Return "4n71cH3aT" + h.digest() + gamepickle Then, we can reconstruct the decrypted version of the save string to known-plaintext the XOR 'encryption'. Then play the game until we know where the mines are, reloading if need be. > encrypted = base64.standard_b64decode("+W8dj/vZKzvNsM5nRjqtIKuzAJBaKlDO2NmjNpeRQ4YjG81/r9fxgsF/5iG7NmaA/RWk69UDty0CbMVKWoKraijjsinl4pkX18B7GE8wEpPjBfqP820JvjToU9B8JTxQQG0jMTiZ2tIevjW1qP/WBLDd5noJoF/bd7dZ7r6eTjSCfR3o8Ofuax5Yqt4PO5sJN4B9kqFS+9D1FsgrGVV8CBvSyD9NJnVyS3w0OaaCBrFg9jwwPgsvr+0GtV0SY8Uo8uDBdIDii39+G+bxI6OfTp33GjdjI1SWr1SED1iiUChe/O2+U+Tz6+mYa0RFQ+gmBCeYiYzX3vUATw=") We should first save our game, and keep this first copy. We need to get the game into a predictable state so that we know what the pickle string (and its hash) will be. We're just going to reconstruct the plaintext instead.) (You can exploit that too, if you can find or make a predictable part of the save long enough to loop the key. If the save is longer than the pad then it repeats. "4n71cH3aT" and the sha1 hash of the pickle string are prepended to the beginning. Pickle lets you execute arbitrary Python so we have to exploit that. This contains w, h, mines, opened, flagged, etc. Saves are Pickle strings of the Field class's _dict_. If you run this on your own machine you can just read the encryption key but dialogue from the show indicates the key is secret (server runs on the CTF box). This one isn't very hard, Elliot doing it in like 10 seconds is impressive but it's unimpressive it took the rest of the room that long (unless they did NOT have the source).Īt first launch an encryption pad is generated (it's NOT a one-time pad though, that's the weakness) using random.SystemRandom() which uses the kernel's cryptography-grade random number generator (urandom).
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |