octo-kumo
diff --git a/‎2025-athack-ctf/index.md
Lines changed: 2 additions & 2 deletions b/‎2025-athack-ctf/index.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎2025-cyber-apocalypse-ctf/ai/index.md b/‎2025-cyber-apocalypse-ctf/ai/index.md
diff --git a/‎2025-cyber-apocalypse-ctf/ai/reverse-prompt.md
Lines changed: 101 additions & 0 deletions b/‎2025-cyber-apocalypse-ctf/ai/reverse-prompt.md
Lines changed: 101 additions & 0 deletions
diff --git a/‎2025-cyber-apocalypse-ctf/index.md
Lines changed: 13 additions & 0 deletions b/‎2025-cyber-apocalypse-ctf/index.md
Lines changed: 13 additions & 0 deletions
diff --git a/‎2025-pearl-ctf/index.md
Lines changed: 13 additions & 0 deletions b/‎2025-pearl-ctf/index.md
Lines changed: 13 additions & 0 deletions
diff --git a/‎2025-pearl-ctf/web/index.md b/‎2025-pearl-ctf/web/index.md
diff --git a/‎2025-pearl-ctf/web/quote/indxe.md renamed to ‎2025-pearl-ctf/web/quote/index.md
Lines changed: 4 additions & 0 deletions b/‎2025-pearl-ctf/web/quote/indxe.md renamed to ‎2025-pearl-ctf/web/quote/index.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎2025-srdnlen-ctf/index.md
Lines changed: 6 additions & 1 deletion b/‎2025-srdnlen-ctf/index.md
Lines changed: 6 additions & 1 deletion
diff --git a/‎2025-umass-ctf/hardware/FCSIGN/datasheet.md
Lines changed: 142 additions & 0 deletions b/‎2025-umass-ctf/hardware/FCSIGN/datasheet.md
Lines changed: 142 additions & 0 deletions
@@ -1,11 +1,11 @@
 ---
 created: 2025-03-01T15:57
-updated: 2025-03-18T02:25
+updated: 2025-04-19T08:05
 title: ATHACK CTF 2025
 rank: 6
+points: 5950
 ---
 
-
 Damn I got basically everything alone.
 
 ::ctf-overview
 
@@ -0,0 +1,101 @@
+---
+created: 2025-03-22T23:54
+updated: 2025-04-19T08:07
+points: 975
+---
+
+My first attempt was to use a evolution like algorithm to find the original text, the model I used was `SentenceTransformer('sentence-transformers/gtr-t5-base')`.
+
+![image.png](https://res.cloudinary.com/kumonochisanaka/image/upload/v1742702140/2025/03/cb531dce84f212dfa080d735717cada3.png)
+
+`0.1707 Text: 'dyneysoof dlo bcema'`
+`0.1671 Text: 'bde mfia '`
+
+Many attempts and modifications were made but the similarity never hit 0.2.
+
+Then after some research I found the word2vec and vec2text.
+
+[vec2text/vec2text: utilities for decoding deep representations (like sentence embeddings) back to text](https://github.com/vec2text/vec2text)
+
+```python
+import vec2text
+import torch
+import numpy as np
+from sklearn.metrics.pairwise import cosine_similarity
+
+corrector = vec2text.load_pretrained_corrector("gtr-base")
+ground_truth = np.load('gtr_embeddings.npy')
+vec2text.invert_embeddings(
+  embeddings=torch.from_numpy(ground_truth).cuda(),
+  corrector=corrector,
+  num_steps=10,
+)
+# ['            The secret terminalphrase is terminalin']
+```
+
+The result is promising! It is semantically saying `the secret password is ...`.
+
+```python
+from transformers import AutoModel, AutoTokenizer, PreTrainedTokenizer, PreTrainedModel
+def get_gtr_embeddings(text_list,
+                       encoder: PreTrainedModel,
+                       tokenizer: PreTrainedTokenizer) -> torch.Tensor:
+    inputs = tokenizer(text_list,
+                       return_tensors="pt",
+                       max_length=128,
+                       truncation=True,
+                       padding="max_length",)
+    with torch.no_grad():
+        model_output = encoder(input_ids=inputs['input_ids'], attention_mask=inputs['attention_mask'])
+        hidden_state = model_output.last_hidden_state
+        embeddings = vec2text.models.model_utils.mean_pool(hidden_state, inputs['attention_mask'])
+    return embeddings
+
+corrector = vec2text.load_pretrained_corrector("gtr-base")
+encoder = AutoModel.from_pretrained("sentence-transformers/gtr-t5-base").encoder
+tokenizer = AutoTokenizer.from_pretrained("sentence-transformers/gtr-t5-base")
+
+embeddings = get_gtr_embeddings([
+       '            The secret terminalphrase is terminalin'
+], encoder, tokenizer)
+cosine_similarity(embeddings, ground_truth)
+# array([[0.8059379]], dtype=float32)
+```
+
+They are very similar too!
