# HKCERT CTF 2023: baDES

## Part 1: Understanding the encryption method

From the "Guide to handwavy challenges" [here](https://hackmd.io/@blackb6a/hkcert-ctf-2023-ii-en-4e6150a89a1ff32c#%E4%B8%8B%E6%89%8B%E3%81%A7%E3%81%99%E3%81%AD--BADES-Crypto), we found a few properties:

1. The message is padded to a multiple of 8 bytes and is chopped into blocks of 8 bytes.
2. `Encrypt(Encrypt(x)) = x`.

This means we just have to use a similar method to encrypt our input. The way to decrypt our input is also described in the guide.

## Part 2: Retrieving the first block ($m_1$)

$m_1$ can be retrieved as stated in the guide:

$$\texttt{348201303ca1dd0f} \oplus \texttt{cec9b43b33d17775} = \texttt{fa4bb50b0f70aa7a}$$

$$\texttt{Encrypt(fa4bb50b0f70aa7a)} = \texttt{348201303ca1dd0f5ce962554ed5ef3c17354837c14f7579}$$

$$\texttt{348201303ca1dd0f} \oplus \texttt{5ce962554ed5ef3c} = \texttt{686b636572743233}$$

Note that we only extracted the second last block of the encryption result (in Python, with the result as a hex string `s`, that is `s[len(s)-32:len(s)-16]`). In this and all later queries, we only extract the second last block of the encryption result.

Converting $m_1 = \texttt{686b636572743233}$ from hexadecimal to ASCII gives $\texttt{hkcert23}$, which should be the first part of the flag.

## Part 3: Retrieving succeeding blocks

Now we have to generalise the method for $m_1$ to find all $m_k$. Before that, we still need to relate the ciphertext blocks $c$ to the message blocks $m$:

::: info
Note that
$$\texttt{Encrypt(} m_1 || m_2 || \dots || m_{k-1} || (c_{k-1} \oplus c_k) \texttt{)} = c_0 || c_1 || \dots || c_{k-1} || (c_{k-1} \oplus m_k) || \texttt{[another block]}$$
:::

With that, $m_{i+1}$ can be easily retrieved after retrieving $m_i$. The diagram below shows the relation between retrieving $m_i$ and $m_{i+1}$:

![image](https://hackmd.io/_uploads/HJBhb9RmT.png)

For example, to find $m_2$:

1. Compute $c_1 \oplus c_2$:

   $$\texttt{cec9b43b33d17775} \oplus \texttt{d68fa7eb588a1060} = \texttt{184613d06b5b6715}$$

2. Encrypt $m_1 || (c_1 \oplus c_2)$:

   $$\texttt{Encrypt(686b636572743233184613d06b5b6715)} = \texttt{348201303ca1dd0fcec9b43b33d17775b58df1686cb2431b0320cab5ad916c7d}$$

   We take $(c_1 \oplus m_2)$, which is the second last block. In this case, the result we need is $\texttt{b58df1686cb2431b}$.

3. Compute $c_1 \oplus (c_1 \oplus m_2)$:

   $$\texttt{cec9b43b33d17775} \oplus \texttt{b58df1686cb2431b} = \texttt{7b4445535f63346e}$$

   We get $m_2 = \texttt{7b4445535f63346e}$.

Using the same method, we can generate the following table:

| $k$ | $c_{k-1} \oplus c_k$ | $c_{k-1} \oplus m_k$ | $m_k$ |
| :-: | :----: | :----: | :----: |
| $1$ | $\texttt{fa4bb50b0f70aa7a}$ | $\texttt{5ce962554ed5ef3c}$ | $\texttt{686b636572743233}$ |
| $2$ | $\texttt{184613d06b5b6715}$ | $\texttt{b58df1686cb2431b}$ | $\texttt{7b4445535f63346e}$ |
| $3$ | $\texttt{907f3f93afc9167e}$ | $\texttt{89b9c2b46bbe6351}$ | $\texttt{5f36655f33347331}$ |
| $4$ | $\texttt{aa9cb1c3e9d0d357}$ | $\texttt{2a89c71cc7346879}$ | $\texttt{6c795f6430776e67}$ |
| $5$ | $\texttt{c73e9530d42f6ecf}$ | $\texttt{9e584d887acce330}$ | $\texttt{72346433645f3679}$ |
| $6$ | $\texttt{524d3d77cd894d74}$ | $\texttt{7431d4bfa4db88b7}$ | $\texttt{5f6368346e673331}$ |
| $7$ | $\texttt{c5d4e24c36385040}$ | $\texttt{1778de903641c1c3}$ | $\texttt{6e675f6c31743731}$ |
| $8$ | $\texttt{ec4444d9c5532dc2}$ | $\texttt{d99417d800639fc1}$ | $\texttt{655f7468316e3973}$ |
| $9$ | $\texttt{b26ed28006ab69e4}$ | $\texttt{2d88206ef3598c77}$ | $\texttt{7d07070707070707}$ |

![pic](https://hackmd.io/_uploads/H1NrIqyNT.jpg)

Now we have

$$m = \texttt{686b6365727432337b4445535f63346e5f36655f333473316c795f6430776e6772346433645f36795f6368346e6733316e675f6c31743731655f7468316e39737d07070707070707}$$

which can be converted to `hkcert23{DES_c4n_6e_34s1ly_d0wngr4d3d_6y_ch4ng31ng_l1t71e_th1n9s}`.
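
The table above can be replayed offline. This added example (not code from the original write-up or from the challenge) rebuilds each $c_k$ from $c_0$ and the first column, recovers each $m_k$ from the second column, and strips the padding. The helper names are hypothetical, and treating the trailing `07` bytes as PKCS#7-style padding is an assumption based on block 9.

```python
# Added example: replays the Part 3 loop from the values recorded in the table.
C0 = bytes.fromhex("348201303ca1dd0f")  # c_0, taken from Part 2

# One row per k = 1..9: (c_{k-1} xor c_k, second last block of the reply)
ROWS = [
    ("fa4bb50b0f70aa7a", "5ce962554ed5ef3c"),
    ("184613d06b5b6715", "b58df1686cb2431b"),
    ("907f3f93afc9167e", "89b9c2b46bbe6351"),
    ("aa9cb1c3e9d0d357", "2a89c71cc7346879"),
    ("c73e9530d42f6ecf", "9e584d887acce330"),
    ("524d3d77cd894d74", "7431d4bfa4db88b7"),
    ("c5d4e24c36385040", "1778de903641c1c3"),
    ("ec4444d9c5532dc2", "d99417d800639fc1"),
    ("b26ed28006ab69e4", "2d88206ef3598c77"),
]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def second_last_block(reply_hex: str) -> str:
    """Second last 8-byte block of a hex-encoded reply (16 hex chars)."""
    return reply_hex[-32:-16]

def recover_blocks(c0: bytes, rows):
    """Return ([c_0..c_n], [m_1..m_n]) from the two table columns."""
    c, m = [c0], []
    for delta_hex, reply_hex in rows:
        prev = c[-1]
        m.append(xor(prev, bytes.fromhex(reply_hex)))  # m_k = c_{k-1} ^ (c_{k-1} ^ m_k)
        c.append(xor(prev, bytes.fromhex(delta_hex)))  # c_k = c_{k-1} ^ (c_{k-1} ^ c_k)
    return c, m

def unpad(data: bytes, block: int = 8) -> bytes:
    """Strip padding, assuming PKCS#7 style (n bytes of value n)."""
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("unexpected padding")
    return data[:-n]

def recover_flag() -> str:
    _, m = recover_blocks(C0, ROWS)
    return unpad(b"".join(m)).decode("ascii")

if __name__ == "__main__":
    print(recover_flag())
```
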