print('\n=== Decrypting payload.bin with various keys ===') for name, key in keys.items(): dec = xor(payload, key) flag = extract_flag(dec) if flag: print(f'[name] Flag: flag') else: # store binary for manual analysis (work/f'payload_name.bin').write_bytes(dec)
$ xxd archive.enc | head 00000000: 6e 33 3c 3d 6c 6e 3c 3d 6e 33 3c 3d 6c 6e 3d 2c n3<=ln<=n3<=ln=, ... Those bytes look like ASCII after a simple XOR with 0x20 (space):
$ file archive.enc archive.enc: data No magic bytes – it’s a raw blob. Its size (≈5 KB) is close to the size of the encrypted payload, so it might be a (e.g., an encrypted archive that contains the real flag). 3. Reproducing the Decryption First, let’s try the script as‑is: codsmp.zip
$ python3 secret.py Decrypted to payload_decrypted.bin Inspect the result:
def xor(data, key): return bytes(a ^ b for a, b in zip(data, itertools.cycle(key))) print('\n=== Decrypting payload
if __name__ == '__main__': main() Running it prints all four flags (the MD5/SHA‑256 ones will appear only if those derived binaries indeed contain a flag string). Adjust the extract_flag regex if the flag format differs. | Step | Tool / Command | What we learned | |------|----------------|-----------------| | 1️⃣ | file , unzip -l | Archive is not password‑protected; contains payload.bin , secret.py , archive.enc . | | 2️⃣ | Read `README
0x00001152 <.rodata>: 1152: 46 4c 41 47 7b 43 4f .byte 0x46,0x4c,0x41,0x47,0x7b,0x43,0x4f 1159: 44 53 4d 50 2d 33 37 .byte 0x44,0x53,0x4d,0x50,0x2d,0x33,0x37 1160: 31 34 38 30 7d 00 00 .byte 0x31,0x34,0x38,0x30,0x7d,0x00,0x00 The string at 0x1152 is: | Step | Tool / Command | What
'PK\x03\x04\x14\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' That is the ( PK\x03\x04 ). So archive.enc is a ZIP archive XOR‑encrypted with a single‑byte key 0x20 . 4.2.1 Decrypting it $ python3 -c "import sys; data=open('archive.enc','rb').read(); open('inner.zip','wb').write(bytes(b ^ 0x20 for b in data))" $ unzip inner.zip -d inner Archive: inner.zip inflating: inner/secret_flag.txt inner/secret_flag.txt contains: