Location>code7788 >text

2024 ByteCTF

Popularity:428 ℃/2024-09-23 16:33:48

ByteCTF

Extreme Escape

Topic description:This question requires dynamic debugging to analyze the content to be entered, may be in some places will be prompted to appear.

This is an IOS reverse, as there is no device to analyze only statically

The process is roughly the same as Android Reverse Unzip and drag into ida

Prompt to enter flag format Cut according to "-"

image-20240922093743354

It's actually the uuid format, and there is an assignment operation after it is entered correctly

image-20240922093821488

Then look down and notice

{%@-%@-%@-%@-%@} part5,part2,part3,part4,part5

Compute the sha256 of this string

image-20240922093913056

This is followed by a slicing operation based on the length of each part, and then a substitution

Note where each section begins

Final comparison

48d43cd4a6479fe599dee4ea8ea8b21d

Final slices for replacement

a="6c9838a3c6810bdb2633ed5910b8547c09a7a4c08bf69ae3a95c5c37f9e8f57e"
#print 1 to 9
for i in range(1,9):
    print(a[i],end='')
print("-",end='')
for i in range(9,13):
    print(a[i],end='')
print("-",end='')    
for i in range(5,9):
    print(a[i],end='')
print("-",end='')
for i in range(5,9):
    print(a[i],end='')
print("-",end='')
for i in range(5,17):
    print(a[i],end='')


# c9838a3c-6810-8a3c-8a3c-8a3c6810bdb2

ByteBuffer

Serialization format of FlatBuffers

FlatBuffers is the object data, stored in a one-dimensional array, the data are cached in a ByteBuffer, each object in the array is divided into two parts.

Metadata section: responsible for storing the index. Real data section: holds the actual values

Use a 4-byte UInt to store a 10-digit integer.

FlatBuffers' basic usage principles for serialization:

  • Small-end mode.FlatBuffers stores all kinds of basic data according to the small-end mode, because this mode is currently consistent with the storage mode of most processors, which can speed up the data read and written data.
  • Write data direction is different from read data direction

From the given binary

One part gives dot data

image-20240922153822793

The other part gives Edge data

image-20240922153843192

Corresponding to the points and edges, we need to recover the original data

dot data in groups of 4

image-20240922154056092

Small end-ordering is used here

x1=06 40=1600 y1=4B=75 In order, you can get the data for all the points every four places.

Ditto. On the edge.

image-20240922154930836

Edge #103 corresponds to 0x77 0x75, which is point 119 117.

Stud scripts can be written based on the principle of

cnt = 0

with open("", "rb") as file:
    ans = ()

# print(ans)
import struct

edge_index = 0x3AC
dot_index = 0x1230

while edge_index < 0x120C:
    tmp = ("<Q", ans[edge_index : edge_index + 8])[0]
    edge_index += 8
    dot1 = ("<L", ans[edge_index : edge_index + 4])[0]
    edge_index += 4
    dot2 = ("<L", ans[edge_index : edge_index + 4])[0]
    edge_index += 4
    edge_index += 4
    length = ((("<L", ans[edge_index : edge_index + 4])[0] + 4) // 4) * 4
    # print(length)
    edge_index += 4
    name = ans[edge_index : edge_index + length].decode()

    print("line_name:" + name)
    print("linked_dot1:" + str(dot1))
    print("linked_dot2:" + str(dot2))
    edge_index += length

print("line_name:" + "Edge #0")
print("linked_dot1:" + str(2))
print("linked_dot2:" + str(1))

while dot_index < 0x1F88:
    tmp = ("<L", ans[dot_index : dot_index + 4])[0]
    dot_index += 4
    x1 = ("<L", ans[dot_index : dot_index + 4])[0]
    dot_index += 4
    y1 = ("<L", ans[dot_index : dot_index + 4])[0]
    dot_index += 4
    dot_index += 4
    length = ((("<L", ans[dot_index : dot_index + 4])[0] + 4) // 4) * 4
    # print(length)
    dot_index += 4
    name = ans[dot_index : dot_index + length].decode()

    print("dot_name:" + name)
    print("x:" + str(x1))
    print("y:" + str(y1))
    dot_index += length

print("dot_name:" + "Dot #2")
print("x:" + str(0x19))
print("y:" + str(0x4B))

capture

image-20240922155041251

Then plot the points and lines in relation to each other

import as plt

# Read data
dots = {}
edges = []

with open("1(1).txt", "r") as f.
    lines = ()

for i in range(0, len(lines), 3): line = lines[i].strip().
    line = lines[i].strip()
    if ("dot_name").
        dot_name = (":")[1].split("#")[1])
        line2 = lines[i + 1].strip()
        line3 = lines[i + 2].strip()
        x = int((":")[1])
        y = int((":")[1])
        dots[dot_name] = (y, x)
    elif ("line_name").
        line_name = (":")[1])
        line2 = lines[i + 1].strip()
        line3 = lines[i + 2].strip()
        line3 = lines[i + 2].strip() dot1 = (":")[1]
        dot2 = (":")[1]
        ((dot1, dot2))

# Draw the dots
for dot_name, (x, y) in ().
    (x, y)

# Draw line segments
for dot1, dot2 in edges.
    x1, y1 = dots[dot1]
    x2, y2 = dots[dot2]
    ([x1, x2], [y1, y2], "b-")

# Set the label
("X")
("Y")
()
()

image-20240922155303954

Get the flag.