Write Up Capture The Flag (CTF) ADIKARA 2025

# Write Up Capture The Flag (CTF) ADIKARA 2025 Joshua Prasetyo Sadewo Paundu (beri aku pangsit) LinkedIn : linkedin.com/in/joshuapaundu12 https://hackmd.io/@LMpyDGTGQViJO4yYIRE-PQ/HJAOsWWQ-x Challenge Category <a href="#FORENSICS">**FORENSICS**</a> * <a href="#HEAVY">HEAVY</a> * <a href="#Neovim">Neovim</a> --- <a href="#MISC">**MISC**</a> * <a href="#松本眞">松本眞</a> * <a href="#Sanity">Sanity Check</a> * <a href="#Berputar">Berputar</a> --- <a href="#CRYPTOGRAPHY">**CRYPTOGRAPHY**</a> * <a href="#Duty">"Your duty is not over!"</a> * <a href="#sambal256">sambal256</a> --- <a href="#RevEng">**REVERSE ENGINEERING**</a> * <a href="#Snake">Snake</a> --- ## <center><a id=FORENSICS>**FORENSICS**</a></center> ### <a id="HEAVY">HEAVY</a> ![Screenshot 2025-12-18 165658](https://hackmd.io/_uploads/SJNdx8WX-l.png) Download "Open-me-to-get-the-flag.zip". Kemudian unzip file nya. ``` unzip Open-me-to-get-the-flag.zip ``` Kemudian masuk dalam folder yang sudah diunzip. Ketika melihat file "Do Not.zip", jangan langsung diunzip, itu adalah ZIP Bomb, walaupun kelihatannya 600MB saja, tetapi ketika diunzip akan menjadi 400GB. Caranya menyelesaikan soal ini adalah dengan menjalankan command berikut di terminal (kalau saya di Kali Linux). ``` unzip -p "DO NOT.zip" | grep -a -m 1 "ADIKARA25" ``` And boom! Akan keluar spam output flag nya. FLAG : ADIKARA25{z1p_z4p_b0mb3d_1-h0p3_y0u_d0n't-tr7-t0_3xtr@c7_th1$} --- ### <a id="Neovim">Neovim</a> ![Screenshot 2025-12-18 165713](https://hackmd.io/_uploads/BydYeU-mZe.png) Download file "chall.pcapng". Soal ini ternyata Network Forensics, lebih tepatnya **USB Keystroke Injection Analysis** dengan twist logika Aplikasi Neovim. Setelah dianalisis, filenya berisi lalu lintas USB. Untuk menyelesaikan soal ini dibutuhkan script dengan membuat file bernama "solveNeovim.py". Berikut code script nya. ``` import struct import sys # Mapping HID hid_map = { 0x04: 'a', 0x05: 'b', 0x06: 'c', 0x07: 'd', 0x08: 'e', 0x09: 'f', 0x0A: 'g', 0x0B: 'h', 0x0C: 'i', 0x0D: 'j', 0x0E: 'k', 0x0F: 'l', 0x10: 'm', 0x11: 'n', 0x12: 'o', 0x13: 'p', 0x14: 'q', 0x15: 'r', 0x16: 's', 0x17: 't', 0x18: 'u', 0x19: 'v', 0x1A: 'w', 0x1B: 'x', 0x1C: 'y', 0x1D: 'z', 0x1E: '1', 0x1F: '2', 0x20: '3', 0x21: '4', 0x22: '5', 0x23: '6', 0x24: '7', 0x25: '8', 0x26: '9', 0x27: '0', 0x28: 'ENTER', 0x29: 'ESC', 0x2A: 'BSC', 0x2B: 'TAB', 0x2C: 'SPACE', 0x2D: '-', 0x2E: '=', 0x2F: '[', 0x30: ']', 0x31: '\\', 0x33: ';', 0x34: '\'', 0x36: ',', 0x37: '.', 0x38: '/', 0x35: '`', 0x4F: 'RIGHT', 0x50: 'LEFT', 0x51: 'DOWN', 0x52: 'UP' } shift_map = { '1': '!', '2': '@', '3': '#', '4': '$', '5': '%', '6': '^', '7': '&', '8': '*', '9': '(', '0': ')', '-': '_', '=': '+', '[': '{', ']': '}', '\\': '|', ';': ':', '\'': '"', ',': '<', '.': '>', '/': '?', '`': '~' } def parse_pcap_rollover(filename): print(f"[*] Parsing {filename} with N-Key Rollover support...") events = [] previous_keys = set() with open(filename, 'rb') as f: while True: header = f.read(8) if len(header) < 8: break _, block_len = struct.unpack('<II', header) body_len = block_len - 12 if body_len < 0: break block_body = f.read(body_len) f.read(4) # Perbaikan: Hapus check block_body[0] != 0 yang bikin error if len(block_body) > 20: cap_len = struct.unpack('<I', block_body[12:16])[0] packet_data = block_body[20 : 20 + cap_len] # USB HID Data Offset 64 if len(packet_data) >= 72: hid = packet_data[64:72] mod = hid[0] # Ambil semua key yang sedang ditekan (Byte 2 sampai 7) current_keys = set() for i in range(2, 8): code = hid[i] if code != 0: current_keys.add(code) # Deteksi tombol BARU (yang belum ada di paket sebelumnya) new_keys = current_keys - previous_keys if new_keys: # Kita harus urutkan berdasarkan posisi di array HID agar urutan ketikan benar # (Misal user nahan Shift (byte 0) lalu ngetik A (byte 2)) ordered_new = [] for i in range(2, 8): if hid[i] in new_keys: ordered_new.append(hid[i]) for k in ordered_new: events.append((mod, k)) previous_keys = current_keys return events def reconstruct_neovim(keys): buffer = [] cursor = 0 mode = 'NORMAL' print("[*] Reconstructing Text...") # Skip sampai ENTER pertama start_idx = 0 for i, (m, c) in enumerate(keys): if c == 0x28: # ENTER start_idx = i + 1 break for mod, code in keys[start_idx:]: if code not in hid_map: continue key = hid_map[code] is_shift = (mod & 0x02) or (mod & 0x20) if key == 'ESC': mode = 'NORMAL' if cursor > 0: cursor -= 1 elif mode == 'NORMAL': if key in ['i']: mode = 'INSERT' elif key in ['a']: mode = 'INSERT' if len(buffer) > 0: cursor += 1 elif key in ['I']: mode = 'INSERT'; cursor = 0 elif key in ['A']: mode = 'INSERT'; cursor = len(buffer) elif key == 'x': if buffer and cursor < len(buffer): del buffer[cursor] if cursor == len(buffer) and cursor > 0: cursor -= 1 elif key in ['h', 'LEFT']: if cursor > 0: cursor -= 1 elif key in ['l', 'RIGHT']: if cursor < len(buffer): cursor += 1 elif key == '0': cursor = 0 elif key == '$': cursor = len(buffer) elif mode == 'INSERT': if key == 'BSC': if cursor > 0: del buffer[cursor - 1] cursor -= 1 elif len(key) == 1: char = key if is_shift: if char in shift_map: char = shift_map[char] elif char.isalpha(): char = char.upper() buffer.insert(cursor, char) cursor += 1 return "".join(buffer) if __name__ == "__main__": try: keys = parse_pcap_rollover("chall.pcapng") flag = reconstruct_neovim(keys) print("\n" + "="*50) print("RECONSTRUCTED FLAG:") print(flag) print("="*50) except Exception as e: print(e) ``` Kemudian jalankan script nya. ``` python3 solveNeovim.py ``` And boom! FLAG : ADIKARA25{d1d_y0u_l1st3n_t0_m7_k3yb04rd_input???_goodJOB!!} --- ## <center><a id=MISC>**MISC**</a></center> ### <a id=松本眞>松本眞</a> ![Screenshot 2025-12-18 165723](https://hackmd.io/_uploads/ry9clIbmZl.png) Download file "chall.zip". Kemudian unzip filenya. ``` unzip chall.zip ``` Kemudian buat script dengan nama file yaitu "solveKanji.py". ``` from Crypto.Util.number import bytes_to_long, long_to_bytes import random try: from randcrack import RandCrack except ImportError: print("Please install randcrack: pip install randcrack") exit() kunci = bytes_to_long(b"days") with