Investigative Reversing 4
We have recovered a binary and 5 images: image01, image02, image03, image04, image05. See what you can make of it. There should be a flag somewhere. It's also found in /problems/investigative-reversing-4_6_f5c1435d5f45ad042614888d32091beb on the shell server.
Reverse the binary file using a decompiler. Open it and, in the symbol tree, click on main. The decompiled main function will be shown on the right.
```c++
undefined8 main(void)

{
  size_t sVar1;
  undefined4 local_4c;
  undefined local_48 [52];
  int local_14;
  FILE *local_10;

  flag = local_48;
  local_4c = 0;
  flag_index = &local_4c;
  local_10 = fopen("flag.txt","r");
  if (local_10 == (FILE *)0x0) {
    puts("No flag found, please make sure this is run on the server");
  }
  sVar1 = fread(flag,0x32,1,local_10);
  local_14 = (int)sVar1;
  if (local_14 < 1) {
    puts("Invalid Flag");
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  fclose(local_10);
  encodeAll();
  return 0;
}
```
The program spreads the flag across the five ".bmp" image files provided in the challenge. For each image the program:

1. Jumps to offset 2019 bytes and encodes a byte of the flag using LSB in 8 bytes of the original image file.
2. Skips 4 bytes by copying 4 bytes from the original image file.
However, the actual encoding program implements these steps in a slightly more complicated way. It performs a loop 50 times. If the interval tracking variable is divisible by 5, it loops through and writes 8 bits of the flag. If the interval tracking variable is not divisible by 5, the program writes a value from the original image. This has the same effect as the steps above.
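The layout described above, modelled and reversed in Python. This is an added example, not the write-up's own decoding script. It assumes least-significant-bit-first ordering within each flag byte (the page does not state the bit order), works on in-memory byte strings rather than the challenge files, and uses hypothetical function names with constructed sample data.

```python
OFFSET = 2019      # where the encoded region starts in each image (from the write-up)
ITERATIONS = 50    # loop count per image (from the write-up)

def embed(carrier: bytes, chunk: bytes) -> bytes:
    """Model of the described encoder, used here only to build sample data."""
    out, pos, k = bytearray(carrier), OFFSET, 0
    for i in range(ITERATIONS):
        if i % 5 == 0:                      # every 5th iteration hides one flag byte
            for bit in range(8):            # ASSUMPTION: least significant bit first
                out[pos] = (out[pos] & 0xFE) | ((chunk[k] >> bit) & 1)
                pos += 1
            k += 1
        else:
            pos += 1                        # byte copied unchanged from the original
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Read back the 10 bytes hidden in one image."""
    if len(stego) < OFFSET + 120:           # 10 * 8 carrier bytes + 40 copied bytes
        raise ValueError("image too short to hold the encoded region")
    out, pos = bytearray(), OFFSET
    for i in range(ITERATIONS):
        if i % 5 == 0:
            value = 0
            for bit in range(8):            # same bit-order assumption as embed()
                value |= (stego[pos] & 1) << bit
                pos += 1
            out.append(value)
        else:
            pos += 1                        # skip the byte that carries no data
    return bytes(out)

def recover(images) -> bytes:
    """Concatenate the chunks from the images, in order."""
    return b"".join(extract(img) for img in images)

# Constructed sample data: five synthetic carriers and a 50-byte stand-in secret.
SAMPLE = b"constructed sample, not the challenge flag".ljust(50, b".")
CARRIERS = [bytes((i * 7 + n) % 256 for i in range(2200)) for n in range(5)]
STEGO = [embed(c, SAMPLE[n * 10:(n + 1) * 10]) for n, c in enumerate(CARRIERS)]

if __name__ == "__main__":
    print(recover(STEGO).decode())
```

Each image carries 10 flag bytes in a 120-byte region, so the five images together hold the 50 bytes that `main` reads from flag.txt.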
picoCTF{N1c3_R3ver51ng_5k1115_000000000002eea28cd}
Run the decoding to get the flag.