Page MenuHomedesp's stash
Files F374812

m0lecon22.md
No OneTemporary
Actions

m0lecon22.md
View Options

### crackme
actually quite fun tbh it had 4 stages of checking of increasing difficulty (well technically the last one was a cliff lmfao)
quite easy to figure out what the first 3 is doing - 80 characters, all uppercase, which iteratively splits into 5 strings ('abcdeabcde' -> 'aa bb cc dd ee'), and at most 3 characters can be matching the strings around it (pairwise check)
main pain comes from the last check - it has rand in it, bunch of xors and checks, and expects all 5 arrays to pass
but wait the rand is run 999999 times so technically any case should be run so do we need to get all 16 characters of an array to permutate xors and still result in 0 that never happens
i even wrote a z3 script to prove it
```py
from z3 import *
import itertools
t = []
t += [BitVec('t1', 8)]
t += [BitVec('t2', 8)]
t += [BitVec('t3', 8)]
t += [BitVec('t4', 8)]
t += [BitVec('t5', 8)]
t += [BitVec('t6', 8)]
t += [BitVec('t7', 8)]
t += [BitVec('t8', 8)]
t += [BitVec('t9', 8)]
t += [BitVec('t10', 8)]
t += [BitVec('t11', 8)]
t += [BitVec('t12', 8)]
t += [BitVec('t13', 8)]
t += [BitVec('t14', 8)]
t += [BitVec('t15', 8)]
t += [BitVec('t16', 8)]
def pairwise(iterable):
a, b = itertools.tee(iterable)
next(b, None)
return zip(a, b)
def triplewise(iterable):
"Return overlapping triplets from an iterable"
# triplewise('ABCDEFG') -> ABC BCD CDE DEF EFG
for (a, _), (b, c) in pairwise(pairwise(iterable)):
yield a, b, c
s = Solver()
# for i in t:
# s.add(i >= ord('A'))
# s.add(i <= ord('Z'))
for i, j in pairwise(t):
s.add(i ^ j == 0)
for i, j, k in triplewise(t):
s.add(i ^ j ^ k == 0)
s.check()
print(s.model())
```
is unsat even when its just triple
if you think about it ofc its unsat x ^ x = 0 but x ^ x ^ x = x so odd amounts never result in 0
but wait im assuming too much of how this binary works look at `v20 = v20 && v29 > 0;`
since we are applying that 999999 times that means if `v29` is 0 even just once we get `v20` as 0 which passes the check for that one array
so i went to work grabbing pairs from the xor that matches so we can get a 0
but i was working on bytes instead of ints which is why the values didnt work even though they matched
and turns out none of the ints match or can ever be negative either the most significant nibble is always 0 which means we cant xor it to negative
so we will have to find a path that xors multiple integers to get a 0
was gonna do it manually, but it looks painful staring at 1s and 0s so i wrote another DFS for it
```py
vals = [
0x38, 0x82, 0x97, 0x1F, 0xD1, 0x2E, 0xD4, 0x1B, 0x98, 0x72, 0x4C, 0x07, 0x08, 0x7F, 0xBC, 0x09,
0xFA, 0xE1, 0x0F, 0x29, 0xF5, 0xE5, 0x7F, 0x12, 0x60, 0x24, 0xAC, 0x36, 0x1B, 0xE5, 0xD7, 0x3C,
0x69, 0x9E, 0xAB, 0x36, 0x55, 0xFA, 0xC6, 0x2B, 0x11, 0xE3, 0x52, 0x07, 0x80, 0xAF, 0x06, 0x0B,
0xF0, 0xFC, 0x28, 0x3C, 0x5B, 0xC3, 0xD6, 0x07, 0x83, 0x2B, 0x49, 0x1C, 0xFE, 0x8A, 0xC6, 0x21,
0x4F, 0x48, 0x27, 0x30, 0xE1, 0xD0, 0xD2, 0x37, 0x62, 0x32, 0x53, 0x30, 0x66, 0xB1, 0xA9, 0x28,
0x97, 0x43, 0x2F, 0x04, 0x74, 0xB8, 0x01, 0x2F, 0xA0, 0x69, 0xC5, 0x37, 0xD4, 0x8F, 0x45, 0x17,
0x1E, 0xE4, 0xB3, 0x00, 0xAC, 0x46, 0x73, 0x3C, 0x10, 0x03, 0x6D, 0x16, 0x49, 0x44, 0x96, 0x06,
0x78, 0x08, 0xFD, 0x12, 0xF0, 0xF3, 0xD6, 0x2B, 0xF9, 0x85, 0x75, 0x29, 0x43, 0xF0, 0xE0, 0x0A,
0x05, 0xD2, 0x83, 0x09, 0x94, 0x6E, 0xE8, 0x33, 0xAD, 0x8B, 0x53, 0x29, 0x9D, 0x5C, 0x68, 0x05,
0x87, 0x03, 0xF5, 0x00, 0x8E, 0x2A, 0x15, 0x07, 0x15, 0xC8, 0xC9, 0x2D, 0xD0, 0x97, 0x8C, 0x35,
0xC1, 0xF5, 0xDE, 0x34, 0x48, 0x89, 0x46, 0x15, 0xDC, 0x37, 0x53, 0x0D, 0xF4, 0x89, 0x45, 0x2C,
0xD6, 0x03, 0x01, 0x37, 0xE4, 0xAD, 0x33, 0x27, 0x92, 0xD9, 0xB6, 0x1D, 0xE8, 0x78, 0xBF, 0x36,
0x5B, 0xC2, 0x9D, 0x21, 0xB8, 0x3D, 0xDE, 0x24, 0x27, 0x7E, 0x2D, 0x09, 0x19, 0x55, 0x01, 0x0F,
0x21, 0x0A, 0xB9, 0x34, 0xF5, 0x16, 0xB3, 0x15, 0xAE, 0xC9, 0x43, 0x1D, 0x21, 0x0E, 0xBD, 0x1D,
0xD9, 0x9C, 0xA1, 0x24, 0x43, 0x28, 0x5F, 0x13, 0x5D, 0x94, 0xEE, 0x29, 0xD0, 0x76, 0xE9, 0x08,
0x1F, 0xEE, 0x82, 0x02, 0x63, 0x8D, 0xA9, 0x06, 0x0E, 0x48, 0x0A, 0x17, 0x62, 0x48, 0x0D, 0x02,
0xD4, 0xB4, 0x69, 0x0D, 0xC0, 0x69, 0x04, 0x20, 0x52, 0x53, 0x12, 0x25, 0x7E, 0x4E, 0x2B, 0x32,
0x25, 0x8D, 0x1B, 0x3A, 0xB5, 0xCD, 0x73, 0x1D, 0x2C, 0x8A, 0x56, 0x20, 0xCE, 0x08, 0x9F, 0x3E,
0x9E, 0xF1, 0x9D, 0x31, 0xC0, 0xD4, 0x59, 0x1D, 0xDE, 0x92, 0xF2, 0x01, 0xA8, 0x76, 0xDA, 0x10,