open("output.txt", "r") as f: lines = f.readlines() leaked_vals_xored = [int(line.strip()) for line in lines[:624]] encrypted_flag = int(lines[624].strip()) recovered_randoms = [] for val in leaked_vals_xored: original_rand = val ^ kunci recovered_randoms.append(original_rand) rc = RandCrack() for val in recovered_randoms: rc.submit(val) predicted_guess = rc.predict_getrandbits(32) flag_long = encrypted_flag ^ predicted_guess print(f"Flag: {long_to_bytes(flag_long)}") ``` Jalankan codenya. ``` python3 solveKanji.py ``` And boom! FLAG : ADIKARA25{riyal_or_fake_dikit-dikit_redacted} --- ### <a id=Sanity>Sanity Check</a> ![Screenshot 2025-12-18 165734](https://hackmd.io/_uploads/SkLilUWmZe.png) Ini langsung aja, flag gratisan soalnya. FLAG : ADIKARA25{ig_orang_ganteng_@pauldenieel_wellcometoADIKARA25} --- ### <a id=Berputar>Berputar</a> ![Screenshot 2025-12-18 165744](https://hackmd.io/_uploads/BJAsgIWmZe.png) Download file "Berputar.png" ![Berputar](https://hackmd.io/_uploads/rkE0l4W7Wl.png) Ternyata fotonya diedit dengan swirl or twirl effect. Mari kita edit fotonya. Saya pakai aplikasi GIMP. Klik File > Open > Pilih "Berputar.png". Kemudian klik Filters > Distorts > Whirl and Pinch... . Sesuaikan saja sampai gambar dan flag nya bisa dibaca dan tidak terlalu blur. ![Screenshot 2025-12-18 145020-min](https://hackmd.io/_uploads/Sk7GXNZ7Ze.png) Nah, ini kan masih text nya belum terlalu terbaca karena masih ada effect yaitu mirroring, nah kita mirror kembali gambarnya. Bisa pakai ss di atas saja. Saya menggunakan canva. Di canva, upload ss an tadi dan klik ss an nya, kemudian klik Flip. And boom! ![Flipped berputar](https://hackmd.io/_uploads/ryLo4Vb7bl.png) FLAG : ADIKARA25{4d4_y4n9_tr4um4_s4m4_1n1_g4_4wk0kwk0} --- ## <center><a id=CRYPTOGRAPHY>**CRYPTOGRAPHY**</a></center> ### <a id=Duty>"Your duty is not over!"</a> ![Screenshot 2025-12-18 165754](https://hackmd.io/_uploads/S1YhxUb7Wl.png) Download file "chall1.sage" dan "output.txt". Dengan clue yang diberikan, maka lempar soal ini ke AI andalan masing-masing wkwk (saya menggunakan Google Gemini gemini.google.com) dengan prompt berikut. ``` this is new chall called "Your duty is not over!" this is the description and the file for the chall One-Shot GPT(?) - harusnya... ``` Dan akan diberikan script sage untuk menyelesaikan soal ini. Bisa menggunakan tools "Sage" jika sudah diinstall, tetapi karena saya belum punya dan install toolsnya, maka saya gunakan tools online yaitu sagecell.sagemath.org. Berikut scriptnya. ``` from sage.all import * # 1. Masukkan nilai output dari file output.txt output_val = "-4.400254714186837720884005246153555926208584025958757068641460772267361124069883331715787521794824666417805984299685707768508770165125499844120963319726537732046645769753321201043441594392577223815605059723564766261895500496595275344809553817340743407591901042101627813085554129921395760041795744752720659384" # 2. Setup Field dengan presisi tinggi (lebih dari 1024 agar aman) R = RealField(2048) y = R(output_val) pi_val = R(pi) # 3. Hitung target arc tangent # x = k*pi + atan(y) => x - k*pi - atan(y) approx 0 target = atan(y) # 4. Konstruksi Lattice (Metode CVP/SVP Embedding) # Kita ingin mencari vektor pendek (x, k, error) # Persamaan: x*(1) + k*(-pi) + 1*(-target) = epsilon # Scaling factor yang besar untuk memanfaatkan presisi float S = 2**1500 # Matriks Basis Lattice # Kolom 1: Koefisien untuk x # Kolom 2: Koefisien untuk k # Kolom 3: Constraints (scaled) M = Matrix(ZZ, [ [1, 0, round(S)], # Mewakili variabel x [0, 1, round(-S * pi_val)], # Mewakili variabel k [0, 0, round(-S * target)] # Mewakili konstanta (embedding) ]) print("[*] Menjalankan LLL algorithm...") B = M.LLL() # 5. Cek hasil reduksi lattice def int_to_bytes(n): return n.to_bytes((n.bit_length() + 7) // 8, 'big') found = False for row in B: # Baris hasil adalah kombinasi linear basis: # row = x*Row1 + k*Row2 + 1*Row3 # Elemen pertama dari row adalah x (karena struktur matriks [1, 0, ...]) x_candidate = abs(row[0]) # Cek apakah kandidat x terlihat seperti flag if x_candidate > 0: try: flag_bytes = int_to_bytes(Integer(x_candidate)) if b"ADIKARA25" in flag_bytes: print(f"\n[+] FLAG FOUND: {flag_bytes.decode()}") found = True break except: continue if not found: print("[-] Flag tidak ditemukan. Coba tuning scaling factor.") ``` Klik Evaluate pada tools onlinenya. And boom! FLAG : ADIKARA25{introoo_too_sagemath_aokwaokwao} --- ### <a id=sambal256>sambal256</a> ![Screenshot 2025-12-18 165832](https://hackmd.io/_uploads/Byc6eIZ7Wg.png) Download "chall.zip". Unzip file nya. ``` unzip chall.zip ``` Nah, dalam file chall.zip, ternyata ada file "bumbu.json", "sambal_wallet.py" dan "masak_transaksi.py". Di dalam file "sambal_wallet.py" ada code ini. ``` slice_size = int(C * (10 ** (77 - (nonce_seed - (nonce_seed // divisor) * divisor)))) k = random.randint(1, slice_size - 1) ``` Nilai k (nonce) seharusnya acak penuh (256-bit). Tapi karena rumus di atas, nilai k jadi lebih kecil dari seharusnya yang biasa disebut Biased Nonce. Ini kelemahan yang memicu serangan matematika bernama **Hidden Number Problem (HNP)**. Kita akan buat script untuk menyelesaikan soal ini dengan nama file "solveSambal256.py". ``` import json import sys def main(): print("[*] Membaca bumbu.json...", file=sys.stderr) try: with open("bumbu.json", "r") as f: txs = json.load(f) except: print("[-] Error: bumbu.json tidak ditemukan.", file=sys.stderr) return N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 sigs = [] for tx in txs[:15]: try: r = int(tx['r'], 16) s = int(tx['s'], 16) z = int(tx['hash'], 16) sigs.append((r, s, z)) except: continue print(f"[*] Menggunakan {len(sigs)} sampel.", file=sys.stderr) r0, s0, z0 = sigs[0] s0_inv = pow(s0, -1, N) r0_inv = pow(r0, -1, N) u0 = (z0 * s0_inv) % N elim_factor = (s0 * r0_inv) % N A_vals = [] B_vals = [] for i in range(1, len(sigs)): ri, si, zi = sigs[i] si_inv = pow(si, -1, N) ti = (ri * si_inv) % N ui = (zi * si_inv) % N Ai = (ti * elim_factor) % N Bi = (ui - (Ai * u0)) % N A_vals.append(Ai) B_vals.append(Bi) sage_code = f""" N = {N} As = {A_vals} Bs = {B_vals} C_CONST = 