### babyrev

main problem about this chall is that the second check after name check for `bossbaby` is in a function that manually stack allocs 

so i spent like a good 30 mins reversing the alloc part without realizing thats completely unrelated to the challenge lmfao

the real computation is in `0x1209` - which IDA seems to have trouble matching since it think `0x1208` is a valid function so i had to undefine and define again to check

then after that its just copying from the decompilation and stitching into a solve script

speaking of which:
```c
#include <stdio.h>
#include <stdlib.h>

int main()
{
    int dword_4020[] = {0x66, 0x0D9, 0x188, 0x341, 0x7C0, 0x6F9, 0x18A4, 0x95, 0x10A,
                        0x1D5, 0x37C, 0x3A9, 0x7B0, 0x1969, 0x127, 0x1A3, 0x1C4, 0x2B9,
                        0x754, 0x889, 0x0F50, 0x1F0, 0x254, 0x2D9, 0x558, 0x571, 0x924,
                        0x1019, 0x342, 0x3AD, 0x508, 0x6E9, 0x0A30, 0x10E1, 0x1284,
                        0x500, 0x5D2, 0x74D};

    char flag[38];
    
    long ptr = (long) malloc(38*4);
    
    for(int i = 0; i < 38; i++) {
        
        for(char c = 32; c < 127; c++) {
            
            *(int *)(4 * i + ptr) = (c << ((char)i % 7)) + i * i;  //from sub_1209, after fixing offset
            
            if ( dword_4020[i] == *(int *)(ptr + 4 * i) )  //from sub_12AD comparison
                flag[i] = c;
                
        }
    }

    printf("%s\n", flag);
    return 0;
}
```

### a wild ride

another gpx problem eyy (maplectf nostalgia alr at this point kekw)

this time we have to deal with gpx in a encrypted zip instead of fishing out from pcap though, but the zip uses zipcrypto which is really weak

so https://github.com/kimci86/bkcrack to the rescue using xml header as plaintext for the attack

and after 5 secs we got the password `crackme` lmao wouldve got it using hashcat anyway

then its just merging the gpx and using the same gpx visualizing site i used in maplectf (https://www.gpsvisualizer.com/) to get the flag lmao (had to squint at the handwriting tho lmfao)

merge script:
```py
import os

all = ['<?xml version="1.0" encoding="UTF-8"?>\n',
'<gpx xmlns="http://www.topografix.com/GPX/1/1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd" version="1.1" creator="gpx.py -- https://github.com/tkrajina/gpxpy">\n',
#'  <trk>\n'
]

for f in os.listdir('.'):
    if '.gpx' in f:
        with open(f, 'r') as gpx:
            all += gpx.readlines()[2:-1]

all += [
#'  </trk>\n',
'</gpx>\n']

with open('merged.gpx', 'w') as merge:
    merge.writelines(all)
```

### usb drive

shortcut .lnk file, hidden tinyurl.com url

for some reason its inyurl.com though but its trivial to guess its tinyurl

leads us to a google drive, looks like base64 encoded but nope

then [@Robert](https://maplebacon.org/authors/Nneonneo/) came in and said its base32 coz of the `===` and full uppercase and dang it actually is base32 lmao

