protoss_58 - CODEGATE 2025 Quals
バイナリを与えるだけでは復元してくれなかったので、いい感じに抽出した
code: python
# Read the whole client binary into memory, then open the two .proto output files.
# NOTE(review): the listing is damaged on this page — indentation is gone and the
# statements that belonged inside the two output `with` blocks are missing.
# Presumably each one wrote a slice of `data` to its file; the offsets are not
# shown here, so this block cannot be run as printed.
with open('./client', 'rb') as f:
data = f.read()
with open('secret.proto', 'wb') as f:
# NOTE(review): body missing on this page (presumably an f.write of a slice of `data`).
with open('auth.proto', 'wb') as f:
# NOTE(review): body missing on this page (presumably an f.write of a slice of `data`).
tokenが必要なので復元
code:python
# Substitution alphabet: 63 distinct symbols (a-z, A-Z, 0-9 and '_').
# NOTE(review): presumably each symbol stands for its index in this table —
# confirm against unmap_table.
TABLE = b'4E6nQpOkBcWmIfXorxGhg_z81qC3sv79DlRSN5PHeUZAwVYuat0TF2djJbKLyMi'
# 24-symbol encoded value that recover_flag() feeds through the decode pipeline.
EXPECTED = b'lScv9oQ6VgELTPBdHnxp9dND'
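def ror(val, r):
    """Rotate an 8-bit value right by ``r`` bit positions.

    ``val`` is expected to be in 0..255; bits above bit 7 are not cleared
    before the rotation, only the final result is masked to one byte.
    ``r`` is reduced modulo 8 so that counts above 8 rotate instead of
    raising ValueError from a negative shift.
    """
    r %= 8
    # Bits shifted out on the right re-enter on the left; the mask drops
    # everything that overflowed past bit 7.
    return ((val >> r) | (val << (8 - r))) & 0xFF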
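def unmap_table(encoded):
    """Translate each symbol of ``encoded`` into its index in TABLE.

    Returns a ``bytes`` object with one index per input symbol.
    Raises ValueError if a symbol does not occur in TABLE.

    NOTE(review): the page lost the original body of this function. The
    index lookup below is a reconstruction; it is consistent with EXPECTED
    decoding to printable text through unexpand/reverse_transform, but
    confirm it against the original script.
    """
    return bytes(TABLE.index(symbol) for symbol in encoded)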
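def unexpand(expanded):
    """Pack groups of four small values back into three bytes each.

    In every group ``a, b, c, d`` the first three values supply the upper
    six bits of one output byte each, and ``d`` supplies the three missing
    two-bit tails (bits 5-4, 3-2 and 1-0 respectively).

    ``expanded`` is any sequence of ints whose length is a multiple of 4;
    a short final group raises ValueError from the unpacking, and values
    that do not fit in 6 bits raise ValueError when appended.
    Returns a ``bytearray`` with 3 bytes per input group.
    """
    data = bytearray()
    for i in range(0, len(expanded), 4):
        # Restored slice: the page shows the garbled `expandedi:i+4`.
        a, b, c, d = expanded[i:i + 4]
        b1 = (a << 2) | ((d >> 4) & 0b11)
        b2 = (b << 2) | ((d >> 2) & 0b11)
        b3 = (c << 2) | (d & 0b11)
        # NOTE(review): this append is reconstructed — the page dropped the
        # line that stored b1..b3, leaving `data` always empty.
        data.extend((b1, b2, b3))
    return data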
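def reverse_transform(data):
    """Undo the chained byte transform, working from the last byte to the first.

    Each input byte is rotated right by 4, XORed with the already-recovered
    following output byte (0xA5 for the final position), rotated right by 5
    and XORed with 0x44. Processing runs back to front because every byte
    depends on the decoded value of its successor.

    Returns a ``bytearray`` of the same length as ``data``.
    """
    out = bytearray(len(data))
    for i in reversed(range(len(data))):
        # NOTE(review): reconstructed — the page dropped the line that
        # loaded the current input byte into x.
        x = data[i]
        # Restored index: the page shows the garbled `outi+1`.
        next_val = out[i + 1] if i + 1 < len(data) else 0xA5
        x = ror(x, 4)
        x = x ^ next_val
        x = ror(x, 5)
        x = x ^ 0x44
        # NOTE(review): reconstructed — the store into `out` was also lost,
        # which left the result all zeroes.
        out[i] = x
    return out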
def recover_flag():
    """Decode EXPECTED and return the result as a UTF-8 string.

    The pipeline is table lookup, 4-to-3 repacking, then the reverse byte
    transform. The raw decoded bytes are printed before decoding so they
    stay visible even if the UTF-8 conversion raises UnicodeDecodeError.
    """
    original = reverse_transform(unexpand(unmap_table(EXPECTED)))
    print(original)
    return original.decode('utf-8')
if __name__ == "__main__":
    # Run the decode pipeline only when the file is executed as a script.
    recovered = recover_flag()
    print("Recovered flag:", recovered)
復元したtokenでserviceを呼び出すとflagが得られる
code:python
import grpc
import auth_pb2
import auth_pb2_grpc
import secret_pb2
import secret_pb2_grpc
# Tokens presented to the service. Both have a `<text>.<hex digits>` shape.
# NOTE(review): what the hex suffix encodes is not shown on this page.
guest_token = 'sHkdjCXN2cq4.8cb507d6d97ebfa'
commander_token = '88bskFDdusFkfeStkWvS.61647db145e0c134'

# grpc.insecure_channel() is a plaintext, unauthenticated transport: the token
# and the reply are readable by anything on the network path. Where the server
# offers TLS, grpc.secure_channel() with channel credentials is the equivalent.
# 'xxx:xxx' is presumably the redacted host:port of the challenge service.
with grpc.insecure_channel('xxx:xxx') as channel:
    # Earlier exploration calls, left disabled by the author:
    # stub = auth_pb2_grpc.AuthServiceStub(channel)
    # resp = stub.Verify(auth_pb2.VerifyRequest(auth_data='sHkdjCXN2cq4.8cb507d6d97ebfa'))
    # print(resp)
    stub = secret_pb2_grpc.SecretServiceStub(channel)
    # resp = stub.SecretTitles(secret_pb2.SecretTitlesRequest(token = guest_token))
    # print(resp)
    # for i in range(11):
    #     resp = stub.Secret(secret_pb2.SecretRequest(token = guest_token, secret_idx = i))
    #     print(resp)

    # The Flag call takes the commander token plus the `hidden` string.
    flag_request = secret_pb2.FlagRequest(
        token=commander_token,
        hidden='My_1ife_F0r_Aiur!!',
    )
    flag_reply = stub.Flag(flag_request)
    print(flag_reply)