ByteCTF
Extreme Escape
Topic description: This question requires dynamic debugging to analyze the content to be entered; hints may appear in some places.
This is an iOS reversing challenge. As no device was available, it could only be analyzed statically.
The process is roughly the same as for Android reversing: unzip the package and load the binary into IDA.
The app prompts for the flag in a fixed format, and the input is split on "-".
It is actually the UUID format, and an assignment operation follows once the input has the correct form.
Further down, note the format string:
{%@-%@-%@-%@-%@} part5,part2,part3,part4,part5
The SHA-256 of this string is computed.
This is followed by a slicing operation based on the length of each part, and then a substitution.
Note where each section begins.
Then comes the final comparison.
The final slices used for the replacement:
a = "6c9838a3c6810bdb2633ed5910b8547c09a7a4c08bf69ae3a95c5c37f9e8f57e"
# print characters 1 through 8 of the hash
for i in range(1, 9):
    print(a[i], end='')
print("-", end='')
# characters 9 through 12
for i in range(9, 13):
    print(a[i], end='')
print("-", end='')
# characters 5 through 8 (used twice)
for i in range(5, 9):
    print(a[i], end='')
print("-", end='')
for i in range(5, 9):
    print(a[i], end='')
print("-", end='')
# characters 5 through 16
for i in range(5, 17):
    print(a[i], end='')
# c9838a3c-6810-8a3c-8a3c-8a3c6810bdb2
ByteBuffer
Serialization format of FlatBuffers
FlatBuffers stores object data in a one-dimensional array that is cached in a ByteBuffer. Each object in the array is divided into two parts.
Metadata section: responsible for storing the index. Real data section: holds the actual values.
A 4-byte UInt is used to store a 10-digit integer.
FlatBuffers' basic usage principles for serialization:
- Little-endian mode. FlatBuffers stores all basic data types in little-endian order, because this matches the storage order of most current processors, which speeds up reading and writing data.
- The direction in which data is written differs from the direction in which it is read.
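How the metadata section (the vtable index) and the real data section fit together, as an added example that is not part of the original writeup: a minimal reader run over a constructed 44-byte buffer. The three-field schema (x, y, name), the sample values and all function names are assumptions for illustration.

```python
import struct

def u16(buf, pos):
    return struct.unpack_from("<H", buf, pos)[0]

def u32(buf, pos):
    return struct.unpack_from("<I", buf, pos)[0]

def build_sample():
    """Constructed buffer: one table with the assumed fields x, y, name."""
    name = b"Dot #3"
    root = struct.pack("<I", 16)                             # 0: root table is at 16
    vtable = struct.pack("<5H", 10, 16, 4, 8, 12) + b"\0\0"  # 4: sizes, 3 field slots, pad
    table = struct.pack("<iIII", 12, 1600, 75, 4)            # 16: vtable ref, x, y, name ref
    string = struct.pack("<I", len(name)) + name + b"\0\0"   # 32: length, bytes, NUL + pad
    return root + vtable + table + string

def field_pos(buf, table, index):
    """Absolute position of field `index`, or None if the vtable omits it."""
    vtable = table - struct.unpack_from("<i", buf, table)[0]
    slot = 4 + 2 * index                 # skip the two uint16 size entries
    if slot >= u16(buf, vtable):         # slot lies beyond this vtable
        return None
    off = u16(buf, vtable + slot)
    return table + off if off else None  # offset 0 means "field not stored"

def read_scalar(buf, table, index, default=0):
    pos = field_pos(buf, table, index)
    return default if pos is None else u32(buf, pos)

def read_string(buf, table, index):
    pos = field_pos(buf, table, index)
    if pos is None:
        return None
    start = pos + u32(buf, pos)          # string offsets are relative to the slot itself
    length = u32(buf, start)
    if start + 4 + length > len(buf):
        raise ValueError("string runs past end of buffer")
    return buf[start + 4:start + 4 + length].decode()

def read_dot(buf):
    table = u32(buf, 0)                  # root offset at the start of the buffer
    return {"x": read_scalar(buf, table, 0), "y": read_scalar(buf, table, 1),
            "name": read_string(buf, table, 2)}

if __name__ == "__main__":
    print(read_dot(build_sample()))
```

The string occupies 4 + 8 bytes here: the length prefix, the six name bytes, a NUL terminator and one padding byte to reach a 4-byte boundary.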
From the given binary:
One part gives the dot data.
The other part gives the edge data.
From these points and edges, we need to recover the original data.
The dot data comes in groups of 4.
Little-endian byte order is used here.
x1 = 06 40 = 1600, y1 = 4B = 75. Proceeding in order, every group of four gives the data for one point.
The same applies to the edges.
Edge #103 corresponds to 0x77 0x75, which are points 119 and 117.
Scripts can be written based on this principle:
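import struct

cnt = 0
# Path of the given binary (left empty on the page)
with open("", "rb") as file:
    ans = file.read()
# print(ans)
edge_index = 0x3AC
dot_index = 0x1230
# Edge records: 8 skipped bytes, two uint32 point indices, 4 skipped bytes,
# then a uint32 length followed by the padded name
while edge_index < 0x120C:
    tmp = struct.unpack("<Q", ans[edge_index : edge_index + 8])[0]
    edge_index += 8
    dot1 = struct.unpack("<L", ans[edge_index : edge_index + 4])[0]
    edge_index += 4
    dot2 = struct.unpack("<L", ans[edge_index : edge_index + 4])[0]
    edge_index += 4
    edge_index += 4
    # name length plus NUL terminator, rounded up to a multiple of 4
    length = ((struct.unpack("<L", ans[edge_index : edge_index + 4])[0] + 4) // 4) * 4
    # print(length)
    edge_index += 4
    # strip the NUL terminator and padding so the name prints cleanly
    name = ans[edge_index : edge_index + length].decode().rstrip("\x00")
    print("line_name:" + name)
    print("linked_dot1:" + str(dot1))
    print("linked_dot2:" + str(dot2))
    edge_index += length
# Record printed by hand after the loop
print("line_name:" + "Edge #0")
print("linked_dot1:" + str(2))
print("linked_dot2:" + str(1))
# Dot records: 4 skipped bytes, uint32 x, uint32 y, 4 skipped bytes,
# then a uint32 length followed by the padded name
while dot_index < 0x1F88:
    tmp = struct.unpack("<L", ans[dot_index : dot_index + 4])[0]
    dot_index += 4
    x1 = struct.unpack("<L", ans[dot_index : dot_index + 4])[0]
    dot_index += 4
    y1 = struct.unpack("<L", ans[dot_index : dot_index + 4])[0]
    dot_index += 4
    dot_index += 4
    length = ((struct.unpack("<L", ans[dot_index : dot_index + 4])[0] + 4) // 4) * 4
    # print(length)
    dot_index += 4
    name = ans[dot_index : dot_index + length].decode().rstrip("\x00")
    print("dot_name:" + name)
    print("x:" + str(x1))
    print("y:" + str(y1))
    dot_index += length
# Record printed by hand after the loop
print("dot_name:" + "Dot #2")
print("x:" + str(0x19))
print("y:" + str(0x4B))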
Then plot the points and the lines that connect them:
import matplotlib.pyplot as plt

# Read data: the file holds the output of the script above, three lines per record
dots = {}
edges = []
with open("1(1).txt", "r") as f:
    lines = f.readlines()
for i in range(0, len(lines), 3):
    line = lines[i].strip()
    if line.startswith("dot_name"):
        # "dot_name:Dot #N" -> "N"
        dot_name = line.split(":")[1].split("#")[1]
        line2 = lines[i + 1].strip()
        line3 = lines[i + 2].strip()
        x = int(line2.split(":")[1])
        y = int(line3.split(":")[1])
        # stored as (y, x), so the drawing is transposed
        dots[dot_name] = (y, x)
    elif line.startswith("line_name"):
        line_name = line.split(":")[1]
        line2 = lines[i + 1].strip()
        line3 = lines[i + 2].strip()
        dot1 = line2.split(":")[1]
        dot2 = line3.split(":")[1]
        edges.append((dot1, dot2))
# Draw the dots
for dot_name, (x, y) in dots.items():
    plt.scatter(x, y)
# Draw line segments
for dot1, dot2 in edges:
    x1, y1 = dots[dot1]
    x2, y2 = dots[dot2]
    plt.plot([x1, x2], [y1, y2], "b-")
# Set the labels
plt.xlabel("X")
plt.ylabel("Y")
plt.show()
Get the flag.