hellman

hellman

#-*- coding:utf-8 -*-

from common import *


def extend(alg, prefhashes):
    if alg == 0:
        prefhash = prefhashes[alg]
        table = {}
        seen = set()

hellman

In this challenge the flag is treated as a polynomial over GF(257), it is blinded by a random known polynomial, and then it is evaluated at 107 first integers. However, each result is corrupted with probability 43/108. The polynomial has degree 25, so we need 26 correct points to interpolate it. Observe that by choosing random 26 points from those given, we have a feasible probability of having an error-less set:

sage: math.log(binomial(108-43, 26) / binomial(108, 26), 2)
-22.716429556377932

That is, we need to try around 7 000 000 random subsets. This can be done in 10 minutes on 8 cores by a simple Sage code.

hellman

#!/usr/bin/env sage
'''
Multivariate Public Key Cryptosystems by Jintai Ding et al., Chapter 2
Explains attack by Jacques Patarin.

The idea is to find a relation of plaintext-ciphertext bytes such that
when ciphertext is fixed, the relation is linear in plaintext.
Patarin showed that a sufficient amount of such relations exists.
'''
from sage.all import *

hellman

#!/usr/bin/env sage
'''
The third LFSR has low period: 378.
If the value in positions 0,378,2*378,... is equal to 0,
then the combine functions become AND of the first two LFSRs.
If the value in positions 0,378,2*378,... is equal to 1,
then the combine functions become OR  of the first two LFSRs.
We can distinguish both cases easily by number of 0s/1s
(should be 25% in the first case and 75% in the second case)

hellman

"""
Slide attack on the TwinPeaks2 cipher from NSUCRYPTO.

Disclaimer: this is not an optimal solution, just a proof-of-concept!

An actual solution is to note that Reverse(Encrypt(Reverse(x)) = Decrypt(x), where Reverse(a,b,c,d) = (d,c,b,a).
"""

from random import shuffle, randint

hellman

#-*- coding:utf-8 -*-

from sock import Sock
from libnum import invmod, n2s, s2n, gcd

f = Sock("18.179.251.168 21700")
f.read_until("flag!")
f.read_line()
ENC = int(f.read_line().strip(), 16)
print "ENC = 0x%X" % ENC

hellman

#-*- coding:utf-8 -*-

from sock import Sock
from libnum import invmod, n2s, s2n

f = Sock("13.112.92.9 21701")
f.read_until("flag!")
f.read_line()
ENC = int(f.read_line().strip(), 16)
print "ENC = 0x%X" % ENC

hellman

#-*- coding:utf-8 -*-
'''
Writeup:
http://mslc.ctf.su/wp/midnight-ctf-2018-finals-snurre128/

...
Solution found:
130306609594991829769917756515894243368
midnight{620823e005ad9340e1dd7da6deb13028}

hellman

#-*- coding:utf-8 -*-

"""
In this challenge we need to use blind printf in order to subtract to 32-bit integers.

The two main format operators needed are (arguments given for example)
(a) %5$*7$s - write string passed in the 5th argument padded to the length passed in the 7th argument.
(b) %5$n - write number of previously written bytes to the pointer given in the 5th argument.

1. We use (a) with (b) to copy two secret integers. Then we use (b) to zero-out all-bytes except one.