KSHMK/flagy_solve.py

## flagy_solve.py
from pwn import *
#context.log_level = 'debug'

SEED=0
def Set6b33(R0):
    global SEED
    K = R0
    T = R0
    for i in range(K):
        r9 = (((i << 0x17) & 0x7ffffff))
        r9 = (r9 >> 0x17)
        if r9 == 1:
            T += 1
    SEED = T
def Rand():
    global SEED
    SEED = (SEED * 0x1C64E6D & 0x7FFFFFF)+0x3039
    return SEED >> 0x10 & 0xff
Set6b33(0xa443) # BECAUSE FLAG START WITH CR{

"""
int to 9bits byte middle endian
"""
def int2mid(inp):
    X = inp >> 18 & 0x1ff
    Y = inp >> 9 & 0x1ff
    Z = inp >> 0 & 0x1ff

    return [Y, X, Z]


"""
convert 9bits byte to 8bts byte
: encode client's packet
args:
    inp -> list | bytearray
return:
    list

todo: make 3bytes align
"""
def conv928(inp):
    binary = ''
    for p in inp:
        binary += '{:09b}'.format(p)
    result = []
    for i in xrange(0, len(binary), 8):
        tmp = int(binary[i:i+8].ljust(8, '0'), 2)
        result.append(tmp)
    return result


"""
convert 8bits byte to 9bits byte
: decode server's packet
args:
    inp -> list | bytearray
"""
def conv829(inp):
    binary = ''
    for p in inp:
        binary += '{:08b}'.format(p)
    result = []
    for i in xrange(0, len(binary), 9):
        tmp = int(binary[i:i+9].ljust(9, '0'), 2)
        result.append(tmp)
    return result


def rv():
	r= conv829(bytearray(s.recv()))
	print ''.join(p8(t) for t in r)
	return r
def s9(dat):
	dat = conv928(bytearray(dat+'\n'))
	s.send(bytearray(dat))

RANDKEY = []
for i in range(0x21):
	RANDKEY.append(Rand())
s = remote('43.224.34.200',14200)
s.recv()
s.sendline(bytearray(conv928(RANDKEY)))
K= s.recv()
KEY = conv829(bytearray(K))
FLAG = ""
for i in range(len(RANDKEY)):
	FLAG += chr(RANDKEY[i] ^ KEY[i])
print FLAG
s.close()
	from pwn import *
	#context.log_level = 'debug'

	SEED=0
	def Set6b33(R0):
	global SEED
	K = R0
	T = R0
	for i in range(K):
	r9 = (((i << 0x17) & 0x7ffffff))
	r9 = (r9 >> 0x17)
	if r9 == 1:
	T += 1
	SEED = T
	def Rand():
	global SEED
	SEED = (SEED * 0x1C64E6D & 0x7FFFFFF)+0x3039
	return SEED >> 0x10 & 0xff
	Set6b33(0xa443) # BECAUSE FLAG START WITH CR{

	"""
	int to 9bits byte middle endian
	"""
	def int2mid(inp):
	X = inp >> 18 & 0x1ff
	Y = inp >> 9 & 0x1ff
	Z = inp >> 0 & 0x1ff

	return [Y, X, Z]


	"""
	convert 9bits byte to 8bts byte
	: encode client's packet
	args:
	inp -> list \| bytearray
	return:
	list

	todo: make 3bytes align
	"""
	def conv928(inp):
	binary = ''
	for p in inp:
	binary += '{:09b}'.format(p)
	result = []
	for i in xrange(0, len(binary), 8):
	tmp = int(binary[i:i+8].ljust(8, '0'), 2)
	result.append(tmp)
	return result


	"""
	convert 8bits byte to 9bits byte
	: decode server's packet
	args:
	inp -> list \| bytearray
	"""
	def conv829(inp):
	binary = ''
	for p in inp:
	binary += '{:08b}'.format(p)
	result = []
	for i in xrange(0, len(binary), 9):
	tmp = int(binary[i:i+9].ljust(9, '0'), 2)
	result.append(tmp)
	return result


	def rv():
	r= conv829(bytearray(s.recv()))
	print ''.join(p8(t) for t in r)
	return r
	def s9(dat):
	dat = conv928(bytearray(dat+'\n'))
	s.send(bytearray(dat))

	RANDKEY = []
	for i in range(0x21):
	RANDKEY.append(Rand())
	s = remote('43.224.34.200',14200)
	s.recv()
	s.sendline(bytearray(conv928(RANDKEY)))
	K= s.recv()
	KEY = conv829(bytearray(K))
	FLAG = ""
	for i in range(len(RANDKEY)):
	FLAG += chr(RANDKEY[i] ^ KEY[i])
	print FLAG
	s.close()