1.157920892373162 u0 = {u0} t0 = {(r0 * s0_inv) % N} t0_inv = {elim_factor} def solve_elimination(remainder_guess): m = len(As) exponent = 77 - remainder_guess Bound = int(C_CONST * (10 ** exponent)) bits = Bound.bit_length() print(f"\\n[*] Testing pk % 30 == {{remainder_guess}} (Bound ~{{bits}} bits)...") matrix_rows = [] row_k0 = [1] + As + [0] matrix_rows.append(row_k0) for i in range(m): row = [0] * (m + 2) row[i+1] = N matrix_rows.append(row) row_const = [0] + Bs + [Bound] matrix_rows.append(row_const) M = Matrix(ZZ, matrix_rows) B_red = M.LLL() for row in B_red: k0_cand = abs(row[0]) if k0_cand == 0 or k0_cand >= N: continue d_cand = ((k0_cand - u0) * t0_inv) % N if d_cand > 0 and d_cand < N: k1_check = (As[0] * k0_cand + Bs[0]) % N if k1_check < (Bound * 4): return d_cand return None found = None for r in range(29, 14, -1): key = solve_elimination(r) if key: found = key break if found: h = hex(found) print("\\n" + "="*50) print("[+] FOUND! Private Key: " + h) print("[+] FLAG: ADIKARA25{{" + h + "}}") print("="*50) else: print("[-] Masih gagal. Coba tambah sampel.") """ print("\n" + "="*60) print("SALIN KODE DI BAWAH INI KE: https://sagecell.sagemath.org/") print("="*60 + "\n") print(sage_code) if __name__ == "__main__": main() ``` Kemudian jalankan code nya. ``` python3 solveSambal256.py ``` Sebenarnya bisa menggunakan tools bernama "Sage", tetapi karena saya tidak punya dan download, maka saya pakai tools online dari sagecell.sagemath.org. Ketika sudah dijalankan code di atas, maka pasti akan keluar output seperti ini. ``` python3 solveSambal256.py [*] Membaca bumbu.json... [*] Menggunakan 10 sampel. ============================================================ SALIN KODE DI BAWAH INI KE: https://sagecell.sagemath.org/ ============================================================ # --- DATA INPUT --- N = 115792089237316195423570985008687907852837564279074904382605163141518161494337 As = [66588331852208481522337871888845668318235457520906309883450482113035402425530, 113606784214285017167269751740596051500583698475799772006150605530692858087259, 58963002289612366773903237632051505613099074385978442950395385030872089058084, 72728260395293880728762414119991688487073028853377393889919749786514523688236, 34605437288756784616073217144098313966009523148701115827972191200450725103350, 45798728611883711632373041972936939510478908676666323241043728928140293449889, 86447950557162427585983028008399220379420958165800071905887157237904638394522, 83056121679191406203341098194527291838961644619135182816268104469265778715631, 32091759307442938661777722956162177486117346222132220580458174187928811292399] Bs = [2469396126124340542042535677611784678960521024226039026041788313887735162498, 73309783415841544161877716984320944410493852212742537009194469705867858155830, 110688735061565452681118608769996258500968040556368108736514214421758331763773, 75172104483698413521365103933985230853261876046982833598317441882246278836706, 71784145235535479397732851705889616016275480040736907928676653735318611282798, 