Sophos Puzzle Walkthrough

One of my friends told me about this puzzle, and I'm quite thankful to him for that. This was a very fun puzzle to do and I learned a lot.
Essentially hosted a puzzle that's giving out three Lego Mindstorms in celebration of the release of The Girl With The Dragon Tattoo. You can find the original page here. So far as I know everything is going to stay there, which is awesome, because other people can solve it.
Fair warning, this spoils the entire puzzle, so if you want to try it yourself first, which I highly recommend, visit the link above and give it your best shot and come back here if you get stuck. Or just read the whole thing if you're lazy. :p

So, this is a two-part puzzle, the second part being harder, obviously.
The first part, as found on the page above, is this:

Turn =ImYndmbn1ieiBnLmJWdjJmZ into a URL.

Seems simple enough, right? It actually is pretty easy.

You can tell hacking really looks like this, can't you?
If you're familiar with the normal ciphering methods, you'll probably recognize this as Base64, just in reverse. (If you're not familiar with basic ciphering, I'll write a post on that eventually.) A normal Base64 string looks like this: SGVsbG8gd29ybGQ=
Luckily this string has an equals sign at the end, which some strings don't. Some have two (==) or one or none. Look it up on Wikipedia if you want to know more.

For now, the puzzle's cipher reversed is ZmJjdWJmLnBiei1nbmdnYmI=. (I used this to reverse the string, I just Googled 'reverse string' and found it.)

Deciphering the string gives us this: fbcubf.pbz-gnggbb (Using this ridiculously useful cipher tool that you should have bookmarked at all times.)

This pretty much has the format of a URL, but it doesn't make any sense. My first thought, after making sure it wasn't an actual link (it isn't), was that it might be a ROT-13 string. ROT-13 refers to a substitution cipher in which you rotate every letter 13 places to the left. It's popularly referred as the Caesar Cipher. (

Running our string through a ROT-13 decipherer (Here.) Gives us SOPHOS.COM-TATTOO. Assuming they put a dash instead of a slash--for whatever reason--that gives us Which is the correct link for the first puzzle.


Now on to the second part of the puzzle. This is quite a bit harder. Originally I thought I was going to write a post about what I did to solve this, but I'm not so sure now. We'll see how this works out.

So, the text file that was given for the second part of the puzzle essentially said this:

This isn't a cryptographic puzzle in the traditional sense - in other words, you don't have to do any actual cipher cracking to solve it.

You do need a password in this stage of the puzzle. But you'll know it already if you actually solved Stage 1 yourself, instead of just getting this URL off the internet.

That's because the password is the name of the cipher used in Stage 1.

If you're an OCD hacker type, be careful not to overanalyze Stage 2. Be smart, rather than merely clever; be worldly-wise, rather than a geek.

A little bit of technical skill, some lateral thinking and attention to anything which looks like a clue should get you home.

d320ae6fd64| |etde2| |83cba/ || _ \3c| ____|| || |4h| |54ddbf6b47asdl2063
8n34r58be58| |840d6| |04th| (----`| |_) |0| |__30g`---| |----`| |==| |iaderf142179334fld
bwci6cbdfdt| |91b52| |6225c\ \d2aa| _ <63| __|328dbe| |3d1c7| __ |hf87ta3698hr193340 de1f9gdf023| `====.| |1.----) |014| |_) |3| |____f0o87| |e72en| |14| |4t8dct07cde1964dd7 tf914o05b3e|_______||__|f|_______/6a7b|______/c5|_______|95fb|__|85oef|__|al|__|84611d43ai44acsc50 0c154e8t7283b7fa2hsf3lc7bdnba80dca3a8c43r8t1aee241476424a9c52c8060579hdgi6r0414ablbc7wfa7ec3i27et6 5790800013681030ahb11466a84dth81rdge35c538b34d706697a867ff5df7a706156o36e97cadden1t326306t57343718 173t7e92=======.055ao===6371ed6==oea0f7698ea===26c862.==add==.ld=======3di=======a.======7s44493bf d124179/ |tb70/ \88374| |010a6h025/ \1af2a| \s| |l| \e| ____|| _ \5822c768 80c9b2| (----`722/ ^ \18e9| |bdf3n50c/ ^ \1bf3| \| |2| .--. || |__3dd| |_) |e26276r f0d8dd9\ \bdt66f/ /_\ \4ch| |fc295d2/ /_\ \23f| . ` |9| |gi| || __|2f| /d89059c0 e25.----) |52r6/ _____ \34| `====.b/ _____ \5l| |\ |0| '--' || |____4| |\ \====.b07 w08|_______/0496/__/707b4\__\b|_______|/__/01000\__\0|__|2\__|9|_______/0|_______||4_|0`._____|000 504b01021e0314000b0008i00d2t64923hf049t670h7b4b0100002904000r0g27001800000000000000000on0a48100000 000736563757269t74792d61t6t4766963652d666f722od7472616o96e2d636f6dl6d75746572732e6769665554050i003 1bs44ed4the75780bs000ln104f50100r000t4140000005h04b050600000g0i00010001006d000000bc01000000r00lwit

If only it were this easy.

I know the formatting on the actual puzzle is totally jacked up. Paste it into a text document or download the original text file to see it in better formatting. In the middle, in ASCII art, it says LISBETH SALANDER, which is the name of the main character of The Girl With The Dragon Tattoo, and has nothing to do with the puzzle.

So, what I did at first was run the entire thing through a hex decipherer, as the majority of the numbers and letters are hex, but not all of them.
I got a large amount of gibberish and a string repeated twice: security-advice-for-train-commuters.gif. That isn't important at this point.

The first step is to remove anything that isn't hex. I did this with an online Regex tool, makes it much faster. The Regex I used was [^A-Fa-f0-9]. Anything that isn't A-F, a-f, or 0-9 it removed.
Next is to figure out what to do with the raw hex we have. This is probably the most challenging step if you don't know what you're looking at (like I didn't.)
Pretty much when I was messing around with the hex I put it into Hex Workshop and saw the first two letters of the file was PK, which--after Googling--I found to mean that it was a .zip file.

  • If the first two characters are "BM" the file may be a .BMP bitmap image.
  • If the first two characters are "PK" the file may be a .ZIP archive file.
  • If the first two characters are "MZ" the file may be an .EXE executable file.
  • If the first four characters are "%PDF" the file may be an Adobe .PDF file.
(Taken from

That's just an example, there are many different characters and whatnot, but it's useful for understanding it.

So now that we know it's a .zip file in raw hex we need to figure out how to get it into a binary file on our computer. You could type all the hex manually into a hex editor like Hex Workshop, but that's a waste of time.
How I did it was taking the hex and converting it into Base64 and using this Base64 encoder/decoder. What I use it for it it's option to encode to a binary file that you can download. (If you use this, make sure you select 'Decode the data from Base64' and 'Export to binary file', otherwise it won't work, obviously.)

Once you've done that you now have a, hopefully, working .zip file. Open that (I use WinRAR) and you'll see security-advice-for-train-commuters.gif. Extract that, using the password ROT13 (that was what we used to solve the first puzzle) and you'll have a pink image.

Now open the file in a hex editor, there are many free ones or paid ones, just Google it if you don't already have one. Here is the only part of the puzzle where I still have no idea what's going on, I don't know how images work on the hex level, but I can tell you how to get to the answer.
I found the answer by accident, pretty much. Just add a 00 somewhere in the middle of the file, save it, and look at the image. You'll now, hopefully, see words in the image: "SPY BOUNTY RECURS?"

This is an anagram, and to solve it you should read this article on Naked Security, a subdomian of Sophos.
Read the article and see if you can figure out the anagram, if you aren't already following along. The answer is below, don't peek. ;)


If you've tried and gotten it, or if you don't want to try then here's the answer:

"Encrypt your USBs?"

And that is the end of the Sophos puzzle, boys and girls. I hope that, if you didn't already know this stuff, you learned a lot, as I did.

I'd like to say thank you to Paul Ducklin of Sophos, he helped get me unstuck more than once, and without his help I probably wouldn't have been able to solve the puzzle.

So that's the end of it. If you've got any questions, or if you know how the hex of images works (or a link to it) please feel free to comment.

Edit: Apparently Sophos released a video on how they solved it. I solved it very differently, as I have no idea what those console commands they used are or how they work. I think my version is a little bit easier to understand what's going on. :p
He also explained what was up with the hex in the image, which was informative.


Post a Comment