Satoshi’s Lost Faucet — Walk-through (pt. 1)

Chain of Insight (@chainofinsight), May 7, 2020

This is part 1 of a two-part post. If you’re looking for part 2, you can find it here:

In this post we’re taking an in-depth look at the design and solution strategies for Satoshi’s Lost Faucet. We’re currently working on a successor puzzle game, and perhaps this guide will come in handy for those who compete in it.

On February 14, 2020 we launched our first crypto puzzle game “Satoshi’s Lost Faucet”.

About 200 players participated before the prize was withdrawn. The prize was claimed 5 days after the puzzle launched by a Discord user named Pogo (https://www.blockchain.com/btc/address/1KetPzuvM6GLDfC2GAx7a7FHuxk7qqZzPX).

SLF Winner announced on Discord

Preamble

In a fit of hubris, SLF was concocted to fix issues we’d noticed with the unsatisfactory puzzles we’d been seeing released. Puzzles like the Phemex face maze and the Satoshi’s Treasure ARG seemed to be using ambiguity to increase difficulty, which to us seemed like a cop-out. From a player’s perspective it can feel like the game designer is shifting responsibility for their game’s shortcomings onto a lack of effort or ingenuity in the community. We wanted to create a game that properly respected its players — but could we really do any better?

When a puzzle is first launched, if it’s marketed well, it begins with a flurry of activity. The moment an entire community feels stuck on the same step, a puzzle is at risk of dying out or depleting into a shell of its former community. Remaining players at this point tend to become somewhat fanatical in either their criticism or their praise of the game. They may find themselves disillusioned with the entire play experience.

We can think of it like a Gartner Hype-cycle diagram which never overcomes its “trough of disillusionment” which, for obvious reasons, is not a sustainable product model and one that’s especially devastating for long term games or difficult puzzles that take years to be fully solved (long puzzle example).

The Gartner “Hype cycle” (source)

Our idea was that regularly scheduled hints would ensure the community didn’t get unduly stuck. At the same time, the hints became our backup plan in case we messed something up 😎 We’d also divide the game into stages, placing the difficult riddles at the very start and end of the game. This allowed us to write hints per puzzle stage based on in-game progress, and to give lead players some safety distance to get out in front. One design technique was to invert expectation by delaying gratification: if a riddle has an expected or obvious outcome, we can delay gratification by using that solution for a subsequent riddle rather than the current step. Providing proof of funds on day 1 also seemed important. Possibly overkill for such a small prize, but we weren’t about to set an ugly precedent.

“I am the owner of this Bitcoin address and I created https://satoshislostfaucet.com/ to give you these coins.”

On to the solving!

Stage 1: Museum Lobby

In stage 1, the player finds they’re inside a Bitcoin history museum. They’re given a rambling back story to explain their arrival on the scene: a dubious tale of transaction analysis and IP tracing that has produced the physical address of this building, which is enshrouded by rumours of an ancient Bitcoin faucet where Satoshi Nakamoto has hidden some Bitcoin.

Inside the museum lobby players are presented with a framed picture and inscription:

https://satoshislostfaucet.com/lobby/

A link can be extracted from this picture using JSTEG, a program for JPEG steganography:

But wait, there is other extraneous data in the image: a password-protected zip file has been embedded in it. Analysis of the archive, even while it is password protected, shows that it contains a copy of the Times_03Jan2009.jpg source image with a slightly smaller file size, as well as a text file of the same name.

Hang up, try again

Naturally, one might try using the JSTEG link as the zip password, but that doesn’t work. Digging into the Bitcointalk.org thread, it makes sense to try some concoction of RIPEMD-160(SHA-256(JSTEG_URL)), but that also fails. Since the Bitcointalk.org link is no help for breaking into the zip, now the real fun begins.

There are 3 intended ways to crack into the zip file:

  • Finding the “logical” solution
  • Taking words from the image to perform a dictionary attack on the password protection
  • Using a known plain text attack

The known-plaintext attack is the clever path to solving this riddle. We were surprised that it was the first method discovered: it was found before any public hints were released, on the same day Satoshi’s Lost Faucet was launched.

Method #1: Finding the “logical” solution

[Username Redacted] 02/18/2020:
lol
are you AOI? 😛
thats some AOI logic right there 😛

We caught some flak over this one but didn’t worry much, since we felt secure that the other 2 methods were quite viable. Our expectation was that people would focus on the image file with tunnel vision, forgetting all about the inscription, and this did prove to be the case. When you consider that the inscription is 1 of only 2 objects in the room, solving the puzzle “logically” is difficult but not impossible.

SLF was launched on a Friday and the first round of hints were published the following Monday.

This hint greatly reduces the possibilities for the length and format of the password, making word-list and logical methods quite feasible. The “logical” strategy boils down to this:

  1) Take the date from the inscription: 03/Jan/2009
  2) Write the values as numbers: 03/01/2009
  3) “03” and “01” contain leading zeroes, so this can’t be a math equation (3 divided by 1, divided by 2009). Since it’s not an equation we’ll treat the forward slashes as separators; removing them gives us: “03 01 2009”
  4) A zero can also mean “false” or “nothing”. If we straight up remove these “nothings” we get: “3 1 2 9”, or the digits 3, 1, 2 and 9.
  5) The password to unzip the file is the 3rd, 1st, 2nd and 9th words of the article body text.
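To make the five steps concrete, here is a small Python script, added for this walk-through and not part of the original post or the game’s own code, that turns the inscription date into the digit list and pulls the corresponding words out of a body text. The body text below is a constructed sample, since the article text isn’t reproduced here, and joining the four words with no separator is an assumption about the password format.

```python
import re

# Month abbreviations to their number, so "Jan" becomes 01
MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


def date_to_digits(date_str: str) -> list[int]:
    """Steps 1-4: '03/Jan/2009' -> '03012009' -> drop the zeros -> [3, 1, 2, 9]."""
    day, month, year = date_str.split("/")
    numeric = f"{int(day):02d}{MONTHS[month.lower()[:3]]:02d}{int(year):04d}"
    return [int(c) for c in numeric if c != "0"]


def words_at(text: str, positions: list[int]) -> list[str]:
    """Step 5: pick words by 1-based position in the body text."""
    words = re.findall(r"[A-Za-z']+", text)
    return [words[p - 1] for p in positions]


def password_from_inscription(date_str: str, body_text: str, sep: str = "") -> str:
    """The whole procedure; joining the words without a separator is an assumption."""
    return sep.join(words_at(body_text, date_to_digits(date_str)))


# Constructed stand-in for the article body text (not the real Times article)
SAMPLE_BODY = "the museum keeps every ledger entry safe inside its old stone vault"

if __name__ == "__main__":
    print(date_to_digits("03/Jan/2009"))                          # [3, 1, 2, 9]
    print(password_from_inscription("03/Jan/2009", SAMPLE_BODY))  # keepsthemuseumits
```

Run against the real OCR transcript from Method #2, the same function gives the candidate password directly, which is why the public hint about “4 English words” turned this into a two-minute job once the date trick was spotted.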

Method #2: Dictionary attacking the zip

Using an image OCR tool like https://www.onlineocr.net — or with an unnecessary amount of manual labour — we can transcribe the text of Times_03Jan2009.jpg. This gives us a list of 456 words, or 264 unique words once duplicates are removed. We can limit the list further by removing non-English words such as numbers and names, and even further by taking only the body text of the article. The public hint said the password “is just 4 English words”, so the zip can be cracked if we try every combination of 4 words. This is not a fun task, but here we go.

Example dictionary:

wordlist.txt

The above gives us 113,582,855 x 4 possible combinations to slog through. That’s still a lot of combinations. Perhaps praying at this point, we might try splitting the word list into chunks, or taking only the top-level words up to a certain threshold. See below for a script that solves it in a reasonable time by chunking the word list. At least 1 person solved it by computing the full 400m+ possibilities, though; that must have been rough 😅

slf_dictionary_attack.py

Method #3: Known plain-text attack

It might be argued that known-plaintext attacks are an exotic attack vector, rarely feasible in the wild. Yet this same attack cracked the Enigma cipher machine in World War II and was vital to the Allied victory. When we naively tried to unzip our file without a password, a warning was thrown alerting us to 204707 extra bytes at the head of the file, where the JPEG and zip had been concatenated together:

$ unzip Times_O3Jan2009.zip
Archive: Times_O3Jan2009.zip
warning [Times_O3Jan2009.zip]: 204707 extra bytes at beginning or within zipfile
(attempting to process anyway)

This information lets us split the file back into its original parts. Separating them gives back the image proper that was used to make the challenge. (We’re also using the extract binary from Pkcrack. We’ll rely on Pkcrack for the rest of the example, but it’s not the only tool that can perform a known-plaintext attack on the SLF zip file.)

If we pause and compare the separated JPEG against what we can learn about the archive’s contents with a program like binwalk, we’ll notice that the copy of Times_03Jan2009.jpg included inside the archive has exactly the same number of bytes as the separated JPEG. That count also matches the extra data that unzip warned us about. This is our clue that we’ve reconstructed a file identical to 1 of the 2 files in the archive, and that a known-plaintext attack is possible.

204707 bytes
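As an added illustration (not from the original post), the script below shows what unzip and binwalk are telling us: it locates the end-of-central-directory record, computes how many bytes precede the archive, splits the carrier image from the zip, and lists archive entries whose uncompressed size equals the carved prefix, which is exactly the condition that makes an archive exposed to a known-plaintext attack. The carrier and archive are constructed in memory because the real challenge file isn’t reproduced here; Python’s zipfile only writes unencrypted archives, so the encryption flag reads False for the sample, whereas on the real file it would read True and prepended_length would report 204707.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CD_SIG = b"PK\x01\x02"     # central directory file header


def prepended_length(data: bytes) -> int:
    """Bytes sitting in front of the zip archive proper (unzip's 'extra bytes
    at beginning' figure). The EOCD record stores where the central directory
    should start; comparing that with where it actually starts gives the offset."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    # EOCD: sig(4) disk(2) cd_disk(2) entries_here(2) entries_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    actual_cd = eocd - cd_size
    if data[actual_cd:actual_cd + 4] != CD_SIG:
        raise ValueError("central directory is not where the EOCD record says")
    return actual_cd - cd_offset


def split_carrier(data: bytes) -> tuple[bytes, bytes]:
    """Separate the carrier image (prefix) from the archive appended to it."""
    n = prepended_length(data)
    return data[:n], data[n:]


def archive_entries(zip_bytes: bytes) -> list[tuple[str, int, int, bool]]:
    """(name, compressed size, uncompressed size, encrypted?) per entry. This is
    readable without a password because ZipCrypto never encrypts the central directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, i.compress_size, i.file_size, bool(i.flag_bits & 0x1))
                for i in zf.infolist()]


def known_plaintext_candidates(carrier: bytes, zip_bytes: bytes) -> list[str]:
    """Entries whose uncompressed size equals the carved carrier: if the bytes
    match as well, the full plaintext of that entry is already in hand."""
    return [name for name, _, size, _ in archive_entries(zip_bytes) if size == len(carrier)]


def build_sample() -> bytes:
    """Constructed stand-in: a fake 1006-byte 'JPEG' with a zip glued behind it."""
    carrier = b"\xff\xd8\xff\xe0" + bytes(1000) + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Times_03Jan2009.jpg", carrier)            # copy of the carrier
        zf.writestr("Times_03Jan2009.txt", "constructed note\n")
    return carrier + buf.getvalue()


if __name__ == "__main__":
    blob = build_sample()
    carrier, archive = split_carrier(blob)
    print(prepended_length(blob), "extra bytes at beginning")   # 1006
    for entry in archive_entries(archive):
        print(entry)
    print("plaintext candidates:", known_plaintext_candidates(carrier, archive))
```

The lesson for anyone packaging a puzzle (or any data) this way: the central directory of a ZipCrypto archive is plaintext, so names and exact sizes leak, and including an unmodified copy of the carrier file hands over the plaintext that Pkcrack needs. AES-encrypted zip formats or a separately encrypted container avoid both problems.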

The rest we can pretty much leave to Pkcrack. First we need to prepare a couple of files: by creating a zipped version of our plain image and extracting the compressed image from it, Pkcrack can compare it against the password-protected contents and perform its attack.

On modern hardware Pkcrack will expose the zip’s contents within minutes by finding key-chain entries with probabilistic tests. If you want to know the actual password you can wait several or many hours (or lol?) for Pkcrack to finish all its stages, but it isn’t necessary, as having the keys is enough to unzip the file’s contents without possessing the password.

Chargin mah lazer
Ta-daaaaa!

Putting the above together in an executable script you can just run:

slf_crackzip.sh

Wrapping up

So that’s it for the first level of Satoshi’s Lost Faucet 😎 Ya, feel me? In the next section we’ll walk through solving the rest of the puzzle stages. There are several difficult steps remaining and some easy ones too.

Continue to Part 2
