SGVscCBtZSE=
March 31, 2007 9:48 AM
What encoding is this source code? Alternately, any ideas on this puzzle?
First and foremost, let me say that this is NOT a self-link by any means.
There's a website at themearthmeteors.com with a lot of code (1mb's worth!) snuck in the html as comments. From a cursory glance, it seems like the data is ASCII85-encoding or uuencode encoding, but I can't seem to extract anything.
Also, the images of Earth have rollovers implemented that turn into a circular barcode-like image...
Any ideas? I do hope this isn't viral marketing of some sort -- it's just that the data and its encoding has been bothering me for a while. Thanks hivemind!
First and foremost, let me say that this is NOT a self-link by any means.
There's a website at themearthmeteors.com with a lot of code (1mb's worth!) snuck in the html as comments. From a cursory glance, it seems like the data is ASCII85-encoding or uuencode encoding, but I can't seem to extract anything.
Also, the images of Earth have rollovers implemented that turn into a circular barcode-like image...
Any ideas? I do hope this isn't viral marketing of some sort -- it's just that the data and its encoding has been bothering me for a while. Thanks hivemind!
If it ends in equal signs, it's usually base 64 encoding.
posted by smackfu at 10:35 AM on March 31, 2007
posted by smackfu at 10:35 AM on March 31, 2007
Could be something simple, like Base64 style ASCII armoring of binary data. That would be a pretty boring puzzle step though, you may have to do some real crypanalysis. Start with a simple frequency analysis (how often does each character occur?). Then maybe check for cyclical patterns, and repeating groups, if you notice a lot of groups of 8 I'd bet you a sack of cash it's armored binary data. Then you'll have to figure out the file type...
I'd love to do this, but I've got schoolwork.
posted by phrontist at 10:39 AM on March 31, 2007
I'd love to do this, but I've got schoolwork.
posted by phrontist at 10:39 AM on March 31, 2007
Unless you used a title in a different encoding just to be clever.
posted by smackfu at 10:40 AM on March 31, 2007
posted by smackfu at 10:40 AM on March 31, 2007
I should preview. I'll add that it could be like base64, but it certainly isn't, because there are many characters in there other than the 64 defined in the linked to standard.
posted by phrontist at 10:41 AM on March 31, 2007
posted by phrontist at 10:41 AM on March 31, 2007
Yeah, no, it's not Base64 -- there are tildes and @ symbols. This AskMe title is just 'Help Me' in Base64, just for fun.
posted by provolot at 11:05 AM on March 31, 2007
posted by provolot at 11:05 AM on March 31, 2007
Scrolling through, the HTML itself is hard to find. Which leads me to wonder if the "code" is nothing more than noise to hide the page structure. I don't know what this site is to know if that's reasonable.
posted by DU at 11:15 AM on March 31, 2007
posted by DU at 11:15 AM on March 31, 2007
Doubtful. Here's the stripped out HTML:
Could be something in the javascript, but I sort of doubt that. My money's on the comments.
posted by middleclasstool at 11:31 AM on March 31, 2007
<HTML>
<HEAD>
<TITLE> Them Earth Meteors </TITLE>
<SCRIPT type="text/javascript" src="./FrontPage.js"></SCRIPT>
</HEAD>
<BODY bgcolor=black>
<BR><BR><BR><BR>
<TABLE align=center cellspacing=0 valign=center width=75%>
<TR>
<TD align=center>
<SCRIPT type="text/javascript">makeFrontPage();</SCRIPT>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
Could be something in the javascript, but I sort of doubt that. My money's on the comments.
posted by middleclasstool at 11:31 AM on March 31, 2007
For completeness, here's the js:
posted by middleclasstool at 11:34 AM on March 31, 2007
function makeFrontPage() {
document.write("<OBJECT classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'");
document.write(" codebase='http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0'");
document.write(" WIDTH=875 HEIGHT=350 id='FrontPage2' ALIGN='>");
document.write("<PARAM NAME=movie VALUE='./Flash/FrontPage2.swf'> <PARAM NAME=quality VALUE=high> <PARAM NAME=bgcolor VALUE=#000000> <EMBED src='./Flash/FrontPage2.swf' quality=high bgcolor=#000000 WIDTH=875 HEIGHT=350 ALIGN='");
document.write(" TYPE='application/x-shockwave-flash' PLUGINSPAGE='http://www.macromedia.com/go/getflashplayer' NAME='FrontPage2' swLiveConnect='true'></EMBED>");
document.write("</OBJECT>");
}
posted by middleclasstool at 11:34 AM on March 31, 2007
Frequency analysis with a perl script:
Not much variance here -- if anything, the values are very uniform. Is this still characteristic of armored binary data?
