
Break In CTF Miscellaneous qn 5 writeup

This is our first international CTF for the year 2014. We gave a bad start in the beginning, but at the end, we managed to finish the game decently in the 20th position among 127 teams. I didn’t do any of the steganography challenges this time, instead I gave importance in solving challenges related to forensics. The first question which I solved is about Python byte codes. See the question below.

[Image: qn5 (the challenge question)]

Also as a hint they gave this image.

[Image: killers_fav_food]

They gave a .pyc file (click here to download) and we were asked to find the murderer’s name (which was the key). First I tried running the file, but it showed a runtime error.

h1dd3ntru7h@bi0s:~/Desktop/ctf/felicity/qn5$ python calling_card.pyc
RuntimeError: Bad magic number in .pyc file

Bad magic number appears whenever the header (the magic number in Python) of the compiled byte-code is corrupted, or when you try to run a .pyc from a different (usually later) version of Python than your interpreter. There are two solutions to rectify this runtime error:

  • Remove the .pyc file ( $ rm *.pyc ) and re-compile the actual .py file.
  • Or tinker with the magic number of the byte-code (.pyc file).

As there is no .py file, we need to focus on the magic number. Before starting to search about magic numbers, I tried compiling the .pyc file with various versions of the Python interpreter (an insane idea 😀), but all those versions (1, 2, 2.1, 2.2, 2.5, 2.7, 3, 3.1, etc.) gave the same runtime error. Before getting to the point, let me explain a few things about the magic number and why it is used. Whenever Python interprets (or executes) a .pyc file, it checks the header to determine whether the file can be executed by the Python interpreter installed on the machine. For example, if you try to run a .pyc file that belongs to Python 1.5 with a Python version > 2.5, it will produce a runtime error, a Bad magic number. So why not focus on changing the header of the given .pyc file instead of installing all the outdated Python versions to make it run without errors? For that I learned about Python’s magic number, and here is how Python magic numbers are formed!

The first two bytes of a .pyc file form the magic number. Using that, the Python interpreter recognises the file.

1. Open the .pyc file in a hex editor.

2. For example, the first two bytes of Python 2.7.3 are 03 and F3.

3. You need to convert these two hex bytes to decimal. You can either use a calculator, or the Python shell is enough to do that; form the hex string with the second byte first and then the first byte, i.e. F3 03:

>>> int('F303', 16)
62211

4. The value displayed corresponds to the magic number, i.e. the Python version.

5. Each Python version has its own magic number; for example, here are a few magic numbers:

Python 1.5:   20121  0x994e
Python 1.5.1: 20121  0x994e
Python 1.5.2: 20121  0x994e
Python 1.6:   50428  0x4cc4
Python 2.0:   50823  0x87c6
Python 2.0.1: 50823  0x87c6
Python 2.1:   60202  0x2aeb
Python 2.1.1: 60202  0x2aeb
Python 2.1.2: 60202  0x2aeb
Python 2.2:   60717  0x2ded
Python 2.3a0: 62011  0x3bf2
Python 2.3a0: 62021  0x45f2
Python 2.3a0: 62011  0x3bf2 (!)
Python 2.4a0: 62041  0x59f2
Python 2.4a3: 62051  0x63f2
Python 2.4b1: 62061  0x6df2
Python 2.5a0: 62071  0x77f2
Python 2.5a0: 62081  0x81f2 (ast-branch)
Python 2.5a0: 62091  0x8bf2 (with)
Python 2.5a0: 62092  0x8cf2 (changed WITH_CLEANUP opcode)
Python 2.5b3: 62101  0x95f2 (fix wrong code: for x, in ...)
Python 2.5b3: 62111  0x9ff2 (fix wrong code: x += yield)
Python 2.5c1: 62121  0xa9f2 (fix wrong lnotab with for loops and storing constants that should have been removed)
Python 2.5c2: 62131  0xb3f2 (fix wrong code: for x, in ... in listcomp/genexp)
Python 2.6a0: 62151  0xc7f2 (peephole optimizations and STORE_MAP opcode)
Python 2.6a1: 62161  0xd1f2 (WITH_CLEANUP optimization)
Python 2.7a0: 62171  0xdbf2 (optimize list comprehensions/change LIST_APPEND)
Python 2.7a0: 62181  0xe5f2 (optimize conditional branches:introduce POP_JUMP_IF_FALSE and POP_JUMP_IF_TRUE)

You can google to find out the magic numbers of other Python versions. Now, when I opened my contest file calling_card.pyc, I took the first two bytes: they were 11 and 10. I followed the same steps mentioned above to get the magic number, and the decimal was 4368. The decimal I got didn’t correspond to any Python version’s magic number; the admins had clearly changed the header. To fix it, identify your Python version (mine is Python 2.7.3, with hex values 03 and F3 as the first two bytes) and replace 11 and 10 with 03 and F3. Now the calling_card.pyc file belongs to version 2.7.3! Save and run the file.
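
Added example, not from the original writeup: a small Python 3 script that reads the first two bytes of a .pyc little-endian (the "second byte first" rule above), looks the value up in the table of magic numbers quoted above, and rewrites the magic with the running interpreter's value from importlib.util.MAGIC_NUMBER, which is what the hex-editor edit does by hand. The tampered header bytes are constructed; KNOWN_MAGICS takes its entries from the list above plus 62211 for Python 2.7, the value computed above from 03 F3.

```python
# Added example (not part of the original writeup): inspect and repair the
# magic number of a .pyc header in Python 3. The bytes below are constructed.
import struct
import importlib.util

# Magic numbers quoted in the writeup (decimal -> version), plus 62211 for
# Python 2.7, the value the writeup computes from its own bytes 03 F3.
KNOWN_MAGICS = {
    20121: "Python 1.5",
    50428: "Python 1.6",
    50823: "Python 2.0",
    60202: "Python 2.1",
    60717: "Python 2.2",
    62011: "Python 2.3a0",
    62041: "Python 2.4a0",
    62171: "Python 2.7a0",
    62211: "Python 2.7",
}

def magic_to_int(header):
    """First two bytes, little-endian: the 'second byte first' rule, so
    03 F3 is read as 0xF303 = 62211."""
    if len(header) < 4:
        raise ValueError("pyc header too short")
    return struct.unpack("<H", header[:2])[0]

def identify_pyc(header):
    """Return (magic, version name or None, header ends in CR LF)."""
    magic = magic_to_int(header)
    return magic, KNOWN_MAGICS.get(magic), header[2:4] == b"\r\n"

def local_magic():
    """Full 4-byte magic of the interpreter running this script."""
    return importlib.util.MAGIC_NUMBER

def patch_magic(data, magic_bytes=None):
    """Copy of a .pyc with its first two bytes replaced (default: this
    interpreter's magic), the same edit the writeup makes in a hex editor."""
    if magic_bytes is None:
        magic_bytes = local_magic()[:2]
    if len(magic_bytes) != 2:
        raise ValueError("a magic number is exactly two bytes")
    return bytes(magic_bytes) + b"\r\n" + data[4:]

# Constructed sample: magic overwritten with AA BB, then eight zero bytes
# standing in for the rest of the header (no real code object follows).
TAMPERED = b"\xaa\xbb\r\n" + b"\x00" * 8
```

Run against a real file, only the first four bytes change; everything after the CR LF is copied through untouched.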

h1dd3ntru7h@bi0s:~/Desktop/ctf/felicity/qn5$ python calling_card.pyc
h1dd3ntru7h@bi0s:~/Desktop/ctf/felicity/qn5$

It’s working! We are on the right track! But running the pyc didn’t show any output, so we need to recover the actual .py source by decompiling it. I used the Uncompyle2 tool to decompile the .pyc file (click here to download the tool). The decompiled code is printed to stdout. Look into the code carefully:

1. First line: they use the pickle module (matches the hint given: the pickle image).

2. Add the corresponding function calls and class objects. Now the code looks like this (Python 2, as uncompyle2 emits it):

import pickle

class Clue(object):

    def __init__(self, name, killer):
        self.name = name
        self.killer = killer

    def getKiller(self):
        # decode() prints the character list itself and returns the string
        print decode(self.killer)

def encode(s):
    # split the decimal digits of every character code into two digit strings
    a = []
    b = []
    for i in range(len(s)):
        t = ord(s[i])
        x1, x2 = divide(t)
        a.append(x1)
        b.append(x2)

    return (a, b)

def decode(s):
    # reverse of encode(): re-interleave the digit strings and chr() the result
    a, b = s
    final = []
    for i in range(len(a)):
        t1 = a[i]
        t2 = b[i]
        p = combine(t1, t2)
        x = chr(p)
        final.append(x)
    print final
    return ''.join(final)

def divide(t):
    # even-indexed digits go to the first string, odd-indexed digits to the second
    t = str(t)
    return (''.join([ t[x] for x in range(0, len(t), 2) ]), ''.join([ t[x] for x in range(1, len(t), 2) ]))

def combine(t1, t2):
    # interleave t2's digits back between t1's digits and parse the number
    p = []
    for i in t1:
        p += [i]

    for i in range(len(t2)):
        p.insert(2 * i + 1, t2[i])

    return int(''.join(p))

secret = (['9',
'9',
'11',
'12',
'11',
'9',
'14',
'11',
'13',
'1',
'9',
'14',
'11',
'9',
'11',
'10',
'15',
'16',
'14',
'17',
'9',
'16',
'11',
'14',
'1',
'12',
'4',
'1',
'4',
'9',
'9',
'9',
'19',
'9',
'15',
'10',
'9',
'9',
'1',
'6',
'18',
'17',
'11',
'1',
'12',
'4',
'1',
'9',
'9',
'9',
'9',
'17',
'15',
'18',
'16',
'15',
'10',
'9',
'9',
'1',
'11',
'9',
'16',
'11',
'9',
'16',
'1',
'12',
'5',
'1',
'7',
'16',
'12',
'5',
'1',
'8',
'12',
'5',
'1',
'4',
'10',
'12',
'5',
'1',
'8',
'3',
'17',
'15',
'18',
'18',
'11',
'14',
'3',
'1',
'12',
'5',
'1',
'4',
'4',
'18',
'12',
'5',
'1',
'8',
'3',
'5',
'3',
'1',
'12',
'5',
'1',
'9',
'8',
'3',
'4',
'4',
'3',
'1',
'12',
'5',
'1',
'9',
'8',
'3',
'4',
'5',
'3',
'1',
'12',
'4',
'4',
'1',
'9',
'8',
'3',
'5',
'3',
'1',
'12',
'4',
'4',
'1',
'9',
'8',
'3',
'5',
'3',
'1',
'12',
'4',
'5',
'1',
'9',
'8',
'3',
'5',
'3',
'1',
'12',
'4',
'5',
'1',
'9',
'8',
'3',
'4',
'5',
'3',
'1',
'12',
'4',
'5',
'1',
'9',
'8',
'3',
'4',
'5',
'3',
'1',
'12',
'4',
'5',
'1',
'9',
'8',
'3',
'4',
'4',
'3',
'1',
'12',
'4',
'5',
'1',
'9',
'8',
'3',
'4',
'5',
'3',
'1',
'12',
'4',
'5',
'1',
'9',
'8',
'3',
'4',
'4',
'3',
'1',
'12',
'4',
'5',
'1',
'9',
'13',
'4',
'4',
'1',
'9',
'13',
'5',
'1',
'9',
'8',
'3',
'4',
'5',
'3',
'1',
'12',
'4',
'5',
'1',
'9',
'8',
'3',
'4',
'4',
'3',
'1',
'12',
'5',
'4',
'1',
'9',
'8',
'3',
'4',
'4',
'3',
'1',
'12',
'5',
'4',
'1',
'9',
'8',
'3',
'4',
'5',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'8',
'3',
'4',
'4',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'4',
'18',
'12',
'5',
'5',
'1',
'8',
'3',
'5',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'8',
'3',
'4',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'8',
'3',
'4',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'8',
'3',
'5',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'13',
'4',
'5',
'1',
'9',
'13',
'4',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'16',
'12',
'5',
'5',
'1',
'15',
'8',
'3',
'10',
'9',
'19',
'11',
'3',
'1',
'12',
'5',
'4',
'1',
'4',
'4',
'18',
'12',
'5',
'4',
'1',
'13',
'4',
'5',
'1',
'9',
'8',
'3',
'4',
'4',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'13',
'4',
'5',
'1',
'9',
'8',
'3',
'4',
'4',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'8',
'3',
'4',
'5',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'8',
'3',
'4',
'4',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'8',
'3',
'4',
'5',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'13',
'4',
'4',
'1',
'9',
'13',
'4',
'5',
'1',
'9',
'8',
'3',
'4',
'4',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'8',
'3',
'4',
'5',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'8',
'3',
'4',
'5',
'3',
'1',
'12',
'5',
'5',
'1',
'9',
'8',
'3',
'4',
'5',
'3',
'1',
'12',
'5',
'4',
'1',
'9',
'8',
'3',
'4',
'4',
'3',
'1',
'12',
'5',
'4',
'1',
'9',
'4',
'18',
'12',
'5',
'5',
'1',
'13',
'4',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'4',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'4',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'13',
'5',
'5',
'1',
'9',
'16',
'12',
'5',
'5',
'1',
'15',
'9',
'4'], ['9',
'9',
'1',
'1',
'2',
'5',
'1',
'0',
'0',
'0',
'5',
'1',
'0',
'9',
'1',
'1',
'1',
'1',
'1',
'1',
'9',
'1',
'1',
'1',
'0',
'1',
'8',
'0',
'0',
'9',
'5',
'5',
'0',
'7',
'0',
'1',
'5',
'5',
'0',
'7',
'0',
'1',
'0',
'0',
'1',
'9',
'0',
'9',
'5',
'5',
'8',
'1',
'0',
'0',
'1',
'0',
'1',
'5',
'5',
'0',
'1',
'8',
'0',
'0',
'9',
'1',
'0',
'1',
'0',
'0',
'8',
'1',
'1',
'1',
'0',
'2',
'1',
'2',
'0',
'0',
'0',
'1',
'3',
'0',
'3',
'9',
'0',
'0',
'0',
'0',
'0',
'1',
'9',
'0',
'1',
'4',
'0',
'0',
'0',
'0',
'1',
'5',
'0',
'3',
'9',
'6',
'9',
'0',
'1',
'6',
'0',
'7',
'3',
'9',
'9',
'9',
'9',
'0',
'1',
'7',
'0',
'7',
'3',
'9',
'9',
'7',
'9',
'0',
'1',
'9',
'8',
'0',
'7',
'3',
'9',
'1',
'9',
'0',
'1',
'9',
'9',
'0',
'7',
'3',
'9',
'5',
'9',
'0',
'1',
'9',
'0',
'0',
'7',
'3',
'9',
'7',
'9',
'0',
'1',
'9',
'1',
'0',
'7',
'3',
'9',
'9',
'2',
'9',
'0',
'1',
'9',
'2',
'0',
'7',
'3',
'9',
'9',
'6',
'9',
'0',
'1',
'9',
'3',
'0',
'7',
'3',
'9',
'9',
'9',
'9',
'0',
'1',
'9',
'4',
'0',
'7',
'3',
'9',
'9',
'6',
'9',
'0',
'1',
'9',
'5',
'0',
'7',
'3',
'9',
'9',
'9',
'9',
'0',
'1',
'9',
'6',
'0',
'7',
'0',
'9',
'9',
'0',
'7',
'0',
'6',
'0',
'7',
'3',
'9',
'9',
'3',
'9',
'0',
'1',
'9',
'7',
'0',
'7',
'3',
'9',
'9',
'8',
'9',
'0',
'1',
'0',
'8',
'0',
'7',
'3',
'9',
'9',
'8',
'9',
'0',
'1',
'0',
'9',
'0',
'7',
'3',
'9',
'9',
'6',
'9',
'0',
'1',
'0',
'0',
'0',
'7',
'3',
'9',
'9',
'9',
'9',
'0',
'1',
'0',
'1',
'0',
'7',
'0',
'0',
'1',
'0',
'2',
'0',
'3',
'9',
'2',
'9',
'0',
'1',
'0',
'3',
'0',
'7',
'3',
'9',
'9',
'9',
'0',
'1',
'0',
'4',
'0',
'7',
'3',
'9',
'8',
'9',
'0',
'1',
'0',
'5',
'0',
'7',
'3',
'9',
'0',
'9',
'0',
'1',
'0',
'6',
'0',
'7',
'0',
'9',
'0',
'0',
'7',
'0',
'9',
'0',
'0',
'7',
'0',
'0',
'4',
'0',
'7',
'0',
'0',
'4',
'0',
'7',
'0',
'0',
'4',
'0',
'7',
'0',
'0',
'5',
'0',
'7',
'0',
'0',
'4',
'0',
'7',
'0',
'0',
'6',
'0',
'7',
'0',
'0',
'6',
'0',
'7',
'0',
'0',
'5',
'0',
'7',
'0',
'0',
'5',
'0',
'7',
'0',
'0',
'5',
'0',
'7',
'0',
'0',
'5',
'0',
'7',
'0',
'0',
'5',
'0',
'7',
'1',
'1',
'0',
'7',
'0',
'1',
'3',
'9',
'1',
'7',
'0',
'0',
'9',
'0',
'1',
'1',
'8',
'0',
'0',
'0',
'0',
'1',
'1',
'9',
'0',
'0',
'9',
'0',
'0',
'7',
'3',
'9',
'9',
'9',
'9',
'0',
'1',
'1',
'0',
'0',
'7',
'0',
'9',
'1',
'0',
'7',
'3',
'9',
'9',
'8',
'9',
'0',
'1',
'1',
'1',
'0',
'7',
'3',
'9',
'9',
'3',
'9',
'0',
'1',
'1',
'2',
'0',
'7',
'3',
'9',
'9',
'8',
'9',
'0',
'1',
'1',
'3',
'0',
'7',
'3',
'9',
'9',
'1',
'9',
'0',
'1',
'1',
'4',
'0',
'7',
'0',
'9',
'9',
'0',
'7',
'0',
'9',
'0',
'0',
'7',
'3',
'9',
'9',
'9',
'9',
'0',
'1',
'1',
'5',
'0',
'7',
'3',
'9',
'9',
'2',
'9',
'0',
'1',
'1',
'6',
'0',
'7',
'3',
'9',
'9',
'4',
'9',
'0',
'1',
'1',
'7',
'0',
'7',
'3',
'9',
'9',
'6',
'9',
'0',
'1',
'2',
'8',
'0',
'7',
'3',
'9',
'9',
'9',
'9',
'0',
'1',
'2',
'9',
'0',
'7',
'0',
'0',
'1',
'2',
'0',
'0',
'0',
'9',
'0',
'0',
'7',
'0',
'0',
'4',
'0',
'7',
'0',
'9',
'0',
'0',
'7',
'0',
'0',
'4',
'0',
'7',
'0',
'0',
'5',
'0',
'7',
'0',
'0',
'4',
'0',
'7',
'0',
'0',
'5',
'0',
'7',
'0',
'0',
'6',
'0',
'7',
'0',
'9',
'0',
'0',
'7',
'0',
'0',
'6',
'0',
'7',
'0',
'0',
'4',
'0',
'7',
'0',
'0',
'4',
'0',
'7',
'0',
'0',
'5',
'0',
'7',
'0',
'0',
'5',
'0',
'7',
'1',
'1',
'2',
'1',
'0',
'1',
'8',
'6'])

def touchFile():
    # the decoded secret is a pickled Clue; the decompiled code writes it to '.clue'
    with open('.clue', 'w') as f:
        f.write(decode(secret))

touchFile()
f = open('.clue', 'r').read()   # read back the same file touchFile() wrote
flag = pickle.loads(f)          # pickle.loads() executes whatever the pickle tells it to; treat the blob as untrusted input

flag.getKiller()   # prints the decoded character list, then the killer's name

Running the file gives the killer’s name:

h1dd3ntru7h@bi0s:~/Desktop/ctf/felicity/qn5$ python sol.py
['T', 'o', 'm', ' ', 'M', 'a', 'r', 'v', 'o', 'l', 'o', ' ', 'R', 'i', 'd', 'd', 'l', 'e']
Tom Marvolo Riddle

Now the md5sum of the killer’s name will be the flag:

h1dd3ntru7h@bi0s:~/Desktop/ctf/felicity/qn5$ echo -n "Tom Marvolo Riddle" | md5sum
6d41f9485dd1f51d27ad0ca75fb1af26  -

Yippee! Congratulations, team bi0s is awarded 300 pts. 😀

  1. Balty Houssem
    February 26, 2015 at 8:45 pm

    Hey! I have the same task but I can’t find the flag, would you help me?

  2. March 2, 2015 at 3:55 am

    Hello! You should be changing the magic number before running the script!

  3. Balty
    March 2, 2015 at 7:19 pm

    I have tried but it either says “Bad Object” or “Wrong Magic Number”.

  4. moduqa2nd
    February 23, 2017 at 5:42 am

    You are awesome, like your writing style too!
