[LINE CTF 2022] ss-puzzle

ss_puzzle.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# 64 bytes
FLAG = b'LINECTF{...}'

def xor(a:bytes, b:bytes) -> bytes:
    return bytes(i^j for i, j in zip(a, b))


S = [None]*4
R = [None]*4
Share = [None]*5

S[0] = FLAG[0:8]
S[1] = FLAG[8:16]
S[2] = FLAG[16:24]
S[3] = FLAG[24:32]

# Ideally, R should be random stream. (Not hint)
R[0] = FLAG[32:40]
R[1] = FLAG[40:48]
R[2] = FLAG[48:56]
R[3] = FLAG[56:64]

Share[0] = R[0]            + xor(R[1], S[3]) + xor(R[2], S[2]) + xor(R[3],S[1])
Share[1] = xor(R[0], S[0]) + R[1]            + xor(R[2], S[3]) + xor(R[3],S[2])
Share[2] = xor(R[0], S[1]) + xor(R[1], S[0]) + R[2]            + xor(R[3],S[3])
Share[3] = xor(R[0], S[2]) + xor(R[1], S[1]) + xor(R[2], S[0]) + R[3]
Share[4] = xor(R[0], S[3]) + xor(R[1], S[2]) + xor(R[2], S[1]) + xor(R[3],S[0])


# This share is partially broken.
Share[1] = Share[1][0:8]   + b'\x00'*8       + Share[1][16:24] + Share[1][24:32]

with open('./Share1', 'wb') as f:
    f.write(Share[1])
    f.close()

with open('./Share4', 'wb') as f:
    f.write(Share[4])
    f.close()

 

We already know that S[0] = b'LINECTF{'. All the other values can be easily recovered by simple xor. You may refer a code below.

 

solver.py

# 64 bytes
FLAG = b'LINECTF{...}'

def xor(a:bytes, b:bytes) -> bytes:
    return bytes(i^j for i, j in zip(a, b))

with open('./Share1', 'rb') as f:
    s1 = f.read(64)

with open('./Share4', 'rb') as f:
    s2 = f.read()

print(s1.hex())
print(s2.hex())

S = [None]*8
R = [None]*8

S[0] = b'LINECTF{'
R[0] = xor(s1[:8], S[0])
S[3] = xor(s1[:8], s2[:8])
S[3] = xor(S[0], S[3])
S[1] = xor(s1[16:24], s2[16:24])
S[1] = xor(S[1], S[3])
S[2] = xor(s1[24:], s2[24:])
S[2] = xor(S[2], S[0])

R[1] = xor(s2[8:16], S[2])
R[2] = xor(s2[16:24], S[1])
R[3] = xor(s2[24:], S[0])

print(S[0]+S[1]+S[2]+S[3]+R[0]+R[1]+R[2]+R[3])