Task: a broken binary that won't run — 'one little thing' was changed. Solution: discover all 0x00 bytes were replaced with 0x20 (space) and ELF magic corrupted; restore nulls and fix header, then extract flag from putchar calls via static analysis.

$ ls tags/ techniques/
elf_header_repair  null_byte_restoration  static_disassembly_character_extraction


remoose — TJCTF 2026

Description

I changed just one little thing and my racing moose won't run anymore!

A single binary file chall (16808 bytes) is provided. The file command identifies it as "data" — not a valid executable. The goal is to figure out what was changed, fix the binary, and recover the flag.

Analysis

Initial Recon

The binary is not recognized as an ELF:

$ file chall
chall: data

Hex inspection of the first 16 bytes reveals the corruption:

$ xxd chall | head -1
00000000: 7f45 4c4b 0201 0120 2020 2020 2020 2020  .ELK...

The ELF magic should be 7f 45 4c 46 (.ELF) but byte 3 is 0x4b (.ELK) instead of 0x46. More importantly, the padding bytes that should be 0x00 are all 0x20 (space).

Identifying the Transformation

Counting byte occurrences confirms the pattern:

  • Zero 0x00 bytes in the entire file — impossible for a valid ELF which uses nulls extensively for padding, string terminators, and zero-valued header fields
  • 14106 0x20 (space) bytes — far too many for a 16KB binary

The "one little thing" that was changed: all 0x00 null bytes were replaced with 0x20 (space). The ELF magic F (0x46) → K (0x4b) change is a +5 shift that's also consistent with the corruption pattern (though the primary transformation is the null-to-space replacement).

Solution

Step 1: Restore the Binary

Replace all 0x20 bytes back to 0x00 and fix the ELF magic byte:

#!/usr/bin/env python3
data = open('chall', 'rb').read()
fixed = bytearray(data)

# Restore all 0x20 (space) -> 0x00 (null)
for i in range(len(fixed)):
    if fixed[i] == 0x20:
        fixed[i] = 0x00

# Fix ELF magic: byte 3 should be 0x46 ('F'), not 0x4b ('K')
fixed[3] = 0x46

open('chall_fixed', 'wb').write(bytes(fixed))
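The byte-count check from the analysis and the Step 1 repair, followed by an ELF64 header sanity check, as an added example that is not part of the original writeup. It runs on a constructed 64-byte header rather than the challenge file; all function names are hypothetical, and the header checks assume a 64-bit little-endian ELF.

```python
import struct
from collections import Counter

def build_sample_header():
    """Constructed ELF64 little-endian header (sample data, not the challenge file)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    # e_type=3, e_machine=62, e_version=1, e_entry, e_phoff=64, e_shoff=0, e_flags=0,
    # e_ehsize=64, e_phentsize=56, e_phnum=0, e_shentsize=64, e_shnum=0, e_shstrndx=0
    return e_ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0x1040, 64, 0, 0, 64, 56, 0, 64, 0, 0)

def corrupt(data):
    """Apply the transformation the writeup identifies: 0x00 -> 0x20, magic 'F' -> 'K'."""
    out = bytearray(data.replace(b"\x00", b"\x20"))
    out[3] = 0x4B
    return bytes(out)

def looks_null_stripped(data):
    """Heuristic from the analysis: no 0x00 bytes at all and 0x20 is the most common byte."""
    counts = Counter(data)
    return counts[0x00] == 0 and counts.most_common(1)[0][0] == 0x20

def repair(data):
    """Reverse the transformation. Lossy: bytes that were 0x20 originally also become 0x00."""
    out = bytearray(data.replace(b"\x20", b"\x00"))
    out[3] = 0x46
    return bytes(out)

def check_elf64_header(data):
    """Return a list of problems in the ELF64 header; an empty list means it parses sanely."""
    problems = []
    if data[:4] != b"\x7fELF":
        problems.append("bad magic")
    if len(data) < 64 or data[4:6] != b"\x02\x01":
        return problems + ["not a complete ELF64 little-endian header"]
    if any(data[9:16]):
        problems.append("nonzero e_ident padding")
    f = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    phoff, ehsize, phentsize, phnum = f[4], f[7], f[8], f[9]
    if ehsize != 64:
        problems.append("e_ehsize is %d, expected 64" % ehsize)
    if phoff + phnum * phentsize > len(data):
        problems.append("program header table extends past end of file")
    return problems

if __name__ == "__main__":
    bad = corrupt(build_sample_header())
    print("null-stripped:", looks_null_stripped(bad), "| before:", check_elf64_header(bad))
    print("after repair:", check_elf64_header(repair(bad)))
```

Because the repair cannot tell an original space from a replaced null, any string in the restored binary that contained a space is split at that point, so the restored file is not guaranteed to be byte-identical to the original.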

...
