forensics, free, easy

Obscure Crusher 1

tjctf

Task: 169-byte binary file containing three embedded file format identifiers (icns, ttf, lzma) and XOR-encrypted flag data. Solution: known-plaintext XOR attack using flag prefix to recover 16-byte key constructed from the file's non-zero header bytes.

$ ls tags/ techniques/
xor_known_plaintext_attack, binary_structure_analysis, key_reconstruction_from_header, file_format_identifier_recognition


Obscure Crusher 1 — TJCTF 2026

Description

What if I make it so you need 3 keys to unlock the flag...

A 169-byte binary file (chall.bin) is provided. The file command identifies it as "Mac OS X icon (icns)" but the file is actually a custom binary container embedding three file format identifiers as the "3 keys" to decrypt the flag.

Analysis

File Structure

Hex dump analysis reveals the binary has a carefully crafted structure:

| Offset | Content | Purpose |
|---|---|---|
| 0-7 | icns magic + size field (256) | File format identifier #1 |
| 8-76 | Second icns marker + zero padding with 0x01 bytes | Padding/structure |
| 77-88 | name field with ttf and xy values | File format identifier #2 |
| 89-108 | Zero padding | Separator |
| 109-128 | LZMA properties (\x5d\x00\x00\x80\x00) + lzma label + KLZMA_DATA: marker | File format identifier #3 |
| 129-164 | 36 bytes of XOR-encrypted flag data | Encrypted flag |
| 165-168 | Trailing zeros | Padding |

Key Discovery via Known-Plaintext Attack

The XOR encryption key was recovered using the known flag prefix tjctf{:

  1. XOR the first 6 encrypted bytes (at offset 129) with tjctf{
  2. The resulting bytes are: i, c, n, s, \x01, t
  3. These match the beginning of the file's non-zero content sequence: icns...ttf...lzma...
  4. The full 16-byte repeating key is the concatenation of the three format identifiers with their structural separator bytes

XOR Key

Key (hex): 69 63 6e 73 01 74 74 66 02 78 79 6c 7a 6d 61 4b
Key (ascii): icns\x01ttf\x02xylzmaK
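The recovery steps above as a runnable sketch. This is an added example, not the writeup author's solver. Since chall.bin is not reproduced here, `build_sample()` constructs a stand-in blob with a placeholder flag; the key, offset and length are the ones stated in the writeup.

```python
from itertools import cycle

# Values stated in the writeup.
KEY = bytes.fromhex("69 63 6e 73 01 74 74 66 02 78 79 6c 7a 6d 61 4b")
FLAG_OFFSET = 129   # start of the encrypted region
FLAG_LEN = 36       # bytes 129-164
PREFIX = b"tjctf{"  # known plaintext


def xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_prefix(blob: bytes, known: bytes = PREFIX) -> bytes:
    """Step 1: ciphertext XOR known plaintext yields the leading key bytes."""
    ct = blob[FLAG_OFFSET:FLAG_OFFSET + len(known)]
    if len(ct) < len(known):
        raise ValueError("blob is too short to contain the encrypted region")
    return bytes(c ^ p for c, p in zip(ct, known))


def decrypt_flag(blob: bytes, key: bytes = KEY) -> bytes:
    """Decrypt the 36-byte region with the 16-byte repeating key."""
    return xor(blob[FLAG_OFFSET:FLAG_OFFSET + FLAG_LEN], key)


def build_sample() -> tuple[bytes, bytes]:
    """Constructed stand-in for chall.bin: 169 bytes, all zero except the
    encrypted region. The flag body is a placeholder, not the real flag."""
    flag = PREFIX + b"PLACEHOLDER".ljust(29, b"_") + b"}"
    blob = bytearray(169)
    blob[FLAG_OFFSET:FLAG_OFFSET + FLAG_LEN] = xor(flag, KEY)
    return bytes(blob), flag


if __name__ == "__main__":
    blob, _ = build_sample()
    prefix = recover_key_prefix(blob)
    print("recovered key prefix:", prefix)           # i, c, n, s, \x01, t
    print("prefix of full key:  ", KEY.startswith(prefix))
    print("decrypted:", decrypt_flag(blob))
```

Against the real file, replace `build_sample()` with the bytes read from chall.bin; the recovered prefix is what points to the file's own identifier bytes as the key material.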

...
