Pas un PDF

Apr 08, 2026

Summary

The provided archive contained a fake executable that was actually an obfuscated PDF. The payload used a repeating 7-byte XOR key, and the final flag was recovered from rendered PDF text.

Evidence

  • must_examine.zip contained not_a_pdf.exe.
  • file reported the extracted file as generic data, not a PE executable.
  • The file started with ==CTF== and showed a period-7 index-of-coincidence spike.
  • Repeating-key XOR with key %PDF-1. produced valid PDF syntax.
  • Ghostscript text extraction found a flag token split across wrapped lines.

Steps

  1. Extract and classify the file.

     unzip -l "must_examine.zip"
     unzip -o "must_examine.zip"
     file "not_a_pdf.exe"
     xxd -l 128 "not_a_pdf.exe"
     strings -n 6 "not_a_pdf.exe"

  2. Identify the transform. Byte-distribution and index-of-coincidence (IoC) checks showed a repeating period of 7. Printable-character maximization and PDF cribbing recovered the 7-byte XOR key %PDF-1. (the trailing dot is part of the key).

  3. Decode the payload using the repeating XOR key and save it as a PDF.

     from pathlib import Path

     data = Path("not_a_pdf.exe").read_bytes()
     key = b"%PDF-1."
     # XOR each byte with the key byte at the same position modulo the key length
     decoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
     Path("recovered.pdf").write_bytes(decoded)

  4. Extract text through the PDF renderer.

     gs -q -dNOPAUSE -dBATCH -sDEVICE=txtwrite \
       -sOutputFile="gs_text.txt" "recovered.pdf"

  5. Search the extracted text for the wrapped flag token.

     rg -i "UQAC|flag|ctf|\{" gs_text.txt
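
The period check and crib-based key recovery from step 2, as an added example that is not part of the original write-up. It runs on a constructed PDF-like sample under a made-up key (SAMPLE_KEY); the function names, the endstream crib, the check tokens and the 0.7 threshold are assumptions of this example.

```python
from collections import Counter

def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (the same operation encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def ioc(buf: bytes) -> float:
    """Index of coincidence: probability that two bytes drawn from buf are equal."""
    n = len(buf)
    return sum(c * (c - 1) for c in Counter(buf).values()) / (n * (n - 1)) if n > 1 else 0.0

def period_scores(data: bytes, max_period: int = 16) -> dict:
    """Mean IoC of the p interleaved columns, for each candidate key length p."""
    return {p: sum(ioc(data[i::p]) for i in range(p)) / p
            for p in range(1, max_period + 1)}

def guess_period(data: bytes, max_period: int = 16) -> int:
    """Smallest period scoring near the maximum; multiples of the key length spike too."""
    scores = period_scores(data, max_period)
    best = max(scores.values())
    return min(p for p, s in scores.items() if s >= 0.7 * best)  # 0.7 is an assumed cutoff

def crib_key(data: bytes, period: int, crib: bytes, checks: list) -> bytes:
    """Slide a known token over data; keep the key whose decode has the most check tokens."""
    assert len(crib) >= period, "crib must cover one full key period"
    best_key, best_hits = b"", -1
    for off in range(len(data) - len(crib) + 1):
        ks = bytes(c ^ p for c, p in zip(data[off:off + len(crib)], crib))
        if any(ks[i] != ks[i - period] for i in range(period, len(ks))):
            continue  # keystream does not repeat every `period` bytes at this offset
        key = bytes(ks[(k - off) % period] for k in range(period))  # rotate to file offset 0
        decoded = xor(data, key)
        hits = sum(decoded.count(t) for t in checks)
        if hits > best_hits:
            best_key, best_hits = key, hits
    return best_key

# Constructed sample: PDF-like text under a made-up key (not the challenge file or its key).
FILLER = b"constructed sample text for the period test"
PLAIN = b"%PDF-1.4\n" + b"".join(
    b"%d 0 obj\n<< /Length %d >>\nstream\nBT (%s) Tj ET\nendstream\nendobj\n"
    % (n, 17 + (n * 11) % 23, FILLER[:5 + (n * 11) % 23]) for n in range(1, 41))
SAMPLE_KEY = b"k3y!XoR"
SAMPLE = xor(PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    period = guess_period(SAMPLE)
    print(period, crib_key(SAMPLE, period, b"endstream", [b"endobj", b" 0 obj"]))
```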

Flag

Recovered, but redacted in the local notes.

Notes

Simple string extraction was not enough because the flag was embedded in PDF content and split across rendered text lines.