GCHQ Challenge

Is there a hidden stage?

Posted by hossg on December 02, 2013

So I haven’t given up on the idea that there might be a hidden stage/problem.

I took the comp3.jpg, and created firstfile.jpg - corresponding to “what is left” once you’ve pruned the answer to stage 4 from the image. When viewed, firstfile.jpg displays the same artefacts in the bottom right of the image as before (this is as I expected if an image renderer simply shows the first image in the file it comes across). If you then look at a hex dump of the image file you note some very odd contents early on in the file:

00000d0: 0a0b ffc4 00b5 1000 0201 0303 0204 0305  ................
00000e0: 0504 0400 0001 7d01 0203 0004 1105 1221  ......}........!
00000f0: 3141 0613 5161 0722 7114 3281 91a1 0823  1A..Qa."q.2....#
0000100: 42b1 c115 52d1 f024 3362 7282 090a 1617  B...R..$3br.....
0000110: 1819 1a25 2627 2829 2a34 3536 3738 393a  ...%&'()*456789:
0000120: 4344 4546 4748 494a 5354 5556 5758 595a  CDEFGHIJSTUVWXYZ
0000130: 6364 6566 6768 696a 7374 7576 7778 797a  cdefghijstuvwxyz
0000140: 8384 8586 8788 898a 9293 9495 9697 9899  ................
0000150: 9aa2 a3a4 a5a6 a7a8 a9aa b2b3 b4b5 b6b7  ................
0000160: b8b9 bac2 c3c4 c5c6 c7c8 c9ca d2d3 d4d5  ................
0000170: d6d7 d8d9 dae1 e2e3 e4e5 e6e7 e8e9 eaf1  ................
0000180: f2f3 f4f5 f6f7 f8f9 faff c400 1f01 0003  ................
0000190: 0101 0101 0101 0101 0100 0000 0000 0001  ................
00001a0: 0203 0405 0607 0809 0a0b ffc4 00b5 1100  ................
00001b0: 0201 0204 0403 0407 0504 0400 0102 7700  ..............w.
00001c0: 0102 0311 0405 2131 0612 4151 0761 7113  ......!1..AQ.aq.
00001d0: 2232 8108 1442 91a1 b1c1 0923 3352 f015  "2...B.....#3R..
00001e0: 6272 d10a 1624 34e1 25f1 1718 191a 2627  br...$4.%.....&'
00001f0: 2829 2a35 3637 3839 3a43 4445 4647 4849  ()*56789:CDEFGHI
0000200: 4a53 5455 5657 5859 5a63 6465 6667 6869  JSTUVWXYZcdefghi
0000210: 6a73 7475 7677 7879 7a82 8384 8586 8788  jstuvwxyz.......
0000220: 898a 9293 9495 9697 9899 9aa2 a3a4 a5a6  ................
0000230: a7a8 a9aa b2b3 b4b5 b6b7 b8b9 bac2 c3c4  ................
0000240: c5c6 c7c8 c9ca d2d3 d4d5 d6d7 d8d9 dae2  ................
0000250: e3e4 e5e6 e7e8 e9ea f2f3 f4f5 f6f7 f8f9  ................
0000260: faff da00 0c03 0100 0211 0311 003f 00fd  .............?..

Now I can’t believe those numeric/alphabetic sections are a coincidence.

The JPEG sections they belong to are Huffman Tables - they begin with the hex sequence FFC4, and although I’m no expert I don’t see why Huffman tables (which are represented at a bitwise level) should have that sequence.

I have so far tried a few approaches, making the assumption that the english/numeric sequences are markers of some sort:

  1. I took the data in each Huffman table up to the beginning of the marker and tried to decrypt it using the stage 2 private key
  2. I wondered if the similar (but not identical) marker sequence was intended to be used to align the two sections/surround bytes to XOR the data from the two sections with one another
  3. I took the results of both 1 and 2 and tried both a conventional hex->ascii view and a base64 decode

I’m not really sure what to try now… and it’s all the more frustrating since I don’t KNOW that there’s a problem here to be solved!

I do wonder if using a “repaired” private key from Stage 2, or using the “extra data” that appears there could be of some use, since that is the only other thread “hanging loose” from the puzzles.

The only other approach I can think of is a binary/bit-level examination of the two sections/huffman tables - given they are (in a normal jpeg) encoded at a bit level rather than a byte level to see if anything looks obvious from there.

I think that’s it for this evening… :(

It’s not looking good… Well I decided on an alternative approach at least to see whether I was chasing a shadow in the first place. Courtesy of google image search (colossus bletchley) I found the same picture as comp3.jpg from an alternative source: http://lowres-picturecabinet.com.s3-eu-west-1.amazonaws.com/43/main/50/129708.jpg

Looking closely at this I see the same vertical/horizontal artefacts at the bottom of the image which suggests these at least are not steganographic side effects courtesy of GCHQ.

If I do an xxd dump of this new file, I notice that it is not precisely the same JPEG, but I do notice a Huffman Table that looks similar:

0000080: 0506 0708 090a 0bff c400 b510 0002 0103  ................
0000090: 0302 0403 0505 0404 0000 017d 0102 0300  ...........}....
00000a0: 0411 0512 2131 4106 1351 6107 2271 1432  ....!1A..Qa."q.2
00000b0: 8191 a108 2342 b1c1 1552 d1f0 2433 6272  ....#B...R..$3br
00000c0: 8209 0a16 1718 191a 2526 2728 292a 3435  ........%&'()*45
00000d0: 3637 3839 3a43 4445 4647 4849 4a53 5455  6789:CDEFGHIJSTU
00000e0: 5657 5859 5a63 6465 6667 6869 6a73 7475  VWXYZcdefghijstu
00000f0: 7677 7879 7a83 8485 8687 8889 8a92 9394  vwxyz...........
0000100: 9596 9798 999a a2a3 a4a5 a6a7 a8a9 aab2  ................
0000110: b3b4 b5b6 b7b8 b9ba c2c3 c4c5 c6c7 c8c9  ................
0000120: cad2 d3d4 d5d6 d7d8 d9da e1e2 e3e4 e5e6  ................
0000130: e7e8 e9ea f1f2 f3f4 f5f6 f7f8 f9fa ffda  ................

While it doesn’t appear to be repeated this does at least suggest that this sequence of characters is not as unlikely as I had assumed in a JPEG file, and hence once again it does not look as if there is further material encoded in the original image.
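As an added example (not part of the original post), the sketch below parses the first FFC4 segment from the firstfile.jpg dump above and checks that its 162 symbol bytes are exactly the run/size values a baseline AC Huffman table holds, which is where the ASCII-looking runs come from. The function names are illustrative, and the byte string is transcribed from the dump.

```python
import re
import struct

# First FFC4 segment of firstfile.jpg, transcribed from the xxd dump above
# (offsets 0xd2 through 0x188).
DHT_FROM_DUMP = bytes.fromhex(
    "ffc400b5100002010303020403050504040000017d010203000411051221"
    "31410613516107227114328191a1082342b1c11552d1f02433627282090a1617"
    "18191a25262728292a3435363738393a434445464748494a535455565758595a"
    "636465666768696a737475767778797a838485868788898a9293949596979899"
    "9aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5"
    "d6d7d8d9dae1e2e3e4e5e6e7e8e9eaf1f2f3f4f5f6f7f8f9fa"
)

def parse_dht(segment):
    """Split one DHT segment into {(class, id): (counts, symbols)}."""
    marker, length = struct.unpack(">HH", segment[:4])
    if marker != 0xFFC4:
        raise ValueError("not a DHT segment")
    body, tables, pos = segment[4:2 + length], {}, 0
    while pos < len(body):
        tc, th = body[pos] >> 4, body[pos] & 0x0F  # class (0=DC, 1=AC), table id
        counts = list(body[pos + 1:pos + 17])      # number of codes of length 1..16
        n = sum(counts)
        symbols = body[pos + 17:pos + 17 + n]      # one byte per Huffman code
        if len(counts) != 16 or len(symbols) != n:
            raise ValueError("truncated table")
        tables[(tc, th)] = (counts, symbols)
        pos += 17 + n
    return tables

def ac_symbol_alphabet():
    """Values a baseline AC table holds: (run << 4) | size, plus EOB and ZRL."""
    pairs = {(run << 4) | size for run in range(16) for size in range(1, 11)}
    return pairs | {0x00, 0xF0}

def printable_runs(symbols, min_len=7):
    """Runs of printable ASCII in the symbol list, as xxd would show them."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, symbols)

if __name__ == "__main__":
    counts, symbols = parse_dht(DHT_FROM_DUMP)[(1, 0)]
    print("symbols:", len(symbols), "unique:", len(set(symbols)))
    print("all legal run/size values:", set(symbols) == ac_symbol_alphabet())
    print("printable runs:", printable_runs(symbols))
```

Because each symbol packs a zero-run length in the high nibble and a coefficient size (1 to 10) in the low nibble, runs 2 to 7 land in printable ASCII, and sorting them by code length leaves the sequential tail that reads as `CDEFGHIJSTUVWXYZ...` in a hex viewer.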

I’m still wondering what to do with the additional information in the RSA private key file. Perhaps I’ll look at that more tomorrow.
For a further look at this please see: Further Analysis