If you open the file with a text editor, you can see the following content:
Obviously, the data here is Base64-encoded, so let’s decode it:
The above picture shows the decoded content; by searching for the keyword in Google we can find the source:
Comparing the decoded file with the file downloaded from the above link, we could not find any additional information added to the decoded file.
So there must be some secrets hidden in the Base64 strings themselves, but what are they? Let’s re-encode the content with a standard Base64 algorithm to see if there are any differences:
What can you find here? Yes, there are many strings that differ only in the last character before the “=”.
If you are familiar with Base64, I think you can easily figure out the reason. As we know, Base64 splits the original data into groups of 3 bytes. If the last group contains only 1 or 2 bytes, the encoder pads it with zero bits to fill the final character and appends 2 or 1 “=” respectively, which tells the decoder how many original bytes are in the last group. Here is an example of 1 byte in the last group:
The 4 padding bits here are actually ignored by the decode routine; that is to say, we can put any bits here. What a good place to hide information!
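The behaviour described above, as an added example that is not part of the original write-up: it lists every Base64 string that decodes to the same bytes, and flags lines a standard encoder would never emit by re-encoding them and comparing. The function names and the sample lines are constructed for illustration.

```python
import base64

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def variants(data):
    """All Base64 strings that decode to `data`, differing only in unused bits."""
    enc = base64.b64encode(data).decode("ascii")
    pad = len(enc) - len(enc.rstrip("="))
    if pad == 0:
        return [enc]                      # full 3-byte groups: no unused bits
    base = B64.index(enc[-pad - 1])       # canonical character has them all zero
    return [enc[:-pad - 1] + B64[base | v] + "=" * pad
            for v in range(1 << (2 * pad))]


def slack_bits(line):
    """Unused low bits of the last data character: 4 for '==', 2 for '='."""
    line = line.strip()
    pad = len(line) - len(line.rstrip("="))
    if pad not in (1, 2):
        return ""
    width = 2 * pad
    value = B64.index(line[-pad - 1]) & ((1 << width) - 1)
    return format(value, "0{}b".format(width))


def noncanonical(lines):
    """(line number, unused bits) for each line that does not re-encode to itself."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if base64.b64encode(base64.b64decode(line)).decode("ascii") != line:
            hits.append((n, slack_bits(line)))
    return hits


# Constructed sample: lines 1, 3 and 5 are canonical, lines 2 and 4 are not.
SAMPLE = ["QQ==", "QV==", "QUI=", "QUL=", "QUJD"]

if __name__ == "__main__":
    print(variants(b"A"))                 # 16 strings, all decoding to b"A"
    print(noncanonical(SAMPLE))
```
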
Once you understand this, there will be no difficulty in solving this challenge. The following script is what I use to extract the hidden information:

```python
import string

B64TABLE = string.ascii_uppercase + string.ascii_lowercase + string.digits + '+/'


def tobin(data):
    # 6-bit binary string for one Base64 character
    index = B64TABLE.find(data)
    return format(index, '06b')


def toStr(bits):
    # Convert a bit string to text, 8 bits per character
    out = ''
    for i in range(0, len(bits), 8):
        out += chr(int(bits[i:i+8], 2))
    return out


out = ''
# Text mode, so the slices below compare equal to str literals in Python 3
for line in open('cip_d0283b2c5b4b87423e350f8640a0001e', 'r'):
    line = line.strip()
    if line[-2:] == '==':
        # Two '=': the last data character carries 4 unused bits
        binstr = tobin(line[-3:-2])
        out += binstr[-4:]
        print(binstr[-4:])
    elif line[-1:] == '=':
        # One '=': the last data character carries 2 unused bits
        binstr = tobin(line[-2:-1])
        out += binstr[-2:]
        print(binstr[-2:])
print(out)
print(toStr(out))
```