36625409480483640496343741075599004433939298358539558296068832982854513728058, 2755426004704160626551887013967438041440011529247373710856420714346536929667, 45335204925471524646488632365890335547795837271450356124793514778328058697127, 83823918703140950734497519947878258921200891859369802329127806482524569431761] C_CONST = 1.157920892373162 # Data u0 dan t0 untuk recovery akhir u0 = 23662191080947673544485515835131281125291084306118327607072669314494605890799 # t0 = r0/s0 t0 = 1190801095606287211806676027396293760117380676874415004037229406114061658781 t0_inv = 94836963635411626315846013810977406580245579492735327950090619122495098787340 def solve_elimination(remainder_guess): m = len(As) # Jumlah relasi (total sampel - 1) # 1. Hitung Bound exponent = 77 - remainder_guess Bound = int(C_CONST * (10 ** exponent)) bits = Bound.bit_length() print(f"\n[*] Testing pk % 30 == {remainder_guess} (Bound ~{bits} bits)...") # 2. Matriks Lattice (CVP Embedding untuk k_i - A_i k_0 = B_i) # Kita mencari vektor (k_0, k_1, ..., k_m) yang pendek. # Relasi: k_i = A_i * k_0 + B_i (mod N) # # Basis: # [ 1, A_1, A_2, ..., A_m, 0 ] # [ 0, N, 0, ..., 0, 0 ] # [ 0, 0, N, ..., 0, 0 ] # ... # [ 0, B_1, B_2, ..., B_m, Bound] <-- Baris Konstanta (Target CVP) matrix_rows = [] # Baris k0 (Variable utama) # Format kolom: [val_k0, val_k1, ..., val_km, weight] # k_i approx A_i * k_0 row_k0 = [1] + As + [0] matrix_rows.append(row_k0) # Baris Modulus (untuk setiap relasi A_i) for i in range(m): row = [0] * (m + 2) row[i+1] = N matrix_rows.append(row) # Baris Konstanta (B_i) # Ini adalah target CVP yang kita embed ke SVP # Kita taruh B_i agar LLL mengurangkannya row_const = [0] + Bs + [Bound] matrix_rows.append(row_const) # 3. Reduksi M = Matrix(ZZ, matrix_rows) # LLL biasanya cukup untuk metode eliminasi ini karena d sudah hilang! B_red = M.LLL() # 4. Cek Solusi for row in B_red: # Elemen pertama adalah kandidat k_0 (atau -k_0) k0_cand = abs(row[0]) if k0_cand == 0 or k0_cand >= N: continue # Cek apakah k0 ini menghasilkan private key valid # d = (k0 - u0) * t0^-1 d_cand = ((k0_cand - u0) * t0_inv) % N # Validasi sederhana: d tidak boleh terlalu kecil/besar aneh if d_cand > 0 and d_cand < N: # Cek ulang ke nonce ke-1 # k1 = A1 * k0 + B1 k1_check = (As[0] * k0_cand + Bs[0]) % N if k1_check < (Bound * 4): # Toleransi return d_cand return None # --- EKSEKUSI --- # Range prioritas (29 turun ke 15) found = None for r in range(29, 14, -1): key = solve_elimination(r) if key: found = key break if found: h = hex(found) print("\n" + "="*50) print("[+] FOUND! Private Key: " + h) print("[+] FLAG: ADIKARA25 + h + ") print("="*50) else: print("[-] Masih gagal. Coba tambah sampel.") ``` Nah, salin output nya dari data input sampai line terakhir dan paste ke tools online sagecell nya, dan klik Evaluate. Pasti akan keluar output seperti ini. ``` [*] Testing pk % 30 == 29 (Bound ~160 bits)... [*] Testing pk % 30 == 28 (Bound ~163 bits)... [*] Testing pk % 30 == 27 (Bound ~167 bits)... [*] Testing pk % 30 == 26 (Bound ~170 bits)... [*] Testing pk % 30 == 25 (Bound ~173 bits)... [*] Testing