[ARG] The Pizza Code Mystery


The PyPI repository doesn’t have Windows binaries for pycrypto, only the source, so when you try to install it with pip, it tries to build the binaries from the source. This will require a proper build environment to be setup in order for the install to succeed.

That said, yes, pycrypto doesn’t appear to be actively developed anymore. pycryptodome is a fork of pycrypto (or more of a full rewrite by the looks of it) that is meant to replace pycrypto. If you look at the available pycryptodome files in the PyPI repo, you can see that there are binaries for various platforms and Python versions.


Okay, so I could theoretically use the latest version of Python with the appropriate cryptodome version and simply implement the RC4 with that–then, for the TwoFish portion, there seem to be some other resources that may work, such as pycryptoplus (which is an extension of pycrypto, but I suppose could theoretically work with pycryptodome, right?)

I’m really sorry for being such a pain in the ass about this–I wish I knew more about it, and I’m just really excited to have something that I know works versus using random (somewhat shady) decrypters online. I mean, I have no idea if they work or not, and at least this way I feel I’m getting something that someone who knows what they’re doing has signed off on.

Honestly, at this point I would be happy if anyone solved it. If you, sfsdfd and Snalty have the environment to run the scripting, I’m more than happy to put my efforts into figuring out possible keys.

EDIT: I will spend some time tomorrow reading up on Python and hopefully garner a deeper understanding of it. Honestly, it won’t even amount to a fraction of the zany theories and such I’ve invested time in until this point, so I’m more than happy to do it. You are all very kind and have been wonderfully helpful, and I don’t want to take it for granted. I know there are others in my shoes who are extremely grateful as well, in fact I think a lot of people dropped out because they thought it would be too difficult in the long run to do the cryptography bit (shameless pun)—so hopefully they will see how helpful everyone is and come back and join in the fun!


Oh, man. I didn’t want to go down this path, because I tried several different packages - including pycryptodome and pycryptodomex - none of which had the right functionality. I actually considered using those libraries, but I encountered some comments that there might be implementation quirks… I just didn’t want to get into that, whereas pycrypto had a straightforward implementation. But it looks like you’re running into the same brick wall.

For the record, we’re only using pycrypto for ARC4. Twofish is a separate standalone library. The instructions at the top of my script condense the installation of both packages into one line:

pip install --user pycrypto twofish

…but you could just as easily use pip to install pycrypto and twofish individually and separately.

Gunsrequiem, I share your enthusiasm (and the fact that, for the first time in this whole ARG, I have something to contribute!) - so yes, post your data files somewhere and I or someone else will run the script on them.

General open offer: If anyone needs the script tweaked in any way to run certain kinds of searches, I’m game. (Also, I wrote it to be extremely easy to read and edit, so anyone here with even a modest, non-Python-oriented software background should be able to make small tweaks.)


I really appreciate that and I will do my part on my end to figure out how to get a stable version of all that up and running and verify that it works using the test files that you provided. I’m assuming if I get the same thing we are good to go.

It’s funny you say that about the programming because I was looking over it and although some of the syntax is different, the statements and general “math” don’t really change it seems. I’ll just need to pull it apart and figure out all the nuances of it. At this point of the game, it’s definitely worth whatever effort it takes to get a grasp of it because going forward the difficulty may only increase. So why not build a foundation now?

If push comes to shove and I am simply limited by my system or the implementation thereof, then I will definitely take you up on your offer, and I sincerely appreciate it. No need to rush it at this point, now that we’ve come this far, so in the meantime I’ll do my due diligence so I can contribute.


We’ll get there, Gunsrequiem. This is a very small technical gap that we need to bridge!

And here’s some good news - I’ve converted the code to run on Python 3:

Python 3 version: pizza_arg3.py

The code is nearly identical. Print statements converted, and a few niggling differences with the corresponding Python3 libraries that required an explicit decode(‘utf-8’) - that’s it.

