Last active
November 23, 2016 15:20
GreHack 2016 CTF Daytonaaaaaaaaaa!!!!! write-up
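#!/usr/bin/env python3
import struct
import zlib

# Daytonaaaaaaaaaa!!!!!
# by iggy
# 200 points
#
# Never look down and go ahead !
#
# sha1sum : 0561a37c09185f55baac1dd475adbca8d0cc0984
# File available here: https://i.imgur.com/6BtRzsa.png

# $ file 1479482698.53_daytona.png
# 1479482698.53_daytona.png: PNG image data, 940 x 663, 8-bit/color RGBA, non-interlaced

# Nothing appeared abnormal in the PNG file format or in the pixels, so dig
# deeper into the PNG data: concatenate every IDAT payload, inflate it, and
# compare the amount of pixel data actually stored with the amount the IHDR
# dimensions account for. A decoder only renders the rows declared in IHDR,
# so any surplus scanlines stay invisible until the header is corrected.

# Bytes per scanline for 8-bit RGBA, non-interlaced: 940 pixels * 4 bytes,
# plus the 1-byte filter type that prefixes every row.
ROW_BYTES = 940 * 4 + 1

idat_parts = []
with open('1479482698.53_daytona.png', 'rb') as f:
    _ = f.read(8)  # skip the 8-byte PNG signature
    while True:
        # Chunk layout: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        header = f.read(8)
        if len(header) < 8:
            # Without this guard a file lacking IEND ends in an opaque
            # struct.error; report the real problem instead.
            raise ValueError("truncated PNG: end of file before IEND chunk")
        l, t = struct.unpack(">I4s", header)
        d = f.read(l)
        if len(d) < l:
            raise ValueError("truncated PNG: chunk shorter than its declared length")
        _ = f.read(4)  # chunk CRC, deliberately not verified here
        if t == b"IDAT":
            idat_parts.append(d)
        if t == b"IEND":
            break

# The IDAT chunks together form a single zlib stream.
idat = b''.join(idat_parts)
data = zlib.decompress(idat)
print("got", len(data))
print("expected", ROW_BYTES * 663)
# True division on purpose: a non-integer result would mean the row-size
# assumption above is wrong.
print("expected height", len(data) / ROW_BYTES)

# Solution:
# * patch image height in the IHDR (replace 0x0297 by 0x02b0),
#   i.e. 663 -> 688 rows
# * fix IHDR CRC (replace 0x81f1c79e by 0x9c58f210); the CRC covers the chunk
#   type plus the chunk data, so it can be recomputed with zlib.crc32 after
#   the height is patched
# * profit -> https://i.imgur.com/vSZN4cT.png

# Flag:
# GH16{Was_a_f**k_damn_great_game_!}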