Such Confuse: HackMIT 2015 Puzzle Guide (2/4)

Fernando Trujano

(part 2 of [1,2,3,4])

Puzzles three and four focused on encoding information in different, non-traditional ways. We hoped that hackers would get creative and try out many different things before finally arriving at the answer.


Puzzle 3

This puzzle links to a custom-looking url like this: http://0xd09eb17e.dogemit.party/p/Fertogo. It is clear that the last bit of the URL is the user’s GitHub username. The rendered site presents the user with a very large number, a picture of doge, and a short story about how he'd like to decorate his room.

Puzzle 3 homepage

Many hackers went straight to the page’s source code, hoping we left some useful information hidden within. There wasn’t much there so they turned to the image of doge. Some hackers tried looking closer and analyzing the images with different tools in search for some hidden encoded data but didn't get very far as the picture was just there for decoration.

Some users saw the huge number and immediately thought about factoring it, a futile attempt.

People then started to play around with the URL noting that the number would change with a different input. People spent a lot of time on the Slack group talking about this apparent hashing of the username and tried to reverse engineer it by trying lots of different names and looking for a common pattern. They started to notice that all of the numbers generated seemed to start with 56. Interesting, and closer to the right track.

Really, we wanted users to focus on the big number and the word “square”. If hackers’ numbers are converted to binary, a common pattern emerges: all binary representations are either length 441 or 625 — square numbers. Arranging the binary string into a nice square grid revealed that the grid of 0's and 1's was really just a QR code in disguise.

But hackers couldn't just hold their phones up to grids of numbers and expect them to split out an answer. To turn this grid into a scannable QR code, hackers used a bunch of different methods: writing scripts (see a sample below), highlighting in a spreadsheet, printing out the grid and coloring it. From there, a quick scan of the code would reveal the answer. For my link, the solution was many raw.

Solution Overview:

In short, users had to convert their given input to binary, arrange it into a grid, and turn that into a QRcode. A quick scan would show them the answer. Here is the code we used to convert a binary QR to a scannable QR.

def binToQr(bin, width, qrSize, imageName):
‘’’
Generates a qr code image from a binary qr code
@param bin 2d: list representing a binary qr code
@param width: width of each individual square
@param qrSize: size of the entire qr code in pixels
@param imageName: name of the generated png image
‘’’
numSquares = len(bin[0])
im = Image.new(“RGB”, (qrSize, qrSize))
pix = im.load();
def fillSquare(x,y):
for i in range(y, y+width):
for j in range(x, x+width):
pix[i,j] = (255,255,255)
for y,i in enumerate(range(numSquares)):
for x,j in enumerate(range(numSquares)):
if (bin[x][y] == 0): fillSquare(x*width,y*width)
im.save(imageName+’.png’)
print “QR code saved to: “ + imageName + “.png”

Implementation:

Since the puzzle’s data is unique to each person, hackers needed to solve it themselves to get their individual codes. To generate the codes, we take the GitHub username (as specified in the URL) and hash it using SHA-256 and a secret. Then, we sum each character in the returned hash to get an index and use that index to select one doge word (“wow”, “such”, “very”, etc.) and one noun from a sufficiently large list.

From there, we generate a QR code with the answer, transform that into a string of 0’s and 1’s, and convert the binary number to decimal. If you are interested in learning more about the implementation check out the puzzle source!


Puzzle 4

On this static site, users are greeted with a simple image of doge and a caption that reads “don’t tickle doge’s nose or he’ll be upset.” This hint obviously directed hackers to click on doge’s nose, causing two audio clips to play. One of them was a recognizable dog bark and the other was a weird robotic sound, about 4 seconds long.

From here, some hackers grabbed the audio files and tried to use DTMF (dual-tone multi-frequency signaling) hoping we had done something similar to last year’s puzzle. Others thought we had hidden Morse code into the audio file and attempted to decode it that way.

Hackers intrigued about the sound’s properties used a spectrogram analysis to plot the sound’s frequencies over time. This turned out to be the right path, as generating a spectrogram for frequencies up to 20k Hz reveals a phrase in the diagram: such hertz.

Spectrogram analysis of sound file

This challenge is fairly short, and many hackers found it to be the easiest puzzle of the six according to our feedback survey. But the puzzle gets substantially harder from here.


HackMIT Stories

Stories from MIT's largest undergraduate hackathon.

Thanks to Kimberli

    Fernando Trujano

    Written by

    HackMIT Stories

    Stories from MIT's largest undergraduate hackathon.

    Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
    Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
    Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade