Tuesday 8 September 2015

[Write-up] MMA CTF 2015 - QR code recovery challenge 400

23:23 Posted by Matnacian, 3 comments

Problem

You picked up teared QR code fragments. Recover the flag.
Flag is 12 characters without MMA{...}.
problem.png


While MMA CTF was open, I didn't know what to do with this picture.
When the CTF ended, I googled "QR code recovery challenge" to find the write-up of this chal, and found this link: https://ctf.mma.club.uec.ac.jp/problems/92


problem2.png

We will solve problem2.png first!
---
It looks easier, right? I opened GIMP and tried to recover it, but failed.
After googling, I found a tool named strong-qr-decoder. It can decode a corrupted QR code, but only from a txt file.
So I tried hard and found a tool named qr2txt, which converts a bitmap-file QR code to a txt-file QR code.

Yeah! Go go go!
1. Change problem2.png to problem2.bmp with GIMP, and rename it to qr.bmp
2. $ ./qr2txt
Save it to a text file: $ ./qr2txt > qr.txt

3. Use strong-qr-decoder to decode it:
$ python sqrd.py qr.txt -e 2 -m 4

Boom! 

Yeah, we got the flag of problem2.png. Can we do these steps with problem.png?


"Flag is 12 characters without MMA{...}."
Submit flag "000000000000"! Failed!!!

Did I miss something?



--- matnacian ---
--- ctf for beginners ---



3 comments:

  1. Hi Dude,

    Did you try to manually read the QR code? You will see that the QR code is in Kanji Mode. And with this you need to translate some Japanese to get the code. So far what I got was the following data stream:

    0b0101 --> FNC First Position
    0b1000 --> Kanji Mode
    0b00010101 --> Character Count --> 21 Kanji Chars
    0b0011001101000 --> Char 1 --> JShift 0x89A8
    0b0101000101110 --> char 2 --> JShift 0x8EAE
    0b0001111010100 --> char 3 --> JShift 0x8654
    broken
    broken
    broken
    broken
    broken
    broken
    broken
    broken
    broken
    0b1111101101000 --> JShift 0xEAE8
    broken
    broken
    broken
    0b0111000111000 --> JShift 0x93F8
    0b1000001001011 --> JShift 0x96F8
    0b1110101000111 --> JShift 0xE847
    0b0100100111101 --> JShift 0x8D7D
    broken
    [Possible End or next Mode]
    [next bits can be error correction]

    Everything is described here: http://www.swisseduc.ch/informatik/theoretische_informatik/qr_codes/docs/qr_standard.pdf

    Or for the people who don't want to read this paper: https://www.youtube.com/watch?v=KA8hDldvfv0

    I didn't get the flag either, but I am f**king close ^^

    Greetz TheVamp
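
The header walk and the 13-bit to Shift JIS arithmetic from the comment above, as an added example that is not part of the original post or its comments. It assumes symbol versions 1-9 (8-bit character count in byte and Kanji mode); the function names are this example's own, and the byte-mode stream is a constructed sample included for contrast.

```python
# Added example: QR data-segment header parsing and Kanji-mode decoding.
MODES = {0b0000: "terminator", 0b0100: "byte",
         0b0101: "FNC1 first position", 0b1000: "kanji"}
COUNT_BITS = {"byte": 8, "kanji": 8}   # count-field widths, versions 1-9 (assumed)
ITEM_BITS = {"byte": 8, "kanji": 13}   # bits per encoded character

def kanji_to_sjis(value):
    """Map one 13-bit Kanji-mode value back to its Shift JIS code."""
    packed = ((value // 0xC0) << 8) | (value % 0xC0)
    low_range = packed + 0x8140                     # Shift JIS 0x8140-0x9FFC
    return low_range if low_range <= 0x9FFC else packed + 0xC140  # 0xE040-0xEBBF

def parse_segments(bits):
    """Return [(mode, declared_count, items)]; stops where the bits run out."""
    segments, pos = [], 0
    while pos + 4 <= len(bits):
        mode = MODES.get(int(bits[pos:pos + 4], 2), "unsupported")
        pos += 4
        if mode == "FNC1 first position":           # indicator only, no payload
            segments.append((mode, 0, []))
            continue
        if mode not in COUNT_BITS:                  # terminator or uncovered mode
            break
        width = COUNT_BITS[mode]
        if pos + width > len(bits):
            break
        count = int(bits[pos:pos + width], 2)
        pos += width
        items, step = [], ITEM_BITS[mode]
        while len(items) < count and pos + step <= len(bits):
            raw = int(bits[pos:pos + step], 2)
            items.append(kanji_to_sjis(raw) if mode == "kanji" else raw)
            pos += step
        segments.append((mode, count, items))
        if len(items) < count:                      # truncated (damaged) segment
            break
    return segments

# Bits copied from the comment: two mode indicators, count, first three characters.
COMMENT_BITS = ("0101" "1000" "00010101"
                "0011001101000" "0101000101110" "0001111010100")
# Constructed sample: byte mode, count 2, ASCII bytes "MM", terminator.
BYTE_BITS = "0100" "00000010" "01001101" "01001101" "0000"

if __name__ == "__main__":
    for stream in (COMMENT_BITS, BYTE_BITS):
        for mode, count, items in parse_segments(stream):
            print(mode, count, [hex(i) for i in items])
```

The declared count (21) against the three recovered items shows how much of the segment is still missing, and the same parser reads a byte-mode stream without the Shift JIS step.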

  2. I solved this challenge during MMA (playing on the PPP team), and wrote a writeup of the solution which you can find here: https://github.com/pwning/public-writeup/blob/master/mma2015/misc400-qr/writeup.md

    You can check it out if you're curious. (And, PS: the QR code is not in Kanji, but in plain ASCII.)

  3. Damn, I am too stupid to read the File Information. ^^ Thx Robert and nice write up
    Greetz TheVamp
