PicoCTF - Investigative Reversing 0

tags: PicoCTF CTF Misc

Challenge: Investigative Reversing 0

Background

Source code - IDA

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+4h] [rbp-4Ch]
  int j; // [rsp+8h] [rbp-48h]
  FILE *stream; // [rsp+10h] [rbp-40h]
  FILE *v8; // [rsp+18h] [rbp-38h]
  char ptr[40]; // [rsp+20h] [rbp-30h] BYREF
  unsigned __int64 v10; // [rsp+48h] [rbp-8h]

  v10 = __readfsqword(40u);
  stream = fopen("flag.txt", "r");
  v8 = fopen("mystery.png", "a");
  if ( !stream )
    puts("No flag found, please make sure this is run on the server");
  if ( !v8 )
    puts("mystery.png is missing, please run this on the server");
  if ( (int)fread(ptr, 26uLL, 1uLL, stream) <= 0 )
    exit(0);
  puts("at insert");
  fputc(ptr[0], v8);
  fputc(ptr[1], v8);
  fputc(ptr[2], v8);
  fputc(ptr[3], v8);
  fputc(ptr[4], v8);
  fputc(ptr[5], v8);
  for ( i = 6; i <= 14; ++i )
    fputc((char)(ptr[i] + 5), v8);
  fputc((char)(ptr[15] - 3), v8);
  for ( j = 16; j <= 25; ++j )
    fputc(ptr[j], v8);
  fclose(v8);
  fclose(stream);
  return __readfsqword(40u) ^ v10;
}

Exploit

  1. Analyze the source code

    First, it opens flag.txt and mystery.png and reads 26 bytes from flag.txt.

    Then it appends the first 6 characters unchanged to mystery.png and applies a small byte shift, in the spirit of ROT13, to some of the following bytes (the code adds 5 to bytes 6 to 14, subtracts 3 from byte 15, and copies the remaining 10 bytes as they are).

  2. In addition, opening mystery.png in HxD shows that the bytes appended at the end of the file look like a flag.

  3. Recover it. The first 6 characters can be copied as they are.

    K€k5zsid6 → F{f0und_1 by subtracting 5 from each byte (ASCII table)

    q → t by adding 3 (ASCII table again)

    The rest of the string is copied as it is again.

    Then we get the flag →

    picoCTF{f0und_1t_3d659f57}
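As an added example that is not part of the original writeup, the following Python script automates step 3: it re-implements the byte transform from the decompiled main() (copy 6 bytes, add 5 to bytes 6 to 14, subtract 3 from byte 15, copy the last 10), implements its inverse, and reads the 26 appended bytes from the tail of mystery.png, where they land because the binary opens the file in append mode. The function names, the constructed SAMPLE_TAIL bytes and the fake PNG bytes in the demo are my own assumptions; the byte 0x80 that HxD displays as € is simply '{' + 5.

```python
# Added example, not from the original writeup: the byte transform that the
# decompiled main() applies to the 26 flag bytes, its inverse, and a helper
# that pulls the appended bytes off the end of mystery.png.
import os
import tempfile

FLAG_LEN = 26  # fread(ptr, 26, 1, stream) in the decompiled main()


def encode_flag(flag: bytes) -> bytes:
    """What the binary writes: bytes 0-5 copied, 6-14 plus 5, 15 minus 3, 16-25 copied."""
    if len(flag) != FLAG_LEN:
        raise ValueError(f"expected {FLAG_LEN} bytes, got {len(flag)}")
    out = bytearray()
    for i, b in enumerate(flag):
        if 6 <= i <= 14:
            out.append((b + 5) & 0xFF)  # (char)(ptr[i] + 5): wraps at 8 bits
        elif i == 15:
            out.append((b - 3) & 0xFF)  # (char)(ptr[15] - 3)
        else:
            out.append(b)               # fputc(ptr[i], v8) unchanged
    return bytes(out)


def decode_flag(tail: bytes) -> bytes:
    """Inverse of encode_flag: undo the +5 / -3 shifts on the same index ranges."""
    if len(tail) != FLAG_LEN:
        raise ValueError(f"expected {FLAG_LEN} bytes, got {len(tail)}")
    out = bytearray()
    for i, b in enumerate(tail):
        if 6 <= i <= 14:
            out.append((b - 5) & 0xFF)
        elif i == 15:
            out.append((b + 3) & 0xFF)
        else:
            out.append(b)
    return bytes(out)


def recover_from_png(path: str) -> str:
    """mystery.png was opened with fopen(..., "a"), so the 26 bytes sit after the
    real PNG data; read only the last 26 bytes of the file and decode them."""
    with open(path, "rb") as f:
        f.seek(-FLAG_LEN, os.SEEK_END)
        tail = f.read(FLAG_LEN)
    return decode_flag(tail).decode("ascii")


# Constructed sample of the file tail as HxD shows it: 0x80 is '{' + 5, which
# the hex editor's text pane renders as the euro sign.
SAMPLE_TAIL = b"picoCTK\x80k5zsid6q_3d659f57}"


def demo_round_trip() -> str:
    """Write a fake mystery.png (placeholder PNG bytes plus SAMPLE_TAIL) to a temp
    file and recover the flag from it, returning the recovered string."""
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"  # not a real image
    fd, path = tempfile.mkstemp(suffix=".png")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(fake_png + SAMPLE_TAIL)
        return recover_from_png(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo_round_trip())  # prints the flag recovered from the constructed file
```

Run it against the real mystery.png with recover_from_png("mystery.png"); the masking on each index range is reversed without having to read the ASCII table by hand, and the encode side lets you confirm the decompiled logic against the bytes you actually see in the hex editor.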