# N1CTF2018 APFS&Lipstick题解

## APFS题目描述

Apple released the brand new APFS on WWDC 2017 with a bunch of new features. With curiousity, Ben tried it out at once. Also, he left some surprise for you :)

## 提示

1. This challenge is not related to the version of your MacOS
2. look CAREFULLY at the challenge description apfs_snapshot
3. HFS+: 1 sec APFS: 10^-9 sec
4. A ^ B = F
5. L1: 16bytes-aligned L2: hint “apfs_snapshot” L3: hint “HFS+: 1 sec APFS: 10^-9 sec” L4: mtime LSB, A ^ B = zip

## 附件信息

• 文件名：497e2194-d11f-4dfd-9246-b9746f289bc7.dmg
• 文件哈希：5fcfa02736ea8bf82c01f37a0309369a(MD5)
• 文件大小：8,543,242 Byte

## 题解

`cd Volumessudo mkdir N1CTF_APFS_snapshotsudo mount_apfs -s ctf ./N1CTF_APFS ./N1CTF_APFS_snapshot`

1. APFS 比 HFS+ 读写快，但是不可能快9个数量级啊，划掉
2. APFS 比 HFS+ 索引快，但是依然不可能快9个数量级啊，而且 APFS 里实际的数据只存一份，有点像Linux的硬链接，不对不对，划掉划掉
3. 肯定与什么东西是1秒(s)和1纳秒(ns)的差距，找找就行，Bingo

`cd /Volumes/N1CTF_APFS/ctfgstat -c "%n %y" * > ~/qian.txtcd /Volumes/N1CTF_APFS_snapshot/ctfgstat -c "%n %y" * > ~/hou.txt`

`#!/usr/bin/env python# coding: utf-8def oct2bin(number): return str(bin(number)).replace("0b", "").zfill(3)def main(): qian = "2 4 0 4 5 4 0 3 0 1 0 0 5 0 0 0 0 0 2 0 4 0 0 0 0 0 0 6 7 5 6 3 3 1 4 4 6 1 7 2 4 3 3 4 6 6 1 6 1 4 2 0 0 0 0 0 0 0 0 2 2 4 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 3 1 4 6 6 1 4 1 3 1 6 2 7 1 6 4 3 6 0 7 2 3 7 4 6 6 4 5 6 2 3 2 3 3 2 1 2 6 6 5 3 6 6 5 6 2 2 6 3 0 7 4 4 3 0 4 7 5 6 2 6 1 6 5 6 7 4 7 2 7 1 4 5 6 3 5 3 1 5 7 5 3 5 6 6 7 2 2 5 1 5 5 1 4 5 0 6 3 2 1 4 3 1 3 1 2 1 5 3 7 5 6 2 4 5 1 5 5 0 6 4 5 3 7 4 3 2 4 4 5 1 3 0 5 4 4 6 5 7 3 3 0 6 2 5 6 3 3 0 0 0 6 2 4 0 4 5 4 0 1 0 0 4 3 7 4 0 0 0 2 4 0 0 0 0 1 0 2 0 0 0 0 0 0 3 3 6 7 1 5 4 6 2 3 0 7 5 2 1 5 6 3 3 0 7 0 6 1 0 0 0 0 0 0 0 0 1 1 2 0 0 0 0 0 0 0 0 0 4 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6 3 1 5 4 3 0 2 6 3 4 5 6 3 5 0 7 4 1 6 4 0 2 4 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 4 0 0 0 1 2 3 7 4 7 6 4 1 4 6 1 2 2 6 5 6 4 6 0 0 4 6 2 3 7 3 5 4 1 7 2 0 4 5 3 2 3 2 3 0 0 2 6 7 3 3 6 2 0 2 5 0 3 0 3 5 4 7 5 1 4 0 1 2 4 0 4 5 4 0 5 0 1 4 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 4 0 0 2 6 4 0 0 0 0 0 0 0 0 5 3 4 0 0 0 0 0 0 0 0 0 0 0 0" qian = qian.split(" ") hou = "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 5 5 3 0 1 0 0 4 0 0 0 0 7 3 6 5 5 3 5 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3 3 5 1 1 0 5 6 0 6 7 2 4 6 0 6 7 1 0 3 2 2 5 2 5 6 2 6 1 2 2 5 1 0 2 3 0 7 2 6 0 3 5 7 0 6 1 3 1 2 3 5 7 3 2 7 3 2 0 2 2 3 4 5 6 6 1 7 4 2 4 5 1 2 5 3 2 0 5 6 5 1 1 2 4 7 4 0 2 1 1 1 6 2 1 6 5 6 7 4 7 3 2 6 7 6 7 3 0 4 5 6 3 7 4 1 6 3 1 2 5 6 4 0 1 1 7 4 4 7 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 6 5 4 0 4 0 2 0 0 0 0 3 5 7 2 6 5 6 4 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 7 4 3 1 5 0 3 5 7 3 5 3 4 0 6 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" hou = hou.split(" ") r = "" for i in range(0, len(qian)):  a = int(qian[i])  b = int(hou[i])  f = a ^ b  r += oct2bin(f) print rif __name__ == '__main__': main()`

