Ghost in the Shellcode 2014: Revenge of Imgception
- Revenge of Imgception consists of 8 stages. Each stage involves extracting one type of image from another.
- Prior to the game, a large number of images will be pre-generated to save processing power and reduce the infrastructure requirements of the challenge. Players will be presented with a randomly chosen image from this set. The idea is to cause confusion among the players, as two players working the challenge together are unlikely to receive the same image, though the challenge proceeds identically for all images. This behavior continues for the duration of the challenge, as the images for each stage are randomly selected when the challenge is generated.
- 1-1: The file is a JPEG. The next stage is hidden in comment fields (\xFF\xFE). The number of comment fields is variable because they have a maximum size of 65535.
- 2-1: The file is an animated GIF. The next stage is hidden in a set of comment extensions as binary data. The number of comment extensions is variable depending on the size of the next stage.
- 3-1: The file is a zip full of PNG files. The next stage is spread among them. Each PNG has a custom chunk marked with a "icTf" header. Each chunk begins with 3 bytes of the order string ("ThankYouMarioButOurPrincessIsInAnotherCastle" * 20) followed by a null byte, followed by binary data. The binary data chunks from each file must be concatenated together in the order given by the order string. The entirety of the order string may not be used, as the zip contains a variable number of files.
- 4-1: The file is a floppy disk image containing the next stage. Nothing special about this one. The previous stage is complex enough to warrant a freebie.
- 5-1: The file is a Super Mario Brothers ROM image for the Nintendo Entertainment System. It is playable in the fceux emulator, and the hope is that players will attempt to play through the game to continue to the next stage. However, the next stage has actually been concatenated to the end of the ROM, and is marked with "GITS" * 512.
- 6-1: The file is an ISO image with a hidden directory. When mounted with default (linux) options, the only apparent file is a JPEG image. However, when mounted with the --no-joliet option, the next stage becomes apparent.
- 7-1: The file is a multi-page TIFF image with broken file magic. The file magic is \x49\x4d\x2a\x2a. The TIFF file header indicates whether the image is little or big endian by the first two bytes being either \x49\x49 (little) or \x4d\x4d (big). The next two bytes are similarly arranged, either \x2a\x00 (little) or \x00\x2a (big). The correct file header for this image is \x49\x49\x2a\x00. Once the header is fixed, the image contains three images - one world 7-1 image and two apparently identical world 8-1 images that constitute the next stage.
- 8-1: The files are two apparently identical greyscale BMP images. The images are not, however, identical. The final image is steganographically hidden in the delta between color byte values. By subtracting the byte values in one file from the corresponding byte in the other, some bytes will result in a value between -8 and +7. Each value represents a single nibble of the final image.
- The final image contains a congratulatory message and the key: K00pas@llth3w@yd0wn