I had a blast in this community since joining, and what is a better way to thank than to make some giveaways. However, what I enjoyed the most, by far, were various puzzles, so I'm obviously making one of my own now.

There are 3 giveaways, first one should be pretty accessible, it's a rather easy encoding/trivia puzzle so a tradition is fulfilled. The real challenge starts from there. I tried to design it so it is hard, but solvable without a requirement of wild mass guessing, divine intervention, bruteforcing or very proficient English command. Thinking is still required though. Mostly logical thinking.. Mostly. Sometimes lateral, too. We'll see how it works out.

Also, I checked everything at least three times and I honestly think it is very unlikely that I messed something up.

I set the giveaways to end on Sunday, May 20th, 2100 ZULU. Lookie, lookie, I even made a handy timer for y'all.

So, onto the first puzzle! Good luck!

http://www.steamgifts.com/giveaway/Xxxxx (no digits)

.---- ... -/.-.. . - - . .-./.. .../.- - --- -- .. -.-./-. ..- -- -... . .-./---../.- -. -../- .... ./.-.. .- ... -/...--/.-.. . - - . .-. .../.... .- ...- ./-- -... .-./.. -.. . -. - .. ..-. .. . .-./----- -..- ...-- .....

Solution

Foreword

I tried to put myself in shoes of a solver and not to do something that would not be logical. Wanted to crate a certain flow in the puzzle with a lot of not crucial detail but hopefully something to appreciate by puzzle connoisseurs. There were only few steps that I considered really hard, intertwined with some easier (but still possibly hard) steps to keep interest and morale up, to give a sense of progress.

It could get bit technical at times, something I guess more technical people (like me) would appreciate, but for less technical people it could become like a meta-puzzle.

With my first puzzle I subtly encouraged searching online for answers, also in my email, so even if something wasn't immedietely recognizable I think it was searchable.

Overall I'm satisfied with the achieved results. The number of solvers/entrants for each giveaway matched quite well what I had in mind when designing this. I expected a bit more on the first one though.. Didn't count exactly how many commenters already had the games, save for the last one where it was easy (one person). I aimed for something around 200/50/10 solvers, got 147(+?)/40(+?)/8(+1).

I don't think I'll make as hardcore puzzle next time. I got stumped on many puzzles, sometimes (not always) imho unfairly, and in my own way wanted to make a few statements, not all of which I'm going to explain :) Anyway, I think I am artistically complete now. xD

Congratulations to all solvers, and especially the winners!

1. The trivial beginning.

• morse code with slashes dividing words

• 1st letter is atomic number 8 = (O)xygen

• last 3 letters have MBR identifier 0x35 = JFS (easily found online; okay as one user pointed out this is technically partition identifier within MBR, so I've used bit of a shorthand there)

• 2nd letter not mentioned, but I didn't want you to brute force. Just take 'x' from pattern. Some people thought (Ox)ygen and it's a lucky coincidence it actually worked out for them :)

• First giveaway code: Oxjfs - it was Time Gentlemen Please! and Ben There Dan That! Special Edition Double Pack

Had some fun with trivia/quiz giveaways concept. The way how you may end up bruteforcing a letter, the way some stuff is easily found on the internets, etc. Morse code thrown in for good measure. This was meant to be rather accessible, but a puzzle that stands on its own nonetheless.

Slashes confused some people (and some tools). Not really intended but there you go, added challenge I guess.

2. The Hidden Email

• A hidden link in the description on giveaway #1. You had to look in the HTML source code of the page
• It was a paste of an email, pretty much what goes over the wire in MIME format
• Text was mostly some elaborate babbling, but it did point out the main puzzle is the attachment, and that it's a good idea to start with artists (whatever that means, right?)
• Some general tips like noting your progress not to get lost.. some fragments of the puzzle work on what you did earlier. Also, pretty much everything in the puzzle was doable online, without offline tools. Literally the only thing I myself couldn't do online was unpacking, but I only tried wobzip.org, no idea why it didn't work, they say they support 7z. Didn't bother to look for anything else online, though.

The email has kind of an easter egg for the very end. Kind of a satire. I have toyed with the idea for it to be the code for the final giveaway, but didn't want to take the risk someone actually figuring that out. So instead it pointed back to the first giveaway. It would still seriously weird out someone if found. In hindsight, I could've probably risked pointing to the second giveaway with some rot13 thrown in for teh lulz.

Pastebin.com didn't like (MI)ME, they called me a spammer! ("Stop spamming! Contact admin@pastebin.com to get this ban lifted"). I had to find another site but as an added bonus it had email syntax highlighting. Nice touch.

