I heard bulldozer is on this channel, be careful! nc crypto.chal.ctf.westerns.tokyo 5643 Download the chal: here. How to solve To decrypt the flag, we need two things: the AES key and the IV when the flag is generated. IV IV is generated by random.getrandbits(). Python random uses Mersenne Twister, and it is able to recover the state of the Python random generator with 624 32-bit integers. See this link for detail....
Download the problem file from http://research.samsung.com/sctf2018 or https://www.dropbox.com/s/n45bss3bgr4sjcg/MQ.py?dl=0 Define Function M: $M(x_0,\ldots,x_{n-1}) = \sum\limits_{i=0}^{n-1} \sum\limits_{j=i}^{n-1} q_{i, j}x_i x_j + \sum\limits_{i=0}^{n-1} u_ix_i + c $. ($q$ is for quad, $u$ is for uni. Notice that $q_{i,j}=q_{j,i}$) The code gives $M(input)$ and $M(input + flag)$. Let’s think about $F(x, y)=M(x + y) - M(x)$. $$F(x, y)=M(x + y) - M(x) = \sum\limits_{i=0}^{n-1} \sum\limits_{j=i}^{n-1} q_{i, j} (x_i y_j + y_i x_j + y_i y_j) + \sum\limits_{i=0}^{n-1} u_i y_i $$...
Download the problem file from http://research.samsung.com/sctf2018 or https://www.dropbox.com/s/xx6tnhzrgpdxvd8/LCG.py?dl=0 It is quite simple PRNG with the equation (t = 0xdeadbeef): $x_i = (k_1 - t) x_{i-1} + k_1 t x_{i-2} + k_2 (mod\ k_3)$ We can define $y_i$ as $y_i = x_i + t x_{i-1}$, then $y_i = k_1 y_{i-1} + k_2 (mod\ k_3)$. So, it’s just same as the normal LCG. I used the method to break LCG described in this link, and the solver is here....
At first, let’s define final_state(), which returns the last state of transduce(B, s) for input B. def transduce(b, s=0): if len(b) == 0: return b d, t = T[s] b0, bp = b[0], b[1:] return [b0 ^ t] + transduce(bp, s=d[b0]) def final_state(b, s=0): if len(b) == 0: return s d, _ = T[s] b0, bp = b[0], b[1:] return transduce_state(bp, s=d[b0]) The problem of breaking the cipher is that there’s swapping action of left 32 bits & right 32 bits in each stage....