The upshot here is that, yes, the same libraries (pycrypto and Twofish) are available for Python 3. The only hiccup is that if you have both Python 2.7 and Python 3 running side-by-side, pip tends to default to installing packages for Python 2.7. The canonical solution is to tell pip to install packages into a specific virtual environment (virtualenv) for Python 3 … but that’s kind of a whole 'nother topic, and one that I don’t really think is worth exploring to solve this task.

The easier option is to install the libraries via pip3, which is often installed automatically alongside Python 3… but sometimes not, and you have to install it separately. If you can install pip3, then you can install the packages the same as with the Python 2.7 version:

pip3 install --user pycrypto twofish

Sorry that this process seems so weedy. Python is really a great environment, but it does have a disappointing amount of baggage due to some technical debt and questionable design choices by the development team. They’re traversable, but annoying.


That twofish library just implements the cipher, and not any of the block cipher modes of operation, which increase the security of the cipher. So that limits us to doing Twofish decryption in the simplest of modes, which is called Electronic Codebook (ECB). If we are going to try some other modes, we are going to have to implement them ourselves, which probably shouldn’t be too difficult, but that means extra work.


Something even crazier–if you add in the other capitalized letters from the mention of “Block Cipher,” “Off the Record,” “Rjindael” and the lowercase “w” from the start of the one sentence in the message, you can get:


Apache Whirr is definitely a plausible part of this puzzle, as we do have the BMRF location in Google Maps that is right in Apache Junction. Question is, how far down this rabbit hole do we need to go? Twofish and ARC4 are bad enough–is there more to this puzzle?

I think we should take a closer look at Lab C and determine if there are any other hints there about this puzzle, just in case.

EDIT: I guess “Lab C” could refer to either Sector C or Lab C within the Questionable Ethics chapter. I’m assuming the latter since it would be in Storm’s chapter, but it could refer to Sector C, which on this map shows up as being the Anomalous Materials Labs, the High-Energy Particle Labs, the Control Facilities, and the Area 3 Security Ops:

Although Storm likely wouldn’t outright confirm any of this, I’m hoping we may get some sort of new “layer” to the puzzle now that we’ve discovered the hidden message. Even though we “think” we’ve pulled all we can out of it, this is one of those cases where even interpreting one word wrong can completely throw off how we try to solve it. That coupled with the fact that we still need keys and all that . . . for a day or two I was thinking we were definitely going to crack this with time, and now I’m again starting to doubt what exactly it is that we need to do.

I mean, we can still move forward with it, I just worry that we’re going to put all this work into it only to determine that what we thought it said actually wasn’t real, or was interpreted wrong. And maybe I’m worried for nothing–who knows anymore?


That twofish library just implements the cipher, and not any of the block cipher modes of operation, which increase the security of the cipher. So that limits us to doing Twofish decryption in the simplest of modes, which is called Electronic Codebook (ECB). If we are going to try some other modes, we are going to have to implement them ourselves, which probably shouldn’t be too difficult, but that means extra work.

Python has a lot (a lot a lot) of encryption libraries, including several implementations of Twofish. My guess is that whatever flexibility we need in Twofish, we can find a library to satisfy it.

However, I have to question the extent to which Storm would have expected us to use a specific Twofish implementation. The puzzle piece of needing to use some combination ARC4 and Twofish has eluded the community for, what, six years? (And even now, we’re not even sure of the sequential order, right?)

ARGs often face this challenge of making puzzles too esoteric that the community needs to harness classic-Batman logic to solve it, right? We’re already kind of on the edge of that, and hinting toward not just Twofish but a specific Twofish seems like a bridge (or five) too far.

(A bit of meta: I feel a little compelled to explain myself, since I just popped into the forum literally two days ago. I’m an occasional ARG participant - AI / “The Beast,” and then ilovebees, and then that brief Portal 2 ARG. Life changes have prevented more participation than that, with the exception of passively reading this forum for developments. I jumped in this week on the rare instance where my skills are relevant to the task at hand.)