3. The Face Value

• Decode the base64-encoded attatchment, but you had to use something that worked with a binary file; alternatively, you could open the downloaded text with a program that understands *.eml files
• What you get is a jpg showing a well known PROBLEM? trollface; the file has many surprises though
• The trollface has dots and dashes on its contour, not particularly hard to spot I think. Yes, it's morse code
• The picture is essentially flipped around one of diagonals (which is two simpler transformations that are available in many tools: rotate 90 degrees clockwise and flip horizontally). This is an important hint, not only a way to mess with the morse code and confuse people to try decoding mirrored morse code
• If read as mirror image, the dots and dashes don't make much sense especially that one 'letter' doesn't even have meaning in morse
• Read properly, these are two "words" (not one!): 7Z and EXIF, designed to hint you for future
• 7z = 7-zip = packing format
• EXIF - Exchangeable Image File Format, to hint you where to look (EXIF metadata). An excellent online tool to view the metadata comes up pretty high on online searches

Imagine that, base64 wasn't invented to make puzzles. It actually was invented to send binary data over a channel that accepted only (lower, 7 bit) ASCII text and some binary data could have control characters and whatnot and mess it up.

In hindsight, I could've put EXIF on top and 7z second, perhaps, to point out you gotta go EXIF route first? I think people discovered entrance to the final message for giveaway #3 too early and got confused. But I said in email, look for artists first. EXIF metadata "artists"! I also repeated many times, there is no random guesswork involved, so there was no point in trying passwords if you were not 100% sure it actually is the password.

4. Artists and (XP)Comments

• Time to read some metadata about artists; for at least some of the OSes, it could be shown in file properties; there are also many tools for that, especially one handy online tool that would also show you a surprise right away.
• Artist names: Hacnpx Zr; Qrpbqr KCPbzzrag Sbe Cnffjbeq; Ebg13 SGJ!!!
• Weird? It is good old rot13, telling you exactly what to do: unpack the file, but first look for the password in XPComment, another piece of metadata. Also, had a very important insight: Rot13 FTW!!!
• Unpack? Yeah, open the image in an unpacking tool. The format is 7z, hinted by the "face value" morse code. WinRAR maybe could deal with it, dunno, haven't checked. But again, no point in trying random passwords until you decode the XPComment. The unpacking step was the only thing I couldn't do online, but didn't try too hard either
• XPComment looks like base64.. but unpacked is a lot of eeccddee and some ETX and EOT chars. Kind of garbage-y. But it had a hint at the end: [Y U NO WANT WIN??!]
• Actually turned out to be a hard reference to get: Y U NO WANT WIN??! Well.. Rot13 FOR THE WIN!!!
• Slightly more subtle: Artists were encoded Rot13 first, why not try this on XPComment?
• XPComment: rot13 first, then base64 second! Lookie lookie, string of 0s and 1s
• Obvious next step: binary
• Bunch of dots and underscore. Wait.. what.. a morse code without separation? That would be dang hard. No, it's much easier and there's a base64 encoded hint at the end
• hint "._"->"01": replace "." with "0" and "_" with "1".
• Now binary and you get: pass=sha1(full_txt_from_exif_thumbnail) - meaning to look for exif thumbnail and whatever text appears there, compute the value of sha1 hash function for it

The idea of binary => base64 => rot13 is ripped off directly from (I mean, inspired by) a puzzle from a month ago. I'd give credit but the author didn't provide solution methinks so not gonna do that. It was basically impossible to solve one part without bruteforcing until he added a very clear hint about using rot13 first. He linked to this puzzle from one of his more recent ones, too. I decided to use this stuff and add some subtler hints. It turned out to be a killer again. Though you actually could get to giveaway #2 without it, seeing the EXIF thumbnail earlier by chance in a tool or file explorer. It was still required for giveaway #3, though.

There was a similar puzzle recently, too, just not with rotated base64, but something else (Welsh). So some experienced puzzlers might have been tipped off.

5. The Trolling QR Code

• It turns out exif thumbnail has a QR Code!
• The QR code as it is, is UNREADABLE. Good software should give you an error, even better software could possibly figure out for you what was wrong, if you were lucky? Baffling for sure, but I repeatedly said if something doesn't work, you got it wrong. I'm sorry if someone used a software that actually had philosophy "garbage in, garbage out", and thought that I actually meant the garbage is something without me giving any hints.
• Troll face was the hint. You had to do the same transformation to the QR Code to make it readable as was required to correct the trollface (flip around a diagonal; mirror image on its own without rotation would probably work too, as software easily accounts for rotation - that's why one of the markers is smaller - but not for mirror image)
• Corrected QR code read as follows:
  YAY! Celebratory midway giveaway: xTuPP. Keep this for later: [anti-crack hint: 0123456789->GINPQRSTVY]
• The giveaway #2 was Hydrophobia: Prophecy The description there was explaining people that if they got QR code bypassing some earlier steps, it's fine, but they need those steps anyway for the final giveaway.

I think too many people couldn't believe me I didn't do anything that was not logical. It was pretty logical (even if not necessarily obvious) to me that if original big image is flipped, the thumbnail is too.

