Investigative Reversing 0

Description

We have recovered a binary and an image. See what you can make of it. There should be a flag somewhere.

Now we have two files mystery and mystery.png

I staretd with the analysis on the image file . For that purpose i used aperisolve and hexeditor

Aperisolve

HexEditor

we can clearly see it the flag but it is encoded. Hmm...Now lets check the binary file

In order to decompile binary you can use any tool . I am using dogbolt

int32_t main(int32_t argc, char** argv, char** envp)
{
    void* fsbase;
    int64_t rax = *(fsbase + 0x28);
    FILE* fp = fopen("flag.txt", u"r…");
    FILE* fp_1 = fopen("mystery.png", u"a…");
    
    if (!fp)
        puts("No flag found, please make sure …");
    
    if (!fp_1)
        puts("mystery.png is missing, please r…");
    
    char buf;
    
    if (fread(&buf, 0x1a, 1, fp) <= 0)
    {
        exit(0);
        /* no return */
    }
    
    puts("at insert");
    fputc(buf, fp_1);
    char var_37;
    fputc(var_37, fp_1);
    char var_36;
    fputc(var_36, fp_1);
    char var_35;
    fputc(var_35, fp_1);
    char var_34;
    fputc(var_34, fp_1);
    char var_33;
    fputc(var_33, fp_1);
    
    for (int32_t i = 6; i <= 0xe; i += 1)
        fputc((&buf)[i] + 5, fp_1);
    
    char var_29;
    fputc(var_29 - 3, fp_1);
    
    for (int32_t i_1 = 0x10; i_1 <= 0x19; i_1 += 1)
        fputc((&buf)[i_1], fp_1);
    
    fclose(fp_1);
    fclose(fp);
    int64_t rax_32 = rax ^ *(fsbase + 0x28);
    
    if (!rax_32)
        return rax_32;
    
    __stack_chk_fail();
    /* no return */
}

• The program opens flag.txt, reads 26 bytes from it, and writes a manipulated version to mystery.png.

• Key processing:

  • Bytes 6–14 are incremented by 5 before being written.

  • 15^th Byte is decremented by 3 before being written.

  • Bytes 16–25 are written as-is.

We have the encoded version of flag, now we can write a simple python script to get the original flag

encFlag="picoCTK.k5zsid6q_d1deedaa}"
flagSplit= [x for x in encFlag]
for i in range(6,15):
    flagSplit[i] = chr(ord(flagSplit[i])-5)

flagSplit[15] = chr(ord(flagSplit[15])+3)


print("".join(flagSplit))