LSE Blog

Operating systems, computer security, languages theory, and even more!

  • About us

    • Main website
    • Git repositories
    • @lse_epita

    RSS Feed

  • Categories
    • Events
    • Language
    • Reverse Engineering
    • Security
    • Tutorials
      • Parallelism
    • Writeups
      • CSAW CTF 2012 Quals
      • DEFCON2K12 Prequals
      • SecuInside2K12 Prequals
      • NDH2K12 Prequals
      • Hack.lu CTF 2012
      • NDH2K13 Quals
      • PlaidCTF 2012
  • Authors
    • Gabriel Laskar
    • Bruno Pujos
    • Remi Audebert
    • Pierre Bourdon
    • Franck Michea
    • Ivan Delalande
    • Clement Rouault
    • Samuel Chevet
    • Nicolas Hureau
    • Marwan Burelle
    • Pierre-Marie de Rodat

  • PlaidCTF 2012 "stego" writeup

    Written by Pierre-Marie de Rodat
    May 02, 2012 at 03:47

    1
2
3
4
5
    We are a little unsure what the robots fascination with Star Trek is but it
would seem from the amount of accesses this image has been getting that it
holds something interesting for them. Can you figure out what it is?

http://i.imgur.com/MjYUJ.gif

    stego is an animated image (GIF) made from a Star Trek sequence. The first task was to learn more about the GIF format. I used the spec itself. The main things to know are:

    • Images are represented as an array of palette-based pixels;
    • There is one global color palette and image frames can embed their own local palette;
    • A GIF file contains a “stream” of sections: image frames, metadata sections, etc.

    The first try was to decode completely the given file in order to check the sections against unusual metadata blocks (to maybe find embedded information) or hidden frames, but everything was just usual.

    Then, I took a closer look to the palettes: no image frame had a local palette, so I just looked at the global palette, and I found something surprising: many palette entries had the same color! The consequence was that in some image frames, one could see an uniform area instead of different colors, hidding shapes in the same way the Ishihara test would for color deficient people.

    To reveal these shapes, I replaced the whole palette using random colors in order to remove color “aliasing”. With an image editor, I could then see that the first frame displayed “You’re on the right track but you have to go deeper”. Meh.

    Not deep enough frame

    As a next try, I still looked at palette-related issues (the given hint was “Palette” after all!): are some palette colors over-used, or under-used? Nothing raised from this search, and after some time, someone from the team asked me “have you tried to xor all image frames together?”. Damn, I had not, but could it be so simple… and so palette-unrelated?

    Using a simple Python script, I tried to xor palette indexes for each image frames and it gave me the previous text, plus Key: st3g0_is_s0_ann0y1ng.

    Xored frames

    Tweet
    Permalink & comments
    blog comments powered by Disqus

© LSE 2012 — Main website — RSS Feed