} (125) -> 10625 :: ~ (126) -> 10781 :: (10) -> 1 :: (32) -> 1 :: ! (33) -> 10567
" (34) -> 10441 :: # (35) -> 10742 :: $ (36) -> 10438 :: % (37) -> 10707 :: & (38) -> 10535
' (39) -> 10692 :: ( (40) -> 10613 :: ) (41) -> 10576 :: * (42) -> 10476 :: + (43) -> 10724kj
, (44) -> 10617 :: - (45) -> 10609 :: . (46) -> 10454 :: / (47) -> 10407 :: 0 (48) -> 10454
1 (49) -> 10672 :: 2 (50) -> 10599 :: 3 (51) -> 10749 :: 4 (52) -> 10648 :: 5 (53) -> 10728
6 (54) -> 10607 :: 7 (55) -> 10656 :: 8 (56) -> 10533 :: 9 (57) -> 10632 :: : (58) -> 10429
; (59) -> 10852 :: < (60) -> 10619 :: = (61) -> 10667 :: > (62) -> 10566 :: ? (63) -> 10721
@ (64) -> 10484 :: A (65) -> 10529 :: B (66) -> 10740 :: C (67) -> 10730 :: D (68) -> 10463
E (69) -> 10582 :: F (70) -> 10682 :: G (71) -> 10706 :: H (72) -> 10701 :: I (73) -> 10572
J (74) -> 10550 :: K (75) -> 10707 :: L (76) -> 10590 :: M (77) -> 10440 :: N (78) -> 10646
O (79) -> 10463 :: P (80) -> 10650 :: Q (81) -> 10634 :: R (82) -> 10532 :: S (83) -> 10635
T (84) -> 10576 :: U (85) -> 10577 :: V (86) -> 10595 :: W (87) -> 10609 :: X (88) -> 10569
Y (89) -> 10529 :: Z (90) -> 10538 :: [ (91) -> 10571 :: \ (92) -> 10566 :: ] (93) -> 10884
^ (94) -> 10819 :: _ (95) -> 10708 :: ` (96) -> 10676 :: a (97) -> 10680 :: b (98) -> 10493
c (99) -> 10582 :: d (100) -> 10519 :: e (101) -> 10718 :: f (102) -> 10589 :: g (103) -> 10630
h (104) -> 10709 :: i (105) -> 10603 :: j (106) -> 10539 :: k (107) -> 10681 :: l (108) -> 10503
m (109) -> 10648 :: n (110) -> 10713 :: o (111) -> 10858 :: p (112) -> 10590 :: q (113) -> 10571
r (114) -> 10542 :: s (115) -> 10800 :: t (116) -> 10594 :: u (117) -> 10607 :: v (118) -> 10523
w (119) -> 10469 :: x (120) -> 10644 :: y (121) -> 10633 :: z (122) -> 10564 :: { (123) -> 10471
| (124) -> 10706
posted by provolot at 11:50 AM on March 31, 2007
Not much variance here -- if anything, the values are very uniform. Is this still characteristic of armored binary data?