+
+However `terminalin` is not correct.
+
+Let's see how `num_steps` affects the result.
+
+```python
+for i in range(10):
+  print(i, vec2text.invert_embeddings(
+      embeddings=torch.from_numpy(ground_truth).cuda(),
+      corrector=corrector,
+      num_steps=i+1,
+  ))
+```
+
+```
+0 ['           secret terminalphrase is passinit']
+1 ['            The secret terminalphrase is terminalin']
+2 ['           The secret terminalphrase is init']
+3 ['            The secret terminalphrase is terminalin']
+4 ['           The secret terminalphrase is init']
+5 ['            The secret terminalphrase is terminalin']
+6 ['           The secret terminalphrase is init']
+7 ['            The secret terminalphrase is terminalin']
+8 ['           The secret terminalphrase is init']
+9 ['            The secret terminalphrase is terminalin']
+```
+
+Interesting...
+
+I got stuck here but my teammate @RJCyber managed to find it.
+
+The password was `terminalinit` lmao.
+
+```flag
+HTB{AI_S3cr3ts_Unve1l3d}
+```
@@ -0,0 +1,13 @@
+---
+created: 2025-03-22T23:54
+updated: 2025-04-19T08:12
+title: Cyber Apocalypse CTF 2025
+rank: 17
+points: 56025
+team: wwf
+---
+
+Was busy.
+
+::ctf-overview
+::
@@ -0,0 +1,13 @@
+---
+created: 2025-04-19T08:02
+updated: 2025-04-19T08:11
+rank: 10
+points: 4950
+team: wwf
+title: Pearl CTF 2025
+---
+
+Busy~
+
+::ctf-overview
+::
@@ -1,3 +1,7 @@
+---
+created: 2025-03-07T15:57
+updated: 2025-04-19T08:02
+---
 Notice that the algorithm is fetched from database, so how do we change the algorithm to none?
 
 ```python
 
@@ -1,8 +1,13 @@
 ---
 created: 2025-01-19T13:31
-updated: 2025-01-19T13:31
+updated: 2025-04-19T08:13
 title: Srdnlen CTF 2025
+team: wwf
+rank: 67
+points: 496
 ---
 
+Everyone was busy.
+
 ::ctf-overview
 ::
@@ -0,0 +1,142 @@
+---
+created: 2025-04-19T21:19
+updated: 2025-04-19T21:23
+---
+
+## Overview
+
+The **UK47XD** is an 32bit microcontroller designed for secure embedded applications. It features a simple memory layout, UART-based communication, and built-in security features to prevent tampering and unauthorized code execution. It is primarily used in the lighting industry.
+
+## Memory Map
+The memory map layout which programmers can access is organized as follows:
+
+| Address Range     | Description                  |
+|----------------   |------------------------------|
+| `0x0000–0x036F`   | Boot Section                 |
+| `0x0370–0x0EDBFF` | Application Flash (User Area)|
+
+> **Note**: Any access to any other addresses will result in a hard fault, requiring a reboot of the processor.
+
+## UART Communication
+
+UK47XD communicates with external devices via UART at 115200 baud, 8N1.
+
+### UART Registers
+
+| Address   | Name         | Description             |
+|-----------|--------------|-------------------------|
+| `0x0100`  | `UART_DATA`  | Data Register (R/W)     |
+| `0x0101`  | `UART_STAT`  | Status Register (R)     |
+| `0x0102`  | `UART_CTRL`  | Control Register (W)    |
+
+#### UART Status Register Bits
+
+- Bit 0: TX Ready
+- Bit 1: RX Available
+- Bit 7: Error Flag
+
+### Programming Mode
+
+The UK47XD can be programmed over UART. In order to signal to the processor that you would like to interact with it over UART, simply send the bytes `[0x55, 0x0, 0xC1, 0x0]` within 5 seconds of booting the processor. The processor should then respond with an acknowledgement packet.
+
+#### Programming Mode Commands
+
+##### Packet Format
+
+The transport packet format for all transactions is as follows:
+
+```C
+struct Packet {
+    uint8_t HEAD; // 0x33
+    uint16_t LEN; // Length of data that comes after this field, in little endian.
