from Crypto.Util.strxor import strxor from Crypto.Util.number import * from hashlib import md5 import random, os __import__("signal").alarm(100) FLAG = "aliyunctf{REDACTED}"
lrot = lambda X,t: (X<<t|X>>(64-t))&(2**64-1) sbox = lambda X,Sbox: bytes([Sbox[i] for i in X]) pad = lambda X: X+b'\x00'*(block_size-len(X)%block_size) block_size = 16
defround_key(self, round=30): for _ inrange(round): next_rk = md5(self.RK[-1]).digest() self.RK.extend([next_rk[:8], next_rk[8:]])
defencrypt(self, block, round=30): L, R = block[:8], block[8:] for i inrange(1, 2*round+1, 2): T = bytes_to_long(strxor(sbox(L, self.Sbox), self.RK[i])) T = (i*T+lrot(T, 17)+bytes_to_long(self.RK[i+1]))%2**64 L, R = long_to_bytes((T+lrot(T, 20)+bytes_to_long(R))%2**64, 8), L return L+R defcbc_encrypt(self, msg): blocks = [msg[i:i+16] for i inrange(0, len(msg), 16)] result = b'\x00'*16 for block in blocks: result += self.encrypt(strxor(block, result[-16:])) return result[16:]
print("😊 PRFCasino is the Game 4 Super Guesser.") for _ inrange(100): prf = PRF() msg = pad(bytes.fromhex(input("💵 "))) ct = [prf.cbc_encrypt(msg), os.urandom(len(msg))] decision = random.randint(0,1) print("🎩", ct[decision].hex()) assertinput("🎲 ") == str(decision) print(f"🚩 Real Super Guesser! {FLAG}")
defencrypt(self, block, round=30): L, R = block[:8], block[8:] for i inrange(1, 2*round+1, 2): T = bytes_to_long(strxor(sbox(L, self.Sbox), self.RK[i])) T = (i*T+lrot(T, 17)+bytes_to_long(self.RK[i+1]))%2**64 L, R = long_to_bytes((T+lrot(T, 20)+bytes_to_long(R))%2**64, 8), L return L+R
from Crypto.Util.number import * from tqdm import * from pwn import *
#sh = process(["python", "task.py"]) sh = remote("121.41.238.106", 34257) sh.recvuntil(b"PRFCasino is the Game 4 Super Guesser.")
n = 2**64 for _ in trange(100): nums = 100 msg = b"\x00"*nums*16 sh.sendline(msg.hex().encode()) sh.recvuntil(b"\xf0\x9f\x8e\xa9 ") enc = bytes.fromhex(sh.recvline().strip().decode())[:nums*16]
c = [[enc[16*i:16*i+8], enc[16*i+8:16*i+16]] for i inrange(nums)] Ti = [bytes_to_long(c[0][0])] + [(bytes_to_long(c[i][0])-bytes_to_long(c[i-1][0])) % n for i inrange(1, nums)] if(int(sum([i*inverse(17,n)%n for i in Ti]) / nums) > 11000000000000000000): sh.sendline(b"0") else: sh.sendline(b"1") print(sh.recvline()) sh.close()
A = block_matrix(GF(2), [ [A1, A2, A3] ]) C = vector(GF(2), C1.list() + C2.list() + C3.list()) assert v*A + C == vector(GF(2), list(map(int, bin(crc32(msg))[2:].zfill(n) + bin(crc32b(msg))[2:].zfill(n) + bin(crc32c(msg))[2:].zfill(n))))
1 2 3 4
ans = (int("2fe72772", 16) << 64) + (int("81e868d8", 16) << 32) + int("a795a60d", 16) ans = vector(GF(2), list(map(int, bin(ans)[2:].zfill(n*3)))) ans = ans - C ans = ans.list()
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
prefix = list(map(int, bin(bytes_to_long(b"aliyunctf{"))[2:].zfill(80))) for i inrange(80): #prefix: aliyunctf{ temp_v = vector(GF(2), [0]*i + [1] + [0]*(m-i-1)) A = A.augment(temp_v) ans.append(prefix[i])
suffix = list(map(int, bin(bytes_to_long(b"}\x0a"))[2:].zfill(16))) for i inrange(16): #suffix: } temp_v = vector(GF(2), [0]*(25*8+i) + [1] + [0]*(15-i)) A = A.augment(temp_v) ans.append(suffix[i])
for i inrange(15): #MSB temp_v = vector(GF(2), [0]*(10*8) + [0]*(8*i) + [1] + [0]*7 + [0]*(14*8 - 8*i) + [0]*16) A = A.augment(temp_v) ans.append(0)
1 2 3
x = A.solve_left(vector(GF(2), ans)) ker = A.left_kernel().basis() print(len(ker))
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
from itertools import * import string
for i in product([0,1],repeat=len(ker)): temp = 0 for j inrange(len(i)): temp += i[j]*ker[j] final = x + temp flag = "" for i in final: flag += str(i) flag = long_to_bytes(int(flag, 2)).decode()[:-1] if(all([j in (string.ascii_letters+string.digits+"aliyunctf{}") for j in flag])): print(flag)