SpyFi.cs

static void Main()
{
    string flagCand = "_0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}.  !\"#$%&()=~`+*<>?-^\\@[;:],./";

    Console.WriteLine(GetFlagHash(0));

    string placeHolder = "ifying code is: ";
    string flag = "picoCTF{@g3nt6_1$_th3_c00l3$t_8220250}";
    for (int i = flag.Length + 1; i < 41; i++)
    {
        Console.WriteLine($"{i}番目の文字を取得します");
        string hash = GetFlagHash(i);
        Debug.WriteLine($"{i} : {hash}");
        foreach (var c in flagCand)
        {
            string plane = (placeHolder + flag + c.ToString()).Substring((placeHolder + flag).Length - 16 + 1);
            Console.WriteLine($"GetHash({plane})");
            string h = GetHash(plane);
            Debug.WriteLine($"{plane} : {h}");
            if (h == hash)
            {
                Console.WriteLine($"{i}番目の文字は : {c}");
                flag += c;
                goto end;
            }
        }
        Console.WriteLine("対応する文字が一つも見つかりませんでした。");
        end:;
    }
}

static string GetFlagHash(int end)
{
    return GetAESString("".PadLeft(44 - end, '_'))[7];
}

static string GetHash(string s)
{
    if (s.Length != 16) throw new ArgumentException();
    return GetAESString($"___________{s}_")[4];
}

static string[] GetAESString(string s)
{
    var stream = new TCPStream("2018shell2.picoctf.com", 30399, Encoding.ASCII);
    stream.ReadToEnd();
    stream.ReadToEnd();
    stream.WriteLine(s);
    string res = stream.ReadToEnd();
    List<string> spl = new List<string>();
    for (int i = 0; i < res.Length; i += 32)
    {
        spl.Add(res.Substring(i, 16));
    }
    return spl.ToArray();
}