2013-03-19

ForbiddenBITS 2013 - Crunch - 250

We get a PNG image that's all black. Looking at the structure, there doesn't appear to be any other data, only a single IDAT chunk with deflated image bytes. Decompressing the data, we can see a lot of runs of NULL bytes, so this is likely to be an image very limited in color, perhaps all black. After some trial and error we can "highlight" the actual content by changing the gamma of the PNG, either via the CLI or in GIMP using "Color" -> "Auto" -> "Normalize". This results in an image of a QR code that decodes to a URL.


$ pngtopnm -gamma 8 spawn.png > spawn.ppm
$ file spawn.ppm
spawn.ppm: Netpbm PPM "rawbits" image data
$ zbarimg spawn.ppm
QR-Code:http://forbiddenbits.net/060645cc5ebdf80e84ebc91547641b49
scanned 1 barcode symbols from 1 images in 0.12 seconds

The downloaded content is a long ASCII string of hex characters, which after conversion results in a data blob.

$ xxd -l64 060645cc5ebdf80e84ebc91547641b49 
0000000: 3939 6261 3964 3839 3734 3633 3263 3234  99ba9d8974632c24
0000010: 3262 3266 3734 3732 3637 3633 3632 3231  2b2f747267636221
0000020: 3734 3362 3636 3632 3964 6232 3734 3330  743b66629db27430
0000030: 3636 3633 3633 3638 3735 3732 3637 3633  6663636875726763

>>> from binascii import unhexlify
>>> dat = open("060645cc5ebdf80e84ebc91547641b49", "rb").read(1024*1024)
>>> open("blob.dat", "wb").write(unhexlify(dat))

$ xxd -l512 blob.dat 
0000000: 99ba 9d89 7463 2c24 2b2f 7472 6763 6221  ....tc,$+/trgcb!
0000010: 743b 6662 9db2 7430 6663 6368 7572 6763  t;fb..t0fcchurgc
0000020: 6368 7572 6763 6368 7572 6763 6368 7572  churgcchurgcchur
0000030: 6763 6368 7572 6763 6368 7572 6763 6368  gcchurgcchurgcch
0000040: 7572 6763 6368 7572 6763 6368 7572 6763  urgcchurgcchurgc
0000050: 6368 7572 6763 6368 758c bd62 2168 7572  churgcchu..b!hur
0000060: 6763 6368 7572 6763 6368 7572 6763 6368  gcchurgcchurgcch
0000070: 7572 6763 6368 7572 6763 6368 7572 6763  urgcchurgcchurgc
0000080: 6368 7572 6763 6368 7572 6763 6368 7572  churgcchurgcchur
0000090: 6763 6368 7572 6763 6368 7572 6763 9da9  gcchurgcchurgc..
00000a0: 7462 6e63 7768 0a70 6773 626b 6572 6573  tbncwh.pgsbkeres
00000b0: 6396 b073 7962 6269 7372 6763 6368 7473  c..sybbisrgcchts
00000c0: 6662 6269 7473 6566 676f 737b 6f68 6262  fbbitsefgos{ohbb
00000d0: 7571 99a6 6203 6473 6661 616e 737b 6064  uq..b.dsfaans{`d
00000e0: 6162 7375 6d6b 626a 7076 6764 7369 7674  absumkbjpvgdsivt
00000f0: 7576 4358 5032 3703 13e8 847b 7341 515d  uvCXP27....{sAQ]
0000100: e5d2 a76b 702d c5a2 8774 472a 2017 9757  ...kp-...tG* ..W
0000110: 311d 6351 5420 273b 2110 e2f6 c663 6c11  1.cQT ';!....cl.
0000120: 0311 17dd 5245 14e1 f1ab 5344 e4e7 f0cb  ....RE....SD....
0000130: d1c6 a2b6 802f 02e6 f0c1 d0da b787 99a6  ...../..........
0000140: 6274 7573 6461 6368 7572 6762 6269 7473  btusdachurgbbits
0000150: 6662 6269 7070 6364 6561 7571 6f9d a669  fbbippcdeauqo..i
0000160: 2162 6662 616d 7274 6066 666b 7376 6364  !bfbamrt`ffksvcd
0000170: 6569 7570 6262 606c 6575 4753 2338 8474  eiupbb`leuGS#8.t
0000180: 7203 13e8 d5c2 7471 f3a8 a592 6e77 4698  r.....tq....nwF.
0000190: 6256 5230 405c 6350 2337 10fb b655 5426  bVR0@\cP#7...UT&
00001a0: e0cb 6c45 2400 d060 5335 3534 805a 4330  ..lE$..`S554.ZC0
00001b0: 0207 16cc 8ba9 666e 6168 7471 7761 7369  ......fnahtqwasi
00001c0: 4b73 ebff 1087 ad72 7dad 46a2 769d 6438  Ks.....r}.F.v.d8
00001d0: b219 95ff aa93 bd46 9017 4f10 4601 cb43  .......F..O.F..C
00001e0: e5bf 05ff 0dc4 9368 f3c8 2ec2 72c3 93e2  .......h....r...
00001f0: 8cbc 7d05 fd6f 27ab f03c f67f 7559 8841  ..}..o'..<..uY.A

So, we can see that there's some structure to the decoded data blob, but it seems to be nonsense except for the header part, which may contain "encoded" ASCII characters. We could try to guess the file format and attempt basic XOR decryption, XORing the data with common magic values in order to get the real key. Another approach is to assume that the header will contain runs of NULL bytes, in which case, with simple XOR, the key shows up in the blob as plain text.

In the end it turned out to be a JPEG image XOR encrypted using the "fbbits" key. The image contains the flag in the form of a hash string overlaid in red on top of the image. Also, notice that the "fbbits" key was in fact present in the data blob where the real JPEG had a run of NULL bytes at offset 0xC0, which is part of the Huffman table.
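
The known-plaintext approach described above, as an added example that is not part of the original write-up: it XORs the first bytes of the blob (copied from the xxd output above) with the standard JFIF header, taken as the assumed plaintext, and uses the shortest repeating period of the result as the key. The function names are illustrative.

```python
# Added example: known-plaintext recovery of a repeating XOR key.

# First 32 bytes of blob.dat and the 16 bytes at offset 0xC0,
# both copied from the xxd dump in the write-up.
BLOB_HEAD = bytes.fromhex(
    "99ba9d8974632c242b2f747267636221"
    "743b66629db274306663636875726763"
)
BLOB_C0 = bytes.fromhex("6662626974736566676f737b6f686262")

# Assumed plaintext: JPEG SOI, APP0 marker, segment length 16, "JFIF\0".
JFIF_MAGIC = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


def xor(data, key, offset=0):
    """XOR data with a repeating key; offset is data's position in the file."""
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(data))


def shortest_period(stream):
    """Smallest p such that stream[i] == stream[i + p] for every valid i."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def recover_key(cipher, known):
    """Derive the key from ciphertext whose leading bytes are `known`.

    The guess is only confirmed when `known` is longer than the key, so
    that at least one key byte is seen twice.
    """
    stream = xor(cipher[:len(known)], known)  # cipher ^ plain = keystream
    return stream[:shortest_period(stream)]


if __name__ == "__main__":
    key = recover_key(BLOB_HEAD, JFIF_MAGIC)
    print("key:", key)
    print("header:", xor(BLOB_HEAD, key).hex(" "))
    # The plaintext at 0xC0 starts with NULL bytes, so the ciphertext
    # there shows the key itself.
    print("0xC0:", xor(BLOB_C0, key, 0xC0).hex(" "))
```

Decrypting the first 32 bytes with the recovered key also exposes the FF DB quantization-table marker at offset 0x14, a quick sanity check that the key and its alignment are right before decrypting the whole file.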

