English [Sharif University CTF 2016] [Misc 50 – Asian Cheetah] Write Up

Description

We have hidden a message in png file using jar file. Flag is hidden message. Flag is in this format:
SharifCTF{flag}

We have an archive containing:
– png image
– a jar

Resolution

We take the jar and decompile it using http://www.javadecompilers.com/
We have a java class that allows us to hide a text message into an image, so, let’s try to reverse the process to directly get the flag.
The message is hidden bit by bit in the LSB of the image and here is the reversed code allowing us to get the flag:

protected BufferedImage steg(String string, BufferedImage bufferedImage) {
    if ((string = "" + string.length() + ":" + string).length() * 8 > bufferedImage.getWidth() * bufferedImage.getHeight()) {
        System.out.println("There won't be enough space to store this message!");
        System.out.println("Message length: " + string.length() + " bytes. " + "Image can hold a maximum of " + bufferedImage.getWidth() * bufferedImage.getHeight() / 8);
        throw new RuntimeException("There won't be enough space to store this message!");
    }
    Point point = new Point(0, 0);
    for (int z = 0; z < 100; z++)
    {
    	int tmp = 0;
        for (int i = 0; i < 8; ++i)
        {
        	if (isLeastSignificantBitSet(bufferedImage.getRGB(point.x, point.y)) == true)
        	{
        		tmp += 1;
        	}
            this.movePointer(point, bufferedImage);
            tmp <<= 1;
        }
        tmp >>= 1;
        System.out.print((char)tmp);
    }
    return bufferedImage;
}

protected boolean isLeastSignificantBitSet(int n)
{
    if ((n & 1) == 1)
    	return true;
    return false;
}

And the flag is: SharifCTF{e8e12db2fc654f3b50f3da4901ab986e}

Leave a Reply

Your email address will not be published.