{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-pico-ctf-2024-en","result":{"data":{"markdownRemark":{"id":"95e70fe4-8ab1-5565-b02e-8908ea51e240","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-pico-ctf-2024\">original page</a>.</p>\n</blockquote>\n<p>We participated in picoCTF 2024, held in March, as team 0nePadding and placed 64th out of 6,957 teams.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9904ece8a976e426c281cf842dc90bae/12bff/image-20240427112204206.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 31.666666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA4ElEQVQY03XQ20rDQBDG8X0awaL4An1dUUFFeuddPVTR9lbojUYlqYd2TZp0l+za5O+UeGhquvBjmJlvblYVzkNR/leWeF+ipwVuVpALmxbMXbVruvE2Rz3oMUGsCZIGceU21NyNNPcfa3Lf2eHbC6p9c8zG1R6b1wdif0nVt3qHbHc77HRP2Lo8qu1Wtc53UYPXkP57RH+8QmYDqadPI84WHiMunv/mvzdLtRcGKPxc/oRm8j4dmExaK41jfXYh96hpmpEZw8zYmkwYa5iklmiSonVMItlqZ2q5n5mOE74ALN+xJkP0M14AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9904ece8a976e426c281cf842dc90bae/8ac56/image-20240427112204206.webp 240w,\n/static/9904ece8a976e426c281cf842dc90bae/d3be9/image-20240427112204206.webp 480w,\n/static/9904ece8a976e426c281cf842dc90bae/e46b2/image-20240427112204206.webp 960w,\n/static/9904ece8a976e426c281cf842dc90bae/6ed01/image-20240427112204206.webp 1032w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n       
     srcset=\"/static/9904ece8a976e426c281cf842dc90bae/8ff5a/image-20240427112204206.png 240w,\n/static/9904ece8a976e426c281cf842dc90bae/e85cb/image-20240427112204206.png 480w,\n/static/9904ece8a976e426c281cf842dc90bae/d9199/image-20240427112204206.png 960w,\n/static/9904ece8a976e426c281cf842dc90bae/12bff/image-20240427112204206.png 1032w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9904ece8a976e426c281cf842dc90bae/d9199/image-20240427112204206.png\"\n            alt=\"image-20240427112204206\"\n            title=\"image-20240427112204206\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>As usual, this writeup focuses on the Rev and Forensic challenges.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#packerrev\">packer(Rev)</a></li>\n<li><a href=\"#factcheckrev\">FactCheck(Rev)</a></li>\n<li><a href=\"#winantidbg0x100rev\">WinAntiDbg0x100(Rev)</a></li>\n<li><a href=\"#winantidbg0x200rev\">WinAntiDbg0x200(Rev)</a></li>\n<li><a href=\"#winantidbg0x300rev\">WinAntiDbg0x300(Rev)</a></li>\n<li><a 
href=\"#classic-crackme-0x100rev\">Classic Crackme 0x100(Rev)</a></li>\n<li><a href=\"#weirdsnakerev\">weirdSnake(Rev)</a></li>\n<li><a href=\"#scan-surpriseforensic\">Scan Surprise(Forensic)</a></li>\n<li><a href=\"#verifyforensic\">Verify(Forensic)</a></li>\n<li><a href=\"#canyouseeforensic\">CanYouSee(Forensic)</a></li>\n<li><a href=\"#secret-of-the-polyglotforensic\">Secret of the Polyglot(Forensic)</a></li>\n<li><a href=\"#mob-psychoforensic\">Mob psycho(Forensic)</a></li>\n<li><a href=\"#endianness-v2forensic\">endianness-v2(Forensic)</a></li>\n<li><a href=\"#blast-from-the-pastforensic\">Blast from the past(Forensic)</a></li>\n<li><a href=\"#dear-diaryforensic\">Dear Diary(Forensic)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"packerrev\" style=\"position:relative;\"><a href=\"#packerrev\" aria-label=\"packerrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>packer(Rev)</h2>\n<blockquote>\n<p>Reverse this linux executable?</p>\n</blockquote>\n<p>The ELF binary provided for this challenge was, as the title suggests, packed with UPX.</p>\n<p>So, I unpacked it with upx.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 826px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/535cc9e40d8025cea9be937953e0f3e3/6a6e9/image-20240316215027169.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    
<span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 24.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABEUlEQVQY011P2VLCQBDMi4AaLS2ViCLmAAm5byDBxBBMASnvosr//5F2dzwefOiamd7tnh7B6uqw+ibcgQ1PMmGIJpZqhvdgjY9oi/U4R34douhHqOQZ6mEG73AEqyXD3ddgtxXYrW/wWSh6AXLJh7unwOtoTJQgvwqwixt8zp/J+NWrsUsavPk1zQ83MQq2JDk1aBGfy9sEPlskxIycnplELuUpMsmjB57mnhl7B0NUyhyLS5/4FevTrguuC8Q7xCeTHxj0V3DaKraTgk6bnVvYsFoOEjLc6AXSCwdPdoUXZ4VFz8ejllKy8GhMJzod9Q90MjdqzJISckHAPobHOqXhvS+OKEnEOF55il8x7//jCzmdlj91uX7sAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/535cc9e40d8025cea9be937953e0f3e3/8ac56/image-20240316215027169.webp 240w,\n/static/535cc9e40d8025cea9be937953e0f3e3/d3be9/image-20240316215027169.webp 480w,\n/static/535cc9e40d8025cea9be937953e0f3e3/40616/image-20240316215027169.webp 826w\"\n              sizes=\"(max-width: 826px) 100vw, 826px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/535cc9e40d8025cea9be937953e0f3e3/8ff5a/image-20240316215027169.png 240w,\n/static/535cc9e40d8025cea9be937953e0f3e3/e85cb/image-20240316215027169.png 480w,\n/static/535cc9e40d8025cea9be937953e0f3e3/6a6e9/image-20240316215027169.png 826w\"\n            sizes=\"(max-width: 826px) 100vw, 826px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/535cc9e40d8025cea9be937953e0f3e3/6a6e9/image-20240316215027169.png\"\n            alt=\"image-20240316215027169\"\n            title=\"image-20240316215027169\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Analyzing the unpacked 
binary revealed an embedded flag string in hexdump form.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/42753537d65c9e96a5de4a6f753179f7/20f89/image-20240316215557854.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 48.33333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/42753537d65c9e96a5de4a6f753179f7/8ac56/image-20240316215557854.webp 240w,\n/static/42753537d65c9e96a5de4a6f753179f7/d3be9/image-20240316215557854.webp 480w,\n/static/42753537d65c9e96a5de4a6f753179f7/e46b2/image-20240316215557854.webp 960w,\n/static/42753537d65c9e96a5de4a6f753179f7/68f19/image-20240316215557854.webp 1213w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/42753537d65c9e96a5de4a6f753179f7/8ff5a/image-20240316215557854.png 240w,\n/static/42753537d65c9e96a5de4a6f753179f7/e85cb/image-20240316215557854.png 480w,\n/static/42753537d65c9e96a5de4a6f753179f7/d9199/image-20240316215557854.png 960w,\n/static/42753537d65c9e96a5de4a6f753179f7/20f89/image-20240316215557854.png 1213w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/42753537d65c9e96a5de4a6f753179f7/d9199/image-20240316215557854.png\"\n            alt=\"image-20240316215557854\"\n            title=\"image-20240316215557854\"\n            
loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Decoding that gave us the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/279315387ec2c0b893c51318bd5f7435/19a6b/image-20240316215545512.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 24.166666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAtklEQVQY04XQ204DIRCAYd7/9fRCo0lbdZs9RNmywEA5/BJbG5ULJ/kyzATCgJo+RjY5cfLrhdNf9aIn7h/vWN5n9Krx4nHedfyPtQSPep4fmN3AZN86w7pnMWM7JIhIyx7x1yxy812nlFA2GCS1RnK93G6OGxSg8itqrZ1SCqrUQi6ZXP9ovbYF6y2v4wvm+h0Xa3ueEEMkhHATY0TxT/hoOegnjtuewewYth1Hc+Ccz22qftJPEKmDwyZB5JEAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/279315387ec2c0b893c51318bd5f7435/8ac56/image-20240316215545512.webp 240w,\n/static/279315387ec2c0b893c51318bd5f7435/d3be9/image-20240316215545512.webp 480w,\n/static/279315387ec2c0b893c51318bd5f7435/e46b2/image-20240316215545512.webp 960w,\n/static/279315387ec2c0b893c51318bd5f7435/812c2/image-20240316215545512.webp 1191w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/279315387ec2c0b893c51318bd5f7435/8ff5a/image-20240316215545512.png 240w,\n/static/279315387ec2c0b893c51318bd5f7435/e85cb/image-20240316215545512.png 480w,\n/static/279315387ec2c0b893c51318bd5f7435/d9199/image-20240316215545512.png 
960w,\n/static/279315387ec2c0b893c51318bd5f7435/19a6b/image-20240316215545512.png 1191w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/279315387ec2c0b893c51318bd5f7435/d9199/image-20240316215545512.png\"\n            alt=\"image-20240316215545512\"\n            title=\"image-20240316215545512\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"factcheckrev\" style=\"position:relative;\"><a href=\"#factcheckrev\" aria-label=\"factcheckrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>FactCheck(Rev)</h2>\n<blockquote>\n<p>This binary is putting together some important piece of information… Can you uncover that information?\nExamine this file. 
Do you understand its inner workings?</p>\n</blockquote>\n<p>Analyzing the challenge binary revealed that it produces no output, but constructs the flag in memory.</p>\n<p>I used gdb to trace the execution up to the point where the flag is expanded in memory, and retrieved the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 819px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/50023513012fa0d2c1c3e3d48aa2292c/97655/image-20240316223819489.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 49.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/50023513012fa0d2c1c3e3d48aa2292c/8ac56/image-20240316223819489.webp 240w,\n/static/50023513012fa0d2c1c3e3d48aa2292c/d3be9/image-20240316223819489.webp 480w,\n/static/50023513012fa0d2c1c3e3d48aa2292c/6d63c/image-20240316223819489.webp 819w\"\n              sizes=\"(max-width: 819px) 100vw, 819px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/50023513012fa0d2c1c3e3d48aa2292c/8ff5a/image-20240316223819489.png 240w,\n/static/50023513012fa0d2c1c3e3d48aa2292c/e85cb/image-20240316223819489.png 480w,\n/static/50023513012fa0d2c1c3e3d48aa2292c/97655/image-20240316223819489.png 819w\"\n            sizes=\"(max-width: 819px) 100vw, 819px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/50023513012fa0d2c1c3e3d48aa2292c/97655/image-20240316223819489.png\"\n            alt=\"image-20240316223819489\"\n            
title=\"image-20240316223819489\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"winantidbg0x100rev\" style=\"position:relative;\"><a href=\"#winantidbg0x100rev\" aria-label=\"winantidbg0x100rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>WinAntiDbg0x100(Rev)</h2>\n<blockquote>\n<p>This challenge will introduce you to ‘Anti-Debugging.’ Malware developers don’t like it when you attempt to debug their executable files because debugging these files reveals many of their secrets! 
That’s why, they include a lot of code logic specifically designed to interfere with your debugging process.\nNow that you’ve understood the context, go ahead and debug this Windows executable!\nThis challenge binary file is a Windows console application and you can start with running it using cmd on Windows.\nChallenge can be downloaded here.</p>\n</blockquote>\n<p>This was the first challenge in the Windows anti-debugging series.</p>\n<p>Analyzing the binary shows it checks the return value of <code class=\"language-text\">IsDebuggerPresent</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 897px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2f438e830a58c4d8d02436af48bde6ea/3a737/image-20240316230341350.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 70.83333333333333%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACR0lEQVQ4y41TWW7bMBTUaWKttERxFanVdtoCQYv8NPc/yXTIxAbSFkU/Bk+i9JaZNyz224Ht2LAsC+OBddsR+TzPMyIxhYBpmnIM/4FiuswYvUZTV5DGQsYDat6hp4B+HHneoGs7NFWNsiyJ6iP+HUW8rTDBMqmFdwpLMIhWYp4clnlBYOEQIwyfFSeo6/qfKNwyYbQqvyitEEjXOgc9Dhg54fl8hiC6YcioquoT/iiYKXOy8lQyWcAYBcMGSnYYRgnJokPf81sPSfSEkmwkzjm2ZHaiDKfTKaO4ff+C5bJCKQXnLG6XHW8/XvD6fODlemBZV1IO8H7K9J11jFyS9zkaY3KuYuMUi+PbNRe0/GCswbHO+Pn1gjfi9bph3zZsRKR+MUTMH9iWFTO1TTo756GZr7VG4Y8IaUdUZdKkREfanZkg3ISWHRtSTFRK6nPHido9PT19woPy/Py+5bZp0BBCCHpxwXHdcdzoSU6sSHM0LttKk7pUmhqKrGOOXFrKfd/yyh/MmA/uh0YKXGeFI0hs0WLdSZn0Ei01qrwY0YlstbSUrutyXtp6Ebhl5XQu1uaCDYzqcVkcLjM1pa32S1oO7cRFKOolOXGXCrJQmjIVr+8Tzs8bbHS5UMWD1DFZx3mL4A281bxSE7fsMeZtKnp0hBxktk2KaeKHD/0WsrG7toHXPW+K5RYd4ka7LDHbYbQWA+l2QuRrKDhZmi41b5v2Qfeh4aBp4F5QL43JDCw8wJKWzR7TkKTZ871mcrqvv9+We7EUfwEAG8ChwLsIIQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2f438e830a58c4d8d02436af48bde6ea/8ac56/image-20240316230341350.webp 240w,\n/static/2f438e830a58c4d8d02436af48bde6ea/d3be9/image-20240316230341350.webp 480w,\n/static/2f438e830a58c4d8d02436af48bde6ea/10735/image-20240316230341350.webp 897w\"\n              sizes=\"(max-width: 897px) 100vw, 897px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2f438e830a58c4d8d02436af48bde6ea/8ff5a/image-20240316230341350.png 240w,\n/static/2f438e830a58c4d8d02436af48bde6ea/e85cb/image-20240316230341350.png 480w,\n/static/2f438e830a58c4d8d02436af48bde6ea/3a737/image-20240316230341350.png 897w\"\n            sizes=\"(max-width: 897px) 100vw, 897px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2f438e830a58c4d8d02436af48bde6ea/3a737/image-20240316230341350.png\"\n            alt=\"image-20240316230341350\"\n            
title=\"image-20240316230341350\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Since this is a classic technique, I patched the binary to bypass the check and then used a debugger to obtain the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7886d85d2dabfdda3c6422610e99406b/d1882/image-20240316235033054.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 28.750000000000004%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7886d85d2dabfdda3c6422610e99406b/8ac56/image-20240316235033054.webp 240w,\n/static/7886d85d2dabfdda3c6422610e99406b/d3be9/image-20240316235033054.webp 480w,\n/static/7886d85d2dabfdda3c6422610e99406b/e46b2/image-20240316235033054.webp 960w,\n/static/7886d85d2dabfdda3c6422610e99406b/f992d/image-20240316235033054.webp 1440w,\n/static/7886d85d2dabfdda3c6422610e99406b/3626e/image-20240316235033054.webp 1562w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7886d85d2dabfdda3c6422610e99406b/8ff5a/image-20240316235033054.png 240w,\n/static/7886d85d2dabfdda3c6422610e99406b/e85cb/image-20240316235033054.png 480w,\n/static/7886d85d2dabfdda3c6422610e99406b/d9199/image-20240316235033054.png 960w,\n/static/7886d85d2dabfdda3c6422610e99406b/07a9c/image-20240316235033054.png 
1440w,\n/static/7886d85d2dabfdda3c6422610e99406b/d1882/image-20240316235033054.png 1562w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7886d85d2dabfdda3c6422610e99406b/d9199/image-20240316235033054.png\"\n            alt=\"image-20240316235033054\"\n            title=\"image-20240316235033054\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"winantidbg0x200rev\" style=\"position:relative;\"><a href=\"#winantidbg0x200rev\" aria-label=\"winantidbg0x200rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>WinAntiDbg0x200(Rev)</h2>\n<blockquote>\n<p>If you have solved WinAntiDbg0x100, you’ll discover something new in this one. Debug the executable and find the flag!\nThis challenge executable is a Windows console application, and you can start by running it using Command Prompt on Windows.\nThis executable requires admin privileges. 
You might want to start Command Prompt or your debugger using the ‘Run as administrator’ option.\nChallenge can be downloaded here.</p>\n</blockquote>\n<p>Reading the binary revealed two anti-debug mechanisms embedded in the following locations.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6e215a52079edc4f101fff7cdda24744/d7e70/image-20240317014444792.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABXklEQVQoz32SzXLbIBhF9f7P1UW6SDpJJTepE6uxrR9Lji0JhEAITj9r0ul0U5gzXBi4wIXEOUvfG8wEXTejx5l+cFw76V8t1eGNtg00J4+eDP8rUWriRktTDRgF0yiLxGzoFqIH7yJlcaQsR4piRo0TbrHMyyw4/OJXbf1tzK+mybvOeTr8JFdnfukjb13O9mPPKbTUc01ZV4w6ME0R67wYOmHGefdp/FfHKCd81Cl3zRPfzSvf1DMPfcb9JePRbEnHrRiWGBMligU1KZQTrGKww8offRv3wZM0WrM/91T9LK2huE68t0aYKc6WXbnjfvjKl+aBuy5lEzKe+cEmblaymK1tGlPymJMYNVIePiQvWOYgJ7FotYiWDK1k2JTs1YG0eCVtc176Izu75+gLiaUWTiu16Eu8kFh7e+VxDTSEuGYUCWvfh4WqaQiy2Sg30ELfO/kRlsUvfE77p/wGCHYXjxmBCFcAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6e215a52079edc4f101fff7cdda24744/8ac56/image-20240317014444792.webp 240w,\n/static/6e215a52079edc4f101fff7cdda24744/d3be9/image-20240317014444792.webp 480w,\n/static/6e215a52079edc4f101fff7cdda24744/e46b2/image-20240317014444792.webp 960w,\n/static/6e215a52079edc4f101fff7cdda24744/3cc91/image-20240317014444792.webp 1286w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/6e215a52079edc4f101fff7cdda24744/8ff5a/image-20240317014444792.png 240w,\n/static/6e215a52079edc4f101fff7cdda24744/e85cb/image-20240317014444792.png 480w,\n/static/6e215a52079edc4f101fff7cdda24744/d9199/image-20240317014444792.png 960w,\n/static/6e215a52079edc4f101fff7cdda24744/d7e70/image-20240317014444792.png 1286w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6e215a52079edc4f101fff7cdda24744/d9199/image-20240317014444792.png\"\n            alt=\"image-20240317014444792\"\n            title=\"image-20240317014444792\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I patched both locations and ran the binary under a debugger to obtain the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/5fc681a40c927031e19121c38813dbaf/6f2be/image-20240317014335898.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAmUlEQVQY053Q2w6DIAwGYN7/FXcQwWzuTjkL6r+2mUt2OZt8oRzSkqp937FtGzhaa6i1inVd5Yzv/6FKKfDeixgjQghwlNfazhXMKSOlBC68LAsq4Z+eDWWthSF2GKD7Hp3WeI4vzLP7Nso5C24oe1Jykfsf9Ea9xhEPcr13uJAb6XoDbYyMwTlHY4iYpumTB3jCM+bZH+vhDZq1hcRnP5CXAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/5fc681a40c927031e19121c38813dbaf/8ac56/image-20240317014335898.webp 240w,\n/static/5fc681a40c927031e19121c38813dbaf/d3be9/image-20240317014335898.webp 480w,\n/static/5fc681a40c927031e19121c38813dbaf/e46b2/image-20240317014335898.webp 960w,\n/static/5fc681a40c927031e19121c38813dbaf/faf06/image-20240317014335898.webp 1029w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/5fc681a40c927031e19121c38813dbaf/8ff5a/image-20240317014335898.png 240w,\n/static/5fc681a40c927031e19121c38813dbaf/e85cb/image-20240317014335898.png 480w,\n/static/5fc681a40c927031e19121c38813dbaf/d9199/image-20240317014335898.png 960w,\n/static/5fc681a40c927031e19121c38813dbaf/6f2be/image-20240317014335898.png 1029w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/5fc681a40c927031e19121c38813dbaf/d9199/image-20240317014335898.png\"\n            alt=\"image-20240317014335898\"\n            title=\"image-20240317014335898\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"winantidbg0x300rev\" style=\"position:relative;\"><a href=\"#winantidbg0x300rev\" aria-label=\"winantidbg0x300rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 
6 13 6z\"></path></svg></a>WinAntiDbg0x300(Rev)</h2>\n<blockquote>\n<p>This challenge is a little bit invasive. It will try to fight your debugger. With that in mind, debug the binary and get the flag!\nThis challenge executable is a GUI application and it requires admin privileges. And remember, the flag might get corrupted if you mess up the process’s state.\nChallenge can be downloaded here.</p>\n</blockquote>\n<p>Inspecting the binary revealed it was packed with UPX.</p>\n<p><img src=\"/static/7e6c23019c79313a568b80ac4ca0a654/a7c74/image-20240317015045417.png\" alt=\"image-20240317015045417\" /></p>\n<p>So I first unpacked the binary.</p>\n<p><img src=\"/static/729442a2fa546b49089f151a42ffe996/d9199/image-20240317015129655.png\" alt=\"image-20240317015129655\" /></p>\n<p>The unpacked binary contained multiple anti-debug mechanisms that would each need to be patched, but for some reason the unpacked binary crashed with an access violation on startup and could not be executed at all — let alone patched.</p>\n<p>I therefore abandoned the idea of using the unpacked binary and decided to use TTD (Time Travel Debugging) to bypass the anti-debug measures while performing the analysis statically to retrieve the flag.</p>\n<p>Analyzing the unpacked binary shows a location where the <code class=\"language-text\">DecryptFlag</code> function is called with the address of a data region called <code class=\"language-text\">HASH</code> as its argument.</p>\n<p><img src=\"/static/bd58a7b700b70023c86d6f31f4e3f790/432e7/image-20240318220511767.png\" alt=\"image-20240318220511767\" /></p>\n<p>The implementation of <code class=\"language-text\">DecryptFlag</code> is as follows. 
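Before the screenshots, here is an added Python reimplementation of the two routines; it is not the author's script, and it is built only from values quoted later in this writeup (the HASH string captured in the TTD trace, the FLAG byte array, and the constants in the decompiled ComputeHash). It generalizes ComputeHash to the 1 to 3 round counts the binary passes, adds a check that selects the round count yielding a well-formed picoCTF flag, and finishes with the XOR performed by DecryptFlag.

```python
# Added example, not the author's script: a clean reimplementation of the two
# routines recovered from WinAntiDbg0x300, using only values quoted in the
# writeup (the HASH string captured in the TTD trace, the FLAG bytes, and the
# constants from the decompiled ComputeHash).

FLAG_SIZE = 0x28  # 40 bytes

# HASH as captured from the TTD trace just before the infinite loop.
HASH_BEFORE_LOOP = b"hjctfeqxtvixjzykxbxcmrmyxcjzuxldslbazydw"

# FLAG region captured at the same point (it stays constant for the rest of the run).
FLAG_BYTES = bytes([
    0x18, 0x02, 0x07, 0x19, 0x24, 0x33, 0x35, 0x1a, 0x22, 0x11,
    0x05, 0x05, 0x5c, 0x14, 0x11, 0x30, 0x18, 0x0a, 0x0e, 0x0f,
    0x0b, 0x46, 0x12, 0x04, 0x25, 0x56, 0x15, 0x57, 0x48, 0x52,
    0x2f, 0x0b, 0x16, 0x08, 0x52, 0x57, 0x00, 0x51, 0x57, 0x1c,
])


def index_bitcount(j: int) -> int:
    """The arithmetic in ComputeHash: a SWAR population count of (j % 0xff).

    The 0x55 and 0x33 masks add adjacent bit pairs and then adjacent nibbles;
    summing the two nibbles gives the number of set bits in the byte index.
    """
    v = j % 0xff
    v = (v & 0x55) + ((v >> 1) & 0x55)
    v = (v & 0x33) + ((v >> 2) & 0x33)
    return (v & 0xf) + (v >> 4)


def compute_hash(state: bytes, rounds: int) -> bytes:
    """ComputeHash(rounds): each round rotates HASH[j] forward by bitcount(j)
    within a..z. The binary only ever passes 1, 2 or 3 as the round count."""
    if not 1 <= rounds <= 3:
        raise ValueError("ComputeHash is only called with 1..3 in the binary")
    out = bytearray(state)
    for _ in range(rounds):
        for j in range(FLAG_SIZE):
            out[j] = (out[j] - 0x61 + index_bitcount(j)) % 0x1a + 0x61
    return bytes(out)


def decrypt_flag(flag: bytes, key: bytes) -> str:
    """DecryptFlag: byte-wise XOR of the FLAG region with the current HASH."""
    return "".join(chr(flag[i] ^ key[i % len(key)]) for i in range(FLAG_SIZE))


def looks_like_flag(s: str) -> bool:
    """Sanity check on the decrypted text: picoCTF flag shape with a printable body."""
    return s.startswith("picoCTF{") and s.endswith("}") and s[8:-1].isprintable()


def find_round_count() -> int:
    """Try every round count the binary could pass before DecryptFlag and
    return the one that yields a well-formed flag (the trace shows it is 1)."""
    for rounds in (1, 2, 3):
        key = compute_hash(HASH_BEFORE_LOOP, rounds)
        if looks_like_flag(decrypt_flag(FLAG_BYTES, key)):
            return rounds
    raise RuntimeError("no round count produced a plausible flag")


def recover_flag(rounds: int = 1) -> str:
    """Replay the path the binary takes: ComputeHash(rounds), then DecryptFlag."""
    return decrypt_flag(FLAG_BYTES, compute_hash(HASH_BEFORE_LOOP, rounds))


if __name__ == "__main__":
    r = find_round_count()
    print("round count before DecryptFlag:", r)
    print("key after ComputeHash:", compute_hash(HASH_BEFORE_LOOP, r).decode())
    print("flag:", recover_flag(r))
```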
It simply XORs the <code class=\"language-text\">HASH</code> byte array received as an argument with the <code class=\"language-text\">FLAG</code> data region.</p>\n<p><img src=\"/static/46482ddfcd4ae335a63d4bc6a5799df7/977f7/image-20240318221149708.png\" alt=\"image-20240318221149708\" /></p>\n<p>However, this code sits after an infinite loop and is therefore never reached under normal execution.</p>\n<p>(That is also why it does not appear in the decompiler output.)</p>\n<p><img src=\"/static/10ebf7cc0b85fe6f2256a11fa42ba78d/d9199/image-20240318220445325.png\" alt=\"image-20240318220445325\" /></p>\n<p>In addition, the <code class=\"language-text\">FLAG</code> and <code class=\"language-text\">HASH</code> byte arrays are populated and modified at runtime, making it difficult to recover their values through static analysis alone.</p>\n<p>I therefore used WinDbg’s TTD to perform dynamic analysis while bypassing the anti-debug measures, and observed the initial state of the <code class=\"language-text\">FLAG</code> and <code class=\"language-text\">HASH</code> byte arrays as well as their state immediately before <code class=\"language-text\">DecryptFlag</code> is called.</p>\n<p>TTD stands for Time Travel Debugging; it records a full execution trace of the program.</p>\n<p>When analyzing a TTD trace you cannot manipulate registers as you would in a normal debugger, but you can replay execution while ignoring most anti-debug techniques.</p>\n<p>My TTD analysis showed that <code class=\"language-text\">FLAG</code> and <code class=\"language-text\">HASH</code> were initially empty but were populated immediately after the <code class=\"language-text\">ReadConfig</code> function was called.</p>\n<p><img src=\"/static/898527b20c1603593540024cbfd9983e/604ec/image-20240320035426477.png\" alt=\"image-20240320035426477\" /></p>\n<p><img src=\"/static/e740f957f941dfd66bb2e1bd47f46c74/d9199/image-20240320035413140.png\" alt=\"image-20240320035413140\" /></p>\n<p>Advancing the trace further revealed that while the <code class=\"language-text\">FLAG</code> value remains constant, the key <code class=\"language-text\">HASH</code> value is updated frequently.</p>\n<p>Specifically, <code class=\"language-text\">HASH</code> is updated every time the periodically-called <code class=\"language-text\">ComputeHash</code> function runs.</p>\n<p>The <code class=\"language-text\">ComputeHash</code> function is implemented as shown below. It loops a number of times equal to its argument (1–3) and applies a transformation to each byte of <code class=\"language-text\">HASH</code>.</p>\n<p><img src=\"/static/035a1aac43d12c6b8f00ce0d6c9c97e1/d9199/image-20240320184938462.png\" alt=\"image-20240320184938462\" /></p>\n<p>In the normal case where execution breaks out of the infinite loop and calls <code class=\"language-text\">DecryptFlag</code>, <code class=\"language-text\">ComputeHash(1)</code> is called once immediately beforehand.</p>\n<p><img src=\"/static/a7927b6aa8f50b52320e55a1e788e1c3/85ff8/image-20240320192112734.png\" alt=\"image-20240320192112734\" /></p>\n<p>Since a TTD trace cannot be modified during replay, we recover the flag from this point through static analysis.</p>\n<p>First, we extract the <code class=\"language-text\">HASH</code> and <code class=\"language-text\">FLAG</code> data at the point in the TTD trace just before the infinite loop.</p>\n<p><img src=\"/static/67fd996b12e1130294a49a0677beecb1/d9199/image-20240317040836128.png\" alt=\"image-20240317040836128\" /></p>\n<p>Next, we pass the <code class=\"language-text\">HASH</code> string captured at that point (<code class=\"language-text\">hjctfeqxtvixjzykxbxcmrmyxcjzuxldslbazydw</code>) into a Python reimplementation of <code class=\"language-text\">ComputeHash</code>.</p>\n<p>The loop count is set to 1, matching the <code class=\"language-text\">ComputeHash(1)</code> call that precedes <code class=\"language-text\">DecryptFlag</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">FLAG_SIZE = 0x28\nparam_1 = 1  # loop count; the path that reaches DecryptFlag calls ComputeHash(1)\nHASH = [ord(c) for c in \"hjctfeqxtvixjzykxbxcmrmyxcjzuxldslbazydw\"]  # kept as ints so any loop count works\n\nfor i in range(param_1):\n    for j in range(FLAG_SIZE):\n        # bit count of the index j: pairs of bits, then nibbles, then the two nibbles summed\n        uVar2 = (j % 0xff &amp; 0x55) + (j % 0xff >> 1 &amp; 0x55)\n        uVar2 = (uVar2 &amp; 0x33) + (uVar2 >> 2 &amp; 0x33)\n        # shift the lowercase letter forward by that bit count, wrapping within a-z\n        HASH[j] = (HASH[j] - 0x61 + (uVar2 &amp; 0xf) + (uVar2 >> 4)) % 0x1a + ord('a')\n\nprint(\"\".join(chr(c) for c in HASH))</code></pre></div>\n<p>Finally, we XOR the string obtained by the script above (<code class=\"language-text\">hkdvggsauxkalcboydzfoupczfmdxbpitnddbbga</code>) with the <code class=\"language-text\">FLAG</code> byte array to recover the correct flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python3\"><pre class=\"language-python3\"><code class=\"language-python3\">FLAG = [0x18,0x02,0x07,0x19,0x24,0x33,0x35,0x1a,0x22,0x11,0x05,0x05,0x5c,0x14,0x11,0x30,0x18,0x0a,0x0e,0x0f,0x0b,0x46,0x12,0x04,0x25,0x56,0x15,0x57,0x48,0x52,0x2f,0x0b,0x16,0x08,0x52,0x57,0x00,0x51,0x57,0x1c]\nFLAG_SIZE = 0x28\nKEY = &quot;hkdvggsauxkalcboydzfoupczfmdxbpitnddbbga&quot;\nfor i in range(FLAG_SIZE):\n    print(chr(FLAG[i]^ord(KEY[i%len(KEY)])),end=&quot;&quot;)</code></pre></div>\n<p>This yielded the correct flag.</p>\n<p><img src=\"/static/98e40be3975660247e6f8213d7475f34/47ff6/image-20240317040818493.png\" alt=\"image-20240317040818493\" /></p>\n<h2 id=\"classic-crackme-0x100rev\" style=\"position:relative;\"><a href=\"#classic-crackme-0x100rev\" aria-label=\"classic crackme 0x100rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Classic Crackme 0x100(Rev)</h2>\n<blockquote>\n<p>A classic Crackme. Find the password, get the flag!\nBinary can be downloaded here.\nCrack the Binary file locally and recover the password. Use the same password on the server to get the flag!\nAdditional details will be available after launching your challenge instance.</p>\n</blockquote>\n<p>Analyzing the binary provided as the challenge file revealed the following implementation.</p>\n<p><img src=\"/static/0f7a93e61ea67ade5d3a8f625e9faffc/d9199/image-20240316235327443.png\" alt=\"image-20240316235327443\" /></p>\n<p>Reading the password-verification loop, it compares the input character by character from the beginning. 
I therefore brute-forced the password character by character using the following Python reimplementation of the check. The transform handles every byte on its own (the output at position <code class=\"language-text\">j</code> depends only on the input byte there and on <code class=\"language-text\">j</code>), so comparing the prefix <code class=\"language-text\">tmp[0:a+1]</code> against the target effectively tests just position <code class=\"language-text\">a</code> once the earlier positions are fixed. Because each round ends with a reduction modulo 0x1a, the map is many-to-one: several input bytes produce the same output byte, and the loop keeps the last matching candidate in the range. The recovered string is therefore one valid preimage rather than the original password, which is why it contains characters such as <code class=\"language-text\">}</code> and <code class=\"language-text\">|</code> and does not read as text; the binary accepts it all the same.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># target: the constant the transformed input is compared against</span>\nkey <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> <span class=\"token string\">\"ztqittwtxtieyfrslgtzuxovlfdnbrsnlrvyhhsdxxrfoxnjbl\"</span><span class=\"token punctuation\">]</span>\nl <span class=\"token operator\">=</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># working buffer: any placeholder of the right length will do, each position is overwritten once solved</span>\nflag <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> <span class=\"token string\">\"ztqittwtxtieyfrslgtzuxovlfdnbrsnlrvyhhsdxxrfoxnjbl\"</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">for</span> a <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>l<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> b <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x21</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x7f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        K <span class=\"token operator\">=</span> <span class=\"token number\">0x55</span>\n        M <span class=\"token operator\">=</span> <span class=\"token number\">0x33</span>\n        H <span class=\"token operator\">=</span> <span class=\"token number\">0x61</span>\n        I <span class=\"token operator\">=</span> <span class=\"token number\">0xf</span>\n        tmp <span class=\"token operator\">=</span> flag<span class=\"token punctuation\">.</span>copy<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        tmp<span class=\"token punctuation\">[</span>a<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> b\n\n        <span class=\"token comment\"># three rounds of the per-byte transform lifted from the binary; N and L depend on j only</span>\n        <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">3</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">for</span> j <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>l<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                N <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>j <span class=\"token operator\">%</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">>></span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> K<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>j <span class=\"token operator\">%</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> K<span class=\"token punctuation\">)</span>\n                L <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>N <span class=\"token operator\">>></span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> M<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span>M <span class=\"token operator\">&amp;</span> N<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n                tmp<span class=\"token punctuation\">[</span>j<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>H <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>L <span class=\"token operator\">>></span> <span class=\"token number\">4</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> I<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> tmp<span class=\"token punctuation\">[</span>j<span class=\"token punctuation\">]</span> <span class=\"token operator\">-</span> H<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span>I <span class=\"token operator\">&amp;</span> L<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">%</span> <span class=\"token number\">0x1a</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token comment\"># earlier positions are already fixed, so this effectively tests position a; the last match wins</span>\n        <span class=\"token keyword\">if</span> tmp<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">:</span>a<span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> key<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">:</span>a<span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">:</span>\n            flag<span class=\"token punctuation\">[</span>a<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> b\n\n<span class=\"token keyword\">for</span> f <span class=\"token keyword\">in</span> flag<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>f<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># zqn}qnqkun}vswigi{nqoofjfwu|sfgyilpp|yjrroitfl|uv}</span></code></pre></div>\n<p>Submitting the password recovered by the solver to the server gave us the correct flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 821px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/73f2b960b0e9cbdb6986ac9ad91bb367/02cd5/image-20240317010641784.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 8.333333333333332%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAjUlEQVQI1x3NywqCUABFUT+ioFkvKYyyjDQ1u10fpJmlSQYS2P9/xe7iYLE5o6NdbImwBNIIEHpIdSjIFgEf98EvbPiea1q/pHEKOrXbU0k884gmRxLdJ5q6hGOnJxUtmweU64RUVzVjipUkNyS3paDeZzzNpFftrrystPe2876dbNTRnWBk4Q02+MMtf8ZeROV8ZW+GAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/73f2b960b0e9cbdb6986ac9ad91bb367/8ac56/image-20240317010641784.webp 240w,\n/static/73f2b960b0e9cbdb6986ac9ad91bb367/d3be9/image-20240317010641784.webp 480w,\n/static/73f2b960b0e9cbdb6986ac9ad91bb367/d77d0/image-20240317010641784.webp 821w\"\n              sizes=\"(max-width: 821px) 100vw, 821px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/73f2b960b0e9cbdb6986ac9ad91bb367/8ff5a/image-20240317010641784.png 240w,\n/static/73f2b960b0e9cbdb6986ac9ad91bb367/e85cb/image-20240317010641784.png 480w,\n/static/73f2b960b0e9cbdb6986ac9ad91bb367/02cd5/image-20240317010641784.png 821w\"\n            sizes=\"(max-width: 821px) 100vw, 821px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/73f2b960b0e9cbdb6986ac9ad91bb367/02cd5/image-20240317010641784.png\"\n            alt=\"image-20240317010641784\"\n            title=\"image-20240317010641784\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"weirdsnakerev\" style=\"position:relative;\"><a href=\"#weirdsnakerev\" aria-label=\"weirdsnakerev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 
3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>weirdSnake(Rev)</h2>\n<blockquote>\n<p>I have a friend that enjoys coding and he hasn’t stopped talking about a snake recently\nHe left this file on my computer and dares me to uncover a secret phrase from it. Can you assist?</p>\n</blockquote>\n<p>The file provided as the challenge binary was not a native executable but a bytecode disassembly of a compiled Python script, in the listing format produced by Python’s <code class=\"language-text\">dis</code> module.</p>\n<p>Reading through the listing, the program simply XORs the flag with a short repeating key. Each <code class=\"language-text\">LOAD_CONST</code> line carries the bytecode offset, the constant index and the constant’s value, so the ciphertext is every third number of the listing; the commented-out lines at the top of the solver show that extraction, and the loop below XORs the bytes against the key to retrieve the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># l=\"\"\"10,0,4,2,1,54,4,2,41,6,3,0,8,4,112,10,5,32,12,6,25,14,7,49,16,8,33,18,9,3,20,3,0,22,3,0,24,10,57,26,5,32,28,11,108,30,12,23,32,13,48,34,0,4,36,14,9,38,15,70,40,16,7,42,17,110,44,18,36,46,19,8,48,11,108,50,16,7,52,7,49,54,20,10,56,0,4,58,21,86,60,22,43,62,23,105,64,24,114,66,25,91,68,3,0,70,26,71,72,27,106,74,28,124,76,29,93,78,30,78\"\"\".split(\",\")</span>\n<span class=\"token comment\"># arr = []</span>\n<span class=\"token comment\"># for i in range(len(l)):</span>\n<span class=\"token comment\">#     if i % 3 == 2:</span>\n<span class=\"token comment\">#         arr.append(int(l[i]))</span>\n\n<span class=\"token comment\"># ciphertext bytes: the value column of the LOAD_CONST lines, i.e. every third number above</span>\narr <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">54</span><span class=\"token punctuation\">,</span> <span class=\"token number\">41</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">112</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">25</span><span class=\"token punctuation\">,</span> <span class=\"token number\">49</span><span class=\"token punctuation\">,</span> <span class=\"token number\">33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">57</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">108</span><span class=\"token punctuation\">,</span> <span class=\"token number\">23</span><span class=\"token punctuation\">,</span> <span class=\"token number\">48</span><span class=\"token punctuation\">,</span> <span class=\"token number\">4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">70</span><span class=\"token punctuation\">,</span> <span class=\"token number\">7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">110</span><span class=\"token punctuation\">,</span> <span class=\"token number\">36</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">108</span><span class=\"token punctuation\">,</span> <span class=\"token number\">7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">49</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10</span><span class=\"token punctuation\">,</span> <span class=\"token number\">4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">86</span><span class=\"token punctuation\">,</span> <span class=\"token number\">43</span><span class=\"token punctuation\">,</span> <span class=\"token number\">105</span><span class=\"token punctuation\">,</span> <span class=\"token number\">114</span><span class=\"token punctuation\">,</span> <span class=\"token number\">91</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">71</span><span class=\"token punctuation\">,</span> <span class=\"token number\">106</span><span class=\"token punctuation\">,</span> <span class=\"token number\">124</span><span class=\"token punctuation\">,</span> <span class=\"token number\">93</span><span class=\"token punctuation\">,</span> <span class=\"token number\">78</span><span class=\"token punctuation\">]</span>\n<span class=\"token comment\"># 5-byte key recovered from the listing; it is applied cyclically</span>\nkey_str <span class=\"token operator\">=</span> <span class=\"token string\">\"t_Jo3\"</span>\nkey <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> key_str<span class=\"token punctuation\">]</span>\n\n<span class=\"token comment\"># repeating-key XOR is its own inverse: XOR the ciphertext with the same key stream</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>arr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>arr<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> 
key<span class=\"token punctuation\">[</span>i <span class=\"token operator\">%</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># picoCTF{N0t_sO_coNfus1ng_sn@ke_68433562}</span></code></pre></div>\n<h2 id=\"scan-surpriseforensic\" style=\"position:relative;\"><a href=\"#scan-surpriseforensic\" aria-label=\"scan surpriseforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Scan Surprise(Forensic)</h2>\n<blockquote>\n<p>I’ve gotten bored of handing out flags as text. 
Wouldn’t it be cool if they were an image instead?\nYou can download the challenge files here:\nchallenge.zip\nAdditional details will be available after launching your challenge instance.</p>\n</blockquote>\n<p>Scanning the QR code provided as the challenge file with an online tool immediately gave us the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/57fdcf1e5146bff27874af4db3a88838/5a791/image-20240317114926306.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABZklEQVQoz23Sy07cMBQG4DxqN93QBfuKd0FCqthU9AEQKguGVTdUQoUiAsMgQHOJk/hux/n57RSqjhrp07Gd+PjYTjV/eER9/4D7+QJ3lPu39RxtJ2GshzauMNbB+fDO/0cer/pOoO8nkrq2QdtuCiHWaEkIjvUS2rlCWYveGMgtylhURr5ALG8hVjX6Zg7EZhI2jBTWSFFhKQTq5wXqpwWemiWElVirDhv9V6N7VM4FKG0LYzw5WG41hAH+XeSYY7Utq225iw6O34xpRBoSMf5pMyHPxtkiP7PZGX5eXGAcR1huw3J7Bc9HctGsV6ZEzaTqDYuxLK4kzBNy9N5jtVyxClHauar8zlAaApfb5v+VthK6PJlVZbkfAm+PcrLHJuLkV8L3q8nZTcKMTq+n/vFlwu+XAZVSGpnWpkQpFW+cvwxvLA7T+eVqzm8CPh5E7HyJ+ESfjyL2vkXsHk79D/sRX39EvAJM32BGWLp+cAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/57fdcf1e5146bff27874af4db3a88838/8ac56/image-20240317114926306.webp 240w,\n/static/57fdcf1e5146bff27874af4db3a88838/d3be9/image-20240317114926306.webp 480w,\n/static/57fdcf1e5146bff27874af4db3a88838/e46b2/image-20240317114926306.webp 960w,\n/static/57fdcf1e5146bff27874af4db3a88838/1b8e7/image-20240317114926306.webp 1248w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n         
     type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/57fdcf1e5146bff27874af4db3a88838/8ff5a/image-20240317114926306.png 240w,\n/static/57fdcf1e5146bff27874af4db3a88838/e85cb/image-20240317114926306.png 480w,\n/static/57fdcf1e5146bff27874af4db3a88838/d9199/image-20240317114926306.png 960w,\n/static/57fdcf1e5146bff27874af4db3a88838/5a791/image-20240317114926306.png 1248w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/57fdcf1e5146bff27874af4db3a88838/d9199/image-20240317114926306.png\"\n            alt=\"image-20240317114926306\"\n            title=\"image-20240317114926306\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"verifyforensic\" style=\"position:relative;\"><a href=\"#verifyforensic\" aria-label=\"verifyforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Verify(Forensic)</h2>\n<blockquote>\n<p>People keep trying to trick my players with imitation flags. I want to make sure they get the real thing! 
I’m going to provide the SHA-256 hash and a decrypt script to help you know that my flags are legitimate.\nYou can download the challenge files here:\nchallenge.zip\nAdditional details will be available after launching your challenge instance.</p>\n</blockquote>\n<p>I modified the provided decryption script slightly so it brute-forces decryption across all files in the directory, which yielded the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token shebang important\">#!/bin/bash</span>\n\n<span class=\"token comment\"># # Check if the user provided a file name as an argument</span>\n<span class=\"token comment\"># if [ $# -eq 0 ]; then</span>\n<span class=\"token comment\">#     echo \"Expected usage: decrypt.sh &lt;filename>\"</span>\n<span class=\"token comment\">#     exit 1</span>\n<span class=\"token comment\"># fi</span>\n\n<span class=\"token assign-left variable\">directory</span><span class=\"token operator\">=</span><span class=\"token string\">\"/home/ubuntu/Hacking/CTF/2024/picoCTF/Forensic/Verify/drop-in/files\"</span>\n<span class=\"token keyword\">for</span> <span class=\"token for-or-select variable\">file_name</span> <span class=\"token keyword\">in</span> <span class=\"token string\">\"<span class=\"token variable\">$directory</span>\"</span>/*\n<span class=\"token keyword\">do</span>\n    <span class=\"token comment\"># echo \"Processing $file_name\"</span>\n    <span class=\"token comment\"># Check if the provided argument is a file and not a folder</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">[</span> <span class=\"token operator\">!</span> -f <span class=\"token string\">\"<span class=\"token variable\">$file_name</span>\"</span> <span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span> <span class=\"token keyword\">then</span>\n        <span class=\"token builtin 
class-name\">echo</span> <span class=\"token string\">\"Error: '<span class=\"token variable\">$file_name</span>' is not a valid file. Look inside the 'files' folder with 'ls -R'!\"</span>\n        <span class=\"token builtin class-name\">exit</span> <span class=\"token number\">1</span>\n    <span class=\"token keyword\">fi</span>\n\n    <span class=\"token comment\"># If there's an error reading the file, print an error message</span>\n    <span class=\"token keyword\">if</span> <span class=\"token operator\">!</span> openssl enc -d -aes-256-cbc -pbkdf2 -iter <span class=\"token number\">100000</span> -salt -in <span class=\"token string\">\"<span class=\"token variable\">$file_name</span>\"</span> -k picoCTF<span class=\"token punctuation\">;</span> <span class=\"token keyword\">then</span>\n        <span class=\"token builtin class-name\">echo</span> <span class=\"token string\">\"Error: Failed to decrypt '<span class=\"token variable\">$file_name</span>'. This flag is fake! Keep looking!\"</span>\n    <span class=\"token keyword\">fi</span>\n<span class=\"token keyword\">done</span>\n\n<span class=\"token comment\"># picoCTF{trust_but_verify_c6c8b911}</span></code></pre></div>\n<h2 id=\"canyouseeforensic\" style=\"position:relative;\"><a href=\"#canyouseeforensic\" aria-label=\"canyouseeforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>CanYouSee(Forensic)</h2>\n<blockquote>\n<p>How about some hide and seek?\nDownload this file here.</p>\n</blockquote>\n<p>The EXIF data of the 
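image file provided as the challenge binary contained a Base64-encoded flag.</p>\n<p>Finding that by hand means opening the metadata in a viewer and recognising Base64 by eye. The scanner below is an added example, not the write-up’s code: it treats the file as raw bytes, pulls out every run that looks like Base64, decodes it with validation, and keeps only the runs that decode to printable text, so a flag planted in any EXIF or XMP tag is found no matter which tag holds it. The input is a constructed stand-in for the image (a few JPEG-style framing bytes, an EXIF-like tag name, the encoded flag and a decoy run), built inline; the flag value is made up.</p>\n
```python
import base64
import re
import string

# A run of at least 16 Base64-alphabet characters, optionally followed by '=' padding.
B64_RUN = re.compile(rb'[A-Za-z0-9+/]{16,}={0,2}')
PRINTABLE = set(string.printable.encode('ascii'))


def b64_candidates(data):
    '''Yield (offset, decoded_bytes) for each Base64-looking run in data that decodes
    to printable text. Runs that are not valid Base64, or decode to binary junk, are skipped.'''
    for match in B64_RUN.finditer(data):
        token = match.group(0)
        token += b'=' * (-len(token) % 4)          # restore stripped padding, if any
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:                         # binascii.Error is a ValueError subclass
            continue
        if decoded and all(byte in PRINTABLE for byte in decoded):
            yield match.start(), decoded


def find_flags(data, marker=b'picoCTF{'):
    '''Return the decoded candidates that contain the flag marker, in file order.'''
    return [decoded for _, decoded in b64_candidates(data) if marker in decoded]


def constructed_sample():
    '''A constructed stand-in for the challenge image: JPEG-ish framing bytes, an EXIF-style
    tag name, the Base64 flag, and a decoy run that decodes to NUL bytes. Not the real file.'''
    flag = b'picoCTF{constructed_example_flag}'
    return (bytes([0xFF, 0xD8, 0xFF, 0xE1, 0x00, 0x40]) + b'Exif' + bytes([0, 0])
            + b'ImageDescription' + bytes([0]) + base64.b64encode(flag) + bytes([0])
            + b'AAAAAAAAAAAAAAAAAAAA' + bytes([0xFF, 0xD9]))


if __name__ == '__main__':
    for offset, text in b64_candidates(constructed_sample()):
        print(offset, text)
```
\n<p>The decoy shows why the printable-text filter matters: a long run of <code class=\"language-text\">A</code>s and tag names such as <code class=\"language-text\">ImageDescription</code> are valid Base64 too, but decode to junk. This is the <code class=\"language-text\">strings</code> plus <code class=\"language-text\">base64 -d</code> idea applied to the whole file in one pass; <code class=\"language-text\">exiftool</code> would additionally name the tag that carried the value. Run against the actual challenge image, the same scan would surface what the write-up found by hand: the EXIF data of the\n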
image file provided as the challenge binary contained a Base64-encoded flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f57553f966a01d4a747b0988b18b9615/7c5b4/image-20240317121047990.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 42.91666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f57553f966a01d4a747b0988b18b9615/8ac56/image-20240317121047990.webp 240w,\n/static/f57553f966a01d4a747b0988b18b9615/d3be9/image-20240317121047990.webp 480w,\n/static/f57553f966a01d4a747b0988b18b9615/e46b2/image-20240317121047990.webp 960w,\n/static/f57553f966a01d4a747b0988b18b9615/00a34/image-20240317121047990.webp 1309w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f57553f966a01d4a747b0988b18b9615/8ff5a/image-20240317121047990.png 240w,\n/static/f57553f966a01d4a747b0988b18b9615/e85cb/image-20240317121047990.png 480w,\n/static/f57553f966a01d4a747b0988b18b9615/d9199/image-20240317121047990.png 960w,\n/static/f57553f966a01d4a747b0988b18b9615/7c5b4/image-20240317121047990.png 1309w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f57553f966a01d4a747b0988b18b9615/d9199/image-20240317121047990.png\"\n            alt=\"image-20240317121047990\"\n            title=\"image-20240317121047990\"\n     
       loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"secret-of-the-polyglotforensic\" style=\"position:relative;\"><a href=\"#secret-of-the-polyglotforensic\" aria-label=\"secret of the polyglotforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Secret of the Polyglot(Forensic)</h2>\n<blockquote>\n<p>The Network Operations Center (NOC) of your local institution picked up a suspicious file, they’re getting conflicting information on what type of file it is. They’ve brought you in as an external expert to examine the file. 
Can you extract all the information from this strange file?\nDownload the suspicious file here.</p>\n</blockquote>\n<p>This was a pretty interesting challenge: the file could be opened as both a PDF and a PNG.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 697px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/016962ab7eb1bf602865107f18eebba0/7422e/image-20240317044423038.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 55.41666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/016962ab7eb1bf602865107f18eebba0/8ac56/image-20240317044423038.webp 240w,\n/static/016962ab7eb1bf602865107f18eebba0/d3be9/image-20240317044423038.webp 480w,\n/static/016962ab7eb1bf602865107f18eebba0/458b7/image-20240317044423038.webp 697w\"\n              sizes=\"(max-width: 697px) 100vw, 697px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/016962ab7eb1bf602865107f18eebba0/8ff5a/image-20240317044423038.png 240w,\n/static/016962ab7eb1bf602865107f18eebba0/e85cb/image-20240317044423038.png 480w,\n/static/016962ab7eb1bf602865107f18eebba0/7422e/image-20240317044423038.png 697w\"\n            sizes=\"(max-width: 697px) 100vw, 697px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/016962ab7eb1bf602865107f18eebba0/7422e/image-20240317044423038.png\"\n            alt=\"image-20240317044423038\"\n            title=\"image-20240317044423038\"\n            loading=\"lazy\"\n         
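style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Why both viewers are happy with the same bytes is easy to confirm without opening either application: a PNG decoder checks the 8-byte signature and then reads chunks until <code class=\"language-text\">IEND</code>, ignoring whatever follows, while PDF readers do not require the <code class=\"language-text\">%PDF-</code> header at offset 0 (Acrobat’s documented tolerance is anywhere in the first 1024 bytes), so a PDF appended after <code class=\"language-text\">IEND</code> is still found. The inspector below is an added example, not the write-up’s code or the challenge file: it walks the PNG chunk list (verifying each CRC), reports where the PNG view ends, and locates the PDF header and <code class=\"language-text\">%%EOF</code> marker. Its input is a constructed 1x1 PNG with a PDF skeleton appended, built inline.</p>\n
```python
import struct
import zlib

PNG_SIG = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A])   # the 8-byte PNG signature


def png_chunk(ctype, body):
    '''Serialise one PNG chunk: length, type, data, CRC-32 over type and data.'''
    return struct.pack('>I', len(body)) + ctype + body + struct.pack('>I', zlib.crc32(ctype + body))


def walk_png(data):
    '''Walk the chunk list that follows the PNG signature.
    Returns (chunks, end_offset): chunks is a list of (offset, type, length, crc_ok);
    end_offset is the first byte after IEND, i.e. where a PNG decoder stops reading.'''
    chunks = []
    off = len(PNG_SIG)
    while len(data) >= off + 12:                    # a chunk is at least length + type + crc
        length, ctype = struct.unpack('>I4s', data[off:off + 8])
        body = data[off + 8:off + 8 + length]
        crc = data[off + 8 + length:off + 12 + length]
        if len(body) != length or len(crc) != 4:
            break                                   # truncated chunk
        crc_ok = struct.unpack('>I', crc)[0] == zlib.crc32(ctype + body)
        chunks.append((off, ctype.decode('ascii', 'replace'), length, crc_ok))
        off += 12 + length
        if ctype == b'IEND':
            break
    return chunks, off


def inspect_polyglot(data):
    '''Describe the PNG view and the PDF view of the same bytes.'''
    report = {
        'png': data.startswith(PNG_SIG),
        'pdf_header': data.find(b'%PDF-'),          # -1 if absent; readers accept a late header
        'pdf_eof': data.rfind(b'%%EOF'),
    }
    if report['png']:
        chunks, end = walk_png(data)
        report['png_chunks'] = [c[1] for c in chunks]
        report['png_crc_ok'] = all(c[3] for c in chunks)
        report['png_end'] = end
        report['trailing_bytes'] = len(data) - end   # bytes after IEND are invisible to image viewers
    return report


def constructed_polyglot():
    '''A constructed PNG/PDF polyglot: a valid 1x1 greyscale PNG followed by a PDF skeleton
    (header, one object, trailer, EOF marker). Not the challenge file.'''
    ihdr = struct.pack('>IIBBBBB', 1, 1, 8, 0, 0, 0, 0)        # 1x1, 8-bit, greyscale
    idat = zlib.compress(bytes([0, 0x80]))                        # filter byte + one mid-grey pixel
    png = PNG_SIG + png_chunk(b'IHDR', ihdr) + png_chunk(b'IDAT', idat) + png_chunk(b'IEND', b'')
    nl = bytes([10])
    pdf = nl.join([b'%PDF-1.4', b'1 0 obj', b'(constructed page object)', b'endobj', b'trailer', b'%%EOF']) + nl
    return png + pdf


if __name__ == '__main__':
    print(inspect_polyglot(constructed_polyglot()))
```
\n<p>On the real file the interesting number is <code class=\"language-text\">trailing_bytes</code>: a non-zero value after a clean <code class=\"language-text\">IEND</code> is the tell that something was appended, and <code class=\"language-text\">pdf_header</code> says what. The script does not render either half of the flag; that still takes an image viewer and a PDF reader, as in the two steps that follow.</p>\n<p hidden><span><a><picture><img src=\"/static/016962ab7eb1bf602865107f18eebba0/7422e/image-20240317044423038.png\" alt=\"image-20240317044423038\" loading=\"lazy\"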
   style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>First, I retrieved the second half of the flag from the PDF.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 856px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/56ac7c17b04a4676f7ed74e01bcc118c/ad12c/image-20240317044413671.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 110.83333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAWCAIAAABPIytRAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA80lEQVQ4y+2QS26DMBRFvZoCqmkFrbCDcMUkoH4kdgBsA9gLUH67wwGJMOHXF1eZl0nUQY7kpzu4x0966PPj3TLNr+PRdV3HcRhjtm0TSjBWHwWyLD8IJElSBU/A82UgQoiu61hVsYo1TXu98AKPUmpZ1sE8QFtRFPgCJjShbxgGNSl7Y8j3/aZpvgVlWWZZlqYpzKIo6roqq6oQ5HmeCSBDs65qz/NQkiTbti3Lsu0kDEMURRGkeZ6XPYASBAGK4xjSuq57N9/lu3xD+ddfr9xq8ziO3akbhqHve962LefTNP9VPg9nznnXdacr0zT942v/AMWnZ/dSyVFQAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/56ac7c17b04a4676f7ed74e01bcc118c/8ac56/image-20240317044413671.webp 240w,\n/static/56ac7c17b04a4676f7ed74e01bcc118c/d3be9/image-20240317044413671.webp 480w,\n/static/56ac7c17b04a4676f7ed74e01bcc118c/e2cd0/image-20240317044413671.webp 856w\"\n              sizes=\"(max-width: 856px) 100vw, 856px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/56ac7c17b04a4676f7ed74e01bcc118c/8ff5a/image-20240317044413671.png 240w,\n/static/56ac7c17b04a4676f7ed74e01bcc118c/e85cb/image-20240317044413671.png 480w,\n/static/56ac7c17b04a4676f7ed74e01bcc118c/ad12c/image-20240317044413671.png 856w\"\n  
          sizes=\"(max-width: 856px) 100vw, 856px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/56ac7c17b04a4676f7ed74e01bcc118c/ad12c/image-20240317044413671.png\"\n            alt=\"image-20240317044413671\"\n            title=\"image-20240317044413671\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Next, I changed the extension to <code class=\"language-text\">.png</code> and opened the file to retrieve the first half of the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 403px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c912d4874e53b3fff81e5386da6bfcaf/045fd/image-20240317044433997.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 100%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c912d4874e53b3fff81e5386da6bfcaf/8ac56/image-20240317044433997.webp 240w,\n/static/c912d4874e53b3fff81e5386da6bfcaf/ca1b5/image-20240317044433997.webp 403w\"\n              sizes=\"(max-width: 403px) 100vw, 403px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c912d4874e53b3fff81e5386da6bfcaf/8ff5a/image-20240317044433997.png 240w,\n/static/c912d4874e53b3fff81e5386da6bfcaf/045fd/image-20240317044433997.png 403w\"\n            sizes=\"(max-width: 403px) 100vw, 403px\"\n            type=\"image/png\"\n       
   />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c912d4874e53b3fff81e5386da6bfcaf/045fd/image-20240317044433997.png\"\n            alt=\"image-20240317044433997\"\n            title=\"image-20240317044433997\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><code class=\"language-text\">picoCTF{f1u3n7_1n_pn9_&amp;_pdf_53b741d6}</code></p>\n<h2 id=\"mob-psychoforensic\" style=\"position:relative;\"><a href=\"#mob-psychoforensic\" aria-label=\"mob psychoforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Mob psycho(Forensic)</h2>\n<blockquote>\n<p>Can you handle APKs?\nDownload the android apk here.</p>\n</blockquote>\n<p>I extracted the APK with apktool and searched around for a while, but could not find anything resembling a flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">./smali2java_linux_amd64 -path_to_smali<span class=\"token operator\">=</span>/home/ubuntu/Hacking/CTF/2024/picoCTF/Forensic/Mob_psycho/mobpsycho/smali_classes3/com/example/mobpsycho</code></pre></div>\n<p>However, when I renamed the APK’s extension to <code class=\"language-text\">.zip</code> and unzipped it, I found that <code class=\"language-text\">color/flag.txt</code> contained a hexdumped flag.</p>\n<p><span\n      
class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 862px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0f097790e917b2c7d36cc0776bcb24e8/f0551/image-20240320232126514.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 10%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAkElEQVQI1yXDWwqCQABAUT/MDQR9hWXYw9SCzEnNLINGc6YwKALb/zpuUAeOkS0TDlGBWMTkboIYZuycI2E/QoUXlHdEB2ekHaMmKcovyQYrlqZNYI0Jev++OSK0HAwtKnRao4REbyTNukZvb0hf8krudPuWLn/wyVveseIZN1znBdXsgHT3v9U0p/FOlLbgCyBGQZT+RErZAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0f097790e917b2c7d36cc0776bcb24e8/8ac56/image-20240320232126514.webp 240w,\n/static/0f097790e917b2c7d36cc0776bcb24e8/d3be9/image-20240320232126514.webp 480w,\n/static/0f097790e917b2c7d36cc0776bcb24e8/e32b8/image-20240320232126514.webp 862w\"\n              sizes=\"(max-width: 862px) 100vw, 862px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0f097790e917b2c7d36cc0776bcb24e8/8ff5a/image-20240320232126514.png 240w,\n/static/0f097790e917b2c7d36cc0776bcb24e8/e85cb/image-20240320232126514.png 480w,\n/static/0f097790e917b2c7d36cc0776bcb24e8/f0551/image-20240320232126514.png 862w\"\n            sizes=\"(max-width: 862px) 100vw, 862px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0f097790e917b2c7d36cc0776bcb24e8/f0551/image-20240320232126514.png\"\n            alt=\"image-20240320232126514\"\n            title=\"image-20240320232126514\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This gave us the correct flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 924px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/46fb7d5881d939947c70c6c78fa4db68/9a1cf/image-20240317221435869.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 36.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAA6ElEQVQoz5WQbU/DIBSF+///mh/ULU5dGofd2tL1hQqMl5b0CFQT4haT3eTJuRBy7rlkx/oTzUAhzBe4GjFeBuRkj9d8h7Y7g9YUUkoIIa4I94wxVFWFoihACEH2Qh+xazYoxQEn/uE5+J6gGHM0rEJ7bsE5h9YaSqmof/uAMSaS1eMJTA6wzl/OasX3l0lE7q3MOpOY6QR/thrWWkzThHmeb+Kci8lC4pjwv2mCC5Rlmay0qv7RMCwYhb8L9H2PbFkW3CJUJxts6we8t8/Yd5tV+y3euidQcQT8s5Aw3eIq4a9ZanxPfQPWBh4DSV9fMgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/46fb7d5881d939947c70c6c78fa4db68/8ac56/image-20240317221435869.webp 240w,\n/static/46fb7d5881d939947c70c6c78fa4db68/d3be9/image-20240317221435869.webp 480w,\n/static/46fb7d5881d939947c70c6c78fa4db68/c3b05/image-20240317221435869.webp 924w\"\n              sizes=\"(max-width: 924px) 100vw, 924px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/46fb7d5881d939947c70c6c78fa4db68/8ff5a/image-20240317221435869.png 240w,\n/static/46fb7d5881d939947c70c6c78fa4db68/e85cb/image-20240317221435869.png 480w,\n/static/46fb7d5881d939947c70c6c78fa4db68/9a1cf/image-20240317221435869.png 924w\"\n            sizes=\"(max-width: 924px) 100vw, 924px\"\n     
       type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/46fb7d5881d939947c70c6c78fa4db68/9a1cf/image-20240317221435869.png\"\n            alt=\"image-20240317221435869\"\n            title=\"image-20240317221435869\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"endianness-v2forensic\" style=\"position:relative;\"><a href=\"#endianness-v2forensic\" aria-label=\"endianness v2forensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>endianness-v2(Forensic)</h2>\n<blockquote>\n<p>Here’s a file that was recovered from a 32-bits system that organized the bytes a weird way. 
We’re not even sure what type of file it is.\nDownload it here and see what you can get out of it</p>\n</blockquote>\n<p>The file provided as the challenge binary was an unknown byte sequence.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">objdump -M intel -D -b binary -m i386 challengefile</code></pre></div>\n<p>My first instinct was that it might be shellcode, so I disassembled it with objdump, but it didn’t look like meaningful executable code.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 797px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/cc107683d1a858234e2c8d66aad05235/43fbc/image-20240317051826194.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 72.91666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/cc107683d1a858234e2c8d66aad05235/8ac56/image-20240317051826194.webp 240w,\n/static/cc107683d1a858234e2c8d66aad05235/d3be9/image-20240317051826194.webp 480w,\n/static/cc107683d1a858234e2c8d66aad05235/9eee1/image-20240317051826194.webp 797w\"\n              sizes=\"(max-width: 797px) 100vw, 797px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/cc107683d1a858234e2c8d66aad05235/8ff5a/image-20240317051826194.png 240w,\n/static/cc107683d1a858234e2c8d66aad05235/e85cb/image-20240317051826194.png 480w,\n/static/cc107683d1a858234e2c8d66aad05235/43fbc/image-20240317051826194.png 797w\"\n            sizes=\"(max-width: 797px) 100vw, 797px\"\n            
type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/cc107683d1a858234e2c8d66aad05235/43fbc/image-20240317051826194.png\"\n            alt=\"image-20240317051826194\"\n            title=\"image-20240317051826194\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Taking a closer look at the beginning of the byte sequence, I noticed <code class=\"language-text\">d8 ff e0 ff</code> — part of the JPEG magic number — stored in non-little-endian byte order.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 688px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6c96eda03c08ed01ca8aa3d710c3bcbc/ebf47/image-20240317052933573.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6c96eda03c08ed01ca8aa3d710c3bcbc/8ac56/image-20240317052933573.webp 240w,\n/static/6c96eda03c08ed01ca8aa3d710c3bcbc/d3be9/image-20240317052933573.webp 480w,\n/static/6c96eda03c08ed01ca8aa3d710c3bcbc/01c7f/image-20240317052933573.webp 688w\"\n              sizes=\"(max-width: 688px) 100vw, 688px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6c96eda03c08ed01ca8aa3d710c3bcbc/8ff5a/image-20240317052933573.png 240w,\n/static/6c96eda03c08ed01ca8aa3d710c3bcbc/e85cb/image-20240317052933573.png 
480w,\n/static/6c96eda03c08ed01ca8aa3d710c3bcbc/ebf47/image-20240317052933573.png 688w\"\n            sizes=\"(max-width: 688px) 100vw, 688px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6c96eda03c08ed01ca8aa3d710c3bcbc/ebf47/image-20240317052933573.png\"\n            alt=\"image-20240317052933573\"\n            title=\"image-20240317052933573\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I therefore used the following solver to split the data into 4-byte chunks and reverse each one.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"challengefile\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    data <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nfix <span class=\"token operator\">=</span> <span class=\"token string\">b\"\"</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span><span class=\"token number\">4</span><span 
class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    line <span class=\"token operator\">=</span> data<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">:</span>i<span class=\"token operator\">+</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span>\n    fix <span class=\"token operator\">+=</span> line<span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"fixed.jpg\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"wb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>fix<span class=\"token punctuation\">)</span></code></pre></div>\n<p>This restored the original JPEG file, and we obtained the flag: <code class=\"language-text\">picoCTF{cert!f1Ed_iNd!4n_s0rrY_3nDian_188d7b8c}</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d173187971e3ecffb6e2ba487d89ad66/35a31/image-20240317053851015.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.083333333333336%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAIAAACHqfpvAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAdUlEQVQY061QywrAIAzb/3+eiAcVUbwoHhQf6GlbYGOHDcbAFVrSNKGlyzYRC3J9jUtwU57mqc3OOc65EEJKCcAYM8ZQSrXWSilrLVqQIYRjSgjx3p/m1lqMETXnXGtFLaVcuPeOUUrpAGCAxxh/nP3xYU9+B0xtmHORfGBSAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d173187971e3ecffb6e2ba487d89ad66/8ac56/image-20240317053851015.webp 240w,\n/static/d173187971e3ecffb6e2ba487d89ad66/d3be9/image-20240317053851015.webp 480w,\n/static/d173187971e3ecffb6e2ba487d89ad66/e46b2/image-20240317053851015.webp 960w,\n/static/d173187971e3ecffb6e2ba487d89ad66/5ea8e/image-20240317053851015.webp 1028w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d173187971e3ecffb6e2ba487d89ad66/8ff5a/image-20240317053851015.png 240w,\n/static/d173187971e3ecffb6e2ba487d89ad66/e85cb/image-20240317053851015.png 480w,\n/static/d173187971e3ecffb6e2ba487d89ad66/d9199/image-20240317053851015.png 960w,\n/static/d173187971e3ecffb6e2ba487d89ad66/35a31/image-20240317053851015.png 1028w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d173187971e3ecffb6e2ba487d89ad66/d9199/image-20240317053851015.png\"\n            alt=\"image-20240317053851015\"\n            title=\"image-20240317053851015\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"blast-from-the-pastforensic\" style=\"position:relative;\"><a href=\"#blast-from-the-pastforensic\" aria-label=\"blast from the pastforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" 
height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Blast from the past(Forensic)</h2>\n<blockquote>\n<p>The judge for these pictures is a real fan of antiques. Can you age this photo to the specifications?\nSet the timestamps on this picture to 1970:01:01 00:00:00.001+00:00 with as much precision as possible for each timestamp. In this example, +00:00 is a timezone adjustment. Any timezone is acceptable as long as the time is equivalent. As an example, this timestamp is acceptable as well: 1969:12:31 19:00:00.001-05:00. For timestamps without a timezone adjustment, put them in GMT time (+00:00). 
The checker program provides the timestamp needed for each.\nUse this picture.\nAdditional details will be available after launching your challenge instance.</p>\n<p>Submit your modified picture here:\nnc -w 2 mimas.picoctf.net 57013 &#x3C; original_modified.jpg</p>\n<p>Check your modified picture here:\nnc -d mimas.picoctf.net 61685</p>\n</blockquote>\n<p>This challenge required modifying the timestamps embedded in the EXIF data and MakerNotes of the provided image file.</p>\n<p>Updating the EXIF timestamps was straightforward with standard tools, but modifying the final MakerNotes timestamp proved more difficult.</p>\n<p>In the end I couldn’t find a tool that supported it directly, so I used a hex editor to locate the bytes encoding the UNIX timestamp in the MakerNotes.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 475px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3625f30e258213b3d7204e09295d1809/466da/image-20240317184239142.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 55.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3625f30e258213b3d7204e09295d1809/8ac56/image-20240317184239142.webp 240w,\n/static/3625f30e258213b3d7204e09295d1809/4287c/image-20240317184239142.webp 475w\"\n              sizes=\"(max-width: 475px) 100vw, 475px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3625f30e258213b3d7204e09295d1809/8ff5a/image-20240317184239142.png 
240w,\n/static/3625f30e258213b3d7204e09295d1809/466da/image-20240317184239142.png 475w\"\n            sizes=\"(max-width: 475px) 100vw, 475px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3625f30e258213b3d7204e09295d1809/466da/image-20240317184239142.png\"\n            alt=\"image-20240317184239142\"\n            title=\"image-20240317184239142\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The original value corresponds to a date in 2023, as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 622px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2b466aaddcad085788ba0b2beed862bf/604ec/image-20240317184723485.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2b466aaddcad085788ba0b2beed862bf/8ac56/image-20240317184723485.webp 240w,\n/static/2b466aaddcad085788ba0b2beed862bf/d3be9/image-20240317184723485.webp 480w,\n/static/2b466aaddcad085788ba0b2beed862bf/5bf66/image-20240317184723485.webp 622w\"\n              sizes=\"(max-width: 622px) 100vw, 622px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2b466aaddcad085788ba0b2beed862bf/8ff5a/image-20240317184723485.png 
240w,\n/static/2b466aaddcad085788ba0b2beed862bf/e85cb/image-20240317184723485.png 480w,\n/static/2b466aaddcad085788ba0b2beed862bf/604ec/image-20240317184723485.png 622w\"\n            sizes=\"(max-width: 622px) 100vw, 622px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2b466aaddcad085788ba0b2beed862bf/604ec/image-20240317184723485.png\"\n            alt=\"image-20240317184723485\"\n            title=\"image-20240317184723485\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I manually changed the UNIX timestamp bytes in the hex editor.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 456px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0fb8d5006c8fbb6e43a0a83958224890/7f664/image-20240317195353402.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 48.75000000000001%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB70lEQVQozz1Ra5PSQBDMD/eTeOKBRZVYhZLH5kFCEggkhDwgJoE7vatD79QrtXxU+VvamUX40DWZ2e7e6Y3yLDbxxHuDi9gimOimDi4SS+L5ypa1X0whDhu8LH10lgK9wpO1szAwqEK8auYYthFe75dQrEzHwOrD3dqwCgN+PYFTCNiEoHExpd6vXSS30fGsFAhbD+7GQtC68Cob4c5DfDNH/WML5W08xtNRh8Q+qvscIjehrjSoqQZ9bWC8UuG8m0Bb6xCFCS3V4VQTjBMV050PIxeSK6gamYCiUdPVX2BBoqb1YWWGFJqECc10MnK2jhQwrNKSc4N4TuUguAoQXocYBkNaRIXCpMFkAJOIgmJ7jXdGsA+kiGHTmUvR2cze2GdolIYNk0MCf+9D4Zt6oidv9v4L2ICrT5HM0kR4FUqzE/ic+Wwo6K05hUpPMP8wPxpe6pcyIhMkkbbhOVfup7vp0YR+BPP4m5PNrmfShJMwd3G7OBp2ta40440YHJfr7P3sbMgzGZl+CPdssPq0Qv41R/IxQfqQyujKKBqhb/blg7KIb2Ez3oBjM7F8LJF/yc8oHgtknzOsH9aof9bYfNug+dWg/dNCie9ibL9vJZEfNr1PER9iRDcRlndL2bOQtzmBZ6fK5sxvfjfY/93jH4mqWUWLLmSfAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0fb8d5006c8fbb6e43a0a83958224890/8ac56/image-20240317195353402.webp 240w,\n/static/0fb8d5006c8fbb6e43a0a83958224890/646b7/image-20240317195353402.webp 456w\"\n              sizes=\"(max-width: 456px) 100vw, 456px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0fb8d5006c8fbb6e43a0a83958224890/8ff5a/image-20240317195353402.png 240w,\n/static/0fb8d5006c8fbb6e43a0a83958224890/7f664/image-20240317195353402.png 456w\"\n            sizes=\"(max-width: 456px) 100vw, 456px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0fb8d5006c8fbb6e43a0a83958224890/7f664/image-20240317195353402.png\"\n            alt=\"image-20240317195353402\"\n            title=\"image-20240317195353402\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This successfully updated the MakerNotes 
timestamp.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 682px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2b5e830345f81b4b7c83daf835a91369/160a3/image-20240317195411938.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 50%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2b5e830345f81b4b7c83daf835a91369/8ac56/image-20240317195411938.webp 240w,\n/static/2b5e830345f81b4b7c83daf835a91369/d3be9/image-20240317195411938.webp 480w,\n/static/2b5e830345f81b4b7c83daf835a91369/57e27/image-20240317195411938.webp 682w\"\n              sizes=\"(max-width: 682px) 100vw, 682px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2b5e830345f81b4b7c83daf835a91369/8ff5a/image-20240317195411938.png 240w,\n/static/2b5e830345f81b4b7c83daf835a91369/e85cb/image-20240317195411938.png 480w,\n/static/2b5e830345f81b4b7c83daf835a91369/160a3/image-20240317195411938.png 682w\"\n            sizes=\"(max-width: 682px) 100vw, 682px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2b5e830345f81b4b7c83daf835a91369/160a3/image-20240317195411938.png\"\n            alt=\"image-20240317195411938\"\n            title=\"image-20240317195411938\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Submitting the modified file to the server yielded 
the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 848px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/cf19ae80236120188da73b296346c686/d52e5/image-20240317195342407.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 118.33333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAYCAYAAAD6S912AAAACXBIWXMAAAsTAAALEwEAmpwYAAAC+UlEQVQ4y5VVaVMaURDcpBKjJpqYy1sRPJBrYVnu+xRBBAHvK5X//x8606NLKaUGPrzaB7uvt3u6Z9awvDZMM4ZwKAbLY8FcSqG6k0fFlUAveoiB3ZRrA8ehKk5jLQxiTWSXwjj0FlDZSqG+nUHiRwChaTfCs9swTvhwpIaOVccg0UI3coCqO4XGbk5Akyis2ShtxmHPexGd29NDwaktBD66EJhyyd4F8xHMnPHAONjJouUrou7JyBuTSP0MIrNoIvHdj8jnHQWJzj8AkQUPcT+6nP+Ny0wXt4U++vYhLtIdXMq6yffRMWvIr0b1QXPa8+Lhp+BDwHagDLJkTZqy+JtgxfUYgp+2hrVR4FfYPV1GYy+vIDVPGnUBjovU2Defys4uR7TgowzfBLzKnqhkunct++tcDzfy+yrbRTdcR1Jq6rAcC5BSq+60ymYEHPmpXyHsv1+fXHLLV8KJRIVAzf2iAAWVVXkzoU6PAzIiuatSKZl7yr8vnYLuM4eTgCkgmfEgZTOHpY24XuMLPnjfrUqAN1+MyauA2lLxlsgtqAnsDDrsdAtTYM3tji1dgt3BRepYgt0E93ci9644wN/apeaxKv06kWTmjwZQNuWy8XMrlhriNVZF9tpEATd6VkNbjuGmMTWpJbuE7rMc7WBF45RZDI+VR+M82VYgAp8ljtTl28IA9+UzrR/ZsoYcFGOZwuJTLmVTclJajTnkhKFc34eNZzL/K5kOs91oAM3RUSYS+zJcyZiht2SEvQUyvDcjgJTLuHARhIHmCxhyMtZumfYMmb20hqAzj5JpRFlGPjMYX/DD/upF5MuuussHWT8uS/7TJYyd/WjgjQcjBsqQe/bzkb+sA5cvoOM1meY5GWW5ZUs/ByRB9rzHiT4cb2TIutFpyr0SuTf5Hm4l2H/E5XO5xxfRNJrk5DE0vLofwATInH2UzGDzAN+WX4nq2C+u20j/NlUmD/rF6bei8syUdqCiOTzyl1SGU0/GiFcG2/kcjIKQlTJ7AvoPhovUg8g1vkgAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/cf19ae80236120188da73b296346c686/8ac56/image-20240317195342407.webp 240w,\n/static/cf19ae80236120188da73b296346c686/d3be9/image-20240317195342407.webp 
480w,\n/static/cf19ae80236120188da73b296346c686/27a2c/image-20240317195342407.webp 848w\"\n              sizes=\"(max-width: 848px) 100vw, 848px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/cf19ae80236120188da73b296346c686/8ff5a/image-20240317195342407.png 240w,\n/static/cf19ae80236120188da73b296346c686/e85cb/image-20240317195342407.png 480w,\n/static/cf19ae80236120188da73b296346c686/d52e5/image-20240317195342407.png 848w\"\n            sizes=\"(max-width: 848px) 100vw, 848px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/cf19ae80236120188da73b296346c686/d52e5/image-20240317195342407.png\"\n            alt=\"image-20240317195342407\"\n            title=\"image-20240317195342407\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"dear-diaryforensic\" style=\"position:relative;\"><a href=\"#dear-diaryforensic\" aria-label=\"dear diaryforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Dear Diary(Forensic)</h2>\n<blockquote>\n<p>If you can find the flag on this disk image, we can close the case for good!\nDownload the disk image here.</p>\n</blockquote>\n<p>Running <code class=\"language-text\">fdisk -l disk.flag.img</code> on the provided image file confirmed it is a Linux disk 
image.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 770px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/71ee354a63df710fbb08855de206732a/f4b77/image-20240317221743457.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 31.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/71ee354a63df710fbb08855de206732a/8ac56/image-20240317221743457.webp 240w,\n/static/71ee354a63df710fbb08855de206732a/d3be9/image-20240317221743457.webp 480w,\n/static/71ee354a63df710fbb08855de206732a/cf403/image-20240317221743457.webp 770w\"\n              sizes=\"(max-width: 770px) 100vw, 770px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/71ee354a63df710fbb08855de206732a/8ff5a/image-20240317221743457.png 240w,\n/static/71ee354a63df710fbb08855de206732a/e85cb/image-20240317221743457.png 480w,\n/static/71ee354a63df710fbb08855de206732a/f4b77/image-20240317221743457.png 770w\"\n            sizes=\"(max-width: 770px) 100vw, 770px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/71ee354a63df710fbb08855de206732a/f4b77/image-20240317221743457.png\"\n            alt=\"image-20240317221743457\"\n            title=\"image-20240317221743457\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Running <code class=\"language-text\">parted 
disk.flag.img print</code> revealed that the filesystem is ext4.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/59fd8d2d0f4cd30c488d6ca52761bedc/105d8/image-20240317221824381.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 23.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABAklEQVQY032QW0+DQBSEeTFeorZeIlpf7MViKxRYhFJuBliQtCkGbdNG/f9/Yzy7Rl80PnyZzW7O7MxRuJOBG4/ItQylXiIdpqjZHB/xC96iBu+kK3eOchAiurQQXzHEHSbPgWoiuDARql/45waUFauwnS7RWAXWNPjKnvBsctQGx1LPsBinEt6b0V2Ooh8g7/pkaMNtj+CdjCVum2iNoDTSoJBUWoLk2kFBaYQ+tO4wPb2X6pEKzP0+9J0bGLtdTPZ6v1CqYUw17J9B/0yHc6zJH0PVgn14i4jenSMNEzKxDgb/oogqm1mNtbeQiL2J1KKyqJp0HLkvRoYinRj61r/4BNM8msv4wfBfAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/59fd8d2d0f4cd30c488d6ca52761bedc/8ac56/image-20240317221824381.webp 240w,\n/static/59fd8d2d0f4cd30c488d6ca52761bedc/d3be9/image-20240317221824381.webp 480w,\n/static/59fd8d2d0f4cd30c488d6ca52761bedc/e46b2/image-20240317221824381.webp 960w,\n/static/59fd8d2d0f4cd30c488d6ca52761bedc/446b5/image-20240317221824381.webp 1170w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/59fd8d2d0f4cd30c488d6ca52761bedc/8ff5a/image-20240317221824381.png 240w,\n/static/59fd8d2d0f4cd30c488d6ca52761bedc/e85cb/image-20240317221824381.png 480w,\n/static/59fd8d2d0f4cd30c488d6ca52761bedc/d9199/image-20240317221824381.png 
960w,\n/static/59fd8d2d0f4cd30c488d6ca52761bedc/105d8/image-20240317221824381.png 1170w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/59fd8d2d0f4cd30c488d6ca52761bedc/d9199/image-20240317221824381.png\"\n            alt=\"image-20240317221824381\"\n            title=\"image-20240317221824381\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Loading the image into Autopsy and performing a general analysis revealed a suspicious empty file, <code class=\"language-text\">innocuous-file.txt</code>, inside the root directory.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/bb9cdc0de5808130b55d0876dd951a04/cd78c/image-20240320233206583.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 54.166666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/bb9cdc0de5808130b55d0876dd951a04/8ac56/image-20240320233206583.webp 240w,\n/static/bb9cdc0de5808130b55d0876dd951a04/d3be9/image-20240320233206583.webp 480w,\n/static/bb9cdc0de5808130b55d0876dd951a04/e46b2/image-20240320233206583.webp 960w,\n/static/bb9cdc0de5808130b55d0876dd951a04/5b1dd/image-20240320233206583.webp 1236w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              
type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/bb9cdc0de5808130b55d0876dd951a04/8ff5a/image-20240320233206583.png 240w,\n/static/bb9cdc0de5808130b55d0876dd951a04/e85cb/image-20240320233206583.png 480w,\n/static/bb9cdc0de5808130b55d0876dd951a04/d9199/image-20240320233206583.png 960w,\n/static/bb9cdc0de5808130b55d0876dd951a04/cd78c/image-20240320233206583.png 1236w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/bb9cdc0de5808130b55d0876dd951a04/d9199/image-20240320233206583.png\"\n            alt=\"image-20240320233206583\"\n            title=\"image-20240320233206583\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This file looked very suspicious, but recovering its original data proved difficult.</p>\n<p>A team member found that The Sleuth Kit's <code class=\"language-text\">fls</code> command lists the file names recorded in a disk image's directory structures, including entries for files that have since been deleted.</p>\n<p>Reference: <a href=\"https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Linux Forensics | HackTricks | HackTricks</a></p>\n<p>First, I split the original image into its partitions with the following <code class=\"language-text\">dd</code> commands (512-byte sectors; <code class=\"language-text\">skip</code> is the partition's starting sector and <code class=\"language-text\">count</code> its length in sectors, as reported by <code class=\"language-text\">fdisk -l</code> above).</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">dd</span> <span class=\"token assign-left variable\">if</span><span class=\"token operator\">=</span>disk.flag.img <span class=\"token assign-left variable\">of</span><span class=\"token operator\">=</span>part1.img <span class=\"token assign-left variable\">bs</span><span class=\"token 
operator\">=</span><span class=\"token number\">512</span> <span class=\"token assign-left variable\">skip</span><span class=\"token operator\">=</span><span class=\"token number\">2048</span> <span class=\"token assign-left variable\">count</span><span class=\"token operator\">=</span><span class=\"token number\">614400</span>\n<span class=\"token function\">dd</span> <span class=\"token assign-left variable\">if</span><span class=\"token operator\">=</span>disk.flag.img <span class=\"token assign-left variable\">of</span><span class=\"token operator\">=</span>part2.img <span class=\"token assign-left variable\">bs</span><span class=\"token operator\">=</span><span class=\"token number\">512</span> <span class=\"token assign-left variable\">skip</span><span class=\"token operator\">=</span><span class=\"token number\">616448</span> <span class=\"token assign-left variable\">count</span><span class=\"token operator\">=</span><span class=\"token number\">524288</span>\n<span class=\"token function\">dd</span> <span class=\"token assign-left variable\">if</span><span class=\"token operator\">=</span>disk.flag.img <span class=\"token assign-left variable\">of</span><span class=\"token operator\">=</span>part3.img <span class=\"token assign-left variable\">bs</span><span class=\"token operator\">=</span><span class=\"token number\">512</span> <span class=\"token assign-left variable\">skip</span><span class=\"token operator\">=</span><span class=\"token number\">1140736</span> <span class=\"token assign-left variable\">count</span><span class=\"token operator\">=</span><span class=\"token number\">956416</span></code></pre></div>\n<p>The Linux filesystem resides in <code class=\"language-text\">part3.img</code>, so all subsequent commands target that file. Splitting is optional: the Sleuth Kit tools accept a partition's starting sector with <code class=\"language-text\">-o</code> (here <code class=\"language-text\">-o 1140736</code>) and can work on the whole image directly.</p>\n<p>The first command, <code class=\"language-text\">fsstat</code>, prints the filesystem's metadata rather than its contents: block size, inode ranges, the block-group layout and, most usefully here, the number of the journal inode (8).</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ fsstat -i raw -f ext4 
part3.img\n<span class=\"token punctuation\">{</span><span class=\"token punctuation\">{</span> omitted <span class=\"token punctuation\">}</span><span class=\"token punctuation\">}</span>\nJournal ID: 00\nJournal Inode: <span class=\"token number\">8</span>\n\nMETADATA INFORMATION\n--------------------------------------------\nInode Range: <span class=\"token number\">1</span> - <span class=\"token number\">119417</span>\nRoot Directory: <span class=\"token number\">2</span>\nFree Inodes: <span class=\"token number\">116979</span>\nInode Size: <span class=\"token number\">256</span>\n\nCONTENT INFORMATION\n--------------------------------------------\nBlock Groups Per Flex Group: <span class=\"token number\">16</span>\nBlock Range: <span class=\"token number\">0</span> - <span class=\"token number\">478207</span>\nBlock Size: <span class=\"token number\">1024</span>\nReserved Blocks Before Block Groups: <span class=\"token number\">1</span>\nFree Blocks: <span class=\"token number\">378721</span>\n\nBLOCK GROUP INFORMATION\n--------------------------------------------\nNumber of Block Groups: <span class=\"token number\">59</span>\nInodes per group: <span class=\"token number\">2024</span>\nBlocks per group: <span class=\"token number\">8192</span>\n\nGroup: <span class=\"token number\">0</span>:\n  Block Group Flags: <span class=\"token punctuation\">[</span>INODE_ZEROED<span class=\"token punctuation\">]</span>\n  Inode Range: <span class=\"token number\">1</span> - <span class=\"token number\">2024</span>\n  Block Range: <span class=\"token number\">1</span> - <span class=\"token number\">8192</span>\n  Layout:\n    Super Block: <span class=\"token number\">1</span> - <span class=\"token number\">1</span>\n    Group Descriptor Table: <span class=\"token number\">2</span> - <span class=\"token number\">5</span>\n    Group Descriptor Growth Blocks: <span class=\"token number\">6</span> - <span class=\"token number\">261</span>\n    Data bitmap: <span 
class=\"token number\">262</span> - <span class=\"token number\">262</span>\n    Inode bitmap: <span class=\"token number\">278</span> - <span class=\"token number\">278</span>\n    Inode Table: <span class=\"token number\">294</span> - <span class=\"token number\">799</span>\n    Data Blocks: <span class=\"token number\">8390</span> - <span class=\"token number\">8192</span>\n  Free Inodes: <span class=\"token number\">179</span> <span class=\"token punctuation\">(</span><span class=\"token number\">8</span>%<span class=\"token punctuation\">)</span>\n  Free Blocks: <span class=\"token number\">0</span> <span class=\"token punctuation\">(</span><span class=\"token number\">0</span>%<span class=\"token punctuation\">)</span>\n  Total Directories: <span class=\"token number\">300</span>\n  Stored Checksum: 0xB4C7\n\nGroup: <span class=\"token number\">1</span>:\n  Block Group Flags: <span class=\"token punctuation\">[</span>INODE_UNINIT, INODE_ZEROED<span class=\"token punctuation\">]</span>\n  Inode Range: <span class=\"token number\">2025</span> - <span class=\"token number\">4048</span>\n  Block Range: <span class=\"token number\">8193</span> - <span class=\"token number\">16384</span>\n  Layout:\n    Super Block: <span class=\"token number\">8193</span> - <span class=\"token number\">8193</span>\n    Group Descriptor Table: <span class=\"token number\">8194</span> - <span class=\"token number\">8197</span>\n    Group Descriptor Growth Blocks: <span class=\"token number\">8198</span> - <span class=\"token number\">8453</span>\n    Data bitmap: <span class=\"token number\">263</span> - <span class=\"token number\">263</span>\n    Inode bitmap: <span class=\"token number\">279</span> - <span class=\"token number\">279</span>\n    Inode Table: <span class=\"token number\">800</span> - <span class=\"token number\">1305</span>\n    Data Blocks: <span class=\"token number\">8454</span> - <span class=\"token number\">16384</span>\n  Free Inodes: <span class=\"token 
number\">2024</span> <span class=\"token punctuation\">(</span><span class=\"token number\">100</span>%<span class=\"token punctuation\">)</span>\n  Free Blocks: <span class=\"token number\">270</span> <span class=\"token punctuation\">(</span><span class=\"token number\">3</span>%<span class=\"token punctuation\">)</span>\n  Total Directories: <span class=\"token number\">0</span>\n  Stored Checksum: 0x6A4E</code></pre></div>\n<p>The next command uses <code class=\"language-text\">fls</code> to enumerate directories inside the image.</p>\n<p>When no inode is specified, the root directory inode is used by default.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ fls -i raw -f ext4 part3.img\nd/d <span class=\"token number\">32513</span>:      home\nd/d <span class=\"token number\">11</span>: lost+found\nd/d <span class=\"token number\">32385</span>:      boot\nd/d <span class=\"token number\">64769</span>:      etc\nd/d <span class=\"token number\">32386</span>:      proc\nd/d <span class=\"token number\">13</span>: dev\nd/d <span class=\"token number\">32387</span>:      tmp\nd/d <span class=\"token number\">14</span>: lib\nd/d <span class=\"token number\">32388</span>:      var\nd/d <span class=\"token number\">21</span>: usr\nd/d <span class=\"token number\">32393</span>:      bin\nd/d <span class=\"token number\">32395</span>:      sbin\nd/d <span class=\"token number\">32539</span>:      media\nd/d <span class=\"token number\">203</span>:        mnt\nd/d <span class=\"token number\">32543</span>:      opt\nd/d <span class=\"token number\">204</span>:        root\nd/d <span class=\"token number\">32544</span>:      run\nd/d <span class=\"token number\">205</span>:        srv\nd/d <span class=\"token number\">32545</span>:      sys\nd/d <span class=\"token number\">32530</span>:      swap\nV/V <span class=\"token number\">119417</span>:     <span class=\"token 
variable\">$OrphanFiles</span></code></pre></div>\n<p>To retrieve data that no longer exists in the root directory, we specify a different reserved inode.</p>\n<p>Among the reserved inodes listed below, we target the Journal inode.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 677px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3851b5ce38ca55094417ebca6f87e1dc/68de2/image-20240321195031398.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 60.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABgElEQVQoz51TCW7CMBDM/x9XRA4aCEkcOzc5OQRIiKnHCNQjjaoiDWt5D+/MbqyyLCGlRJblSNMUt9sN/N3v93/BqqsKSikUeaELZsZmeQ6lixelPmcpSh1zPl9wuczjer3CiqIIwXaLruu+YLfbYRgG7Pd7tG0L3/dRFAUOhwPGcfwBxjHHqvTrURzDXi7hei5sZ4kgCIwMLMyiBJOe5ynQT/ksVk2SBCvXQ6g7rdmZdp5OJ9PNX3E8Hh8d1lUNIQQc2zGWTrY/RWsOzKnrmpRLxJqy49iGOl/6LelJbeqeBSmfRd4PDW2s/bWhT+04iM9DGoZx9qFXQf6FYfQYitExRCxiyETqNVK6+0hLEaPtepPY9/0kXkNhwVSlWK99bLeBueRuZllmzpSAA6KdA2OapoHFZd5sArwtFlitPHge4WKpO3YcR/s28N995HrZ2cl3KZ6gj3tqNW1jggPdXSKFoUodlVSQSiIKSTmBiBNDPzISCBMjhISgTWLzcfDuA9eihIEGbdqCAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3851b5ce38ca55094417ebca6f87e1dc/8ac56/image-20240321195031398.webp 240w,\n/static/3851b5ce38ca55094417ebca6f87e1dc/d3be9/image-20240321195031398.webp 480w,\n/static/3851b5ce38ca55094417ebca6f87e1dc/dc474/image-20240321195031398.webp 677w\"\n              sizes=\"(max-width: 677px) 100vw, 677px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/3851b5ce38ca55094417ebca6f87e1dc/8ff5a/image-20240321195031398.png 240w,\n/static/3851b5ce38ca55094417ebca6f87e1dc/e85cb/image-20240321195031398.png 480w,\n/static/3851b5ce38ca55094417ebca6f87e1dc/68de2/image-20240321195031398.png 677w\"\n            sizes=\"(max-width: 677px) 100vw, 677px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3851b5ce38ca55094417ebca6f87e1dc/68de2/image-20240321195031398.png\"\n            alt=\"image-20240321195031398\"\n            title=\"image-20240321195031398\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout#Journal_.28jbd2.29\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Ext4 Disk Layout - Ext4</a></p>\n<p>Running <code class=\"language-text\">fls -i raw -f ext4 part3.img 8</code> makes <code class=\"language-text\">fls</code> parse the journal inode's data blocks as if they were directory blocks. ext4 journals metadata, so each time a file was created or unlinked the modified directory block was copied into the jbd2 journal, and those copies still carry names that have since disappeared from the live directory (the journal is a ring buffer, so only the most recent transactions survive). Examining the filenames recovered from the journal area, we were able to identify the correct flag as <code class=\"language-text\">picoCTF{1_533_n4m35_80d24b30}</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 398px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0f08118b68942a301d4a0586b5afa117/692d4/image-20240321200250072.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 140%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/0f08118b68942a301d4a0586b5afa117/8ac56/image-20240321200250072.webp 240w,\n/static/0f08118b68942a301d4a0586b5afa117/579c2/image-20240321200250072.webp 398w\"\n              sizes=\"(max-width: 398px) 100vw, 398px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0f08118b68942a301d4a0586b5afa117/8ff5a/image-20240321200250072.png 240w,\n/static/0f08118b68942a301d4a0586b5afa117/692d4/image-20240321200250072.png 398w\"\n            sizes=\"(max-width: 398px) 100vw, 398px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0f08118b68942a301d4a0586b5afa117/692d4/image-20240321200250072.png\"\n            alt=\"image-20240321200250072\"\n            title=\"image-20240321200250072\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>The hardest Rev and Forensic challenges were not overly difficult, but the Pwn and Web challenges looked quite tough.</p>\n<p>I’d like to keep improving so I can solve those higher-difficulty challenges as 
well.</p>","fields":{"slug":"/ctf-pico-ctf-2024-en","tagSlugs":["/tag/rev-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2024-03-24","description":"picoCTF 2024 Writeup","tags":["Rev (en)","Forensic (en)","English"],"title":"picoCTF 2024 Writeup","socialImage":{"publicURL":"/static/eb087db51ec17d1a9bef35766eaee867/ctf-pico-ctf-2024.png"}}}},"pageContext":{"slug":"/ctf-pico-ctf-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}
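The Dear Diary walkthrough above turns on one trick: `fls` given the journal inode (8) parses the journal's blocks as directory blocks, so names from older copies of the directory, including unlinked ones, reappear. The Python script below is an added example, not the writeup author's code and not part of The Sleuth Kit, that reimplements that step on a raw dump so the mechanics are visible. It tries every 1 KiB block (the block size fsstat reported) as an ext4 directory block, follows the rec_len chain for live entries, and scans each record's padding for entries the kernel left behind on unlink, marking those with `*` the way fls does. It assumes the journal has been dumped with `icat -i raw -f ext4 part3.img 8 > journal.bin` (the output file name is an assumption); run without an argument it uses directory blocks constructed inline with made-up inode numbers 4321 and 4322.

```python
# Added example: carve ext4 directory entries, live and unlinked, out of raw blocks.
# Usage: python carve_dirents.py journal.bin   (assumed `icat -i raw -f ext4 part3.img 8` dump)
import struct
import sys

BLOCK_SIZE = 1024                 # "Block Size: 1024" in the fsstat output
DIRENT = struct.Struct("<IHBB")   # ext4_dir_entry_2 header: inode, rec_len, name_len, file_type
FT_REG, FT_DIR = 1, 2             # ext4 file_type values


def _aligned(n):                  # directory records are padded to 4-byte multiples
    return (n + 3) & ~3


def _entry_at(block, off, end):
    """Parse the record at `off`; None unless header and name look plausible."""
    if off + DIRENT.size > end:
        return None
    inode, rec_len, name_len, _ = DIRENT.unpack_from(block, off)
    name = bytes(block[off + DIRENT.size:off + DIRENT.size + name_len])
    if (rec_len < DIRENT.size or rec_len % 4 or off + rec_len > end
            or not 0 < name_len <= rec_len - DIRENT.size
            or not all(0x20 <= c < 0x7F for c in name)):   # demo accepts ASCII names only
        return None
    return inode, rec_len, name_len, name.decode()


def walk_dir_block(block):
    """Return [(name, inode, deleted), ...] for one directory block, or None when
    the rec_len chain does not walk exactly to the end of the block.

    ext4 does not wipe a record on unlink: it widens the previous record's
    rec_len to cover it (or zeroes the inode of a first record), so the padding
    of every record in the chain is scanned for records the chain skips.
    """
    found, end, off = [], len(block), 0
    while off < end:
        if off + DIRENT.size > end:
            return None
        _, rec_len, name_len, _ = DIRENT.unpack_from(block, off)
        if rec_len < DIRENT.size or rec_len % 4 or off + rec_len > end:
            return None
        live = _entry_at(block, off, end)
        if live:
            found.append((live[3], live[0], live[0] == 0))
        pos = off + _aligned(DIRENT.size + name_len)     # first padding byte of this record
        while pos + DIRENT.size <= off + rec_len:
            hit = _entry_at(block, pos, off + rec_len)
            if hit:
                found.append((hit[3], hit[0], True))
                pos += _aligned(DIRENT.size + hit[2])
            else:
                pos += 4
        off += rec_len
    return found


def carve_names(dump, block_size=BLOCK_SIZE):
    """Try every block of a raw dump as a directory; return [(name, inode, deleted), ...]."""
    found = []
    for start in range(0, len(dump) - block_size + 1, block_size):
        entries = walk_dir_block(dump[start:start + block_size])
        if entries:
            found.extend(entries)
    return found


def build_dir_block(entries, delete=(), block_size=BLOCK_SIZE):
    """Test-data builder: lay out records like the kernel, then unlink `delete` the
    way ext4_generic_delete_entry does (the chain predecessor absorbs the rec_len)."""
    recs, off = [], 0
    for inode, name, ftype in entries:
        recs.append([off, inode, name.encode(), ftype, _aligned(DIRENT.size + len(name))])
        off += recs[-1][4]
    recs[-1][4] += block_size - off             # last record owns the free space
    block = bytearray(block_size)

    def write(rec):
        r_off, inode, name, ftype, rec_len = rec
        DIRENT.pack_into(block, r_off, inode, rec_len, len(name), ftype)
        block[r_off + DIRENT.size:r_off + DIRENT.size + len(name)] = name

    for rec in recs:
        write(rec)
    absorbed = set()                            # records the chain no longer reaches
    for victim in delete:
        idx = next(i for i, r in enumerate(recs) if r[2] == victim.encode())
        chain_prev = [i for i in range(idx) if i not in absorbed]
        if chain_prev:
            recs[chain_prev[-1]][4] += recs[idx][4]
            write(recs[chain_prev[-1]])
            absorbed.add(idx)
        else:
            recs[idx][1] = 0                    # first record: only the inode is zeroed
            write(recs[idx])
    return bytes(block)


def build_demo_journal():
    """Constructed stand-in for the journal dump: two journaled copies of the root
    directory (inode 2) around an unlink, padded with unrelated blocks."""
    listing = [(2, ".", FT_DIR), (2, "..", FT_DIR), (11, "lost+found", FT_DIR),
               (4321, "innocuous-file.txt", FT_REG),    # 4321/4322 are made-up inode numbers
               (4322, "old-entry.txt", FT_REG)]
    before = build_dir_block(listing)
    after = build_dir_block(listing, delete=["old-entry.txt"])
    return b"\xff" * BLOCK_SIZE + before + bytes(BLOCK_SIZE) + after


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_journal()
    for name, inode, deleted in carve_names(data):
        print(f"{'*' if deleted else ' '} {inode:>7}  {name}")   # '*' marks deleted, as fls does
```

On the demo data the unlinked name is listed twice: once as a live entry from the journal copy written before the unlink, and once as a deleted entry carved out of the padding in the copy written after it. That is why the journal listing in the writeup shows names the live root directory no longer has; a name only disappears for good once the journal wraps and the transaction that carried it is overwritten.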