picoCTF Reverse Engineering Guide

here's how to solve Transformation

Back to the Reverse Engineering Guides

Transformation

Name: Transformation
Description: I wonder what this really is... enc ''.join([chr((ord(flag[i]) << 8) + ord(flag[i + 1])) for i in range(0, len(flag), 2)])
Author: madStacks
Tags: Easy, Reverse Engineering, picoCTF 2021
Challenge from: picoCTF 2021
Files: enc
Hints:
1. You may find some decoders online

Theory

According to the description, to get the flag we have to reverse engineer some python code to decode the enc file. But here's the catch, the code we're given is kind of a one way encryption, technically we could decrypt it but because it's adding the decimal values of every two characters, while the first one has a left shift of 8, it can really be any combination of two letters, and to decode it, we would have to brute force it, and that'll be hard. So instead, read the hint, "decoders online" huh? Yup that's right, the best decoder ever CyberChef. We can put as an input the enc file we're given, and for the recipe, we can just use the Magic block. This block, basically it looks at what type of data it might be. Then we're gonna click on the Intensive Mode option, that literally just goes through every decryption method in CyberChef and rates them from 0 to 5 on how probable it might be that it's the correct method. Also that depth thing, we might not need it, because the code is a couple of basic operations, that doesn't really need to be iterated more than once, but let's just keep it at the default three just in case. So we'll put the Magic block with the intensive mode like this:

Solution

Now that we have the Magic block prepared, let's upload the file and look for something that looks like a flag, and there it is:

Huh, it was UTF-16 instead of 8, yeah that's what the flag says, pretty cool right? So when you don't know what kind of encryption you are working with, that Magic block is a great tool for finding what it exactly is. And so, the flag is:

picoCTF{16_bits_inst34d_of_8_75d4898b}

There we go! That's the flag.

I rated this level as "not good"! :(

https://play.picoctf.org/practice/challenge/104

Explore My Website