06 Dec 2023
Reverse engineering A Christmas DOScovery: Tapes of Yule-tide Past

Had to skip yesterday, so I’m behind a task, but used an easy question to keep the streak. This seems like it’ll be a stroll down memory lane.
File signatures, or magic bytes, are specific byte sequences at the beginning of a file used to identify or verify its content type and format. They often correspond to ASCII characters for easier human readability. The identification process helps applications quickly determine if they can handle the file, helping with functionality and security. Knowing magic bytes can help quickly identify malicious or suspicious activity and choose the right tool for deeper analysis.
Common files and their magic bytes:
| Format | Magic Bytes | ASCII |
|---|---|---|
| PNG | 89 50 4E 47 0D 0A 1A 0A | %PNG |
| GIF | 47 49 46 38 | GIF8 |
| Windows/DOS EXE | 4D 5A | MZ |
| ELF EXEs | 7F 45 4C 46 | .ELF |
| MP3 | 49 44 33 | ID3 |
Fix the magic bytes, restore, get the flag.
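The check-then-repair workflow from this task, as an added example that is not code from the task itself. It uses the signatures from the table above; the extension map, function names and sample bytes are constructed for illustration, and the repair assumes the damaged header was overwritten in place rather than removed.

```python
import os

# Signatures from the table above (PNG uses the standard 8-byte signature).
SIGNATURES = {
    "PNG": bytes.fromhex("89504E470D0A1A0A"),
    "GIF": bytes.fromhex("47494638"),
    "EXE": bytes.fromhex("4D5A"),      # Windows/DOS "MZ"
    "ELF": bytes.fromhex("7F454C46"),
    "MP3": bytes.fromhex("494433"),    # "ID3" tag
}
# Assumed extension-to-format map, for illustration only.
EXTENSIONS = {".png": "PNG", ".gif": "GIF", ".exe": "EXE", ".mp3": "MP3"}

def identify(data):
    """Return the format whose signature starts `data`, or None."""
    # Longest first, so a short signature never shadows a longer one.
    for fmt, sig in sorted(SIGNATURES.items(), key=lambda kv: -len(kv[1])):
        if data.startswith(sig):
            return fmt
    return None

def check(name, data):
    """Compare what the extension claims with what the header says."""
    claimed = EXTENSIONS.get(os.path.splitext(name)[1].lower())
    actual = identify(data)
    if actual is None:
        verdict = "unknown"       # damaged header or unlisted format
    elif claimed is None:
        verdict = "unclaimed"     # extension gives nothing to compare
    else:
        verdict = "match" if claimed == actual else "mismatch"
    return claimed, actual, verdict

def repair_header(data, fmt):
    """Overwrite the leading bytes with fmt's signature.
    Assumes the header was overwritten in place, not removed."""
    sig = SIGNATURES[fmt]
    if len(data) < len(sig):
        raise ValueError("data shorter than signature")
    return sig + data[len(sig):]

# Constructed samples, not real files.
DISGUISED = b"MZ\x90\x00\x03\x00"          # EXE header, named like an image
DAMAGED = b"\x00" * 4 + b"9a\x01\x00"      # GIF with its first 4 bytes zeroed

if __name__ == "__main__":
    print(check("photo.png", DISGUISED))
    print(check("tape.gif", DAMAGED))
    print(check("tape.gif", repair_header(DAMAGED, "GIF")))
```

A "mismatch" verdict is the one worth triaging: the extension promises one format while the header says another.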
x64 Assembly Crash Course