Writeup – Odrrere (and thoughts on approach)

Posted on May 11, 2016 by Norman

During this weekend’s ASIS CTF, I solved the “Odrerre” challenge. This challenge was relatively straightforward compared to other challenges such as “3Magic” and “binarycloud”, but it’s worth documenting nonetheless.

This challenge started off with a broken PNG file:

hopefully this renders properly...

hopefully this renders properly…

A quick inspection in 010 editor appears to reveal no obvious errors: none of the headers are out of place, a PNG template reports all good:

inside 010 editor

inside 010 editor

The only thing of interest is the IDAT chunks. IDAT chunks contain zlib-compressed data, which represents the actual pixels of the image. If you get more of the blocks in the right order, more and more pieces of the image appear – in this case, the first chunk seems to have been given to us as a freebie.

Half an hour of (manually) fiddling with the order of the IDAT blocks in 010 editor later, and you get the output image and a complete flag:

tada!

tada!

This was solved in time for the CTF, so we scored some internet points for this.

Following the CTF, I engaged in some discussion with a fellow explorer of the internet around other ways we might be able to do this. Specifically, the idea came up that we might be able to optimise our solve, by using measuring the ability of zlib to decompress a given order of images. The train of thought went something like this:

  • Most naive solution: brute force all the orders of IDAT chunks
  • Less naive solution: brute force each “depth” of chunk, by trying each possible chunk and checking for the zlib decompress error. “-5” was better than “-3”
  • Less naive solution: for a given depth x with possible chunks idats_remaining, we feed zlib increasing data from each remaining idat to try. Let’s say idat_a gives a “-5” error when you hit 0x100 bytes, idat_b gives a “-5” error when you hit 0x140 bytes: idat_b would be rated “more optimal” than idat_a

After some brief experimentation in Python, it looks like the zlib interface simply isn’t granular enough to provide the result we need, and this will need some digging through zlib’s source code to identify exactly where decompression fails (but this will doubtless be useful in spotting anomalies in other PNG images).

In other news, I bought myself some SDR equipment to play around with, and after a bit of wrestling with the build process, gqrx and friends work inside a VM on my laptop:

success!

good times.

Fuck yes, time to play with cool technology stuff.

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.