Obscure File Format

We get an archive with three files: a, k and l. Running file to see what they are doesn’t tell us anything about the first two, but l is a Python script:

$ file a k l
a: data
k: data
l: Python script, ASCII text executable, with very long lines

If we open l, we will see something like the following:

#! /usr/bin/env python3
import zlib;
exec(zlib.decompress(b"lots of data"))

If we replace the exec with print to see what the script executes, we get a similar output:

#! /usr/bin/env python3
import binascii
exec(binascii.unhexlify(b"even more data"))

Again, we replace exec with print, and unsurprisingly run into a similar-looking script… Several rounds of this later, we get the actual code – an obfuscated Python script (see here).

After replacing all the obfuscated imports and function aliases with the original names (pick your favourite automation method here – Emacs macros worked well for me), we are left with a slightly clearer, but not yet readable file. There isn’t much to do except read the file, guess what the variables are meant to be from their usage and deobfuscate it slowly. My deobfuscated version can be found here – some names probably don’t match what the author intended, but it’s enough to get an idea of what the program does.

The program is an archiver that does the following:

The two files can be recognised based on their headers: L0LKSTR\0 for the keystore, and L0LARCH\0 for the archive. We can now recognise that the other two files we have are the keystore (k) and archive (a).

All that remains is to reconstruct the encryption algorithm and file formats, parse them and extract the files. The encryption key consists of an AES key and IV, and a permutation p. The algorithm is:

The keystore format is:

The archive format is similar:

After parsing the two files, we can use the UUIDs to match the files with keys, decrypt and output them (my parser is here1). We get several “filler” files and a file containing the flag.

  1. Note: written during the CTF – not exactly clean code.↩︎