Guys, guys, don’t fight. I’m sure we’ll be able to come up with something roughly equal. source eulernt.pwni.ng:5555 NOTE: We originally uploaded the wrong version. It is still available here if you really want it: wrong version. How to solve We need to get a divisor of $333!$ that is close to $(333!)^{1/2}$. Just factorize with factorDB. There are some $p^k$s of which $k$ is odd. Let’s define a product of those $p$s as $v := \prod p$....

They say 3 rounds is provably secure, right? Download How to solve Permutations can be handled as matrices. For given key $k$ and plaintext $(x, y)$, the result of one-round encryption is: $$(x_1, y_1) = (y, xk^{-1}yk)$$ Let’s do this for three rounds! $$(x_2, y_2) = (xk^{-1}yk, yk^{-1}xk^{-1}yk^2)$$ $$(x_3, y_3) = (y_2, xk^{-1}ykk^{-1}y_2k) = (y_2, xk^{-1}yy_2k)$$ If we define $t = yy_2$, we can say that $$(yx_3, y_3) = (t, xk^{-1}tk)$$...

I heard bulldozer is on this channel, be careful! nc crypto.chal.ctf.westerns.tokyo 5643 Download the chal: here. How to solve To decrypt the flag, we need two things: the AES key and the IV when the flag is generated. IV IV is generated by random.getrandbits(). Python random uses Mersenne Twister, and it is able to recover the state of the Python random generator with 624 32-bit integers. See this link for detail....

Download the problem file from http://research.samsung.com/sctf2018 or https://www.dropbox.com/s/n45bss3bgr4sjcg/MQ.py?dl=0 Define Function M: $M(x_0,\ldots,x_{n-1}) = \sum\limits_{i=0}^{n-1} \sum\limits_{j=i}^{n-1} q_{i, j}x_i x_j + \sum\limits_{i=0}^{n-1} u_ix_i + c $. ($q$ is for quad, $u$ is for uni. Notice that $q_{i,j}=q_{j,i}$) The code gives $M(input)$ and $M(input + flag)$. Let’s think about $F(x, y)=M(x + y) - M(x)$. $$F(x, y)=M(x + y) - M(x) = \sum\limits_{i=0}^{n-1} \sum\limits_{j=i}^{n-1} q_{i, j} (x_i y_j + y_i x_j + y_i y_j) + \sum\limits_{i=0}^{n-1} u_i y_i $$...

Download the problem file from http://research.samsung.com/sctf2018 or https://www.dropbox.com/s/xx6tnhzrgpdxvd8/LCG.py?dl=0 It is quite simple PRNG with the equation (t = 0xdeadbeef): $x_i = (k_1 - t) x_{i-1} + k_1 t x_{i-2} + k_2 (mod\ k_3)$ We can define $y_i$ as $y_i = x_i + t x_{i-1}$, then $y_i = k_1 y_{i-1} + k_2 (mod\ k_3)$. So, it’s just same as the normal LCG. I used the method to break LCG described in this link, and the solver is here....