Attempting to see what it contains leads to an error. After inspecting it using a hex editor (hexed.it) I saw that the first bytes were missing.
This means that the file has ben XORed with the first 8 bytes.
Python code for for XORing 2 files:
import sys
def xor_files(file1_path, file2_path, output_path):
with open(file1_path, 'rb') as file1, open(file2_path, 'rb') as file2:
data1 = file1.read()
data2 = file2.read()
key = (data2 * (len(data1) // len(data2) + 1))[:len(data1)]
result_data = bytes(x ^ y for x, y in zip(data1, key))
with open(output_path, 'wb') as output_file:
output_file.write(result_data)
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Usage: python xor.py <file_path> <key_file_path> <output_path>")
sys.exit(1)
file1_path = sys.argv[1]
file2_path = sys.argv[2]
output_path = sys.argv[3]
xor_files(file1_path, file2_path, output_path)
print("XOR operation completed. Result saved to", output_path)
Additionally, the presence of "PK" markers suggests that it's formatted as a ZIP archive rather than a RAR file.
XORing it with the initial bytes of a ZIP file (50 4b 03 04) still results in a corrupted file, indicating that the header bytes are incomplete.
After closer inspection I observed 2 interesting strings.
This means that inside the zip there might be a file called xo.rar.pdf.
The xor between the wrong name file and the correct one gave me the missing bytes from the header. The header is:
In the ZIP file, the PDF seemed empty, but when I selected all (Ctrl+A), some text appeared. Right-clicking and choosing "search on web" revealed the contents: the flag.
