CSE Puzzle Challenge - Puzzle 11 - Solution

Solution


Bookie Bust Walk-through

Tools for this challenge:

  1. 7zip
  2. Hex editor (010Editor will be the most helpful)
  3. Gimp
  4. Access to the internet

The challenge description told us from the start that we would be dealing with a flash drive, and since unzipping the download does not produce a folder full of files, we can assume we are dealing with a raw image of the drive (the bit-for-bit copy a tool like dd produces). Looking at the unzipped file in a hex editor, Jimmy’s flash drive can quickly be identified as a FAT16 file system: the boot sector in the first 512 bytes carries a FAT BIOS Parameter Block and the type string “FAT16” at offset 0x36.
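To show how that identification is done properly, here is an added Python example (not part of the original walkthrough) that reads the BIOS Parameter Block from the first sector of a raw image and classifies the volume the way the FAT specification does, by counting data clusters, rather than trusting the type string, which is only advisory. It runs on a boot sector constructed inline; to check the real image, pass the first 512 bytes of JimmyW_Flash to classify_fat.

```python
import struct


def parse_bpb(sector: bytes) -> dict:
    """Decode the BIOS Parameter Block fields needed to classify a FAT volume.
    Offsets follow the Microsoft FAT specification; all fields are little-endian."""
    if len(sector) < 512:
        raise ValueError("need the first 512 bytes of the image")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot-sector signature")
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats,
     root_entries, total_sectors16, _media, fat_size16) = struct.unpack_from("<HBHBHHBH", sector, 0x0B)
    (total_sectors32,) = struct.unpack_from("<I", sector, 0x20)
    # 0x24 holds the 32-bit FAT size only on FAT32; on FAT12/16 those bytes are
    # drive number / boot signature and are ignored because fat_size16 is non-zero.
    (fat_size32,) = struct.unpack_from("<I", sector, 0x24)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "num_fats": num_fats,
        "root_entries": root_entries,
        "total_sectors": total_sectors16 or total_sectors32,
        "fat_size": fat_size16 or fat_size32,
    }


def classify_fat(sector: bytes):
    """Return (fs_type, cluster_count, type_string). The cluster count decides
    FAT12/16/32 (thresholds from the FAT spec); the 8-byte type string at 0x36
    (0x52 on FAT32) is informational and is returned only for comparison."""
    b = parse_bpb(sector)
    root_dir_sectors = (b["root_entries"] * 32 + b["bytes_per_sector"] - 1) // b["bytes_per_sector"]
    data_sectors = b["total_sectors"] - (b["reserved_sectors"] + b["num_fats"] * b["fat_size"] + root_dir_sectors)
    clusters = data_sectors // b["sectors_per_cluster"]
    if clusters < 4085:
        kind = "FAT12"
    elif clusters < 65525:
        kind = "FAT16"
    else:
        kind = "FAT32"
    type_off = 0x52 if kind == "FAT32" else 0x36
    return kind, clusters, sector[type_off:type_off + 8].decode("ascii", "replace").strip()


def constructed_fat16_boot_sector() -> bytes:
    """Constructed boot sector for a 64 MiB volume (not Jimmy's drive): 512-byte
    sectors, 4 sectors per cluster, 2 FATs of 128 sectors, 512 root entries."""
    sec = bytearray(512)
    sec[0:3] = b"\xeb\x3c\x90"                      # jump instruction
    sec[3:11] = b"MSDOS5.0"                         # OEM name
    struct.pack_into("<HBHBHHBH", sec, 0x0B, 512, 4, 4, 2, 512, 0, 0xF8, 128)
    struct.pack_into("<HHI", sec, 0x18, 63, 255, 0)  # sectors/track, heads, hidden sectors
    struct.pack_into("<I", sec, 0x20, 131072)        # total sectors (16-bit field above is 0)
    sec[0x24] = 0x80                                 # drive number
    sec[0x26] = 0x29                                 # extended boot signature
    sec[0x2B:0x36] = b"NO NAME    "                  # volume label
    sec[0x36:0x3E] = b"FAT16   "                     # advisory type string
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


if __name__ == "__main__":
    print(classify_fat(constructed_fat16_boot_sector()))
```

The two numbers should agree; when they do not (a relabelled or hand-edited boot sector), the cluster count is the one mount and chkdsk will act on.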

If you are using Windows you can simply open the image with 7zip to extract the file system; otherwise you can mount the image on an empty directory. Mount it read-only so that nothing you do alters the evidence:

>sudo mount -o ro,loop JimmyW_Flash <directory name>

Once mounted we can immediately see the following files:

  • C-47.pdf
  • MyGirl.jpeg
  • PBC-Expungement-Form.pdf

A closer look (ls -la) shows there is also a hidden directory, “.work”.

Looking into the hidden directory we see the following:

  • .work/
    • Mark.jpeg
    • seats.jpg
    • Tail_lookout.jpeg


Analyzing the hidden directory:


Given that the files in the hidden directory seem to relate to Jimmy’s dirty dealings, we should start our investigation here. Even though these files are not especially large, it is good practice to make sure they are not more than they appear (this is where a good hex editor like 010Editor comes in very handy).

First here is a little JPEG/JPG information to bore your friends with:

Most file formats put some form of magic number at or near the very start of the file. In the case of a JPEG/JPG file in JFIF format the first two bytes, 0xFFD8, are actually the Start Of Image (SOI) marker; every JPEG/JPG file starts with them. In a JFIF file the next two bytes are the APP0 marker, 0xFFE0, so it can appear that the magic number of a JFIF JPEG/JPG is 0xFFD8FFE0 (ÿØÿà). Be aware that this only holds for JFIF: an EXIF-style JPEG follows the SOI with an APP1 marker, 0xFFE1, so the only signature common to every JPEG is 0xFFD8. (see https://en.wikipedia.org/wiki/List_of_file_signatures for more)

JPEG/JPG files have another feature: just as they have a Start Of Image (SOI) marker they also have an End Of Image (EOI) marker, 0xFFD9, found at the end of the file. This marker only signals the end of an image, which does not necessarily mean the end of the file. If the file carries a thumbnail (inside an EXIF APP1 segment) there will be an SOI and EOI marker at the beginning and end of the thumbnail data as well, so it is possible to have two SOI markers and two EOI markers. Within the compressed image data itself a 0xFF byte is always followed by 0x00 (byte stuffing) or by a restart marker 0xFFD0 to 0xFFD7, so a stray 0xFFD9 cannot appear there by accident. Either way, the last two bytes of every well-formed JPEG/JPG file should be 0xFFD9.

If we examine Mark.jpeg and Tail_lookout.jpeg we can see that both files start and end with the appropriate SOI and EOI markers. The seats.jpg file, however, does not follow this rule:


Something is wrong here. One quick check is to run “binwalk” on the file in question.

Unfortunately, binwalk did not return a useful result, so we will have to do this the hard way. If you have a copy of 010Editor you can run the JPG.bt template to see very quickly what is going on; the rest of us will have to do a hex search for the EOI marker.

A hex search for the EOI marker returned a single hit, at offset 0x39072. Given the distance from the beginning of the file and the fact that only one marker was found, it is safe to assume that this file does not have a thumbnail block. The file itself is 0x3D06C bytes long, so the JPEG data, which ends at offset 0x39074 just past the EOI marker, is followed by 0x3D06C - 0x39074 = 0x3FF8 extra bytes.

When a JPEG/JPG file is rendered, the decoder stops at the EOI marker and ignores everything that follows, so trailing bytes have no effect on the displayed image. We can confirm this by extracting the first 0x39074 bytes and saving them as a “.jpg” file: it opens and shows the image just as before. The remaining 0x3FF8 bytes are what we need to look at; they may lead us to the evidence the police are looking for.
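As an added example (not part of the original walkthrough), the following Python walks the JPEG marker structure instead of searching for byte patterns: it skips each segment by its declared length, so a thumbnail’s own SOI/EOI inside an APP1 segment cannot fool it, steps over byte-stuffed 0xFF00 and restart markers in the scan data, and splits the file at the real EOI. The sample file is constructed inline (a structurally valid marker stream, not a viewable picture) with a trailer whose first bytes mimic the off-by-one 7z signature found later; on seats.jpg, split_trailer would return the 0x39074-byte image and the 0x3FF8 trailing bytes described above.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM (0x01) and the restart markers RST0-RST7.
STANDALONE = {0x01} | set(range(0xD0, 0xD8))


def _skip_scan(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data. Inside a scan a 0xFF byte is either
    byte-stuffed (followed by 0x00), a fill byte (followed by 0xFF) or an RSTn
    marker; anything else is the next real marker."""
    n = len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            pos += 1
        elif data[pos + 1] == 0x00:
            pos += 2                      # stuffed 0xFF in the coded stream
        elif data[pos + 1] == 0xFF:
            pos += 1                      # fill byte
        elif 0xD0 <= data[pos + 1] <= 0xD7:
            pos += 2                      # restart marker inside the scan
        else:
            return pos                    # a real marker (EOI or another segment)
    raise ValueError("scan data ran off the end of the file without a marker")


def jpeg_markers(data: bytes):
    """Yield (offset, marker_code) for every top-level marker. Segment payloads
    are skipped by their declared length, so an SOI/EOI pair buried inside an
    APPn payload (an EXIF thumbnail) is never mistaken for the real one."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: file does not start with SOI (FFD8)")
    yield 0, SOI
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}, found {data[pos]:#04x}")
        if data[pos + 1] == 0xFF:         # fill byte before the marker code
            pos += 1
            continue
        marker = data[pos + 1]
        yield pos, marker
        pos += 2
        if marker == EOI:
            return
        if marker in STANDALONE:
            continue
        (seg_len,) = struct.unpack_from(">H", data, pos)   # length includes its own two bytes
        pos += seg_len
        if marker == SOS:
            pos = _skip_scan(data, pos)
    raise ValueError("reached end of data without an EOI marker")


def find_eoi(data: bytes) -> int:
    """Offset of the EOI marker that ends the top-level image."""
    return next(offset for offset, marker in jpeg_markers(data) if marker == EOI)


def split_trailer(data: bytes):
    """Split a file into (jpeg, trailer): the bytes up to and including EOI,
    and whatever was appended after it."""
    end = find_eoi(data) + 2
    return data[:end], data[end:]


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample (not Jimmy's file). The APP1 segment carries a fake thumbnail
# with its own SOI/EOI, the scan contains a stuffed 0xFF00 and an RST0 marker, and
# the trailer starts with the same off-by-one 7z signature the walkthrough finds.
SAMPLE_TRAILER = bytes.fromhex("367abcaf271c") + bytes(26) + b"\xaa" * 8
SAMPLE = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"\xff\xd8\xff\xd9")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    + b"\xff\xd9"
    + SAMPLE_TRAILER
)

if __name__ == "__main__":
    image, extra = split_trailer(SAMPLE)
    naive = SAMPLE.find(b"\xff\xd9")
    print(f"first FFD9 by naive search: {naive:#x} (the thumbnail's); real EOI: {find_eoi(SAMPLE):#x}")
    print(f"image: {len(image):#x} bytes; appended after EOI: {len(extra):#x} bytes")
```

The naive search lands on the thumbnail’s EOI in the sample, which is exactly the false positive a hex-editor search on a real EXIF photo produces; the marker walk is what a template like JPG.bt does under the hood.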

The Extra 0x3FF8 bytes of Data

To attack this section there are a couple of avenues we can explore.

  1. Binwalk the extra data looking for any information on what it may contain.

We already did this, in effect, when we ran binwalk over the full jpg file, with no luck.

  2. Check the entropy of the data to determine whether it may be encrypted or compressed.

The easiest way to test the entropy is to throw the carved data into CyberChef: drag and drop the file into the “Input” window, add the Entropy operation to the recipe and “Bake!” (if you pasted a hex dump rather than the raw file, put From Hex in front of it). A value close to the maximum of 8 bits per byte is the signature of compressed or encrypted data, and from the output we can conclude that the hidden data is one of the two.

  3. Look for patterns and magic numbers in the hex.

This data does have some interesting patterns. Compressed or encrypted data should look random, with no long runs of repeated bytes, yet the first 0x20 bytes contain a lot of repetition. That is what a file header with fixed-width fields looks like, not compressed payload. Moreover, there is some very fishy magic at the start of this data.

If we take a close look at the first six bytes we see:

36 7A BC AF 27 1C

Going back to that lovely Wikipedia page (https://en.wikipedia.org/wiki/List_of_file_signatures) you might notice the similarity to the 7zip file magic:

37 7A BC AF 27 1C

It seems Jimmy is trying to be tricky and hide the real file magic from us and our tools; a signature that is off by a single byte is also why binwalk found nothing. The repetitive 0x20 bytes we noticed are the 7z signature header (6-byte signature, 2-byte version, a CRC32, then 64-bit next-header offset and size fields whose upper bytes are all zero for an archive this small). We can test this theory by changing the first byte of the data to 0x37, saving it as a .7z, and trying to unarchive it.

Yup! Extracting the edited data proved somewhat fruitful; the only problem is that Jimmy was smart enough to password-protect his secret file.
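The three avenues above can be automated. This added Python (not the original author’s, and not binwalk’s own logic) computes Shannon entropy, looks for signatures that match a known magic number except for one byte, parses the 32-byte 7z signature header and verifies its start-header CRC, which does not cover the signature bytes and therefore still checks out while the first byte is corrupted. The trailer it runs on is constructed inline: a 7z signature header with the same 0x37 to 0x36 edit, followed by hash output standing in for encrypted archive data. The signature table is a small hand-written list, not a full database.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

# Textbook signatures for a handful of common containers (a small constructed
# table, not a replacement for binwalk's or libmagic's databases).
KNOWN_MAGIC = {
    "7z":   bytes.fromhex("377abcaf271c"),
    "zip":  b"PK\x03\x04",
    "gzip": b"\x1f\x8b\x08",
    "rar":  b"Rar!\x1a\x07",
    "png":  b"\x89PNG\r\n\x1a\n",
    "pdf":  b"%PDF-",
    "elf":  b"\x7fELF",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for compressed or encrypted data,
    roughly 4 to 5 for English text, 0.0 for a run of a single byte value."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def near_magic(data: bytes, max_mismatch: int = 1):
    """Signatures that match the start of data except for at most max_mismatch
    bytes, best match first. Exact-match tools give up at the first wrong byte;
    a single deliberately corrupted byte is exactly what this is meant to catch."""
    hits = []
    for name, magic in KNOWN_MAGIC.items():
        if len(data) >= len(magic):
            mismatches = sum(a != b for a, b in zip(data, magic))
            if mismatches <= max_mismatch:
                hits.append((name, mismatches))
    return sorted(hits, key=lambda hit: hit[1])


def parse_7z_signature_header(data: bytes) -> dict:
    """Decode the fixed 32-byte 7z signature header: 6-byte signature, major and
    minor version, CRC32 of the following 20 bytes, then NextHeaderOffset (u64),
    NextHeaderSize (u64) and NextHeaderCRC (u32)."""
    if len(data) < 32:
        raise ValueError("a 7z signature header is 32 bytes")
    sig, major, minor, start_crc = struct.unpack_from("<6sBBI", data, 0)
    next_off, next_size, next_crc = struct.unpack_from("<QQI", data, 12)
    return {
        "signature_ok": sig == KNOWN_MAGIC["7z"],
        "version": (major, minor),
        "start_header_crc_ok": start_crc == zlib.crc32(data[12:32]),
        "next_header_offset": next_off,
        "next_header_size": next_size,
        "next_header_crc": next_crc,
    }


def repair_magic(data: bytes, name: str) -> bytes:
    """Copy of data with its first bytes overwritten by a known signature, the
    same one-byte patch the walkthrough makes by hand in the hex editor."""
    magic = KNOWN_MAGIC[name]
    return magic + data[len(magic):]


def build_constructed_trailer() -> bytes:
    """Constructed stand-in for the carved 0x3FF8-byte trailer: a 7z signature
    header whose first byte has been changed from 0x37 to 0x36, followed by a
    body of SHA-256 output standing in for compressed, encrypted archive data."""
    body = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 bytes
    next_off, next_size = len(body) - 40, 40           # pretend the last 40 bytes are the end header
    tail = struct.pack("<QQI", next_off, next_size, zlib.crc32(body[next_off:next_off + next_size]))
    header = KNOWN_MAGIC["7z"] + bytes([0, 4]) + struct.pack("<I", zlib.crc32(tail)) + tail
    return b"\x36" + header[1:] + body


if __name__ == "__main__":
    trailer = build_constructed_trailer()
    print(f"entropy of body: {shannon_entropy(trailer[32:]):.2f} bits/byte")
    print("near-miss signatures:", near_magic(trailer))
    fixed = repair_magic(trailer, "7z")
    print("after repair:", parse_7z_signature_header(fixed))
```

The CRC check is the part worth keeping: a start-header CRC that verifies after the one-byte patch tells you the rest of the header is intact and the archive is worth handing to 7z, as opposed to a random six bytes that happen to resemble a signature.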

Finding the Password

Taking a close look at the seats.jpg image, we can use an online tool, http://fotoforensics.com/. From here we can see that there were two big edits to this file:

  1. The first can be seen without difficulty when viewing the image.
  2. The second area was not obvious before. If we take a closer look at this area in the original file we can see what is hidden there.

With a little playing in GIMP we can see this information a little more clearly.

Taking the whole image in context we have the following clues:

  • Old Trafford stadium with the Manchester United logo (Google Images search)
  • G.E Thomas
  • Some form of signal

For those of you who have taken a networking class (or are simply good at googling), the connection between Manchester and G.E. Thomas should point you straight to “Manchester coding”.

In Manchester code (specifically the G.E. Thomas convention) a “1” is represented by a falling edge in the middle of the bit period and a “0” by a rising edge in the middle of the period (nice of Jimmy to also mark the period boundaries for us). Note that the IEEE 802.3 convention used by Ethernet is the exact opposite, so decoding with the wrong one gives you every bit inverted. Reading the signal edge by edge gives the following bit string:

010000100111010101110011011000100111100101000010011011110111100101110011

With a little help from GCHQ’s CyberChef (a quick From Binary) we get “BusbyBoys”. Jimmy must be a Manchester United fan! (see https://en.wikipedia.org/wiki/Manchester_code for more on Manchester code.)
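Added Python example (not from the walkthrough) that encodes and decodes Manchester level sequences under both the G.E. Thomas and IEEE 802.3 conventions, packs the bits to ASCII the way CyberChef’s From Binary does, and rejects a waveform that is misaligned by half a period. The level letters H/L are a notation chosen here, and the waveform for the puzzle is reconstructed from the bit string above, since the picture itself is not reproduced on this page.

```python
# Each Manchester symbol is one bit period split into two half-periods, written
# here as level letters: H (high) and L (low). The transition between the two
# halves carries the data; any edge at the period boundary does not.
GE_THOMAS = {"1": "HL", "0": "LH"}   # 1 = falling edge mid-period, 0 = rising edge (the puzzle's convention)
IEEE_802_3 = {"1": "LH", "0": "HL"}  # Ethernet's convention: the exact opposite


def manchester_encode(bits: str, convention=GE_THOMAS) -> str:
    """Bit string -> half-period level string, two letters per bit."""
    return "".join(convention[b] for b in bits)


def manchester_decode(levels: str, convention=GE_THOMAS) -> str:
    """Half-period level string -> bit string. Assumes the string starts on a
    period boundary (the puzzle marks them); a half-period misalignment is
    caught because some pairs then show no mid-period transition at all."""
    if len(levels) % 2:
        raise ValueError("odd number of half-periods: not aligned to a bit period")
    symbol_to_bit = {v: k for k, v in convention.items()}
    bits = []
    for i in range(0, len(levels), 2):
        symbol = levels[i:i + 2]
        if symbol not in symbol_to_bit:
            raise ValueError(f"no mid-period transition at half-period {i} ({symbol}): "
                             "misaligned start or corrupt signal")
        bits.append(symbol_to_bit[symbol])
    return "".join(bits)


def bits_to_ascii(bits: str) -> str:
    """Pack a bit string into bytes (CyberChef's From Binary) and decode as ASCII."""
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def ascii_to_bits(text: str) -> str:
    return "".join(f"{byte:08b}" for byte in text.encode("ascii"))


# The bit string read off the stadium image in the walkthrough, grouped per byte.
PUZZLE_BITS = ("01000010" "01110101" "01110011" "01100010" "01111001"
               "01000010" "01101111" "01111001" "01110011")
# Its G.E. Thomas waveform, reconstructed from those bits (constructed here).
PUZZLE_WAVEFORM = manchester_encode(PUZZLE_BITS)

if __name__ == "__main__":
    decoded = manchester_decode(PUZZLE_WAVEFORM)
    print(decoded, "->", bits_to_ascii(decoded))
    print("same waveform read with the IEEE 802.3 convention:",
          manchester_decode(PUZZLE_WAVEFORM, IEEE_802_3))
```

If a decode raises on the very first pair, try dropping the first half-period before assuming the signal is corrupt; if the result is ASCII garbage with the high bit set on most bytes, you have the two conventions swapped.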

Last But not Least

Using the “BusbyBoys” password on the hidden archive and BOOM! Jimmy is busted. You have found Jimmy’s illegal books and all the evidence the police need to finally put him in jail. Congratulations!


Enjoy solving puzzles? Make a career out of it!