Post

sudo kurl

Posted
By Dimitrie-Toma Furdui
6 min read

We have a 2D board and we have to set it up in a specific way to be able to get the flag:

The board is stored as a vector of vectors (from C++). We can set up some structures in IDA to make reversing easier:

1
2
3
4
5
6
7
8
9
10
11
12
13

struct IntVector // sizeof=0x18
{
    int *start;
    int *finish;
    int *end;
};

struct IntVector2D // sizeof=0x18
{                                       // XREF: .bss:board/r
    IntVector *start;
    IntVector *finish;
    IntVector *end;
};

We also have a displayBoard function:

This function is not called anywhere, but we can call it ourselves in GDB:

It’s a 25 by 25 board. Let’s see the checks applied to see if we won. The function checkWin validates that all elements of the board are different from 0:

0 is considered that an element is missing. isValid performs multiple checks, let’s take them one by one.

The first check takes every row and validates if the elements are unique, via a separate vector that stores the frequencies.

Then, in the same nested loop, it takes every column and checks if the elements are unique.

The last check splits the board into 5x5 squares and validates if every element is unique.

These validations are exactly the same as a Sudoku puzzle, but with a different board size. I was too lazy to implement a Sudoku solver, so I used puppeteer to visit an online solver and fill the squares and take the results :D

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

import asyncio
from pyppeteer import launch
from pwn import *
import time

board_string = """
. . . 21 . 11 . . 3 24 9 20 23 . 7 22 . 5 18 . 15 2 16 13 .
24 4 . 20 15 . . 5 . 16 2 25 22 . 17 6 21 . 14 . 8 10 1 19 18
. . 10 . 5 . 21 19 22 . 3 13 1 16 . 15 4 7 23 24 12 . 14 . .
. . 13 6 12 14 4 1 . . 24 18 19 5 . . 17 . . . 7 22 . 9 21
. 23 19 7 . . 6 . . 20 15 4 . 21 . . . . 16 10 24 3 . 17 5
12 15 21 . . . 16 6 18 5 7 . 17 3 9 14 . 4 24 22 13 . . . .
14 10 11 2 24 1 25 22 20 . . 23 6 19 . 13 5 8 12 . 17 . 7 15 9
. . . . 1 24 . 3 15 10 20 8 5 . 25 9 16 19 21 . 2 6 . 12 14
. . 5 . 3 . 23 14 8 . . 2 15 . 12 . 7 1 17 6 22 21 4 . 19
13 . . 4 20 . . . 17 . 11 16 . . 22 . 10 18 15 23 . 25 8 1 3
20 25 7 22 . 23 . 10 1 . . . . 13 4 21 . 6 19 . 3 9 15 8 .
1 24 . . . 4 . 20 13 . 8 . 3 . 19 16 2 12 9 5 . 14 10 25 22
. . . . . . . 9 24 . 25 6 . 2 16 4 8 10 . 17 18 7 21 . 1
. 8 . 10 14 16 3 25 6 . . 7 18 9 11 . 13 . 20 . 19 24 5 . 17
17 3 . 15 9 5 . . 11 . . 21 . . 23 7 . 22 . . 20 13 12 4 6
15 . 20 11 21 10 . . 5 22 16 . . 8 3 24 . 13 2 19 . . . . .
. 13 8 . 19 17 . . . . . 12 7 24 6 . 15 23 22 4 14 5 9 . .
9 1 23 14 4 . 24 . 7 8 19 . 2 . 13 17 3 20 5 . . 15 . 16 10
10 . 2 12 . 13 18 15 . . 17 5 . 20 21 8 1 16 . 7 . 19 . 11 .
7 5 17 24 16 20 2 11 19 3 23 . 4 15 1 18 14 . 10 . . 8 13 21 12
. 20 9 . 7 15 22 17 10 . 12 19 . . 24 25 . 14 4 8 16 18 2 . .
19 2 24 8 . . 20 7 4 . . . 9 . 15 5 . 21 11 16 1 . . 14 25
. . 25 1 . 8 5 23 14 6 4 17 16 . 2 . 20 . 13 9 10 12 24 7 15
. . 14 . . . . . . 2 6 10 13 . 5 12 . 24 . . 9 11 . 3 8
6 . 15 . 13 . . 24 . 9 1 . 8 25 . 10 18 17 . 2 . 4 19 . 23
""".strip()

board = [[0] * 25 for _ in range(25)]

for row, line in enumerate(board_string.split("\n")):
    for column, cell in enumerate(line.split(" ")):
        board[row][column] = int(cell) if cell != "." else 0

async def main():
    browser = await launch()
    page = await browser.newPage()
    await page.goto("https://sudokuspoiler.com/sudoku/sudoku25")

    cookies_selector = "button[mode=primary]"
    await page.waitForSelector(cookies_selector, {"visible": True})
    cookies = await page.querySelector(cookies_selector)
    await cookies.click()

    fields = await page.querySelectorAll("#grid input[type=text]")
    board_flattened = sum(board, [])
    for index, field in enumerate(fields):
        value = board_flattened[index]
        if value == 0:
            continue
        await page.evaluate(f"(field) => field.value = '{value}'", field)

    solve_button = await page.querySelector("#solveButton")
    await solve_button.click()

    time.sleep(3)

    solution = []

    for field in fields:
        value = await page.evaluate("(field) => field.value", field)
        solution.append(value)

    await browser.close()

    assert len(solution) == 625 and all(value != 0 for value in solution)

    solution = [solution[i:(i + 25)] for i in range(0, len(solution), 25)]

    def send_cell(row, column, value):
        io.sendlineafter("Row [1-25] (-1 to check win): ", str(row).encode())
        io.sendlineafter("Column [1-25]: ", str(column).encode())
        io.sendlineafter("Troups [1-25]: ", str(value).encode())

    context.log_level = "debug"
    io = process("./chall")
    for i in range(25):
        for j in range(25):
            if board[i][j] != 0:
                continue
            send_cell(i + 1, j + 1, solution[i][j])

    io.sendline(b"-1")
    log.success(io.clean(timeout=1))
    io.kill()

asyncio.get_event_loop().run_until_complete(main())
ctf, TRX CTF 2025
reverse
This post is licensed under CC BY 4.0 by the author.