
@hakatashi
Last active March 10, 2021 19:13
zer0pts CTF 2021 Tokyo Network solver script
from ptrlib import Socket, logger
from sys import exit
# Gate program submitted to the challenge service on every round. Statements
# are ';'-separated and address qubits 0-8. The same 17-gate pattern is applied
# to the triples (0,1,2), (3,4,5) and (6,7,8), then H on qubits 0/3/6, then the
# pattern once more on (0,3,6). The pieces below concatenate to one string.
CIRCUIT = (
    'CNOT 0,1; CNOT 0,2; H 0; CNOT 2,0; TDAG 0; CNOT 1,0; T 0; CNOT 2,0; TDAG 0; CNOT 1,0; T 0; T 2; H 0; CNOT 1,2; T 1; TDAG 2; CNOT 1,2; '
    'CNOT 3,4; CNOT 3,5; H 3; CNOT 5,3; TDAG 3; CNOT 4,3; T 3; CNOT 5,3; TDAG 3; CNOT 4,3; T 3; T 5; H 3; CNOT 4,5; T 4; TDAG 5; CNOT 4,5; '
    'CNOT 6,7; CNOT 6,8; H 6; CNOT 8,6; TDAG 6; CNOT 7,6; T 6; CNOT 8,6; TDAG 6; CNOT 7,6; T 6; T 8; H 6; CNOT 7,8; T 7; TDAG 8; CNOT 7,8; '
    'H 0; H 3; H 6; '
    'CNOT 0,3; CNOT 0,6; H 0; CNOT 6,0; TDAG 0; CNOT 3,0; T 0; CNOT 6,0; TDAG 0; CNOT 3,0; T 0; T 6; H 0; CNOT 3,6; T 3; TDAG 6; CNOT 3,6;'
)

# Connects as soon as the module is executed; there is no main() guard.
con = Socket('others.ctf.zer0pts.com', 11099)

# The service announces the number of rounds it expects.
Np = int(con.recvlineafter('Np = '))
logger.info(f'Np = {Np}')

# NOTE(review): this page lost the script's indentation. The loop body is
# reconstructed as "log progress, send the circuit"; the 'Measured state'
# read is placed after the loop because the decryption script on this page
# works with a single Np-bit `measured` value. Confirm against the original.
for round_no in range(Np):
    if not round_no % 10:
        # Progress marker every tenth round.
        logger.info(f'i = {round_no}')
    con.sendline(CIRCUIT)

measured = con.recvlineafter('Measured state: ')
logger.info(f'measured = {measured}')

# 576 + 284 = 860 characters. The length is hard-coded rather than derived
# from Np, so it only lines up when the service reports Np = 860 (the value
# the decryption script on this page also assumes).
bb = '0' * 576 + '1' * 284
logger.info(f'bb = {bb}')
con.sendlineafter('bb = ', bb)

# Dump whatever the service sends next. The loop has no exit condition of its
# own; it stops only when recvline() raises or the process is interrupted
# (presumably on connection close -- confirm ptrlib's behaviour).
while True:
    print(con.recvline())
from Crypto.Cipher import AES
from base64 import b64decode
measured = 0b01011110010111100111001010111011100001100011101101101011011100011101101100111001100000100000110001101001110101000100100011101000000010001101111011000101111111010011110010000011010111010111111100100001110101111010010110011110000010010000100100111011010100101110101110010110001100011110010100000001011101010111100101111110100010111101010110010000110100000101011001001111010010100011000100011101100000111011101011110000100101100010011001101111001001000011001101011011111010100011011000111110111000010001011100000000010101001011010100110010001100101111111100011000111000100010100011011100111111001110101101001111111011011100010110010110111110000000110111111011101110111000100000111111111110000000001011110101111111101110101000010000010110100001101011110100000010000101001111100000111000000001101100110000011110001111101000011000001000000101111101111101011011110011
bb = 0b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
ba = 0b00001001110000101110101001010101000101100110101000011110110011001011100100101101000010011010000010001001010101110000011011000010101101011100100001011011001000011100011011011001100100001100011010010110001010111011000010110010000000001000101011100001001000010100001000101011100000001010111000010011001011010110001101110001100010001100011101000011100110000111110001010101100001001110000110101100001100000000010011111010010000101001001001100100011100100100100010101010110000001000001011100111111100000001000000101010001001001101001010010000011110010001000010001011011010100011100101001011111011001100101111100110101011001100010110001000000111110001110111000101010011001010101010100001100101010011011111110100001000100001101100111101001110001000001000000001111010000000110011111110001101110010001101111101110101111001100010011100011101000010000100011110010001000010
xa = 0b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001001100101000100001100110010101110101111000010100001101010100100100100001100001100101000010001001010000100101100110100010000101010011101
m = 0b10110000000111010000010110100000010010011001010101000001001100010100010011010010110101000101011101110010000010001001000100110001010000000011011010100000110111000011100000100100011011110011000001101000100000000000001101001001101101010110010000001110110111100001010101010100011100000101000010001000010100100001000010000000001101110011100010110000011000011000000010000010010110100001111001000001010000000110001100000100000011010110100110001011100001011011011101010001001001000100100000001000000001011100011110010101100110110000000101101101000000100000000000100100100001000100011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
c = b'NOqku7dnZ9RGZN41h0se1KI3WRX+3kG+Rls4Bsf1dG6nnOMccfPbc8AxQPZTQzTGYTxUCqN9UUbHgNX+qVayCA=='
# Np: width in bits of measured / bb / ba / m above. N: AES key size in bits.
Np = 860
N = 128

# Np-bit all-ones mask, so the complements below stay Np bits wide.
mask = (1 << Np) - 1

# Bit positions where ba and bb are both 0.
Nz_bits = mask & ~(ba | bb)
print(bin(Nz_bits))

# Of those, keep only positions whose bit in m is 0 as well.
# NOTE(review): presumably m marks positions the protocol has already
# disclosed or consumed -- confirm against the challenge source.
ra_bits = Nz_bits & ~m
print(bin(ra_bits))
# Number of selected positions; it has to fit the N-bit key built below.
print(bin(ra_bits).count('1'))

# Collect the measured bit at every selected position, scanning from bit 0
# upwards. Each new bit is shifted in on the right, so the lowest selected
# position ends up as the most significant bit of k.
k = 0
for pos in range(Np):
    if not (ra_bits >> pos) & 1:
        continue
    k = (k << 1) | ((measured >> pos) & 1)

# Raises OverflowError if k does not fit in N // 8 = 16 bytes.
key = k.to_bytes(N // 8, 'big')
print(bin(k))

# The decoded blob is a 16-byte IV followed by the CBC ciphertext.
enc = b64decode(c)
print(len(enc))
iv, c = enc[:16], enc[16:]
print(len(iv))
print(len(c))

# CBC carries no integrity check and the padding is not stripped here: a wrong
# key produces unreadable bytes rather than an error, and a correct one prints
# the plaintext with its trailing padding bytes still attached.
aes = AES.new(key, AES.MODE_CBC, iv=iv)
flag = aes.decrypt(c)
print(flag)