[ARG] The Pizza Code Mystery


I was trying to get into the spirit of the ARG and tried to “threaten” HALOS into providing us more information. It didn’t work, and I wasn’t really expecting it to, lol. Worth a shot!


I saw your countdown page but wasn’t sure if that was the ploy you were referencing or if it was an attempt to break the code


Was that quote in a paragraph of its own? If we apply what the quote says to the quote itself:

Take a look deeply at every single message that is given. Even if it looks like a simple response, it WILL have something hidden within it. ARG authors never usually respond to questions for ARGs, as it breaks immersion and the general rules, so if they do, it will be to give a clue.

=> TEA ?

Tiny Encryption Algorithm

In cryptography, the Tiny Encryption Algorithm ( TEA ) is a block cipher notable for its simplicity of description and implementation, typically a few lines of code. It was designed by David Wheeler and Roger Needham of the Cambridge Computer Laboratory; it was first presented at the Fast Software Encryption workshop in Leuven in 1994, and first published in the proceedings of that workshop.

We’ve heard about Cambridge Computer Labs before, and TEA is a 64-bit block cipher.


You’re right—he said he upped the difficulty due to some people from “Cambridge’s computer labs” joining in, but how would he know where they were from? I didn’t hear anything about that until he said it in that interview.

Here’s the whole paragraph. Keep in kind this was before the SECOM solution, but he may have had it planned before then:

“As for advice. I notice a few people blaming the difficulty of the ARG/Puzzletrail on the author, which is just another way to say “it’s too hard for me”.
Ignore them, it just takes time. Take a look deeply at every single message that is given. Even if it looks like a simple response, it WILL have something hidden within it. ARG authors never usually respond to questions for ARGs, as it breaks immersion and the general rules, so if they do, it will be to give a clue.”


Use the trash can icon available at the bottom of the post. Select the three dots … for it to appear


So, as promised I have written a small tool that leverages the nettle cipher library:


Usage: nettle [-h | --help] <cipher_spec> [cipher_spec...]
cipher_spec: direction ':' cipher [ ':' key_values ]
direction: '+' | '-'
cipher: string
key_values: key_value | key_value ',' key_values
key_value: key value
key: 'key' | 'iv'
value: '@' file | string

Example: nettle -CBC:aes128:key="BENALOH PAILLIER",[email protected] < HALOS.bin
This prints to STDOUT a decryption in CBC mode using AES with 128 bits key length,
using "BENALOH PAILLIER" as key and reading the initialization vector from the file iv.dat

Available ciphers names: 

I did not manage to compile it for windows, though.
If you’re on linux, make sure that gcc, make and nettle-dev are installed.

Also, note that blowfish and tea both have 8 bytes block size.

Edit: Here’s a script to test through multiple combinations:


pws=("BENALOH PAILLIER" "Benaloh Paillier" "benaloh paillier")

ciphers=("arcfour128" "blowfish128" "tea128")

modes=("ECB" "CBC" "CTR" "CFB")

for mode in "${modes[@]}"
for ciphera in "${ciphers[@]}"
for cipherb in "${ciphers[@]}"
for pw in "${pws[@]}"
	./nettle -"$mode":"$ciphera":key="$pw" -"$mode":"$cipherb":key="$pw" < HALOS.bin 2>&1 | strings


That’s awesome! I won’t be able to use it (on Windows) but can still help with possible keys.


We should probably be able to compile it for Windows using MSYS2, but it will be a long and clunky procedure.


This might be something, it might be nothing. But taking the symbol for the philosophers stone and aligning it with the grilled pizza(inverted and reversed), the inner circle’s binary is 1010100011101110100101100110011001001100110000010101001100111101101011000011000… translated to base 32 and then run through a rot cipher, I got “AICOREXRDKOY3QGV” breaking that down to words, I have AI Core XRD KOY 3QGV or x-ray diffraction kilogray 3QGV

3QGV= Crystal structure of a thermostable amylase variant

Again, more than likely nothing, just thought it was neat.svg


You forgot or neglected to mention Storm’s positive reply to your tweet regarding this idea. Did he just reply out of courtesy, or does this mean there may be more to the grilled pizza after all?


Hard to know, but after looking at his Twitter page, now I want to get back into GW2. I bought the Heart of Thorns expansion but never played it–maybe this is my cue?

