The Hacker Manifesto is an essay written in 1986 by The Mentor and published in Phrack. Viewing `hacker_manifesto.txt`, we see the beginning of The Hacker Manifesto, but after the first few words the text turns into gibberish. We also notice that letters start disappearing after they have been used (such as the `a` before `hacker` and the `a` in `hacker`). This suggests some kind of compression algorithm that references previously seen byte strings in the file.

Looking closer at the first few characters of the file, we notice that a printable byte occurs every three bytes. If the byte appears as we would expect, it is preceded by `0x0000`. When a letter is missing, the next letter is preceded by a non-zero two-byte string. Since it appears that we are looking at bytes in groups of 3, let's regroup with `xxd` to make this easier to see, using the command `xxd -g 3 -c 15 hacker_manifesto.txt|less`:
```
00000000: 000049 000020 000061 00006d 030820 ..I.. ..a..m..
0000000f: 000068 030463 00006b 000065 000072 ..h..c..k..e..r
0000001e: 00002c 080465 00006e 000074 070820 ..,..e..n..t..
0000002d: 120479 030477 00006f 07046c 000064 ..y..w..o..l..d
0000003c: 00002e 01042e 00000a 00004d 000069 ...........M..i
0000004b: 130465 0e0469 000073 240c77 131020 ..e..i..s$.w..
0000005a: 200468 0a0474 050462 130467 170873 .h..t..b..g..s
00000069: 120869 0e0820 070463 04046f 01046c ..i.. ..c..o..l
...
```
Let's start decoding this by hand before we develop a script to finish the process. If the first two bytes of a group are `0x0000`, we copy the third byte directly and move on. This results in the first few bytes:

```
4920 616d
'I am'
```
The first "missing" byte occurs at offset `0xc`: `0x030820`. If we assume that the first byte is the number of bytes to look back and the second byte is the number of bytes to copy, this doesn't work out correctly. That is because, rather than using 8 bits for the offset and 8 bits for the length, the algorithm uses a 10-bit offset and a 6-bit length. First, let's rewrite `0x0308` in little-endian binary notation (each byte written least significant bit first):

```
11000000 00010000
```

If these bits are interpreted using 10 bits for the offset and 6 bits for the length, we get:

```
1100000000 010000
```

This represents an offset of 3 and a length of 2. Copying 2 bytes from 3 bytes back and appending the third byte of the group (`0x20`) gives us:

```
4920 616d 2061 20
'I am a '
```
If we continue this process for the rest of the file, the message decompresses to the Hacker Manifesto and we see the flag towards the end.
flag{TheMentorArrested}
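The manual procedure above can be automated as follows. This is an added example, not the original author's script. It assumes every 3-byte group is a little-endian 16-bit header (low 10 bits offset, high 6 bits length) followed by one literal byte, and it rejects back-references that point before the start of the output. `SAMPLE` is the first five rows of the dump shown above, and the name `decompress` is chosen here.

```python
import struct
import sys

# First five rows of the xxd dump from the write-up (15 bytes per row).
SAMPLE = bytes.fromhex("""
    000049 000020 000061 00006d 030820
    000068 030463 00006b 000065 000072
    00002c 080465 00006e 000074 070820
    120479 030477 00006f 07046c 000064
    00002e 01042e 00000a 00004d 000069
""")


def decompress(data: bytes) -> bytes:
    """Decode the 3-byte-group format: 2-byte back-reference + 1 literal."""
    if len(data) % 3:
        raise ValueError("input is not a whole number of 3-byte groups")
    out = bytearray()
    for pos in range(0, len(data), 3):
        # Header is read as a little-endian 16-bit value: 0x03 0x08 -> 0x0803.
        header, literal = struct.unpack_from("<HB", data, pos)
        offset = header & 0x3FF   # low 10 bits: distance to look back
        length = header >> 10     # high 6 bits: number of bytes to copy
        if length:
            if offset == 0 or offset > len(out):
                raise ValueError(
                    f"group at {pos:#x}: offset {offset} outside "
                    f"{len(out)} bytes of output")
            # Copy one byte at a time so a reference may overlap the bytes
            # it is producing (offset < length), as in ordinary LZ77.
            for _ in range(length):
                out.append(out[-offset])
        out.append(literal)
    return bytes(out)


if __name__ == "__main__":
    # With a file argument, decode that file; otherwise decode SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    sys.stdout.buffer.write(decompress(blob))
```

The bounds check matters when the same decoder is pointed at untrusted input: without it, a crafted offset would either raise an unhandled `IndexError` or, in a language without bounds checking, read outside the output buffer.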