0x18, 0x4A, 0xFD, 0x24, 0x26, 0xE0, 0x97, 0x24, 0xF5, 0x50, 0x5D, 0x03, 0x2E, 0x7E, 0xA3, 0x36,
0xD6, 0x7F, 0x8B, 0x33, 0x72, 0x12, 0x3D, 0x03, 0x2C, 0xDE, 0x0B, 0x28, 0xE7, 0x6E, 0xA7, 0x06,
0x87, 0xC1, 0x08, 0x10, 0x76, 0x9D, 0xBC, 0x06, 0x56, 0x74, 0xB0, 0x30, 0x22, 0x1C, 0xA6, 0x2F,
0xAD, 0xB0, 0x13, 0x05, 0x7D, 0x0A, 0xB9, 0x2E, 0x5C, 0x97, 0xC8, 0x3A, 0x6B, 0x0A, 0x5A, 0x1E,
0x9B, 0xFD, 0x43, 0x3A, 0xB0, 0x42, 0xF1, 0x1A, 0x7E, 0xC9, 0x0A, 0x0A, 0x84, 0x81, 0x51, 0x18,
0xF1, 0x1F, 0x3C, 0x05, 0x2B, 0x38, 0xB5, 0x0A, 0x9D, 0x09, 0x57, 0x23, 0x96, 0xBE, 0xE3, 0x00,
0xFC, 0x26, 0x5C, 0x28, 0x58, 0x1F, 0xC5, 0x1E, 0x77, 0x7F, 0x1F, 0x26, 0x68, 0x45, 0xF2, 0x30,
0xF7, 0xF3, 0x4C, 0x18, 0x2C, 0xA2, 0x32, 0x25, 0xE8, 0x7A, 0x2E, 0x0F, 0x8B, 0xF5, 0x59, 0x2A,
0x41, 0x33, 0x21, 0x25, 0x3E, 0xEB, 0x96, 0x0E, 0xE6, 0x07, 0x77, 0x24, 0x8D, 0x19, 0xF8, 0x34,
0x4A, 0x08, 0xAE, 0x3B, 0xCB, 0x0D, 0x3B, 0x1F, 0x1E, 0xCD, 0xB1, 0x3B, 0x28, 0x2B, 0x71, 0x29,
0xE7, 0x59, 0xD1, 0x2C, 0x83, 0x57, 0x3F, 0x0B, 0x23, 0xD5, 0xFD, 0x19, 0xEA, 0x3F, 0x04, 0x10,
0x04, 0x7B, 0x37, 0x12, 0x5D, 0x54, 0x58, 0x1E, 0x06, 0xF3, 0x85, 0x39, 0x50, 0x49, 0x6A, 0x34,
0x4E, 0xAD, 0xA5, 0x20, 0xE6, 0xC5, 0xEE, 0x3C, 0x41, 0xBC, 0xEF, 0x30, 0x1A, 0x39, 0xC1, 0x3D,
0xA7, 0x4C, 0x59, 0x1D, 0xEC, 0x2B, 0xE5, 0x18, 0x09, 0x65, 0x2B, 0x06, 0x09, 0x1C, 0xE9, 0x11,
0x40, 0x54, 0xD0, 0x2D, 0x3B, 0xEA, 0xBF, 0x18, 0x91, 0x8E, 0x7E, 0x3F, 0x39, 0x3E, 0x97, 0x01,
0x9C, 0xBC, 0xDE, 0x2E, 0xE4, 0x3C, 0x7E, 0x20, 0x30, 0x43, 0x04, 0x36, 0x75, 0xAC, 0xA1, 0x01,
0xE5, 0x08, 0x46, 0x12, 0xC1, 0x0F, 0xFC, 0x02, 0x5B, 0x05, 0xF9, 0x2E, 0xFB, 0xC0, 0x14, 0x2F,
0x9F, 0xA2, 0xCE, 0x10, 0xDF, 0x64, 0x5E, 0x3B, 0x3A, 0x30, 0x5C, 0x1E, 0x1F, 0x36, 0xAA, 0x01,
0x99, 0x47, 0x5B, 0x23, 0x25, 0x1B, 0xB3, 0x3E, 0xAD, 0x65, 0x3C, 0x20, 0xDB, 0xA5, 0x51, 0x0F,
0x17, 0x16, 0x20, 0x36, 0xF4, 0x1A, 0x82, 0x3D, 0x2B, 0x6F, 0x4E, 0x09, 0x30, 0x35, 0x3D, 0x22,
0x89, 0x39, 0xFA, 0x3B, 0xBC, 0x87, 0x51, 0x09, 0xE9, 0xD3, 0xEC, 0x36, 0xCA, 0x1A, 0x66, 0x1D,
0xB8, 0xA8, 0xFE, 0x00, 0xC9, 0x72, 0x9A, 0x04, 0x3F, 0x41, 0x45, 0x08, 0xAC, 0xD0, 0x55, 0x02,
0xC1, 0x02, 0x64, 0x20, 0x56, 0x2B, 0xF7, 0x0C, 0xC8, 0x37, 0x35, 0x38, 0x70, 0x1E, 0xD9, 0x1B,
