investigation_encoded_2
Problem
We have recovered a binary and 1 file: image01. See what you can make of it. It's also found in /problems/investigation-encoded-2_6_74ebdbfd3962c221df51c8ce5141b275 on the shell server. NOTE: The flag is not in the normal picoCTF{XXX} format.
Solution
Running the binary produces:
Error: file ./flag.txt not found
Let's create a flag with
echo picoctf > flag.txt
and try running again, which just causes a Segmentation fault.
Decompile the binary file using Ghidra (cheat sheet):
encode() function decompiled:
getValue() function decompiled:
save() function decompiled:
Differences from previous challenge, investigation_encoded_1:
The matrix array was replaced with indexTable.
The digits 0-9 (inclusive) are valid for input (the flag can include numbers now). The while loop through the flag adds K (75) if the current character is between '\' and '$', which are the ASCII values for the digits 0-9. Adding K is important because a (97) is subtracted from each character, regardless of whether it's a number or not. 48 is the ASCII value for 0. Adding 75 yields 123 and subtracting the 97 gives 26. This means that 0-25 are the letters a-z and then starting at 26 are the numbers 0-9. Since 97 is always subtracted, only a-z, {, |, }, ~, and any exceptions (0-9 and space) are accepted. However, the characters {, |, }, ~ would get the same encoding as 0, 1, 2, and 3, so they can be ignored.
The program performs some kind of manipulation on the characters before using them as array indices:
There is a login function which will crash the program (this was the cause of the Segmentation fault earlier). It can be skipped over during debugging.
Get indexTable and secret using radare2:
Find the sequences that correspond with each letter using the decode.py script:
Unlike the previous script in investigation_encoded_1, this script makes use of the C word (4 byte) representation of the matrix/indexTable variable instead of the 1 byte representation. To handle this, the * 4 was removed from index and end. The * 4 effectively selected every 4th value, so removing that and only keeping every 4th value is an alternative way to solve this challenge instead of manually updating the 1 byte representation of indexTable as was done in the previous challenge.
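The index arithmetic and the 1-byte versus 4-byte table views described above, as an added Python example that is not the write-up's decode.py. The helper names and SAMPLE_TABLE are constructed for illustration, little-endian 32-bit entries are assumed, and the space exception is left out because its handling is not shown here.

```python
import struct

K = 75        # added to digit characters before the subtraction
A = ord("a")  # 97, subtracted from every character

# Characters the write-up lists as surviving the "- 97" step (space omitted).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789{|}~"

def char_to_index(c):
    """Table index for one flag character, following the write-up's description."""
    code = ord(c)
    if "0" <= c <= "9":
        code += K          # '0' (48) + 75 = 123, so digits land after 'z'
    return code - A

def collisions(chars):
    """Group characters by index; return only indices shared by several characters."""
    groups = {}
    for c in chars:
        groups.setdefault(char_to_index(c), []).append(c)
    return {i: cs for i, cs in groups.items() if len(cs) > 1}

def lookup_bytes(raw, index):
    """1-byte view of a dumped int array: entry i starts at byte offset i * 4.
    Only equals the real entry when the value fits in a single byte."""
    return raw[index * 4]

def lookup_words(raw, index):
    """4-byte view: unpack 32-bit words once, then index without the * 4."""
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    return words[index]

# Constructed sample table (NOT the challenge's indexTable): 36 small ints,
# one per accepted index 0..35, stored the way a C int array is dumped.
SAMPLE_TABLE = struct.pack("<36I", *[(7 * i + 3) % 200 for i in range(36)])

if __name__ == "__main__":
    print({c: char_to_index(c) for c in "az09"})
    print(collisions(ALPHABET))
    i = char_to_index("5")
    print(i, lookup_bytes(SAMPLE_TABLE, i), lookup_words(SAMPLE_TABLE, i))
```
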
Flag
t1m3f1i3500000000000098a9a51