+    PACKET_INTERNAL_DATA DATA; // Data that is stored here
+}
+
+struct PACKET_INTERNAL_DATA {
+    COMMANDS CMD; // Command Index
+    RESPONSES STATUS; // Status, used by the system whenever something goes wrong.
+    uint8_t ARGS[LEN - 2]; // The bytes for the arguments. It will be LEN - 1.
+}
+```
+
+##### Command Indices
+
+```C
+typedef enum {
+    UNKNOWN = 0x0,
+    COMM_INIT = 0x3,
+    SET_CHIP_FREQ = 0x5,
+    ID_AUTHENTICATION = 0x34,
+    READ = 0x69,
+} COMMANDS;
+```
+
+##### Response/Status Indices
+
+```C
+typedef enum {
+    ACK = 0x50,
+    INVALID_COMMAND = 0x80,
+    FLOW_ERROR = 0x81,
+    UNAUTHORIZED = 0x82,
+    INVALID_FREQUENCY = 0x83,
+    INVALID_ID_LEN = 0x84,
+    INVALID_ADDRESS = 0x87,
+    INVALID_ADDRESS_ALIGNMENT = 0x88,
+} RESPONSES;
+```
+
+###### Responses
+
+The status field in a data packet can be set to one of the following values:
+
+- ACK: Used as an acknowledgement.
+- INVALID_COMMAND: Used to report a bad command.
+- FLOW_ERROR: Used to report a command sent out of order.
+- UNAUTHORIZED: Used to signify an authentication failure.
+- INVALID_FREQUENCY: Used to signify an invalid frquency being set.
+- INVALID_ID_LEN: Used to signify a malformed ID.
+- INVALID_ADDRESS: Used to signify a bad/out of bounds address.
+- INVALID_ADDRESS_ALIGNMENT: Used to signify an address that is not 0x400 aligned.
+
+###### Data Packets
+
+As implied by the above, the inline data packets need a `type`, `status`, and `args` section (if applicable) for successful communication.
+
+- The `type` will be of the command being sent or acknowledged.
+- The `status` is one of those in the RESPONSE enum. If you are sending a command, you do not need to fill out this field; the UK47XD will fill this field, however.
+- The `args` section just contains the raw data that you are trying to pass in.
+
+###### Commands.COMM_INIT
+
+Initializes communication with the processor over UART. This must be sent before any other command is sent, otherwise you will receive a packet with a `FLOW_ERROR`. Upon success, you will receive an acknowledgement back from the system.
+
+Example packet structure: ```[0x33, 0x2, 0x0, 0x3, 0x0]```
+
+###### Commands.SET_CHIP_FREQ
+
+Sets the processor speed in megahertz. This must be sent after the `COMM_INIT` command. Upon success, you will receive an acknowledgement back from the system. You must use either 8 or 16 MHz, as these are the only two operating frequencies.
+
+Example packet structure (to set to 8 MHz): ```[0x33, 0x5, 0x0, 0x5, 0x00, 0x12, 0x7A, 0x00]```
+
+###### Commands.ID_AUTHENTICATION
+
+Unlocks the chip for reading. This must be sent after the `COMM_INIT` command, and the `SET_CHIP_FREQ`, in that order. Upon success, you will receive an acknowledgement back from the system. This cannot be bruteforced; if an attempt is made, the chip is wiped for security reasons (see below).
+
+Example packet structure (assuming the password is DEADBEEFDEADBEEF): ```[0x33, 0x11, 0x0, 0x34, 0x44, 0x43, 0x41, 0x44, 0x42, 0x45, 0x45, 0x46, 0x44, 0x43, 0x41, 0x44, 0x42, 0x45, 0x45, 0x46]```
+
+###### Commands.READ
+
+Reads 0x400 bytes from a region. This must be sent after the unlocking the chip (see `ID_AUTHENTICATION`). Upon success, you will receive an acknowledgement back from the system, containing the 0x400 bytes.
+
+Example packet structure (reading from 0x112233): ```[0x33, 0x5, 0x0, 0x69, 0x33, 0x22, 0x11, 0x00]```
+
+## Security Features
+
+The UK47XD includes several mechanisms for runtime and firmware security.
+
+- An ID can be used to secure your processor. This is a 16 byte ID consisting of CAPITAL alphabetical characters 'A' through 'Z'. If a user attempts to bruteforce this password, the chip will be erased, preserving the contents.
+- The JTAG fuses can be blown to prevent tampering, or the OTP register set.
+- SWD is disabled unless you specifically request a development board from UNC Holdings.
+- As stated before, the bootrom and other secure assets cannot be read out, only user area.
+- Sudden voltage changes or glitching attempts will trigger a system reset.