turns out to be a PE dll that prints the flag, but i dont wanna risk running it so i just rewrote the program with decompiled code:
```c
#include <stdio.h>
#include <stdint.h>

int main()
{
  char Text[50];
  
  char byte_100020C0[] = { 0xD3, 0, 0, 0, 0xE9, 0, 0, 0, 0xF0, 0, 0, 0, 0x0B,
 0, 0, 0, 0x98, 0, 0, 0, 0x56, 0, 0, 0, 0x8A, 0, 0, 0, 
 0x16, 0, 0, 0, 0xFE, 0, 0, 0, 0x6E, 0, 0, 0, 0xBB,
 0, 0, 0, 0x22, 0, 0, 0, 0x0C, 0, 0, 0, 0x20, 0, 0, 0, 
 0x94, 0, 0, 0, 0x38, 0, 0, 0, 0x35, 0, 0, 0, 0x10, 0, 0, 0, 
 0xF7, 0, 0, 0, 0x5D, 0, 0, 0, 0xA8, 0, 0, 0, 0xD9,
 0, 0, 0, 0x91, 0, 0, 0, 0x6D, 0, 0, 0, 0x28, 0, 0, 0, 
 8, 0, 0, 0, 0x69, 0, 0, 0, 0x9B, 0, 0, 0, 0xAB, 0, 0, 0, 
 0x16, 0, 0, 0, 0x64, 0, 0, 0, 0xA4, 0, 0, 0, 0x4B, 0, 0, 0, 
 0x6E, 0, 0, 0, 0x0C, 0, 0, 0, 0xA8, 0, 0, 0, 0xD2,
 0, 0, 0, 0xFC, 0, 0, 0, 0xA6, 0, 0, 0, 0xBD, 0, 0, 0, 
 0x84, 0, 0, 0, 0xC6, 0, 0, 0, 0xBD, 0, 0, 0, 0xBF,
 0, 0, 0, 0xC7, 0, 0, 0, 5, 0, 0, 0, 0xE6, 0, 0, 0, 
 0xC0, 0, 0, 0, 0x9C, 0, 0, 0, 0x75, 0, 0, 0, 7, 0, 0, 0, 
 0xC6, 0, 0, 0, 0x3A, 0, 0, 0, 0x33, 0, 0, 0, 0x7C, 0, 0, 0, 
 0xD5, 0, 0, 0, 0xE2, 0, 0, 0, 0xAA, 0, 0, 0, 0xDC,
 0, 0, 0, 0xD8, 0, 0, 0, 0xB3, 0, 0, 0, 0xCB, 0, 0, 0, 
 0x92, 0, 0, 0, 0xDE, 0, 0, 0, 8, 0, 0, 0, 0x0B, 0, 0, 0, 
 0x4B, 0, 0, 0, 0xE6, 0, 0, 0, 0xA1, 0, 0, 0, 0x64,
 0, 0, 0, 0xDF, 0, 0, 0, 0xF5, 0, 0, 0};
 
  __int128 v3[10];
  __int128 v6[10];
  
  int v3p[] = {51, 38};
  int v6p[] = {87, 91};
  
  v3[0] = *(__int128 *)&byte_100020C0[160];
  v3[1] = *(__int128 *)&byte_100020C0[80];
  v3[2] = *(__int128 *)&byte_100020C0[256];
  v3[3] = *(__int128 *)&byte_100020C0[240];
  v3[4] = *(__int128 *)&byte_100020C0[272];
  v3[5] = *(__int128 *)&byte_100020C0[192];
  v3[6] = *(__int128 *)&byte_100020C0[64];
  v3[7] = *(__int128 *)&byte_100020C0[16];
  v3[8] = *(__int128 *)&byte_100020C0[96];
  v3[9] = *(__int128 *)v3p;
  v6[0] = *(__int128 *)&byte_100020C0[224];
  v6[1] = *(__int128 *)&byte_100020C0[0];
  v6[2] = *(__int128 *)&byte_100020C0[208];
  v6[3] = *(__int128 *)&byte_100020C0[144];
  v6[4] = *(__int128 *)&byte_100020C0[176];
  v6[5] = *(__int128 *)&byte_100020C0[112];
  v6[6] = *(__int128 *)&byte_100020C0[48];
  v6[7] = *(__int128 *)&byte_100020C0[32];
  v6[8] = *(__int128 *)&byte_100020C0[128];
  v6[9] = *(__int128 *)v6p;
  
  int v1 = 0;
  do
  {
    Text[v1] = *((char *)v3 + 4 * v1) ^ *((char *)v6 + 4 * v1);
    Text[v1 + 1] = *((char *)v3 + 4 * v1 + 4) ^ *((char *)v6 + 4 * v1 + 4);
    v1 += 2;
  }
  while ( v1 < 0x26 );
  printf("%s\n", Text);
}
```

### free nitro

eyy a open source:tm: C# exe love it (edit: turns out it actually is open source LMFAO https://github.com/qwqdanchun/DcRat)

not much obfuscation, `cry` is the main class we wanna look at - other stuff just does the unpacking and loading

from there we can see that they use xml-like format to store hex encoded strings as the payload and plain numbers for the password - libarr is decrypted by xoring with pass1, and filearr is decrypted by xoring pass2

yields us a gzipped payload, which we can unzip and find another C# exe which is the RAT itself

funnily enough the salt used for their encryption is `DcRatByqwqdanchun`, which we can search online and find that its actually an active malware and has tools for decrypting their settings data https://github.com/jeFF0Falltrades/Tutorials/blob/master/asyncrat_config_parser (even tho its trivial to copy code from their encryption class to decrypt it ourselves but eyy saves us time)

run that and we get the flag "hidden" in the settings lol

also "REMOVED FOR SAFETY" thanks organizers

### brain melt

open in IDA, we see `_MEIPASS2` - searching up shows that this is a pyinstaller

find tool for unpacking pyinstaller (https://github.com/extremecoders-re/pyinstxtractor), and we get a ton of pyc files

decompyle3 and uncompyle6 doesnt work since its python 3.9, but pycdc worked (partially - reraise is not implemented, so i spent 30 mins reversing it before realizing the flag was already visible in the portion that was decompiled lmao but hey i did make the whole file decompiled at the end)

run `deobfuscate` after extracting both `deobfuscate` and `decrypt` out from the py file and we obtain the flag