Category: Hacking Lab

RSS

Archive for the ‘Hacking Lab’ Category

Hackvent 2019: Hidden 1

06 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 6 December 2019

Challenge

HV19.H1 Hidden One

Sometimes, there are hidden flags. Got your first?

1	Sometimes, there are hidden flags. Got your first?

Born: January 22	     	 	   	   	 	       	     	  	  
Died: April 9   	  	 	    	  	      	   		  	  
Mother: Lady Anne   		 	   	   	      	  	      	  
Father: Sir Nicholas	 	      		    	    	  	  	      	      
Secrets: unknown

Born: January 22

Died: April 9

Mother: Lady Anne

Father: Sir Nicholas

Secrets: unknown

Solution

During the Day 6 challenge HV19.06 bacon and eggs, we notice there is a lot of suspicious whitespace (space and tab) characters after each line of statistics about Francis Bacon.

As the theme for this challenge was crypto, we Google search for white space cipher. One of the first few results links us to http://www.darkside.com.au/snow/ which details Whitespace steganography which can be used to conceal messages by appending whitespace to the end of lines! We download the 32-bit executable for this tool and run it as follows:

./SNOW.EXE -C input.txt

1	./SNOW.EXE -C input.txt

Where input.txt is simply the statistic panel text including all whitespace.

This spits out our flag!

Flag: HV19{1stHiddenFound}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 6

06 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 6 December 2019

Challenge

HV19.H1 Hidden One

Francis Bacon was an English philosopher and statesman who served as Attorney General and as Lord Chancellor of England. His works are credited with developing the scientific method and remained influential through the scientific revolution. Bacon has been called the father of empiricism. His works argued for the possibility of scientific knowledge based only upon inductive reasoning and careful observation of events in nature. Most importantly, he argued science could be achieved by use of a sceptical and methodical approach whereby scientists aim to avoid misleading themselves. Although his practical ideas about such a method, the Baconian method, did not have a long–lasting influence, the general idea of the importance and possibility of a sceptical methodology makes Bacon the father of the scientific method. This method was a new rhetorical and theoretical framework for science, the practical details of which are still central in debates about science and methodology.

Bacon was the first recipient of the Queen’s counsel designation, which was conferred in 1597 when Elizabeth I of England reserved Bacon as her legal advisor. After the accession of James VI and I in 1603, Bacon was knighted. He was later created Baron Verulam in 1618 and Viscount St. Alban in 1621. Because he had no heirs, both titles became extinct upon his death in 1626, at 65 years. Bacon died of pneumonia, with one account by John Aubrey stating that he had contracted the condition while studying the effects of freezing on the preservation of meat. He is buried at St Michael’s Church, St Albans, Hertfordshire.

Born: January 22	     	 	   	   	 	       	     	  	  
Died: April 9   	  	 	    	  	      	   		  	  
Mother: Lady Anne   		 	   	   	      	  	      	  
Father: Sir Nicholas	 	      		    	    	  	  	      	      
Secrets: unknown

Born: January 22

Died: April 9

Mother: Lady Anne

Father: Sir Nicholas

Secrets: unknown

Solution

We notice there is italic text embedded within our first paragraph. As it turns out Francis Bacon devised a cipher called the Bacon cipher. Thus, we know we must transform the above text into a bacon code which can be deciphered. Each character that is stylised with italics will be converted to a B and every other character will be converted to an A. For effeciency, we use a python script to do this:

#!/usr/bin/env python
import re
str = '<em>F</em>ra<em>n</em>cis Baco<em>n</em> <em>w</em>a<em>s</em> <em>a</em>n E<em>ng</em>lish ph<em>i</em>l<em>os</em>o<em>p</em>her a<em>n</em>d <em>s</em>tat<em>e</em>sm<em>a</em>n w<em>h</em>o se<em>rve</em>d <em>a</em>s At<em>t</em>or<em>n</em>ey Gen<em>e</em>ral and as <em>L</em>or<em>d</em> <em>Ch</em>an<em>ce</em>l<em>l</em>or of <em>En</em>g<em>l</em>an<em>d</em>. Hi<em>s</em> <em>w</em>orks ar<em>e</em> c<em>red</em>it<em>e</em>d w<em>ith</em> d<em>e</em>ve<em>lo</em>pi<em>ng</em> <em>t</em>h<em>e</em> sci<em>e</em>nt<em>i</em>fic me<em>t</em>hod and re<em>m</em>ai<em>ned</em> in<em>fl</em>u<em>en</em>ti<em>al</em> th<em>rou</em>gh <em>t</em>he s<em>cien</em>tific <em>r</em>ev<em>o</em>l<em>u</em>ti<em>o</em>n.<em>B</em>a<em>co</em>n h<em>as</em> <em>b</em>e<em>e</em>n ca<em>l</em>led <em>th</em>e <em>f</em>ath<em>e</em>r o<em>f</em> emp<em>iric</em>i<em>s</em>m. <em>Hi</em>s <em>wor</em>ks ar<em>g</em>ued for th<em>e</em> po<em>ssi</em>bi<em>li</em>t<em>y</em> of s<em>c</em>ie<em>n</em>tifi<em>c</em> <em>kno</em>wl<em>edg</em>e b<em>a</em>se<em>d</em> onl<em>y</em> u<em>p</em>on i<em>n</em>du<em>c</em>t<em>i</em>ve <em>r</em>ea<em>s</em>onin<em>g</em> <em>a</em>nd c<em>aref</em>u<em>l</em> o<em>bs</em>er<em>v</em>ation o<em>f</em> <em>e</em>v<em>e</em>nt<em>s</em> in <em>na</em>tur<em>e</em>. Mo<em>st</em> <em>i</em>mp<em>ort</em>an<em>t</em>l<em>y</em>, <em>he</em> a<em>rgue</em>d sc<em>i</em>en<em>c</em>e co<em>uld</em> <em>b</em>e <em>a</em>c<em>hi</em>eved by us<em>e</em> of a <em>s</em>ce<em>p</em>t<em>ical</em> a<em>nd</em> me<em>t</em>hod<em>i</em>ca<em>l</em> <em>a</em>pp<em>roa</em>ch wh<em>er</em>eby <em>s</em>cientist<em>s</em> ai<em>m</em> t<em>o</em> avo<em>i</em>d m<em>i</em>sl<em>ead</em>in<em>g</em> themsel<em>ve</em>s. <em>A</em>lth<em>oug</em>h <em>h</em>is <em>p</em>ra<em>c</em>tic<em>a</em>l i<em>d</em>e<em>a</em>s ab<em>out</em> <em>s</em>u<em>ch</em> <em>a</em> <em>m</em>et<em>h</em>od, <em>t</em>he B<em>a</em>con<em>i</em>an meth<em>o</em>d, d<em>i</em>d no<em>t</em> have <em>a</em> l<em>o</em>n<em>g</em>-<em>la</em>s<em>t</em>ing <em>i</em>nfluen<em>c</em>e, <em>th</em>e <em>g</em>e<em>ne</em>ral <em>i</em>dea <em>of</em> <em>t</em>he imp<em>o</em>rta<em>n</em>ce and pos<em>s</em>i<em>b</em>il<em>it</em>y o<em>f</em> a s<em>c</em>ept<em>i</em>cal'
def repl(m):
return '1' * len(m.group(1))
# Replace italic text with 1 and non-italic text with 0
str = str.replace(' ', '').replace(',', '').replace('.', '').replace('-', '')
str = re.sub('<em>(.*?)</em>', repl, str)
str = re.sub ('[A-Za-z .,-]', '0', str)
# Print as A and B's for easy decipher
str = str.replace('1', 'B').replace('0', 'A')
print(str)

