TL;DR

The cilent bundle embeds 25 “boolean constraint puzzles” as a base64 + gzip JSON blob Each day asks for a 32bit unsigned integer satisfying several bitwise expression

Analysis

Main logic is dist/_next/static/chunks/app/page-fdcc665989738875.js

Inside the bundle there is a long string starting with H4sIA It is base64 encoded, gzip compressed, JSON after decompression

Analysis After decoding it

1
{ "day": 1, "eqExprs": [...], "maskExprs": [...] }

The page turns each string expression into a runtime predicate with new Function ("x", "return ("" + expr + ");")

Each predicate is a boolean check over a 32 bit value (x >>> 0 style) Every expression ends with === 1

Once all 25 solutions are correct, the app derives a key material and decrypts

pepper = "boolean-advent-2025-pepper"
solutions_bytes = concat_be32(solution[day]) for day=1..25 (100 bytes)
seed = SHA256(pepper || solutions_bytes || pepper)
ciphertext = base64decode("uJVY4mJFB6T9yppuCdGFmTW1O5GZ06yw4OTVml4VNOw=")
keystream = SHA256(seed || counter_be32) for counter = 0,1,2,... concatenated until long enough
plaintext = ciphertext XOR keystream

Exploit

Extracts and decompresses the embedded JSON blob
Parses the JS expressions into Z3 BitVec constraints
Solves each day (and checks uniqueness)
Re-implements the SHA-256 keystream XOR to print the final flag

1
#!/usr/bin/env python3
2
import base64
3
import gzip
4
import json
5
import re
6
from dataclasses import dataclass
7

8
from z3 import BitVec, BitVecVal, LShR, Solver, sat
9

10

11
JS_BUNDLE = "dist/_next/static/chunks/app/page-fdcc665989738875.js"
12

13

14
def extract_puzzles(bundle_path: str) -> list[dict]:
15
    with open(bundle_path, "r", encoding="utf-8", errors="ignore") as f:
16
        s = f.read()
17
    m = re.search(r'"(H4sIA[^"]+)"', s)
18
    if not m:
19
        raise RuntimeError("Could not find embedded base64 gzip puzzle blob")
20
    blob_b64 = m.group(1)
21
    raw = gzip.decompress(base64.b64decode(blob_b64))
22
    return json.loads(raw.decode("utf-8"))
23

24

25
@dataclass
26
class Token:
27
    kind: str
28
    value: str
29

30

31
def tokenize(expr: str) -> list[Token]:
32
    tokens: list[Token] = []
33
    i = 0
34
    while i < len(expr):
35
        ch = expr[i]
36
        if ch.isspace():
37
            i += 1
38
            continue
39
        if expr.startswith(">>>", i):
40
            tokens.append(Token("op", ">>>"))
41
            i += 3
42
            continue
43
        if expr.startswith("===", i):
44
            tokens.append(Token("op", "==="))
45
            i += 3
46
            continue
47
        if expr.startswith("<<", i):
48
            tokens.append(Token("op", "<<"))
49
            i += 2
50
            continue
51
        if expr.startswith(">>", i):
52
            tokens.append(Token("op", ">>"))
53
            i += 2
54
            continue
55
        if ch in "()~+-*^&|":
56
            tokens.append(Token("op", ch))
57
            i += 1
58
            continue
59
        if ch.isdigit():
60
            j = i + 1
61
            while j < len(expr) and expr[j].isdigit():
62
                j += 1
63
            tokens.append(Token("num", expr[i:j]))
64
            i = j
65
            continue
66
        if ch == "x":
67
            tokens.append(Token("id", "x"))
68
            i += 1
69
            continue
70
        raise RuntimeError(f"Unexpected character at {i}: {expr[i:i+20]!r}")
71
    return tokens
72

73

74
class Parser:
75
    def __init__(self, tokens: list[Token], x):
76
        self.tokens = tokens
77
        self.i = 0
78
        self.x = x
79

80
    def _peek(self) -> Token | None:
81
        return self.tokens[self.i] if self.i < len(self.tokens) else None
82

83
    def _eat(self, expected: str | None = None) -> Token:
84
        tok = self._peek()
85
        if tok is None:
86
            raise RuntimeError("Unexpected end of input")
87
        if expected is not None and tok.value != expected:
88
            raise RuntimeError(f"Expected {expected}, got {tok.value}")
89
        self.i += 1
90
        return tok
91

92
    def parse(self):
93
        out = self._parse_equality()
94
        if self._peek() is not None:
95
            raise RuntimeError(f"Trailing tokens at {self._peek()}")
96
        return out
97

98
    def _parse_equality(self):
99
        lhs = self._parse_or()
100
        op = self._peek()
101
        if op is None or op.value != "===":
102
            raise RuntimeError("Expected === at top-level (all constraints should end with '=== 1')")
103
        self._eat("===")
104
        rhs = self._parse_or()
105
        return lhs == rhs
106

107
    def _parse_or(self):
108
        node = self._parse_xor()
109
        while (tok := self._peek()) is not None and tok.value == "|":
110
            self._eat("|")
111
            node = node | self._parse_xor()
112
        return node
113

114
    def _parse_xor(self):
115
        node = self._parse_and()
116
        while (tok := self._peek()) is not None and tok.value == "^":
117
            self._eat("^")
118
            node = node ^ self._parse_and()
119
        return node
120

121
    def _parse_and(self):
122
        node = self._parse_shift()
123
        while (tok := self._peek()) is not None and tok.value == "&":
124
            self._eat("&")
125
            node = node & self._parse_shift()
126
        return node
127

128
    def _parse_shift(self):
129
        node = self._parse_add()
130
        while (tok := self._peek()) is not None and tok.value in ("<<", ">>", ">>>"):
131
            op = tok.value
132
            self._eat(op)
133
            rhs = self._parse_add()
134
            if op == "<<":
135
                node = node << rhs
136
            elif op == ">>":
137
                node = node >> rhs
138
            else:
139
                node = LShR(node, rhs)
140
        return node
141

142
    def _parse_add(self):
143
        node = self._parse_mul()
144
        while (tok := self._peek()) is not None and tok.value in ("+", "-"):
145
            op = tok.value
146
            self._eat(op)
147
            rhs = self._parse_mul()
148
            node = node + rhs if op == "+" else node - rhs
149
        return node
150

151
    def _parse_mul(self):
152
        node = self._parse_unary()
153
        while (tok := self._peek()) is not None and tok.value == "*":
154
            self._eat("*")
155
            node = node * self._parse_unary()
156
        return node
157

158
    def _parse_unary(self):
159
        tok = self._peek()
160
        if tok is not None and tok.value in ("~", "-"):
161
            op = tok.value
162
            self._eat(op)
163
            node = self._parse_unary()
164
            return ~node if op == "~" else -node
165
        return self._parse_primary()
166

167
    def _parse_primary(self):
168
        tok = self._peek()
169
        if tok is None:
170
            raise RuntimeError("Unexpected end of input in primary")
171
        if tok.kind == "num":
172
            self._eat()
173
            return BitVecVal(int(tok.value) & 0xFFFFFFFF, 32)
174
        if tok.kind == "id" and tok.value == "x":
175
            self._eat()
176
            return self.x
177
        if tok.value == "(":
178
            self._eat("(")
179
            node = self._parse_or()
180
            self._eat(")")
181
            return node
182
        raise RuntimeError(f"Unexpected token in primary: {tok}")
183

184

185
def parse_js_constraint(expr: str, x):
186
    tokens = tokenize(expr)
187
    return Parser(tokens, x).parse()
188

189

190
def solve_day(day: dict) -> int:
191
    x = BitVec("x", 32)
192
    s = Solver()
193
    for ex in day["eqExprs"] + day["maskExprs"]:
194
        s.add(parse_js_constraint(ex, x))
195
    if s.check() != sat:
196
        raise RuntimeError(f"Unsat for day {day['day']}")
197
    m = s.model()
198
    val = m[x].as_long() & 0xFFFFFFFF
199
    # Uniqueness check
200
    s2 = Solver()
201
    for ex in day["eqExprs"] + day["maskExprs"]:
202
        s2.add(parse_js_constraint(ex, x))
203
    s2.add(x != BitVecVal(val, 32))
204
    if s2.check() == sat:
205
        raise RuntimeError(f"Multiple solutions for day {day['day']} (one is {val})")
206
    return val
207

208

209
def sha256(data: bytes) -> bytes:
210
    import hashlib
211

212
    return hashlib.sha256(data).digest()
213

214

215
def derive_final_flag(solutions_by_day: dict[int, int]) -> str:
216
    on = "boolean-advent-2025-pepper".encode("utf-8")
217
    # 4 bytes per day, big-endian, in day order 1..25
218
    sol_bytes = bytearray()
219
    for day in range(1, 26):
220
        v = solutions_by_day[day] & 0xFFFFFFFF
221
        sol_bytes += bytes([(v >> 24) & 0xFF, (v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF])
222
    seed = sha256(on + sol_bytes + on)
223

224
    ciphertext = base64.b64decode("uJVY4mJFB6T9yppuCdGFmTW1O5GZ06yw4OTVml4VNOw=")
225

226
    # Expand with SHA-256(seed || counter_be32) blocks
227
    keystream = bytearray()
228
    counter = 0
229
    while len(keystream) < len(ciphertext):
230
        ctr = counter.to_bytes(4, "big", signed=False)
231
        keystream += sha256(seed + ctr)
232
        counter += 1
233
    keystream = keystream[: len(ciphertext)]
234

235
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream))
236
    return plaintext.decode("utf-8", errors="strict")
237

238

239
def main():
240
    puzzles = extract_puzzles(JS_BUNDLE)
241
    solutions: dict[int, int] = {}
242
    for day in puzzles:
243
        d = int(day["day"])
244
        solutions[d] = solve_day(day)
245

246
    flag = derive_final_flag(solutions)
247
    print(flag)
248

249

250
if __name__ == "__main__":
251
    main()

[SECCON CTF 14] Mini Bloat writeup

TL;DR

Analysis

Exploit