
Same Same But Different

rev 2000pts 2 solves vigenere
Author
subzcuber

Author: pattu_sai

Listen to the music and chill https://open.spotify.com/track/2Okgqrcl83f9ZDQ5ZZK3jb

IT’s NOT THE SAME WHAT YOU SEE WITH UR EYES.

ENC FLAG MD5 : 7b757b8049a319a68888c93c53315b16


You were given pseudo, the “pseudocode” of the challenge (it was pretty much just the actual code though), and flag.enc, containing the encrypted data.

pseudo
infile = "flag.png"
with open(infile, "rb") as f:
    data = bytearray(f.read())
for i in range(len(data)):
    print((data[i] + fact(i)) % len(data))

(this was the “fixed” handout, the previous one leaked len(data) as 0x32b7 and also had infile="flag.zip" 💀)

flag.enc
138
81
80
77
37
130
746
5050
1371
...

Reconstructing The Image

Reversing the pseudocode on the first few values, it is not difficult to see the PNG header 0x89 0x50 0x4e 0x47 being formed.

Let’s get the image back:

solve.py
N = 0x32b7  # len(data), leaked by the previous handout

with open("./flag.enc", "r") as f:
    lines = f.read().split()

data = bytearray()
fac = 1  # running value of i! mod N

for i, line in enumerate(lines):
    if i > 0:
        fac = (fac * i) % N
    # undo (data[i] + fact(i)) % N; data[i] is a byte, so the result is < 256
    data.append((int(line) - fac) % N)

with open("res.png", "wb") as image:
    image.write(data)

giving us the image

res.png

O7EDJ{Wdhi_89k25397ewsm5?40o594307j71s3sh4e}

Missing Character

In the image you can see there’s one character that’s not entirely visible. We can just bruteforce it and compare the result to the hash given to us in the description.

bf.py
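import hashlib
from string import ascii_letters

# text read off res.png, with '?' marking the partly hidden character
flag = "O7EDJ{Wdhi_89k25397ewsm5?40o594307j71s3sh4e}"
for i in ascii_letters:
    md = hashlib.md5()
    md.update(flag.replace('?', i).encode())
    if md.hexdigest() == "7b757b8049a319a68888c93c53315b16":
        print(f"[{i}] {flag.replace('?', i)}")
# [c] O7EDJ{Wdhi_89k25397ewsm5c40o594307j71s3sh4e}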

Decryption

After this we tried every possible encoding/decoding we could think of to no avail. I finally raised a ticket asking to confirm if the flag was encrypted or encoded and the challenge author said it was properly encrypted with a key.

Immediately we tried the Vigenere cipher and tried to guess the key to recreate the flag format.

We got the key HCKERS and the flag:

H7CTF{Flag_89a25397afaf5a40e594307f71b3aa4c}
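The key-guessing step above, written out as an added example (not code from the original writeup): the known flag format forces the first key letters, and candidate keys are then checked against the decrypted body. The function names and the "hex digits after the last underscore" check are assumptions made for this sketch.

```python
from string import ascii_uppercase as AZ

CT = "O7EDJ{Wdhi_89k25397ewsm5c40o594307j71s3sh4e}"  # from res.png, '?' resolved via MD5
KNOWN = "H7CTF{"                                      # flag format used as the crib


def key_prefix(ct: str, known: str) -> str:
    """Known-plaintext step: K = C - P (mod 26) at every letter position."""
    out = []
    for c, p in zip(ct, known):
        if c.isalpha():
            out.append(AZ[(ord(c.upper()) - ord(p.upper())) % 26])
        elif c != p:
            raise ValueError("non-letters pass through unchanged; crib does not fit")
    return "".join(out)


def decrypt(ct: str, key: str) -> str:
    """Vigenere decryption; the key index advances on letters only, case is kept."""
    out, k = [], 0
    for c in ct:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            shift = ord(key[k % len(key)]) - ord("A")
            out.append(chr((ord(c) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(c)
    return "".join(out)


def looks_right(pt: str) -> bool:
    """Assumed plausibility check: flag format, then hex digits after the last '_'."""
    if not (pt.startswith(KNOWN) and pt.endswith("}")):
        return False
    body = pt[len(KNOWN):-1].rsplit("_", 1)[-1]
    return all(ch in "0123456789abcdef" for ch in body)


if __name__ == "__main__":
    print(key_prefix(CT, KNOWN))  # key letters forced by the flag format
    for guess in ("HCKE", "HCKER", "HCKERS"):
        pt = decrypt(CT, guess)
        print(guess, pt, looks_right(pt))
```

The crib only pins down four key letters, so the remaining letters still have to be guessed; the plausibility check is what separates a wrong key length from the right one.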