# Writeup

## Decrypt Message 2

Open the file with IDA.

![image](https://hackmd.io/_uploads/HkJf5Hq-R.png)

The program generates a random ASCII key whose length is divisible by 5. It then converts the flag and the key into arrays and XORs them together, indexing the key modulo 5.

![image](https://hackmd.io/_uploads/HJdo5H5ZR.png)

After the XOR, we are given the encrypted flag, but with shuffled indices (`v14` is the index array).

![image](https://hackmd.io/_uploads/Hys1sS9WC.png)

We need to find the correct permutation of the encrypted flag. We are given that the first 5 characters of the flag are `BrU7e`.

To solve this challenge, we can brute-force the permutation of the encrypted flag. Once we have the correct one, we can calculate the key by XORing the correctly permuted encrypted flag with the known plaintext `BrU7e`. Once we have the key, everything is easy.

After understanding how to reverse it, I wrote a script in Python:

```python
from itertools import permutations
from pwn import xor

ct = list(bytes.fromhex("446709213550020f3b28696533183206631e030743394d4531"))
known = list(b"BrU7e")


def real_dec(ct, v14, key):
    # Undo the shuffle inside every 5-byte block, then XOR with the key
    ans = b""
    for i in range(0, len(ct), 5):
        for j in range(5):
            ans += bytes([ct[v14[j] + i] ^ key[j]])
    return ans


# Try every possible index array v14
for v14 in permutations(range(5)):
    # Reorder the first ciphertext block according to this guess
    ctt = []
    for i in range(5):
        ctt.append(ct[v14[i]])
    # Known plaintext XOR reordered ciphertext gives the candidate key
    key = xor(ctt, known)
    print(real_dec(ct, v14, key))
```

>flag: BrU7e_fORcE_l5_p0w3rFu1i!

## Decrypt Message 1

Decompile the program with IDA and we get this:

![image](https://hackmd.io/_uploads/BkIV3B9WR.png)

Looking into the `_encryption` function, we have:

![image](https://hackmd.io/_uploads/B1xxpBc-R.png)

Let me explain how the encrypt function works:

- We divide `input` into chunks of 2 elements each
- After the split, each chunk goes to the `encryption` function

![image](https://hackmd.io/_uploads/r1RgTr5b0.png)

- Because each chunk is encrypted separately, we can brute-force each chunk to get the flag

Here is my Python script to find the flag:

```python
import string

from pwn import process
from tqdm import tqdm

enc = "188d1f2f13cd5b601bd6047f4496ff74496ff74496ff7"
alphabet = string.printable
prefix = "Encrypted data in hexadecimal format: "

flag = ""
enc_parts = []
flag_parts = []

# Build a lookup table: encrypt every 2-character chunk with the challenge binary
for c1 in alphabet:
    for c2 in alphabet:
        inp = c1 + c2
        io = process(["./encrypt", inp])
        enc_part = io.recvline().strip().decode()[len(prefix):]
        io.close()
        enc_parts.append(enc_part)
        flag_parts.append(inp)

# Consume the ciphertext from the front, one matching chunk at a time
while enc:
    for enc_part, flag_part in zip(tqdm(enc_parts), flag_parts):
        if enc_part and enc.startswith(enc_part):
            flag += flag_part
            enc = enc[len(enc_part):]
            print(flag)
            break
    else:
        # No chunk matches the remaining ciphertext; stop instead of looping forever
        break
```

>flag: GODGPT!!!!!!
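
The permutation brute force from "Decrypt Message 2", as an added example that is not the author's script: it needs no pwntools, includes a forward model of the scheme as described, and filters the 120 candidates instead of printing them all. The function names and the printable-character filter (`ALLOWED`) are assumptions; the ciphertext and known prefix are the ones given above.

```python
from itertools import permutations
import string

# Ciphertext and known prefix copied from the write-up above.
CT = bytes.fromhex("446709213550020f3b28696533183206631e030743394d4531")
KNOWN = b"BrU7e"
BLOCK = 5
# Assumption: the ASCII key and the flag use printable, non-whitespace characters.
ALLOWED = set((string.ascii_letters + string.digits + string.punctuation).encode())


def encrypt(pt, key, perm):
    """Forward model: XOR byte j of each block with key[j], store it at perm[j]."""
    out = bytearray(len(pt))
    for i in range(0, len(pt), BLOCK):
        for j in range(BLOCK):
            out[i + perm[j]] = pt[i + j] ^ key[j]
    return bytes(out)


def decrypt(ct, key, perm):
    """Inverse: read position perm[j] of each block and XOR it with key[j]."""
    return bytes(ct[i + perm[j]] ^ key[j]
                 for i in range(0, len(ct), BLOCK) for j in range(BLOCK))


def key_for(ct, perm, known=KNOWN):
    """Key implied by a guessed permutation and the known first block."""
    return bytes(ct[perm[j]] ^ known[j] for j in range(BLOCK))


def candidates(ct=CT, known=KNOWN):
    """Try all 5! permutations; keep those whose key and plaintext stay in ALLOWED."""
    hits = []
    for perm in permutations(range(BLOCK)):
        key = key_for(ct, perm, known)
        pt = decrypt(ct, key, perm)
        if set(key) <= ALLOWED and set(pt) <= ALLOWED:
            hits.append((perm, key, pt))
    return hits


if __name__ == "__main__":
    for perm, key, pt in candidates():
        print(perm, key, pt)
```
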