balidani/second_stage.py Secret

## second_stage.py
seed = open('seed', 'rb').read()
count_max = 0xf81000 - 0x20

def calc4(buf, arg2):

    res = 0
    for arg3 in range(4):
        res |= calc(buf, arg2, arg3)

    return res

def calc(buf, arg2, arg3):
    shift = arg2 >> 3
    w = arg2 & 7

    v1 = ord(buf[shift + arg3])
    esi = v1 << w

    v2 = ord(buf[shift + arg3 + 1])
    edx = v2 >> (8 - w)

    eax = (esi | edx) & 0xff
    eax = eax << [24, 16, 8, 0][arg3]

    return eax

def unloop(id):

    i = id / 4
    j = id % 4
    count1 = i / count_max
    count2 = i % count_max

    result = calc4(seed, count1) ^ calc4(seed, count2)
    return (result >> [24, 16, 8, 0][j]) & 0xff

# We got these after running the first part of the solution
otp = [599521712711912, 856316164104560, 851375299807737, 226795474523010, 690343477575657, 530610340387377, 402190494029161, 435574450270296, 1003903144987565, 933916790309578, 576245728766126, 588241585631380, 897535963540551, 184202982571948, 755391352053788, 499858102942276, 573081870210472, 801849170089785, 638395633557041, 799213889332420, 1055945742133509, 525694201254105, 1047919585821714, 120655124875111, 178112910059018, 681464867239468, 330601444697131, 713225398903763, 449046221226234, 684150454390929, 83445625775525, 216053647017703, 28210504105632, 667024320238515, 630378564532229, 289267338813144, 601558443994855, 770418906081774]
flag = [0x03, 0x74, 0xef, 0xa1, 0x22, 0x15, 0xf5, 0x27, 0x35, 0xfb, 0xca, 0xfa, 0xe6, 0xd8, 0x77, 0x85, 0xd4, 0x79, 0x76, 0x23, 0x50, 0xef, 0x57, 0xd9, 0x7a, 0xf7, 0x81, 0xdb, 0x89, 0x49, 0x4e, 0xff, 0xc1, 0xc9, 0xbc, 0x7a, 0x46, 0x69]

print ''.join([chr(unloop(o) ^ f) for o, f in zip(otp, flag)])
	seed = open('seed', 'rb').read()
	count_max = 0xf81000 - 0x20

	def calc4(buf, arg2):

	res = 0
	for arg3 in range(4):
	res \|= calc(buf, arg2, arg3)

	return res

	def calc(buf, arg2, arg3):
	shift = arg2 >> 3
	w = arg2 & 7

	v1 = ord(buf[shift + arg3])
	esi = v1 << w

	v2 = ord(buf[shift + arg3 + 1])
	edx = v2 >> (8 - w)

	eax = (esi \| edx) & 0xff
	eax = eax << [24, 16, 8, 0][arg3]

	return eax

	def unloop(id):

	i = id / 4
	j = id % 4
	count1 = i / count_max
	count2 = i % count_max

	result = calc4(seed, count1) ^ calc4(seed, count2)
	return (result >> [24, 16, 8, 0][j]) & 0xff

	# We got these after running the first part of the solution
	otp = [599521712711912, 856316164104560, 851375299807737, 226795474523010, 690343477575657, 530610340387377, 402190494029161, 435574450270296, 1003903144987565, 933916790309578, 576245728766126, 588241585631380, 897535963540551, 184202982571948, 755391352053788, 499858102942276, 573081870210472, 801849170089785, 638395633557041, 799213889332420, 1055945742133509, 525694201254105, 1047919585821714, 120655124875111, 178112910059018, 681464867239468, 330601444697131, 713225398903763, 449046221226234, 684150454390929, 83445625775525, 216053647017703, 28210504105632, 667024320238515, 630378564532229, 289267338813144, 601558443994855, 770418906081774]
	flag = [0x03, 0x74, 0xef, 0xa1, 0x22, 0x15, 0xf5, 0x27, 0x35, 0xfb, 0xca, 0xfa, 0xe6, 0xd8, 0x77, 0x85, 0xd4, 0x79, 0x76, 0x23, 0x50, 0xef, 0x57, 0xd9, 0x7a, 0xf7, 0x81, 0xdb, 0x89, 0x49, 0x4e, 0xff, 0xc1, 0xc9, 0xbc, 0x7a, 0x46, 0x69]

	print ''.join([chr(unloop(o) ^ f) for o, f in zip(otp, flag)])