PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
  • Binary Exploitation
    • L1im1tL355
    • messy-malloc
    • OverFlow 2
    • CanaRy
    • NewOverFlow-1
    • NewOverFlow-2
    • sice_cream
    • seed-sPRiNG
    • leap-frog
    • GoT
    • rop64
    • rop32
    • Ghost_Diary
    • zero_to_hero
    • Challenge Name
    • Heap overflow
    • slippery-shellcode
    • AfterLife
    • SecondLife
    • stringzz
  • Cryptography
    • la cifra de
    • b00tl3gRSA2
    • b00tl3gRSA3
    • AES-ABC
    • john_pollard
    • b00tl3gRSA2
    • waves over lambda
  • Forensics
    • What Lies Within
    • m00nwalk
    • shark on wire 1
    • shark on wire 2
    • Glory of the Garden
    • pastaAAA
    • Investigative Reversing 0
    • Investigative Reversing 1
    • extensions
    • investigation_encoded_1
    • Investigative Reversing 2
    • investigation_encoded_2
    • Investigative Reversing 3
    • like1000
    • Investigative Reversing 4
    • WebNet0
    • B1g_Mac
    • m00nwalk 2
    • WebNet1
    • WhitePages
    • So Meta
    • c0rrupt
  • Web Exploitation
    • Java Script Kiddie 2
    • Empire1
    • Empire2
    • cereal hacker 1
    • Empire3
    • cereal hacker 2
    • Java Script Kiddie
    • JaWT Scratchpad
    • Irish-Name-Repo 1
    • Irish-Name-Repo 2
    • Irish-Name-Repo 3
  • Reverse Engineering
    • Time's Up, Again!
    • Forky
    • droids0
    • Challenge Name
    • droids1
    • droids2
    • droids3
    • reverse_cipher
    • droids4
    • B1ll_Gat35
    • Time's Up
    • Time's Up, For the Last Time!
    • asm1
    • asm2
    • asm3
    • asm4
  • Challenge Name
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag

Was this helpful?

Edit on Git
  1. Forensics

Investigative Reversing 1

PreviousInvestigative Reversing 0Nextextensions

Last updated 4 years ago

Was this helpful?

Problem

We have recovered a binary and a few images: image, image2, image3. See what you can make of it. There should be a flag somewhere. Its also found in /problems/investigative-reversing-1_4_266adcde17fa2ab2ec454e6c5379ad81 on the shell server.

Solution

  1. Run file mystery which shows its is a ELF executable: mystery: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld...

  2. Reverse the binary file using (). Open it and in the symbol tree click on main. The decompiled main function will show on the right.

     void main(void)

 {
 FILE *__stream;
 FILE *__stream_00;
 FILE *__stream_01;
 FILE *__stream_02;
 long in_FS_OFFSET;
 char local_6b;
 int local_68;
 int local_64;
 int local_60;
 char local_38 [4];
 char local_34;
 char local_33;
 long local_10;

 local_10 = *(long *)(in_FS_OFFSET + 0x28);
 __stream = fopen("flag.txt","r");
 __stream_00 = fopen("mystery.png","a");
 __stream_01 = fopen("mystery2.png","a");
 __stream_02 = fopen("mystery3.png","a");
 if (__stream == (FILE *)0x0) {
     puts("No flag found, please make sure this is run on the server");
 }
 if (__stream_00 == (FILE *)0x0) {
     puts("mystery.png is missing, please run this on the server");
 }
 fread(local_38,0x1a,1,__stream);
 fputc((int)local_38[1],__stream_02);
 fputc((int)(char)(local_38[0] + '\x15'),__stream_01);
 fputc((int)local_38[2],__stream_02);
 local_6b = local_38[3];
 fputc((int)local_33,__stream_02);
 fputc((int)local_34,__stream_00);
 local_68 = 6;
 while (local_68 < 10) {
     local_6b = local_6b + '\x01';
     fputc((int)local_38[local_68],__stream_00);
     local_68 = local_68 + 1;
 }
 fputc((int)local_6b,__stream_01);
 local_64 = 10;
 while (local_64 < 0xf) {
     fputc((int)local_38[local_64],__stream_02);
     local_64 = local_64 + 1;
 }
 local_60 = 0xf;
 while (local_60 < 0x1a) {
     fputc((int)local_38[local_60],__stream_00);
     local_60 = local_60 + 1;
 }
 fclose(__stream_00);
 fclose(__stream);
 if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                     /* WARNING: Subroutine does not return */
     __stack_chk_fail();
 }
 return;
 }