0xB6, 0x3F, 0xC7, 0x0A, 0xCB, 0xB8, 0x3B, 0x1D, 0x40, 0x20, 0x11, 0x32, 0xCE, 0xEF, 0x1E, 0x36,
0x71, 0x8D, 0x8F, 0x1A, 0x6A, 0xD2, 0x9F, 0x09, 0x5F, 0x03, 0x2E, 0x12, 0xD2, 0xF5, 0xB5, 0x12,
0xFF, 0x2F, 0xF0, 0x33, 0x71, 0xAC, 0x05, 0x0E, 0x9D, 0x69, 0x77, 0x3E, 0xA6, 0xAD, 0x4D, 0x36,
0x2A, 0x77, 0x25, 0x22, 0x5D, 0x9C, 0xA2, 0x13, 0x2A, 0x55, 0x55, 0x3A, 0x17, 0x04, 0xC6, 0x2F,
0x19, 0x87, 0xAF, 0x08, 0x80, 0x52, 0xEA, 0x3F, 0x81, 0x1D, 0x58, 0x07, 0x9D, 0x27, 0xCF, 0x02,
0x86, 0xE1, 0xA4, 0x11, 0xF3, 0xA6, 0x11, 0x23, 0xD4, 0x0F, 0x47, 0x29, 0x46, 0xEF, 0xA4, 0x3E,
0xD4, 0xBD, 0xFC, 0x3B, 0xB2, 0xFA, 0xF4, 0x39, 0xA6, 0x4E, 0xAD, 0x32, 0xFD, 0xCF, 0x54, 0x39,
0x12, 0xAE, 0xEF, 0x36, 0xC8, 0x18, 0x18, 0x23, 0x95, 0x5C, 0x43, 0x2B, 0x95, 0xF6, 0xB0, 0x34,
0xE1, 0x53, 0xDF, 0x39, 0x79, 0x54, 0x7F, 0x07, 0xD1, 0x3D, 0xC1, 0x27, 0x5F, 0x54, 0x76, 0x24,
0x55, 0x7E, 0x95, 0x37, 0x44, 0xBE, 0xF7, 0x25, 0xD6, 0x8C, 0x46, 0x1F, 0xF0, 0x1A, 0x30, 0x0C,
0xA4, 0x3E, 0xEF, 0x11, 0x44, 0x80, 0x41, 0x32, 0xD3, 0xFC, 0x80, 0x12, 0x1F, 0xDD, 0x46, 0x04,
0xC8, 0x4D, 0xD0, 0x07, 0x56, 0xA0, 0xF7, 0x29, 0xB6, 0x1C, 0x59, 0x39, 0xCA, 0xF7, 0xCF, 0x06,
0xE2, 0x23, 0x55, 0x28, 0x4D, 0xAD, 0x4F, 0x3C, 0xC4, 0xED, 0xFD, 0x3C, 0xF0, 0x8D, 0xF8, 0x27,
0xA8, 0x84, 0xF0, 0x16, 0x40, 0xFA, 0x08, 0x0A, 0x6B, 0xA8, 0x82, 0x07, 0x45, 0xFF, 0xA2, 0x12,
0xC1, 0x2D, 0x5E, 0x0A, 0xB2, 0xEB, 0xF7, 0x29, 0x27, 0xA5, 0xE6, 0x1C, 0xAD, 0xFD, 0x4F, 0x08,
0x18, 0x40, 0x3F, 0x08, 0x8F, 0x68, 0xF7, 0x18, 0x16, 0xDF, 0xA8, 0x05, 0xD3, 0x82, 0x0B, 0x18,
0x91, 0xA9, 0x62, 0x2D, 0x78, 0xE8, 0x54, 0x2F, 0x57, 0xA2, 0xD0, 0x39, 0x7C, 0x77, 0xBD, 0x36,
0x76, 0xA7, 0x53, 0x0A, 0xCC, 0x13, 0x1F, 0x06, 0x5F, 0x54, 0x45, 0x11, 0x53, 0x26, 0x20, 0x2B,
0x17, 0xC9, 0xB0, 0x2B, 0x51, 0x74, 0xEF, 0x22, 0xD6, 0x7D, 0xC8, 0x21, 0x72, 0xDD, 0x79, 0x13,
0x05, 0x2B, 0xEC, 0x29, 0x2B, 0x3F, 0x68, 0x00, 0xAC, 0x14, 0x72, 0x28, 0x40, 0x53, 0x5A, 0x36,
0x58, 0x82, 0x0F, 0x2B, 0x32, 0x2C, 0xC0, 0x27, 0xE2, 0x4F, 0x3C, 0x1C, 0x0B, 0xF0, 0x90, 0x2C,
0xD4, 0xC2, 0x1C, 0x11, 0x59, 0x12, 0x8A, 0x1E, 0x96, 0x42, 0x17, 0x3D, 0xC6, 0x29, 0x33, 0x37,
0x70, 0xB2, 0x7B, 0x29, 0x10, 0x33, 0xF5, 0x38, 0x70, 0xBE, 0xA2, 0x01, 0x09, 0x1B, 0x97, 0x17,
