ASIS CTF Finals 2015 – Strange (misc 150)

October 12, 2015

After downloading the ASIS typical .tar.xz archive, we got a png file with 14MB. After extracting we noticed that the file has dimensions of 344987×344987 pixels. OK that is huge! Since there was no preview of the picture generated, which would indicate a normal picture with something attached after the picture, we tried to open it with Photoshop and Matlab but that resulted, in my case, with my MacBook telling me there is no memory left while Matlab used 60GB memory. Now let’s inspect the file with a hex-editor:

stange-topsectionstrange-datasection

Here we see there are just zeros, but somewhere in the middle there is some data. So we used binwalk to extract the zlib part of the png file and decompressed the raw zlib stream. This gave us a the raw image data file with a size of 14GB. From inspecting the image with tweakpng we knew the png file uses a palette with two colors and 1bit per pixel.

To get the important information we opened the raw image data file in a hex-editor and search for data. Since the data in the file is a 1 dimensional array which will be converted into a 2 dimensional array by the rendering routine, we have to look for several positions with data. In the middle of the file we found the hex strings shown below. To find them we searched the file for the bit sequence “11” and got several positions.

So we extracted the following hex strings:

“F1FC1F783F7FFC7C3FCF38FFFE3F1EFFFDE3E07E7FFFFC3F1F8F9FFC0FF7E7F3E3FCF38F87C3FCCF”
“F1F98F731EFFF1399FCE627FFC9E4EFFFD89EFFE7FFFF99E4E273FFDFFF7E7F3C9FCE7273399FCE7”
“F5F3EF67DEFFF39BCF8E673FF9CCE6FFFD9CCFFC7FFFFBCCE6733FF9FFF7C7E39CF8E67379BCF8F7”
“E4F3EF67DEF8F39BCF0C27383BFDE68F859CCFF878783BEDE6FA1839FE1787C3BFF0C2F379BEF0F7”
“ECF1FF63FEF273BFDF4E67713A3DF623319DC1FA73313BCDF7F331383CC7A7D3A3F4E6FBFBBCF4F7”
“EEF83F707EE7383F1ECE7077989DF67379C1CCF677B799CDF7F337999DE767B389ECE6FBE39CECF7”
“CE7F0F7E1EEFB39FCCCE673F99CDF6FB799CFE6677FF9C0DF7C73F9FCDE667339CCCE6FBF9C0CCF7”
“C07FE77FCCE037DFCDCE6FB81BEDF6FA7DBEFF6E77F81FEDF79F381FE9F6E773BEDCE6FBF9FEDCF3”
“9F77E76FCDEFF7DBE8066FB39BEDE6FB79BEFF4037F39FCDE73F339FEDE40201BE8066F37DFC8073”
“9F33E767CEEFB79BCFCE6F3799CCE67379BCDE7E77B799DCE67F379BCDE7E7F39CFCE673799DFCF7”
“BF38CF719EF271399FCE62731C9E4E271189CCFE7333199E4E7F33199C47E7F3C9FCE7273399FCF7”
“3FBC1F783EF8F87C3FCE70F8CE3F1E8F85C3E1FE7878CC3F1E0338CC3E17E7F3E3FCE78F87C3FCF7”
“FFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7”
“FFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7”
“FFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE7”
“FFFFFFFFFF7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCF”

 

The end was quite simple: loop through each string, convert it to binary, check if value is 1, if so draw a black pixel, open picture and copy and submit the flag.

from PIL import Image
lines = [
"F1FC1F783F7FFC7C3FCF38FFFE3F1EFFFDE3E07E7FFFFC3F1F8F9FFC0FF7E7F3E3FCF38F87C3FCCF",
"F1F98F731EFFF1399FCE627FFC9E4EFFFD89EFFE7FFFF99E4E273FFDFFF7E7F3C9FCE7273399FCE7",
"F5F3EF67DEFFF39BCF8E673FF9CCE6FFFD9CCFFC7FFFFBCCE6733FF9FFF7C7E39CF8E67379BCF8F7",
"E4F3EF67DEF8F39BCF0C27383BFDE68F859CCFF878783BEDE6FA1839FE1787C3BFF0C2F379BEF0F7",
"ECF1FF63FEF273BFDF4E67713A3DF623319DC1FA73313BCDF7F331383CC7A7D3A3F4E6FBFBBCF4F7",
"EEF83F707EE7383F1ECE7077989DF67379C1CCF677B799CDF7F337999DE767B389ECE6FBE39CECF7",
"CE7F0F7E1EEFB39FCCCE673F99CDF6FB799CFE6677FF9C0DF7C73F9FCDE667339CCCE6FBF9C0CCF7",
"C07FE77FCCE037DFCDCE6FB81BEDF6FA7DBEFF6E77F81FEDF79F381FE9F6E773BEDCE6FBF9FEDCF3",
"9F77E76FCDEFF7DBE8066FB39BEDE6FB79BEFF4037F39FCDE73F339FEDE40201BE8066F37DFC8073",
"9F33E767CEEFB79BCFCE6F3799CCE67379BCDE7E77B799DCE67F379BCDE7E7F39CFCE673799DFCF7",
"BF38CF719EF271399FCE62731C9E4E271189CCFE7333199E4E7F33199C47E7F3C9FCE7273399FCF7",
"3FBC1F783EF8F87C3FCE70F8CE3F1E8F85C3E1FE7878CC3F1E0338CC3E17E7F3E3FCE78F87C3FCF7",
"FFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7",
"FFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7",
"FFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE7",
"FFFFFFFFFF7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCF",

]

im = Image.new("RGB",(400,50),"white")
imo = im.load()
for y,l in enumerate(lines):
  g = bin(int(l, 16))[2:]
  for x,b in enumerate(g):
    if b == "1":
      imo[x,y] = (0,0,0)
im.save("strange-flag.png")

strange-flag

Thanks ASIS for this quite nice challenge 🙂

Leave a Reply