EDIT: Oh, and apparently there’s a new one called Path of Fire! Cool! Definitely time to hop back in for a while :slight_smile:


I didn’t mention it because I did think it was out of courtesy, his reply was that “its an interesting theory”, I didn’t think there was enough there for it to mean anything, but he didn’t say I was wrong either, which has happened once or twice in the past. I will share also, that aside from working on the grilled pizza, I have also been running around black mesa and finding every and anything that has chemicals in it, then looking up the chemicals, as if they are ingredients. Perhaps someone was trying to make an elixir or philosophers stone. It has 4 stages White, Black, Yellow, Red. Where elements are broken down, cleansed of impurities and then put back together. I had the thought that what if we were to carry out the recipe in game, trying to create and bind mercury, sulfur, salt. Looking at how alchemist use to make this stuff, I believe there is plenty in game that could be broken down to complete this. That in mind after reading the message from Dr. Horn on the wiki page, where the caps spell out Dr. Horn… now when I read it, I look at it as giving instructions as what to do to make this, we have conunDrum, stRange, Have, sOlving, peRson, caN …… now what I see is DRUM, RANGE, SOLVENT,FIRE, CAN. There is a range in QE I believe and maybe elsewhere, there are large drums everywhere, there are solvent chemicals, and plenty of cans. What if we had to throw these things into the oven? Has something like this even been considered? The grilled pizza image, I always thought had more to it, because it doesnt make sense that we had stolen the “lie”, if it was just a picture that spelled out congratulations you won the pizza, seems kind of pointless, but when its mentioned that we stole it and that it doesnt matter now, that tells me there is more to it. And last to add, NFPA diamond’s all over the game, and this is just a long shot theory, on pulling chemicals together in game to refine them into something else, those diamonds may help.


So, a quick side note: I’m currently at 35C3, if someone is here too we could do a meetup and work on this in person! You can reach me via DECT 7865.


Hmm… What if Dr. Horn DID die when the Tau was overcharged… What if he is in a bunch of pieces in optronics. What if there is no “Halos”, what if Halos is just the name people have given Dr. Horn because of his high and mighty ways…What if… Dr. Horn needs a new prescription? What if he needs a good dose of resurrection?!?


How come you’re using blowfish instead of twofish?


A couple of issues I’ve found:

  • Your tool only performs ARCFOUR encryption/decryption with a fixed key length of 128 bits. This is because you are using the simple struct nettle_cipher abstraction provided by the nettle library, which doesn’t support the use of variable length keys. ARCFOUR is a variable length key cipher (40-2048 bits).

  • The same problem also applies to Blowfish.

  • If you specify a key that is shorter than the key length of a given cipher, the remaining bytes are undefined because no padding is being done before calling es->cipher->set_decrypt_key, and no (zero) padding is done by the cipher’s ..._set_key function in the nettle library either, because it has no way of knowing the length of the key buffer you are passing to it—it assumes that it is the correct length, which means that the cipher’s ..._set_key function will read past the end of the string.

  • The tool doesn’t support input files larger than 1024 bytes (because the readFile function doesn’t grow the read buffer past the initial buffer size of 1024 bytes). It doesn’t really matter though since the HALOS code is only 376 bytes.

  • To make it work on Windows, a workaround is needed to prevent fread from stopping at the Ctrl-Z (0x1a) character when reading from stdin.

    Windows workaround code (click to expand)
    #if defined(_WIN32)
    #include <io.h>
    #include <fcntl.h>
    int main(int argc, char **argv){
    #if defined(_WIN32)
      _setmode(_fileno(stdin), _O_BINARY);


Because the ciphertext does not align with the block-size of Twofish, but it does with Blowfish.

@Flavrans Thanks.

  • Yes, it might be worth doing a special if() for arcfour. Also, nettle does not provide a struct nettle_cipher for rc4, I had to do that myself.
  • ditto
  • Yes, the fix is to input only proper key lenghts :slight_smile:
  • Broken by design. I didn’t care about text longer than the halos file :slight_smile:
    In a newer version this has been fixed.
  • My god, I wasn’t even aware. I do not usually write code for MICROS~1 products. Applied your patch.
  • You forgot to mention the >9k memory leaks :smiley:


The hint pointed at twofish though. :no_mouth:

The clue that delivered “752” ends with “Abortive” and to me that means the data stream could be truncated. You could still decrypt with twofish and just ignore the last block error, or if nettle won’t work at all with the incorrect length you could just pad the input with some null bytes.

I suspect a successful first decryption with rc4 may reveal some container format header for the second round of decryption with twofish.


Maybe we don’t even need to figure out the key… If we’re running on the assumption that this is RC4 then we only need to know the key stream. RC4 generates a key stream from the key, and then this stream is XOR’d with the plaintext to generate the ciphertext.

If there were certain assumptions we could make about the plaintext then it would be possible to know portions of the key stream. Knowing a portion of the key stream could reveal an intentional pattern, i.e. the key stream could have been manually created from binary data representing a high precision irrational number such as pi.



Would it theoretically be possible to generate something like that from our 1001085139140914?