PoC||GTFO Tamagotchi image decoding

In issue 2 of (Children's Bible Coloring Book Of) PoC||GTFO, a small challenge was present: http://imgur.com/Ha2EJLM

With a simple message: "Hey kids! Can you reverse engineer this shellcode from the picture?"

As I'm currently doing a lot of waiting while trying to get myself back home from 30C3, I decided to give it a try.

We can note a few things about the image on the Tamagotchi's display. It's 48 pixels wide and, although counting height pixels is a bit troublesome, 31 pixels high. It has only four distinct colors. With four distinct values, we can encode 2 bits per pixel.

After some image manipulation with my oh-not-so-sharp skills in GIMP I came up with this (first deskewed, posterized, scaled to 48x48, exported): http://i.imgur.com/dBVNWdq.png

Ok, now we have an image with 4 distinct colors, with values (thanks python PIL):

```
>>> from PIL import Image
>>> im = Image.open("pp.png")
>>> pix = im.load()
>>> v = set()
>>> for i in range(im.size[0]):
...     for j in range(im.size[1]):
...         v.add(pix[i,j])
...
>>> v
set([(170, 255), (170, 254), (85, 252), (85, 253), (170, 253), (85, 254), (85, 255), (0, 255), (0, 254), (255, 254), (255, 255)])
>>>
```

So the grey values (the first element of each tuple) are 0, 85, 170 and 255. Let's assign concrete 2-bit values to these: 0 becomes 3, 85 becomes 2, 170 becomes 1 and 255 becomes 0. Let's try to decode the image by assuming that 4 pixels make a byte, with the first pixel being the most significant.
Here is the code:

```python
# this is not the best decoding code in the world
# this is just a PoC
import sys
from PIL import Image

im = Image.open("pp.png")
pix = im.load()

c = 0
decoded = bytearray()
for i in range(0, im.size[1]):        # rows, top to bottom
    for j in range(0, im.size[0]):    # columns, left to right
        b = pix[j, i][0]              # grey channel only
        # 2-bit value per grey level: darkest pixel is 3, white is 0
        val = None
        if b == 0:
            val = 3
        elif b == 85:
            val = 2
        elif b == 170:
            val = 1
        elif b == 255:
            val = 0
        c = c << 2                    # first pixel of the four is the most significant
        c |= val
        if j % 4 == 3:                # four pixels collected: emit one byte
            decoded.append(c)
            c = 0

sys.stdout.buffer.write(bytes(decoded))   # write the raw bytes unchanged
```

Save it, run it and get:

```
$ python tamago.py
������������������������������������������������������������������������ �������©���� ������p������e���楥���e������LL ������Wait a sec, this isn't shellcode, is it? QDppS5rEUukz6E+nSlUM8P z/HErYyNzfmVO8wPEMFYU= or maybe it is...������������������������������� ��If you can see this, you're too close��������������������������������� ���������������xL
```

That should be it, unless some pixels got flipped in GIMP... Obviously, there's some base64 encoded data there... I can't verify the code because I don't have the Tamagotchi, and the actual shellcode disassembly will have to wait until I watch Natashenka's talk (I missed it during the congress).
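The 2-bits-per-pixel scheme described above, as an added example that is not the post's own script: it works on rows of grey values constructed in memory rather than on pp.png, so it runs without the image. It goes a little beyond the post in two ways: it snaps each pixel to the nearest of the four known grey levels (so a value left slightly off by resampling, the "flipped in GIMP" worry, does not break decoding), and it pulls base64-looking runs out of the decoded bytes and decodes them. The sample data, the level mapping table and all function names are assumptions for the example, not from the original.

```python
import base64
import re

# Grey levels seen in the cleaned-up image and the 2-bit value assigned to each
# (darkest pixel = 3, white = 0), the same mapping the post uses.
LEVELS = {0: 3, 85: 2, 170: 1, 255: 0}
VALUE_TO_LEVEL = {v: k for k, v in LEVELS.items()}


def quantize(grey):
    """Snap a grey value to the nearest of the four known levels.

    Tolerates a value left slightly off by resampling instead of crashing
    on an unexpected pixel.
    """
    return min(LEVELS, key=lambda level: abs(level - grey))


def decode_rows(rows):
    """Decode a list of pixel rows (lists of grey values) into bytes.

    Four consecutive pixels form one byte, the first pixel being the most
    significant pair of bits; rows are scanned top to bottom, left to right.
    """
    out = bytearray()
    for row in rows:
        if len(row) % 4:
            raise ValueError("row width must be a multiple of 4 pixels")
        for k in range(0, len(row), 4):
            byte = 0
            for grey in row[k:k + 4]:
                byte = (byte << 2) | LEVELS[quantize(grey)]
            out.append(byte)
    return bytes(out)


def encode_bytes(data, width_bytes):
    """Inverse of decode_rows: lay bytes out as rows of grey pixels.

    Only used here to build a constructed test image in memory.
    """
    rows = []
    for i in range(0, len(data), width_bytes):
        row = []
        for b in data[i:i + width_bytes]:
            for shift in (6, 4, 2, 0):
                row.append(VALUE_TO_LEVEL[(b >> shift) & 3])
        rows.append(row)
    return rows


def find_base64_runs(data, min_len=16):
    """Find printable base64-looking runs in decoded bytes and decode them.

    Runs that are not valid base64 (bad length or characters) are skipped.
    """
    pattern = rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len
    found = []
    for m in re.finditer(pattern, data):
        try:
            found.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError
            pass
    return found


# Constructed sample: plain text wrapped around a base64 blob, laid out
# 12 bytes (48 pixels) per row like the Tamagotchi display.
SECRET = b"constructed payload, not shellcode"
SAMPLE = b"marker " + base64.b64encode(SECRET) + b" end"
SAMPLE_ROWS = encode_bytes(SAMPLE, 12)
# Knock one pixel two steps off its exact level (170) to exercise quantize()
SAMPLE_ROWS[0][0] = 172


def roundtrip():
    """Decode the constructed rows and pull the base64 blob back out."""
    decoded = decode_rows(SAMPLE_ROWS)
    return decoded, find_base64_runs(decoded)


if __name__ == "__main__":
    decoded, runs = roundtrip()
    print(decoded)
    print(runs)
```

To use it on a real image, build `rows` from the grey channel of each pixel (the `[0]` of each PIL tuple) row by row and pass them to `decode_rows`; the base64 blob on the real display is split by a space where the screen wraps, so joining the pieces by hand before decoding is still needed.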