pk % 30 == 24 (Bound ~177 bits)... [*] Testing pk % 30 == 23 (Bound ~180 bits)... [*] Testing pk % 30 == 22 (Bound ~183 bits)... [*] Testing pk % 30 == 21 (Bound ~187 bits)... [*] Testing pk % 30 == 20 (Bound ~190 bits)... [*] Testing pk % 30 == 19 (Bound ~193 bits)... [*] Testing pk % 30 == 18 (Bound ~197 bits)... [*] Testing pk % 30 == 17 (Bound ~200 bits)... [*] Testing pk % 30 == 16 (Bound ~203 bits)... [*] Testing pk % 30 == 15 (Bound ~207 bits)... ================================================== [+] FOUND! Private Key: 0x5469aed116df1ee0496645b51700cef1cbc3fec7772f3d078060cc26256c7b18 [+] FLAG: ADIKARA25 + h + ================================================== ``` And boom! Flagnya merupakan Recover Private Key itu sendiri. FLAG : ADIKARA25{0x5469aed116df1ee0496645b51700cef1cbc3fec7772f3d078060cc26256c7b18} --- ## <center><a id=RevEng>**REVERSE ENGINEERING**</a></center> ### <a id=Snake>Snake</a> ![Screenshot 2025-12-18 165842](https://hackmd.io/_uploads/BkqRxLZXZl.png) Download file "Snake" nya Kemudian pakai tools namanya "pyinstxtractor", jika belum ada toolsnya, maka clone repositori github toolsnya. ``` git clone https://github.com/extremecoders-re/pyinstxtractor.git ``` Kemudian pindahkan file "Snake" ke directory pyinstxtractor nya agar menjadi satu directory dengan tools nya ``` mv Snake pyinstxtractor/ ``` Kemudian kita jalankan toolsnya. ``` python3 pyinstxtractor.py Snake ``` Nah, lihat gambar berikut. ![image](https://hackmd.io/_uploads/HJBMpGbm-e.png) Ada file bernama "snake.pyc" di dalam file Snake. Sekarang masuk ke dalam directory extracted nya ``` cd snake_extracted ``` Buka browser, cari pyc decompiler (cth. pylingual.io). Setelah decompile, kita melihat key dan flag yang terbungkus dengan enkripsi XOR sederhana. Ini isi snake.pyc dibukan menggunakan pylingual.io ``` # Decompiled with PyLingual (https://pylingual.io) # Internal filename: snake.py # Bytecode version: 3.13.0rc3 (3571) # Source timestamp: 1970-01-01 00:00:00 UTC (0) import sys import random import base64 try: import pygame _KEY_B64 = b'czNjcjN0LWszeQ==' _KEY = base64.b64decode(_KEY_B64) _flag_obf_b64 = b'MncqOXImbFkGAgBdVxkAK0pfXkosAhAtXg1yDQcPQ0FSBgArSl9eSixEFgVsBx5YbABDRjxDXStLWl1NH04=' def _xor(data: bytes, key: bytes) -> bytes: return bytes((b ^ key[i % len(key)] for i, b in enumerate(data))) def get_flag() -> str: raw = base64.b64decode(_flag_obf_b64) return _xor(raw, _KEY).decode('utf-8', errors='strict') pygame.init() WIDTH, HEIGHT = (640, 480) screen = pygame.display.set_mode((WIDTH, HEIGHT)) pygame.display.set_caption('Snake CTF Challenge') clock = pygame.time.Clock() FONT = pygame.font.SysFont('consolas', 20) BIGFONT = pygame.font.SysFont('consolas', 28, bold=True) TILE = 20 def draw_text(surf, text, pos, color=(255, 255, 255), font=FONT): if isinstance(text, bytes): text = text.decode('ascii', errors='replace') surf.blit(font.render(str(text), True, color), pos) def game_over_screen(surf, score): surf.fill((0, 0, 0)) draw_text(surf, 'GAME OVER', (WIDTH // 2 - 60, HEIGHT // 2 - 40), color=(255, 50, 