
@marczalik
Last active April 25, 2023 14:50
A New Hope

Solving a CTF Challenge with OFRAK

Background

I recently had the opportunity to take part in the Space Heroes CTF hosted by FITSEC and Florida Tech. During this weekend-long event, I worked alongside coworkers to solve a number of space-themed challenges. This is the story of how I found an excellent use of the binary analysis and modification platform OFRAK in recovering a hidden message sent by Princess Leia.

The Challenge

Click the image below to watch how I solved this challenge using OFRAK. Video Walkthrough

The Script

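And here is the final script generated by OFRAK, which you can share with your teammates so that they can learn how you recovered the flag. The step that matters is near the end: after unpacking the presentation as a ZIP archive and analyzing the three files under ppt/media, the script overwrites the first two bytes of image1.png with FF D8, the JPEG start-of-image marker, and writes the patched file to disk.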

from ofrak import *
from ofrak.core import *


async def main(ofrak_context: OFRAKContext):
    """Unpack A_New_Hope.pptx, patch the header of ppt/media/image1.png, and export it.

    The steps replay, in order, the actions recorded in the OFRAK session:

    1. Load ``A_New_Hope.pptx`` from the current working directory as the
       root resource and run all analyzers on it.
    2. Unpack it, tag it as a ``ZipArchive`` (a .pptx is a ZIP container),
       save, and unpack recursively.
    3. Locate ``ppt/media`` and analyze ``image1.png``, ``image2.jpeg`` and
       ``image3.png``.
    4. Overwrite the first two bytes of ``image1.png`` with ``FF D8`` (the
       JPEG start-of-image marker), re-analyze it, and write it to
       ``image1.png`` in the current working directory.

    Args:
        ofrak_context: The OFRAK context used to create the root resource.

    NOTE(review): both the input and the output path are fixed relative
    names, so the result depends on the directory the script is run from,
    and an existing ``image1.png`` there is presumably overwritten — confirm.
    NOTE(review): the input is a third-party challenge file and is unpacked
    recursively with every analyzer enabled; run this in a disposable
    environment rather than on a workstation that holds other data.
    """

    async def only_child_named(parent, tags, name):
        """Return the single child of *parent* with *tags* and filesystem name *name*."""
        name_filter = ResourceAttributeValueFilter(
            attribute=AttributesType[FilesystemEntry].Name, value=name
        )
        return await parent.get_only_child(
            r_filter=ResourceFilter(tags=tags, attribute_filters=[name_filter])
        )

    pptx = await ofrak_context.create_root_resource_from_file("A_New_Hope.pptx")
    await pptx.auto_run(all_analyzers=True)

    # The first unpack happens before the ZipArchive tag is applied; the tag
    # is then added by hand and saved so the recursive unpack treats the
    # presentation as a ZIP archive. Order is kept exactly as recorded.
    await pptx.unpack()
    pptx.add_tag(ZipArchive)
    await pptx.save()
    await pptx.unpack_recursively()

    # Walk down to ppt/media, where the presentation's embedded images live.
    ppt_dir = await only_child_named(pptx, {Folder}, "ppt")
    media_dir = await only_child_named(ppt_dir, {Folder}, "media")

    # image1.png is the only entry looked up with the GenericBinary tag in
    # addition to File.
    suspect_image = await only_child_named(
        media_dir, {File, GenericBinary}, "image1.png"
    )
    await suspect_image.auto_run(all_analyzers=True)

    # The other two media files are only analyzed, never modified.
    for other_name in ("image2.jpeg", "image3.png"):
        other_image = await only_child_named(media_dir, {File}, other_name)
        await other_image.auto_run(all_analyzers=True)

    # Replace bytes [0x0, 0x2) with the JPEG SOI marker. The file keeps its
    # .png name even though its header now says JPEG.
    suspect_image.queue_patch(Range(0x0, 0x2), b"\xff\xd8")
    await suspect_image.save()

    # Re-run the analyzers on the patched data, then export it.
    await suspect_image.auto_run(all_analyzers=True)
    await suspect_image.flush_to_disk("image1.png")


if __name__ == "__main__":
    ofrak = OFRAK()

    # Optional analysis backends. All three toggles are off, so none of the
    # backend packages is imported or registered and main() runs with the
    # default OFRAK components only. Turn on at most the one you have
    # installed.
    use_angr_backend = False
    use_binary_ninja_backend = False
    use_ghidra_backend = False

    if use_angr_backend:
        import ofrak_angr
        import ofrak_capstone

        # Capstone is registered before angr, as in the generated template.
        ofrak.discover(ofrak_capstone)
        ofrak.discover(ofrak_angr)

    if use_binary_ninja_backend:
        import ofrak_binary_ninja
        import ofrak_capstone

        ofrak.discover(ofrak_capstone)
        ofrak.discover(ofrak_binary_ninja)

    if use_ghidra_backend:
        import ofrak_ghidra

        ofrak.discover(ofrak_ghidra)

    # Hand the async entry point to OFRAK, which supplies the OFRAKContext.
    ofrak.run(main)