Cracking the DerbyCon Code

To commemorate the final DerbyCon, TrustedSec did something a little special on our challenge coin. Along the outer edge of the coin was a code, and anyone who could figure it out by DerbyCon’s final day at noon got a prize.

I was lucky enough to design the code and was asked by many people to post the solution. There are obviously spoilers herein, so if you want to try to figure it out on your own, look at the image below and stop scrolling. Sadly, there are no more prizes to give out.

The code is contained around the edge of the coin in a long string of characters. Due to the small letters, probably one of the hardest things to do was to copy the string off the coin. A few letters—such as l and 1, and i and j—were difficult to differentiate between. Fortunately, due to the way the code worked, it did not matter if you got them wrong. Once you solved it (or thought you did), you would know if one of the letters was incorrect and could easily fix it.

The encoded string around the edge of the coin was:

CwwDBgERST8IGQQ/BggBHAREJQcJCigdAR0bDVQkAAACNRABHB8HVilFGg0jHQYAHQ9TNQYbBDQMQh0bDVQkAAACNRABHB0NVikbGQQoHRoGHwdTKUcqADQLFyocBkYjGwsTIxtA

Stage 1

This is a base64 encoded string. Often, you can tell an encoded string uses base64 if it ends in one (1) or two (2) equal sign (=) characters, which are used to pad the string to a proper length. Unfortunately, that did not happen here. However, there are a few ways you can determine this is a base64 string.

First, the string length is a multiple of four (4). Second, the string is only composed of the characters of the default base64 alphabet: A-Za-z0-9+/=. Finally, when you base64 decode the string, it does not error out.

Stage 2

Once you decode the string, you get a blob of binary data. This was the tough part. In challenges like these, binary data could be anything. It could be encrypted or compressed. It could be some weird file format. It could be bit-shifted. There are hundreds of things the data could be.

In this case, it was XOR encoded. XOR is a common type of encoding because it is fast and easy to perform. However, it does require a key. Figuring out the key is often the hardest part of breaking XOR encoded data, but there are a few tricks you can use to help you out.

  1. Anything XOR’d by zero (0) is itself. When large files are XOR encoded, such as executables, a large area of zeroes will be XOR’d at some point and the key will leak. Unfortunately, that was not the case here.
  2. If you know, or can guess, some of the plaintext of the XOR encoded data, you can try all combinations of that plaintext encoded with various keys to see if any match up or decode the rest of the file. This is how Didier Steven’s xorsearch tool works. This could have worked here, but you would have to have a really good guess.
  3. Finally, you can just brute-force the key until you get something that decodes properly. Unfortunately, if you have a key longer than four (4) bytes or so, it starts to become too time consuming. This would not have worked in this case.


How then do you solve it? Good, old fashioned intuition and thinking!

Anyone who came up to me and asked for a hint was told two (2) things:

  1. Do not overthink the solution.
  2. You do not need anything other than the coin itself to solve it.

Since this coin was at the final DerbyCon, I wanted to include something from DerbyCon into the challenge itself. Looking at the coin, there are a number of things we could have included: the con name and number, the derby hat, or even something from TrustedSec. Instead, I used the con tagline: Finish Line.

Using “Finish Line” as the XOR key pops out the following string:

Memoryisawayofholdingontothethingsyoulove,thethingsyouare,thethingsyouneverwanttolose.DerbyConforever.

After adding in whitespace (which I had to take out to make sure it could fit on the coin), you get:

Memory is a way of holding on to the things you love, the things you are, the things you never want to lose. DerbyCon forever.

The first part of this is a quote by Mr. Kevin Arnold. If you do not know who he is then 1) you are making me feel old and 2) you need to go watch The Wonder Years right now.

The whole challenge could be figured out using CyberChef, which is an amazing tool with a lot of functionality within it.

About 10 people were able to solve it, and I suspect a lot of people were really close. If you did try it and did not get it, I hope you at least got some enjoyment out of it because that was the point. If you enjoyed it, let me know. Who knows—maybe we will come out with a new one at some point!

Tyler Hudak

Author: Tyler Hudak

Tyler has over 20 years of real-world experience in incident handling, malware analysis, computer forensics, and information security for multiple organizations. He has spoken and taught at a number of security conferences about topics ranging from incident response to penetration testing techniques.