#!/usr/bin/env python#-*- coding:utf-8 -*-from sock import Sockfrom hash

1. #!/usr/bin/env python
2. #-*- coding:utf-8 -*-
3.  
4. from sock import Sock
5. from hashlib import *
6.  
7. f = Sock("206.189.32.108 13579")
8. pref = f.read_line().strip().split()[-1].decode("hex")
9. print "got chal", pref.encode("hex")
10. for ch in xrange(2**30):
11.     h = sha256(pref + str(ch)).hexdigest()
12.     if h.startswith('00000'):
13.         break
14. else:
15.     print "fail"
16.     quit()
17.  
18. f.send_line(str(ch))
19.  
20. # modified https://github.com/eboda/mersenne-twister-recover
21. from MTRecover import MT19937Recover
22. from struct import unpack, pack
23.  
24. outputs = []
25. f.send("1\nasd\n" * 200)
26. for i in xrange(200):
27.     f.read_until("CHOOSE 1")
28.     f.read_until("give me a string: ")
29.     ct = f.read_line().strip().decode("hex")
30.     iv = ct[:16]
31.     outputs.extend(list(unpack(">4I", iv))[::-1])
32.  
33. mtr = MT19937Recover()
34. r2 = mtr.go(outputs)
35. for i in xrange(624):
36.     assert r2.prev() == outputs[623 - i]
37.  
38. # undo PoW
39. for i in xrange(2): print "%08x" % r2.prev()
40. print
41.  
42. # undo key rand
43. for i in xrange(4+4): r2.prev()
44.  
45. def pad(s):
46.     bs = 16
47.     padnum = bs - len(s) % bs
48.     return s + padnum * chr(padnum)
49.  
50. def to_string(num, max_len = 128):
51.     tmp = bin(num).lstrip('0b')[-max_len:].rjust(max_len, '0')
52.     return "".join(chr(int(tmp[i:i+8], 2)) for i in range(0, max_len, 8))
53.  
54. def gen_key(r):
55.     tmp1 = r.random()
56.     tmp2 = r.random()
57.     key = int(tmp1 * 2**128) | int(tmp2 * 2**75) | (0 & 0x3fffff)
58.     key = to_string(key)
59.     return key
60.  
61.  
62. f.send("1\nasd\n")
63. f.read_until("CHOOSE 1")
64. f.read_until("give me a string: ")
65. ct_asd = f.read_line().strip().decode("hex")
66.  
67. f.send("3\n")
68. f.read_until("CHOOSE 1")
69. f.read_until("> ")
70. ct_flag = f.read_line().strip().decode("hex")
71.  
72.  
73. r2 = r2.toPython()
74.  
75. k1 = gen_key(r2)
76. k2 = gen_key(r2)
77.  
78. from Crypto.Cipher import AES
79.  
80. iv = ct_asd[:16]
81. m = pad("asd")
82. c = ct_asd[16:32]
83.  
84.  
85. print "Stage 1"
86. tab = {}
87. for kval in xrange(2**22):
88.     if kval & 0x3ffff == 0: print hex(kval)
89.     t = unpack(">I", k1[-4:])[0]
90.     t |= kval
91.     key = k1[:-4] + pack(">I", t)
92.  
93.     a = AES.new(key, mode=AES.MODE_CBC, IV=iv)
94.     t = a.decrypt(c)
95.  
96.     tab[t] = key
97.  
98. print "Stage 2"
99. for kval in xrange(2**22):
100.     if kval & 0x3ffff == 0: print hex(kval)
101.     t = unpack(">I", k2[-4:])[0]
102.     t |= kval
103.     key = k2[:-4] + pack(">I", t)
104.  
105.     a = AES.new(key, mode=AES.MODE_CBC, IV=iv)
106.     t = a.encrypt(m)
107.     if t in tab:
108.         k1 = tab[t]
109.         k2 = key
110.         print "PWND", k1.encode("hex"), k2.encode("hex")
111.         break
112. else:
113.     print "FAIL"
114.     quit()
115.  
116. iv = ct_flag[:16]
117. c = ct_flag[16:]
118. a = AES.new(k1, mode=AES.MODE_CBC, IV=iv)
119. c = a.decrypt(c)
120. a = AES.new(k2, mode=AES.MODE_CBC, IV=iv)
121. c = a.decrypt(c)
122. print `c`
123. # PWND 1a873c3f0b75e891fb922765b0a98115 d33a05b242e90bbee4fe132377caa57c
124. # 'MeePwnCTF{DO_n0t_trust_anyth1ng}\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10'