6 files changed, 28 insertions, 0 deletions

diff --git a/chall/description b/chall/description
new file mode 100644
index 0000000..73557e4
--- /dev/null
+++ b/chall/description
@@ -0,0 +1 @@
+There is a new variant of a ransomware, messing up my image files. Somebody told me a vital part of forensics is to understand files. Could you help me to recover my image file?
diff --git a/chall/intro-forensics-3.zip b/chall/intro-forensics-3.zip
new file mode 100644
index 0000000..dd74348
--- /dev/null
+++ b/chall/intro-forensics-3.zip
diff --git a/solve/flag b/solve/flag
new file mode 100644
index 0000000..0f7037b
--- /dev/null
+++ b/solve/flag
@@ -0,0 +1 @@
+CSCG{space_space_spaaaace_space!!!}
diff --git a/solve/intro-forensics-3 b/solve/intro-forensics-3
new file mode 100644
index 0000000..0a7a3a4
--- /dev/null
+++ b/solve/intro-forensics-3
diff --git a/solve/out.png b/solve/out.png
new file mode 100644
index 0000000..57b0e11
--- /dev/null
+++ b/solve/out.png
diff --git a/solve/solve b/solve/solve
new file mode 100755
index 0000000..63e75a5
--- /dev/null
+++ b/solve/solve
@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+
+import binascii
+
+header = b"\x89\x50\x4e\x47\x0D\x0A\x1A\x0A"
+data = open("./intro-forensics-3", "rb").read()
+assert(data[:len(header)] == header)
+
+pos = len(header)
+chunks = {}
+while pos < len(data):
+    start = pos
+    clen = int.from_bytes(data[pos:pos+4], "big")
+    pos += 4
+    ctype = data[pos:pos+4]
+    pos += 4
+    cdata = data[pos:pos+clen]
+    pos += clen
+    index = int.from_bytes(data[pos:pos+4], "big")
+    pos += 4
+    new_crc = int.to_bytes(binascii.crc32(data[start+4:start+8] + cdata), 4, "big")
+    chunks[index] = data[start:start+8] + cdata + new_crc
+
+chunks = sorted(chunks.items(), key = lambda x : x[0])
+data = header + b"".join([v for k,v in chunks])
+open("out.png", "wb+").write(data)