Investigative Reversing 1
Problem
We have recovered a binary and a few images: image, image2, image3. See what you can make of it. There should be a flag somewhere. Its also found in /problems/investigative-reversing-1_4_266adcde17fa2ab2ec454e6c5379ad81 on the shell server.
Solution
Run
file mystery
which shows its is a ELF executable:mystery: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld
...Reverse the binary file using Ghidra (cheat sheet). Open it and in the symbol tree click on main. The decompiled main function will show on the right.
void main(void) { FILE *__stream; FILE *__stream_00; FILE *__stream_01; FILE *__stream_02; long in_FS_OFFSET; char local_6b; int local_68; int local_64; int local_60; char local_38 [4]; char local_34; char local_33; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); __stream = fopen("flag.txt","r"); __stream_00 = fopen("mystery.png","a"); __stream_01 = fopen("mystery2.png","a"); __stream_02 = fopen("mystery3.png","a"); if (__stream == (FILE *)0x0) { puts("No flag found, please make sure this is run on the server"); } if (__stream_00 == (FILE *)0x0) { puts("mystery.png is missing, please run this on the server"); } fread(local_38,0x1a,1,__stream); fputc((int)local_38[1],__stream_02); fputc((int)(char)(local_38[0] + '\x15'),__stream_01); fputc((int)local_38[2],__stream_02); local_6b = local_38[3]; fputc((int)local_33,__stream_02); fputc((int)local_34,__stream_00); local_68 = 6; while (local_68 < 10) { local_6b = local_6b + '\x01'; fputc((int)local_38[local_68],__stream_00); local_68 = local_68 + 1; } fputc((int)local_6b,__stream_01); local_64 = 10; while (local_64 < 0xf) { fputc((int)local_38[local_64],__stream_02); local_64 = local_64 + 1; } local_60 = 0xf; while (local_60 < 0x1a) { fputc((int)local_38[local_60],__stream_00); local_60 = local_60 + 1; } fclose(__stream_00); fclose(__stream); if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return; }
We can see that the program opens the flag file, and scatters an encoded version of it across the three image files.
$ xxd -g 1 mystery.png | tail 0001e7f0: 82 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 . .. .. .. d.2.! 0001e800: 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 .. .. .. .B.!#.. 0001e810: 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 .. .. .. d.2.!. 0001e820: 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 . .. .. .B.!#.. 0001e830: 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 82 .. .. .. d.2.!.. 0001e840: 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 08 .. .. .B.!#.. . 0001e850: 82 20 08 82 20 08 82 20 64 17 ff ef ff fd 7f 5e . .. .. d......^ 0001e860: ed 5a 9d 38 d0 1f 56 00 00 00 00 49 45 4e 44 ae .Z.8..V....IEND. 0001e870: 42 60 82 43 46 7b 41 6e 31 5f 38 35 35 36 31 31 B`.CF{An1_855611 0001e880: 64 33 7d d3} $ xxd -g 1 mystery2.png | tail 0001e7e0: 21 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 !.. .. .. .B.!#. 0001e7f0: 82 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 . .. .. .. d.2.! 0001e800: 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 .. .. .. .B.!#.. 0001e810: 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 .. .. .. d.2.!. 0001e820: 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 . .. .. .B.!#.. 0001e830: 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 82 .. .. .. d.2.!.. 0001e840: 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 08 .. .. .B.!#.. . 0001e850: 82 20 08 82 20 08 82 20 64 17 ff ef ff fd 7f 5e . .. .. d......^ 0001e860: ed 5a 9d 38 d0 1f 56 00 00 00 00 49 45 4e 44 ae .Z.8..V....IEND. 0001e870: 42 60 82 85 73 B`..s $ xxd -g 1 mystery3.png | tail 0001e7e0: 21 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 !.. .. .. .B.!#. 0001e7f0: 82 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 . .. .. .. d.2.! 0001e800: 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 .. .. .. .B.!#.. 0001e810: 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 .. .. .. d.2.!. 0001e820: 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 . .. .. .B.!#.. 0001e830: 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 82 .. .. .. d.2.!.. 0001e840: 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 08 .. .. .B.!#.. . 0001e850: 82 20 08 82 20 08 82 20 64 17 ff ef ff fd 7f 5e . .. .. d......^ 0001e860: ed 5a 9d 38 d0 1f 56 00 00 00 00 49 45 4e 44 ae .Z.8..V....IEND. 0001e870: 42 60 82 69 63 54 30 74 68 61 5f B`.icT0tha_
The encoding works as follows:
Append byte 1 to file 3
Add
0x15
to byte 0 and append to file 2Append byte 2 to file 3
Append byte 5 to file 3. At the top of the file the variables are listed like so:
char local_38 [4]; // 4 is length char local_34; char local_33;
This means that
local_34
will contain the 4th character from flag andlocal_33
will contain the 5th. So in the below lines the 5th bytes is added then the 4th.fputc((int)local_33,__stream_02); fputc((int)local_34,__stream_00);
Append byte 4 to file 1
Append bytes 6 to 9 (inclusive) to file 1
Append byte 3 (which has been increased by 4 during the above loop) to file 2
Append bytes 10 to 14 (inclusive) to file 3
Append bytes 15 to 25 (inclusive) to file 1
We need to copy the last 16 bytes from file 1, 2 from file 2, and 8 from file 3 to variable
data_1
,data_2
,data_3
in the script.py, which reverses the scheme explained above.We can reverse this using the script.py and get the flag.
Flag
picoCTF{An0tha_1_855611d3}
Last updated
Was this helpful?