Download free game
Note: This walkthrough represents a complete spoiler. Do not read ahead if you do not want to have answers revealed to you. If you have any questions or feedback, e-mail me at firstname.lastname@example.org
1. Start of game. Fill in the appropriate information in the New Game Dialog. When you close the Dialog, you will cause an "Access Violation" in Kernel32.dll.
1. Crash Dialog - The error detail contains a hidden message. Double-click the red X, double-click the text box, and push the Debug button once. Then close the dialog.
2. Read the first e-mail. Tell Cash that you will assist him by replying to his message - put the word "YES" somewhere in the reply.
3. Read the next group of e-mails and all the information found in the database. Using the "Status Change" e-mail, you should be able to get the Peter Dubin's meeting location at "9 Villiers Street". Do an internet search for "9 Villiers Street". We know that the contact was British from the "Update" e-mail. Eliminating non-British page hits should lead you to "The Griffin Tavern".
4. Enter "The Griffin Tavern" into the database. Get the name of the tavern's owner, Wallace Grundle. Enter Grundle's name into the database. Close the database dialog.
5. Open the next e-mail from Cash. He has attached a document found in Grundle's office. The document contains a series of numbers. Entering the number sequences in a search engine should produce information about various royalty in England. Each set of numbers represents a date. The document is actually a roster of aliases for informants that report to Grundle.
6. Enter Henry VIII into the database. This will produce the name Erle Glowfast. Enter Erle Glowfast into the database. Read Glowfast's profile.
7. Handle the Instant Message conversation.
8. Open the Telnet window. Telnet to the IP address contained in the intercepted e-mail from Glowfast to Grundle (the originating server): 188.8.131.52. Once logged in, use the L:P of jrembrandt:torch. jrembrandt is just a consolidation of one of Glowfast's aliases. Torch is the code name for the invasion of Algiers in 1942 by the British where Glowfast won a Medal of Honor for Bravery.
9. Once logged in to the server, download all the files. Examine default.htm. You should find two hidden files in the HTML source. Unhide these files on the server by changing the attributes. Download the two new files. You should also notice what appears to be an encrypted sequence of characters in the middle of the HTML code. The note.txt file mentions the need to decrypt an intercepted message using the same specialist that created their encryption algorithms the year before. It mentions Sharif Watomba as the only way to get to Dr. Cortan, the encryption expert.
10. Look up Watomba in the database. Read the e-mail that Cash sends you, and then look up the encryption sequence he wants in the database. To find Watomba you need to collect the 10 cities he has recently been to. The first six cities are mentioned in the Watomba information in the database, as well as in note.txt and watomba.nfo. The data contained in watomba.nfo is a list of all ten cities, by name and by number and letter. The numbers in parentheses are degrees. Using a map, draw a line from the two cities along the degrees specified to find the third city. The combination of the 3rd cities along the degrees specified finds the 10th city. You should find the following cities from East to West:
11. Send a mail to Cash with the encryption sequence: vabnrevemogabspslnmd
12. Once watomba is found, player is given a picture called coran.bmp. This picture contains the office of Dr. Cortan (in the Gul building). Cash asks for the street address and city name. The clues are: 1) phone number contains 91-33-xxx-xxxx which is city code for Calcutta, India. 2) The street name "Raja" can be found on a street sign on the corer. 3) The address 111 and 109 are found on the surrounding buildings on the awnings (these are tough to see unless you are observant). Send an e-mail to Cash with the address:
110 Raja Street, Calcutta, India.
13. Read the e-mail from Emma Gray. You learn that she is actually an agent for the CIA investigating the potential spy Peter Dubin. Cash's life is in danger but you cannot warn him.
14. Cash finds Dr. Cortan's office. Cortan is not there, but his computer contains a java program file with the letters E.I.R. in the comments. This is the program used to encrypt the message found on Glowfast's server home page. You need to figure out what the program code does, and reverse engineer the encryption sequence.
15. To decipher the program's logic, you need to first straighten out all indentation, brackets, etc... The code should be much more readable this way. Then follow through the program code line by line. Notice how many variables are initialized in the beginning and then reinitialized later on. You can throw out the first initializations. Some variables are modified using the increment and decrement operators. The encryption algorithm is as follows: 1) add extra character after every 3rd character, 2) reverse each block of 4 characters, 3) Add 1 to each character's ascii value producing a new character.
The encoded string:
The unencoded string:
Download info.dat. Rename to info.zip. The zip password is "Manchester United".
16. Go back to Glowfast's server and unhide the info.dat file. Rename to info.zip and extract the files using the password "Manchester United". You should find the file news.bmp and sample.bmp. Sample.bmp contains a picture of a waterway, news.bmp contains a text note.