`#/usr/bin/env python#coding: utf-8def bin2hex(string): return chr(int(string, 2))def main(): data = "010100000100101100000011000001000000101000000000000000010000100000000000000000000011010110110010011001000100110001111101111101110001101011001010001100010000000000000000000000000010010100000000000000000000000000001000000000000000000000000000011001100110110001100001011001110010111001110100011110000111010000100001111111100000000010101101001111100001100001111101000100100000100111100100101001101110001010000110100101001000000001101000001111010110001110011111000001000111100010111111111001110010011001100011010101111001100101111101101001010100010110000010011110110001011101100111011010111000011000110001000010000101010100100011111101101110110110011000111011100010001101000110101111010100100100111010010100000100101100000001000000100011111100000000000010100000000000000001000010000000000000000000001101011011001001100100010011000111110111110111000110101100101000110001000000000000000000000000001001010000000000000000000000000000100000000000001001000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000110011001101100011000010110011100101110011101000111100001110100000010100000000000100000000000000000000000000000000000000000000000000001000000000001100000000000001101111100101010110111100011101100001110110011110100110000000100110010011111011101100001111010000100101011010011010011000000010110111011011110010000010101000011000011101100111101001100000001010100000100101100000101000001100000000000000000000000000000000000000001000000000000000100000000010110100000000000000000000000000101011100000000000000000000000000000000000000" tmp = "" r = "" for i in data:  if len(tmp) == 8:   r += bin2hex(tmp)   tmp = ""  tmp += i f = open("result", "w") f.write(r) f.close()if __name__ == '__main__': main()`

Lipstick

lipstick为口红的意思，这次题目是一张图片

Save Bin保存为一个zip包

`BC0B28D04179D47A6FC2696FEB8262CF1A77C0083EBC0B28BC0B28D132746A1319BC0B28BC0B28D4121DD75B59DD8885CE0A4AD4121D7E453AD75B59DD8885`

https://www.yslbeautyus.com/on/demandware.store/Sites-ysl-us-Site/en_US/Product-Variation?pid=194YSL

`# -*- coding:utf8 -*-__author__='pcat@chamd5.org'import requestsimport reimport libnumdef foo(): url=r'https://www.yslbeautyus.com/on/demandware.store/Sites-ysl-us-Site/en_US/Product-Variation?pid=194YSL' cont=requests.get(url).content # print cont pattern=r'YSL_color=(.*?)%20[\s\S]*?background-color: #(.*?)"' rst=re.findall(pattern,cont) dYSL={} for num,color in rst:  dYSL[color]=int(num.lstrip('0')) lst=['BC0B28','D04179','D47A6F','C2696F','EB8262', 'CF1A77','C0083E','BC0B28','BC0B28','D13274', '6A1319','BC0B28','BC0B28','D4121D','D75B59', 'DD8885','CE0A4A','D4121D','7E453A','D75B59', 'DD8885'] flag=''.join('{:b}'.format(dYSL[i]) for i in lst) print libnum.b2s(flag) passif __name__ == '__main__': foo() print 'ok'`

ps，两个题目附件的下载链接：

https://pan.baidu.com/s/12J01OX2o81Tsq8Y9fMJX7w

95 篇文章36 人订阅

0 条评论

## 相关文章

1.1K5

### SAP最佳业务实践:MM–组件收费的委外加工(251)-6开销售发票

4.7 创建出具发票凭证 创建出具发票凭证给委外加工商。 完成了对委外加工商的发货。 SAP ECC菜单Processes -Create Invoices f...

3788

### Windows 10 IoT Serials 5 - 如何为树莓派应用程序添加语音识别与交互功能

都说语音是人机交互的重要手段，虽然个人觉得在大庭广众之下，对着手机发号施令会显得有些尴尬。但是在资源受限的物联网应用场景下（无法外接鼠标键盘显示器），如...

20410

3499

3736

### 【Python 第4课】输入

Hi~Crossin又来了。 可以用编程语言让计算机按你说的指令做事情之后，大家是不是有些跃跃欲试呢？别着急，先回顾一下我们之前几节课。我们到现在一共提到了三种...

3167

2142

1.2K5

3096

1092