Investigative Reversing 0

Description
We have recovered a binary and an image. See what you can make of it. There should be a flag somewhere.
We now have two files, mystery and mystery.png.
I started with the analysis of the image file. For that purpose I used a hex editor.


We can clearly see the flag, but it is encoded. Now let's check the binary file.
To decompile the binary you can use any tool. I am using
    int32_t main(int32_t argc, char** argv, char** envp)
    {
        void* fsbase;
        int64_t rax = *(fsbase + 0x28);
        FILE* fp = fopen("flag.txt", u"r…");
        FILE* fp_1 = fopen("mystery.png", u"a…");
        if (!fp)
            puts("No flag found, please make sure …");
        if (!fp_1)
            puts("mystery.png is missing, please r…");
        char buf;
        if (fread(&buf, 0x1a, 1, fp) <= 0)
        {
            exit(0);
            /* no return */
        }
        puts("at insert");
        fputc(buf, fp_1);
        char var_37;
        fputc(var_37, fp_1);
        char var_36;
        fputc(var_36, fp_1);
        char var_35;
        fputc(var_35, fp_1);
        char var_34;
        fputc(var_34, fp_1);
        char var_33;
        fputc(var_33, fp_1);
        for (int32_t i = 6; i <= 0xe; i += 1)
            fputc((&buf)[i] + 5, fp_1);
        char var_29;
        fputc(var_29 - 3, fp_1);
        for (int32_t i_1 = 0x10; i_1 <= 0x19; i_1 += 1)
            fputc((&buf)[i_1], fp_1);
        fclose(fp_1);
        fclose(fp);
        int64_t rax_32 = rax ^ *(fsbase + 0x28);
        if (!rax_32)
            return rax_32;
        __stack_chk_fail();
        /* no return */
    }
The program opens flag.txt, reads 26 bytes from it, and writes a manipulated version to mystery.png.
Key processing:
Bytes 0–5 are written as-is.
Bytes 6–14 are incremented by 5 before being written.
Byte 15 is decremented by 3 before being written.
Bytes 16–25 are written as-is.
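We have the encoded version of the flag, so we can write a simple Python script to recover the original flag:

    # Encoded flag as copied from the hex editor
    encFlag = "picoCTK.k5zsid6q_d1deedaa}"
    flagSplit = [x for x in encFlag]
    # Bytes 6-14 were incremented by 5, so subtract 5
    for i in range(6, 15):
        flagSplit[i] = chr(ord(flagSplit[i]) - 5)
    # Byte 15 was decremented by 3, so add 3
    flagSplit[15] = chr(ord(flagSplit[15]) + 3)
    print("".join(flagSplit))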