17. The text note contains a hidden message. Paint the note black to reveal the message: : I've attached a picture of the new warehouse in Venice. When you get there we can discuss how to move the equipment to HQ. We will need to arrange transport for the hazardous materials and also avoid any naval interferences along the way. I've encoded additional information in the picture that you will need. Remember, multiply street address by 3X.
18. Using the information found in news.bmp, unencode the message in sample.bmp. The encoded message is located in the bottom left as a string of colors. The message is encoded as follows:
Letter ASCII Code X 2 (refer to database info on EIR regarding 2X char. encoding in encrypted images)
A 65 = 130
B 66 = 132
C 67 = 134
The word "ABC" forms the RGB color 130,132,134.
Getting the RGB values for all the colors, dividing them by two, should product all letters of the hidden message. The message says: "The warehouse is located at 152 Piazza Roma. The gate security code is 88372651."
19. Per the instructions in news.bmp, multiply the street address by 3X to find the real address, which is 456 Piazza Roma. Send Cash the corrected message.
20. Cash will send you an e-mail from the EIR's warehouse describing the contents and telling you about the Trierge MicroSystems security panel guarding the front door. He has recorded the activation sequence but cannot seem to get it to work. He has attached the recording so you can work on it.
21. Telnet to www.trierge.com. Save all the files and load index.htm in your browser. Read the scrolling marquee text. Send an e-mail to email@example.com to get a demo of their latest sound activated security panel, Bach Bite. You will receive an authorization form. Reply to the NDA with the code at the top of the e-mail (83A95TG6331). You will receive an e-mail confirming your demo. The demo will activate once you close the e-mail.
22. The demo is limited to 3 notes only. You need more notes. Notice the bach.cfg file in the game directory. We need to replace the Key=eval with a valid key. Go back to the Trierge home page - the marquee mentions the Bach Bite "Find the Easter Egg Contest" - there is an Easter Egg in the security demo that we need to find. Ctrl-Double Right Click on the Trierge logo. This should activate the Easter Egg put in by the design team. One of the QA personnel put a web site address in the Easter Egg.
23. Telnet to the web site address: www.hackers.r.us.com found in the Easter Egg. Download readme.txt. The author of the file, Cedric Potter, was fired from Trierge for advertising his web site in the Easter Egg. He is upset at Trierge. Using the e-mail address he provided, firstname.lastname@example.org, e-mail him and ask him if he has anything related to Trierge or to Bach Bite. He will send you a small home-made program he wrote that generates keys for the Bach Bite demo. Use the license key it generates: 7X5K-34B-1001Q. Enter this key in the Key= section of the bach.cfg. Restart the Bach demo. This should register the product and give you unlimited notes.
24. The musical encryption sequence is as follows: There are 13 wav files assigned to various numbers. the wav file that plays is a combination of the current number AND the prior two numbers. If there are not 2 prior numbers, then those values are 0. The wav files are assigned as follows:
0 1 2 = 6.wav
3 = 12.wav
4 5 6 = 2.wav
7 8 9 = 7.wav
10 = 1.wav
11 12 13 = 9.wav
14 = 13.wav
15 16 17 = 4.wav
18 = 10.wav
19 20 21 = 8.wav
22 = 11.wav
23 24 25 26 = 3.wav
27 = 5.wav
Analyze each note in the activation.wav file and you should be able to create a sequence of numbers that will produce the correct sequence. The important trick here is that no one ever said the activation sequence had to start with the first note played...
Sound order is: 1 7 2 9 8 3 8 9 2 2 7 9 1 13
More than 1 key sequence can trigger the correct sound order.
One possible key sequence is:
25. Close the window after finding the sequence. Handle the Instant Message that comes in. You will next receive an e-mail from inside the secure area of the warehouse.
26. The "Got In" e-mail gives you two files. Open the "New Ips.txt" file. It explains that many of the Ips for the system had to be changed due to a hacker break in, but that some of the Ips are still accessible from the outside. You need to find one of the accessible Ips and telnet to it. The ones that have been changed are listed in the document - you can deduce one of the unchanged Ips from the range that is provided. Telnet to 184.108.40.206 to get into the system. You do not have the correct login or password information at this time - but save the "old pws.txt" file for future use.
27. Open the e-mail from Emma Gray. She needs your help to break into the Personnel Room. Save the attachment "warehouse.bmp" and study it carefully. It has three main pieces of information on it: dimension data to help calculate the right amount of liquid nitrogen, office numbers, and IP address extensions.
28. Calculate the liquid nitrogen mixture as follows:
Room 2420 - 14520 square feet (72")
Subtract objects (height of object in parentheses):
Plant 7.0685 14.137 (24")
Plant 7.0685 14.137 (24")
Desk 43 107.500 (30")
Post 4 24 (72")
2 Sm Files 108 540 (5')
2 Med Files 156 780 (5')
2 Large Files 216 1080 (5')
11960.226 cubic feet below 72"
We need 1 oz for every 150 cubit feet for space, so 11960.226 / 150 = 79.73484 oz.
Next, we need to convert oz to ml. Use the U.S. conversion (as opposed to the Imperial conversion):
29.5737 ml/ fluid oz. 79.73484 * 29.5737 = 2358.0542 ml. Reply to Gray with 2358 ml.
29. Once in the File Room, Gray will find two documents, a phone extension list and one page from a phone bill. Use the phone extension list to match up the office of the person that use IP address 220.127.116.11. This is possible because the last digit of each IP is listed on the warehouse diagram along with the room number. The computer that we broke into is located in Office 311, occuppied by Alexander Karov. E-mail Cash and tell him to go to Office 311. Save Cash's reply for step 31.
30. Examining the phone extension list further should reveal the name "Victor Straus", a.k.a. Peter Dubin, at extension x2331. It should be clear at this point the Peter is a spy working for the EIR. Using the phone bill, you will see numerous calls made by Dubin from x2331, all to the number 44-20-7235-6040. This number will produce the name of the Sheraton Belgravia Hotel in London on most search engines. Reply to Gray and tell her to go to the Sheraton Belgravia.
31. Cash replies from Karov's office, telling you that the computer network name taped to the side of the computer is TAHITI. He also tells you that based on the operating system, the system's startup directory is located at "C:/WINNT/Documents and Settings/All Users/Start Menu/Programs/Startup". If a program can be placed into the startup directory, it will launch when Karov next starts his computer. Cash wants to place a small decoy password dialog box in the startup so that Karov will enter his name and password into it the next time he loads his system. The only problem is that the network logon is locked. If you can get in through the web interface by telnetting, you will be able to place the file where you need to.
32. First, figure out the login name and password. The login is uncomplicated, just "akarov". The password can be obtained by examining the list of expired passwords from step 26. TAHITI lists 3 old passwords: 2T3H5V7E1N1E, 1o3H1E7E1N9I, 2T3H2o9E3E1E. The "old pws.txt" file also mentions that some people used sequences in their passwords. That is the case here as well. You must determine the 4th password in the sequence. The sequence works as follows:
Numbers and letters are alternating. The numbers are the sequence of prime numbers from 1 to 31. The letters are determined as follows: spell out the number before the letter, and then take the character from the spelled out number that corresponds to the placement of the letter in the password (1st, 2nd, 3rd...). Therefore, the first number in PW1 is "TWO", so take "T". The fourth number in PW1 is "SEVEN", so take "E". If the spelled out number is too short, just wrap back to the first letter. To make things more difficult, letters with curves in them are lower case, while letters with only straight lines are upper case.
Therefore, the last password is: 3T7E4u1o4F3T
33. Once into the system, save the index.html file to disk. The file contains a simple HTML FORM that uploads files onto Karov's system. Notice the 'action' attribute which determines where the data is being sent: http://18.104.22.168/Documents and Settings/Karov/Web Uploads/dl.asp?action=upload.
Internet servers can specify a particular IP address to start in an actual directory. So in this case, Karov has chosen C:/WINNT/ as his web directory (not too intelligent - but Karov is using his system for dev purposes so his motives are unclear).
You need to modify the file so that the post goes not to the "Web Uploads" directory, but to the "Startup" directory instead. Therefore, change the action parameter so the new page reads:
action='http://22.214.171.124/Documents and Settings/All Users/Start Menu/Programs/Startup/dl.asp?action=upload'
Save the file and upload it to the server. Cash will be able to place his decoy .exe in the Startup directory through the web interface.
34. Open Cash's next e-mail. He has been able to get into Karov's desktop, and finds a file that contains some notes and the time 11:30. The clue leads to the Marco Polo airport in Venice. E-mail Cash and tell him to go to the Marco Polo airport.
35. Once Cash gets to the airport, he will find the EIR cargo bay and obtain a flight plan that contains distances between cities, but no destinations. We need to find where the plane is headed. Starting from Venice, find the chain of cities until you find the final destination:
0 0 km Venice, Italy
1 944 km Barcelona, Spain
2 1220 km Casablanca, Morocco
3 2304 km Dakar, Senegal
4 2999 km Natal, Brazil
5 2038 km Rio de Janeiro, Brazil
Send Cash an e-mail and tell him to go to Rio de Janeiro.
36. While Cash is travelling to Brazil, open the last e-mail sent by Gray at the Sheraton Belgravia. You learn that Glowfast and Dubin were communicating from Room 410 last October 4. You also find out that the hotel has an automated voice message system that can be accessed over the internet by hotel guests for convenience. The voice message system will activate when you close the e-mail.
37. Open the messaging system. The first step is to find the correct login and password. Unfortunately, there is no available password, so we will need to create our own login and password by hacking the belgravia.dll file located in the game directory. Open the .dll file in notepad. Find the two sections of code that say:
These two lines of code are where the passwords are obtained from. Currently, they call functions that obtain the id and password from the main server. We can hack this code and change it to the following:
You can use any id and password to get into the system. Restart the message utility. Now that we are in the system, we are assigned a random room since the server does not recognize us. The second step is to obtain system admin mode. Find the line of code that says:
Change this to read:
Restart the system. You should be in admin mode now. Go to room 410 and get the messages. You should find that there are no messages. That is because we are not looking for the correct date. We need message placed last October 4, 2000.
Step three is to change the console's date. Close the message dialog and click on the console date. Enter October 4, 2000. Restart the dialog. Go to Room 410. Obtain the messages.
The first message mentions that work on the missile site has begun, and that you need mask "0xC0C0C0" to obtain further information. Write this down for later. The second message gives you an address: "113 Chaucer Road". Send Gray to this address via e-mail.
38. Once in Glowfast's apartment, save the file that contains the picture of the image Gray found. This image contains a message in color mask 0xC0C0C0(192,192,192). To find the message, you will need to remove all other colors. You can do this by transpaently copying the picture to a new location where the background color contains one of the foreground colors from the picture. Once copied, then paint the background white. Grab a new color and paint it to another section of the screen. Copy the image to this section again. Paint the background white. Repeat until all colors are gone EXCEPT for 192,192,192. The hidden message gives two clues: 1) zip password is 'freedom' and 2) use sb1-4. Save this information for later.
39. Cash has now made it to Rio. He needs help penetrating the outer defenses of the EIR base. Using the map provided, time all the guards' movements so that you can travel from A to B to C to D in the quickest time possible. At no time can any guard be within 100 yards of your path while you are travelling. It is assumed that they can see the entire path when they are within 100 yards of it. Solving this puzzle requires you to track the guards movements until you find a block of time large enough to travel from point to point without being seen. The cameras in the final block work the same way - just write down when they are on and when they are off until you find a block of time to travel in. Choose only the fastest time. The solution is:
9:07:20 9:10:30 9:14:30
40. Once inside the compound, you must disable the security system. It resets every minute or so so you have to be quick. To disable the security system, press the following keys in the designated order:
41. Once the security system is disabled... open the e-mail from Cash and send an e-mail to email@example.com containing the location of the launch site and the clearance code:
BRAVO TANGO ZULU RODEO CHARLIE NINER ECHO
This will order an immediate air strike of the missile facility.
42. Open the e-mails from Hart and from Gray. Your coordinates were wrong. How did this happen? You need to contact Cash and straighten things out. Use one of his e-mail addresses and e-mail him immediately.
43. After the second e-mail to Cash, it is clear he is no where to be found... Open the e-mail from Gray. The special ops team found the HQ and raided it. The only thing they found was a disk full of data in an encrypted zip file. Use the password obtained in step 38 to unlock the zip: "freedom".
44. Once you have unlocked the zip, you can extract sb1.dat, sb2.dat, sb3.dat, and sb4.dat. Once again, step 38 provides a clue here. You need to use sb1-sb4 to solve the puzzle. sb1 - sb4 are actually all part of the same file split into 4 parts. You need to combine the files to solve the puzzle.
Examining sb3.dat in a text or binary editor will reveal that it starts with the characters "BM". These bits signify the beginning of a bitmap image (.bmp). Combine the files using an editor that does not change the binary data in the following order: sb3, sb1, sb4, sb2. Once all files are combined into one, save the file and rename it to have a .bmp extension. Open the file in any bmp viewer.
45. The new bitmap contains a surveillance photograph for the missile site, along with the actual coordinates that the site is at. Send an immediate e-mail to Gray with the new coordinates: 14:12:03S 51:36:05W.
46. At this point you have completed Spy! Unfortunately, you have been aiding a terrorist all along. John Cash used you to obtain the missiles - now that he has them, you are no longer of use to him. You'll need to catch him in J.D. Spy II!