Roman Hergenreder 5 years ago
parent
commit
755b80ac0d

+ 98 - 9
Day 14/decode.py

@@ -3,8 +3,10 @@
 import math
 
 c = int("2A4C9AA52257B56837369D5DD7019451C0EC04427EB95EB741D0273D55", 16)
-t = int("1398ED7F59A62962D5A47DD0D32B71156DD6AF6B46BEA949976331B8E1", 16)
 n = int("0D8A7A45D9BE42BB3F03F710CF105628E8080F6105224612481908DC721", 16)
+t = int("1398ED7F59A62962D5A47DD0D32B71156DD6AF6B46BEA949976331B8E1", 16)
+
+# print(len(hex(t)[2:])*4)
 
 def linear_diophantine_equation(a, b):
     if b > a:
@@ -26,13 +28,101 @@ def gcd(a, b):
     d, x, y = linear_diophantine_equation(a, b)
     return d
 
+def test_solution(m):
+    return (m**2) % n == c
+
+def is_square_num(n):
+    if n <= 0:
+        return False
+    return math.sqrt(n)**2 == n
+
+def is_int(n):
+    return int(n) == n
+
+# m*m - k*n = c
+# (m*m)/c - (k*n)/c = 1       k' = k * c
+# m * m * c^-1 - k' * n = 1
+
+# c = m*m - k*n
+# c = 1*x - k*n  mit x = m^2
+
+# c = gcd(m, n)
+
+d, x, y = linear_diophantine_equation(n, c)
+print(d, x, y)
+
+for i in range(-10, 10):
+    print(i, test_solution(y + i * t))
+    # h = hex(y)[2:]
+    # print(''.join([chr(int(h[i:i+2], 16)) for i in range(len(h))]))
+
+# print(y * c + x * n)
+
+# y1 * c + x1 * n = 1
+# y2 * m*m + x2 * n = 1
+
+# y2 * m*m + x2 * n = y1 * c + x1 * n
+# y2 * m*m + (x2-x1)*n = y1 * c
+# -y1*c + (x2-x1)*n = y2*m*m
+
+lcm = c * n
+while not is_square_num(lcm):
+    lcm += n
+
+print(hex(lcm))
+print(is_square_num(lcm))
+
+# tmp = -1 * y * c - x * n
+#
+# solution = tmp + n*n
+# while not is_square_num(solution) and not test_solution(math.sqrt(solution)):
+#     solution += n
+#
+#     if is_square_num(solution):
+#         print(len(hex(math.sqrt(solution))[2:]), hex(int(math.sqrt(solution))))
+#
+
+#
+# print(is_square_num(x))
+# print(test_solution(x))
+# # print(hex(d))
+
+# ggT(m², n) = ggT(c, n)
+
+# print(gcd(c,n))
+
+# gcd(m**2, n) = 1
+#
+# 1 = x*m**2 + y*n
+# 1 = x*m**2*c + y*n
+#
+# x1*m**2 + y1*n = x2*m**2*c + y2*n
+# 0 = m**2*x2*c-x1*m**2 + (y1-y2)*n
+#
+# gcd(m**2*c, n) = gcd(m**2, n)
+#
+# print(gcd(c, n))
+
+# m = int("c20cd4b471c96cc2eaab1d1c6e33494219679ae97e48506e311ddbba35", 16)
+# print(m**2 % n - c)
+# print(test_solution(m))
+
+# mult_inverse = multiplicative_inverse(c, n)
+#
+# d, x, y = linear_diophantine_equation(mult_inverse, n)
+# print(d,x,y)
+#
+# print(mult_inverse*x - y*n)
+#
+# print(is_square_num(x))
+# print(is_square_num(y))
+
+# print(is_square_num(c))
+
 # n > t > c
 
 # m              = flag
 
-def test_solution(m):
-    return m**2 % n == c
-
 # m**2 % n = x**2
 # m**2 + k*n = c
 # m % n = x
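Review bot: `is_square_num` tests `math.sqrt(n)**2 == n` in floating point, which is not reliable for the values this script feeds it. `c` and `n` are more than 200 bits wide and a float keeps 53 bits of mantissa, so the `while not is_square_num(lcm)` loop can stop on a non-square or step past a real one. An exact integer check avoids this; on Python 3.8+ the body can be `r = math.isqrt(n)` followed by `return r * r == n`. The parameter name `n` also shadows the module-level modulus `n` that `test_solution` reads, so renaming it (for example to `value`) would keep the two apart. `is_int` is not called anywhere in the visible hunk.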
@@ -45,11 +135,10 @@ def test_solution(m):
 #     x += n
 #     print(hex(x), hex(((x**2)%n)-c))
 # print(x)
-
-mult_inverse = multiplicative_inverse(c, n)
-
-d, x, y = linear_diophantine_equation(mult_inverse, mult_inverse*n)
-print(hex(d + 6*t - 2*c), test_solution(d + 6*t - 2*c))
+#
+#
+# d, x, y = linear_diophantine_equation(mult_inverse, mult_inverse*n)
+# print(hex(d + 6*t - 2*c), test_solution(d + 6*t - 2*c))
 
 # x = math.sqrt(n)
 # print(x)

BIN
Day 15/HACKvent-2018_by_the_oneandonly_HaRdLoCk.ipa


BIN
Day 15/Payload/HACKvent-2018.app/Assets.car


BIN
Day 15/Payload/HACKvent-2018.app/Base.lproj/Main.storyboardc/BYZ-38-t0r-view-8bC-Xf-vdC.nib


BIN
Day 15/Payload/HACKvent-2018.app/Base.lproj/Main.storyboardc/Info.plist


+ 15 - 0
Day 15/Payload/HACKvent-2018.app/Base.lproj/Main.storyboardc/Info.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>UIViewControllerIdentifiersToNibNames</key>
+	<dict>
+		<key>UIViewController-BYZ-38-t0r</key>
+		<string>UIViewController-BYZ-38-t0r</string>
+	</dict>
+	<key>UIStoryboardDesignatedEntryPointIdentifier</key>
+	<string>UIViewController-BYZ-38-t0r</string>
+	<key>UIStoryboardVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>

BIN
Day 15/Payload/HACKvent-2018.app/Base.lproj/Main.storyboardc/UIViewController-BYZ-38-t0r.nib


BIN
Day 15/Payload/HACKvent-2018.app/HACKvent-2018


BIN
Day 15/Payload/HACKvent-2018.app/HACKvent-2018.id0


BIN
Day 15/Payload/HACKvent-2018.app/HACKvent-2018.id1


BIN
Day 15/Payload/HACKvent-2018.app/HACKvent-2018.nam


BIN
Day 15/Payload/HACKvent-2018.app/HACKvent-2018.til


BIN
Day 15/Payload/HACKvent-2018.app/Info.plist


+ 88 - 0
Day 15/Payload/HACKvent-2018.app/Info.xml

@@ -0,0 +1,88 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>BuildMachineOSBuild</key>
+	<string>17G65</string>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleExecutable</key>
+	<string>HACKvent-2018</string>
+	<key>CFBundleIcons</key>
+	<dict>
+		<key>CFBundlePrimaryIcon</key>
+		<string>App Icon</string>
+	</dict>
+	<key>CFBundleIdentifier</key>
+	<string>com.hacking-lab.HACKvent-2018</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>HACKvent-2018</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0</string>
+	<key>CFBundleSupportedPlatforms</key>
+	<array>
+		<string>AppleTVOS</string>
+	</array>
+	<key>CFBundleVersion</key>
+	<string>1</string>
+	<key>DTCompiler</key>
+	<string>com.apple.compilers.llvm.clang.1_0</string>
+	<key>DTPlatformBuild</key>
+	<string>16J364</string>
+	<key>DTPlatformName</key>
+	<string>appletvos</string>
+	<key>DTPlatformVersion</key>
+	<string>12.0</string>
+	<key>DTSDKBuild</key>
+	<string>16J364</string>
+	<key>DTSDKName</key>
+	<string>appletvos12.0</string>
+	<key>DTXcode</key>
+	<string>1000</string>
+	<key>DTXcodeBuild</key>
+	<string>10A255</string>
+	<key>LSRequiresIPhoneOS</key>
+	<true/>
+	<key>MinimumOSVersion</key>
+	<string>12.0</string>
+	<key>UIDeviceFamily</key>
+	<array>
+		<integer>3</integer>
+	</array>
+	<key>UILaunchImages</key>
+	<array>
+		<dict>
+			<key>UILaunchImageMinimumOSVersion</key>
+			<string>11.0</string>
+			<key>UILaunchImageName</key>
+			<string>LaunchImage</string>
+			<key>UILaunchImageOrientation</key>
+			<string>Landscape</string>
+			<key>UILaunchImageSize</key>
+			<string>{1920, 1080}</string>
+		</dict>
+		<dict>
+			<key>UILaunchImageMinimumOSVersion</key>
+			<string>9.0</string>
+			<key>UILaunchImageName</key>
+			<string>LaunchImage</string>
+			<key>UILaunchImageOrientation</key>
+			<string>Landscape</string>
+			<key>UILaunchImageSize</key>
+			<string>{1920, 1080}</string>
+		</dict>
+	</array>
+	<key>UIMainStoryboardFile</key>
+	<string>Main</string>
+	<key>UIRequiredDeviceCapabilities</key>
+	<array>
+		<string>arm64</string>
+	</array>
+	<key>UIUserInterfaceStyle</key>
+	<string>Automatic</string>
+</dict>
+</plist>

+ 1 - 0
Day 15/Payload/HACKvent-2018.app/PkgInfo

@@ -0,0 +1 @@
+APPL????

+ 32 - 0
Day 15/decode.py

@@ -0,0 +1,32 @@
+#!/usr/bin/python
+
+import base64
+from Crypto import Random
+from Crypto.Cipher import AES
+
+key = list("uQA\\-nM@=1wl\x1EbN!")
+b64 = "xQ34V+MHmhC8V88KyU66q0DE4QeOxAbp1EGy9tlpkLw="
+
+key[0] = chr(120)
+
+offset = 1
+while True:
+
+    key[offset] = chr(ord(key[offset]) + 3)
+    offset += 1
+
+    if len(key) <= offset:
+        break
+
+key = "".join(key)
+
+# print(len(key))
+# print(len(base64.b64decode(b64)))
+
+def decrypt(key, encrypted):
+    # IV = Random.new().read(BLOCK_SIZE)
+    aes = AES.new(key, AES.MODE_ECB)
+    return aes.decrypt(base64.b64decode(b64))
+
+decrypted = decrypt(key.encode("utf-8"), b64)
+print(decrypted.decode("utf-8"))
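Review bot: `decrypt(key, encrypted)` never reads its `encrypted` argument; the body decodes the module-level `b64` instead, so it returns the same plaintext whatever the caller passes. Use the parameter: `return aes.decrypt(base64.b64decode(encrypted))`. `from Crypto import Random` is referenced only in a commented-out line and can be dropped. The raw `aes.decrypt` output in ECB mode still carries whatever padding the original encryptor applied, so `decrypted.decode("utf-8")` may print trailing padding bytes or raise on them. A short comment such as `# ECB mode and hard-coded key reproduce the analysed app's scheme; not a construction to reuse` would state what is presumably the intent.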