TL;DR

Script embeds a second compiled AppleScript blob; the inner script starts at offset 190. The inner script validates a full flag string candidate

| candidate | = 0x18 = 24
prefix is SECCON{ and suffix is }
The 16 char middle payload must satisfy Shimbashi, Ginza, Kanda and Sugamo

Shimbashi is an invertible per-character encoding with embedded target outputs

$o_i=ord(p_i)+13+\delta_i$
$\delta_i=(13((i mod 3)+1) mod 11)$ for $i\in{1, ... ,16}$
$p_i=chr(o_i-13-i)$

Analysis

AppleScript compiled/run-only binaries commonly use the FasdUAS container

The interesting part in this challenge is that 1.scpt contains another compiled script inside it.

Extract the embedded inner compiled script Search for the second header by looking for scptFasdUAS

This file contains scptFasdUAS 1.101.10 The scpt prefix is 4 bytes, and the FasdUAS header begins immediately after it.

In this challenge the embedded header begins at offset 190, so carving from there yields a valid compiled script

1
dd if=1.scpt of=inner2.scpt bs=1 skip=190 status=none
2
file inner2.scpt

Dissassemble the AppleScript VM bytecode

1
Function name : b'Iidabashi'
2
Function arguments:  [b'candidate']

This is the main predicate, it returns true/false and drives the Correct / Try Again High-level structure of Iidabashi (the checker) Reading Iidabashi top-to-bottom, you can reconstruct a clean high-level validator.

Normalize the input

The candidate is converted to an NSString and trimmed

Jimbocho(t) is essentially NSString.stringWithString_(t).
trimNSString(ns) uses NSCharacterSet.whitespaceAndNewlineCharacterSet and stringByTrimmingCharactersInset_

So we can treat the input as a normal trimmed string.

The script then checks

T via four independent mechanisms:

Shimbashi(T, …) must exactly equal an embedded 16-element integer list.
Ginza(T) must equal 0x5f.
Kanda(T, …) must produce a record matching an embedded expected record.
Sugamo(T, …) must produce another record matching another embedded expected record.

The crucial observation is that (1) is directly invertible, so the payload can be recovered without brute force. Shimbashi: recover the payload by inversion Shimbashi is where the challenge leaks the payload in an invertible way.

Constants inside Shimbashi

Iidabashi defines two constants (seen as globals in the disassembly) idaho = 0x1abb kansas = 0x1ac8 Inside Shimbashi, a value is computed:

COLORADO=(kansas-idaho) mod 256

Numerically:

COLORADO=(0x1ac8-0x1abb) mod256 = 0x0d =13 So COLORADO = 13.

The embedded target output list Iidabashi also embeds the 16 outputs that Shimbashi must produce. As hex

1
O = [0x72, 0x83, 0x7F, 0x7D, 0x78, 0x82, 0x74, 0x85,
2
    0x78, 0x81, 0x87, 0x75, 0x86, 0x81, 0x4B, 0x44]

Let $O=(o_1, ... , o_{16})$ be these values.

The per-index delta item

$\delta_i=(13((i mod 3)+1) mod 11)$

Encoding equation

$ord(t_i)=o_i-13-\delta_i)$

$t_i=chr(o_i-13-\delta_i)$

For i=1

$o_1= 0x72 = 114$

$\delta_1 = 4$

$ord(t_1) = 114-13-4 = 97$

Applying this to all 16 positions yields $\rightarrow$ applescriptfun<3

Ginza checksum mod 256

$Ginza(T)=(\sum\limits_{c \in T} ord(c)) mod 256$

The expected result in bytecode is 0x5f.

Kanda and Sugamo are more complex stateful transforms that output a record (dictionary-like object) with emoji-codepoint keys such as U1F41D, U1F99C, etc.

The checker compares these fields against records embedded in the bytecode.

Both functions use Quotient and Remainder on values that can become negative.

Python’s // and % use floor division; many runtimes (including typical VM implementations) use truncation toward zero.

To match the bytecode behavior, implement

$q=trunc(a/b), r=a-bq$

From the bytecode literals, the expected record for Kanda(T, …) is

1
U1F41D = 0x07C3
2
U1F99C = 64104
3
U1F11D = 0x1523
4
U1F41C = 56473
5
len    = 0x10
6
U1F41B = 0x4D16

Likewise Sugamo(T, …) is

1
U1F41D = 62601
2
U1F99C = 65475
3
U1F11D = 65339
4
len    = 6

Exploit

Reimplementing these transform is not required to recover T (cuz Shimbashi already gives it)

1
EXPECTED_SHIMBASHI = [
2
    0x72, 0x83, 0x7F, 0x7D, 0x78, 0x82, 0x74, 0x85,
3
    0x78, 0x81, 0x87, 0x75, 0x86, 0x81, 0x4B, 0x44,
4
]
5

6
COLORADO = 0x0D
7
EXPECTED_GINZA = 0x5F
8

9
NEW_JERSEY = [0x37, 0xA9, 0x5D]
10
U1F9E7 = 0x9D
11
WESTCHESTER = 0x1ABB
12

13
EXPECTED_KANDA = {
14
    "U1F41D": 0x07C3,
15
    "U1F99C": 64104,
16
    "U1F11D": 0x1523,
17
    "U1F41C": 56473,
18
    "len": 0x10,
19
    "U1F41B": 0x4D16,
20
}
21

22
EXPECTED_SUGAMO = {
23
    "U1F41D": 62601,
24
    "U1F99C": 65475,
25
    "U1F11D": 65339,
26
    "len": 6,
27
}
28

29

30
def quot(a: int, b: int) -> int:
31
    return int(a / b)
32

33

34
def rem(a: int, b: int) -> int:
35
    return a - b * quot(a, b)
36

37

38
def norm16(x: int) -> int:
39
    return rem(rem(x, 65536) + 65536, 65536)
40

41

42
def invert_shimbashi(outputs: list[int]) -> str:
43
    chars: list[str] = []
44
    for i, out in enumerate(outputs, start=1):
45
        v11 = rem(13 * (rem(i, 3) + 1), 11)
46
        c = out - COLORADO - v11
47
        if not (0 <= c <= 0x10FFFF):
48
            raise ValueError("decoded codepoint out of range")
49
        chars.append(chr(c))
50
    return "".join(chars)
51

52

53
def kanda(ns_payload: str) -> dict[str, int]:
54
    t = ns_payload
55
    n = len(t)
56
    v0, v1, v2 = NEW_JERSEY
57

58
    rec_41d = 0
59
    rec_99c = 0
60
    rec_11d = WESTCHESTER
61
    rec_41c = 0
62
    rec_41b = WESTCHESTER
63

64
    for i in range(1, n + 1):
65
        code = ord(t[i - 1])
66
        var11 = code - 0x80
67
        var12 = rem(i * U1F9E7 + v0, 0x101)
68
        var13 = var11 * var12 + v1
69

70
        var14 = v2 - i
71
        if var14 == 0:
72
            var14 = -1
73
        var15 = quot(var13, var14)
74

75
        var16 = var12 or 1
76
        var17 = rem(var13, var16)
77

78
        rec_99c = rem(rec_99c + var15 + var17, 65536)
79
        rec_41d = rec_41d + var13
80
        rec_11d = rem(rec_11d + var15 + var17, 65536)
81
        rec_41c = rec_41c + v0 - v2
82

83
        v0 = v0 + var17
84
        v1 = v1 - var15
85
        v2 = -v2 + rem(code, 5)
86

87
        var18 = rem(var15 + var17 + U1F9E7, 65536)
88
        rec_41b = rem(rec_41b + var18 * (i + 3), 65536)
89

90
    return {
91
        "U1F41D": norm16(rec_41d),
92
        "U1F99C": norm16(rec_99c),
93
        "U1F11D": norm16(rec_11d),
94
        "U1F41C": norm16(rec_41c),
95
        "len": norm16(n),
96
        "U1F41B": norm16(rec_41b),
97
    }
98

99

100
def sugamo(ns_payload: str) -> dict[str, int]:
101
    t = ns_payload
102
    n = min(len(t), 6)
103
    v0, v1, v2 = NEW_JERSEY
104
    rec_41d = 0
105
    rec_99c = 0
106
    rec_11d = 0
107

108
    for i in range(1, n + 1):
109
        code = ord(t[i - 1])
110
        var9 = (code - 0x80) * v0 + v1
111
        var10 = v2 - i
112
        if var10 == 0:
113
            var10 = -1
114
        var11 = quot(var9, var10)
115

116
        var12 = v0 - rem(code, 9)
117
        if var12 == 0:
118
            var12 = 1
119
        var13 = rem(var9, var12)
120

121
        rec_99c = rem(rec_99c + var11 + var13, 65536)
122
        rec_41d = rem(rec_41d + var9, 65536)
123
        rec_11d = rem(rec_11d + var11 * var13, 65536)
124

125
        v0 = v0 + var13
126
        v1 = v1 - var11
127
        v2 = -v2 + rem(code, 7)
128

129
    return {
130
        "U1F41D": norm16(rec_41d),
131
        "U1F99C": norm16(rec_99c),
132
        "U1F11D": norm16(rec_11d),
133
        "len": n,
134
    }
135

136

137
def main() -> None:
138
    inner = invert_shimbashi(EXPECTED_SHIMBASHI)
139
    if rem(sum(ord(c) for c in inner), 256) != EXPECTED_GINZA:
140
        raise SystemExit("ginza check failed")
141
    if kanda(inner) != EXPECTED_KANDA:
142
        raise SystemExit("kanda check failed")
143
    if sugamo(inner) != EXPECTED_SUGAMO:
144
        raise SystemExit("sugamo check failed")
145
    print(f"SECCON{{{inner}}}")
146

147

148
if __name__ == "__main__":
149
    main()

[SECCON CTF 14] aeppel writeup