My Attempt at The Pirate Bay’s Cryptic Webpage – Part 1 of 2

The Pirate Bay, the infamous torrent index site, has recently come back online with a fairly puzzling webpage:

[Image hosted on imgur.com]

It appears that all HTTP requests except for /flipclock.css, /flipclock.min.js, /count.js, and /aes.png direct to that exact page with the following source code:

<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>The Pirate Bay</title>
<style>
html,body {margin: 0;padding: 0;background-color: #000;position: relative;text-align: center;}
video {position: absolute;z-index: 0;top: 0;left: 0;width: 100%;height: 100%;overflow: hidden;}
.count {position: relative;z-index: 2147483647;color: #FFF;width: 625px !important;padding: 0;margin: 0 auto !important;}
.thacode {position: absolute; width: 100%; text-align: center; bottom: 0; z-index: 91723981723;}
</style>
<link rel="stylesheet" href="/flipclock.css" />
<script src="http://code.jquery.com/jquery-1.8.2.min.js"></script>
<script src="/flipclock.min.js"></script>
<script src="/count.js"></script>
</head>
<body>
<video preload loop autoplay muted>
<source src="http://openbay.isohunt.to/img/bg.webm" type="video/webm">
<source src="http://openbay.isohunt.to/img/bg.mp4" type="video/mp4">
</video>
<div class="count"></div>
<div class="thacode"><img src="/aes.png" width="650" /></div>
<script type="text/javascript" src="http://www.adcash.com/ad/display.php?r=287833"></script>
</body>
</html>

Looking at the index page’s source code alone, a few things stand out to me:

  • .count has a z-index of 2147483647, a fairly high number
  • .thacode also has a very high z-index of 91723981723
  • /flipclock.min.js and /count.js
    • clock is counting up
  • advertisement from http://www.adcash.com/ad/display.php?r=287833
  • /aes.png may indicate AES is involved somehow, and the image shows a string that has a high probability of being relevant

Let’s take a look at these. In CSS, the z-index sets the order in which elements are stacked on a webpage – the lowest z-index will be the furthest to the back and the highest z-index will be at the front.

I thought I had recognized 2147483647 from somewhere and it turns out I had seen it before; 2147483647 is the largest possible integer on 32-bit operating systems and the eighth Mersenne prime. On January 19th, 2038 at 3:17:07 GMT, the time_t values on 32-bit machines will be maxed out and therefore set to -2147483647: December 13th, 1901 20:45:52 GMT. Doing a Google search for 131901204552 comes up with nothing. /131901204552 comes up with nothing. /2147483647 comes up with nothing. A Google search of 20381901 (year that it will end + year that it will default to) comes up with irrelevant information.

91723981723 comes up with nothing. Subtracting 2147483647 from it gives 89576498076, a Russian telephone number. Dividing it gives us ~42.7123. 42 is a fairly common pop-culture reference to the Hitchhiker’s Guide to the Galaxy.

It appears I may have hit a dead end and it all may just be a coincidence but I don’t believe in coincidences and I’m confident these numbers are relevant somehow.

FlipClock

Their FlipClock is taken from a GitHub repository published by Justin Kimbrell, a web developer from Noblesville, Indiana and founder of objectivehtml.com. It doesn’t appear that there is any connection between him and TPB, although I wouldn’t take this as a fact.

count.js brought me to something interesting. A Google search of the code brings me to a Stack Overflow question that has one reply on December 10th, 2014 at 21:07 by a user named pjparks. The code is identical to the code in count.js but there’s a catch – it appears pjparks prefers to use spaces to organize his code rather than using indents. The code hosted by TPB is using indents, which may indicate that he was not involved with The Pirate Bay.

flipclock.min.js is commented with 2014-12-12, which means that the creator pulled this version within the last ten days, after the raid. I interpret this as proof supporting the notion that this is a response to the raid.

Speaking of the raid, the timer is counting up and starts at December 9th – the day that The Pirate Bay had a few of their servers seized and became non-functional.

aes.png

JyO7wNzc8xht47QKWohfDVj6Sc2qH+X5tBCT+uetocIJcjQnp/2f1ViEBR+ty0Cz

The above are the characters shown in aes.png, appearing in what looks like the font Comic Sans MS. Wait a second…this looks like a BitTorrent Sync key.

[Image hosted on imgur.com]

Sadly it appears that everyone has read and write access and I’m not the first person to get there – by the time I got there it was full of child pornography, infected files, and more unuseful files. You’d have thought that the creator would have made it read-only.

Now would be the worst time for there to be a 0-day in BitTorrent Sync.

It’s rumored that the key decodes to “You can’t destroy us, expect the ship to arrive in 20 days”, although no proof has been provided yet. If anyone has the WikiLeaks insurance files it may be worth a shot to try that.
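The string from aes.png can be checked structurally before guessing at keys. The following is an added example, not code from the original post or from The Pirate Bay; the helper name triage and the fields it reports are hypothetical, and the only input is the string transcribed above.

```python
import base64
import math
from collections import Counter

# The string transcribed from aes.png on this page.
AES_PNG_TEXT = "JyO7wNzc8xht47QKWohfDVj6Sc2qH+X5tBCT+uetocIJcjQnp/2f1ViEBR+ty0Cz"


def triage(text: str) -> dict:
    """Report what the decoded bytes alone can support (hypothetical helper)."""
    # validate=True rejects characters outside the standard Base64 alphabet,
    # so a transcription error from the image fails loudly instead of silently.
    raw = base64.b64decode(text, validate=True)
    n = len(raw)

    # AES works on 16-byte blocks; block-mode ciphertext is a multiple of 16.
    blocks = [raw[i:i + 16] for i in range(0, n - n % 16, 16)]

    # Sample Shannon entropy in bits per byte; capped at log2(n) for n bytes.
    counts = Counter(raw)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())

    return {
        "bytes": n,
        "aes_block_aligned": n % 16 == 0,
        "blocks": len(blocks),
        # Identical blocks would hint at ECB mode over repetitive plaintext.
        "repeated_blocks": len(blocks) - len(set(blocks)),
        # True only if Base64 alone yields readable ASCII, i.e. no cipher at all.
        "plain_ascii": all(0x20 <= b < 0x7F for b in raw),
        "entropy_bits_per_byte": round(entropy, 3),
    }


if __name__ == "__main__":
    for key, value in triage(AES_PNG_TEXT).items():
        print(f"{key}: {value}")
```

The string decodes to 48 bytes, exactly three 16-byte blocks with no repeats, and the bytes are not readable ASCII, so Base64 decoding alone does not yield a message. That is consistent with block-cipher output but does not prove it, and it says nothing about the key or mode.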

I’ve been working at this for roughly five hours trying a plethora of things but am unsure of what it might be – I’ve compiled a fairly lengthy list of what it isn’t, though. I haven’t completed my analysis so expect a part two sometime in the near future.
