Insomni'hack teaser 2022 – DrJeb

by 123Soleil

Dr. Jeb was able to analyze the virus in depth. He believes in the power of open source, so his disassembler is publicly available here.

It's time to check his research with practice.

The provided GitHub repository explains how to use the Virus Disassembler: you pass it an image of the virus as the only argument:

python3 VirusDisassembler.py virus.png

import numpy as np
from PIL import Image
import sys
# Very important
from doctorsecret.const import SECRET

def Dissasemble(img_path):

    img = Image.open(img_path, 'r')
    # Flat array of pixels, one row of channel values (R, G, B[, A]) per pixel
    data = np.array(list(img.getdata()))
    # Keep only every SECRET-th pixel: the hidden bits were spread with this stride
    data = data[::SECRET,:]
    tot_pixels = data.shape[0]

    # Collect the least-significant bit of the blue channel of each sampled pixel
    tmp_bits = ""
    for p in range(tot_pixels):
        tmp_bits += (bin(data[p][2])[-1])
    # Group the bit string into 8-bit chunks, one per character
    tmp_bits = [tmp_bits[i:i+8] for i in range(0, len(tmp_bits), 8)]

    # Interpret each chunk as an ASCII code
    message = ""
    for i in range(len(tmp_bits)):
        newchar = chr(int(tmp_bits[i], 2))
        message += newchar
    return message


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Example: python3 VirusDisassembler.py <image_path>")
    else:
        print(Dissasemble(sys.argv[1]))

Running the script on the image gives unreadable output, which means the stride the installed package supplies does not line up with the pixels that actually carry the hidden bits:

D:\CTF\Insomni>python VirusDisassembler.py virus.png
JÈu)¯$涶:f↨c¨³”#[}¥ôöq▬$Ä↓;▲¥ä­€’zù∟1l?ÌÌ1☻Ä(=\£¨k õà\¹É®ÐZ#ÄÉ♂4¤ˆ‡
 àêgM™ÓQ¡T§½1X'Š5V'♂P☻^‰{↑♂]H¾‡œÒžÂæό_—»à↑I@¨g2$ÜP↔ÒÐW)X♥*dÑ↕§LÀr†@Ê▲ƒÔ[♂)°oö¼ØãáM·g^xœQ=SLÁä»øÁG§¥▲ÄÚÓþ?빋♂–:J‰y
5 ©|›²£x´>g⌂k=>¤ò®?ШõY&Áð÷Š{™üµÔÉ▬8¥)àñ▲#DX‡ˆ >I)Ü$Côõz©ïbè‹Ù‹#♦›Ÿ‘‹r$ñv•“ÞÛ☺)¤ªG☻♫l♣¤J“šoÆÇ´:Çҕwïûœv“Ϙ∟‰)^¯€x§►6&%Æ↓ÞG­­ ~ŠŠXµ↑b†ã‡˜Ì^8↨ÿPÍ L‰‘±’xè8í♠ô(0`n►ùd§zGÐ k²¿@/×·l_M(þóìY”˜„SÆß=º♂nt|¡9”tø{¥:˸`Zú휈=P„iwiø÷ñ½R¥ê´♦ø•»¯Èr*CsՄÔ♥bøùÿd¸☻Ñ7ÕÌ摱
♥←♦
ëÛæÏ|j}•«∟«|28èè)Á0Aò­Ð∟dú3’cJ³fdÝ♫´#æþ▬¼þÆNù%(í£œ¶¢hubúƒ▬›°Ì⌂gàÙÊ;Å,1ï☺♦H»·2ç¡¥ìññ±¶Ô/·Ù]☻U4)‹6 a=—Âvò♂˜ç‡¬’—¼§▬ ­♣9u`©←¶)ó↨J·↔☺ª   C£¡↓b♫çl
¸0
qÊۛë2`©q¡gNíÜ4æŸÐî[↑L⌂-$P‼)¤À↓▼Ó▲!¸vGYÊÕ=¡LŸ}² ͯŠË↑(↓œô–§Å~hÁ ‰È%Æ#!PÌ+÷ÓG/¡Áó÷Fm%k²♦°õ§eùŸá▼µTÈÇ:;ão<e♦­Æˆo0Çßö;oãcÙ¬¼'À÷Ö«pi­æëý⌂í×~¿÷ì?G‘tî%Â<·¨Ô~[íì▼£ÿ²^Nï¹o¬±–zäÞ▼·ð?ÿâûŸßðôûUK©U'´_¯ vžÃÞ~ÏÑõ>‡Âò▼‼àÿ_ëü⌂çìŸ♠óý?ôò¿÷Êñ\ºÅZëEH-'„ñž“|_Ãñ~/)ð?7âðÜ
Qæ,e˜·†ÐŽ’’JIXI l%EºÕN³]HQã?gÌý↔#ö⌂¹Ç=çØó¿GνÛ#åè[£pnŒ♠
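To make clear what the disassembler reverses, here is an added example (written for this writeup, not code from the challenge repository) that hides a message in the blue-channel LSB of every STRIDE-th pixel of a constructed in-memory image and then recovers it exactly the way Dissasemble() does. STRIDE is an assumed stand-in for SECRET, the cover pixels and the flag text are constructed, and the decoder is also run with a wrong stride to reproduce the kind of noise shown above.

```python
# Added example, not part of the challenge's VirusDisassembler.py.
# Pure Python: the "image" is a flat list of (R, G, B) tuples, so neither
# PIL nor numpy is needed to run it.

STRIDE = 7  # assumed stand-in for the SECRET value the doctorsecret package provides


def make_cover(width, height, seed=1234):
    """Build a deterministic pseudo-random RGB cover image as a flat pixel list (constructed data)."""
    pixels = []
    x = seed
    for _ in range(width * height):
        rgb = []
        for _ in range(3):
            x = (1103515245 * x + 12345) & 0x7FFFFFFF  # simple LCG, good enough for sample pixels
            rgb.append((x >> 16) & 0xFF)
        pixels.append(tuple(rgb))
    return pixels


def embed(pixels, message, stride):
    """Write each bit of message (MSB first per byte) into the blue LSB of every stride-th pixel."""
    bits = [(byte >> (7 - i)) & 1 for byte in message.encode() for i in range(8)]
    capacity = (len(pixels) + stride - 1) // stride  # number of pixels reached by pixels[::stride]
    if len(bits) > capacity:
        raise ValueError("cover too small for message at this stride")
    out = list(pixels)
    for n, bit in enumerate(bits):
        r, g, b = out[n * stride]
        out[n * stride] = (r, g, (b & 0xFE) | bit)  # clear the LSB, then set it to the payload bit
    return out


def extract(pixels, stride, nbytes=None):
    """Mirror of Dissasemble(): blue LSB of every stride-th pixel, packed 8 bits per character."""
    sampled = pixels[::stride]
    if nbytes is not None:
        sampled = sampled[: nbytes * 8]
    bits = "".join(str(p[2] & 1) for p in sampled)
    # Unlike the original, a trailing partial byte is dropped rather than decoded.
    chunks = [bits[i:i + 8] for i in range(0, len(bits) - len(bits) % 8, 8)]
    return "".join(chr(int(c, 2)) for c in chunks)


def printable_ratio(text):
    """Fraction of characters that are printable ASCII; readable output scores 1.0."""
    if not text:
        return 0.0
    return sum(32 <= ord(c) < 127 for c in text) / len(text)


def demo():
    """Embed a constructed flag, then decode with the right and with a wrong stride."""
    cover = make_cover(64, 64)           # 4096 pixels, 586 of them reachable at STRIDE 7
    secret = "INS{constructed_flag}"     # constructed placeholder, not the challenge flag
    stego = embed(cover, secret, STRIDE)
    right = extract(stego, STRIDE, nbytes=len(secret))
    wrong = extract(stego, STRIDE + 1, nbytes=len(secret))
    return right, wrong


if __name__ == "__main__":
    right, wrong = demo()
    print("correct stride :", repr(right), "printable ratio", printable_ratio(right))
    print("wrong stride   :", repr(wrong), "printable ratio", printable_ratio(wrong))
```

The stride acts as the shared secret: with the right value the sampled pixels are exactly the ones that carry payload bits, while any other value interleaves untouched cover LSBs with payload bits, and the resulting bytes look like the random high-bit characters in the output above. The printable ratio is the quick sanity check for telling the two cases apart.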

The requirements.txt pulls in the doctorsecret package from a separate repository, pinned to a specific commit:

numpy
# My years of research are contained in this doctorsecret package
git+https://github.com/doctor-jebaited/secret1234.git@f464e6774efe95ff3fc0fdf7464659240cfff09f

Browsing https://github.com/doctor-jebaited/secret1234/blob/master/doctorsecret/ on the master branch shows a const.py:

SECRET = 133

def GetSecret():
    return SECRET

Replacing SECRET with 133 in the script and running it again yields the flag:

import numpy as np
from PIL import Image
import sys
# The package constant is no longer needed: the stride is hard-coded to 133 below
# from doctorsecret.const import SECRET

def Dissasemble(img_path):

    img = Image.open(img_path, 'r')
    # Flat array of pixels, one row of channel values per pixel
    data = np.array(list(img.getdata()))
    # Keep only every 133rd pixel, the stride taken from master's const.py
    data = data[::133,:]
    tot_pixels = data.shape[0]

    # Collect the least-significant bit of the blue channel of each sampled pixel
    tmp_bits = ""
    for p in range(tot_pixels):
        tmp_bits += (bin(data[p][2])[-1])
    # Group the bit string into 8-bit chunks, one per character
    tmp_bits = [tmp_bits[i:i+8] for i in range(0, len(tmp_bits), 8)]

    # Interpret each chunk as an ASCII code
    message = ""
    for i in range(len(tmp_bits)):
        newchar = chr(int(tmp_bits[i], 2))
        message += newchar
    return message


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Example: python3 VirusDisassembler.py <image_path>")
    else:
        print(Dissasemble(sys.argv[1]))

D:\CTF\Insomni>python VirusDisassembler.py virus.png
ATAATGATAATCGATGTTTATGCGCCTGCGGATCATAACTAAAATAAATTCTCAAAAGTACAACGGGTTTCGCGGCGAAGGATTACACACACGGATGGTGGCCGAGCGGTTTATAGTTATTTTCCCATCGGGGATACGTCCGAAATTCATCACTGAGGGGAGTCTCTCAGTCCACCGGACGTCAAGATCGCAGGTGGCTCAGACTACGAGGGTGTCGTTCATGGGTGGAGCCTGTTCGTCTGACCTTAGGCTGTGACTCAGCAAGACATGGTCTCGAGTTCGTCGTTCAGTAGGCGAGGGGCINS{W3LCOME_2o22_1NS0_B3_Car3fuL}GGAAAGTAAGACGTCAGTGTCCTTCTGCTTAGCTCCTAAGGTATGCCGTCTGTTAGTATGTTGCAGAGACTGACTCCGAGAACATCACGATATTCTTGACTATGCGAAAGTGAAGCGACACCTCGGATGGATTCCAGGACTCCGTATTTCCACGTGAAGACCATTGAGAGCGGGGTTCATTGAGAGTGAGGAGGTCTCAAAACGGTGTAATTTAACGACACTGATTGATTTCCGAGCCTCTGAGTGCCAACGACTACATTTTAAGTCCCATGACATCGGACCGAAATGTACGTCCCTCCAAT