#!/usr/bin/env python

import re

str = 'Francis Bacon was an English philosopher and statesman who served as Attorney General and as Lord Chancellor of England. His works are credited with developing the scientific method and remained influential through the scientific revolution.Bacon has been called the father of empiricism. His works argued for the possibility of scientific knowledge based only upon inductive reasoning and careful observation of events in nature. Most importantly, he argued science could be achieved by use of a sceptical and methodical approach whereby scientists aim to avoid misleading themselves. Although his practical ideas about such a method, the Baconian method, did not have a long-lasting influence, the general idea of the importance and possibility of a sceptical'

def repl(m):

return '1' * len(m.group(1))

# Replace italic text with 1 and non-italic text with 0

str = str.replace(' ', '').replace(',', '').replace('.', '').replace('-', '')

str = re.sub('(.*?)', repl, str)

str = re.sub ('[A-Za-z .,-]', '0', str)

# Print as A and B's for easy decipher

str = str.replace('1', 'B').replace('0', 'A')

print(str)

It is important to note that we strip out some non-alphanumeric characters such as ,.- as the Bacon cipher does not allow them in its alphabet.
Running this script we get the following output:

BAABAAAAAAABBABBAABBAAAAAABABBABAAAABABAAABAABAABAAABBBABAAABAABAAAAABAAAAAAAABAABBBAABBABAAAABBABAABAABBAAAAAABABBBAABAABBBABAABBAABBBABAAABAABAAAAABAAAAAAAABAABBBAABBABBAABBAABBBAABAAABBBBAAAAABAABABAABABABBAABBBABAAABAAABBABAAABAABAAABBBBABABBABBBAAAABAAAAAAAABAABBBAABBABAAABAABAAAABBBBAABBBAABAABAAABABAAABAABABAABAABAAAABBAAABBBBABABBAABAAAAAABBABAABAABBAAABAABBBAABBBAABABBBABBBBAAABAABAAABBBBABABBAAAAAAAABAAABAABABBBBABBAABAAABAABBAABBBAAAABBAAABAAAAAAAABAABABAAABAABAABBBAABAAAAAAABBABAAABBBABAABAABAAABAABABAAABBBBABBBBAABAABAAABAAABAAAAAABAABAAABAAAABABABBBABAAABAAAAAABABBABABBAAABAAABBBAAAAABAAABAAAAAAAABABAABBAABAABAAABAAA

BAABAAAAAAABBABBAABBAAAAAABABBABAAAABABAAABAABAABAAABBBABAAABAABAAAAABAAAAAAAABAABBBAABBABAAAABBABAABAABBAAAAAABABBBAABAABBBABAABBAABBBABAAABAABAAAAABAAAAAAAABAABBBAABBABBAABBAABBBAABAAABBBBAAAAABAABABAABABABBAABBBABAAABAAABBABAAABAABAAABBBBABABBABBBAAAABAAAAAAAABAABBBAABBABAAABAABAAAABBBBAABBBAABAABAAABABAAABAABABAABAABAAAABBAAABBBBABABBAABAAAAAABBABAABAABBAAABAABBBAABBBAABABBBABBBBAAABAABAAABBBBABABBAAAAAAAABAAABAABABBBBABBAABAAABAABBAABBBAAAABBAAABAAAAAAAABAABABAAABAABAABBBAABAAAAAAABBABAAABBBABAABAABAAABAABABAAABBBBABBBBAABAABAAABAAABAAAAAABAABAAABAAAABABABBBABAAABAAAAAABABBABABBAAABAAABBBAAAAABAAABAAAAAAAABABAABBAABAABAAABAAA

We use an online Bacon Cipher tool to decipher the text and get:

SANTALIKESHISBACONBUTALSOTHISBACONTHEPASSWORDISHVXBACONCIPHERISSIMPLEBUTCOOLXREPLACEXWITHBRACKETSANDUSEUPPERCASEFORALLCHARACTER

1	SANTALIKESHISBACONBUTALSOTHISBACONTHEPASSWORDISHVXBACONCIPHERISSIMPLEBUTCOOLXREPLACEXWITHBRACKETSANDUSEUPPERCASEFORALLCHARACTER

Which can be read as:

SANTA LIKES HIS BACON BUT ALSO THIS BACON THE PASSWORD IS 
HVXBACONCIPHERISSIMPLEBUTCOOLX
REPLACE X WITH BRACKETS AND USE UPPER CASE FOR ALL CHARACTER

SANTA LIKES HIS BACON BUT ALSO THIS BACON THE PASSWORD IS

HVXBACONCIPHERISSIMPLEBUTCOOLX

REPLACE X WITH BRACKETS AND USE UPPER CASE FOR ALL CHARACTER

We follow these instructions, adding in the missing 19, to get our final flag!

Flag: HV19{BACONCIPHERISSIMPLEBUTCOOL}

Bonus

This challenge also contained the solution to HV19.H1 Hidden One.

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 5

05 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 5 December 2019

Challenge

HV19.05 Santa Parcel Tracking

Introduction
To handle the huge load of parcels Santa introduced this year a parcel tracking system. He didn't like the black and white barcode, so he invented a more solemn barcode. Unfortunately the common barcode readers can't read it anymore, it only works with the pimped models santa owns. Can you read the barcode
Resources

Introduction

To handle the huge load of parcels Santa introduced this year a parcel tracking system. He didn't like the black and white barcode, so he invented a more solemn barcode. Unfortunately the common barcode readers can't read it anymore, it only works with the pimped models santa owns. Can you read the barcode

Resources

Image mirror:

Solution

Initially we try scanning the barcode as it looks like a Code 128 barcode. It works but gives us the string Not a solution which is unfortunately a dead end. After a lot of experimentation, we manually note down the hexadecimal values for each colour in sequence. We decided to use Photoshop’s colour picker but in hindsight should have done this pragmatically using MATLAB.

This gives us the following list of 64 hex codes:

735058

745938

6c5059

6d4549

72314f

793346

735030

65515a

673850

7a3934

754c53

685438

654748

7a3056

615831

673039

6c4f7b

744f44

6c4a31

674a66

784966

7a4969

675563

6a5375

69486c

695174

76365f

763074

734d6f

73495f

615167

694933

653474

77535f

623961

74455f

754753

683450

613854

6c4e5f

715652

635633

6c5061

663664

713565

724772

634f7d

775853

664c31

713030

765639

655730

6e4a4f

67574d

78325a

653345

6b3230

6f3345

615333

6c524e

745546

793850

764236

654245

After more experimentation, we discover that the blue channel of each hex code is significant! We discard all data but the blue channel and run our sequence of hex codes through an online hex to ascii converter.

