Project Sekai - ✅-rev-geoguesser

Project Sekai

🔒 UIUCTF 2023 / ✅-rev-geoguesser

geoguesser - 500 points

Category: Rev Description: I thought geoguesser was too easy, so I made it harder. Usage: janet -i program.jimage nc geoguesser.chal.uiuc.tf 1337 Author: richard Files:

Tags: No tags.

Sutx pinned a message to this channel. 06/30/2023 5:15 PM

@Violin wants to collaborate

ok so its janet prog lang

22:03

prob need some interpreter

22:05

looking at dumped jimage seems to have some math rng then we need to guess the answer

22:11

janet seems just compiled elf of janet

22:12

nothing needs reversing

22:18

# ./janet -i program.jimage 
Welcome to geoguesser!
Where am I? 0.2,0.3
Nope. You have 4 guesses left.
Where am I? 1,1
Nope. You have 3 guesses left.
Where am I? 1,1
Nope. You have 2 guesses left.
Where am I? 0,1
Nope. You have 1 guesses left.
Where am I? 1,0.2
You lose!
The answer was: <tuple 0x5584FD29DBC0>

22:19

gives tuple in the end, we need to hook and get the values maybe??

22:22

# strings program.jimage 
root-env
parse-coord
source-map
main.janet
value
parse-coord
main
float
number
some
        peg/match
_000031
_000032,
(parse-coord s)
random-float
random-float
math/rng-uniform
(random-float min max)
main
main
Welcome to geoguesser!
print
init-rng
os/time
math/rng
init-rng,
guessing-game
        get-guess
Where am I? 
prin
stdin
line
        file/read
"Not a valid coordinate. Try again.
        get-guess
_000033
input-line
_00003w
num,
compare-coord
compare-float
math/abs
        tolerance
compare-float,
compare-coord
_00003P,
Nope. You have 
 guesses left.
answer
guessing-game
guess
        remaining
_00004I,
print-flag
flag.txt
        file/open
You win!
string/trimr
The flag is: 
print-flag
        You lose!
The answer was: 
(main &)
(init-rng)
*macro-lints*
(compare-float a b tolerance)
(compare-coord a b tolerance)
        precision
(guessing-game answer)
*current-file*
source
coordinate-peg
(get-guess)
(print-flag)

22:23

ok so some guessing

22:23

There's os/time, so they probably used a seed based on connection time, then (random-float min max) gives 2 values

22:24

So we just need to know min and max maybe

@Rench wants to collaborate

so basically they give janet binary which is just the janet compiled elf

22:26

it can load jimage file which are pre-compiled janet programs

22:26

if you load it, it asks for coordinates, in format x.xxx,y.yyy

sahuang

# ./janet -i program.jimage 
Welcome to geoguesser!
Where am I? 0.2,0.3
Nope. You have 4 guesses left.
Where am I? 1,1
Nope. You have 3 guesses left.
Where am I? 1,1
Nope. You have 2 guesses left.
Where am I? 0,1
Nope. You have 1 guesses left.
Where am I? 1,0.2
You lose!
The answer was: <tuple 0x5584FD29DBC0>

after 5 times it shows this (notice The answer was: <tuple 0x5584FD29DBC0>)

22:27

Looking at strings, I have some guess on how the numbers are generated, now to verify it we need to get the values of the tuple (prob with dynamic analysis)

22:27

(parse-coord s)
random-float
random-float
math/rng-uniform
(random-float min max)
init-rng
os/time
math/rng

22:27

key strings

22:28

they generated 2 random floats with rng-uniform

22:28

to init rng, they used os time

22:28

but we dont know min/max (guess is -90~90 or 0~90)

22:28

they give 5 times because time can have delay of +-2s

22:32

(math/rng-uniform (math/rng (os/time))) ok this gives a uniform number

22:33

looks matching their code

22:33

but no random-float here

k im here lemme read through everything

sahuang

but no random-float here

ok random-float is their defined function

22:35

 ?random-float??韶math/rng-uniform 
 ?min 
?max 
?,  *  ; /  * 3         3

22:35

some numbers

22:36

yeah we just need to get the values and then reverse guess the logics or whatever

22:37

(defn random-float [lower greater]
  (+ (* (math/rng-uniform RNG)
        (- greater lower))
     lower))

some online script

22:37

seems similar

22:38

min + rand * (max - min)

22:38

makes sense

22:38

so yeah just hope to get the final values The answer was: <tuple 0x5584FD29DBC0> to guess

so

22:40

you want me to try and debug to see what's in the tuple at 0x5584FD29DBC0?

yes

22:40

each run will be different

22:40

just need a range

22:40

like 0-90 or -90-90 or 0-1

kk I'll see what I can do

22:48

this is gonna be so painful lol

22:48

the binary is so bloated (edited)

oh, so cant step to the end?

lemme keep trying

22:48

probably can

22:48

will just take me a while to get there

22:50

oh wait there's the function run_vm

22:50

maybe I can just stay in it and be good

i just tried the coordinate (x,y) should satisfy x in (-90,90) and y in (-180,180) So if you can get the timestamp of running the program + the result, its fairly guessable

22:55

wait

22:55

@Rench \solved

22:55

LMAO

22:55

guessed everything

huh

sahuang

used /ctf submit

✅ Well done, challenge solved!

wtf

22:55

explain

(defn random-float [min max rng]
  (+ (* (math/rng-uniform rng)
        (- max min))
     min))

(defn -main []
  (let [rng (math/rng (os/time))
        num1 (random-float -90 90 rng)
        num2 (random-float -180 180 rng)]
    (print "Random float 1: " num1 "\n")
    (print "Random float 2: " num2 "\n")))

(-main)

22:56

guessed the original program

bro

22:56

wait how did you get seed for random?

let [rng (math/rng (os/time)

22:56

os/time returns the unix timestamp

22:56

so basically run above program, then run nc\

22:57

then enter the result

did you just like lineup nc time with that time

22:57

and hope it worked

22:57

ok that's crazy

yeah same time

good work

xd

22:58

glad their program is not complex

Exported 78 message(s)