COGBOT 1347–1 Interface

Upon visiting the linked site, we were greeted by a two-way chat interface with what appeared to be an AI helpdesk:

In the AI’s thematic bootup sequence we see:

<< Neon District Help Desk is Online >>

COG 1347–1 version 2.4.2148 (gcc version 7.96 200)

MUR 132118 (GOG MUR 5.5.2393) 2XXX-9–18 22:5:1

BIOS-provided neon RAM map:

BIOS-mur132118: 00000000000000000–000000000009fc00 (usable)

BIOS-mur132118: 0000000000009fc00–00000000000a0000 (reserved)

BIOS-mur132118: 00000000000ce0000–0000000000100000 (reserved)

BIOS-mur132118: 00000000000100000–000000003fff8000 (usable)

BIOS-mur132118: 0000000003fff0000–0000000040000000 (ACPI data)

BIOS-mur132118: 0000000003fff8000–0000000040000000 (ACPI NVS)

BIOS-mur132118: 000000000fff00000–0000000100000000 (reserved) Initializing CPU#0

Dentry cache hasssssssssssssssssssssssssssh

Ramfs: mounted with oooooooooooooooooooooooooopjuhuihrfp8943hh

ERROR

CPU : MURMURMURMURMURMURMURMURMURMUR

SYSTEM_ERROR

Total number of system errors : 5

Manual override recommended.

Although we attempted to use this text for solving steps in the puzzle, which we’ll describe later, the only useful piece of information from this POST message is:

Total number of system errors : 5

Chatting with cogbot leads to mostly meaningless conversation back and forth. Cogbot can express emotions and moves through 5 different emotional states as you speak with him. The color of his eyes depict his current emotion:

Key Responses

As mentioned previously, the important part of the POST text was the cogbot is currently experiencing 5 errors. The goal of this phase of the puzzle was to find those 5 errors.

While speaking with Cogbot, his emotions becoming happy generally led to error message being displayed if you followed the logic of the conversation and asked the correct question. After lots of conversation, the following error strings were discovered.

After some trial and error we eventually asked Cog “Are you broken?” — the responses to which started cycling through several strings that didn’t seem relevant to any conversations and kept being repeated:

Welcome to KRAZY DAVES TACO SHOP!! Where we fit ALL the crazy of Dave into KRAZY DAVE TACOS!!!

THE TIME IS NOW!

Purple Monkey Dish Washer

BLOOD marches through my VEINS LIKE GIANT RADIOACTIVE RUBBER PANTS!!!

PLEASE_REFRAIN_FROM_INQUIRY

I’m gonna sing the doom song now!

These responses led to a few follow up questions:

What is Purple Monkey Dish Washer?

System_Error_20&3B12~26T1N15J

Googling “THE TIME IS NOW” gives you responses related to (and his name is…) John Cena, which led us to asking

What is your Name?

System_Error_4U23C10W

The comments about The Doom Song and Blood Marching through veins were both references to Invader Zim which led us to asking:

What is your Mission?

System_Error_20X22U9B14R1R24L4Q2N15F10D19H17Z6P

At this point we were a little stuck and couldn’t find any more error codes, we started brute forcing words at him and just having hours and hours of conversations that felt like trying to convince someone in an insane asylum who doesn’t know what ETH is to give you keys to their ETH wallet, but we found that Cog was returning some interesting information based on getting him into certain emotional states.

If you got Cog scared enough for a long period of time, he would show you a scary chart:

Getting Cog angry for a long period of time would sometimes yield him showing us one of these scary gifs:

(paranormal scary images — you’ve been warned)

https://i.imgur.com/YYWNvjU.gif

https://i.imgur.com/PMlEqka.gif

https://i.imgur.com/JVqjg8y.gif

https://i.imgur.com/XBFgmEw.gif

Asking Cog about Neon District would give some cool responses

What is Neon District? Neon District is a cyberpunk RPG with NFT assets that evolve.

What is Neon District? Sounds intriguing!

What is Neon District? Neon District is not a trading card game.

For a long time we were convinced that these images were related to the error codes that we were missing and had lots of fruitless conversations with Cog about them. It turns out that these were just easter eggs.

Eventually we were given a tip that led to finding the fourth error code:

Who is your Master?

System_Error_9J19T8H15K1R23O13W

The final code eluded us for some time, but eventually we turned back to the fact that Cog has emotions and starting asking him about how he felt as he changed emotional states.

Are you angry?

