PwnCollege - RE - Endianness

Reading Endianness (Python)

# Single-field record type; the field name suggests one displayable
# character per pixel, but nothing in the visible code constructs a Pixel.
Pixel = namedtuple("Pixel", "ascii")

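def _require(condition, message):
    """Raise AssertionError(message) unless *condition* is true.

    A plain ``assert`` is stripped under ``python -O``, which would silently
    skip the extension, length and magic-number checks below.  Raising the
    same exception type explicitly keeps the checks in every build while the
    ``__main__`` guard still catches exactly what it did before.
    """
    if not condition:
        raise AssertionError(message)


def main():
    """Validate a .cimg header read from a file or stdin, then print the flag.

    With a path argument the file must end in ``.cimg`` and is opened in
    binary mode; without one the image is read from ``sys.stdin.buffer``.
    Every validation failure is reported as an AssertionError whose message
    starts with ``ERROR:`` so the ``__main__`` guard can print it and exit
    with a non-zero status.

    Raises:
        AssertionError: on a bad extension, a header shorter than 4 bytes,
            or a magic number that is not 0x72254F3C when decoded
            little-endian.
    """
    owns_file = False
    if len(sys.argv) >= 2:
        path = sys.argv[1]
        _require(path.endswith(".cimg"), "ERROR: file has incorrect extension")
        file = open(path, "rb")
        owns_file = True
    else:
        file = sys.stdin.buffer

    try:
        # read(4) keeps reading until 4 bytes or EOF; read1(4) performs at
        # most one raw read and can return short on a pipe even when the
        # rest of the header is still in flight.
        header = file.read(4)
        _require(len(header) == 4, "ERROR: Failed to read header!")

        # The magic is stored little-endian: the file bytes 3c 4f 25 72
        # (ASCII "<O%r") decode to 0x72254F3C.
        _require(
            int.from_bytes(header, "little") == 0x72254F3C,
            "ERROR: Invalid magic number!",
        )
    finally:
        # Close only what this function opened; stdin belongs to the caller.
        if owns_file:
            file.close()

    with open("/flag", "r") as f:
        flag = f.read()
    print(flag)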


if __name__ == "__main__":
    # Validation failures inside main() arrive as AssertionError; report the
    # message on stderr and exit with a non-zero status.
    try:
        main()
    except AssertionError as err:
        sys.stderr.write(f"{err}\n")
        sys.exit(-1)
hacker@reverse-engineering~reading-endianness-python:~$ xxd payload.cimg
00000000: 3c4f 2572 0000 0000 0000 0000 0000 0000 <O%r............
hacker@reverse-engineering~reading-endianness-python:~$ /challenge/cimg payload.cimg
pwn.college{**********************************************}

Reading Endianness (C)

//...
int main(int argc, char **argv, char **envp)
{

    struct cimg cimg = { 0 };
    int won = 1;

    if (argc > 1)
    {
        /* Compares the last five characters of argv[1] with ".cimg".  For an
         * argument shorter than five characters strlen(argv[1])-5 wraps
         * (size_t) and the pointer lands before the string, so strcmp reads
         * out of bounds; a length check before the strcmp would avoid it. */
        if (strcmp(argv[1]+strlen(argv[1])-5, ".cimg"))
        {
            printf("ERROR: Invalid file extension!");
            exit(-1);
        }
        /* The open() result is not checked: on failure dup2(-1, 0) fails
         * and fd 0 is left as the original stdin, so the header is then
         * read from wherever stdin points instead of the named file. */
        dup2(open(argv[1], O_RDONLY), 0);
    }

    /* read_exact is defined outside this excerpt; presumably it fills the
     * whole header from fd 0 or exits with the given message and code. */
    read_exact(0, &cimg.header, sizeof(cimg.header), "ERROR: Failed to read header!", -1);

    /* 1198345851 == 0x476D4E7B.  The header is read raw into memory, so on
     * a little-endian host the file must begin with the low byte first:
     * 7b 4e 6d 47.  Note this build's magic differs from the Python
     * variant's 0x72254F3C. */
    if (cimg.header.magic_number != 1198345851)
    {
        puts("ERROR: Invalid magic number!");
        exit(-1);
    }

    /* won is never cleared in the visible code, so reaching this line
     * always calls win(); the function continues past this excerpt. */
    if (won) win();
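from pwn import *
from pwn import process

# The C check compares the header's integer field as stored in memory, so on
# a little-endian host the low byte goes first: 1198345851 (0x476D4E7B) must
# appear on disk as 7b 4e 6d 47.
magic_number = 1198345851
# 4 bytes would hold the magic itself; the zero padding beyond it covers a
# header larger than the magic (the C build reads sizeof(cimg.header), which
# is not shown here) without altering the first four bytes.
payload = magic_number.to_bytes(256, "little")
# A context manager closes the file even if write() raises, so the process
# below never runs against a half-written payload.
with open("payload.cimg", "wb") as file:
    file.write(payload)

p = process(["/challenge/cimg", "payload.cimg"], stdin=process.PTY, stdout=process.PTY)
print(p.recvall())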

b'pwn.college{**********************************************}'

Reading Endianness (x86)

radare2 btw

│     0x004012be      488d742404     lea rsi, [rsp + 4]
│ 0x004012c3 ba04000000 mov edx, 4
│ 0x004012c8 488d0d290e.. lea rcx, str.ERROR:_Failed_to_read_header_ ; 0x4020f8 ; "ERROR: Failed to read header!"
│ 0x004012cf e827020000 call sym.read_exact ;[5]
│ 0x004012d4 817c24043c.. cmp dword [rsp + 4], 0x72254f3c ; '<O%r'
│ ┌─< 0x004012dc 7414 je 0x4012f2
│ │ 0x004012de 488d3d310e.. lea rdi, str.ERROR:_Invalid_magic_number_ ; 0x402116 ; "ERROR: Invalid magic number!"
│ │ 0x004012e5 e846feffff call sym.imp.puts ;[6]
└───> 0x004012ea 83cfff or edi, 0xffffffff ; -1
│ 0x004012ed e8eefeffff call sym.imp.exit ;[7]
└─> 0x004012f2 31c0 xor eax, eax
0x004012f4 e80d010000 call sym.win ;[8]
0x004012f9 488b442408 mov rax, qword [rsp + 8]
0x004012fe 6448330425.. xor rax, qword fs:[0x28]
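from pwn import *
from pwn import process

# The binary compares dword [rsp + 4] with 0x72254f3c, i.e. the raw header
# bytes interpreted little-endian, so the file must start with 3c 4f 25 72
# (ASCII "<O%r").
magic_number = 0x72254f3c
# 4 bytes would hold the magic itself (the disassembly passes 4 to
# read_exact); the zero padding beyond it is harmless and keeps the same
# payload layout as the other variants.
payload = magic_number.to_bytes(256, "little")
# A context manager closes the file even if write() raises, so the process
# below never runs against a half-written payload.
with open("payload.cimg", "wb") as file:
    file.write(payload)

p = process(["/challenge/cimg", "payload.cimg"], stdin=process.PTY, stdout=process.PTY)
print(p.recvall())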

pwn.college{**********************************************}