its an ECB oracle, ill explain this in detail later when i get the time

Flag: flag{aes_that_ick_ecb_mode_lolz}

If we try to run this, we would eventually get the flag, but it's really slow, so let's try to not do that.

If we take a look at the a() function, we can see that it

• Has a loop that goes from 1 to n (for i in range)

• Defines b to be 0

  • Checks if i is a multiple of n

    • If so, add i to b

  • If b is equal to n, return True

    Copy

    def a(n):
    b = 0
    for i in range(1, n):
        if(n % i == 0):
            b += i
    return b == n

We can see (and also guessing by the title) that this will only return true on perfect numbers. Knowing this, I just looked up a list of perfect numbers, and then just XORed each number with the corresponding perfect number.

Script below.

cipher = [list of base64decoded stuff]
p = [6,28,496,8128,33550336,8589869056,137438691328,2305843008139952128,2658455991569831744654692615953842176,191561942608236107294793378084303638130997321548169216,13164036458569648337239753460458722910223472318386943117783728128,14474011154664524427946373126085988481573677491474835889066354349131199152128,23562723457267347065789548996709904988477547858392600710143027597506337283178622239730365539602600561360255566462503270175052892578043215543382498428777152427010394496918664028644534128033831439790236838624033171435922356643219703101720713163527487298747400647801939587165936401087419375649057918549492160555646976,141053783706712069063207958086063189881486743514715667838838675999954867742652380114104193329037690251561950568709829327164087724366370087116731268159313652487450652439805877296207297446723295166658228846926807786652870188920867879451478364569313922060370695064736073572378695176473055266826253284886383715072974324463835300053138429460296575143368065570759537328128]
o = ""
for i in range(len(p)):
  o += (chr(p[i] ^ cipher[i]))

print(o)

Then we just wrap the output with flag and submit it

Flag: flag{tHE_br0kEN_Xor}

So, from the title, we guess it's using OFB encryption.

For those of you that don't know, OFB encryption works like this: Firstly, like any AES mode, there is a key, and then with OFB, you also have an IV. Then:

• Encrypt the IV using the key

• Sets the new IV to the encrypted IV

• Xor the plaintext block with the encrypted IV, and then this is the output

This repeats for each block.

After reading the script, we can work out that:

• It takes the flag.txt, and reads this

• Pads this data using pkcs7 padding

• Splits the data into blocks of 16 bytes

• Randomly shuffles these blocks

• Encrypts the blocks with the OFB we mentioned above.

Since the IV and key stay constant, we can connect and receive as many data samples as we want, and since there are 3 blocks, there are only 6 possible permutations for the blocks to be in. (doesn't really matter but whatever)

Looking even closer at the script, we see this line:

assert len(flag) % 16 == 1

This means that the length of the flag must be 33, as we have already established that there are three blocks. This also means, because of the way the data is padded, that one of the blocks must be "}\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f" (we know the last char is "}")

Now, we can simply attempt to XOR each block with this string to get the key for that block, and then XOR that with the other blocks to get the flag. I made this table for convenience.

block\position:   1                                 2                            3
1 e92c6ede25edd6694b4de6f9565624d2  7e4cdcceda0a5284178d43205b448d35 24d20b9d166edb74bb80fa7ddf96d6a7
2 fb1f66cd01ffcc75787bfbd27d4d22cd  771cbab58a7528e774dd255b0b27ed56 36e1038e327cc16888b6e756f48dd0b8
3 f24f00b65180b6161b2b9da92d2e42ae  652fb2a6ae6732fb47eb3870203ceb49 3fb165f56203bb0bebe6812da4eeb0db

We then XOR f24f00b65180b6161b2b9da92d2e42ae with 7d0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f to get 8f400fb95e8fb919142492a622214da1, which is what XOR key was used to encrypt the first block.

Then, we simply XOR this key with each of the other blocks to get the rest of the flag.

e92c6ede25edd6694b4de6f9565624d2 ^ 8f400fb95e8fb919142492a622214da1 = 666c61677b626f705f69745f74776973 = flag{bop_it_twis
fb1f66cd01ffcc75787bfbd27d4d22cd ^ 8f400fb95e8fb919142492a622214da1 = 745f69745f70756c6c5f69745f6c6f6c = t_it_pull_it_lol
f24f00b65180b6161b2b9da92d2e42ae ^ 8f400fb95e8fb919142492a622214da1 = 7d0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f = }...............

Flag: flag{bop_it_twist_it_pull_it_lol}

just a boneh durfee attack lol (make sure to change lattice size to 5)

Flag: flag{bon_appetit_that_was_one_big_meal}

So the encryption takes some data, then base64 encodes it and encrypts it by XORing each byte with the byte after it, wrapping the last byte around to the start. The result is then hexlified. So, we can simply bruteforce the first byte in order to bruteforce what the decryption is. This gives us the base64 of the flag, which can be base64 decoded to get:

Flag: flag{tyrannosauras_xor_in_reverse}