0x73, 0xE3, 0x98, 0x1C, 0x16, 0x9D, 0xD2, 0x1D, 0x0A, 0xA9, 0xE0, 0x14, 0x18, 0xF8, 0x3F, 0x37,
0x8B, 0x93, 0x33, 0x24, 0xD9, 0x9A, 0xAF, 0x2C, 0xCC, 0x33, 0x64, 0x1A, 0xE8, 0x45, 0x73, 0x30,
0x38, 0xDF, 0x8B, 0x2A, 0x2A, 0x3C, 0xB1, 0x01, 0x86, 0x5D, 0x60, 0x11, 0x01, 0x9B, 0xBC, 0x33,
0xAC, 0x6C, 0x7D, 0x13, 0xF8, 0x10, 0x88, 0x1E, 0x62, 0x32, 0x10, 0x0C, 0x35, 0x01, 0x77, 0x1A,
0x2E, 0x07, 0x98, 0x2C, 0xF7, 0x94, 0x84, 0x2B, 0x3F, 0x38, 0xEA, 0x00, 0x93, 0xD6, 0x16, 0x0F,
0xB7, 0xA0, 0x0F, 0x2D, 0xBD, 0xDD, 0x1C, 0x06, 0xFB, 0x64, 0x50, 0x26, 0x88, 0xFE, 0x4C, 0x3E,
0xE1, 0x3B, 0xED, 0x16, 0x30, 0x74, 0xD3, 0x04, 0xA0, 0x46, 0x5A, 0x25, 0x77, 0x78, 0x8B, 0x12,
0x49, 0x2D, 0xE4, 0x0A, 0x05, 0xB6, 0x5B, 0x25, 0x27, 0x34, 0x0A, 0x3F, 0x06, 0xC6, 0xB2, 0x39,
0x0D, 0xDC, 0xA7, 0x3B, 0x0F, 0x9A, 0xD7, 0x1C, 0x26, 0xE4, 0x00, 0x12, 0x91, 0xC2, 0xE0, 0x16,
0xFA, 0x8B, 0xF3, 0x2F, 0xCA, 0x20, 0x3A, 0x3E, 0x92, 0xF9, 0x19, 0x3D, 0x9D, 0x6C, 0x69, 0x0D,
0xB2, 0x94, 0xF1, 0x3D, 0x0B, 0x64, 0x95, 0x08, 0x3C, 0xB5, 0xB7, 0x16, 0x2C, 0x7A, 0x19, 0x3D,
0xB4, 0xA2, 0xD3, 0x18, 0x90, 0x97, 0xA9, 0x2F, 0x16, 0x2E, 0x87, 0x04, 0xC4, 0x46, 0xE4, 0x3A,
0x5C, 0x21, 0x2A, 0x25, 0x95, 0xF4, 0x5D, 0x06, 0x30, 0x03, 0x06, 0x35, 0xCD, 0x51, 0xD7, 0x1B,
0x33, 0xCE, 0xB3, 0x19, 0x07, 0x99, 0xE1, 0x1B, 0xE0, 0x73, 0xDB, 0x04, 0x8C, 0x30, 0xAF, 0x02,
0x43, 0xAB, 0x62, 0x0A, 0x5E, 0x44, 0x5A, 0x3A, 0xF4, 0x02, 0x85, 0x24, 0x3A, 0x34, 0x22, 0x05,
0x20, 0x2B, 0x61, 0x1D, 0xCA, 0x71, 0xA8, 0x1E, 0x32, 0x15, 0xB5, 0x10, 0x23, 0xC4, 0xF2, 0x03,
0xB0, 0xD8, 0x11, 0x09, 0x8B, 0xF9, 0x24, 0x05, 0x4C, 0x1D, 0x60, 0x34, 0xD9, 0x43, 0x03, 0x29,
0x1D, 0x26, 0xA4, 0x09, 0xD6, 0xAA, 0x5D, 0x1E, 0xD8, 0x91, 0xCD, 0x1E, 0x22, 0xE2, 0x35, 0x09,
0xAF, 0x46, 0x25, 0x35, 0xA1, 0xD7, 0xDA, 0x1F, 0x02, 0x57, 0xEC, 0x13, 0x26, 0x22, 0xC2, 0x23,
0x36, 0x04, 0xA5, 0x21, 0xCC, 0xC4, 0x28, 0x11, 0xB9, 0xFA, 0x49, 0x21, 0xD7, 0x44, 0x80, 0x17,
0x63, 0x50, 0x4E, 0x3E, 0x3C, 0xE1, 0x70, 0x0D, 0xD3, 0x0E, 0x7A, 0x3E, 0xF3, 0xED, 0x62, 0x1E,
0x15, 0x2E, 0xF0, 0x38, 0x2B, 0x86, 0xE0, 0x02, 0x10, 0xD0, 0xE1, 0x16, 0xC1, 0x4A, 0x84, 0x31,
0x55, 0x69, 0x6C, 0x05, 0x0C, 0x63, 0x7E, 0x0A, 0x58, 0x32, 0xB9, 0x39, 0x33, 0x3F, 0xBA, 0x3C,
