Comment on page

Investigative Reversing 1

Problem

We have recovered a binary and a few images: image, image2, image3. See what you can make of it. There should be a flag somewhere. Its also found in /problems/investigative-reversing-1_4_266adcde17fa2ab2ec454e6c5379ad81 on the shell server.

Solution

  1. 1.
    Run file mystery which shows its is a ELF executable: mystery: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld...
  2. 2.
    Reverse the binary file using Ghidra (cheat sheet). Open it and in the symbol tree click on main. The decompiled main function will show on the right.
    void main(void)
    {
    FILE *__stream;
    FILE *__stream_00;
    FILE *__stream_01;
    FILE *__stream_02;
    long in_FS_OFFSET;
    char local_6b;
    int local_68;
    int local_64;
    int local_60;
    char local_38 [4];
    char local_34;
    char local_33;
    long local_10;
    local_10 = *(long *)(in_FS_OFFSET + 0x28);
    __stream = fopen("flag.txt","r");
    __stream_00 = fopen("mystery.png","a");
    __stream_01 = fopen("mystery2.png","a");
    __stream_02 = fopen("mystery3.png","a");
    if (__stream == (FILE *)0x0) {
    puts("No flag found, please make sure this is run on the server");
    }
    if (__stream_00 == (FILE *)0x0) {
    puts("mystery.png is missing, please run this on the server");
    }
    fread(local_38,0x1a,1,__stream);
    fputc((int)local_38[1],__stream_02);
    fputc((int)(char)(local_38[0] + '\x15'),__stream_01);
    fputc((int)local_38[2],__stream_02);
    local_6b = local_38[3];
    fputc((int)local_33,__stream_02);
    fputc((int)local_34,__stream_00);
    local_68 = 6;
    while (local_68 < 10) {
    local_6b = local_6b + '\x01';
    fputc((int)local_38[local_68],__stream_00);
    local_68 = local_68 + 1;
    }
    fputc((int)local_6b,__stream_01);
    local_64 = 10;
    while (local_64 < 0xf) {
    fputc((int)local_38[local_64],__stream_02);
    local_64 = local_64 + 1;
    }
    local_60 = 0xf;
    while (local_60 < 0x1a) {
    fputc((int)local_38[local_60],__stream_00);
    local_60 = local_60 + 1;
    }
    fclose(__stream_00);
    fclose(__stream);
    if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
    }
    return;
    }
  3. 3.
    We can see that the program opens the flag file, and scatters an encoded version of it across the three image files.
    $ xxd -g 1 mystery.png | tail
    0001e7f0: 82 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 . .. .. .. d.2.!
    0001e800: 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 .. .. .. .B.!#..
    0001e810: 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 .. .. .. d.2.!.
    0001e820: 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 . .. .. .B.!#..
    0001e830: 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 82 .. .. .. d.2.!..
    0001e840: 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 08 .. .. .B.!#.. .
    0001e850: 82 20 08 82 20 08 82 20 64 17 ff ef ff fd 7f 5e . .. .. d......^
    0001e860: ed 5a 9d 38 d0 1f 56 00 00 00 00 49 45 4e 44 ae .Z.8..V....IEND.
    0001e870: 42 60 82 43 46 7b 41 6e 31 5f 38 35 35 36 31 31 B`.CF{An1_855611
    0001e880: 64 33 7d d3}
    $ xxd -g 1 mystery2.png | tail
    0001e7e0: 21 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 !.. .. .. .B.!#.
    0001e7f0: 82 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 . .. .. .. d.2.!
    0001e800: 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 .. .. .. .B.!#..
    0001e810: 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 .. .. .. d.2.!.
    0001e820: 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 . .. .. .B.!#..
    0001e830: 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 82 .. .. .. d.2.!..
    0001e840: 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 08 .. .. .B.!#.. .
    0001e850: 82 20 08 82 20 08 82 20 64 17 ff ef ff fd 7f 5e . .. .. d......^
    0001e860: ed 5a 9d 38 d0 1f 56 00 00 00 00 49 45 4e 44 ae .Z.8..V....IEND.
    0001e870: 42 60 82 85 73 B`..s
    $ xxd -g 1 mystery3.png | tail
    0001e7e0: 21 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 !.. .. .. .B.!#.
    0001e7f0: 82 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 . .. .. .. d.2.!
    0001e800: 08 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 .. .. .. .B.!#..
    0001e810: 20 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 .. .. .. d.2.!.
    0001e820: 82 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 . .. .. .B.!#..
    0001e830: 08 82 20 08 82 20 08 82 20 64 1f 32 12 21 08 82 .. .. .. d.2.!..
    0001e840: 20 08 82 20 08 82 20 08 42 f6 21 23 11 82 20 08 .. .. .B.!#.. .
    0001e850: 82 20 08 82 20 08 82 20 64 17 ff ef ff fd 7f 5e . .. .. d......^
    0001e860: ed 5a 9d 38 d0 1f 56 00 00 00 00 49 45 4e 44 ae .Z.8..V....IEND.
    0001e870: 42 60 82 69 63 54 30 74 68 61 5f B`.icT0tha_
  4. 4.
    The encoding works as follows:
    1. 1.
      Append byte 1 to file 3
    2. 2.
      Add 0x15 to byte 0 and append to file 2
    3. 3.
      Append byte 2 to file 3
    4. 4.
      Append byte 5 to file 3. At the top of the file the variables are listed like so:
      char local_38 [4]; // 4 is length
      char local_34;
      char local_33;
      This means that local_34 will contain the 4th character from flag and local_33 will contain the 5th. So in the below lines the 5th bytes is added then the 4th.
      fputc((int)local_33,__stream_02);
      fputc((int)local_34,__stream_00);
    5. 5.
      Append byte 4 to file 1
    6. 6.
      Append bytes 6 to 9 (inclusive) to file 1
    7. 7.
      Append byte 3 (which has been increased by 4 during the above loop) to file 2
    8. 8.
      Append bytes 10 to 14 (inclusive) to file 3
    9. 9.
      Append bytes 15 to 25 (inclusive) to file 1
  5. 5.
    We need to copy the last 16 bytes from file 1, 2 from file 2, and 8 from file 3 to variable data_1, data_2, data_3 in the script.py, which reverses the scheme explained above.
  6. 6.
    We can reverse this using the script.py and get the flag.

Flag

picoCTF{An0tha_1_855611d3}