Unpacking the given archive yields the file ./forensics300-e130c3621118e4b891fbceb67e2c94cc.dd.

$ file ./forensics300-e130c3621118e4b891fbceb67e2c94cc.dd
./forensics300-e130c3621118e4b891fbceb67e2c94cc.dd: data

It is raw-format data, but the .dd extension alone suggests it was produced with the Linux dd command, and a look at the contents with strings suggests that some hard disk device was dumped with dd. Browsing the strings output, an interesting string, 'kenshoto', turns up.

$ strings ./forensics300-e130c3621118e4b891fbceb67e2c94cc.dd |grep kenshoto
/Title (kenshoto) >>
kenshoto.pdf
kenshoto.pdf
kenshoto.ps
%%Title: (kenshoto)
/Title(kenshoto)def
kenshoto.pdf
kenshoto.pdf
kenshoto.ps
%%Title: (kenshoto)
/Title(kenshoto)def
/Title (kenshoto) >>

From this we can infer that the dumped disk held the files kenshoto.pdf and kenshoto.ps. So I wrote a script, restore.py, that recovers kenshoto.pdf and kenshoto.ps from the image by their PDF and PS format signatures.

===========================================================
$ cat restore.py
#!/usr/bin/env python3
# restore.py: carve PDF and PostScript files out of the dd image by their
# header signatures. Each hit is written from the signature to the end of
# the image; where each file really ends is worked out afterwards.

Pattern_PDF = b"\x25\x50\x44\x46"   # "%PDF"
Pattern_PS = b"\x25\x21\x50\x53"    # "%!PS"
OrgFile = "forensics300-e130c3621118e4b891fbceb67e2c94cc.dd"

with open(OrgFile, "rb") as f:
    fstr = f.read()

def restore(pattern, prefix, ext):
    # Find every occurrence of the header signature and dump from there to EOF.
    idx = 0
    while True:
        idx = fstr.find(pattern, idx)
        if idx == -1:
            break
        filename = "%s_%08x.%s" % (prefix, idx, ext)
        with open(filename, "wb") as out:
            out.write(fstr[idx:])
        print("restored [%s]" % filename)
        idx = idx + 1

restore(Pattern_PDF, "pdf", "pdf")
restore(Pattern_PS, "ps", "ps")
=========================================================================
$ ./restore.py
restored [pdf_00410000.pdf]
restored [pdf_016e4000.pdf]
restored [ps_00420000.ps]
restored [ps_016a0000.ps]
$ file pdf_00410000.pdf
pdf_00410000.pdf: PDF document, version 1.3
$ file pdf_016e4000.pdf
pdf_016e4000.pdf: PDF document, version 1.3
$ file ps_00420000.ps
ps_00420000.ps: PostScript document text conforming at level 3.0
$ file ps_016a0000.ps
ps_016a0000.ps: PostScript document text conforming at level 3.0
===========================================================

The recovered files allow two solutions: one is to analyze the ps file, the other is to analyze the pdf file.

************************************************
1. ps analysis

As shown below, the answer can be read out simply with ps2ascii.

$ ps2ascii ./ps_00420000.ps |grep key
DefCon CTF 2007 * The key for CTF 2007 Quals is: "in the other file" DefCon CTF 2006 ....
************************************************

************************************************
2. pdf analysis

To find where each file ends you could check each format's EOF signature, but more simply, since the ps file starts at offset 0x420000, we can infer that the EOF of pdf_00410000.pdf lies at about offset 0x00420000, i.e. the PDF is at most 0x420000 - 0x410000 = 0x10000 = 65536 bytes long.

========================================================================
$ cut --bytes=-65536 ./pdf_00410000.pdf > dump.pdf
$ file dump.pdf
dump.pdf: PDF document, version 1.3
========================================================================

Opening the dump.pdf file above in a pdf viewer shows a document that looks like a capture of the kenshoto homepage, where the answer can be confirmed.

* The key for CTF 2007 Quals is: "in the other file"
************************************************
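Section 2 above gets away with bounding the PDF by the next file's start offset because the two files happen to sit next to each other on disk. The more general approach it mentions, carving from each format's header to its trailer signature, is shown below as an added example; this is my code, not the writeup's restore.py. It assumes both PDF and PostScript (DSC) files end with a "%%EOF" comment, takes the last "%%EOF" before the next header so a PDF with incremental updates is kept whole, flags a hit with no trailer as incomplete, and runs on a constructed stand-in image when given no argument (the image layout and file names are made up for the demo).

```python
import os
import sys

# Header and trailer signatures for the two formats found on the image.
# Both PDF and PostScript (DSC) files terminate with a "%%EOF" comment.
SIGNATURES = {
    "pdf": (b"%PDF", b"%%EOF"),
    "ps": (b"%!PS", b"%%EOF"),
}


def find_headers(image):
    """Return every (offset, kind) header hit, sorted by offset."""
    hits = []
    for kind, (header, _trailer) in SIGNATURES.items():
        idx = image.find(header)
        while idx != -1:
            hits.append((idx, kind))
            idx = image.find(header, idx + 1)
    return sorted(hits)


def carve(image):
    """Carve each header..trailer span out of a raw image.

    The candidate region for a hit runs from its header up to the next header
    of any kind (or the end of the image).  Within that region the LAST
    "%%EOF" is taken as the end of file, so a PDF with incremental updates
    (several %%EOF markers) is kept whole.  A region with no trailer is
    returned as-is and flagged incomplete.
    """
    hits = find_headers(image)
    carved = []
    for n, (start, kind) in enumerate(hits):
        limit = hits[n + 1][0] if n + 1 < len(hits) else len(image)
        region = image[start:limit]
        trailer = SIGNATURES[kind][1]
        end = region.rfind(trailer)
        if end == -1:
            data, complete = region, False
        else:
            data, complete = region[:end + len(trailer)], True
        carved.append({"kind": kind, "offset": start, "size": len(data),
                       "complete": complete, "data": data})
    return carved


def write_carved(carved, outdir="."):
    """Write each carved object as <kind>_<offset>.<kind>, like restore.py does."""
    names = []
    for item in carved:
        name = os.path.join(outdir, "%s_%08x.%s" % (item["kind"], item["offset"], item["kind"]))
        with open(name, "wb") as out:
            out.write(item["data"])
        names.append(name)
    return names


def build_sample_image():
    """Constructed stand-in for the dd image: zero filler, a small PDF with one
    incremental update (two %%EOF markers), more filler, a PS file, filler."""
    pdf = (b"%PDF-1.3\n"
           b"1 0 obj << /Title (kenshoto) >> endobj\n"
           b"trailer << /Root 1 0 R >>\n%%EOF\n"
           b"2 0 obj << /Type /Catalog >> endobj\n"
           b"trailer << /Root 2 0 R /Prev 9 >>\n%%EOF\n")
    ps = (b"%!PS-Adobe-3.0\n%%Title: (kenshoto)\n"
          b"(The key for CTF 2007 Quals is: \"in the other file\") show\n%%EOF\n")
    filler = b"\x00" * 512
    return filler + pdf + filler + ps + filler


if __name__ == "__main__":
    # Usage: carve_by_trailer.py <image>; with no argument the constructed sample is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for item in carve(image):
        print("%s at 0x%08x, %d bytes, %s" % (item["kind"], item["offset"], item["size"],
                                              "complete" if item["complete"] else "no trailer"))
```

The trailer search is deliberately bounded by the next header rather than the end of the image: an unbounded rfind for "%%EOF" would otherwise pick up the trailer of a later file (here the PS at 0x420000) and glue slack space and the next file onto the carved PDF, which is exactly the problem the cut --bytes step above works around by hand.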