50), font=BIGFONT) draw_text(surf, f'Score: {score}', (WIDTH // 2 - 60, HEIGHT // 2), color=(255, 255, 255)) if score >= 99999: flag = get_flag() draw_text(surf, 'FLAG:', (WIDTH // 2 - 120, HEIGHT // 2 + 40), color=(50, 255, 50), font=BIGFONT) draw_text(surf, flag, (WIDTH // 2 - 120, HEIGHT // 2 + 80), color=(50, 255, 50), font=FONT) pygame.display.flip() waiting = True if waiting: for ev in pygame.event.get(): if ev.type == pygame.QUIT: pygame.quit() sys.exit(0) if ev.type == pygame.KEYDOWN: pass # postinserted else: # inserted waiting = False def main(): head = [WIDTH // 2, HEIGHT // 2] body = [[head[0], head[1]], [head[0] - TILE, head[1]], [head[0] - 2 * TILE, head[1]]] direction = (TILE, 0) food = [random.randrange(0, WIDTH // TILE) * TILE, random.randrange(0, HEIGHT // TILE) * TILE] score = 0 speed = 10 running = True if running: clock.tick(speed) for event in pygame.event.get(): if event.type == pygame.QUIT: pygame.quit() sys.exit(0) if event.type == pygame.KEYDOWN: pass # postinserted else: # inserted if event.key == pygame.K_UP and direction!= (0, TILE): direction = (0, -TILE) else: # inserted if event.key == pygame.K_DOWN and direction!= (0, -TILE): direction = (0, TILE) else: # inserted if event.key == pygame.K_LEFT and direction!= (TILE, 0): direction = (-TILE, 0) else: # inserted if event.key == pygame.K_RIGHT and direction!= (-TILE, 0): pass # postinserted else: # inserted direction = (TILE, 0) head[0] = (head[0] + direction[0]) % WIDTH head[1] = (head[1] + direction[1]) % HEIGHT body.insert(0, [head[0], head[1]]) if head[0] == food[0] and head[1] == food[1]: score += 1 if score % 50 == 0 and speed < 30: speed += 1 pass nx = random.randrange(0, WIDTH // TILE) * TILE ny = random.randrange(0, HEIGHT // TILE) * TILE if [nx, ny] not in body: food = [nx, ny] break body.pop() running = False if body.count(head) > 1 else False screen.fill((10, 10, 10)) pygame.draw.rect(screen, (255, 50, 50), (food[0], food[1], TILE, TILE)) for i, seg in enumerate(body): color = (0, 200 - min(i * 5, 150), 0) if i == 0 else (0, 150 - min(i * 3, 100), 0) pygame.draw.rect(screen, color, (seg[0], seg[1], TILE, TILE)) draw_text(screen, f'Score: {score}', (10, 10)) draw_text(screen, 'Reach 99999 points to get the flag.', (10, 35)) pygame.display.flip() game_over_screen(screen, score) if __name__ == '__main__': main() except ImportError: print('pygame not installed. Install with: pip install pygame') sys.exit(1) ``` Kemudian kita buat script untuk menyelesaikan challenge ini dengan nama script "solveSnake.py" ``` import base64 # Data from snake.pyc _KEY_B64 = b'czNjcjN0LWszeQ==' _flag_obf_b64 = b'MncqOXImbFkGAgBdVxkAK0pfXkosAhAtXg1yDQcPQ0FSBgArSl9eSixEFgVsBx5YbABDRjxDXStLWl1NH04=' def solve(): # Decode key and flag from base64 key = base64.b64decode(_KEY_B64) raw_flag = base64.b64decode(_flag_obf_b64) # Do XOR Operations flag = bytes((b ^ key[i % len(key)] for i, b in enumerate(raw_flag))) print("Flag Anda:") print(flag.decode('utf-8')) solve() ``` And boom! FLAG : ADIKARA25{sn4k3_g4m3_1s_my_f4v0r1t3_g4m3_wuw_s33_y0u_1n_f1n4l} ---