picoCTF 2021 Transformation Writeup

Transformation is a Reverse Engineering puzzle worth 20 points.

A file named enc is provided, along with a Python snippet:

''.join([chr((ord(flag[i]) << 8) + ord(flag[i + 1])) for i in range(0, len(flag), 2)])

At first glance, this packs the flag two characters at a time: the first character is shifted left by 8 bits and the second is added to it, producing one character per pair. It may be a known encoding scheme, so I threw it through CyberChef’s Magic recipe.

To do this, I first had to dump the enc file as hex, because my terminal was jacked up and not copying the contents of enc correctly:

daniel@LAPTOP ~ % xxd enc
00000000: e781 a9e6 8daf e48d 94e4 99bb e384 b6e5  ................
00000010: bda2 e6a5 b4e7 8d9f e6a5 aee7 8db4 e38c  ................
00000020: b4e6 919f e6bd a6e5 bcb8 e5bd a5e3 84b4  ................
00000030: e385 a1e3 81a6 e39d bd                   .........
daniel@LAPTOP ~ % xxd enc | awk {'print $2$3$4$5$6$7$8$9'}
e781a9e68dafe48d94e499bbe384b6e5
bda2e6a5b4e78d9fe6a5aee78db4e38c
b4e6919fe6bda6e5bcb8e5bda5e384b4
e385a1e381a6e39dbd.........

My recipe was simple: I pasted the hex bytes shown above into the Input, and used From Hex and Magic with Intensive Mode enabled. This revealed the flag, encoded with UTF-16 Big Endian.

Writing a quick Python script confirmed this:

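#!/usr/bin/env python3

# enc holds UTF-8 text; read it with an explicit encoding so the result
# does not depend on the system locale.
with open("enc", encoding="utf-8") as fp:
    flag = fp.read()

# Each character packs two flag bytes (high byte, then low byte), which is
# how UTF-16 Big Endian serializes a code point.
print(flag.encode("utf-16-be"))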
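
Why UTF-16 Big Endian undoes the snippet, as an added example that is not part of the original writeup: the packing step and two ways to reverse it, run on a constructed flag. The function names and SAMPLE_FLAG are assumptions made for illustration.

```python
# Added example: inverse of the challenge's packing step, on a constructed flag.

def encode(flag: str) -> str:
    """The challenge's transformation: two 8-bit characters -> one code point."""
    return ''.join(chr((ord(flag[i]) << 8) + ord(flag[i + 1]))
                   for i in range(0, len(flag), 2))


def decode(enc: str) -> str:
    """Split each code point back into its high byte and low byte."""
    out = []
    for ch in enc:
        cp = ord(ch)
        if cp > 0xFFFF:
            raise ValueError(f"U+{cp:04X} does not fit in 16 bits")
        out.append(chr(cp >> 8))     # first character of the pair
        out.append(chr(cp & 0xFF))   # second character of the pair
    return ''.join(out)


def decode_utf16(enc: str) -> str:
    """Same split via the codec: UTF-16-BE emits high byte, then low byte.

    Raises UnicodeEncodeError if a pair packed into the surrogate range
    (first character 0xD8-0xDF); decode() above has no such limit.
    """
    return enc.encode("utf-16-be").decode("latin-1")


SAMPLE_FLAG = "picoCTF{constructed_example}"  # constructed, not the real flag

if __name__ == "__main__":
    packed = encode(SAMPLE_FLAG)
    print(packed.encode("utf-8").hex())  # what a hex dump of such a file shows
    print(decode(packed))
    print(decode_utf16(packed))
    try:
        encode("odd")                    # flag[i + 1] runs past the end
    except IndexError as exc:
        print("odd-length input:", exc)
```

Decoding the first three bytes of the dump above, e7 81 a9, as UTF-8 and passing the result to decode() returns "pi". The encoder itself only works on even-length input, which is why the odd-length call fails.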
