2023 Cyber Apocalypse: Shattered Tablet

#htb #ctf #reverse #constraint-satisfaction #byte-analysis

Challenge Information

AttributeDetails
Event2023 Cyber Apocalypse
CategoryReverse
ChallengeShattered Tablet

Summary

This challenge requires reconstructing an input string by understanding how the binary accesses different byte offsets of the input. The binary reads a 64-byte input and checks hundreds of conditions involving different byte positions and values.

Analysis

The vulnerable code:

printf("Hmmmm... I think the tablet says: ");
fgets((char *)&local_48, 0x40, stdin);


if (((((((((local_30._7_1_ == 'p') && (local_48._1_1_ == 'T')) && (local_48._7_1_ == 'k')) &&
        ((local_28._4_1_ == 'd' && (local_40._3_1_ == '4')))) &&
       ((local_38._4_1_ == 'e' && ((local_40._2_1_ == '_' && ((char)local_48 == 'H')))))) &&
      (local_28._2_1_ == 'r')) &&
     ...

The input is accessed in two ways:

  • (char)local_48 - access as char (byte 0)
  • local_48._1_1_ - access second byte
  • local_48._7_1_ - access eighth byte
  • local_48._3_1_ - access fourth byte, etc.

Each condition specifies which byte at which offset must equal which character.

Solution

To solve this manually:

  1. Extract all conditions involving each local variable

  2. Map byte offsets to constraint values:

    • local_48 is input bytes 0-7
    • local_40 is input bytes 8-15
    • local_38 is input bytes 16-23
    • local_30 is input bytes 24-31
    • local_28 is input bytes 32-39

  3. Reconstruct the string:

    • local_48._0_1_ (byte 0) = ‘H’
    • local_48._1_1_ (byte 1) = ‘T’
    • local_48._2_1_ (byte 2) = ‘B’
    • local_48._3_1_ (byte 3) = ’{’
    • Continue for all bytes…

  4. Result: HTB{br0k3n_4p4rt,n3ver_t0_b3_r3p41r3d}

Automated approach using constraint extraction:

# Extract constraints from Ghidra decompilation
# Build mapping of position -> character
constraints = {
    0: 'H',      # local_48[0]
    1: 'T',      # local_48[1]
    2: 'B',      # local_48[2]
    3: '{',      # local_48[3]
    # ... continue for all positions ...
}


# Reconstruct string
result = ''.join(constraints[i] for i in range(64))

Key Takeaways

  • Understanding memory layout and byte access is critical
  • Multi-byte field access patterns reveal input structure
  • Systematic constraint extraction enables automated solutions
  • Complex conditions can be decomposed into individual constraints
  • Position-specific validation reveals required character values