Fileice.net | Debrideur

| Offset | Size | Meaning | |--------|------|----------| | 0x00 | 8 | ASCII magic "DEBRIDER" | | 0x08 | 4 | (little‑endian) – the “bride” | | 0x0C | 4 | Reserved / version (currently zero) | | 0x10 | … | Payload data (to be “de‑brided”) |

The file format is:

The key table is:

$ ltrace -e crc32 ./debrideur mystery.dat ... crc32(0x0, "abcdefghij...", 0x1c0) = 0x4a1f0c2b The binary uses (the standard polynomial 0xEDB88320). The function is called on the data after the checksum field. Debrideur fileice.net

#!/usr/bin/env bash FILE=mystery.dat FIXED=$FILE.fixed

# run the binary and capture the flag ./debrideur "$FIXED" 2>/dev/null | grep -i flag Running this script prints:

import sys, binascii

[*] Fixed CRC = 0x4a1f0c2b FLAGBr1d3_1s_Just_A_CRC | Topic | What the challenge taught | |-------|---------------------------| | File‑format reverse engineering | Even stripped binaries often expose the checksum routine via library calls ( crc32 ). | | Dynamic analysis | ltrace / strace are great for spotting which functions the binary uses (e.g., crc32 ). | | Checksum reconstruction | Many CTF “repair” challenges involve simply recomputing a checksum after editing a file. | | Simple XOR decryption | A static key table hidden in the binary can be discovered with a quick strings or objdump -s . | | Naming clues | French/English wordplay often hints at the solution (here, “bride” = checksum). | 8. Full Source Code of the Helper Scripts Below are the two scripts you may keep for future reference. 8.1 rebuild.py #!/usr/bin/env python3 """ rebuild.py – Fix the CRC32 “bride” in the DEBRIDER file. """

def rebuild(fname): data = open(fname, "rb").read() payload = data[0x10:] # skip header + checksum field crc = binascii.crc32(payload) & 0xffffffff # rebuild the file new = data[:0x08] + crc.to_bytes(4, "little") + data[0x0c:] open(fname + ".fixed", "wb").write(new) print(f"Fixed file written: fname.fixed CRC=0xcrc:08x")

if __name__ == "__main__": if len(sys.argv) != 2: print(f"Usage: sys.argv[0] <debrideur_file>") sys.exit(1) fix(sys.argv[1]) #!/usr/bin/env bash # run_and_get_flag.sh – Build the bride, run debrideur, extract the flag. | Offset | Size | Meaning | |--------|------|----------|

The checksum is calculated over the , i.e. bytes starting at 0x10 . 4. Re‑building the Bride (Checksum) 4.1 Compute the correct CRC‑32 Python makes this trivial:

$ python3 rebuild.py mystery.dat Fixed file written: mystery.dat.fixed CRC=0x4a1f0c2b $ ./debrideur mystery.dat.fixed Processing block 0... Processing block 1... ... Flag: FLAGBr1d3_1s_Just_A_CRC Success! The flag appears after the binary finishes its “de‑briding” routine. 5. What the Binary Actually Does After the Check Once the checksum passes, the program iterates over the payload in 16‑byte blocks , XOR‑ing each block with a constant key derived from a hidden table (found at offset 0x2000 in the binary). The transformed bytes are written to a temporary file, then the program prints the first line of that file – which is the flag.

# 2️⃣ Execute and filter the flag ./debrideur "$FIXED" 2>/dev/null | grep -i -E 'flag\[^]+\}' Make them executable ( chmod +x rebuild.py run_and_get_flag.sh ) and you’re ready to solve the challenge in one command: | | Simple XOR decryption | A static

static const uint8_t key[16] = 0x13, 0x57, 0x9B, 0xDF, 0x02, 0x46, 0x8A, 0xCE, 0x31, 0x75, 0xB9, 0xFD, 0x40, 0x84, 0xC8, 0x0C ; Each 16‑byte chunk of the payload is XOR‑ed with this key, effectively decrypting the hidden text.

def fix(fname): data = open(fname, "rb").read() payload = data[0x10:] # skip header + checksum field crc = binascii.crc32(payload) & 0xffffffff fixed = data[:0x08] + crc.to_bytes(4, "little") + data[0x0c:] out = fname + ".fixed" open(out, "wb").write(fixed) print(f"[+] Fixed file: out CRC=0xcrc:08x")