Great to hear that you have some experience with these! I’ve only ever done one a long time ago in a GamePro magazine (the answer was “syzygy”) although I’ve always had a love for puzzles and a love for challenges. This one has definitely tested my limits, though!

I agree that it seems a bit against the flow of the ARG, especially since we are assuming with this new information that we went from a flawed OTP (that was encoded to actually allow us to solve it) right to a double-encode with modern ciphers. I mean, it’s possible, but it seems odd.

Is it possible that the information in this message is meant to tell us what the encode is not, rather than what it is? Perhaps by following the clues, it will allow us to pare down what ciphers we shouldn’t use, and lead us to what we should use. I was reading some of the old posts, and I realized this page was mentioned: http://users.telenet.be/d.rijmenants/en/download.htm

That’s where we originally found the SECOM decoder, and Storm had let us right to it in a message he sent me. Now, the SECOM decoder doesn’t seem to be there anymore, and the one named Krypta that was based on ARC4 is no longer there either. Anyway, my point is that we always had the tools we needed to move forward, and now it’s like we’re having to create our own or rely on potentially flawed methods. I think maybe we should look for more hints. For example, Storm stated in that message that every message we get from the ARG creator is meant to help us, and that there will be a hidden message in any reply we get. I think we should take that to heart and take another look at everything. Even though this feels like a breakthrough, we are still kind of at odds with what we need to do.

I’ll take another look at everything a bit later when I get home, and see if there’s anything else I can pick out. I mean, it would be great if it is telling us exactly what we need, but at the same time I wonder if it’s to tell us what not to use. If you look at the actual message, he offers up some other encryption methods, and mentions specifically that SSH is likely not involved (which would exclude the whole Whirr thing, right?)

Anyway, it’s still at a halt, it seems, but I hope we are at least making some progress after so many years of a standstill. I really want to avoid us stagnating again, especially because it got our hopes up (mine, at least).

EDIT: Had a bit more fun with anagrams:

If you take Storm’s second most recent reply, you’ll notice that a bunch of the sentences start with lowercase letters. So, I took the capital letters from the beginning of the sentences, along with the capital E from English and L from Latin. You can make a couple things that make sense with this:


If you add in his most recent reply, you can get two more capital letters: G and S. This possibly produces:

THAT TWIG LIES (is Stone a twig? Lol)

Anyway, it’s all probably just nonsense, and is probably confirmation bias because I picked out things that lined up with ARG themes. But at least it was fun.

EDIT 2: If you go back and look at all the messages Storm sent before these two messages, take the capital letters at the beginning of sentences from those, you get:


You can make some things from this, one of which is:


If you add in the lowercase “o” that begins one of the sentences, you can get:


Meh, these are stretching it a bit, but he did say in a message to me that an ARG creator never gets involved unless it’s to drop off a hidden message:

“Take a look deeply at every single message that is given. Even if it looks like a simple response, it WILL have something hidden within it. ARG authors never usually respond to questions for ARGs, as it breaks immersion and the general rules, so if they do, it will be to give a clue.”

Wishful thinking probably, and it doesn’t really add anything even if it is legitimate, but it’s fun anyway.


Oh wow, this is getting rather interesting. And finally registration has been opened again :smiley:

One thing I noticed: The HALOS.bin length is not divisible by the twofish block size (128 bit=16 bytes), there are eight bytes too many (or too few).
Has anyone found out what to do with this?

Eight bit are too few as proper initialization vector for most cipher modes (CBC, CTR, CFB)

Also, Note that RC4 and TwoFish might be flipped (i.e. the ciphertext c=(RC4∘Twofish)(m) vs c=(Twofish∘RC4)(m))

Otherwise, there is a really nice C library doing all sorts of cryptographic primitives called nettle:
An example of it doing Twofish in (uninitialized) CBC-Mode on stdin is given here:

Lastly, I think “Benaloh Paillier” with a space seems like a promising candidate, since it is exactly 16 bytes long and the source message (IRC clue 5) has been stripped of spaces.


