2012 Walkthrough

~The Beginning~

Next Section

Section 1: 4chan
January 4th, 2012


On January 4th, 2012 users browsing 4chan‘s ‘paranormal’ board /x/ were greeted with a modest image, final.jpg . Bearing simple white text on a plain black background, final.jpg did not immediately grab the attention of many users — /x/ is a chaotic internet back alley populated by conspiracy theorists, LARPers, and that weird kid from school; any image or information posted there is to be taken with a grain of salt.
Tales of Bigfoot, alien abductions, and nameless egregors are everyday affairs — grabbing the attention of /x/‘s denizens is not always an easy task.

Gradually throughout the next 48 hours, final.jpg and its associated thread moved up /x/ ‘s popularity rankings. Discussion threads quickly spread to other 4chan boards — namely /sci/ , the science board, and /b/ , the random board.

/sci/ Discussion Thread Archive ::: /sci/ Discussion Thread Archive 2
/b/ Discussion Thread Archive

Accepting 3301‘s challenge, users were quick to try opening the image in common text editors — for example, the widespread Windows program ‘Notepad‘. Doing this shows the user a dump of the image’s constituent bytes, represented in non-human readable form. Soon, it was noticed that a hidden message, standing out from the jumbled background info, was appended to the end of the image’s raw data. Another method to view the message is to use a hex editor.

final.jpg Message


The above message can be divided into two parts: plaintext and ciphertext. The plaintext, or unencrypted text, portion is


This is a reference to a particular sort of cipher, a Caesar Cipher, to be used with the ciphertext portion of the hidden message. Latin transliterated the modern English letter ‘U’ as ‘V’ (this will be important in later years), so TIBERIVS CLAVDIVS CAESAR becomes TIBERIUS CLAUDIUS CAESAR.

A Caesar Cipher, closely related to a Shift Cipher, is one of the simplest and most commonly employed ciphers. It is named after Julius Caesar, who utilized the cipher militarily and personally — 3301 is really starting us off gently here. Tiberius Claudius Caesar was the fourth Roman emperor (when designating Augustus as the first, as is standard) and so we assume that the ciphertext portion of the message was encoded using a Caesar cipher with a shift of +4 to result in what we see:


Since the plaintext portion of the message introduces the ciphertext portion as something ‘said’, we exclude the above quotation marks when manipulating the ciphertext string. Thus we are working with this sequence:


Perceptive individuals may already notice that the first few characters of the ciphertext string bear a similar format to a URL — four letters, then one punctuation mark followed by two additional characters. http:// would be a good guess as to what this may decode to. Thus, this ciphertext could theoretically have been decoded even without the “Tiberius Claudius Caesar says” plaintext hint.

Now, let’s work it out:

Write out the English alphabet, assigning the proper numerical values to each letter based on its position in the alphabet in the form of (A=1, B=2, C=3, D=4 … ). Using this format, assign each letter of the string lxxt>33m2mqkyv2gsq3q=w]O2ntk a numerical value. Since we are only considering standard English letters with this classical Caesar cipher, ignore the numbers and characters like “]” for now, leaving them in place. We’ll get to those in a moment.

So, assigning each letter of the string a numerical value of the sort A=1 where possible and leaving the other characters in place, we are left with the following:

12 24 24 20 > 3 3 13 2 13 17 11 25 22 2 7 19 17 3 17 = 23 ] 15 2 14 20 11

*The unconverted characters have been left in bold.

Because we were given the hint, Tiberius Claudius Caesar says , and because Tiberius Claudius Caesar was the 4th roman emperor, we assume that the Caesar Cipher uses a shift of 4. This would mean that each of the individual letters enciphered was shifted forward 4 places in the alphabet.

Now, consider our above converted string of numbers, subtracting 4 from each entry not in bold. You will be left with the following:

8 20 20 16 > 3 3 9 2 9 13 7 21 18 2 3 15 13 3 13 = 19 ] 11 2 10 16 7

*Again, unaltered characters have been left in bold.

We can now convert this string of numbers back to English, using the standard numerical assignments of (A=1, B=2, C=3 …) . This gives us a nearly complete URL:


Almost there! Now we just have to convert the leftover characters

> 3 3 2 2 3 = ] 2

to a usable format. As noted at the beginning of this section, we can see that > 3 3 likely converts to : / /

This would match up with another sort of +4 shift cipher. Whereas a classical Caesar Cipher only considers alphabetic characters, the conversion of > 3 3 to : / / uses a +4 shift of ASCII Table values. Using the same method as before, we shift the leftover characters > 3 3 2 2 3 = ] 2 by four places on the ASCII Table.

Remember, we’re shifting the ciphertext backwards by four places, even though we’re calling it a +4 shift. This is because it is the original hidden message that was shifted four places forwardsince we’re breaking the code instead of creating it, we’re working in reverse.

The result of this ASCII Table Shift Cipher turns the leftover characters from > 3 3 2 2 3 = ] 2 into

: / / . . / 9 y .

We now have a complete URL of the form


Welcome to the game.