Description
i like peppers. Download: chall.py and output.txt .
Setup
Download chall.py and output.txt.
Read chall.py to understand the modified AES scheme -- note that SubBytes is removed.
cat chall.py
cat output.txt
Solution
- Step 1Understand the linearity propertyThe Black Cobra cipher removes the SubBytes (S-box) step from AES. Without this non-linear substitution, the cipher is fully linear. This gives the key identity: E_K(P) = E_0(P) ⊕ E_K(0), where E_K means encryption under key K and E_0 means encryption under the all-zero key.
- Step 2Recover E_K(0) from a known plaintext pairUsing a known plaintext pt1 and its ciphertext ct1 from output.txt, compute E_0(pt1) with a zero key and XOR with ct1 to extract E_K(0).python3 << 'EOF' # chall.py implements AES without SubBytes -- all operations are linear # Property: E_K(P) = E_0(P) XOR E_K(0) from chall import encrypt # modified AES (no SubBytes) # From output.txt: known plaintext/ciphertext pair pt1 = bytes.fromhex("YOUR_KNOWN_PT1") ct1 = bytes.fromhex("YOUR_KNOWN_CT1") zero_key = bytes(16) # E_0(pt1): encrypt pt1 with zero key e0_pt1 = encrypt(pt1, zero_key) # Extract E_K(0): since E_K(pt1) = E_0(pt1) XOR E_K(0) e_k_0 = bytes(a ^ b for a, b in zip(ct1, e0_pt1)) print("E_K(0):", e_k_0.hex()) EOF
- Step 3Decrypt the flagTo decrypt the flag ciphertext, compute E_0(flag_ct) with the zero key and XOR with E_K(0). This reverses the linearity to recover the plaintext.python3 << 'EOF' flag_ct = bytes.fromhex("YOUR_FLAG_CT") # E_0(flag_ct) = decrypt using zero-key AES e0_flag = encrypt(flag_ct, zero_key) # or use decrypt # Recover plaintext: P = E_0(C) XOR E_K(0) # (because E_K(P) = E_0(P) XOR E_K(0), so P = E_0^{-1}(C XOR E_K(0))) pt = bytes(a ^ b for a, b in zip(e0_flag, e_k_0)) print(pt) EOF
Flag
picoCTF{bl4ck_c0br4_p3pp3r_...}
Removing SubBytes linearises AES: E_K(P) = E_0(P) ⊕ E_K(0). Compute E_0(pt1) with zero key, XOR with known ct1 to get E_K(0), then use this to decrypt any ciphertext.