~# n0tr00t Security Team

Asis-ctf Simple Algorithm 100

10 May 2015 - root

[+] Author: root
[+] Team: n0tr00t security team 
[+] From: http://www.n0tr00t.com
[+] Create: 2015-05-10

Category: Crypto

The flag is encrypted by this code, can you decrypt it after finding the system?

file simple_algorithm_5a0058082857cf27d6e51c095ac59bd5
simple_algorithm_5a0058082857cf27d6e51c095ac59bd5: xz compressed data

tar -xf simple_algorithm_5a0058082857cf27d6e51c095ac59bd5

cd simple_algorithm
simple_algorithm  ls
enc.txt             simple_algorithm.py

enc.txt:

2712733801194381163880124319146586498182192151917719248224681364019142438188097307292437016388011943193619457377217328473027324319178428

simple_algorithm.py:

#!/usr/bin/python

flag = '[censored]'
hflag = flag.encode('hex')
iflag = int(hflag[2:], 16)

def FAN(n, m):
    i = 0
    z = []
    s = 0
    while n > 0:
        if n % 2 != 0:
            z.append(2 - (n % 4))
        else:
            z.append(0)
        n = (n - z[i])/2
        i = i + 1
    z = z[::-1]
    l = len(z)
    for i in range(0, l):
        s += z[i] * m ** (l - 1 - i)
    return s

i = 0
r = ''
while i < len(str(iflag)):
    d = str(iflag)[i:i+2]
    nf = FAN(int(d), 3)
    r += str(nf)
    i += 2

print r 

Burp Script

#!/usr/bin/env python
# coding=utf-8
# author=l
# website=n0tr00t.com

import re

s = ("2712733801194381163880124319146586498182192151917719248224681364"
     "019142438188097307292437016388011943193619457377217328473027324319178428")

def FAN(n, m):
    i = 0
    z = []
    s = 0
    while n > 0:
    	if n % 2 != 0:
    		z.append(2 - (n % 4))
    	else:
    		z.append(0)
    	n = (n - z[i])/2
    	i = i + 1
    z = z[::-1]
    l = len(z)
    for i in range(0, l):
        s += z[i] * m ** (l - 1 - i)
    return s

d = {}
for i in xrange(0,100):
    if i < 10:
        v = '0' + str(i)
    else:
        v = str(i)
    k = FAN(i,3)
    d[str(k)] = v


iflag = [0] * 100
iflag[0] = d['271']
def dfs(pos, x):
    if pos + 1 > len(s):
        check_flag(iflag[:x])
        if iflag[x-1].startswith('0'):
            iflag2 = iflag[:x]
            iflag2[x-1] = iflag2[x-1][1:]
            check_flag(iflag2)
        return
    for i in xrange(0,5):
        if pos+i+1 <= len(s):
            k = s[pos:pos+i+1]
            if d.has_key(k):
                iflag[x] = d[k]
                dfs(pos+i+1, x+1)

def check_flag(iflag):
    hflag = hex(int(''.join(iflag)))
    hflag = hflag.strip('0x').strip('L')
    try:
        flag = hflag.decode('hex')
        if re.findall('^[a-zA-Z0-9_{}]*$',flag)[0]:
            print flag
    except Exception,e:
        pass

dfs(3,1)