August 21, 2024

idek CTF 2024

剛好看到同學說有報名 idek CTF,想說就去玩玩看,最後只解了兩題

一題reverse 一題 misc 都是簡單的題目

可以看到敘述,分數最高的 player 可以獲得 flag,很明顯我們的目標會在 score 之類的地方

解包解壓縮後可以看到有這些東西, .exe,確定遊戲是跑在 windows 底下的

打開遊戲,可以發現就是 chrome 離線時的小遊戲,玩法一樣

這遊戲的音樂很大聲

其實解題思路在這邊就很清晰了,我們要達到高分,那不免俗可能需要 cheat engine 的幫助,這邊有兩個可以嘗試的目標,所謂的高分是指

後來我用 cheat engine 找到存放最高分數的位置,修改後沒有得到 flag

情理之中,歷史最高分 > 某個數字就可以拿到 flag 的邏輯還是怪怪的

所以應該是 目前的分數高到足夠可以得到 flag,我一樣去分析但其實找不太到存在當前分數的地方,不確定是不是故意設計成這樣,後來放棄分析主程式跑去看有什麼其當的檔案就真的看到有趣的東西了 spritesheet.json

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

    {
    "ground_0": {"x": 2, "y": 54, "width": 600, "height": 12},
    "ground_1": {"x": 602, "y": 54, "width": 600, "height": 12},
    "restart_button": {"x": 2, "y": 2, "width": 36, "height": 32},
    "restart_text": {"x": 655, "y": 15, "width": 191, "height": 11},
    "cloud": {"x": 86, "y": 2, "width": 46, "height": 14},
    "char_0": {"x": 655, "y": 2, "width": 9, "height": 11},
    "char_1": {"x": 665, "y": 2, "width": 9, "height": 11},
    "char_2": {"x": 675, "y": 2, "width": 9, "height": 11},
    "char_3": {"x": 685, "y": 2, "width": 9, "height": 11},
    "char_4": {"x": 695, "y": 2, "width": 9, "height": 11},
    "char_5": {"x": 705, "y": 2, "width": 9, "height": 11},
    "char_6": {"x": 715, "y": 2, "width": 9, "height": 11},
    "char_7": {"x": 725, "y": 2, "width": 9, "height": 11},
    "char_8": {"x": 735, "y": 2, "width": 9, "height": 11},
    "char_9": {"x": 745, "y": 2, "width": 9, "height": 11},
    "char_h": {"x": 755, "y": 2, "width": 9, "height": 11},
    "char_i": {"x": 765, "y": 2, "width": 9, "height": 11}, 
    "trex_crashed": {"x": 1024, "y": 2, "width": 44, "height": 47},
    "trex_idle_0": {
        "x": 848,
        "y": 2,
        "width": 44,
        "height": 47,
        "collision": [
            {"x": 1, "y": 18, "width": 30, "height": 9},
            {"x": 1, "y": 24, "width": 29, "height": 5},
            {"x": 10, "y": 35, "width": 14, "height": 8},
            {"x": 22, "y": 0, "width": 18, "height": 16},
            {"x": 5, "y": 30, "width": 21, "height": 4},
            {"x": 9, "y": 34, "width": 15, "height": 4}
        ]
    },
    "trex_blink_0": {
        "x": 892,
        "y": 2,
        "width": 44,
        "height": 47
    },
    "trex_running_0": {
        "x": 936,
        "y": 2,
        "width": 44,
        "height": 47,
        "collision": [
            {"x": 1, "y": 18, "width": 30, "height": 9},
            {"x": 1, "y": 24, "width": 29, "height": 5},
            {"x": 10, "y": 35, "width": 14, "height": 8},
            {"x": 22, "y": 0, "width": 18, "height": 16},
            {"x": 5, "y": 30, "width": 21, "height": 4},
            {"x": 9, "y": 34, "width": 15, "height": 4}
        ]
    },
    "trex_running_1": {
        "x": 980,
        "y": 2,
        "width": 44,
        "height": 47,
        "collision": [
            {"x": 1, "y": 18, "width": 30, "height": 9},
            {"x": 1, "y": 24, "width": 29, "height": 5},
            {"x": 10, "y": 35, "width": 14, "height": 8},
            {"x": 22, "y": 0, "width": 18, "height": 16},
            {"x": 5, "y": 30, "width": 21, "height": 4},
            {"x": 9, "y": 34, "width": 15, "height": 4}
        ]
    },
    "trex_ducking_0": {
        "x": 1112,
        "y": 2,
        "width": 59,
        "height": 47,
        "collision": [
            {"x": 1, "y": 18, "width": 55, "height": 25}
        ]
    },
    "trex_ducking_1": {
        "x": 1171,
        "y": 2,
        "width": 59,
        "height": 47,
        "collision": [
            {"x": 1, "y": 18, "width": 55, "height": 25}
        ]
    },
    "obstacle_small_0": {
        "x": 228,
        "y": 2,
        "width": 17,
        "height": 35,
        "collision": [
            {"x": 0, "y": 7, "width": 5, "height": 27},
            {"x": 4, "y": 0, "width": 6, "height": 34},
            {"x": 10, "y": 4, "width": 7, "height": 14}
        ]
    },
    "obstacle_small_1": {
        "x": 245,
        "y": 2,
        "width": 34,
        "height": 35,
        "collision": [
            {"x": 0, "y": 7, "width": 5, "height": 27},
            {"x": 4, "y": 0, "width": 22, "height": 34},
            {"x": 27, "y": 4, "width": 7, "height": 14}
        ]
    },
    "obstacle_small_2": {
        "x": 279,
        "y": 2,
        "width": 51,
        "height": 35,
        "collision": [
            {"x": 0, "y": 7, "width": 5, "height": 27},
            {"x": 4, "y": 0, "width": 39, "height": 34},
            {"x": 44, "y": 4, "width": 7, "height": 14}
        ]
    },
    "obstacle_large_0": {
        "x": 332,
        "y": 2,
        "width": 25,
        "height": 50,
        "collision": [
            {"x": 0, "y": 12, "width": 7, "height": 38},
            {"x": 8, "y": 0, "width": 7, "height": 49},
            {"x": 13, "y": 10, "width": 10, "height": 38}
        ]
    },
    "obstacle_large_1": {
        "x": 357,
        "y": 2,
        "width": 50,
        "height": 50,
        "collision": [
            {"x": 0, "y": 12, "width": 7, "height": 38},
            {"x": 8, "y": 0, "width": 33, "height": 49},
            {"x": 40, "y": 10, "width": 10, "height": 38}
        ]
    },
    "obstacle_large_2": {
        "x": 407,
        "y": 2,
        "width": 75,
        "height": 50,
        "collision": [
            {"x": 0, "y": 12, "width": 7, "height": 38},
            {"x": 8, "y": 0, "width": 58, "height": 49},
            {"x": 65, "y": 10, "width": 10, "height": 38}
        ]
    }

他記錄了整個遊戲角色、障礙物的座標以及大小,答案呼之欲出了,這邊我們只要把所有障礙物的 width & height 修改成0就可以跑在乾淨的道路上了