Writeups – RE100, digital_fortrees.exe (Whitehat ’11) + Late Writeup – the dog picture thingy (TJCTF)

Today, I participated in the WhiteHat Contest ’11 (wargame.whitehat.vn). This wargame was unusual for it’s extremely short 8-hour duration, which roughly aligned to the Australian afternoon – I checked after lunch and it was up, so I gave it a go. During this time, I was able to solve two challenges: RE100, and digital_fortrees.exe. Without further ado:


RE100 was presented as a zip file (re1_d3309936b177b41dada3796c4c3acadf). Unzipping this file showed a 64-bit Linux binary, so our next step is a bit of IDA Pro to understand what it does.

The main function contains some anti-debugging and decoy code which we can quickly ignore. The following portion of code, directly in the main function, shows the first half of the key check function:


One double click later, and the confuseKey function is quickly revealed as a very simple chunk shuffling function:


Given that:

  • We know the flag format is {…} and it’s 42 characters in length
  • We know that the first part of the key is “53fc275d81”
  • We know the last part of the key is “4938ae4efd”
  • We know the obfuscated whole key is “{daf29f5903 4938ae4efd 53fc275d81 053ed5be8c}”
  • We know that confuseKey just shuffles equal size blocks around, and we know the first and last blocks

It is then a simple matter of brute forcing which one of two possibilities is the actual flag (spaces for readability):

{53fc275d81 053ed5be8c daf29f5903 4938ae4efd}

An easy 100 points.

digital_fortrees.exe (Late – Just!!)

This challenge was presented as an executable file, which I’ve zipped so WordPress can not cry about me uploading an exe: df

This is a 32-bit Windows executable, but our first attempt with IDA quickly reveals this to be a frozen Python executable.



My first instinct was to run binwalk against it, but this cost me precious time, as it unpacked all the modules which py2exe had packed along with the executable as well as chunks of compressed data which it had detected, leaving me with a haystack of files, and no clean way of extracting the needle.

A bit of Google (and one WoW Cataclysm Timewalking dungeon – fuck yeah welfare gear) later, and my second try was with the unpy2exe tool:



Uncompyle2 quickly reveals the source code to digital_fortrees.py, as well as letgo.py and drawmap.py.

You can even run this at home:


A little bit of analysis of the source code later shows that it generates an infinite* number of folders, corresponding to prime numbers – and then, it listsl all the directories in the current directory (the “room numbers”), multiplies them together, and checks that the value is 1000012277050240711531267079 (letgo.py).

Fortunately, factordb has nicely factored the number down to it’s three prime factors: 1000004059 * 1000004099 *  1000004119.

The key would have been {sha1(room1.room2.room3)}, but unfortunately, the contest ended right before I was able to submit the flag – that’s what you get for playing videogames instead of capturing the flag.

As always, a huge thankyou to the WhiteHat (not to be confused with Whitehat Security, which is another very business excellent organisation) team for putting together this very fun event, even if it made me feel like a dumbass when I couldn’t get the pwning one in time.

There are other CTF problems on their website, which I’d recommend visiting.

Super Late – the dog picture thing (TJCTF)

Recently, I’ve also been going through my CTF archives, looking for old challenges which I hadn’t completed. Unfortunately, this is not always so easy – many challenges rely on servers which have long been silent, or I didn’t download all the components at the time. However, I did solve the following image puzzle from TJCTF:

woof woof you little shit

woof woof you little shit

The clue was something to do with the red pixels. Opening this up in GIMP, we can use the Colors > Threshold tool to play around with which colors we can display – for example, we can select a certain range of colors to display as white, and display everything else as black:


It’s clear here that a flag is hidden in the image, and is “printed” onto the image (as opposed to something like data encoded in pixel LSBs). We can sample the pixels by simply hovering our mouse over white parts of the image, and then using the Python Image Library to tell us the RGB values of these pixels.

In hindsight, this was easily noticeable in the GIMP Color Threshold tool – the “bars” represented the number of pixels with a given RGB profile, and the alternating bars pattern was a dead give-away.

A bit of trial and error later, and it becomes obvious that all the flag pixels have an odd R value (R as in RGB). A quick Python script reveals the key:


Unfortunately, this was too late to score any Internet points.

Tools – Sleuthkit

During the Whitehat CTF, I also tackled the WYGINWYS (What You Get Is Not What You See) challenge. I wasn’t able to solve this to completion but another most esteemed compatriot did, scoring us 200 [?] points.

This challenge was presented as a zip file containing a disk image. Initially, I tried to mount this as an NTFS volume, which only revealed one file: but the “fls” utility from the Sleuthkit package revealed more, including hidden and what appeared to be a deleted file, listed by inode.

The “icat” utility from the same package could then extract the file: icat [image_file] [inode_no] > [out_file].

If you haven’t already, this is a tool which is sure to come in useful in future CTFs.

Update – Websec CTF

I’m currently also competing in the Websec CTF, which is a CTF lasting over a month, with a variety of interesting challenges. Despite starting significantly late, team farmingsimulator are currently in fifth place, with fourth definitively within reach.

There’s a stack of cool writeups coming out of this CTF, but unfortuantely. I can’t write about them just yet. Stay tuned!

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.