Investigative Reversing 3
We have recovered a binary and an image. See what you can make of it. There should be a flag somewhere. It's also found in /problems/investigative-reversing-3_1_8670aba71322d7b19d278027f10f2935 on the shell server.
Reverse the binary file using (). Open it and, in the symbol tree, click on main. The decompiled main function will show on the right.
The flag is encoded using LSB encoding, similarly to the previous challenge. However, this time the encoding starts from offset 0x2d3,
and every ninth byte of the image is left as-is. In essence, 8 bits of payload are encoded in the LSBs of 8 bytes of the image, and then one byte of the original image is placed as-is.
The encoding script accomplishes the above by looping the following 100 times:
  If (local_74 & 1) == 0
  (if the last bit of the current iteration index is 0; this effectively alternates between the if and else clauses on each iteration):
    Loop 8 times (write 8 bits, i.e. 1 byte, of the flag into 8 of every 9 bytes of the image):
      Write a bit of the flag to the LSB of the current byte in the image. The division by 2 in local_48[(int)local_74 / 2]
      is necessary because every other iteration of the outer 100-times loop leaves a byte of the regular image alone. Since the looping variable is twice the required value, it is divided by
  Else (every other iteration):
    Write a byte of the original image as-is
The above is reflected in the reversal.
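As an added example (not the challenge's own encoder and not the write-up's decode script), the 9-byte layout described above, offset 0x2d3 and 100 outer iterations, modelled as a small encoder with the matching LSB extractor, run on a constructed cover image. The MSB-first bit order within each flag byte is an assumption the page does not state.

```python
import random

OFFSET = 0x2D3                  # first image byte carrying payload (from the write-up)
OUTER_ITERS = 100               # outer loop count in the encoder (from the write-up)
PAYLOAD_LEN = OUTER_ITERS // 2  # only even iterations carry a flag byte -> 50 bytes


def encode(image: bytearray, payload: bytes) -> bytearray:
    """Even outer iteration: 8 payload bits into the LSBs of 8 consecutive bytes.
    Odd outer iteration: one image byte is left exactly as it was."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError(f"expected exactly {PAYLOAD_LEN} payload bytes")
    out = bytearray(image)
    pos = OFFSET
    for i in range(OUTER_ITERS):
        if (i & 1) == 0:                    # the (local_74 & 1) == 0 branch
            c = payload[i // 2]             # the local_74 / 2 index
            for bit in range(8):
                b = (c >> (7 - bit)) & 1    # MSB-first bit order (assumption)
                out[pos] = (out[pos] & 0xFE) | b
                pos += 1
        else:
            pos += 1                        # original byte kept as-is
    return out


def decode(image: bytes) -> bytes:
    """Inverse of encode(): walk the same 9-byte pattern, rebuilding one flag byte per pair."""
    payload = bytearray()
    pos = OFFSET
    for i in range(OUTER_ITERS):
        if (i & 1) == 0:
            c = 0
            for _ in range(8):
                c = (c << 1) | (image[pos] & 1)
                pos += 1
            payload.append(c)
        else:
            pos += 1                        # skip the untouched byte
    return bytes(payload)


# Constructed cover "image": deterministic pseudo-random bytes, large enough for the layout.
COVER = bytearray(random.Random(1).getrandbits(8) for _ in range(OFFSET + 9 * OUTER_ITERS))
SAMPLE_FLAG = b"picoCTF{" + b"X" * (PAYLOAD_LEN - 9) + b"}"   # constructed 50-byte payload


def roundtrip(flag: bytes = SAMPLE_FLAG) -> bytes:
    return decode(encode(COVER, flag))


def untouched_bytes_preserved(flag: bytes = SAMPLE_FLAG) -> bool:
    stego = encode(COVER, flag)   # every ninth byte after OFFSET must equal the cover byte
    return all(stego[OFFSET + 9 * k + 8] == COVER[OFFSET + 9 * k + 8] for k in range(PAYLOAD_LEN))
```

Pointing decode() at the real image bytes (with the bit order checked against the decompiled loop) yields the flag below.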
Run the and get the flag.
picoCTF{4n0th3r_L5b_pr0bl3m_0000000000000dbd98691}