Writeup – glorious.png (Sectalks Sydney June 2016 – Partial)

During this weekend, I missed the SecuInside / cykor.kr CTF event due to being too sick to IDA properly – it turns out it’s super hard to reverse engineer when you’re multitasking trying not to throw up on the keyboard. This event was focussed on reverse engineering and exploitation, and also included some DARPA CGC challenges. I look forward to attempting these at some point.

Two months ago, I won the SecTalks CTF challenge, so I won the prize of designing last month’s challenge together with a comrade (if you’re reading this – let me know if you want named credit). Now that the allotted time for solving this challenge has concluded, I will present the creation and solution of this challenge below, for reference. Without further ado:


in all its glorious glory

The “glorious.png” challenge was presented as a PNG image file, hosted as part of the overall challenge (together with web challenge content). As with many other PNG challenges, one of my first steps is to use an 010 Editor template or hex editor to look at the file structure: from this, we can immediately spot data after the IEND chunk (which should be the last chunk in a PNG file), a common CTF trick.


From this, we can immediately determine that an archive file has been appended to the end of the PNG. Separating this out and unzipping it gives us a “pyc” file. A “pyc” file is a compiled Python file. In its default form, a “pyc” will come with enough information to reconstruct the source file very accurately, with the “uncompyle2” utility:


From this decompilation, we can determine that this is a basic steganography tool, which performs simple encoding of data and then hides the encoded data in the red channel of the image’s pixels.

To test the encoding, we can take the encode() function and try to encode some sample data:

 eat my balls -> 1e1a1t1 1m1y1 1b1a2l1s 
 aaaaabbbbb -> 5a5b

From this, we can tell that this is a simple form of run length encoding (against characters, instead of bits), which is simple enough to decode by hand if needed.

Chances are that the data is encoded in the original image, as we don’t have any other files with this challenge: we simply write ourselves a quick and dirty decoding tool and run it against the original file to retrieve the flag:


You can find the original challenge image above in this post, as well as the data hide tool and data unhide tool I used to “check” the challenge – note that the unhide tool, d.py, doesn’t include sanity checks for the end of encoded data.
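The scheme described above, written out as an added example (my own code here, not the challenge’s hide/unhide tools): character-level run-length encoding, a decoder that refuses malformed runs, and hide/unhide routines that put one encoded byte per pixel in the red channel. The red=0 end-of-data marker (the sanity check d.py lacks) and the flat list of (r, g, b) tuples standing in for the image are assumptions, since the post does not give the original tools’ exact layout.

```python
import re

def rle_encode(data: str) -> str:
    """Character-level run-length encoding: 'aaaaabbbbb' -> '5a5b'."""
    runs = [m.group(0) for m in re.finditer(r"(.)\1*", data, re.DOTALL)]
    return "".join(f"{len(r)}{r[0]}" for r in runs)

def rle_decode(encoded: str) -> str:
    # The count is read greedily, so a payload that contains digits does not
    # round-trip ('12' -> '1112' -> 111 copies of '2'); the strict parse below
    # only catches truncated or corrupted runs, not that ambiguity.
    out, pos = [], 0
    for m in re.finditer(r"(\d+)(.)", encoded, re.DOTALL):
        if m.start() != pos:
            raise ValueError(f"malformed run at offset {pos}")
        out.append(m.group(2) * int(m.group(1)))
        pos = m.end()
    if pos != len(encoded):
        raise ValueError("trailing bytes after last run")
    return "".join(out)

def hide(pixels, payload: str):
    # One encoded byte per pixel in the red channel, then red=0 as an end-of-data
    # marker (my assumption; the post says its own unhide tool has no such check).
    encoded = rle_encode(payload).encode("ascii") + b"\x00"
    if len(encoded) > len(pixels):
        raise ValueError("image too small for payload")
    out = list(pixels)
    for i, byte in enumerate(encoded):
        out[i] = (byte,) + tuple(out[i][1:])
    return out

def unhide(pixels) -> str:
    # Read red values until the 0 marker; fail loudly if it never appears.
    buf = bytearray()
    for r, *_ in pixels:
        if r == 0:
            break
        buf.append(r)
    else:
        raise ValueError("no end-of-data marker found")
    return rle_decode(buf.decode("ascii"))

# Constructed stand-in for an image: (r, g, b) tuples whose red is never 0.
SAMPLE_PIXELS = [(i, 10, 20) for i in range(1, 64)]
```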

I hope everyone had fun with this challenge!

About Norman

Sometimes, I write code. Occasionally, it even works.