Picture of Alexander Taylor located at https://ctf.isis.poly.edu/judges/. I’m putting it there for who missed it:
Image may be NSFW.
Clik here to view.
In first glance, it had nothing but by more focus, we realized the picture contains some extra chunks: xORk, kTXt
Observing the chunks’ names led us to do XOR between xORk chunk data and kTXt. Pictures below make it clear:
Image may be NSFW.
Clik here to view.
Image may be NSFW.
Clik here to view.
On pictures, the Red marks are CRC32 checks, the green marks are the extra chunks and Data is selected by mouse. So the extracted data were:
2836382C100304140A150814020708180D00610416110B12000761030C73021F021D0612630408030B1C1403631D0E030A10042A 43534157
The first one represents a non-printable ASCII code which had to be XORed, the second one was apparently the key (Obviously, we had to change the key’s length in order to become equal to encrypted string). Doing XOR by a PHP script:
<?php
function hex2ascii($hex)
{
$ascii='';
for($i=0; $i<strlen($hex); $i=$i+2)
{
$ascii.=chr(hexdec(substr($hex, $i, 2)));
}
return($ascii);
}
function xorhex($hex1, $hex2) {
$len = max(strlen($hex1), strlen($hex2));
$hex1 = str_pad($hex1, $len, "0", STR_PAD_LEFT);
$hex2 = str_pad($hex2, $len, "0", STR_PAD_LEFT);
$xor = "";
for ($i = 0; $i < $len; $i += 6) {
$one = (int)base_convert(substr($hex1, $i, 6), 16, 10);
$two = (int)base_convert(substr($hex2, $i, 6), 16, 10);
$xor .= str_pad(base_convert($one ^ $two, 10, 16), 6, "0", STR_PAD_LEFT);
}
return ltrim($xor, "0");
}
$s1 = '2836382C100304140A150814020708180D00610416110B12000761030C73021F021D0612630408030B1C1403631D0E030A10042A';
$s2 = '43534157435341574353415743534157435341574353415743534157435341574353415743534157435341574353415743534157';
$x = hex2ascii(xorhex($s1,$s2));
echo "\n" , $x, "\n\n";
?>
The flag:
Image may be NSFW.
Clik here to view.