0xC3, 0x13, 0x69, 0x21, 0x58, 0x08, 0x38, 0x2E, 0x51, 0xD3, 0x07, 0x1B, 0xF3, 0x70, 0x93, 0x0A,
0xF3, 0xF6, 0xA4, 0x07, 0x57, 0x5B, 0x9F, 0x04, 0x27, 0x79, 0x9A, 0x37, 0xCB, 0xF1, 0xD5, 0x26,
0xB6, 0x5B, 0x96, 0x20, 0xD4, 0xB6, 0xC9, 0x37, 0x19, 0x7B, 0x64, 0x3E, 0x89, 0xEF, 0x60, 0x22,
0x47, 0x41, 0x34, 0x39, 0x49, 0xDC, 0x1E, 0x04, 0x98, 0x6A, 0x90, 0x3C, 0x33, 0x10, 0x8E, 0x21,
0x9F, 0x01, 0xAC, 0x18, 0x60, 0x72, 0x82, 0x28, 0x84, 0x97, 0xD8, 0x04, 0x58, 0x34, 0x88, 0x0B,
0xB9, 0x98, 0x05, 0x2A, 0xC9, 0xB1, 0xD7, 0x27, 0x63, 0xB5, 0x96, 0x3B, 0x5A, 0x9E, 0xDD, 0x31,
0x16, 0xEE, 0xE8, 0x0B, 0x77, 0xC5, 0x82, 0x2C, 0xD2, 0x6F, 0x9F, 0x30, 0x04, 0xBB, 0x45, 0x37,
0x6C, 0x10, 0xAD, 0x35, 0xC0, 0xC1, 0x9B, 0x19, 0x68, 0x4D, 0x29, 0x2B, 0xD9, 0x4D, 0x21, 0x2D,
0x74, 0x4D, 0xD9, 0x26, 0xFB, 0xC6, 0x3A, 0x18, 0xBB, 0x65, 0x3D, 0x21, 0xDE, 0xCE, 0xF7, 0x3F,
0xDF, 0xB6, 0xAB, 0x14, 0x83, 0xE0, 0x62, 0x09, 0x3E, 0xB5, 0x35, 0x0F, 0x4F, 0xBD, 0x5E, 0x18,
0x10, 0xD3, 0x0A, 0x23, 0xC4, 0xCB, 0x56, 0x21, 0x6A, 0x8E, 0x23, 0x1A, 0x5C, 0xEE, 0x9C, 0x3B,
0xDC, 0x1C, 0xB0, 0x0C, 0x61, 0x28, 0xC6, 0x1F, 0xCF, 0x01, 0xFC, 0x0B, 0xE4, 0x71, 0x43, 0x02,
0x78, 0x41, 0x98, 0x35, 0x67, 0xE7, 0x9B, 0x28, 0xE2, 0xBB, 0xAF, 0x25, 0x79, 0x1D, 0xAE, 0x27,
0x18, 0xD8, 0x3D, 0x3C, 0x02, 0x69, 0x57, 0x1B, 0x09, 0xE2, 0x99, 0x33, 0xEB, 0x1D, 0xCF, 0x19,
0x8A, 0x72, 0x94, 0x0B, 0x07, 0x2B, 0x11, 0x39, 0xA5, 0x36, 0xDC, 0x29, 0xDD, 0x76, 0x59, 0x24,
0x48, 0xE0, 0xCB, 0x3F, 0xB5, 0xB1, 0xF9, 0x3F, 0x8C, 0x9B, 0xFD, 0x2A, 0x6B, 0x35, 0xE4, 0x09]
ints = [int.from_bytes(vals[pos:pos + 4], byteorder='little', signed=True) for pos in range(0, len(vals), 4)]
def search(i, path, val):
if val <= 0:
print(i, path, val)
if i >= 7:
return
for j in range(26):
search(i+1, path + chr(j + ord('A')), val ^ ints[i * 26 + j])
search(0, '', 0)
```
which i then manually iterated the `i >= 7` part from 5 (which is the lowest according to `rand() % 11 + 5;`) to exhaust from bottom up to save time
and 7 actually gave me values eyyy 4 at that too
i was gonna wait for 5 but then i remembered they only check pairwise for the third check so we only technically need 2 unique solutions that passes it
