Sunday, September 21, 2014

CSAW'14 - 'weissman' writeup

This was a reversing task for 300 points. The task description was simply "Extract the key!". Let's look at the weissman.csawlz file that they provided.

This appears to be a custom file format that uses some form of LZ compression at its core. After some tinkering we managed to figure out the main structure of the file. The "3" means that there are 3 files in the archive. "AAee" is the magic in the header of each file entry.

The compressed files contain a bunch of blocks, with a special "flag" byte in front of each. The LSB of these bytes tells us whether the block is compressed. The rest of the flag is the size of the following block. If the block is compressed, 2 bytes follow, that somehow point to another block that was uncompressed. We did not figure out what (possibly) hashing algorithm was used to point to previous blocks, but it turns out that we don't need it at all.

The hint said that we need to extract key.jpg. However, compressing a jpg file (with this algorithm) makes no sense. Compared to the 500 compressed blocks in the first file, which is an HTML document, the jpg only had about 50. Here we took a leap of faith and just replaced those blocks with the appropriate number of zeroes. Here is the result:

After a fair amount of squinting, we could read the flag. Here it is after some reparations in paint:

And suddenly the whole "Weissman" thing makes sense.

If anyone is interested, here's the code to generate the above picture from a cropped version of the archive, containing only key.jpg's compressed form:
Thanks to RyanWithZombies for this awesome task!

1 comment: