PicoCTF - Investigative Reversing 0
tags: PicoCTF, CTF, Misc
Challenge: Investigative Reversing 0
Background
- fputc() - C library function
- C/C++ fread usage and examples
- The return value of fread() in C
- The difference between 1ULL / 1UL / 1L in C
Source code - IDA
:::spoiler source code
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+4h] [rbp-4Ch]
  int j; // [rsp+8h] [rbp-48h]
  FILE *stream; // [rsp+10h] [rbp-40h]
  FILE *v8; // [rsp+18h] [rbp-38h]
  char ptr[40]; // [rsp+20h] [rbp-30h] BYREF
  unsigned __int64 v10; // [rsp+48h] [rbp-8h]

  v10 = __readfsqword(40u);
  stream = fopen("flag.txt", "r");
  v8 = fopen("mystery.png", "a");          // append mode: output lands after the PNG data
  if ( !stream )
    puts("No flag found, please make sure this is run on the server");
  if ( !v8 )
    puts("mystery.png is missing, please run this on the server");
  if ( (int)fread(ptr, 26uLL, 1uLL, stream) <= 0 )   // the flag is 26 bytes long
    exit(0);
  puts("at insert");
  // bytes 0..5 are written unchanged
  fputc(ptr[0], v8);
  fputc(ptr[1], v8);
  fputc(ptr[2], v8);
  fputc(ptr[3], v8);
  fputc(ptr[4], v8);
  fputc(ptr[5], v8);
  // bytes 6..14 are shifted up by 5
  for ( i = 6; i <= 14; ++i )
    fputc((char)(ptr[i] + 5), v8);
  // byte 15 is shifted down by 3
  fputc((char)(ptr[15] - 3), v8);
  // bytes 16..25 are written unchanged
  for ( j = 16; j <= 25; ++j )
    fputc(ptr[j], v8);
  fclose(v8);
  fclose(stream);
  return __readfsqword(40u) ^ v10;
}
```
:::
Exploit
- Analyze the source code: first it opens `mystery.png` and `flag.txt`, and reads 26 characters from `flag.txt`. Then it appends the first 6 characters to `mystery.png` as they are and applies a shift to the others, similar to rot13.
- In addition, observing `mystery.png` in HxD, we seem to get a flag-like string.
- Recover it: the first 6 characters can be copied as-is. `K€k5zsid6` $\to$ `F{f0und_1` by subtracting 5 from each byte according to the ASCII table; `q` $\to$ `t` by adding 3 according to the ASCII table again. The rest of the string is copied as-is. Then we got the flag: $\to$ `picoCTF{f0und_1t_3d659f57}`
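The manual recovery above, as an added solve script (not part of the original writeup). It models the binary's per-byte shifts in `encode()`, inverts them in `decode()`, and reads the appended 26 bytes from the end of the file; the sample bytes are constructed from what HxD shows, assuming the `€` HxD displays is byte `0x80` (`'{' + 5`).

```python
"""Recover the flag the Investigative Reversing 0 binary appends to mystery.png.

Bytes 0-5 are copied, bytes 6-14 are shifted +5, byte 15 is shifted -3 and
bytes 16-25 are copied. fputc() truncates to one byte, hence the & 0xFF.
"""
from pathlib import Path

FLAG_LEN = 26


def encode(flag: bytes) -> bytes:
    """Replicate the binary's transform on a 26-byte flag."""
    assert len(flag) == FLAG_LEN
    out = bytearray(flag[:6])
    out += bytes((b + 5) & 0xFF for b in flag[6:15])
    out.append((flag[15] - 3) & 0xFF)
    out += flag[16:]
    return bytes(out)


def decode(tail: bytes) -> bytes:
    """Invert encode(): subtract 5 from bytes 6-14, add 3 to byte 15."""
    assert len(tail) == FLAG_LEN
    out = bytearray(tail[:6])
    out += bytes((b - 5) & 0xFF for b in tail[6:15])
    out.append((tail[15] + 3) & 0xFF)
    out += tail[16:]
    return bytes(out)


def recover_from_png(path: str) -> bytes:
    """The binary opens mystery.png in append mode, so the data is the last 26 bytes."""
    data = Path(path).read_bytes()
    return decode(data[-FLAG_LEN:])


# Constructed sample: the appended bytes as seen in HxD; 0x80 is the '€' glyph.
APPENDED = b"picoCT" + b"K\x80k5zsid6" + b"q" + b"_3d659f57}"

if __name__ == "__main__":
    flag = decode(APPENDED)
    print(flag.decode())              # picoCTF{f0und_1t_3d659f57}
    assert encode(flag) == APPENDED   # round trip confirms the model of the binary
```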