You make some great points, Doeme!

I think we are heading in the right direction. I mean, I did just get a sudden craving for a taco, which is a fine meal, indeed–I just wish that craving didn’t come with such a strong sense of doom, though.


Anyway, let’s keep heading down this path folks! We might be onto something!

EDIT: In regards to an initialization vector, I think we should probably look for language similar to “initialization” and “vector.” This would probably be the only way for Storm to give us an idea of what to use for it, without us randomly guessing.

With that in mind, I did some forum digging, and I came across this post by “Lachnummer” (who is mentioned in the Wiki for this, as well). In it, he talks about the aeronautical chart in the taco shack, and if you pull up the link from the chart, you get this page: SkyVector

Here is the original chart found in the game:

Anyway, SkyVector at least has similar language, and it is found in an ARG hotspot. I think it’s worth at least taking a look!

Also, since it’s used for flight planning, and there are three tacos right on the desk next to it, that indicates to me that Horn and his associates were planning to fly away from the BMRF disaster. The SkyVector map itself shows Ohio, and the little map tacked to it shows Ellsworth Air Force Base. It would make sense that Horn and his crew got away, and it would explain Bottomley’s original mention about living in “a major American city.” My money’s on one of these locations being the current temporary location of our three amigos.

$20 says they got the military to get them to a base away from the BMRF, then hopped a charter or private plane to Ohio to live as “civilians.”

EDIT 2: So I was looking through the wiki, and I found this image with the hidden texture that is part of Horn’s shack and can only be seen in the Hammer editor:


Is that a backwards “HINT” right outside the window there? So if we were outside looking into the shack, it would read the proper way? I’m going to spend some time in that area tonight when I get home. Maybe it won’t bring up anything new, but I suppose it can’t hurt.

EDIT 3: In regard to "Lachnummer"s post, I think we should definitely take it into account, as it’s most likely Storm. “Lachnummer” means “bad joke, laughing stock”–which is likely his way of stating that what he’s putting in there is the opposite of how we should take it. For example, in that post, Lachnummer says: “Summary: Looks like a dead end to me.”

That should most likely indicate to us that it’s not a dead end, and may in fact be very, very important. Why else would it be in his shack, one of the central focal points of the ARG? Furthermore, that’s the only post that Lachnummer ever made, so I think it’s most likely important information–I mean, he tore apart everything in that shack and gave us resources (some of which are now broken, but still) to find more information in regards to them. That’s pretty much the exact same behavior that 0418/Code_ exhibited with the whiteboards.

Needless to say, I think we should consider what’s in that post very, very carefully, and perhaps even look for some more examples of these helpful/seemingly unhelpful hints.

@Doeme, in response to your question about it being 8 bytes short, it’s either that we need to do it in reverse order, or affix the 1001085139140914 to it before running it through the decryption. It’s exactly 8 bytes. Either that or it’s possibly used as an IV.


Lachnummer is also a user on the ARG wiki. They have made one single edit to the wiki, which was on the Code A page.

However, the same user is also an active user on the The Longest Journey wiki (TLJwiki), where they are an admin.


Okay, so it could be that they just popped in, lost interest, and left again?


Maybe they were lurking for a while. It looks like the edit to the wiki was done one year prior to registering on the forums to post in the ARG thread.


That’s a hint brush.


Ah, okay–thanks for clarifying that. And yeah, sounds like they were just a lurker. Man, thought we might be onto something there.

EDIT: I have a proposal. When you look up the concept of alternate reality games and locate the wiki, the very first thing it says is this:

" An alternate reality game ( ARG ) is an interactive networked narrative that uses the real world as a platform and employs transmedia storytelling to deliver a story that may be altered by players’ ideas or actions.

The form is defined by intense player involvement with a story that takes place in real time and evolves according to players’ responses. Subsequently, it is shaped by characters that are actively controlled by the game’s designers, as opposed to being controlled by artificial intelligence as in a computer or console video game. Players interact directly with characters in the game, solve plot-based challenges and puzzles, and collaborate as a community to analyze the story and coordinate real-life and online activities. ARGs generally use multimedia, such as telephones, email and mail but rely on the Internet as the central binding medum."

Okay, so we have had the mention of artificial intelligence multiple times, and the main thing we were told was the whole “seek code out, he is watching, is AI” thing. So, here’s a theory–is this Storm’s way of saying that we can control how this is going to go? For example, if I were to post something directly calling out Horn and his cronies, perhaps by identifying that I know where they are hiding, is there a chance that we could goad one of them into spilling the beans? I mean, clearly Dr. Horn is the ringleader, and we know for a fact that he was able to delete part of what Bottomley was trying to tell us. Furthermore, if HALOS is like Cyberax in the sense that it can be everywhere all at the same time, then it’s very important that we do NOT alert HALOS to the fact that we may be trying to “bruteforce” Dr. Horn into giving us more information, because then it could force him not to. It’s very important that if we directly try to initiate contact with Dr. Horn in the context of the ARG, that we do so with this ARG’s rules in mind.

To be more direct, in the “Bugs” show, one of the sayings is “Don’t think of an elephant,” which I believe is a way of them evoking the whole “If I tell you not to think of something, you’ll think of it anyway” kind of thing. So, in a way, even if were to say to Dr. Horn “I know where you are, tell me what I want to know or I’ll send the government/private investigator/etc. after you,” that is immediately going to elicit a response that is going to alert HALOS and immediately shut down that effort.

In that show, Cyberax starts as something Jean-Daniel releases over the internet, and then it turns out that it can be anywhere and everywhere all at the same time (at least that’s how I took it) and it uses humans to power it. In essence, the humans are its processor–how it is eventually destroyed is that the CPU gets blown up. So, instead of goading/provoking Dr. Horn, which would simply throw us into the line of that whole catch-22/elephants thing, I have a better idea.




Also, just that I have it written out at least once: there speaks nothing (practical) against just using 8 bytes as initialization vector, it is just not cryptographically sound.

ATM I’m writing an encryption/decryption tool that uses the nettle library, maybe i’m successful with that. I will update here once it is done.

Edit: I just find it deeply unsettling that the cipher text length does not align with our block length, and adding (semi-)randomly gathered bytes to it seems like a botch.


I ran the code through a few programs that analyze entropy via auto-correlation, the n gram results indicate a weak encryption, but one that results in highly entropic data (which I correlated against a similar data set size from a randomness extractor) when decoded via Hex, which I suspect is a secondary encode, as most encrypted data sent via communications is encoded in order to avoid corruption. This may have skewed the block size analysis done previously (resulting in 376bytes or 64bits).

(from http://thepizzaisalie.wikia.com/wiki/Stormseeker#0418_08151814.27s_PMs_to_Gunsrequiem)

This leads me to believe that we have to decrypt RC4 before TwoFish (or at least to decrypt Twofish last)

Edit: Another thing that bugs me:
Afaik (please, prove me wrong) RC4 is not that insecure that the ciphertext should yield a meaningful auto-correlation as mentioned by 0418_08151814. Might RC4 be the wrong cipher after all?


You’ll notice that he calls it an “encode” there and not an “encryption,” which suggests that it’s likely something quite common that is well-known:

" Encoding is the process of putting a sequence of characters into a special format for transmission or storage purposes

Encryption is the process of translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text ; encrypted data is referred to as cipher text"

Perhaps you are right and it is something that’s simple for that first step, but I’m assuming the RC4 and TwoFish come in at some point. Unless, again, what is found in that message is just completely coincidental. I doubt it, but it is possible.


Oh, yes, indeed, he was talking about the hex-encoding there. Revoco…


My ploy didn’t work.



Which ploy are you talking about?