SHX11 : stego200-brazil_icon

There is something wrong with this icon.


There's a Brazilian icon flag..

With a ZIP file inside. So, I dumped the ZIP and tried to extract..

Nope! requires a password, and i have no clue where found it.

So I launched the hex-editor to do a deep look into this..

Here's our ZIP, starting by the hex signature 50 4B 03 04, and a lot of junk below..

You can see this clealy dumping the hex and adjusting the columns

$ xxd -c 76 ico.ico > xxx

At the first sight I thought it was a reflection of the bytes used to create the ICO file..

But no, this is an ASCII Art generated from the .ico image and strategically added to the end of the file, if you remove this, the ico still working displaying the Brazilian flag.

So, I've started removing/filling w/ zero bytes the zipfile and all that could be junk to see what happens w/ the ICO..

After A LOT of tries.. BAM! I can see another ICO beyond the Brazilian flag, this icon showed the password prefix of the ZIP file, then the brute-force becomes easy!

The flag..

I'm not sure if this was the correct correct way to solve it, but it worked!

Solution update

After scored the flag I talked w/ the admin, and I really solved w/ a lot of overthink(like always..).

This icon w/ the password is concatenated at the end of the file!

But it may be tricky to cut because the ICO signature is 00 00 01 00 and it can be found at the footer of the every ZIP file. This complicated my attempts to crop the icon.

You need to figure out the footer of ZIP file and the header of ICO file to start the crop.

And that ASCII art? Is not an ASCII art, It was generated by ICO like as I was thinking..