture the flag), Ethereum address, contract points to target, CTF trail, concludes with the mp3 puzzle.
@g0blinresearch: Testing CTF for vulnerability, security.
@hotkatchina: Viacoin gif, blue horseshoe loves VIA.
