Forensics: Phishy Phishy (500) — SunshineCTF 2018 Writeup (2 of X)

The Given

We were given a .zip file named phishy_chall.zip, which contains the following data:

Figure: Looks tame enough
Figure: Yes, it's a dognut. Don't stare
Figure: %LOCALAPPDATA%\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects
Figure: Dognut's resource files
Figure: c l a s s i c
Figure: The thumbnail of the phishy_chall project
Figure: goldy project. It's actually bigger than it seems, but that's irrelevant at this point
Figure: goldy files
Figure: phishy_chall files
  1. The Nodes_<number>_<string>.bin naming pattern exists in both projects.
  2. The Resources_Mesh_<number>.bin naming pattern also exists in both projects.
  3. The <number> value in the above-mentioned file names is unique to each project.
Figure: phishy_chall files
Figure: goldy files
  1. When you look at offsets 0x08 to 0x0F of the Resources_Mesh files, you can see that the ASCII string FISH was placed there instead of the weird y's (the ÿ characters a hex editor shows for 0xFF bytes).
  2. The decimal value 18446744069414584347 is equivalent to FFFFFFFF0000001B in hex. If you look closely, that is exactly offsets 0x08 to 0x0F of the goldy file read in reverse (little-endian byte order). This solidifies our hypothesis that the files in phishy_chall were indeed incorrectly modified.
  3. You can also see that the value FFFFFFFF0000001B appears in the Nodes_n_MeshInstance.bin file, specifically at offsets 0x10 to 0x17, again in reverse.
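As an added illustration (not the author's tooling), a small Python helper that reads the 8-byte field as a little-endian integer, diffs the two headers, and copies the reference field back over the damaged one. The two headers are constructed to match the values quoted above; the four bytes after FISH are a constructed filler, not the real file contents.

```python
import struct

# Constructed stand-ins for the first 0x18 bytes of the two Resources_Mesh_<number>.bin
# files; only offsets 0x08..0x0F matter here.
# goldy (reference): the field holds the little-endian u64 0xFFFFFFFF0000001B, which a
# hex editor's text pane shows as 0x1B, three NULs and four 0xFF bytes rendered as "ÿ".
GOLDY_HEADER = bytes(8) + bytes.fromhex("1b000000ffffffff") + bytes(8)
# phishy_chall: the same field overwritten with ASCII "FISH" (filler after it is constructed).
PHISHY_HEADER = bytes(8) + b"FISH" + b"\x00\x00\x00\x00" + bytes(8)

FIELD_OFFSET, FIELD_LEN = 0x08, 8


def u64_le(data: bytes, offset: int) -> int:
    """Read an unsigned 64-bit little-endian integer at offset (e.g. 0x08 or 0x10)."""
    return struct.unpack_from("<Q", data, offset)[0]


def field_views(data: bytes, offset: int) -> tuple:
    """(bytes as a hex editor prints them, value as the integer spells it)."""
    raw = data[offset:offset + FIELD_LEN]
    return raw.hex().upper(), f"{u64_le(data, offset):016X}"


def diff_ranges(a: bytes, b: bytes) -> list:
    """Return [(start, end), ...] byte ranges where the two blobs differ."""
    ranges, start, n = [], None, max(len(a), len(b))
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def restore_field(damaged: bytes, reference: bytes,
                  offset: int = FIELD_OFFSET, length: int = FIELD_LEN) -> bytes:
    """Copy the reference bytes over the damaged field and return the repaired blob."""
    return damaged[:offset] + reference[offset:offset + length] + damaged[offset + length:]
```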
Figure: Here fishy fishy
Figure: Oooooooooooh
