# solution
I took the :he-brings-you-flag: emoji and photoshopped the flag, as text, onto the flag. I then wrote a script that OCRs that flag out, hashes it, and uses the first two bytes of the hash to corrupt the image that the flag was written on. The script also embeds itself into a zTXt chunk in the corrupted image.

Contestants get only the image and have to identify the script and extract it, then RE it to figure out the algorithm. They then need to brute force the two bytes that corrupted the image until they land on a working image. This can be done by eye if you're patient enough, as the total number of possible images is 65535 (it seems like most if not all of them, other than the exact original, do not have legible text). Otherwise you can use the same technique as the script and just start brute forcing images until one outputs the string "flag" somewhere in the OCR output.

On my machine a super naive and unoptimized version of this script takes ~20 seconds to run. I could potentially use 3 bytes of the hash instead, though this likely eliminates the possibility of people doing this challenge manually by eye, which would be really funny.

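```python
import io
import os
import sys
import time
import zlib

import pytesseract
from PIL import Image


def fix_image(b1, b2, b_arr):
    # XOR the first byte of the block with b1, then use the resulting byte
    # value as the offset of the second byte and XOR that one with b2.
    ind = 0

    b_arr[ind] = b_arr[ind] ^ b1

    ind += b_arr[ind]
    b_arr[ind] = b_arr[ind] ^ b2

    return b_arr


with open("hebringsyouflag.png", "rb") as f:
    img = bytearray(f.read())

# Locate the IDAT chunk: 4-byte length, 4-byte type, data, 4-byte CRC.
idat_loc = img.index(b'IDAT')
idat_sz = int.from_bytes(img[idat_loc - 4:idat_loc], "big")
crc_loc = idat_loc + 4 + idat_sz

raw_image_data = img[idat_loc + 4 : crc_loc]

# Offset inside the IDAT data where the corrupted block starts.
block_offset = 0x420

os.makedirs("./out", exist_ok=True)

start = time.time()
for i in range(256):
    for j in range(256):
        # Slicing copies the data, so every candidate starts from the original bytes.
        img[idat_loc + 4 + block_offset:crc_loc] = fix_image(i, j, raw_image_data[block_offset:])
        # The chunk CRC covers the type and data fields, so recompute it for each candidate.
        img[crc_loc:crc_loc + 4] = zlib.crc32(img[idat_loc:crc_loc]).to_bytes(4, "big")

        try:
            flag = pytesseract.image_to_string(Image.open(io.BytesIO(img))).strip().replace("\n", "").replace(" ", "")
        except Exception:
            # This candidate does not decode as an image; try the next one.
            continue

        if "flag" in flag:
            print(flag)
            with open("./out/" + "out.png", "wb") as f2:
                f2.write(img)
            print("took {} seconds".format(time.time() - start))
            sys.exit(0)
```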
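
Pulling the embedded script out of the zTXt chunk, as described above, comes down to walking the PNG chunk list and inflating the chunk's payload. The following is an added example, not part of the original write-up: the sample PNG, its `script` keyword and the `MAX_TEXT` cap are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_TEXT = 1 << 20  # cap on decompressed size per chunk (assumed limit)

def iter_chunks(png):
    """Yield (type, data, crc_ok) per chunk; stop at a truncated chunk."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(png):
            break
        data = bytes(png[pos + 8:end])
        stored = int.from_bytes(png[end:end + 4], "big")
        yield ctype, data, zlib.crc32(ctype + data) == stored
        pos = end + 4

def extract_ztxt(png):
    """Return {keyword: text} for every zTXt chunk in the file."""
    found = {}
    for ctype, data, _crc_ok in iter_chunks(png):
        if ctype != b"zTXt":
            continue
        # Layout: keyword, NUL, compression method (0 = deflate), zlib stream
        keyword, sep, rest = data.partition(b"\x00")
        if not sep or len(rest) < 2 or rest[0] != 0:
            continue
        text = zlib.decompressobj().decompress(rest[1:], MAX_TEXT)
        found[keyword.decode("latin-1")] = text.decode("latin-1")
    return found

def make_chunk(ctype, data):
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample():
    """Constructed 1x1 grayscale PNG carrying a zTXt chunk (not the challenge file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    ztxt = b"script\x00\x00" + zlib.compress(b"print('embedded')")
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"zTXt", ztxt)
            + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    for key, text in extract_ztxt(build_sample()).items():
        print(f"zTXt[{key}]:\n{text}")
```

To run it against the challenge file, pass the bytes of `hebringsyouflag.png` to `extract_ztxt`; the third value yielded by `iter_chunks` shows whether each chunk's stored CRC matches its contents.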