investigation_encoded_2
We have recovered a binary and 1 file: image01. See what you can make of it. It's also found in /problems/investigation-encoded-2_6_74ebdbfd3962c221df51c8ce5141b275 on the shell server. NOTE: The flag is not in the normal picoCTF{XXX} format.
Running the binary produces: Error: file ./flag.txt not found
Let's create a flag with echo picoctf > flag.txt and try running again, which just causes a Segmentation fault.
Decompile the binary file using ():
encode() function decompiled:
getValue() function decompiled:
save() function decompiled:
Differences from previous challenge, investigation_encoded_1:
The matrix array was replaced with indexTable.
The digits 0-9 (inclusive) are valid for input (the flag can include numbers now). The while loop through the flag adds K (75) if the current character is between '\' and '$', which are the ASCII values for the digits 0-9. Adding K is important because a (97) is subtracted from each character, regardless of whether it's a number or not. 48 is the ASCII value for 0. Adding 75 yields 123 and subtracting the 97 gives 26. This means that 0-25 are the letters a-z and the numbers 0-9 start at 26. Since 97 is always subtracted, only a-z, {, |, }, ~, and any exceptions (0-9 and space) are accepted. However, the characters {, |, }, ~ would get the same encoding as 0, 1, 2, and 3, so they can be ignored.
The program performs some kind of manipulation on the characters before using them as array indices:
There is a login function which will crash the program (this was the cause of the Segmentation fault earlier). It can be skipped over during debugging.
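The digit handling described in the differences above, written out as an added Python example (not code from the original writeup or the challenge binary). The function names are hypothetical, and space is left out because its handling is not described here.

```python
K = 75            # added to digit characters first (value given in the writeup)
BASE = ord("a")   # 97, subtracted from every character


def char_to_index(c):
    """Table index for one flag character, following the description above.
    Space is rejected: its handling is not described here (assumption)."""
    code = ord(c)
    if "0" <= c <= "9":
        code += K                      # '0' (48) + 75 = 123
    if not BASE <= code <= BASE + 35:
        raise ValueError(f"character {c!r} is outside the encoder's alphabet")
    return code - BASE                 # a-z -> 0-25, 0-9 -> 26-35


def index_to_char(i):
    """Inverse used when decoding; 26-29 resolve to digits, not to { | } ~."""
    if 0 <= i <= 25:
        return chr(BASE + i)
    if 26 <= i <= 35:
        return chr(ord("0") + i - 26)
    raise ValueError(f"index {i} is outside 0-35")


def collisions(alphabet):
    """Group characters that share an index, keeping only real collisions."""
    groups = {}
    for c in alphabet:
        groups.setdefault(char_to_index(c), []).append(c)
    return {i: chars for i, chars in groups.items() if len(chars) > 1}


if __name__ == "__main__":
    import string
    alphabet = string.ascii_lowercase + string.digits + "{|}~"
    for i, chars in sorted(collisions(alphabet).items()):
        print(i, chars)
```

Because the encoding cannot distinguish { from 0 (and so on), a decoder has to pick one character per index; choosing the digit matches the statement above that the punctuation can be ignored.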
Get indexTable and secret using radare2:
Find the sequences that correspond with each letter using the script:
Unlike the previous script in investigation_encoded_1, this script makes use of the C word (4 byte) representation of the matrix/indexTable variable instead of the 1 byte representation. To handle this, the * 4 was removed from index and end. The * 4 effectively selected every 4th value, so removing that and only keeping every 4th value is an alternative way to solve this challenge instead of manually updating the 1 byte representation of indexTable as was done in the previous challenge.
Run to get Flag: t1m3f1i3500000000000098a9a51. The script is the exact same as in investigation_encoded_1, except the decoded_dict and flag_encoded were replaced.
t1m3f1i3500000000000098a9a51