SEKAI CTF part WP (Ichao, Hatsune Miku)

 This is my first time participating in an international competition. I feel it’s not that bad. I can at least understand the questions.

852 teams in total 

Attached is the final ranking photo of the rookie team (ranked 155th)

Attached is the competition URL:

Project SEKAI CTF 2022

(1)Vocaloid Heardle(misc)

According to the question prompt, I found that this is not a question related to steganography.

Download the two provided files. When the mp3 file named flag is opened, it is not noise but a mix of songs by Miku and other virtual (2D) singers.

Running it through an audio analysis tool turned up nothing.

Then open the py file and analyze it.

The main function reads the string in the flag file, takes the middle part of the flag, and converts its characters to decimal one by one before calling the functions.

The upper of the two functions first fetches the JSON resource, then finds the musicID whose value equals the decimal number passed by the main function, and then stores the resource package name for that musicID in the variable resource.

The lower function opens the resource named by the variable resource and writes the corresponding mp3 file to a local mp3 file.

I don’t understand the operation at the bottom, but I can boldly guess that the overall logic is to go to the resource page and look up the corresponding music one by one, based on the decimal values converted from the flag field. The final operation is probably to merge all the music into one music file, which is flag.mp3.

Open the corresponding json resource page

https://sekai-world.github.io/sekai-master-db-diff/musicVocals.json

Looking carefully, there is some Japanese display text, which may be the name of the song.

However, searching for it on NetEase Cloud Music found nothing. After translating it, it turned out to be just the virtual singer's name in Japanese.

But the same page contains a key named assetbundleName.

Just look for it in the same entry.

Then open the website according to the code below

Opening any one of them leads to the mp3 resource page.

The general logic is as follows:

(1) Convert each character of the extracted flag field into decimal, then go to https://sekai-world.github.io/sekai-master-db-diff/musicVocals.json and find the musicID equal to that decimal number

(2) In the JSON, find the assetbundleName in the same entry as that musicID

(3) Open the corresponding resource page according to assetbundleName

(4) Download the song on the resource page to the local machine

(5) Finally, the downloaded clips are cut together into one mix

The bad news is that the only way back is to listen: compare each clip of the mix in the given flag.mp3 file against the songs on the resource pages one by one. If a song matches, its musicID is the decimal value of one character of the flag.

Of course, you can also listen to all the songs on the resource pages and to the mix, and then identify the songs one by one.

The good news is that the ASCII range is limited, so you can first listen to the songs for characters that often appear in flags (0~9, uppercase and lowercase letters); after narrowing the range this way, listening manually is feasible. Note that each piece of music has different versions, such as a Miku version and a singer version.
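The lookup in steps (1) to (5) and the narrowing to plausible flag characters, as an added example (not the challenge's own script): it indexes musicVocals.json-shaped entries both ways and maps the bundle recognised for each clip back to a character. The sample entries, their assetbundleName values and the key spelling `musicId` are assumptions made for illustration.

```python
import json
import string
from collections import defaultdict

# Constructed sample shaped like musicVocals.json; the assetbundleName values
# are invented, and the key spelling "musicId" is an assumption.
SAMPLE_JSON = """[
  {"musicId": 118, "assetbundleName": "sample_0118_a"},
  {"musicId": 118, "assetbundleName": "sample_0118_b"},
  {"musicId": 48,  "assetbundleName": "sample_0048_a"},
  {"musicId": 60,  "assetbundleName": "sample_0060_a"},
  {"musicId": 51,  "assetbundleName": "sample_0051_a"},
  {"musicId": 300, "assetbundleName": "sample_0300_a"}
]"""

# Characters that can plausibly appear inside a flag.
FLAG_CHARSET = set(string.ascii_letters + string.digits + string.punctuation)

def load_sample():
    return json.loads(SAMPLE_JSON)

def build_indexes(vocals):
    """Index entries both ways: musicId -> bundles, bundle -> musicId."""
    by_music, by_bundle = defaultdict(list), {}
    for entry in vocals:
        by_music[entry["musicId"]].append(entry["assetbundleName"])
        by_bundle[entry["assetbundleName"]] = entry["musicId"]
    return by_music, by_bundle

def candidates(by_music, charset=FLAG_CHARSET):
    """Bundles worth listening to, keyed by the flag character they encode."""
    return {chr(mid): names for mid, names in sorted(by_music.items())
            if mid < 128 and chr(mid) in charset}

def decode(identified, by_bundle):
    """Turn the bundle recognised for each clip of the mix into a character."""
    chars = []
    for name in identified:
        mid = by_bundle.get(name)
        chars.append(chr(mid) if mid is not None and mid < 128 else "?")
    return "".join(chars)

if __name__ == "__main__":
    by_music, by_bundle = build_indexes(load_sample())
    for ch, names in candidates(by_music).items():
        print(repr(ch), names)
    print(decode(["sample_0118_b", "sample_0048_a", "sample_0060_a"], by_bundle))
```

Several bundles can share one musicId (the different versions of a song), which is why `candidates` returns a list per character and `decode` accepts any of them.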

After listening to it from beginning to end, I only missed one character. I thought it was a special character. After listening again, I found that it was '<'.

Finally get the flag:

SEKAI{v0CaloId<3u}

   

(2)Matrix Lab 1(re)

After downloading the file, I found it was a .class file and threw it into IDEA to decompile it.

Analysis of the main function shows that the flag length is 43 and that it is divided into three sections. The middle section is passed to the solve function.

Go to the solve function.

First the string is converted into a two-dimensional array (6*6).

The next operation shifts each element in the matrix.

Next, the matrix is encrypted.

getArray combines two rows of the matrix into a string (one row is reversed).

Encrypt first performs a rail-fence encryption, and then performs an XOR with a decimal number (key).

This same type of operation is done in three groups, so the final flag consists of three groups.

 

Write a script:

#include <cstdio>
#include <iostream>
#include <string>
using namespace std;

int len=6;

int tempres[6][6];

// Undo Encrypt: XOR every byte with the key, then reverse the fence interleaving.
string de(string key,int num){
    // Sized std::string; the original char[12] was returned without a terminating NUL.
    string str(12,'\0');
    for(int i=0;i<12;i++){
        key[i]^=num;
    }

    // Even positions fill the left half from right to left,
    // odd positions fill the right half from left to right.
    int var3=5;
    int var4=6;
    for(int i=0;i<12;i+=2){
        str[var3--]=key[i];
        str[var4++]=key[i+1];
    }

    return str;
}

// Undo getArray: the first 6 characters are row fi, the last 6 are row se reversed.
void re_getArray(string temp,int fi,int se){

    int j=0;
    for(int i=0;i<len;i++){
        tempres[fi][i]=temp[j];
        j++;
    }

    for(int i=0;i<len;i++){
        tempres[se][len-1-i]=temp[j];
        j++;
    }
}

// Undo the element shift done in solve, ring by ring.
void re_solve(){
    int length=6;
    for(int var2 = 0; var2 <= length / 2; ++var2) {
        for(int var3 = 0; var3 < length - 2 * var2 - 1; ++var3) {
            char var4 = tempres[var2 + var3][length - 1 - var2];
            tempres[var2 + var3][length - 1 - var2]=tempres[length - 1 - var2][length - 1 - var2 - var3];
            tempres[length - 1 - var2][length - 1 - var2 - var3]=tempres[length - 1 - var2 - var3][var2];
            tempres[length - 1 - var2 - var3][var2]=tempres[var2][var2 + var3];
            tempres[var2][var2 + var3]=var4;
        }
    }
}

int main()
{
    // The three encrypted groups and their XOR keys
    string key1="oz]{R]3l]]B#";
    string key2="50es6O4tL23E";
    string key3="tr3c10_F4TD2";

    string temp_key1=de(key1,2);
    string temp_key2=de(key2,1);
    string temp_key3=de(key3,0);

    // Each group holds one row pair of the 6*6 matrix
    re_getArray(temp_key1,0,5);
    re_getArray(temp_key2,1,4);
    re_getArray(temp_key3,2,3);

    re_solve();

    // Print the recovered matrix row by row
    for(int i=0;i<6;i++){
        for(int j=0;j<6;j++){
            printf("%c",tempres[i][j]);
        }
    }

    return 0;
}

Get flag:

(3)Perfect Match X-treme(re)

After opening it, there is a jelly bean (Fall Guys style) game demo.

After playing around for a while: originally the boxes at the bottom were all fruits, but in the end the display showed something similar to this

Sure enough, you can’t get the flag directly just by playing the game.

So simply open the compressed package with WinRAR, and then search for the keyword SEKAI.

It was actually found.

Go to the corresponding file.

Just add the H3CK_15_ in the lower left corner between SEKAI{F4LL_GUY5_ and 1LL3G4L}

Get SEKAI{F4LL_GUY5_H3CK_15_1LL3G4L}

(Then I happily got a score of about 490+)

Reprinted from: blog.csdn.net/weixin_51681694/article/details/127172655