\n\nThis page has been machine-translated from the original page.
\n
I participated in ESCAPE CTF, which was held on 8/5, as part of 0nePadding.
\nIt was a pretty rough CTF where the challenge pages were inaccessible for most of the contest period, but for now I’ll at least leave a quick writeup of the problems I solved.
\nI’m skipping the problems I couldn’t solve for now, since I haven’t been able to find a single writeup for them.
\n\n\n\nThe enemy has spread ransomware on important systems of the country. Please analyze the ransomware and recover the files!
\n
When I decompiled the EXE provided for the challenge in Ghidra, I found that it performs the following operations.
\nint __cdecl _main(int _Argc,char **_Argv,char **_Env)\n\n{\n char data;\n FILE *_File;\n FILE *_File_00;\n int iVar1;\n \n __main();\n _File = _file_open(\"flag.exe\",\"rb\");\n _File_00 = _file_open(\"flag.exe.enc\",\"wb\");\n while( true ) {\n iVar1 = _feof(_File);\n if (iVar1 != 0) break;\n data = _read_data(_File);\n data = _encrypt(data);\n _write_data(_File_00,data);\n }\n _fclose(_File);\n _fclose(_File_00);\n return 0;\n}Apparently, it reads a file named flag.exe one byte at a time, encrypts each byte with the _encrypt function, and writes the result to flag.exe.enc.
The decompiled _encrypt function looked like this.
char __cdecl _encrypt(char param_1)\n{\n byte bVar1;\n \n bVar1 = param_1 + 5U ^ 6;\n return bVar1 + (char)((int)(char)bVar1 / 0xff);\n}Since the logic was simple, I decrypted the encrypted file provided with the challenge using the following script.
\nwith open(\"enc\", \"rb\") as f:\n data = f.read()\n\nwith open(\"flag.exe\", \"wb\") as f:\n for d in data:\n b = (((d^6)-5) & 0xff).to_bytes(1, byteorder=\"big\")\n f.write(b)\n\n# ESCAPE{ransomeware_decrypt_key_get!}Running the decrypted flag.exe gave me the flag.
\n\nFind the flag hidden in the picture
\n
The JPG file provided for the challenge was actually a pcap file.
\nSo I changed the extension and analyzed it with Wireshark.
\nFrom the pcap file, I could see that image files were being exchanged, so I exported the image and performed steganography analysis on it to obtain the flag.
\nThat’s all.
","fields":{"slug":"/ctf-escapectf-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2023-08-06","description":"This is a writeup for ESCAPE CTF 2023.","tags":["CTF (en)","Rev (en)","Forensic (en)","English"],"title":"ESCAPE CTF 2023 Writeup","socialImage":{"publicURL":"/static/c6bf6e3d351797edafd3f95ff64fbabc/ctf-escapectf-2023.png"}}}},"pageContext":{"slug":"/ctf-escapectf-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}