XOR? OR NOT XOR?
Since string on Onion no 2 is growing; we expect it is like it was reddit in 2012 and twitter in 2013.
Most agree that XOR Would be good guess
- shout out to our boys at OTP22 for creating this tool (crashdemons):
Documented effort:
- http://codeseekah.com/cicada/zN4h51m.file.txt [300kb] (approx. 20 bytes, fed through file(1), nothing interesting it seems)
- http://codeseekah.com/cicada/3301.file.txt - 2mb of file(1) output scavange away, nothing interesting it seems, please check closer
Tool for XORing:
http://codeseekah.com/cicada/xor.html
List of strings to look for:
- Look for any ASCII characters
- look got FF D9 of FF D8 for jpgs
- look for Gzip
- Look for all File signatures http://www.garykessler.net/library/file_sigs.html
LIST OF THINGS THAT HAD BEEN XORDED AND RESULTED STRINGS
(please keep that link in order to keep on track with the recent process)
FLASHBACK FROM THE PAST
- look at this: http://prntscr.com/2hdya7
- search this article for "padding"
- last year
twitter feed was also automatic and constantly posting
we did clever XORring (ymgve did)
and we predicted last tweets
http://uncovering-cicada.wikia.com/wiki/Tweeter,_XORing,_Gematria_Primus_and_two_TOR_adresses search this articles for "padding"
Output was much larger than BASE64 needed for png, so it was padded with filler. Part of file after base64 contain only repeating string: 3301033010330103301033010...
MAYBE WE HAVE SIMILAR PADDING NOW - http://static2.wikia.nocookie.net/__cb20130112052317/uncovering-cicada/images/9/98/DIAGupdated.jpg
here is diagram of last year
swhowing what was xored
http://prntscr.com/2heqsw !!! to get base64 encoded png, we XORED three things!
tweets XOR mp3 XOR 560.13 = BASE64 encoded png
Blackpit73 zip file of binnaries from 3301 2014
[00:29] <blackpit73> ok, I did upload a large mega_xor.zip now, containing 2186 files generated by all current binaries xoring them together in all permutations with each file either: ignored, xored or the reverse xored. and one of the files included is ff.bin, that is a file containing only 0xFF, i.e. XORing the complete result.
[00:29] <blackpit73> the ZIP is 63MB... so have a lot of fun analyzing the hell out of it -- but when that is done, we can surely say that file-xoring does not deliver results -- or maybe we find the jackpot ;-)
[00:29] <blackpit73> https://www.dropbox.com/s/o4kaxnyoumd46p6/mega_xor.zip
[00:29] <blackpit73> I'll have to go offline now (GMT+1...), in case of questions I'll be here tomorrow, or you can also write to me an gmail
Afer 11.1.2014 22:22 .onion 3 page was updated with different string than few minutes before
- source code contained two interesting things, the < !---3301---> html comment, and the number 57 in last line.
- first image was same as previously
- second image was corrupt http://prntscr.com/2irn86
- http://prntscr.com/2irc8q first different byte, in mirrored jpg that was mirored alredy
- http://prntscr.com/2irdbi last different byte, in mirrored jpg that was mirrored alredy
- Here is hexdump of filediference (1.00 MB (1,055,041 bytes):
- https://infotomb.com/4l8ku# (from original, not mirrored)
- https://infotomb.com/tr3d1# (mirrored, same order as it would be if that would be bottom jpg)
- here is 7z file of both strings, 4jpgs, 3 outgueesed msgs, and hidden string (mirr and notrmal)
Add more files
Add more files
May the enlightening field upon all of you.
-3301
Progress of PUZZLE is above this title