so i wrote a script to apply it to a base string that always pass the 3 checks
```py
apply = ['BFSJEUL', 'CHMOYTI', 'BPZBBJK', 'CRZOVEX', 'BFSJEUL']
test = 'ABCDE'*(80//5)
for i, v in enumerate(apply):
for j, c in enumerate(v):
test = test[:j*5+i] + c + test[j*5+i+1:]
print(test)
```
after waiting for a second or so the program spewed out GOOD! eyyyyy my theory worked
flag `ptm{ThIs_cOuLd_Be_SoLvEd_WiTh_MaTrOiD_iNtErSeCtIoN_3ba32bf27a746014}` no idea what that is kekw
### PTC - Pwn The Circles!
dude i got way too carried away messing around with opsu LMAO like half of the ctf was just me playing in opsu
i decompiled their obfuscated opsu with enigma and made it recompilable and working by hand using resource files from opsu github
had to get source code for beatmapparser too coz the decompiler didnt want to behave for the huge switch case in parseFile
learnt how to maven debug in one line though, as long as exec plugin is added (which we can with wrapping `<pluginManagement>` before `<plugins>` for some reason) - `-Dexec.args="-classpath %classpath -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=8000 itdelatrisu.opsu.Opsu" exec:java` in the goal field would work nicely already and its one click debug from source too no remote debugging
i actually got the encryption class and the scoredata upload class found like ages ago but i was determined to get the debugging setup running so i can easily breakpoing and manipulate data lmao
turns out theres a checksum check in the encryption class that the website checks though but nothing can stop me once i have code access :sunglasses:
patching that away and forcing playerName to be my own before scoredata is getting sent and also ignoring unranked boolean in rendergame made autoplay work with score uploading
which means i can just listen to songs and edit the score to what they want afterwards lmao very nice
flag `ptm{I_D!d_Th3_08fUSCati0n_bY_H4nD}`
also https://www.youtube.com/watch?v=HVhWw13UEaM based ctf based song

File Metadata

Mime Type
text/x-python
Expires
Mon, Aug 4, 9:33 PM (20 h, 11 m)
Storage Engine
local-disk
Storage Format
Raw Data
Storage Handle
5b/17/4572fbdb329cddddef506972a809

Event Timeline

Back to Main Site