Skip to content

Instantly share code, notes, and snippets.

View hellopir2's full-sized avatar
💭
in

hellopir2

💭
in
8 followers · 1 following
  • Line Islands
  • 09:10 (UTC +13:00)
View GitHub Profile
@hellopir2
hellopir2 / plaidctf-hangmanpt2.md
Created April 14, 2025 20:58

Differences with part 1

Compared to part 1, part 2 allowed the bandits to get in 2x the number of failed guesses (for a total of 10 failed guesses), and we need to succeed in tricking the bandit 100 times in a row. We can check for words that fit a similar strategy to part 1, but it quickly becomes evident that there aren't any candidates. Thus, we concluded that the hash must be weak somehow.

Understanding the hash function

Stealing a python reimpl of the hash function from the pins, we can start to piece together the routine of the hash function. It works roughly as follows:

  1. The bandit's salt is used as the IV, and stored in the output array.
  2. For each block of 16 bytes in the input data (which is padded to fit), the output array is modified with the following function:
def inner(ptr, block_data, bandit_salt):
    """
@hellopir2
hellopir2 / what_flag.md
Created September 16, 2024 17:58

Intended solve process

For this challenge, we are given a python file with the following source:

#!/usr/local/bin/python3
import signal
from time import sleep
from random import random, getrandbits

flag = open('flag.txt').read()
def die(*args):