This was actually a base forming my puzzle, something I noticed when playing with QR Codes to get an inspiration for some puzzles. I've noticed that a code flipped around diagonal (rotated 90 degrees right, flipped horizontally) looks legit, but is not. Decided to hide it in thumbnail and add a main picture that would hint a transformation is required. I made it a base for middle tier giveaway, added something fun and light at the beginning to make more people happy, and dang hardcore puzzle based mostly on playing with various encodings for the final giveaway.

I needed a way to hint people to find the thumbnail, if they didn't do it by chance. EXIF on trollface was a pretty good hint already, while XPComment was directing straight there.

6. Diving Deeper

• As Hydrophobia description explains, time to piece everything together and dive deeper
• compute sha1 of the message read from thumbnail: 636ad91c7a69885e6abda390c9548205f8decfe9
• unpack the image with 7z tool, providing the password
• You got a file final_message.txt!

The password was long and effectively random to prevent someone from cracking the archive. I just decided to warn people (in Hydrophobia message) about some potential caveats: keep the qr code message without newline at the end, and you could still end up with lower or upper case, but only one works.

7. The Final Countdown

• Plaintext English message giving you clue(s) to use after the anti-crack clue, followed by actual encoded message.
• Message was first encoded in base 64; decoded stuff looks mostly like garbage, but has some plain text at the beginning You actually want my HEX. Use the anti-crack hint on it.
• So.. take the HEX of the message. Would be best to only take the part excluding the English text, it was separated by 8 nulls from the remainder (starting with F4B36238F4B36238)
• The anti crack hint (from QR Code) is a substitution, digits to some letters. As said, now it's time use it. Snippet above ends up being FQBPSNPVFQBPSNPV
• If you took HEX with spaces and lower case, despite me screaming in CAPITALS all over the relavant places, I'm sorry, you were making things more difficult for yourself, though there is last final warning later on.
• A repeating pattern to notice is NPV
• The VPN clue is actually two things: reversing the string you got after anti-crack substitution, and doing a Caesar cipher shifted by 11. Yes, not rot13 this time. And not a simple substitution of three letters (btw I didn't use "->" this time, commonly used by me earlier to note substitution). Supporting hint was that I considered AUS instead of VPN (that would require shift by 5 to decode)
• so, reverse and rot11: GAYDAMBQGAYDAMBQ
• Another thing heavily hinted by English text was that I have "based on half of the usual 64". This meant, base32
• It's your final warning you need capital letters: base32 uses only capitals. Even if you used anti-crack literally and ended up with uppercase GIN.. you could still have left over hexadecimal digits a - f in lower case.
• base32 decode to get string of "0" and "1" (ok my example ends up being all zeroes 0000000000, but you get the point)
• binary decode to get something that looks (and, as a matter of fact, is) base64 again
• base64 to get.. garbage again, but with a hint at the end: 0->1
• There's a leap to make based on previous steps: I want you to take binary this time, and swap zeroes and ones. Not swapped is again some garbage.
• After swapping 0s and 1s, decode binary to get the final message.

This was a bunch of various text transformations piled up together. I was inspired to use base32 in my puzzle by some forum key giveaway (can't find the link, sorry). It actually got me totally stumped back then as I didn't use base32 earlier at all.. So I decided to use it myself, but hint about it. I played with it, encoded zeroes and ones and noticed this one peculiar repeating pattern. Like I said, it was hard to miss and hard not to use in my puzzle.

8. The Easter Egg

• Final message in plain text:

Very nice, almost there!!! The final
part is a simple substitution cipher.

First alphanumeric string is:

4WES0M3PUZLG1VAYNOH8KTXBIRCJDFQ25769

Second alphanumeric string is:

0ABCDEF12GHIJO3PQRSTUVXYZ4567W8KLMN9

I will let you figure out which
direction to use. 50/50, eh? Casing
should not be a problem.

Oh, yes. You wonder where to use the
cipher. The encoded giveaway code
is back in the MIME boundary, last
part after the dot. Hex encoded 1st.
It may look suspiciously familiar!

• The last 5 hex encoded bytes in the MIME boundary back in the email actually form the first giveaway code
• Final giveaway code after proper substitution: Vx13h - Alan Wake.

The final easter egg was a statement that FOR CRYING OUT LOUD, HOW I WAS SUPPOSED TO FIGURE THIS OUT WITHOUT PRIOR KNOWLEDGE OR INSIGHT INTO THE PUZZLE CREATORS MIND! ;)

Epilogue

In the end, there was a nice and light puzzle for the first giveaway, funky mind bending idea with QR code for the second giveaway, and heaps upon heaps of various decodings required for the final giveaway. A lot of stuff was twisted, though, and hidden in not necessarily obvious places. But there was always a hint on what to do and where to look.

In the encodings area arguably the most funky thing I used was base32. Besides that I only used morse, base64, binary, Caesar shifts including well known rot13, and some substitutions that always had the key provided.

Thank you for participation, I hope you had fun, even if you didn't win anything nor had solved everything.

No, I did not count just how many steps there were.