# samueltangz/ctf-archive

Fetching contributors…
Cannot retrieve contributors at this time
51 lines (39 sloc) 1.17 KB
 from pwn import * context.log_level = 'warning' class LinearCongruentialGenerator: def __init__(self, a, b, nbits, state): self.a = a self.b = b self.nbits = nbits self.state = state def nextint(self): self.state = ((self.a * self.state) + self.b) % (1 << self.nbits) return self.state >> (self.nbits - 32) a = 0x66e158441b6995 b = 0xB nbits = 85 # r = process(['python', 'chall.py']) r = remote('lucky.chall.polictf.it', 31337) r.sendline('1') r.readuntil("was ") r0 = int(r.readline()[:-2]) r.sendline('1') r.readuntil("was ") r1 = int(r.readline()[:-2]) r.sendline('1') r.readuntil("was ") r2 = int(r.readline()[:-2]) t = ((1 << 53) * r1 - a * (1 << 53) * r0 - b + (1 << 53) - 1) % (1 << 85) cnt = 0 for k in range(((1 << 53) * a - 1 - t) / (1 << 85)): if (t + (1 << 85) * k) % a < (1 << 53): seed = (t + (1 << 85) * k) / a + (1 << 53) * r0 generator = LinearCongruentialGenerator(a, b, nbits, seed) if generator.nextint() == r1 and generator.nextint() == r2: break print '.' while 1: print '#' payload = generator.nextint() r.sendline(str(payload)) print r.recv(1024)