solve.py (1074B)
1from pwn import * 2from base64 import b64decode 3import subprocess 4 5def extract_char(index): 6 io = remote("localhost", 1337) 7 8 scalex = 1 << (64 + index * 8) 9 scaley = "9" * 100 10 11 io.readuntil(b"Flag length: ") 12 flaglen = int(io.readline()) 13 14 io.readuntil(b"Image width: ") 15 width = int(io.readline()) 16 17 io.readuntil(b"Image height: ") 18 height = int(io.readline()) 19 20 print(flaglen, width, height) 21 22 io.readuntil(b"Scale x: ") 23 io.sendline(str(scalex).encode()) 24 25 io.readuntil(b"Scale y: ") 26 io.sendline(str(scaley).encode()) 27 28 data = b64decode(io.readline().strip()) 29 with open("tmp.webp", "wb+") as f: 30 f.write(data) 31 io.close() 32 33 output = subprocess.check_output(["node", "findoff.js"]) 34 indexlines = [l for l in output.split(b"\n") if l.startswith(b"IDX ")] 35 indexes = set([int(l.split()[1]) for l in indexlines]) 36 print(len(indexes), indexes) 37 38 return chr(list(indexes)[0]) 39 40flag = "" 41for i in range(40): 42 if flag.startswith("SECCON"): 43 break 44 flag = extract_char(i) + flag 45print(flag)