picoCTF 2022 bloat.py writeup

Hello friends, picoCTF 2022 concluded a month ago and it was a lot of fun, picoCTF is a CTF that mainly targets beginner who are learning about CTFs.

Enough talking let’s get into the challenge

Challenge

  • The challenge I’ll be talking about today is in the Reverse Engineering category.
The challenge
  • So we basically we have the python program which is in it’s source code and a flag which is encrypted.
  • Let’s open up the python file and look at it

File analysis

Source code
  • The file is obfuscated in a way that it makes it hard for us to read. It also makes AV unable to detect certain strings from the file.
  • We have a long string in variable a which defines some characters for it to use.
  • For those who are not familiar with how strings work, you can use array notations to access by character.
  • Lets try to print out what function arg133 is doing for the if statement.
happychance?
  • So it’s checking whether the argument we supplied is equal to happychance. Let’s do the same for other functions.
We decoded some of the strings.
  • Let’s try renaming some of the functions so it make sense.
Deobfuscated flag
  • So first we open the encrypted flag to be read and save it to arg444.
  • Next we ask the user to input and save to arg432.
  • Now we run the check() function on arg432 which is the user input to see if it matches the string happychance.
  • If it doesn’t matches, the system will exit with code 0, if it does then print the welcomeflag() message.
  • Finally the decoder() function will decode arg444 which is the encrypted flag and save it to arg423.
  • Then the program prints out the flag.
Our flag

Conclusion

Malware most of the time are obfuscated in a way so that the analyst and AV can’t detect them straight away. De-obfuscating is a great way to understand how a program works if its obfuscated. Don’t panic when having to deal with obfuscated file since there is always a way to de-obfuscate them :)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
FarisArch

FarisArch

Student that loves FOSS and hacking