  3. We can see that the program opens the flag file, and scatters an encoded version of it across the three image files.

     $ xxd -g 1 mystery.png | tail
 0001e7f0: 82 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21  . .. .. .. d.2.!
 0001e800: 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82  .. .. .. .B.!#..
 0001e810: 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08   .. .. .. d.2.!.
 0001e820: 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20  . .. .. .B.!#.. 
 0001e830: 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 82  .. .. .. d.2.!..
 0001e840: 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 08   .. .. .B.!#.. .
 0001e850: 82 20 08 82 20 08 82 20 64 17 ff ef ff fd 7f 5e  . .. .. d......^
 0001e860: ed 5a 9d 38 d0 1f 56 00 00 00 00 49 45 4e 44 ae  .Z.8..V....IEND.
 0001e870: 42 60 82 43 46 7b 41 6e 31 5f 38 35 35 36 31 31  B`.CF{An1_855611
 0001e880: 64 33 7d                                         d3}
 $ xxd -g 1 mystery2.png | tail
 0001e7e0: 21 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11  !.. .. .. .B.!#.
 0001e7f0: 82 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21  . .. .. .. d.2.!
 0001e800: 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82  .. .. .. .B.!#..
 0001e810: 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08   .. .. .. d.2.!.
 0001e820: 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20  . .. .. .B.!#.. 
 0001e830: 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 82  .. .. .. d.2.!..
 0001e840: 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 08   .. .. .B.!#.. .
 0001e850: 82 20 08 82 20 08 82 20 64 17 ff ef ff fd 7f 5e  . .. .. d......^
 0001e860: ed 5a 9d 38 d0 1f 56 00 00 00 00 49 45 4e 44 ae  .Z.8..V....IEND.
 0001e870: 42 60 82 85 73                                   B`..s
 $ xxd -g 1 mystery3.png | tail
 0001e7e0: 21 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11  !.. .. .. .B.!#.
 0001e7f0: 82 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21  . .. .. .. d.2.!
 0001e800: 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82  .. .. .. .B.!#..
 0001e810: 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08   .. .. .. d.2.!.
 0001e820: 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20  . .. .. .B.!#.. 
 0001e830: 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 82  .. .. .. d.2.!..
 0001e840: 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 08   .. .. .B.!#.. .
 0001e850: 82 20 08 82 20 08 82 20 64 17 ff ef ff fd 7f 5e  . .. .. d......^
 0001e860: ed 5a 9d 38 d0 1f 56 00 00 00 00 49 45 4e 44 ae  .Z.8..V....IEND.
 0001e870: 42 60 82 69 63 54 30 74 68 61 5f                 B`.icT0tha_

  4. The encoding works as follows:

    1. Append byte 1 to file 3

    2. Add 0x15 to byte 0 and append to file 2

    3. Append byte 2 to file 3

    4. Append byte 5 to file 3. At the top of the file the variables are listed like so:

       char local_38 [4]; // 4 is length
 char local_34;
 char local_33;

      This means that local_34 will contain the 4th character from flag and local_33 will contain the 5th. So in the below lines the 5th bytes is added then the 4th.

       fputc((int)local_33,__stream_02);
 fputc((int)local_34,__stream_00);

    5. Append byte 4 to file 1

    6. Append bytes 6 to 9 (inclusive) to file 1

    7. Append byte 3 (which has been increased by 4 during the above loop) to file 2

    8. Append bytes 10 to 14 (inclusive) to file 3

    9. Append bytes 15 to 25 (inclusive) to file 1

  5. We need to copy the last 16 bytes from file 1, 2 from file 2, and 8 from file 3 to variable data_1, data_2, data_3 in the , which reverses the scheme explained above.

  6. We can reverse this using the and get the flag.

Flag

picoCTF{An0tha_1_855611d3}

Binary
Image 1
Image 2
Image 3
Ghidra
cheat sheet
script.py
script.py