System_Error_10N^G3~13N

Methods

We built a tool that would track everything we said to Cogbot, his response, and the associated emotion so that we could track and look for patterns in his behavior:

We had 4 error codes but had a hard time finding the fifth for a couple of days. Once we realized that we were looking to ask Cogbot the correct question, we used this tool in conjunction with some Python code to brute force asking “What is <dictionary word>” to the bot and flagging any responses that returned error codes. We also noticed that for the four error codes that we had, the general format of “<question word> is <subject>” was always returning the appropriate error code if the correct <subject> was mentioned, so we did not need to brute force through When/Where/Why/etc..

It turned out that this brute force method though did not find us what we needed though, and only ended up getting ziot’s VPS banned from chatting with Cogbot:

Thanks for unbanning us ;)

Error Codes

Once we had all 5 error codes it was time to go to work on figuring out what they were hiding.

20&3B12~26T1N15J

4U23C10W

20X22U9B14R1R24L4Q2N15F10D19H17Z6P

9J19T8H15K1R23O13W

10N^G3~13N

We quickly noticed that each code is alternating between a number/symbol and letter/symbol combination — this is shown below just be inserting spaces for readability:

20& 3B 12~ 26T 1N 15J

4U 23C 10W

20X 22U 9B 14R 1R 24L 4Q 2N 15F 10D 19H 17Z 6P

9J 19T 8H 15K 1R 23O 13W

10N ^G 3~ 13N

After noticing this pattern, we started with ordering and reorganizing the data with these pairings in mind. At first just alphabetically and numerically sorting:

After these methods did not help, we started plugging the codes into a grid. One axis being the number depicted, the second the letter. The catch was that we didn’t know at first how to represent the symbols we had in the codes (~^&) so for the time being, we just guessed.

This step sent us down some more invalid rabbit holes for a few days.

For a while we were convinced that this method was going to create a QR code, or a starting point for a Conway’s Game of Life grid. But both of those theories did not get us far, as we did not have enough data to make either a feasible solution.

Next we started thinking about substitution ciphers that can be represented on a grid like this.

Vigenere was our first stop so we started filling out our grid with a classic Vigenere pattern.

Here was a starting point that we had for the code 4U 23C 10W

Purely by coincidence we noted that adjacent letters to the ones listed (in the UCW order) would spell out the word RUN

By another coincidence almost simultaneously, we noticed that using a Vigenere alphabet of 40 characters, which can be achieved by adding all of the symbols on the keyboard’s top row: 14 symbols ~!@#$%^&*()_+-= results in the same Vigenere decryption using DWJ as your keyword where D=4 W=23, and j=10, also gathered from the code:

Using the same method for the rest of the codes did not return anything useful, but at this point we knew we were looking for substitution ciphers, and since our method that resulted in a valid word for this first code did not work on the rest, it was likely going to be a different cipher for each code.

At this point we searched for ciphers that would work, including assuming that a letter layout related to the AZERTY keyboard was relevant since that keyboard layout is shown underneath Cog’s interface:

After searching for a solution for some time to no avail, CogBot started to give us hints.

Along with the error codes being displayed when asked the appropriate question came some other information. At first one set of information about the letter A, and secondly, a few days later, information about the letter B:

20&3B12~26T1N15J

23B = A

2H = 4R = B 4U23C10W

2B = A

4C = 4E = B 20X22U9B14R1R24L4Q2N15F10D19H17Z6P

4B = A

2K = 5J = B 9J19T8H15K1R23O13W

2D = A

3F = 5N = B 10N^G3~13N

1Z = A

3W = 5W = B

These hints were giving us key data about each cipher’s shifts:

Each cipher starts with writing the letter A at the origin of 1A (or 26A for later ones) on a 26x26 grid (We labeled columns A-Z and rows 1–26 to match the given format in the clue). Clue 1 indicates how to locate the remaining 25 A’s on the board by giving the incremental step to the first one. So for example, 2B = A means you need to go right 1, down 1 from the origin A to locate the next A and repeat this process to locate all 26 A’s. 2D = A would mean you need to go right 3, down 1 and when you reach an edge you wrap around. Clue 2 is given to indicate that this grid isn’t a normal Vigenere grid where you start at A and fill in the alphabet to the right until you wrap around and the letter Z hits the letter A. Instead, clue 2 is telling you that starting at every A on the grid, you fill in the remaining row by filling in as much of the alphabet in order by going both directions. So you fill in the grid with ABC… starting from A and going right, and the same thing going left and stopping when you hit an edge rather than wrapping around. Finally you use the given error codes as coordinates to extract letters from the grid.

In each of the shown cipher grids, the blue squares show given information from the clues, the arrows show the logical extension of the pattern through shifting the grid the same number of space each letter, and the green squares show the locations that the Cog codes are asking us to find.

4U23C10W

9J19T8H15K1R23O13W

20X22U9B14R1R24L4Q2N15F10D19H17Z6P

10N^G3~13N

20&3B12~26T1N15J

In the final 2 cases, the catch was that the origin A was located at 26A instead of 1A.

Completing these cipher grids got us 5 words (Note: We never fully explained exactly how the symbols functioned other than ~ = E and & and ^ = U, best guess was maybe those are symbol shortcuts on a phone if you long press those letters):

20&3B12~26T1N15J

SYSTEM 4U23C10W

RUN 20X22U9B14R1R24L4Q2N15F10D19H17Z6P

INTEROPERABLE 9J19T8H15K1R23O13W

PROGRAM 10N^G3~13N

DATA

At this point we started spamming Cog with every combination of these words that we could think of. Uppercase, lowercase, Titles, space delimited, underscore delimited, you name it, in every order combination of words since we did not know what order they should be in.

We had a good guess as the to order we needed — we assumed that the relative difficulty of the ciphers used would give us the order and it made a semi intelligible phrase. This led us to the phrase needing to be:

RUN PROGRAM INTEROPERABLE DATA SYSTEM

After brute forcing every combination against Cog with no results, and even trying to use the number combinations from the original POST message that Cog starts with as a formatting pattern to match, we started thinking about what could have been done to the words that would have prevented brute forcing the answer, and turned to considering 1337 speak — replacing letters with numbers.

We turned to Cog’s full name Cog 1347 and used those numbers as a starting point based of coin_artist’s past history of using 347 as her signature in solutions in that order.

“torched h34r7s”

“b34u7y, truth, and rarity”

“jobs cr347ion”

“whit3r4bbi7”

Brute forcing having 1347 appear in the string in that order was only 13 possible permutations and got us to the answer on the final combo:

run program 1nt3roper4ble da7a system

run program 1nt3roper4ble data sys7em

run program 1nt3roperable d47a system

run program 1nt3roperable d4ta sys7em

run program 1nt3roperable dat4 sys7em

run program 1nterop3r4ble da7a system

run program 1nterop3r4ble data sys7em

run program 1nterop3rable d47a system

run program 1nterop3rable d4ta sys7em

run program 1nterop3rable dat4 sys7em

run program 1nteroperabl3 d47a system

run program 1nteroperabl3 d4ta sys7em

run program 1nteroperabl3 dat4 sys7em

Video / Audio

Upon entering this string into Cog, he returned a video to us:

This returned the following raw JSON data from the request:

{“activity”:”raw”,”emotion”:”sadness”,”response”:”<video width=”320" height=”240" autoplay src=”https://s3.amazonaws.com/neon-district-easter-egg/b33bf85a8fff8ff65f172e07d128b810.mov/%22%3E</video><audio autoplay><source src=”https://s3.amazonaws.com/neon-district-easter-egg/f405f60b8acfdb9093a65e9516eee924.wav/" type=”audio/wav”></audio>”}

The audio and video portions of this were actually split up into two different files:

https://s3.amazonaws.com/neon-district-easter-egg/f405f60b8acfdb9093a65e9516eee924.wav

The audio from the file we identified immediately as being text or patterns masked into the spectrogram of the sound. Running the wav through Sonic Visualizer proved us correct:

Sonic Visualizer

This gave us 18 words.

Turning the video, we had a series of flashing dots

https://s3.amazonaws.com/neon-district-easter-egg/b33bf85a8fff8ff65f172e07d128b810.mov

Importing the video into Photoshop as a layer per frame allowed us to manipulate it as needed — We initially overlayed every frame to see if the dots spelled something out. They didn’t but the three rows immediately made us think of Braille. But how could we separate them out enough to be readable?

Our next thought was by color, this got us closer, but not close enough:

Finally we noticed that the borders around the Braille section of the video slowly go from black to fully colored then resets back to black 14 times throughout the video:

Dot Location 1 -> Dot Location 25 — Notice the changed upper and lower borders

Quickly grouping the frames by black to color passes on the borders and overlaying them all gave us 14 words in Braille:

stagehand

outfielder

nightbird

Etc…

Combined with the audio solve, this gave us a total of 32 words.

Searching for these words showed that the are all PGP Fingerprint words.

Therefore, each word was associated with a hexadecimal value.

eating 54

Bradbury 1a

Belfast 1d

Etc…

Converting the full word list into hex resulted in the final Private key for the ETH wallet associated with the challenge!