#!/usr/bin/env python3 """ decrypt_flag.py — Decryptor for the APFS forensics challenge. Usage: python3 decrypt_flag.py encrypted_flag.bin The key is a 64-character hex string (32 bytes). Decryption uses PBKDF2-SHA256 with a HIGH iteration count, so each attempt takes ~90 seconds. Choose your key wisely. """ import hashlib import hmac import struct import sys import time def decrypt_flag(enc_path: str, key_hex: str) -> None: with open(enc_path, "rb") as f: data = f.read() # Parse header: salt(16) + iterations(4) + flag_len(4) = 24 bytes header if len(data) < 24 + 32: # header + at least hmac print("[!] File too small to be a valid encrypted flag.") sys.exit(1) salt = data[0:16] iterations, flag_len = struct.unpack_from(' ") print() print(" key_hex: 64-character hex string (32 bytes)") print() print("Example:") print(" python3 decrypt_flag.py encrypted_flag.bin abcdef0123456789...") sys.exit(1) decrypt_flag(sys.argv[1], sys.argv[2]) if __name__ == "__main__": main()