from Crypto.Util.number import bytes_to_long, getStrongPrime from random import randint FLAG = b'CTF{?????????????????????????????????????????????????}' def key_gen(bits): p, q = getStrongPrime(bits), getStrongPrime(bits) N = p * q return N, (p, q)

This is a detailed (probably unintended) solution for SaqrSign. Absolutely none of this is mine, this all comes from @ks in the discord, who shared his code. I didn't understand some parts of it, so I took it upon myself to attempt to. Original Solution Below is @ks's original solution, written in sage. import os;os.environ["TERM"] = 'linux' from pwn import * from ntt import NTTDomain, NTTPoints import hashlib from tqdm import trange

problem.py import os from functools import reduce from secrets import randbelow flag = os.getenvb(b"FLAG", b"FAKEFLAG{THIS_IS_FAKE}") p1 = 21267647932558653966460912964485513283 a1 = 6701852062049119913950006634400761786 b1 = 19775891958934432784881327048059215186 p2 = 21267647932558653966460912964485513289

Push it to the Limit Chunks Chunk # VM IP/Locally 0 deut vm 1 2

Goal is to find a username in all caps whose password generates to "AFMWAFPE", and there may be multiple. Seems to be a 32-bit x86 Windows Binary, so let's look at it in IDA Pro. main int __cdecl main(int argc, const char **argv, const char **envp) { void *v3; // esp unsigned __int8 a2; // [esp+2Ch] [ebp-41Ch] char Destination[16]; // [esp+30h] [ebp-418h] BYREF

AES Overview AES has 4 steps SubBytes ShiftRows MixColumns AddRoundKey If we got rid of the SubBytes and AddRoundKey steps, then AES would be a completely linear (not affine) process, meaning we can model it as a function $E(x) = A*x$.

prob.sage from Crypto.Util.number import bytes_to_long as b2l from Crypto.Util.number import long_to_bytes as l2b import random Zx.<x> = ZZ[] def convolution(f,g): return (f * g) % (x^n-1) def balancedmod(f,q):

We're basically a simple program that does this: Reads 64 bytes from /dev/urandom into a variable called buf Runs the following encryption loop for ( i = 0; i <= 63; ++i ) *((_BYTE *)buf + i) = *((_BYTE *)buf + i) % 0x5Fu + 32; This basically turns every value in buf into a value from 32 to 126 inclusive. Runs another encoding function sub_13C7 over a chunk of 8 bytes from buf eight times (ie buf[0:8], buf[8:16], etc.

task.sage from Crypto.Util.number import bytes_to_long from secrets import k, FLAG p = 13046889097521646369087469608188552207167764240347195472002158820809408567610092324592843361428437763328630003678802379234688335664907752858268976392979073 a = 10043619664651911066883029686766120169131919507076163314397915307085965058341170072938120477911396027902856306859830431800181085603701181775623189478719241 b = 12964455266041997431902182249246681423017590093048617091076729201020090112909200442573801636087298080179764338147888667898243288442212586190171993932442177 E = EllipticCurve(GF(p),[a,b])