----------------
[Forensics] Dump - 50 points
----------------

> English:

> We know this dump was generated by a process which was executing as root in the computer, and that it was reading directly from a /dev device. Probably it is part of a keylogger module included in a rootkit which is being tested by the Club. Help us to unveil this message, allowing us to discover why they infected this specific machine.

> Submit the flag in the format: CTF-BR{message}

In this task we were given a `dump` file. Looking at it in a hex editor, we quickly notice that the content almost repeats every
24 bytes:
```
$ hexdump -C dump | head
00000000 79 8e 8a 56 00 00 00 00 d0 59 0a 00 00 00 00 00 |y..V.....Y......|
00000010 04 00 04 00 28 00 07 00 79 8e 8a 56 00 00 00 00 |....(...y..V....|
00000020 d0 59 0a 00 00 00 00 00 01 00 1c 00 00 00 00 00 |.Y..............|
00000030 79 8e 8a 56 00 00 00 00 d0 59 0a 00 00 00 00 00 |y..V.....Y......|
00000040 00 00 00 00 00 00 00 00 7b 8e 8a 56 00 00 00 00 |........{..V....|
00000050 7f b7 0a 00 00 00 00 00 04 00 04 00 e1 00 07 00 |................|
00000060 7b 8e 8a 56 00 00 00 00 7f b7 0a 00 00 00 00 00 |{..V............|
00000070 01 00 2a 00 01 00 00 00 7b 8e 8a 56 00 00 00 00 |..*.....{..V....|
00000080 7f b7 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 7b 8e 8a 56 00 00 00 00 82 2e 0c 00 00 00 00 00 |{..V............|
```
The task description mentioned `/dev`. Searching for how Linux exposes keyboard input, we found the following structure:
```c
struct input_event {
    struct timeval time;   /* when the event happened (seconds + microseconds) */
    unsigned short type;   /* event class, e.g. EV_KEY */
    unsigned short code;   /* for EV_KEY: the keycode */
    unsigned int value;    /* for EV_KEY: pressed / released */
};
```
It fits our data: `timeval` increases monotonically from record to record, and on a 64-bit system the structure is 24 bytes (16 for `timeval`, then 2 + 2 + 4).
We found that `value` is 1 when a key is pressed and 0 when it is released, the `type` of interest to us was `EV_KEY` (1), and
`code` is the keycode. The `keys.h` file from the Linux source contains all keycode definitions. We copied the relevant part of
it and wrote a Python script to parse the dump. Running it, we get the
flag:
```
I am suspicious of Fideleetos intentions
```
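As an added example (not the team's script), here is a parser for the 24-byte `struct input_event` records described above that also tracks Shift state, which matters here since the message starts with a capital letter. The keycode subset is taken from the kernel's `KEY_*` numbering; `_tap`, `_event` and `SAMPLE_DUMP` are constructed for the demonstration.

```python
import struct
# struct input_event on 64-bit Linux: two 8-byte timeval fields, then
# u16 type, u16 code, u32 value; 24 bytes per record, little-endian.
EVENT_FMT = "<qqHHI"
EVENT_SIZE = struct.calcsize(EVENT_FMT)  # 24
EV_SYN, EV_KEY, EV_MSC = 0, 1, 4
KEY_RELEASE, KEY_PRESS = 0, 1  # value 2 would be autorepeat
KEY_ENTER, KEY_LEFTSHIFT, KEY_RIGHTSHIFT, KEY_SPACE = 28, 42, 54, 57
# Subset of the kernel KEY_* table from the three QWERTY rows:
# KEY_Q..KEY_P are 16..25, KEY_A..KEY_L are 30..38, KEY_Z..KEY_M are 44..50.
KEYMAP = {start + i: ch
          for row, start in (("qwertyuiop", 16), ("asdfghjkl", 30), ("zxcvbnm", 44))
          for i, ch in enumerate(row)}
KEYMAP[KEY_SPACE] = " "

def decode_keystrokes(blob: bytes) -> str:
    """Replay the EV_KEY events of a raw /dev/input dump as typed text."""
    if len(blob) % EVENT_SIZE:
        raise ValueError("dump is not a whole number of 24-byte events")
    shift_held, out = False, []
    for off in range(0, len(blob), EVENT_SIZE):
        _sec, _usec, etype, code, value = struct.unpack_from(EVENT_FMT, blob, off)
        if etype != EV_KEY:  # EV_SYN / EV_MSC records carry no key state
            continue
        if code in (KEY_LEFTSHIFT, KEY_RIGHTSHIFT):
            shift_held = value != KEY_RELEASE  # modifier state spans events
        elif value == KEY_PRESS:  # act on presses only, not release/repeat
            if code == KEY_ENTER:
                out.append("\n")
            elif code in KEYMAP:
                out.append(KEYMAP[code].upper() if shift_held else KEYMAP[code])
    return "".join(out)

def _event(sec, usec, etype, code, value):
    return struct.pack(EVENT_FMT, sec, usec, etype, code, value)

def _tap(sec, code):
    # Constructed press/release pair framed the way the kernel emits it.
    return b"".join([
        _event(sec, 0, EV_MSC, 4, 0x70000 | code),  # MSC_SCAN, ignored
        _event(sec, 0, EV_KEY, code, KEY_PRESS), _event(sec, 0, EV_SYN, 0, 0),
        _event(sec, 50000, EV_KEY, code, KEY_RELEASE), _event(sec, 50000, EV_SYN, 0, 0),
    ])

# Constructed dump: Shift held for "h", then "i there" and Enter.
SAMPLE_DUMP = b"".join([
    _event(1, 0, EV_KEY, KEY_LEFTSHIFT, KEY_PRESS), _tap(2, 35),
    _event(3, 0, EV_KEY, KEY_LEFTSHIFT, KEY_RELEASE),
    _tap(4, 23), _tap(5, KEY_SPACE), _tap(6, 20), _tap(7, 35), _tap(8, 18),
    _tap(9, 19), _tap(10, 18), _tap(11, KEY_ENTER),
])
```

On the real file, `decode_keystrokes(open("dump", "rb").read())` applies the same logic; keys outside the mapped subset are silently skipped, so extend `KEYMAP` if the output has gaps.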

Original writeup (https://github.com/p4-team/ctf/tree/master/2016-03-26-pwn2win/dump).