} (125) -> 10625 :: ~ (126) -> 10781 :: (10) -> 1 :: (32) -> 1 :: ! (33) -> 10567
" (34) -> 10441 :: # (35) -> 10742 :: $ (36) -> 10438 :: % (37) -> 10707 :: & (38) -> 10535
' (39) -> 10692 :: ( (40) -> 10613 :: ) (41) -> 10576 :: * (42) -> 10476 :: + (43) -> 10724kj
, (44) -> 10617 :: - (45) -> 10609 :: . (46) -> 10454 :: / (47) -> 10407 :: 0 (48) -> 10454
1 (49) -> 10672 :: 2 (50) -> 10599 :: 3 (51) -> 10749 :: 4 (52) -> 10648 :: 5 (53) -> 10728
6 (54) -> 10607 :: 7 (55) -> 10656 :: 8 (56) -> 10533 :: 9 (57) -> 10632 :: : (58) -> 10429
; (59) -> 10852 :: < (60) -> 10619 :: = (61) -> 10667 :: > (62) -> 10566 :: ? (63) -> 10721
@ (64) -> 10484 :: A (65) -> 10529 :: B (66) -> 10740 :: C (67) -> 10730 :: D (68) -> 10463
E (69) -> 10582 :: F (70) -> 10682 :: G (71) -> 10706 :: H (72) -> 10701 :: I (73) -> 10572
J (74) -> 10550 :: K (75) -> 10707 :: L (76) -> 10590 :: M (77) -> 10440 :: N (78) -> 10646
O (79) -> 10463 :: P (80) -> 10650 :: Q (81) -> 10634 :: R (82) -> 10532 :: S (83) -> 10635
T (84) -> 10576 :: U (85) -> 10577 :: V (86) -> 10595 :: W (87) -> 10609 :: X (88) -> 10569
Y (89) -> 10529 :: Z (90) -> 10538 :: [ (91) -> 10571 :: \ (92) -> 10566 :: ] (93) -> 10884
^ (94) -> 10819 :: _ (95) -> 10708 :: ` (96) -> 10676 :: a (97) -> 10680 :: b (98) -> 10493
c (99) -> 10582 :: d (100) -> 10519 :: e (101) -> 10718 :: f (102) -> 10589 :: g (103) -> 10630
h (104) -> 10709 :: i (105) -> 10603 :: j (106) -> 10539 :: k (107) -> 10681 :: l (108) -> 10503
m (109) -> 10648 :: n (110) -> 10713 :: o (111) -> 10858 :: p (112) -> 10590 :: q (113) -> 10571
r (114) -> 10542 :: s (115) -> 10800 :: t (116) -> 10594 :: u (117) -> 10607 :: v (118) -> 10523
w (119) -> 10469 :: x (120) -> 10644 :: y (121) -> 10633 :: z (122) -> 10564 :: { (123) -> 10471
| (124) -> 10706
posted by provolot at 11:50 AM on March 31, 2007
That's extremely uniform distribution, nothing less than 10407 or greater than 10884. I don't know enough about crypto to know if it's characteristic of armoring, but no way is that a simple replacement cypher, IM(admittedly amateur)O.
posted by middleclasstool at 12:01 PM on March 31, 2007
posted by middleclasstool at 12:01 PM on March 31, 2007
I take that back. There's only one linefeed character and only one space. Hmm.
posted by middleclasstool at 12:17 PM on March 31, 2007
posted by middleclasstool at 12:17 PM on March 31, 2007
The linefeed and space is my mistake -- that's because I put everything on a line.
That's extremely uniform distribution, nothing less than 10407 or greater than 10884. I don't know enough about crypto to know if it's characteristic of armoring, but no way is that a simple replacement cypher, IM(admittedly amateur)O.
middleclasstool, I agree. Actually, the super-even distribution and the fact that the index.html file is 999998 bytes long leads me to think that DU may be right, even; that it's all just random noise generated with ASCII values 33 to 126, deliberately byte-matched to be 999998 or something...
Hmm. Any other ideas?
posted by provolot at 12:28 PM on March 31, 2007
That's extremely uniform distribution, nothing less than 10407 or greater than 10884. I don't know enough about crypto to know if it's characteristic of armoring, but no way is that a simple replacement cypher, IM(admittedly amateur)O.
middleclasstool, I agree. Actually, the super-even distribution and the fact that the index.html file is 999998 bytes long leads me to think that DU may be right, even; that it's all just random noise generated with ASCII values 33 to 126, deliberately byte-matched to be 999998 or something...
Hmm. Any other ideas?
posted by provolot at 12:28 PM on March 31, 2007
Well, if there's nothing in the source comments, then the key must be in the note displayed in the link provided by limon upthread. In the comments section, someone notes the note's connection to a manga series called Death Note. Probably there's a Hollywood adaptation coming out or something.
I really hope not, though. Viral marketing usually depresses me.
There could be something in the patterns you see when you mouse over the earths, too. They're not the same.
posted by middleclasstool at 12:48 PM on March 31, 2007
I really hope not, though. Viral marketing usually depresses me.
There could be something in the patterns you see when you mouse over the earths, too. They're not the same.
posted by middleclasstool at 12:48 PM on March 31, 2007
Interesting. It appears that no single character is repeated. No "33", or "aa", or "pp" to be found. Kind of an odd characteristic for randomly generated crap to have.
posted by polysigma at 1:00 PM on March 31, 2007
posted by polysigma at 1:00 PM on March 31, 2007
Not that it helps much, but stripping out non-Base64 characters and then doing a Base64 decode results in nothing useful ;-)
posted by wackybrit at 1:55 PM on March 31, 2007
posted by wackybrit at 1:55 PM on March 31, 2007
Did anyone else notice the text field if you click on the "M"? It validates against http://themearthmeteors.com/submitUName.php
posted by niles at 2:37 PM on March 31, 2007
posted by niles at 2:37 PM on March 31, 2007
Apparently once you solve the puzzle it redirects to:
http://themearthmeteors.com/PuzzleSolved.php
Which, of course, since we haven't it redirects from that back to the home page.
posted by basicchannel at 5:00 PM on March 31, 2007
http://themearthmeteors.com/PuzzleSolved.php
Which, of course, since we haven't it redirects from that back to the home page.
posted by basicchannel at 5:00 PM on March 31, 2007
Also, this is definitely a viral ad for the forthcoming Death Note movie (of which there have already been several in Japan).
posted by basicchannel at 5:07 PM on March 31, 2007
posted by basicchannel at 5:07 PM on March 31, 2007
After I read your question, I posted a thread about this to Unfiction and they've done some good dissecting so far, most notably of the circular codes.
posted by Addlepated at 10:07 PM on March 31, 2007
posted by Addlepated at 10:07 PM on March 31, 2007
Even distribution often means it's the result of a compression algorith, especially since there are no letter pairs.
posted by smackfu at 10:02 AM on April 1, 2007
posted by smackfu at 10:02 AM on April 1, 2007
smackfu: I don't see why letter pairs would be omitted if it were compressed data. Wouldn't the lack of digrams limit the possible per character entropy? Wouldn't this be undesirable in a compression algorithm?
posted by phrontist at 1:32 PM on April 1, 2007
posted by phrontist at 1:32 PM on April 1, 2007
Anyone still working on this?
Using swftools reveals quite a bit more info from the flash file.
The string constants are interesting.
Other urls that are called...
http://www.themearthmeteors.com/submitUName.php
http://www.themearthmeteors.com/WelcomeMicrosoft.php
http://www.themearthmeteors.com/Welcome.php
It should be easy enough to set www.theearthmeterors.com to hit localhost in /etc/hosts and then if we can figure out the code for the response code for the password, then we can trick the swf into thinking the password is correct.
I'm still figuring out how to read decompiled actionscript.
posted by kamelhoecker at 1:20 PM on April 8, 2007
Using swftools reveals quite a bit more info from the flash file.
swfdump -D FrontPage2.swf
The string constants are interesting.
( 346 bytes) action: Constantpool(25 entries) String:"loadVars_outUName" String:"theUName" String:"
POST" String:"loadVars_inUName" String:"http://www.themearthmeteors.com/submitUName.php" String:"sendAndLoad" String:
"loadVars_outPass" String:"thePass" String:"loadVars_inPass" String:"http://www.themearthmeteors.com/submitPass.php"
String:"PUZZLE_CONTEST_ACTIVE" String:"LoadVars" String:"onLoad" String:"success" String:"_root" String:"validPuzzleA
nswer" String:"this" String:"validUName" String:"M" String:"getpass" String:"gotoAndPlay" String:"unameback" String:"
validPass" String:"Microsoft" String:"passback"
Other urls that are called...
http://www.themearthmeteors.com/submitUName.php
http://www.themearthmeteors.com/WelcomeMicrosoft.php
http://www.themearthmeteors.com/Welcome.php
It should be easy enough to set www.theearthmeterors.com to hit localhost in /etc/hosts and then if we can figure out the code for the response code for the password, then we can trick the swf into thinking the password is correct.
I'm still figuring out how to read decompiled actionscript.
posted by kamelhoecker at 1:20 PM on April 8, 2007
« Older risperidone for alzheimer's agitation? | looking for a song, goes something like this:... Newer »
This thread is closed to new comments.
posted by limon at 9:56 AM on March 31, 2007