@Aqcurate
Aqcurate / Problem
Last active March 4, 2018 10:41
Improper encryption (100pts) - Escape
Two brothers, Shivam and Mit, were fighting over the only computer they had in their house. Watching this, their father got angry and locked the computer with a strong password of length 28 consisting of alphabetic characters. To unite them, he gave them a puzzle to solve.
He took two random strings and inserted one half of the password into each string at some random position. He wanted to apply a one-time pad to both strings, so he used a smaller key 'k' of length 14 (containing only English alphabets) and some pseudo-random generator to get a longer key (K) of suitable size. He then XORed each string with the generated key (K) to get the encrypted messages M1 and M2. He gave Shivam M1 and Mit M2 and asked them to find the password.
To help them, he also generated a string of suitable size by repeating k several times and then applied a one-time pad to it with the larger key (K) to get M3.
Shivam and Mit come to you with M1, M2, and M3. Help them find the password.
M1=2d142303073d05392c3d3e273c2a1a211f082b280d2d0e33202538030135
Aqcurate / README.md
Last active August 8, 2022 18:41
Radiation Leak Writeup

Radiation Leak

The problem gives us a bunch of consecutive leaked tokens generated by the function below. The goal is to find the next token in line. We can see the token generation is an LCG, meaning we can easily use the leaked tokens to recover the internal state (seed, state_1, state_2) of the generator.

seed = random.getrandbits(64 * 8)
mask = (1 << 64) - 1
state_1 = random.getrandbits(64)
state_2 = (state_1 + random.getrandbits(64)) & mask

def generate_token():
Aqcurate / README.md
Created August 9, 2022 00:24
archival exploit

Archival

The program (source given) unpacks a custom archive file. If we run strings on the archive file, however, it appears that not all the files get unpacked, specifically a hidden "flag.png" file.

000db100: 3db9 bff7 28f0 e20b bb76 0a00 00e7 1f66  =...(....v.....f
000db110: 6c61 672e 706e 6700 4f6e 58a9 15ea 15fd  lag.png.OnX.....
000db120: 1fe7 12e7 57ae 4da3 1fe7 90e6 1fe7 01e7  ....W.M.........
Aqcurate / README.md
Last active August 9, 2022 00:33
major malfunction writeup

Major Malfunction

We see that there are long notes (4 beats) and short notes (1 beat) throughout the given MIDI file. The long notes represent the intended key, and the short notes encode the flag in base 7 according to their degree in the long note's key.

For example, if the first measure had c as the long note and [d,e,f,c] as the short notes, this would translate to 1230.

If we have a key and a note, then the code below will get the degree of that note.

degrees = [0, 2, 4, 5, 7, 9, 11, 12]
degree = degrees.index((note - key) % 12)