from pwn import *
# Restrict pwntools logging to warnings and above so only the script's own
# prints and the service replies show up on the console.
context.log_level = 'warning'
class LinearCongruentialGenerator:
    """Truncated linear congruential generator.

    The state is ``nbits`` wide and advances as
    ``state = (a * state + b) mod 2**nbits``; every output is the top
    32 bits of the freshly computed state.

    NOTE(security): the whole output stream is determined by ``a``, ``b``,
    ``nbits`` and the current state, so this construction is unsuitable
    wherever outputs must be unpredictable; use a CSPRNG there.
    """

    def __init__(self, a, b, nbits, state):
        """Record the multiplier, increment, state width and initial state."""
        self.a, self.b = a, b
        self.nbits, self.state = nbits, state

    def nextint(self):
        """Advance the state one step and return its top 32 bits."""
        modulus = 1 << self.nbits
        hidden_bits = self.nbits - 32
        advanced = (self.a * self.state + self.b) % modulus
        self.state = advanced
        return advanced >> hidden_bits
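# LCG parameters used to model the remote generator (presumably the same
# constants as chall.py -- confirm against the challenge source).
a = 0x66e158441b6995
b = 0xB
nbits = 85

# Each output exposes the top 32 state bits, so this many low bits stay hidden.
hidden_bits = nbits - 32
hidden_range = 1 << hidden_bits
modulus = 1 << nbits


def _read_draw(tube):
    """Send the input '1' and parse the integer that follows "was " in the reply."""
    tube.sendline('1')
    tube.readuntil("was ")
    # The last two characters of the line are dropped before parsing
    # (presumably trailing punctuation plus the newline -- confirm).
    return int(tube.readline()[:-2])


# Local testing alternative to the remote service:
# r = process(['python', 'chall.py'])
r = remote('lucky.chall.polictf.it', 31337)

# Three consecutive outputs: r0 and r1 constrain the state, r2 confirms it.
r0 = _read_draw(r)
r1 = _read_draw(r)
r2 = _read_draw(r)

# Write s0 = r0 * 2**53 + x and s1 = r1 * 2**53 + y with x, y < 2**53 unknown.
# The recurrence s1 = (a * s0 + b) mod 2**85 then gives, for some k >= 0,
#     a * x + (2**53 - 1 - y) == t + k * 2**85
# so for the right k the remainder modulo a is below 2**53 and the quotient
# is x.
t = (hidden_range * r1 - a * hidden_range * r0 - b + hidden_range - 1) % modulus

# Largest k for which t + k * 2**85 can still be <= a * 2**53 - 1.  The bound
# is inclusive, hence the "+ 1"; "//" keeps the division integral on both
# Python 2 and Python 3.
max_k = (hidden_range * a - 1 - t) // modulus
for k in range(max_k + 1):
    candidate = t + modulus * k
    if candidate % a < hidden_range:
        seed = candidate // a + hidden_range * r0
        generator = LinearCongruentialGenerator(a, b, nbits, seed)
        # Replaying from the candidate seed must reproduce r1 and then r2.
        if generator.nextint() == r1 and generator.nextint() == r2:
            break
else:
    # Without this, the script would carry on with an unverified (or
    # undefined) generator and submit meaningless values.
    raise RuntimeError("no generator state matches the three observed outputs")

# Takeaway for the service side: truncating an LCG's output does not protect
# its state -- three consecutive outputs sufficed here.  Values that must be
# unpredictable need a CSPRNG.
print('.')
while True:
    print('#')
    payload = generator.nextint()
    r.sendline(str(payload))
    print(r.recv(1024))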