Monday, October 31, 2011

Getting Book 4 of the Uplink Game Bible

Spoiler alert - these posts tell how to decrypt the books of the Uplink Game Bible. Be advised that all the books of the Uplink Game Bible are available in unencrypted form in the Uplink Developer CD which can be downloaded via BitTorrent. I use the Vuze BitTorrent client on a Mac and the website btjunkie.org.

A word of warning - the challenge of getting the Uplink Game Bible was mostly intended for other Software Developers or hard-core computer enthusiasts.

It is not necessary to hack the Game Bible in order to play the game. The Game Bible only contains design notes and sketches the Introversion developers made while developing Uplink; it does not contain any strategy hints, tactics, or secrets necessary to complete the game (AFAIK).

According to the information posted on the "Game Bible" page at http://members.multimania.nl/uplink/ ,
Ok this book has been brought out later, and it is supposed to be available by those peer to peer programs like "Kazaa". But since almost no one can find it there, I have decided to put a direct link here:
Gamebible book4(mirror 1)
This link (http://members.multimania.nl/uplink/downloads/gamebiblebook4.zip.file) still works, you can download book 4 in unencrypted form there.

So supposedly, Book 4 was originally posted on Kazaa. I don't know if Introversion published any hints, encoded or otherwise, as to this fact. It may be that the location of Book 4 was encrypted in this text from the "book2.html" file included with the encrypted Book 2 of the game bible:
1234564651234561548945231324564 - 2.6Khz - 4564564123487548451656561616448
6782314897648763287623487623467 - 5.2Khz - 4748923785897298754238973287483
1234564651234561548945231324564 - 10.4Khz - 4564564123487548451656561616448
9939482813848903282398488499939 - 20.8Khz - 8299298474567729104857089372737
What to make of this? Each block of numbers is 31 decimal digits. The first and third rows of digits are the same. Each frequency is twice the previous.

From the Wikipedia entry for Kazaa, I read the following:
Kazaa started as a peer-to-peer file sharing application. Kazaa was commonly used to exchange MP3 music files.
Given that decoding Book 2 required using the bytes in a .MP3 file, it may be that the pages of Book 4 were distributed encrypted inside a .MP3 file. Perhaps the frequencies in the above message were to be used in extracting the individual pages of Book 4 from this MP3 file?

The person who encrypted the Uplink game bible has been previously known to use square wave forms in an MP3 file, namely the "world.dat" file used as the key for decrypting Book 2. I used the "Audacity" application (available for free, see http://audacity.sourceforge.net/ ) to zoom in on the waveform in the "world.dat" file to see the square waves. In the case of the "world.dat" file (which is actually an MP3 file), the square waves did not encode anything other than "0 1 0 1 0 1", i.e. zeroes and ones repeating.

Some key quotes from the decrypted readme.txt for Book 4 are:
You've successfully managed to break the code on book 4 of the designers bible. Well done. ... Finally, this file (JohnPhilips.dat) is designed to be downloadable from Kazaa and other File-Sharing programs.

These quotes indicate that the file was originally encrypted, and that it was available on Kazaa. My guess is that the "JohnPhilips.dat" file was an MP3 file which contained the pages of Book 4. It may very well be that some people have been distributing files named "JohnPhillips.dat" which are not the original encrypted file but which are instead just zip files containing the pages of book 4 of the game bible.

There is a "JohnPhillips.dat" file available for download in the http://www.introversion.co.uk/uplink/downloads/ folder, but this is just a text file containing the following message:

You're on the right track, but not quite there yet.
You're looking in the wrong place.
Try again John Philips.
This must mean that somehow you were supposed to be able to decode the text, "JohnPhillips.dat" in order to know what file to go looking for.





Friday, October 21, 2011

Getting Book 3 of the Uplink Game Bible

Book 3 was posted on the web in an unadvertised location. An encrypted message containing this location appears at the end of the Readme.txt for Book 2 (you must decrypt the Book 2 Readme.txt file to read this message).

The text that appears at the end of the Readme.txt file for Book 2 is:

Maybe you're wondering where book 3 is?  Well, it wouldn't be right for us to just give it too you.  You're going to have to work at it.  And this time, it's going to be a challenge.

Here's a code for you to get breaking. Best of luck.

Chris
Lead designer


01 04 01
14 18 02
06 12 07
18 01 05
14 03 04
11 32 02
09 04 07
20 06 02
18 09 04
17 10 01
04 26 01
19 05 03
16 31 02
12 19 04
09 02 06

01 15 03

03 12 03
13 04 01
04 28 02
04 24 01

21 18 01
11 05 01
03 02 01

01 06 01
01 14 03

11 21 01
12 21 04
12 32 02
16 38 02

15 10 08
04 06 01
14 31 01
11 11 01
09 08 02
02 14 06
15 05 07
16 12 03
16 11 03

15 24 03
08 12 02
19 18 05
17 20 03

19 17 03
20 05 01
12 30 01
03 10 05

14 03 01
06 32 02
18 30 02

04 25 04
17 07 02
18 20 02
21 15 01
22 05 01
15 04 01
12 14 03
08 04 09

12 12 01
18 18 01
01 11 05
09 19 07

02 21 01
16 10 07

02 02 01
01 02 02
19 28 03
11 10 01

06 04 04
15 03 02
16 30 01

18 20 01
17 04 02

13 03 05
05 02 10
16 33 04

12 07 02
12 06 02

19 19 01
17 18 03
03 16 02
12 26 04

09 23 09
15 14 01
14 18 03
12 30 04
09 09 07

04 22 01
08 07 01

11 20 06
16 12 02
12 18 02

21 14 03
15 29 04
09 17 02
06 06 02
16 26 08
12 14 05
02 03 03
16 04 03
12 11 02

04 29 01
20 13 05
04 13 01
20 11 03
15 01 02

06 19 05
11 30 03
02 09 02
20 12 01
14 31 09
03 08 03
19 11 08

17 30 07
14 29 04

06 09 04
04 12 02
18 09 03
12 05 02

06 30 04
12 14 02
16 18 01

10 03 01
06 29 03
11 32 01
15 32 05
15 31 03
17 02 08
12 05 02

04 14 01
14 08 01
17 30 01

02 07 02
12 19 04
15 29 03
10 09 06
03 10 02
20 13 06
18 34 05
12 25 05
09 17 02
12 01 01
11 07 01
17 29 06

06 21 04
12 04 02

11 24 02
22 05 04

11 29 03
17 11 02
12 31 04
08 10 01
17 17 01
18 07 02
08 17 01
12 11 02
19 29 01
01 10 02
21 19 02
12 18 01

02 06 01
14 10 04
06 13 02
17 26 02
15 13 01
14 20 02
04 07 03
17 09 01
02 25 05

06 03 02
17 13 02
08 27 07
20 02 02
09 01 01
08 25 02
04 02 02
15 17 02

18 09 01
16 31 02
15 07 04
15 26 03
06 29 06
03 13 02
01 01 07
01 21 05
16 21 03

17 01 01
04 27 03
04 17 01
14 21 04
03 04 01
04 07 02
11 11 01
15 18 05

16 09 01
12 07 03
02 05 05
10 09 02
04 25 03
17 05 01
06 32 04
11 13 03
04 25 02
12 32 04
13 01 02
14 17 03
06 04 02
14 22 02
20 12 02
16 24 01
20 04 01
06 10 02
08 27 02
06 11 08
21 17 01
11 12 03
22 05 01
01 21 04

The blocks of numbers are an encrypted message.

As I said earlier, a decrypted version of Game Bible Book 3 is available on the Uplink Developer CD, which can be downloaded for free via BitTorrent using a torrent found on http://www.btjunkie.org. But I'm not interested in just having the decrypted Game Bible Book 3, I want to know how the message was encrypted in the first place. What cipher was used?

To figure out the cipher it would help to know the decrypted text of the above message (the plaintext). Luckily the user "danilo" on the Introversion Uplink forums (a.k.a Angel Knight on his website) thoughtfully included some of the plaintext of the message at http://members.multimania.nl/uplink/ (click the "Game Bible" link on the left side of his web page).

His web page has this text:

Book 3

I finally got this book, so if you want it too, the only thing you have to do is to decrypt this HEX to ASCII, and do what the message tells you:

54 68 65 20 63 6f 64 65 73 20 61 74 20 74 68 65 20 65 6e 64 20 6f 66 20 72 65 61 64 6d 65 2e 74 78 74 20 61 72 65 20 61 20 63 6f 64 65 62 6f 6f 6b 20 73 74 79 6c 65 20 73 65 74 20 6f 66 20 6b 65 79 73 2c 20 61 74 65 72 2d 6e 75 6d 62 65 72 22 20 69 6e 20 74 68 65 20 68 61 63 6b 65 72 20 6d 61 6e 69 66 65 73 74 6f 20 74 68 61 74 20 63 6f 6d 65 73 20 69 6e 20 79 6f 75 72 20 55 70 6c 69 6e 6b 20 72 65 74 61 69 6c 20 63 61 73 65 2e 20 20 44 65 63 6f 64 69 6e 67 20 69 73 20 61 20 6c 6f 6e 67 2c 20 73 6c 6f 77 20 70 72 6f 63 65 73 73 2e 20 20 54 68 65 20 66 75 6c 6c 20 74 65 78 74 20 72 65 61 64 73 3a 20 43 54 48 52 45 45 20 4f 46 20 54 48 45 20 44 45 53 49 47 4e 45 52 53 20 42 49 42 4c 45 20 43 4f 4e 4e 45 43 54 20 55 50 20 54 4f 20 54 48 49 53 20 57 45 42 20 41 44 44 52 45 53 53 20 57 57 57 20 49 4e 54 52 4f 56 45 52 53 49 4f 4e 20 43 4f 20 55 4b 20 46 4f 52 57 41 52 44 53 4c 41 53 48 20 42 4f 4f 4b 54 48 52 45 45 20 55 53 45 52 4e 41 4d 45 20 62 6f 6f 6b 74 68 72 65 65 20 50 41 53 53 57 4f 52 44 20 74 68 65 68 61 63 6b 65 72 6d 61 6e 69 66 65 73 74 6f 69 73 63 72 61 70 20

I used the search and replace feature of a text editor (TextWrangler) to replace all the spaces with percent-signs and added a percent-sign at the beginning of the text to get this text:

%54%68%65%20%63%6f%64%65%73%20%61%74%20%74%68%65%20%65%6e%64%20%6f%66%20%72%65%61%64%6d%65%2e%74%78%74%20%61%72%65%20%61%20%63%6f%64%65%62%6f%6f%6b%20%73%74%79%6c%65%20%73%65%74%20%6f%66%20%6b%65%79%73%2c%20%61%74%65%72%2d%6e%75%6d%62%65%72%22%20%69%6e%20%74%68%65%20%68%61%63%6b%65%72%20%6d%61%6e%69%66%65%73%74%6f%20%74%68%61%74%20%63%6f%6d%65%73%20%69%6e%20%79%6f%75%72%20%55%70%6c%69%6e%6b%20%72%65%74%61%69%6c%20%63%61%73%65%2e%20%20%44%65%63%6f%64%69%6e%67%20%69%73%20%61%20%6c%6f%6e%67%2c%20%73%6c%6f%77%20%70%72%6f%63%65%73%73%2e%20%20%54%68%65%20%66%75%6c%6c%20%74%65%78%74%20%72%65%61%64%73%3a%20%43%54%48%52%45%45%20%4f%46%20%54%48%45%20%44%45%53%49%47%4e%45%52%53%20%42%49%42%4c%45%20%43%4f%4e%4e%45%43%54%20%55%50%20%54%4f%20%54%48%49%53%20%57%45%42%20%41%44%44%52%45%53%53%20%57%57%57%20%49%4e%54%52%4f%56%45%52%53%49%4f%4e%20%43%4f%20%55%4b%20%46%4f%52%57%41%52%44%53%4c%41%53%48%20%42%4f%4f%4b%54%48%52%45%45%20%55%53%45%52%4e%41%4d%45%20%62%6f%6f%6b%74%68%72%65%65%20%50%41%53%53%57%4f%52%44%20%74%68%65%68%61%63%6b%65%72%6d%61%6e%69%66%65%73%74%6f%69%73%63%72%61%70%20

I copied this text to the clipboard, clicked the "Hex Converter" link on the left side of his web page, pasted the above text into the "Hexidecimal Value" box, and clicked the Decode button, producing this text in the "ASCII Text" box:

The codes at the end of readme.txt are a codebook style set of keys, ater-number" in the hacker manifesto that comes in your Uplink retail case.  Decoding is a long, slow process.  The text reads: CTHREE OF THE DESIGNERS BIBLE CONNECT UP TO THIS WEB ADDRESS WWW INTROVERSION CO UK FORWARDSLASH BOOKTHREE USERNAME bookthree PASSWORD thehackermanifestoiscrap

You could also use the hex-ASCII converter at http://d21c.com/sookietex/ASCII2HEX.html

In the decoded text we see that the secret location to download the unencrypted Book 3 of the Uplink Game Bible was:

http://www.introversion.co.uk/bookthree

Username: bookthree
Password: thehackermanifestoiscrap

I happen to agree.

This is now a dead link. But, as I said, I'm not really interested in the unencrypted Book 3 or the original URL/username/password to get Book 3. I'm interested in the cipher used to encrypt the above message as the blocks of columns of numbers. It will also be fun to use the cipher to decode the rest of the message between the words "CONGRATULATIONS" and "three" (even though I already have this text via having downloaded the unencrypted Readme for Book 3 as part of the Uplink Developer CD).

I noticed that the unencrypted message text from "danilo"'s website ("THREE OF THE DESIGNERS BIBLE CONNECT UP TO ...") lines up with the last of the encrypted blocks of numbers.

Also, the Readme.txt files for the first two Uplink Game Bible books began with the word "CONGRATULATIONS". The first block of numbers in the encrypted text has the same number of rows as "CONGRATULATIONS" has letters, so it is pretty safe to say this word is the plaintext for that block of numbers.

If I write these pieces of known plaintext next to the blocks of numbers, we get this:

01 04 01 c
14 18 02 o
06 12 07 n
18 01 05 g
14 03 04 r
11 32 02 a
09 04 07 t
20 06 02 u
18 09 04 l
17 10 01 a
04 26 01 t
19 05 03 i
16 31 02 o
12 19 04 n
09 02 06 s

01 15 03

03 12 03
13 04 01
04 28 02
04 24 01

21 18 01
11 05 01
03 02 01

01 06 01
01 14 03

11 21 01
12 21 04
12 32 02
16 38 02

15 10 08
04 06 01
14 31 01
11 11 01
09 08 02
02 14 06
15 05 07
16 12 03
16 11 03

15 24 03
08 12 02
19 18 05
17 20 03

19 17 03
20 05 01
12 30 01
03 10 05

14 03 01
06 32 02
18 30 02

04 25 04
17 07 02
18 20 02
21 15 01
22 05 01
15 04 01
12 14 03
08 04 09

12 12 01
18 18 01
01 11 05
09 19 07

02 21 01
16 10 07

02 02 01
01 02 02
19 28 03
11 10 01

06 04 04
15 03 02
16 30 01

18 20 01
17 04 02

13 03 05
05 02 10
16 33 04

12 07 02
12 06 02

19 19 01
17 18 03
03 16 02
12 26 04

09 23 09 t
15 14 01 h
14 18 03 r
12 30 04 e
09 09 07 e

04 22 01 o
08 07 01 f

11 20 06 t
16 12 02 h
12 18 02 e

21 14 03 d
15 29 04 e
09 17 02 s
06 06 02 i
16 26 08 g
12 14 05 n
02 03 03 e
16 04 03 r
12 11 02 s

04 29 01 b
20 13 05 i
04 13 01 b
20 11 03 l
15 01 02 e

06 19 05 c
11 30 03 o
02 09 02 n
20 12 01 n
14 31 09 e
03 08 03 c
19 11 08 t

17 30 07 t
14 29 04 o

06 09 04 t
04 12 02 h
18 09 03 i
12 05 02 s

06 30 04 w
12 14 02 e
16 18 01 b

10 03 01 a
06 29 03 d
11 32 01 d
15 32 05 r
15 31 03 e
17 02 08 s
12 05 02 s

04 14 01 w
14 08 01 w
17 30 01 w

02 07 02 i
12 19 04 n
15 29 03 t
10 09 06 r
03 10 02 o
20 13 06 v
18 34 05 e
12 25 05 r
09 17 02 s
12 01 01 i
11 07 01 o
17 29 06 n

06 21 04 c
12 04 02 o

11 24 02 u
22 05 04 k

11 29 03 f
17 11 02 o
12 31 04 r
08 10 01 w
17 17 01 a
18 07 02 r
08 17 01 d
12 11 02 s
19 29 01 l
01 10 02 a
21 19 02 s
12 18 01 h

02 06 01 b
14 10 04 o
06 13 02 o
17 26 02 k
15 13 01 t
14 20 02 h
04 07 03 r
17 09 01 e
02 25 05 e

06 03 02 u
17 13 02 s
08 27 07 e
20 02 02 r
09 01 01 n
08 25 02 a
04 02 02 m
15 17 02 e

18 09 01 b
16 31 02 o
15 07 04 o
15 26 03 k
06 29 06 t
03 13 02 h
01 01 07 r
01 21 05 e
16 21 03 e

17 01 01 p
04 27 03 a
04 17 01 s
14 21 04 s
03 04 01 w
04 07 02 o
11 11 01 r
15 18 05 d

16 09 01 t
12 07 03 h
02 05 05 e
10 09 02 h
04 25 03 a
17 05 01 c
06 32 04 k
11 13 03 e
04 25 02 r
12 32 04 m
13 01 02 a
14 17 03 n
06 04 02 i
14 22 02 f
20 12 02 e
16 24 01 s
20 04 01 t
06 10 02 o
08 27 02 i
06 11 08 s
21 17 01 c
11 12 03 r
22 05 01 a
01 21 04 p

Now we're getting somewhere.

At this point I scoured the Introversion Uplink forums for more hints. I found out that the Hacker's Manifesto was printed on the inside of the back CD slip of the original Uplink CD's. The Hacker's Manifesto is a short essay written by a teenaged hacker who was caught in the 80's. You can read about it at http://en.wikipedia.org/wiki/Hacker_Manifesto. You can see the original text of the manifesto at http://www.phrack.org/issues.html?issue=7&id=3&mode=txt. There were also plenty of hints in the Introversion Uplink forums that the Hacker's Manifesto was needed to get Book 3 of the Uplink Game Bible.

I started looking at the numbers. The numbers in the first column range from 1 to 22. The numbers in the 2nd column range from 1 to 34. The numbers in the 3rd column range from 1 to 9.

What do the numbers mean? Very likely the 3rd number of each line is the letter within a word, because these numbers only range from 1 to 9.

One possibility I spent some time on was that the first number was paragraph within the manifesto, the 2nd number was word within the paragraph, and the 3rd number was letter within the word. But the original text of the Hacker's Manifesto is not clearly broken into paragraphs. I spent a lot of time experimenting with different ways of breaking the manifesto into paragraphs before giving up on this idea.

At this point I was completely OCD about this problem. Honestly, figuring this cipher out is one of the most addictingly fun things I have ever done.

I spent a lot of time trying different things. One idea was to take rows that I had the plaintext letter for, and for which I had the same first two numbers, and then look through the manifesto to see if any single word had corresponding plaintext characters in the correct character-within-a-word (3rd column) positions. I only found one or two cases where I had plaintext for multiple characters for rows that had the same first two numbers. For each of these cases I did find one or more words which had the correct plaintext characters in the correct positions. But the first two numbers in the rows still never made sense as (paragraph, word).

I took the text of the Hacker's Manifesto, copied it into a text file, and removed all the noise and punctuation characters, so that only the plain words of the manifesto remained, like this:

another one got caught today its all over the papers teenager arrested in computer crime scandal hacker arrested after bank tampering damn kids theyre all alike but did you in your three piece psychology and technobrain ever take a look behind the eyes of the hacker did you ever wonder what made him tick what forces shaped him what may have molded him i am a hacker enter my world mine is a world that begins with school im smarter than most of the other kids this crap they teach us bores me damn underachiever theyre all alike im in junior high or high school ive listened to teachers explain for the fifteenth time how to reduce a fraction i understand it no ms smith i didn't show my work i did it in my head damn kid probably copied it theyre all alike i made a discovery today i found a computer wait a second this is cool it does what i want it to if it makes a mistake its because i screwed it up not because it doesn't like me or feels threatened by me or thinks im a smart ass or doesnt like teaching and shouldn't be here damn kid all he does is play games they're all alike and then it happened a door opened to a world rushing through the phone line like heroin through an addicts veins an electronic pulse is sent out a refuge from the day to day incompetencies is sought a board is found this is it this is where i belong i know everyone here even if ive never met them never talked to them may never hear from them again i know you all damn kid tying up the phone line again theyre all alike you bet your ass were all alike weve been spoon-fed baby food at school when we hungered for steak the bits of meat that you did let slip through were pre-chewed and tasteless weve been dominated by sadists or ignored by the apathetic the few that had something to teach found us will-ing pupils but those few are like drops of water in the desert this is our world now the world of the electron and the switch the beauty of the baud we make use of a service already existing without 
paying for what could be dirt cheap if it wasnt run by profiteering gluttons and you call us criminals we explore and you call us criminals we seek after knowledge and you call us criminals we exist without skin color without nationality without religious bias and you call us criminals you build atomic bombs you wage wars you murder cheat and lie to us and try to make us believe its for our own good yet we're the criminals yes i am a criminal my crime is that of curiosity my crime is that of judging people by what they say and think not what they look like my crime is that of outsmarting you something that you will never forgive me for i am a hacker and this is my manifesto you may stop this individual but you cant stop us all after all were all alike

Note that my plain manifesto text above has all the apostrophes removed. This actually causes the character numbers in the 3rd column to not match, so save yourself some time and don't remove the apostrophes from the manifesto text.

This plain manifesto text turned out to come in very handy in the near future.

At some point during all the experimentation I decided to take the information I had so far, convert it into CSV format, and open it with Microsoft Excel (I use my Mac at a workplace that is mostly PC's so I need to have Microsoft Office for Mac installed to open the Word and Excel files my coworkers send me).

I converted the above data into CSV format by using a text editor (TextWrangler) to delete all blank lines between the groups and to replace all spaces with commas.  I saved the data to a .csv file and opened the file with Excel.


Looking for more cases where I had rows with the first two numbers equal to each other, I sorted the data by column A, then by column B, then column C. In Excel's main menu select Data > Sort.



In the Sort dialog, select to sort by column A, B, C and click OK:



The sorted data looks like this:



It turns out that this sorted data and the plain words of the manifesto are exactly what you need to build the key which is needed to decrypt the rest of the message.

If you continue to assume that the 3rd column numbers are character-within-a-word, when you start scanning down the rows of sorted ciphertext data and looking for matching words in the plain text of the Hacker's Manifesto, you quickly see that for all rows where the first number is 1, if you interpret the 2nd number as word-within-a-line and the 3rd number as character-within-a-word, the known plaintext characters match exactly.

For example, the row
1 1 7 r
matches line 1, word 1, character 7 of "another" at the beginning of the manifesto.

The row
1 4 1 c
matches line 1, word 4, character 1 of "caught" at the beginning of the manifesto.

Of course, at this point, the manifesto text is all one big line. The question is, how do we break the manifesto into lines so that the plaintext characters match up?

If you keep scanning down in the sorted data, the rows where the number in column 1 is "2" and for which we have plaintext characters are


2 3 3 e
2 5 5 e
2 6 1 b
2 7 2 i
2 9 2 n
2 25 5 e


That's quite a lot of known plaintext for the 2nd line of the key file. If you experiment with it, you find that it only works if you break the manifesto into a second line after the word "tampering". Once you do that, you repeat the same process, walking down the sorted data and breaking the manifesto into lines so that the known plaintext characters for the next row match up with the manifesto characters. It takes a long time, but when you're done, you have the key needed to decrypt the rest of the message. Here is the key:


GAME BIBLE BOOK 3 KEY

1  another one got caught today its all over the papers teenager arrested in computer crime scandal hacker arrested after bank tampering
2  damn kids theyre all alike but did you in your three piece psychology and technobrain ever take a look behind the eyes of the hacker
3  did you ever wonder what made him tick what forces shaped him what may have molded him
4  i am a hacker enter my world mine is a world that begins with school im smarter than most of the other kids this crap they teach us bores
5  me damn underachiever theyre all alike
6  im in junior high or high school ive listened to teachers explain for the fifteenth time how to reduce a fraction i understand it no ms smith i didn't show my work
7  i did it in my head damn kid probably copied it theyre all alike
8  i made a discovery today i found a computer wait a second this is cool it does what i want it to if it makes a mistake its because i screwed it up
9  not because it doesn't like me or feels threatened by me or thinks im a smart ass or doesnt like teaching and shouldn't be here
10 damn kid all he does is play games they're all alike
11 and then it happened a door opened to a world rushing through the phone line like heroin through an addicts veins an electronic pulse is sent out a refuge from the day to day
12 incompetencies is sought a board is found this is it this is where i belong i know everyone here even if ive never met them never talked to them may never hear from them again i know you all
13 damn kid tying up the phone line again theyre all alike
14 you bet your ass were all alike weve been spoon-fed baby food at school when we hungered for steak the bits of meat that you did let slip through were pre-chewed and tasteless
15 weve been dominated by sadists or ignored by the apathetic the few that had something to teach found us will-ing pupils but those few are like drops of water in the desert
16 this is our world now the world of the electron and the switch the beauty of the baud we make use of a service already existing without paying for what could be dirt cheap if it wasnt run by
17 profiteering gluttons and you call us criminals we explore and you call us criminals we seek after knowledge and you call us criminals we exist without skin color without nationality without
18 religious bias and you call us criminals you build atomic bombs you wage wars you murder cheat and lie to us and try to make us believe its for our own good yet we're the criminals
19 yes i am a criminal my crime is that of curiosity my crime is that of judging people by what they say and think not what they look like my
20 crime is that of outsmarting you something that you will never forgive me for
21 i am a hacker and this is my manifesto you may stop this individual but you cant stop us all
22 after all were all alike
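
The line-breaking procedure described above can be automated. The following is an added example, not code from the original post: it uses a constructed excerpt (the start of the cleaned manifesto text) and known-plaintext rows for lines 1 to 4 copied from the listing above, recovers where each key line starts, and then decodes rows whose plaintext was not yet known. The function names are hypothetical, and taking the first start offset that satisfies every known row is an assumption that can choose a wrong break when only a few rows are known for a line.

```python
# Constructed excerpt: the opening words of the cleaned manifesto text,
# enough to cover key lines 1-4 plus a few words of line 5.
MANIFESTO = (
    "another one got caught today its all over the papers teenager arrested "
    "in computer crime scandal hacker arrested after bank tampering damn kids "
    "theyre all alike but did you in your three piece psychology and "
    "technobrain ever take a look behind the eyes of the hacker did you ever "
    "wonder what made him tick what forces shaped him what may have molded him "
    "i am a hacker enter my world mine is a world that begins with school im "
    "smarter than most of the other kids this crap they teach us bores me damn "
    "underachiever theyre all alike"
)
WORDS = MANIFESTO.split()

# (line, word, char, letter) rows taken from the known-plaintext listing.
KNOWN = [
    (1, 4, 1, "c"), (1, 10, 2, "a"), (1, 1, 7, "r"), (1, 21, 5, "e"), (1, 21, 4, "p"),
    (2, 3, 3, "e"), (2, 5, 5, "e"), (2, 6, 1, "b"), (2, 7, 2, "i"), (2, 9, 2, "n"),
    (2, 25, 5, "e"),
    (3, 8, 3, "c"), (3, 10, 2, "o"), (3, 13, 2, "h"), (3, 4, 1, "w"),
    (4, 26, 1, "t"), (4, 22, 1, "o"), (4, 29, 1, "b"), (4, 13, 1, "b"),
    (4, 12, 2, "h"), (4, 2, 2, "m"), (4, 7, 3, "r"),
]


def letter_at(words, start, word, char):
    """Letter at 1-based (word, char) of a line that begins at words[start].

    Returns None when the position falls outside the text or the word.
    """
    idx = start + word - 1
    if idx >= len(words) or char > len(words[idx]):
        return None
    return words[idx][char - 1]


def find_line_starts(words, known):
    """Return the 0-based word offset at which each key line begins."""
    by_line = {}
    for line, word, char, letter in known:
        by_line.setdefault(line, []).append((word, char, letter))

    starts = []
    earliest = 0  # a line cannot begin before the last word the previous line used
    for line in range(1, max(by_line) + 1):
        rows = by_line.get(line)
        if not rows:
            raise ValueError(f"no known plaintext for line {line}")
        for start in range(earliest, len(words)):
            if all(letter_at(words, start, w, c) == l for w, c, l in rows):
                break
        else:
            raise ValueError(f"no break position fits the known rows of line {line}")
        starts.append(start)
        earliest = start + max(w for w, _, _ in rows)
    return starts


def decode_rows(words, starts, rows):
    """Decode (line, word, char) rows; '?' marks rows the recovered key cannot resolve."""
    out = []
    for line, word, char in rows:
        if not 1 <= line <= len(starts):
            out.append("?")
            continue
        start = starts[line - 1]
        # The word must lie before the start of the next recovered line.
        end = starts[line] if line < len(starts) else len(words)
        inside = start + word - 1 < end
        out.append((letter_at(words, start, word, char) if inside else None) or "?")
    return "".join(out)


if __name__ == "__main__":
    starts = find_line_starts(WORDS, KNOWN)
    for number, start in enumerate(starts, 1):
        print(f"line {number} starts at word {start + 1}: {WORDS[start]!r}")
    # Rows from the undeciphered middle of the message that fall in lines 1-4.
    print(decode_rows(WORDS, starts, [(1, 6, 1), (1, 14, 3)]))
    print(decode_rows(WORDS, starts, [(3, 12, 3), (4, 28, 2), (4, 24, 1)]))
```
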

Of course, using the above key to decrypt the message is a royal pain, so I converted it to a .csv file (remove the line numbers, find and replace spaces with commas) and opened it with Excel:



When the key has the words broken into columns, decrypting the rest of the message becomes much easier.

The full decrypted message, lined up with the original ciphertext data, is:


01 04 01 c
14 18 02 o
06 12 07 n
18 01 05 g
14 03 04 r
11 32 02 a
09 04 07 t
20 06 02 u
18 09 04 l
17 10 01 a
04 26 01 t
19 05 03 i
16 31 02 o
12 19 04 n
09 02 06 s

01 15 03 i

03 12 03
13 04 01
04 28 02 s
04 24 01 t

21 18 01 s
11 05 01 a
03 02 01 y

01 06 01 i
01 14 03 m

11 21 01 v
12 21 04
12 32 02
16 38 02 y

15 10 08 i
04 06 01 m
14 31 01 p
11 11 01 r
09 08 02 e
02 14 06
15 05 07 s
16 12 03 e
16 11 03 d

15 24 03 w
08 12 02 e
19 18 05 l
17 20 03

19 17 03 d
20 05 01 o
12 30 01
03 10 05 e

14 03 01 y
06 32 02 o
18 30 02 u

04 25 04 p
17 07 02 r
18 20 02 o
21 15 01 b
22 05 01 a
15 04 01 b
12 14 03
08 04 09 y

12 12 01
18 18 01
01 11 05
09 19 07 t

02 21 01 t
16 10 07 o

02 02 01 k
01 02 02 n
19 28 03 o
11 10 01 w

06 04 04 h
15 03 02 o
16 30 01 w

18 20 01 t
17 04 02 o

13 03 05 g
05 02 10
16 33 04 t

12 07 02
12 06 02

19 19 01 b
17 18 03 o
03 16 02 o
12 26 04

09 23 09 t
15 14 01 h
14 18 03 r
12 30 04 e
09 09 07 e

04 22 01 o
08 07 01 f

11 20 06 t
16 12 02 h
12 18 02 e

21 14 03 d
15 29 04 e
09 17 02 s
06 06 02 i
16 26 08 g
12 14 05 n
02 03 03 e
16 04 03 r
12 11 02 s

04 29 01 b
20 13 05 i
04 13 01 b
20 11 03 l
15 01 02 e

06 19 05 c
11 30 03 o
02 09 02 n
20 12 01 n
14 31 09 e
03 08 03 c
19 11 08 t

17 30 07 t
14 29 04 o

06 09 04 t
04 12 02 h
18 09 03 i
12 05 02 s

06 30 04 w
12 14 02 e
16 18 01 b

10 03 01 a
06 29 03 d
11 32 01 d
15 32 05 r
15 31 03 e
17 02 08 s
12 05 02 s

04 14 01 w
14 08 01 w
17 30 01 w

02 07 02 i
12 19 04 n
15 29 03 t
10 09 06 r
03 10 02 o
20 13 06 v
18 34 05 e
12 25 05 r
09 17 02 s
12 01 01 i
11 07 01 o
17 29 06 n

06 21 04 c
12 04 02 o

11 24 02 u
22 05 04 k

11 29 03 f
17 11 02 o
12 31 04 r
08 10 01 w
17 17 01 a
18 07 02 r
08 17 01 d
12 11 02 s
19 29 01 l
01 10 02 a
21 19 02 s
12 18 01 h

02 06 01 b
14 10 04 o
06 13 02 o
17 26 02 k
15 13 01 t
14 20 02 h
04 07 03 r
17 09 01 e
02 25 05 e

06 03 02 u
17 13 02 s
08 27 07 e
20 02 02 r
09 01 01 n
08 25 02 a
04 02 02 m
15 17 02 e

18 09 01 b
16 31 02 o
15 07 04 o
15 26 03 k
06 29 06 t
03 13 02 h
01 01 07 r
01 21 05 e
16 21 03 e

17 01 01 p
04 27 03 a
04 17 01 s
14 21 04 s
03 04 01 w
04 07 02 o
11 11 01 r
15 18 05 d

16 09 01 t
12 07 03 h
02 05 05 e
10 09 02 h
04 25 03 a
17 05 01 c
06 32 04 k
11 13 03 e
04 25 02 r
12 32 04 m
13 01 02 a
14 17 03 n
06 04 02 i
14 22 02 f
20 12 02 e
16 24 01 s
20 04 01 t
06 10 02 o
08 27 02 i
06 11 08 s
21 17 01 c
11 12 03 r
22 05 01 a
01 21 04 p

Note that there are some blanks in the above message where some of the characters from my key didn't quite make sense. It's obvious what those characters are from the context of the plaintext message, so it's no big deal. Rather than take the extra time to fix the remaining glitches in my key file, I chose to just leave the message as-is.


The fully decrypted message (punctuated and formatted) looks to be:

CONGRATULATIONS!

I must say I'm very impressed. Well done.

You probably want to know how to get to book three of the Designers Bible.

Connect to this web address: www.introversion.co.uk/bookthree.

Username: bookthree
Password: thehackermanifestoiscrap


This is a book cipher. For more information, see http://en.wikipedia.org/wiki/Book_cipher.

    Monday, October 17, 2011

    Getting Book 2 of the Uplink Game Bible

    Book 2 is found on the Uplink Bonus CD. A link to the Bonus CD is at http://www.introversion.co.uk/uplink/bonusdisk.html . The direct link is  http://www.introversion.co.uk/uplink/downloads/Bonus%20CD.zip .  Book 2 is in the "book2" folder on the CD.

    This folder contains the following:
    • 1 encrypted readme.txt file
    • 52 encrypted image files - these are the pages of book 2 of the Uplink Game Bible
    • a "book2.html" file with the message, "Book II is located on this CD in the book2 directory. You'll also find a readme.txt file, detailing how to find Book III. You didn't think it was going to be easy did you?" Basically the author throws down the gauntlet.

    When you use a hex editor to look inside the readme.txt file and the image files, you see that all the files begin with the same 16 bytes:








    I used HexEdit for Mac by SoftTonic which is available at http://hexedit.en.softonic.com/mac .

    The encrypted readme.txt file and the 52 encrypted image files all begin with 15 bytes which spell "ONETIMEREDSHIRT" followed by a 0 byte (a null). This 16 byte header is a hint that the file is somehow encrypted using both one-time-pad encryption and REDSHIRT encryption.

    After reading lots and lots of posts in the Introversion Uplink forum, forcing one to wade through lots of posts from douche-bags taking way too much enjoyment out of being in the know, the answer becomes clear. What the "ONETIMEREDSHIRT" header actually means is, "This file was one-time-pad encrypted using the bytes in a key file. The key file is itself encrypted with REDSHIRT encryption."

    You can read about one-time pad encryption at http://en.wikipedia.org/wiki/One-time_pad. In the case of Uplink Game Bible book 2 it means that the original file had each byte XOR'ed with some of the bytes inside another file. This other file is the one-time-pad, also known as the key file. The key file is used for both encrypting the original unencrypted plaintext message and for decrypting the encrypted ciphertext message.

    XOR is a reversible operation. For encryption, you XOR the plaintext file bytes (the original unencrypted bytes) with some of the bytes in the one-time-pad key file. To reverse the process and decrypt the encrypted text (the ciphertext) you XOR the encrypted bytes with the same bytes in the key file to get the unencrypted plaintext.

    The "world.dat" file is the one-time-pad key file used to both encrypt and decrypt the "Readme.txt" file and the encrypted Book 2 image files. The "world.dat" file itself comes encrypted using "Redshirt" encryption. You must first decrypt the "world.dat" file before you can use it as a key file to decrypt the  "Readme.txt" file and the image files.

    The "world.dat" file is installed to the "C:\Program Files\Uplink" folder when you install Uplink on Windows. AFAIK, the file is not included if you install Uplink on a Mac via download from Steam (as I did) instead of installing from an Uplink CD or CD image.

    I got my original copy of the "world.dat" file by creating a virtual Windows machine on my Mac (using Sun VirtualBox), downloading an Uplink Version 1.51 CD ISO image from BTJunkie using the Vuze BitTorrent client, and extracting the Uplink CD ISO image with IsoBuster. Please don't pirate a copy of Uplink, support Introversion by buying the game. Supporting Introversion is in your best interest because we want them to make more awesome games.

    Regarding the REDSHIRT encryption that's used to encrypt the world.dat file, here is the best description I found of it:
    REDSHIRT is an encryption system whereby every byte is XOR'd by 128 (0x80).  It is used on various files in the game Uplink by Introversion Software, to prevent people from hacking the game too easily. The name itself is a Trekkie joke, referring to the red-shirted crew members who inevitably die within the episode. Obviously this encryption was intended to be broken ;)
    When you XOR a byte by 128, you flip the highest bit of the byte. This makes the encrypted text look like gibberish when viewed in a HEX editor.

    When you encrypt a file using Redshirt encryption, first you XOR each byte in the file with 128, then you add a 9 byte header to the file. The 9 byte header consists of the bytes for the word "REDSHIRT" followed by a 0 byte (a null).

    When you decrypt a file that has been encrypted with Redshirt encryption,  you remove the first 9 bytes of the file, then you XOR each byte in the file with 128 (since XOR is reversible).

    Introversion has a Redshirt encryption / decryption utility for Mac which will do redshirt encryption / decryption for you. The Redshirt utility is available for download in the Uplink addons page at http://www.ambrosiasw.com/games/uplink/addons - use the "RedshirtX.sit" link. The direct link is http://www.ambrosiasw.com/assets/modules/addonfiles/download.php?addon=3157. To unzip the ".sit" file, I used a Mac app called "The Unarchiver" which I downloaded for free from the Internet (just Google for it).

    It turns out the "world.dat" key file is actually a Redshirt-encrypted MP3 file. After you use the Redshirt utility to decrypt the "world.dat" file, you can rename the file to "world.mp3" and then actually play the file using any MP3 player. You should hear lots of slowly modulating electric guitar feedback. It definitely sounds like someone goofing around with an electric guitar; it does not sound like random white noise. If you hear something that sounds like what I describe, you know you're on the right track.

    Hiding data like a one-time-pad inside a .MP3 file in such a way that the .MP3 file is still usable as a music file is an example of Steganography - very cool. My guess is that the Uplink designers just recorded some electric guitar sound to an MP3 file and used whatever bytes happened to result as the key file. AFAIK, they didn't encode anything else into the MP3 using full-bore steganography software like that found at http://www.petitcolas.net/fabien/steganography/mp3stego/, but who knows, maybe there's something else in that "world.mp3" file.

    Once you get the "world.dat" file decrypted and renamed to "world.mp3" and verify that the "world.mp3" file plays in an MP3 player, the next step is to use the bytes of the "world.mp3" file as a key to do one-time-pad decryption on the "Readme.txt" file and the image files of Book 2.

    It might be tempting to think that for each file to be decrypted you can just XOR byte 0 of the file with byte 0 of "world.mp3", then XOR byte 1 of the file with byte 1 of "world.mp3",  etc. Unfortunately it turns out that you can only start at byte 0 in the "world.mp3" file when decrypting the "Readme.txt" file, not when decrypting the image files.

    The key bytes for each image file are indeed inside the "world.mp3" file, but for each image file the key bytes start at a different offset within the "world.mp3" file.

    The way to find the offset within "world.mp3" where the key bytes for an image file start is to take advantage of the fact that all unencrypted .jpg image files start with the bytes "FF D8 FF" - see http://en.wikipedia.org/wiki/Magic_number_(programming). For each encrypted image file, if you XOR the first 3 bytes of the encrypted file with the bytes "FF D8 FF", you get the first three key bytes. You can search inside the "world.mp3" file for these three key bytes using a good Hex Editor. I used HexEdit for Mac by Softonic which is available at http://hexedit.en.softonic.com/mac. The offset within the "world.mp3" file where you find those 3 key bytes is the offset within "world.mp3" where the key bytes needed to decrypt the image file begin.

    Here is the C++ code to XOR the bytes of the encrypted files with bytes starting at an offset within the "world.mp3" file:

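    #include <cstdlib>
    #include <fstream>
    #include <iostream>

    int main( int argc, char *argv[] )
    {
        // This program is only used in one way:
        // otp <in_file> <key_file> <offset> <out_file>
        if (argc != 5)
        {
            std::cerr << "usage: otp <in_file> <key_file> <offset> <out_file>\n";
            return 1;
        }

        int offset = atoi(argv[3]);
        char ic = 0, kc = 0;

        // Open everything in binary mode so that no byte gets translated.
        std::ifstream I(argv[1], std::ios::binary);
        std::ifstream K(argv[2], std::ios::binary);
        std::ofstream O(argv[4], std::ios::binary);
        if (!I || !K || !O)
        {
            std::cerr << "cannot open one of the files\n";
            return 1;
        }

        // Skip the first <offset> bytes of the key file.
        for (int i = 0; i < offset; i++)
        {
            K.get(kc);
        }

        // XOR each input byte with the next key byte; stop if the key runs out.
        while (I.get(ic) && K.get(kc))
        {
            O.put((char)(ic ^ kc));
        }

        I.close();
        K.close();
        O.close();
        return 0;
    }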

    I used Xcode to turn the above C++ code into an executable application to decrypt the files. Xcode is included on the OS X Snow Leopard DVD. When installing Xcode, select the option to include "UNIX Dev Support". The Xcode application is installed at "/Developer/Applications/Xcode.app". In Xcode, from the main menu select "File > New project". In the New Project dialog select category "Application", select the type "Command Line Tool", and in the Type drop-down select "C++ stdc++". In the file browser dialog name the project "otp" (one-time-pad) and create a folder for it. In the project window, double-click the main.cpp file and overwrite the contents with the above code. From the main menu select Build > Build. In the project window, right-click the project node and select Reveal in Finder. In the "Build/Debug" folder copy the executable and paste into the folder containing the encrypted "Readme.txt" and image files.

    So the process to decrypt the "Readme.txt" file and each image file of Book 2 is:

    Use the Redshirt utility to de-redshirt the "world.dat" file.

    Rename the "world.dat" file to "world.mp3". Copy the "world.mp3" file to the folder containing the encrypted "Readme.txt" file and the encrypted image files.

    Listen to the "world.mp3" file in an MP3 player. If the file plays and you hear lots of slowly modulating electric guitar feedback you know you decrypted the "world.dat" file correctly.

    For the encrypted "Readme.txt" file and for each encrypted image file, do the following:

    Strip the 16-byte header from each file. The header contains the bytes to spell "ONETIMEREDSHIRT" and a trailing 0 byte (null). All 16 bytes, including the trailing null byte, must be stripped. I used HexEdit to do this.

    Use HexEdit to see the first 3 bytes of the file to be decrypted. If you have a shortcut to the HexEdit application in the dock, you can just drag a file from a Finder window to the shortcut in the dock to open the file with that application.

    XOR the first 3 bytes of the file to be decrypted with the bytes "FF D8 FF" to get the first 3 key bytes. To XOR the first 3 bytes of the file with "FF D8 FF", I used the Calculator app that comes with OS X. From the Calculator main menu select View > Programmer. Click the "16" button in the upper-right corner to select Hexadecimal mode. Use the XOR button to XOR the numbers. Or just do the XOR in your head for fun.

    Use HexEdit to search for the first 3 key bytes  within the "world.mp3" file. Write the offset of the 3 key bytes down. For example, the offset for the encrypted "Readme.txt" file will be 0, the offset for the encrypted RIMG0001.JPG file will be 3511.

    From a shell window, cd to the folder containing the encrypted files and the "otp" program. Run the command "chmod +x otp" to make the "otp" file executable (you only need to do this once). Run the "otp" program with the following command-line arguments: ./otp <in_file> <key_file> <offset> <out_file>

    Examples:
    mkdir decrypted (you only need to do this once)
    ./otp Readme.txt world.mp3 0 decrypted/Readme.txt
    ./otp RIMG0001.JPG world.mp3 3511 decrypted/RIMG0001.JPG
    ...

    The ciphers used for Book 2 are a substitution cipher (Redshirt) and one-time pad encryption.
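
    The Book 2 procedure above, end to end, as an added C++ example (not code from the original post or from Introversion): it strips both headers, undoes Redshirt, derives the first key bytes from the JPEG magic number and lists every pad offset where they occur. The pad and the encrypted "image" are constructed in memory, all function names are this example's own, and the offset 3511 is reused from the post only as a sample value.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Headers as described in the post; both include the trailing null byte.
const std::string REDSHIRT_HDR("REDSHIRT\0", 9);
const std::string ONETIME_HDR("ONETIMEREDSHIRT\0", 16);
const std::string JPEG_MAGIC("\xFF\xD8\xFF", 3);

// Remove an expected header, refusing input that does not start with it.
std::string strip_header(const std::string& file, const std::string& hdr) {
    if (file.compare(0, hdr.size(), hdr) != 0)
        throw std::runtime_error("unexpected file header");
    return file.substr(hdr.size());
}

// Redshirt body transform: flip the top bit of every byte (encodes and decodes).
std::string flip_high_bit(std::string data) {
    for (char& c : data) c ^= static_cast<char>(0x80);
    return data;
}

// XOR data with pad bytes starting at offset (encrypts and decrypts).
std::string otp_xor(std::string data, const std::string& pad, std::size_t offset) {
    if (offset > pad.size() || data.size() > pad.size() - offset)
        throw std::runtime_error("pad too short for this offset");
    for (std::size_t i = 0; i < data.size(); ++i) data[i] ^= pad[offset + i];
    return data;
}

// Known-plaintext step: ciphertext XOR known bytes = key bytes; list all pad hits.
std::vector<std::size_t> find_offsets(const std::string& body, const std::string& pad,
                                      std::string key = JPEG_MAGIC) {
    std::vector<std::size_t> hits;
    if (body.size() < key.size()) return hits;
    for (std::size_t i = 0; i < key.size(); ++i) key[i] ^= body[i];
    for (std::size_t p = pad.find(key); p != std::string::npos; p = pad.find(key, p + 1))
        if (body.size() <= pad.size() - p) hits.push_back(p);  // pad must cover the file
    return hits;
}

int main() {
    // Constructed stand-ins: a Redshirt-encoded pad and one encrypted "image".
    std::string raw(4096, '\0');
    unsigned x = 2011;
    for (char& c : raw) { x = x * 1103515245u + 12345u; c = static_cast<char>(x >> 16); }
    const std::string world_dat = REDSHIRT_HDR + flip_high_bit(raw);
    const std::string image = ONETIME_HDR + otp_xor(JPEG_MAGIC + "sample", raw, 3511);
    const std::string pad = flip_high_bit(strip_header(world_dat, REDSHIRT_HDR));
    const std::string body = strip_header(image, ONETIME_HDR);
    for (std::size_t off : find_offsets(body, pad))
        std::cout << off << ": " << otp_xor(body, pad, off).substr(3) << "\n";
}
```

    If more than one candidate offset is printed for a real file, the three known bytes were not enough to pin down the key position, and only one of the candidates will decrypt to a usable image.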

    Sunday, October 16, 2011

    Getting Book 1 of the Uplink Game Bible

    Spoiler alert - these posts tell how to decrypt the books of the Uplink Game Bible. Be advised that all the books of the Uplink Game Bible are available in unencrypted form in the Uplink Developer CD which can be downloaded via BitTorrent. I use the Vuze BitTorrent client on a Mac and the website btjunkie.org

    A word of warning - the challenge of getting the Uplink Game Bible was mostly intended for other Software Developers or hard-core computer enthusiasts.

    It is not necessary to hack the Game Bible in order to play the game. The Game Bible only contains design notes and sketches the Introversion developers made while developing Uplink; it does not contain any strategy hints, tactics, or secrets necessary to complete the game.

    Book 1 is available as an encrypted zip file. AFAIK, the file is not included if you install Uplink on a Mac via download from Steam (as I did) instead of installing from an Uplink CD or CD image.

    I got my original copy of the encrypted Book 1 file by creating a virtual Windows machine on my Mac (using Sun VirtualBox), downloading an Uplink Version 1.51 CD ISO image from BTJunkie using the Vuze BitTorrent client, and extracting the Uplink CD ISO image with IsoBuster. Please don't pirate a copy of Uplink, support Introversion by buying the game. Supporting Introversion is in your best interest because we want them to make more awesome games.

    In the Uplink installation CD, in the "misc" folder, is a "gamebible.zip" file. You can use Windows File Explorer to browse into this zip file to see that it contains "book1", "book2", and "book3" folders.

    The "book2" and "book3" folders are empty - they're just there to give you a hint that the Game Bible has three books (or had three books as originally conceived - a fourth book was added later).

    The "book1" folder inside the "gamebible.zip" file contains a "readme.txt" file and one image for each page of Book 1, 40 images in all. The "readme.txt" file and all the image files are password-protected files.

    Following some hints on the Introversion Uplink forum, I did some quick Google Images searches for words like Uplink, box, cover, back, and looked for the strange string on the Uplink CD back cover.

    The password appears encoded on the back of the Uplink CD box as this string:

    746f6f206D616E7920736563726574733f

    This is a hex-encoded string which decodes to the Game Bible Book 1 zip file password. The password is, "too many secrets?".

    To decode the hex string, add a percent-sign before each 2 characters so that it looks like this:

    %74%6F%6F%20%6D%61%6E%79%20%73%65%63%72%65%74%73%3F

    then go to a handy HEX to ASCII conversion tool like one of these:
    http://d21c.com/sookietex/ASCII2HEX.html
    http://members.multimania.nl/uplink/ (click HEX Converter link)

    Enter the string into the HEX box and click decode. The decoded text, "too many secrets?", will appear in the ASCII box.

    In Windows File Explorer, right-click the "gamebible.zip" file and from the context menu select "Extract all". Enter the password "too many secrets?" and click Enter.

    On a Mac, you cannot use the Archive Utility to unzip a password-protected .zip file. I used a separate utility called "The Unarchiver" instead: see http://www.macupdate.com/app/mac/22774/the-unarchiver.

    So what kind of encryption do password-protected .zip files use? AES (Advanced Encryption Standard).

    Getting the Uplink Game Bible

    Spoiler alert - these posts tell how to decrypt the books of the Uplink Game Bible.

    Be advised that all the books of the Uplink Game Bible are available in unencrypted form in the Uplink Developer CD which can be downloaded via BitTorrent. I use the Vuze BitTorrent client on a Mac and the website btjunkie.org

    A word of warning - the challenge of getting the Uplink Game Bible was mostly intended for other Software Developers or hard-core computer enthusiasts.

    It is not necessary to hack the Game Bible in order to play the game. The Game Bible only contains design notes and sketches the Introversion developers made while developing Uplink; it does not contain any strategy hints, tactics, or secrets necessary to complete the game (AFAIK).

    All work was done on a Mac.

    One of the coolest things about Uplink is the fact that in addition to the simulated hacking that takes place in the game, the game designers provide an opportunity to hack their Uplink game design notes, a.k.a. the "Game Bible". The Game Bible is broken into four books, each hidden or encrypted in a different way.

    All four of the Uplink Game Bible books have been available for some time in decrypted form in the Uplink Developer CD, which can be downloaded for free via BitTorrent (I used the Vuze BitTorrent client running on a Mac and downloaded an Uplink Developer CD torrent found via http://www.btjunkie.org).

    But if you're like me (a Software Engineer with too much free time on his hands), having the decrypted Uplink Game Bible books is not enough. You'll also want to know the algorithms used to encrypt the files in the first place.

    Despite the fact that the game Uplink was released in 2001, the source code for the game has been published, and the four decrypted Game Bible books have been published, AFAIK no one has published the methods used to encrypt the four Game Bible books in the first place.

    This piqued my curiosity, so I set out to discover how the books were originally encrypted, starting from the original encrypted copies, and in some cases taking advantage of the available decrypted copies of the books (a "known plaintext attack" against the original encryption ciphers).

    In the posts that follow, I detail how I reverse-engineered the ciphers that were used to encrypt each of the four books of the Uplink Game Bible. Beware - spoilers follow. Another motivation for me to post this information was all the douche-bags on the Introversion Uplink forums who thought people should have to wade through every post in the forums to get this information. I regard that as a waste of people's time, hence these posts.

    As I found out, finding the ciphers that were used to encrypt the Uplink Game Bible books is harder for some of the books than others.

    Getting Book 1 of the Game Bible requires ASCII-decoding the password for a password-protected zip file.

    Decrypting Books 2 and 3 requires familiarity with hexadecimal numbers, ASCII encoding, file formats, the command prompt, C programming, and binary operations (XOR). Also helpful is familiarity with hex editors, regular expressions, Microsoft Excel, and Star Trek.

    Getting Book 4 only required finding the book on a BitTorrent tracking site. This original file can no longer be found, but of course Book 4 is available on the Uplink Developer CD via BitTorrent.

    In my next post, I'll detail how I determined how Book 1 of the Uplink Game Bible was originally encrypted.