Description
Second encoded investigation. More complex encoding than part 1.
Setup
Download the binary and encoded data file.
```bash
wget <url>/mystery
wget <url>/encodedData
chmod +x mystery
```
Solution
Walk me through it
- Step 1: Analyze the differences from part 1
This challenge uses a more complex encoding. Run the binary and compare its behavior to part 1. Look for multi-byte operations, multiple passes, or a more complex key schedule.
```bash
./mystery encodedData
```
```bash
strings mystery
```
```bash
ghidra mystery &
```
Learn more
More complex encodings may apply multiple transformations in sequence: first XOR, then shift, then substitute - or the encoding may be position-dependent (the key changes based on the current position in the file). Identifying the sequence of operations is the key challenge.
- Step 2: Decompile the binary
Use Ghidra to fully decompile the encoding function. Trace through each operation on the data bytes. Pay attention to any loop variables or counters that modify the transformation.
```bash
ghidra mystery &
```
Learn more
In Ghidra, the Data Type Manager lets you define structures that match how the program interprets its data. This can make the decompilation output much more readable when the code processes structured binary data.
- Step 3: Write the inverse decoder
Implement the inverse of each encoding operation in reverse order. Apply it to encodedData to recover the flag.
```bash
python3 << 'EOF'
with open('encodedData', 'rb') as f:
    data = bytearray(f.read())

# Apply inverse operations in reverse order
# (fill in from Ghidra analysis)
for i in range(len(data)):
    data[i] ^= (i & 0xFF)  # example: position-dependent XOR

print(bytes(data).decode('ascii', errors='replace'))
EOF
```
Learn more
When reversing a multi-step encoding, always reverse the steps in opposite order: if the encoding does A then B, the decoding must do inverse(B) then inverse(A). Forgetting to reverse the order is a common mistake.
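The following is an added example, not code from the challenge or from this walkthrough, that makes the reverse-order rule concrete for both the multi-step encodings described under Step 1 and the decoder under Step 3. It invents a hypothetical three-step, position-dependent encoding (XOR with a key byte and the position, a position-dependent rotate, then a byte substitution), builds the correct decoder by undoing C, then B, then A, and puts it next to the common mistake of undoing A, B, C. The steps, S-box and key are constructed placeholders; the real operations of `mystery` have to be read out of the Ghidra decompilation.

```python
# Added example, not part of the challenge or the walkthrough: a hypothetical
# three-step, position-dependent encoding (XOR, rotate, substitute) and its
# inverse, showing why a decoder must undo the steps in reverse order.
# The steps and key are constructed placeholders; the real `mystery` binary's
# operations must be taken from the Ghidra decompilation.

# Step C table: constructed byte substitution. 7 is odd, so x -> 7x+3 mod 256
# is a bijection on bytes and has an exact inverse table.
SBOX = bytes(((i * 7) + 3) & 0xFF for i in range(256))
INV_SBOX = bytearray(256)
for plain, sub in enumerate(SBOX):
    INV_SBOX[sub] = plain


def rotl8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (n in 1..7)."""
    return ((b << n) | (b >> (8 - n))) & 0xFF


def rotr8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (n in 1..7)."""
    return ((b >> n) | (b << (8 - n))) & 0xFF


def encode(data: bytes, key: bytes) -> bytes:
    """Encoding order: A (position-dependent XOR), then B (rotate), then C (S-box)."""
    out = bytearray(data)
    for i in range(len(out)):
        out[i] ^= key[i % len(key)] ^ (i & 0xFF)   # A: key byte mixed with position
        out[i] = rotl8(out[i], (i % 7) + 1)         # B: rotate amount depends on position
        out[i] = SBOX[out[i]]                       # C: substitution
    return bytes(out)


def decode(data: bytes, key: bytes) -> bytes:
    """Correct decoder: inverse(C), then inverse(B), then inverse(A)."""
    out = bytearray(data)
    for i in range(len(out)):
        out[i] = INV_SBOX[out[i]]                   # inverse(C)
        out[i] = rotr8(out[i], (i % 7) + 1)         # inverse(B)
        out[i] ^= key[i % len(key)] ^ (i & 0xFF)    # inverse(A)
    return bytes(out)


def decode_wrong_order(data: bytes, key: bytes) -> bytes:
    """The common mistake: inverses applied in the encoding order A, B, C."""
    out = bytearray(data)
    for i in range(len(out)):
        out[i] ^= key[i % len(key)] ^ (i & 0xFF)    # inverse(A) first: wrong
        out[i] = rotr8(out[i], (i % 7) + 1)         # inverse(B)
        out[i] = INV_SBOX[out[i]]                   # inverse(C) last: wrong
    return bytes(out)


def roundtrip_ok(plaintext: bytes, key: bytes) -> bool:
    """True when decode(encode(x)) == x and the wrong-order decoder does not recover x."""
    enc = encode(plaintext, key)
    return decode(enc, key) == plaintext and decode_wrong_order(enc, key) != plaintext


if __name__ == "__main__":
    # Constructed sample flag and key; not the challenge's real data.
    sample = b"picoCTF{constructed_example}"
    sample_key = b"k3y"
    print("roundtrip ok:", roundtrip_ok(sample, sample_key))
    print("wrong order gives:", decode_wrong_order(encode(sample, sample_key), sample_key))
```

When the real steps are recovered from Ghidra, each of `encode`'s three lines is replaced by the operation observed in the binary and each line of `decode` by its exact inverse, keeping the loop variable `i` in the inverse so that position-dependent key material is recomputed the same way the encoder computed it.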
Flag
picoCTF{...}
Decompile the binary to find the encoding sequence, then apply each inverse operation in reverse order to decode the flag.