This gives us the following string which has our flag surrounded by what appears to be noise:

X8YIOF0ZP4S8HV19{D1fficult_to_g3t_a_SPT_R3ader}S1090OMZE0E3NFP6E

1	X8YIOF0ZP4S8HV19{D1fficult_to_g3t_a_SPT_R3ader}S1090OMZE0E3NFP6E

Flag: HV19{D1fficult_to_g3t_a_SPT_R3ader}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 4

05 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 4 December 2019

Challenge

HV19.04 password policy circumvention

Santa released a new password policy (more than 40 characters, upper, lower, digit, special).
The elves can't remember such long passwords, so they found a way to continue to use their old (bad) password:
merry christmas geeks

Santa released a new password policy (more than 40 characters, upper, lower, digit, special).

The elves can't remember such long passwords, so they found a way to continue to use their old (bad) password:

merry christmas geeks

File mirror: HV19-PPC.zip

Solution

We download this zip file and extract it to find a HV19-PPC.ahk file. We know that ahk files are AutoHotKey files. Upon inspecting the ahk file we find that this is in fact the case.

The script seems to move the cursor around and type text when certain characters are typed in.
As the script and hint suggests, we have to type in merry christmas geeks letter by letter and let the script mutate the string.

Doing so gives us our flag!

Flag: HV19{R3memb3r, rem3mber - the 24th 0f December}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 3

03 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 3 December 2019

Challenge

HV19.03 Hodor, Hodor, Hodor

$HODOR: hhodor. Hodor. Hodor!? = `hodor?!? HODOR!? hodor? Hodor oHodor. hodor? , HODOR!?! ohodor!? dhodor? hodor odhodor? d HodorHodor Hodor!? HODOR HODOR? hodor! hodor!? HODOR hodor! hodor? ! hodor?!? Hodor Hodor Hodor? Hodor HODOR rhodor? HODOR Hodor!? h4Hodor?!? Hodor?!? <span class="hljs-number">0</span>r hhodor? Hodor!? oHodor?! hodor? Hodor Hodor! HODOR Hodor hodor? <span class="hljs-number">64</span> HODOR Hodor HODOR!? hodor? Hodor!? Hodor!? . HODOR?!? hodor- hodorHoOodoOor Hodor?!? OHoOodoOorHooodorrHODOR hodor. oHODOR... Dhodor- hodor?! HooodorrHODOR HoOodoOorHooodorrHODOR RoHODOR... HODOR!?! <span class="hljs-number">1</span>hodor?! HODOR... DHODOR- HODOR!?! HooodorrHODOR Hodor- HODORHoOodoOor HODOR!?! HODOR... DHODORHoOodoOor hodor. Hodor! HoOodoOorHodor HODORHoOodoOor <span class="hljs-number">0</span>Hooodorrhodor HoOodoOorHooodorrHODOR <span class="hljs-number">0</span>=`; hodor.hod(hhodor. Hodor. Hodor!? );

$HODOR: hhodor. Hodor. Hodor!? = `hodor?!? HODOR!? hodor? Hodor oHodor. hodor? , HODOR!?! ohodor!? dhodor? hodor odhodor? d HodorHodor Hodor!? HODOR HODOR? hodor! hodor!? HODOR hodor! hodor? ! hodor?!? Hodor Hodor Hodor? Hodor HODOR rhodor? HODOR Hodor!? h4Hodor?!? Hodor?!? 0r hhodor? Hodor!? oHodor?! hodor? Hodor Hodor! HODOR Hodor hodor? 64 HODOR Hodor HODOR!? hodor? Hodor!? Hodor!? . HODOR?!? hodor- hodorHoOodoOor Hodor?!? OHoOodoOorHooodorrHODOR hodor. oHODOR... Dhodor- hodor?! HooodorrHODOR HoOodoOorHooodorrHODOR RoHODOR... HODOR!?! 1hodor?! HODOR... DHODOR- HODOR!?! HooodorrHODOR Hodor- HODORHoOodoOor HODOR!?! HODOR... DHODORHoOodoOor hodor. Hodor! HoOodoOorHodor HODORHoOodoOor 0Hooodorrhodor HoOodoOorHooodorrHODOR 0=`; hodor.hod(hhodor. Hodor. Hodor!? );

Solution

At first this looks like it may possible be a hidden code with different variations of hodor mapping to English alphabet characters. However, before we look into frequency analysis we do a Google search for hodor programming language and discover that such an esoteric language exists!

We find an online interpreter/compiler TIO capable of running Hodor code and get this output:

Awesome, you decoded Hodors language! 
As sis a real h4xx0r he loves base64 as well.
SFYxOXtoMDFkLXRoMy1kMDByLTQyMDQtbGQ0WX0=

Awesome, you decoded Hodors language!

As sis a real h4xx0r he loves base64 as well.

SFYxOXtoMDFkLXRoMy1kMDByLTQyMDQtbGQ0WX0=

As the hint suggests, we need to base64 decode that last string.

Doing so gives us our flag!

Flag: HV19{h01d-th3-d00r-4204-ld4Y}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

HACKvent 2019: Day 2

02 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 2 December 2019

Challenge

HV19.02 Triangulation

Today we give away decorations for your Christmas tree. But be careful and do not break it.
HV19.02-Triangulation.zip

Today we give away decorations for your Christmas tree. But be careful and do not break it.

HV19.02-Triangulation.zip

File mirror:
a5f47ab8-f151-4741-b061-d2ab331bf641

Solution

We know that a stl file is 3D model file. Thus naturally we open this file up in a 3D model viewer.
On Windows we initially attempt to use 3D Builder.

From the hint that says to ‘not break it’ so we really want to break it and look inside the sphere.
Upon doing so, we quickly notice a QR code (or rather a Aztec code) sitting inside.

After much manipulation in 3D Builder, we still don’t quite have an image which scans with a QR reader:

Thus, we shamefully give up and use Blender to extract the QR code, colour it black and place it on a white background:

This image scans and gives us our flag!

Flag: HV19{Cr4ck_Th3_B411!}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

HACKvent 2019: Day 1

02 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 2 December 2019

Challenge

HV19.01 censored

I got this little image, but it looks like the best part got censored on the way. Even the tiny preview icon looks clearer than this! Maybe they missed something that would let you restore the original content?

1	I got this little image, but it looks like the best part got censored on the way. Even the tiny preview icon looks clearer than this! Maybe they missed something that would let you restore the original content?

Solution

The hint indicates that we should have a clearer smaller image available to us.
At first we attempt to shrink the image, resharpen and enlarge but there is too much degradation for that to work. We also open the image in GIMP and mess with levels/contrast with no luck.

Finally, we use binwalk on the image to find hidden binaries and find:

$ python .\binwalk .\f182d5f0-1d10-4f0f-a0c1-7cba0981b6da.jpg
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, little-endian offset of first image directory: 8
332           0x14C           JPEG image data, JFIF standard 1.01

$ python .\binwalk .\f182d5f0-1d10-4f0f-a0c1-7cba0981b6da.jpg

DECIMAL HEXADECIMAL DESCRIPTION

--------------------------------------------------------------------------------

0 0x0 JPEG image data, EXIF standard

12 0xC TIFF image data, little-endian offset of first image directory: 8

332 0x14C JPEG image data, JFIF standard 1.01

We extract the second JPEG image in this file which gives us a smaller preview thumbnail but with a crisp QR code!

This image is good enough to scan and gives us our flag!

Flag: HV19{just-4-PREview!}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

HACKvent 2016: Day 1

05 Dec 2016

CTF: Hackvent 2016
Link to challenge: http://hackvent.hacking-lab.com

Date Completed: 5 December 2016

Challenge

Santa receives an email with links to three pictures, but every picture is the same.
He talks with some of his elves and one says, that there is some weird stuff happening when loading these pictures.
Can you identify it?
Link 1: http://ow.ly/unCT306N19f
Link 2: http://ow.ly/xW3h306N18f
Link 3: http://ow.ly/3wfc306N10K

Santa receives an email with links to three pictures, but every picture is the same.

He talks with some of his elves and one says, that there is some weird stuff happening when loading these pictures.

Can you identify it?

Link 1: http://ow.ly/unCT306N19f

Link 2: http://ow.ly/xW3h306N18f

Link 3: http://ow.ly/3wfc306N10K

Solution

We confirm that each link does indeed lead to the same destination URL. I can notice a redirection (301 permanent) occurring with each link thanks to a nifty HTTP logging plugin I have for Chrome called Live HTTP Headers. You could also use various online services to check the redirection(s) occurring for each of the 3 links. For example, you could use: redirectcheck.com

We see the following sequences of redirection for each link:

Link 1

http://ow.ly/unCT306N19f

http://bit.do/HV16-t8Kd

https://upload.wikimedia.org/wikipedia/commons/thumb/7/7c/Intocht_van_Sinterklaas_in_Schiedam_2009_%284102602499%29_%282%29.jpg/220px-Intocht_van_Sinterklaas_in_Schiedam_2009_%284102602499%29_%282%29.jpg

Link 2

http://ow.ly/xW3h306N18f

http://bit.do/38aY-QxL5

Link 3

http://ow.ly/3wfc306N10K

http://bit.do/bn4K-c6Lw

We notice the string HV16 in the bit.do link for Link 1 and that there is 4 characters, then a hyphen, and then another 4 characters in the short URL for each link. This gives me the idea that the text after each bit.do link can be combined to create the nugget. We join these strings together, adding a hyphen in between each of the 3 strings, to obtain our flag!

Flag: HV16-t8Kd-38aY-QxL5-bn4K-c6Lw

No Comments

Posted Mo BeigiPersianMG in Hackvent 2016

HACKvent 2016: Day 5

05 Dec 2016

CTF: Hackvent 2016
Link to challenge: http://hackvent.hacking-lab.com

Date Completed: 5 December 2016

Challenge

Santa found a paper with some strange logical stuff on it. On the back of it there is the hint: "use 32 bit".
He has no clue what this means - can you show him, what "???" should be?

Santa found a paper with some strange logical stuff on it. On the back of it there is the hint: "use 32 bit".

He has no clue what this means - can you show him, what "???" should be?

everybitisimportant

Solution

This seems like a series of boolean logical operators. As the hint tell use to use 32 bits, we will solve this problem with a quick C++ program so we can guarantee the data type used is 32 bits. Furthermore, we will try both signed and unsigned variants, it turns out that we need to use signed integers for this problem.

We come up with C++ code (splitting up the operations into 3 steps):

#include <iostream>
int main(int argc, char **argv)
{
int32_t answer;
answer = (4 | 7) ^ (1337 & 424242);
answer = ~answer;
answer |= 0xB055;
std::cout << answer;
return 0;
}

#include <iostream>

int main(int argc, char **argv)

{

int32_t answer;

answer = (4 | 7) ^ (1337 & 424242);

answer = ~answer;

answer |= 0xB055;

std::cout << answer;

return 0;

}

We run the program and the the printed result is:

-291

-291

I enter this into the ball-o-matic and get the daily QR code and daily flag!

Day 5 Solution Ball

Flag: HV16-2wGq-wOX3-T2oe-n8si-hZ0A

No Comments

Posted Mo BeigiPersianMG in Hackvent 2016

HACKvent 2015: Day 15

15 Dec 2015

CTF: Hackvent 2015
Link to challenge: http://hackvent.hacking-lab.com

Date Completed: 15 December 2015

Challenge

We've captured a strange message. It looks like it is encrypted somehow ...
iw, hu, fv, lu, dv, cy, og, lc, gy, fq, od, lo, fq, is, ig, gu, hs, hi, ds, cy, oo, os, iu, fs, gu, lh, dq, lv, gu, iw, hv, gu, di, hs, cy, oc, iw, gc
We've also intercepted what seems to be a hint to the key:
bytwycju + yzvyjjdy ^ vugljtyn + ugdztnwv | xbfziozy = bzuwtwol
^         ^          ^          ^          ^
wwnnnqbw - uclfqvdu & oncycbxh | oqcnwbsd ^ cgyoyfjg = vyhyjivb
&         &          &          &          &
yzdgotby | oigsjgoj | ttligxut - dhcqxtfw & szblgodf = sfgsoxdd
+         +          +          +          +
yjjowdqh & niiqztgs + ctvtwysu & diffhlnl - thhwohwn = xsvuojtx
-         -           -         -          -
nttuhlnq ^ oqbctlzh - nshtztns ^ htwizvwi + udluvhcz = syhjizjq
=         =           =         =          =         
fjivucti   zoljwdfl   sugvqgww   uxztiywn   jqxizzxq
Note:
assume q != 0
a letter is a decimal digit is a letter
each digit has exactly two different letter representations
C-like operator precedence

We've captured a strange message. It looks like it is encrypted somehow ...

iw, hu, fv, lu, dv, cy, og, lc, gy, fq, od, lo, fq, is, ig, gu, hs, hi, ds, cy, oo, os, iu, fs, gu, lh, dq, lv, gu, iw, hv, gu, di, hs, cy, oc, iw, gc

We've also intercepted what seems to be a hint to the key:

bytwycju + yzvyjjdy ^ vugljtyn + ugdztnwv | xbfziozy = bzuwtwol

^ ^ ^ ^ ^

wwnnnqbw - uclfqvdu & oncycbxh | oqcnwbsd ^ cgyoyfjg = vyhyjivb

& & & & &

yzdgotby | oigsjgoj | ttligxut - dhcqxtfw & szblgodf = sfgsoxdd

+ + + + +

yjjowdqh & niiqztgs + ctvtwysu & diffhlnl - thhwohwn = xsvuojtx

- - - - -

nttuhlnq ^ oqbctlzh - nshtztns ^ htwizvwi + udluvhcz = syhjizjq

= = = = =

fjivucti zoljwdfl sugvqgww uxztiywn jqxizzxq

Note:

assume q != 0

a letter is a decimal digit is a letter

each digit has exactly two different letter representations

C-like operator precedence

Solution

Straight away this looks like a logic solver problem. I intend to use Z3 theorem solver (link) as I am most familiar with it out of all the available solvers out there.

First step is to understand the problem. Each letter corresponds to a single digit 0-9. The q digit cannot be 0. Each digit is represented by exactly 2 letters. In the grid of equations, a series of letters like bytwycju means 8 digits. Ie if b was 2 and y was 8, it would be a number starting with 28XXXXXX. The operations used in the equations are & ^ | + - ==. C-like operator precedence is also used but this will match up nicely with python operator precedence.

Looking at the secret message, is it 38 pairs of letters. If each letter is a single digit then each pair must correspond to a ASCII capital letters/numbers/spaces…etc. So I am going to assume the secret message is a 38 character length string.

Every letter from the alphabet is present in the challenge description and equations except for: aekmpr
This works out nicely as excluding those 6 letters leaves 20 letters total which leaves exactly 2 letters per digit, perfect!

So I start writing a new python script and add in all the rules I need. I use a BitVec of 32 bits because some operations become large. I could use a BitVec of 4 bits but then certain bitwise operations would overflow which is not what I want.

For each equation I need to generate a list of long constraints to add to the Z3 solver object. To do this I use a short python script written by OS-Freeze from Germany (thanks!) which was slightly modified by myself:

#!/usr/bin/python
# By OS-Freeze, slightly modified by PersianMG
row = "yjjowdqh & niiqztgs + ctvtwysu & diffhlnl - thhwohwn = xsvuojtx"
symbol = []
for i in row.split():
if len(i) == 8:
count = 7
dat = list(''.join(i))
result = "("
for i in dat:
result = result + "ZV['"+i+"'] * pow(10,"+str(count)+")"
if count != 0:
result += " + "
count -= 1
result += ")"
print result
elif len(i) == 1:
if i == '=':
print '=='
else:
print i

#!/usr/bin/python

# By OS-Freeze, slightly modified by PersianMG

row = "yjjowdqh & niiqztgs + ctvtwysu & diffhlnl - thhwohwn = xsvuojtx"

symbol = []

for i in row.split():

if len(i) == 8:

count = 7

dat = list(''.join(i))

result = "("

for i in dat:

result = result + "ZV['"+i+"'] * pow(10,"+str(count)+")"

if count != 0:

result += " + "

count -= 1

result += ")"

print result

elif len(i) == 1:

if i == '=':

print '=='

else:

print i

The above script would produce:

(ZV['y'] * pow(10,7) + ZV['j'] * pow(10,6) + ZV['j'] * pow(10,5) + ZV['o'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['d'] * pow(10,2) + ZV['q'] * pow(10,1) + ZV['h'] * pow(10,0))
&
(ZV['n'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['i'] * pow(10,5) + ZV['q'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['g'] * pow(10,1) + ZV['s'] * pow(10,0))
+
(ZV['c'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['v'] * pow(10,5) + ZV['t'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['y'] * pow(10,2) + ZV['s'] * pow(10,1) + ZV['u'] * pow(10,0))
&
(ZV['d'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['f'] * pow(10,5) + ZV['f'] * pow(10,4) + ZV['h'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['l'] * pow(10,0))
-
(ZV['t'] * pow(10,7) + ZV['h'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['w'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['h'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['n'] * pow(10,0))
==
(ZV['x'] * pow(10,7) + ZV['s'] * pow(10,6) + ZV['v'] * pow(10,5) + ZV['u'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['j'] * pow(10,2) + ZV['t'] * pow(10,1) + ZV['x'] * pow(10,0))

(ZV['y'] * pow(10,7) + ZV['j'] * pow(10,6) + ZV['j'] * pow(10,5) + ZV['o'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['d'] * pow(10,2) + ZV['q'] * pow(10,1) + ZV['h'] * pow(10,0))

(ZV['n'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['i'] * pow(10,5) + ZV['q'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['g'] * pow(10,1) + ZV['s'] * pow(10,0))

(ZV['c'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['v'] * pow(10,5) + ZV['t'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['y'] * pow(10,2) + ZV['s'] * pow(10,1) + ZV['u'] * pow(10,0))

(ZV['d'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['f'] * pow(10,5) + ZV['f'] * pow(10,4) + ZV['h'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['l'] * pow(10,0))

(ZV['t'] * pow(10,7) + ZV['h'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['w'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['h'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['n'] * pow(10,0))

(ZV['x'] * pow(10,7) + ZV['s'] * pow(10,6) + ZV['v'] * pow(10,5) + ZV['u'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['j'] * pow(10,2) + ZV['t'] * pow(10,1) + ZV['x'] * pow(10,0))

I simply change the equation for each equation in the challenge description until I have all of the constraints I need.

Now I can construct my actual solver script:

#!/usr/bin/python
from z3 import *
ZV = {}
# Make solver
s = Solver()
# Everything but aekmpr is in the alphabet
for l in 'bcdfghijlnoqstuvwxyz':
ZV[l] = BitVec(l, 32)
# Limit to a single digit
for l in 'bcdfghijlnoqstuvwxyz':
s.add(ZV[l] >= 0)
s.add(ZV[l] <= 9)
# assume q != 0 (removed trivial 0 case)
s.add(ZV['q'] != 0)
# Row 1 (bytwycju + yzvyjjdy ^ vugljtyn + ugdztnwv | xbfziozy = bzuwtwol)
s.add(
(ZV['b'] * pow(10,7) + ZV['y'] * pow(10,6) + ZV['t'] * pow(10,5) + ZV['w'] * pow(10,4) + ZV['y'] * pow(10,3) + ZV['c'] * pow(10,2) + ZV['j'] * pow(10,1) + ZV['u'] * pow(10,0))
+
(ZV['y'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['v'] * pow(10,5) + ZV['y'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['j'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['y'] * pow(10,0))
^
(ZV['v'] * pow(10,7) + ZV['u'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['l'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['y'] * pow(10,1) + ZV['n'] * pow(10,0))
+
(ZV['u'] * pow(10,7) + ZV['g'] * pow(10,6) + ZV['d'] * pow(10,5) + ZV['z'] * pow(10,4) + ZV['t'] * pow(10,3) + ZV['n'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['v'] * pow(10,0))
|
(ZV['x'] * pow(10,7) + ZV['b'] * pow(10,6) + ZV['f'] * pow(10,5) + ZV['z'] * pow(10,4) + ZV['i'] * pow(10,3) + ZV['o'] * pow(10,2) + ZV['z'] * pow(10,1) + ZV['y'] * pow(10,0))
==
(ZV['b'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['u'] * pow(10,5) + ZV['w'] * pow(10,4) + ZV['t'] * pow(10,3) + ZV['w'] * pow(10,2) + ZV['o'] * pow(10,1) + ZV['l'] * pow(10,0))
)
# Row 2 (wwnnnqbw - uclfqvdu & oncycbxh | oqcnwbsd ^ cgyoyfjg = vyhyjivb)
s.add(
(ZV['w'] * pow(10,7) + ZV['w'] * pow(10,6) + ZV['n'] * pow(10,5) + ZV['n'] * pow(10,4) + ZV['n'] * pow(10,3) + ZV['q'] * pow(10,2) + ZV['b'] * pow(10,1) + ZV['w'] * pow(10,0))
-
(ZV['u'] * pow(10,7) + ZV['c'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['f'] * pow(10,4) + ZV['q'] * pow(10,3) + ZV['v'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['u'] * pow(10,0))
&
(ZV['o'] * pow(10,7) + ZV['n'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['y'] * pow(10,4) + ZV['c'] * pow(10,3) + ZV['b'] * pow(10,2) + ZV['x'] * pow(10,1) + ZV['h'] * pow(10,0))
|
(ZV['o'] * pow(10,7) + ZV['q'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['n'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['b'] * pow(10,2) + ZV['s'] * pow(10,1) + ZV['d'] * pow(10,0))
^
(ZV['c'] * pow(10,7) + ZV['g'] * pow(10,6) + ZV['y'] * pow(10,5) + ZV['o'] * pow(10,4) + ZV['y'] * pow(10,3) + ZV['f'] * pow(10,2) + ZV['j'] * pow(10,1) + ZV['g'] * pow(10,0))
==
(ZV['v'] * pow(10,7) + ZV['y'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['y'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['i'] * pow(10,2) + ZV['v'] * pow(10,1) + ZV['b'] * pow(10,0))
)
# Row 3 (yzdgotby | oigsjgoj | ttligxut - dhcqxtfw & szblgodf = sfgsoxdd)
s.add(
(ZV['y'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['d'] * pow(10,5) + ZV['g'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['b'] * pow(10,1) + ZV['y'] * pow(10,0))
|
(ZV['o'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['s'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['g'] * pow(10,2) + ZV['o'] * pow(10,1) + ZV['j'] * pow(10,0))
|
(ZV['t'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['i'] * pow(10,4) + ZV['g'] * pow(10,3) + ZV['x'] * pow(10,2) + ZV['u'] * pow(10,1) + ZV['t'] * pow(10,0))
-
(ZV['d'] * pow(10,7) + ZV['h'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['q'] * pow(10,4) + ZV['x'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['f'] * pow(10,1) + ZV['w'] * pow(10,0))
&
(ZV['s'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['b'] * pow(10,5) + ZV['l'] * pow(10,4) + ZV['g'] * pow(10,3) + ZV['o'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['f'] * pow(10,0))
==
(ZV['s'] * pow(10,7) + ZV['f'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['s'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['x'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['d'] * pow(10,0))
)
# Row 4 (nttuhlnq ^ oqbctlzh - nshtztns ^ htwizvwi + udluvhcz = syhjizjq)
s.add(
(ZV['n'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['t'] * pow(10,5) + ZV['u'] * pow(10,4) + ZV['h'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['q'] * pow(10,0))
^
(ZV['o'] * pow(10,7) + ZV['q'] * pow(10,6) + ZV['b'] * pow(10,5) + ZV['c'] * pow(10,4) + ZV['t'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['z'] * pow(10,1) + ZV['h'] * pow(10,0))
-
(ZV['n'] * pow(10,7) + ZV['s'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['t'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['s'] * pow(10,0))
^
(ZV['h'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['w'] * pow(10,5) + ZV['i'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['v'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['i'] * pow(10,0))
+
(ZV['u'] * pow(10,7) + ZV['d'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['u'] * pow(10,4) + ZV['v'] * pow(10,3) + ZV['h'] * pow(10,2) + ZV['c'] * pow(10,1) + ZV['z'] * pow(10,0))
==
(ZV['s'] * pow(10,7) + ZV['y'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['j'] * pow(10,4) + ZV['i'] * pow(10,3) + ZV['z'] * pow(10,2) + ZV['j'] * pow(10,1) + ZV['q'] * pow(10,0))
)
# Column 1 (bytwycju ^ wwnnnqbw & yzdgotby + yjjowdqh  - nttuhlnq = fjivucti)
s.add(
(ZV['b'] * pow(10,7) + ZV['y'] * pow(10,6) + ZV['t'] * pow(10,5) + ZV['w'] * pow(10,4) + ZV['y'] * pow(10,3) + ZV['c'] * pow(10,2) + ZV['j'] * pow(10,1) + ZV['u'] * pow(10,0))
^
(ZV['w'] * pow(10,7) + ZV['w'] * pow(10,6) + ZV['n'] * pow(10,5) + ZV['n'] * pow(10,4) + ZV['n'] * pow(10,3) + ZV['q'] * pow(10,2) + ZV['b'] * pow(10,1) + ZV['w'] * pow(10,0))
&
(ZV['y'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['d'] * pow(10,5) + ZV['g'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['b'] * pow(10,1) + ZV['y'] * pow(10,0))
+
(ZV['y'] * pow(10,7) + ZV['j'] * pow(10,6) + ZV['j'] * pow(10,5) + ZV['o'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['d'] * pow(10,2) + ZV['q'] * pow(10,1) + ZV['h'] * pow(10,0))
-
(ZV['n'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['t'] * pow(10,5) + ZV['u'] * pow(10,4) + ZV['h'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['q'] * pow(10,0))
==
(ZV['f'] * pow(10,7) + ZV['j'] * pow(10,6) + ZV['i'] * pow(10,5) + ZV['v'] * pow(10,4) + ZV['u'] * pow(10,3) + ZV['c'] * pow(10,2) + ZV['t'] * pow(10,1) + ZV['i'] * pow(10,0))
)
# Column 2 (yzvyjjdy ^ uclfqvdu & oigsjgoj + niiqztgs - oqbctlzh = zoljwdfl)
s.add(
(ZV['y'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['v'] * pow(10,5) + ZV['y'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['j'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['y'] * pow(10,0))
^
(ZV['u'] * pow(10,7) + ZV['c'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['f'] * pow(10,4) + ZV['q'] * pow(10,3) + ZV['v'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['u'] * pow(10,0))
&
(ZV['o'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['s'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['g'] * pow(10,2) + ZV['o'] * pow(10,1) + ZV['j'] * pow(10,0))
+
(ZV['n'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['i'] * pow(10,5) + ZV['q'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['g'] * pow(10,1) + ZV['s'] * pow(10,0))
-
(ZV['o'] * pow(10,7) + ZV['q'] * pow(10,6) + ZV['b'] * pow(10,5) + ZV['c'] * pow(10,4) + ZV['t'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['z'] * pow(10,1) + ZV['h'] * pow(10,0))
==
(ZV['z'] * pow(10,7) + ZV['o'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['j'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['d'] * pow(10,2) + ZV['f'] * pow(10,1) + ZV['l'] * pow(10,0))
)
# Column 3 (vugljtyn ^ oncycbxh & ttligxut + ctvtwysu - nshtztns = sugvqgww)
s.add(
(ZV['v'] * pow(10,7) + ZV['u'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['l'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['y'] * pow(10,1) + ZV['n'] * pow(10,0))
^
(ZV['o'] * pow(10,7) + ZV['n'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['y'] * pow(10,4) + ZV['c'] * pow(10,3) + ZV['b'] * pow(10,2) + ZV['x'] * pow(10,1) + ZV['h'] * pow(10,0))
&
(ZV['t'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['i'] * pow(10,4) + ZV['g'] * pow(10,3) + ZV['x'] * pow(10,2) + ZV['u'] * pow(10,1) + ZV['t'] * pow(10,0))
+
(ZV['c'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['v'] * pow(10,5) + ZV['t'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['y'] * pow(10,2) + ZV['s'] * pow(10,1) + ZV['u'] * pow(10,0))
-
(ZV['n'] * pow(10,7) + ZV['s'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['t'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['s'] * pow(10,0))
==
(ZV['s'] * pow(10,7) + ZV['u'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['v'] * pow(10,4) + ZV['q'] * pow(10,3) + ZV['g'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['w'] * pow(10,0))
)
# Column 4 (ugdztnwv ^ oqcnwbsd & dhcqxtfw + diffhlnl - htwizvwi = uxztiywn)
s.add(
(ZV['u'] * pow(10,7) + ZV['g'] * pow(10,6) + ZV['d'] * pow(10,5) + ZV['z'] * pow(10,4) + ZV['t'] * pow(10,3) + ZV['n'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['v'] * pow(10,0))
^
(ZV['o'] * pow(10,7) + ZV['q'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['n'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['b'] * pow(10,2) + ZV['s'] * pow(10,1) + ZV['d'] * pow(10,0))
&
(ZV['d'] * pow(10,7) + ZV['h'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['q'] * pow(10,4) + ZV['x'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['f'] * pow(10,1) + ZV['w'] * pow(10,0))
+
(ZV['d'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['f'] * pow(10,5) + ZV['f'] * pow(10,4) + ZV['h'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['l'] * pow(10,0))
-
(ZV['h'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['w'] * pow(10,5) + ZV['i'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['v'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['i'] * pow(10,0))
==
(ZV['u'] * pow(10,7) + ZV['x'] * pow(10,6) + ZV['z'] * pow(10,5) + ZV['t'] * pow(10,4) + ZV['i'] * pow(10,3) + ZV['y'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['n'] * pow(10,0))
)
# Column 5 (xbfziozy ^ cgyoyfjg & szblgodf + thhwohwn - udluvhcz  = jqxizzxq)
s.add(
(ZV['x'] * pow(10,7) + ZV['b'] * pow(10,6) + ZV['f'] * pow(10,5) + ZV['z'] * pow(10,4) + ZV['i'] * pow(10,3) + ZV['o'] * pow(10,2) + ZV['z'] * pow(10,1) + ZV['y'] * pow(10,0))
^
(ZV['c'] * pow(10,7) + ZV['g'] * pow(10,6) + ZV['y'] * pow(10,5) + ZV['o'] * pow(10,4) + ZV['y'] * pow(10,3) + ZV['f'] * pow(10,2) + ZV['j'] * pow(10,1) + ZV['g'] * pow(10,0))
&
(ZV['s'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['b'] * pow(10,5) + ZV['l'] * pow(10,4) + ZV['g'] * pow(10,3) + ZV['o'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['f'] * pow(10,0))
+
(ZV['t'] * pow(10,7) + ZV['h'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['w'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['h'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['n'] * pow(10,0))
-
(ZV['u'] * pow(10,7) + ZV['d'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['u'] * pow(10,4) + ZV['v'] * pow(10,3) + ZV['h'] * pow(10,2) + ZV['c'] * pow(10,1) + ZV['z'] * pow(10,0))
==
(ZV['j'] * pow(10,7) + ZV['q'] * pow(10,6) + ZV['x'] * pow(10,5) + ZV['i'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['z'] * pow(10,2) + ZV['x'] * pow(10,1) + ZV['q'] * pow(10,0))
)
# Print answers
print(s.check())
print(s.model())

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

#!/usr/bin/python

from z3 import *

ZV = {}

# Make solver

s = Solver()

# Everything but aekmpr is in the alphabet

for l in 'bcdfghijlnoqstuvwxyz':

ZV[l] = BitVec(l, 32)

# Limit to a single digit

for l in 'bcdfghijlnoqstuvwxyz':

s.add(ZV[l] >= 0)

s.add(ZV[l] <= 9)

# assume q != 0 (removed trivial 0 case)

s.add(ZV['q'] != 0)

# Row 1 (bytwycju + yzvyjjdy ^ vugljtyn + ugdztnwv | xbfziozy = bzuwtwol)

s.add(

(ZV['b'] * pow(10,7) + ZV['y'] * pow(10,6) + ZV['t'] * pow(10,5) + ZV['w'] * pow(10,4) + ZV['y'] * pow(10,3) + ZV['c'] * pow(10,2) + ZV['j'] * pow(10,1) + ZV['u'] * pow(10,0))

(ZV['y'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['v'] * pow(10,5) + ZV['y'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['j'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['y'] * pow(10,0))

(ZV['v'] * pow(10,7) + ZV['u'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['l'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['y'] * pow(10,1) + ZV['n'] * pow(10,0))

(ZV['u'] * pow(10,7) + ZV['g'] * pow(10,6) + ZV['d'] * pow(10,5) + ZV['z'] * pow(10,4) + ZV['t'] * pow(10,3) + ZV['n'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['v'] * pow(10,0))

(ZV['x'] * pow(10,7) + ZV['b'] * pow(10,6) + ZV['f'] * pow(10,5) + ZV['z'] * pow(10,4) + ZV['i'] * pow(10,3) + ZV['o'] * pow(10,2) + ZV['z'] * pow(10,1) + ZV['y'] * pow(10,0))

(ZV['b'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['u'] * pow(10,5) + ZV['w'] * pow(10,4) + ZV['t'] * pow(10,3) + ZV['w'] * pow(10,2) + ZV['o'] * pow(10,1) + ZV['l'] * pow(10,0))

)

# Row 2 (wwnnnqbw - uclfqvdu & oncycbxh | oqcnwbsd ^ cgyoyfjg = vyhyjivb)

s.add(

(ZV['w'] * pow(10,7) + ZV['w'] * pow(10,6) + ZV['n'] * pow(10,5) + ZV['n'] * pow(10,4) + ZV['n'] * pow(10,3) + ZV['q'] * pow(10,2) + ZV['b'] * pow(10,1) + ZV['w'] * pow(10,0))

(ZV['u'] * pow(10,7) + ZV['c'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['f'] * pow(10,4) + ZV['q'] * pow(10,3) + ZV['v'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['u'] * pow(10,0))

(ZV['o'] * pow(10,7) + ZV['n'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['y'] * pow(10,4) + ZV['c'] * pow(10,3) + ZV['b'] * pow(10,2) + ZV['x'] * pow(10,1) + ZV['h'] * pow(10,0))

(ZV['o'] * pow(10,7) + ZV['q'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['n'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['b'] * pow(10,2) + ZV['s'] * pow(10,1) + ZV['d'] * pow(10,0))

(ZV['c'] * pow(10,7) + ZV['g'] * pow(10,6) + ZV['y'] * pow(10,5) + ZV['o'] * pow(10,4) + ZV['y'] * pow(10,3) + ZV['f'] * pow(10,2) + ZV['j'] * pow(10,1) + ZV['g'] * pow(10,0))

(ZV['v'] * pow(10,7) + ZV['y'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['y'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['i'] * pow(10,2) + ZV['v'] * pow(10,1) + ZV['b'] * pow(10,0))

)

# Row 3 (yzdgotby | oigsjgoj | ttligxut - dhcqxtfw & szblgodf = sfgsoxdd)

s.add(

(ZV['y'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['d'] * pow(10,5) + ZV['g'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['b'] * pow(10,1) + ZV['y'] * pow(10,0))

(ZV['o'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['s'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['g'] * pow(10,2) + ZV['o'] * pow(10,1) + ZV['j'] * pow(10,0))

(ZV['t'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['i'] * pow(10,4) + ZV['g'] * pow(10,3) + ZV['x'] * pow(10,2) + ZV['u'] * pow(10,1) + ZV['t'] * pow(10,0))

(ZV['d'] * pow(10,7) + ZV['h'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['q'] * pow(10,4) + ZV['x'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['f'] * pow(10,1) + ZV['w'] * pow(10,0))

(ZV['s'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['b'] * pow(10,5) + ZV['l'] * pow(10,4) + ZV['g'] * pow(10,3) + ZV['o'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['f'] * pow(10,0))

(ZV['s'] * pow(10,7) + ZV['f'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['s'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['x'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['d'] * pow(10,0))

)

# Row 4 (nttuhlnq ^ oqbctlzh - nshtztns ^ htwizvwi + udluvhcz = syhjizjq)

s.add(

(ZV['n'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['t'] * pow(10,5) + ZV['u'] * pow(10,4) + ZV['h'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['q'] * pow(10,0))

(ZV['o'] * pow(10,7) + ZV['q'] * pow(10,6) + ZV['b'] * pow(10,5) + ZV['c'] * pow(10,4) + ZV['t'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['z'] * pow(10,1) + ZV['h'] * pow(10,0))

(ZV['n'] * pow(10,7) + ZV['s'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['t'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['s'] * pow(10,0))

(ZV['h'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['w'] * pow(10,5) + ZV['i'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['v'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['i'] * pow(10,0))

(ZV['u'] * pow(10,7) + ZV['d'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['u'] * pow(10,4) + ZV['v'] * pow(10,3) + ZV['h'] * pow(10,2) + ZV['c'] * pow(10,1) + ZV['z'] * pow(10,0))

(ZV['s'] * pow(10,7) + ZV['y'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['j'] * pow(10,4) + ZV['i'] * pow(10,3) + ZV['z'] * pow(10,2) + ZV['j'] * pow(10,1) + ZV['q'] * pow(10,0))

)

# Column 1 (bytwycju ^ wwnnnqbw & yzdgotby + yjjowdqh - nttuhlnq = fjivucti)

s.add(

(ZV['b'] * pow(10,7) + ZV['y'] * pow(10,6) + ZV['t'] * pow(10,5) + ZV['w'] * pow(10,4) + ZV['y'] * pow(10,3) + ZV['c'] * pow(10,2) + ZV['j'] * pow(10,1) + ZV['u'] * pow(10,0))

(ZV['w'] * pow(10,7) + ZV['w'] * pow(10,6) + ZV['n'] * pow(10,5) + ZV['n'] * pow(10,4) + ZV['n'] * pow(10,3) + ZV['q'] * pow(10,2) + ZV['b'] * pow(10,1) + ZV['w'] * pow(10,0))

(ZV['y'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['d'] * pow(10,5) + ZV['g'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['b'] * pow(10,1) + ZV['y'] * pow(10,0))

(ZV['y'] * pow(10,7) + ZV['j'] * pow(10,6) + ZV['j'] * pow(10,5) + ZV['o'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['d'] * pow(10,2) + ZV['q'] * pow(10,1) + ZV['h'] * pow(10,0))

(ZV['n'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['t'] * pow(10,5) + ZV['u'] * pow(10,4) + ZV['h'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['q'] * pow(10,0))

(ZV['f'] * pow(10,7) + ZV['j'] * pow(10,6) + ZV['i'] * pow(10,5) + ZV['v'] * pow(10,4) + ZV['u'] * pow(10,3) + ZV['c'] * pow(10,2) + ZV['t'] * pow(10,1) + ZV['i'] * pow(10,0))

)

# Column 2 (yzvyjjdy ^ uclfqvdu & oigsjgoj + niiqztgs - oqbctlzh = zoljwdfl)

s.add(

(ZV['y'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['v'] * pow(10,5) + ZV['y'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['j'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['y'] * pow(10,0))

(ZV['u'] * pow(10,7) + ZV['c'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['f'] * pow(10,4) + ZV['q'] * pow(10,3) + ZV['v'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['u'] * pow(10,0))

(ZV['o'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['s'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['g'] * pow(10,2) + ZV['o'] * pow(10,1) + ZV['j'] * pow(10,0))

(ZV['n'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['i'] * pow(10,5) + ZV['q'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['g'] * pow(10,1) + ZV['s'] * pow(10,0))

(ZV['o'] * pow(10,7) + ZV['q'] * pow(10,6) + ZV['b'] * pow(10,5) + ZV['c'] * pow(10,4) + ZV['t'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['z'] * pow(10,1) + ZV['h'] * pow(10,0))

(ZV['z'] * pow(10,7) + ZV['o'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['j'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['d'] * pow(10,2) + ZV['f'] * pow(10,1) + ZV['l'] * pow(10,0))

)

# Column 3 (vugljtyn ^ oncycbxh & ttligxut + ctvtwysu - nshtztns = sugvqgww)

s.add(

(ZV['v'] * pow(10,7) + ZV['u'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['l'] * pow(10,4) + ZV['j'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['y'] * pow(10,1) + ZV['n'] * pow(10,0))

(ZV['o'] * pow(10,7) + ZV['n'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['y'] * pow(10,4) + ZV['c'] * pow(10,3) + ZV['b'] * pow(10,2) + ZV['x'] * pow(10,1) + ZV['h'] * pow(10,0))

(ZV['t'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['i'] * pow(10,4) + ZV['g'] * pow(10,3) + ZV['x'] * pow(10,2) + ZV['u'] * pow(10,1) + ZV['t'] * pow(10,0))

(ZV['c'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['v'] * pow(10,5) + ZV['t'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['y'] * pow(10,2) + ZV['s'] * pow(10,1) + ZV['u'] * pow(10,0))

(ZV['n'] * pow(10,7) + ZV['s'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['t'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['s'] * pow(10,0))

(ZV['s'] * pow(10,7) + ZV['u'] * pow(10,6) + ZV['g'] * pow(10,5) + ZV['v'] * pow(10,4) + ZV['q'] * pow(10,3) + ZV['g'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['w'] * pow(10,0))

)

# Column 4 (ugdztnwv ^ oqcnwbsd & dhcqxtfw + diffhlnl - htwizvwi = uxztiywn)

s.add(

(ZV['u'] * pow(10,7) + ZV['g'] * pow(10,6) + ZV['d'] * pow(10,5) + ZV['z'] * pow(10,4) + ZV['t'] * pow(10,3) + ZV['n'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['v'] * pow(10,0))

(ZV['o'] * pow(10,7) + ZV['q'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['n'] * pow(10,4) + ZV['w'] * pow(10,3) + ZV['b'] * pow(10,2) + ZV['s'] * pow(10,1) + ZV['d'] * pow(10,0))

(ZV['d'] * pow(10,7) + ZV['h'] * pow(10,6) + ZV['c'] * pow(10,5) + ZV['q'] * pow(10,4) + ZV['x'] * pow(10,3) + ZV['t'] * pow(10,2) + ZV['f'] * pow(10,1) + ZV['w'] * pow(10,0))

(ZV['d'] * pow(10,7) + ZV['i'] * pow(10,6) + ZV['f'] * pow(10,5) + ZV['f'] * pow(10,4) + ZV['h'] * pow(10,3) + ZV['l'] * pow(10,2) + ZV['n'] * pow(10,1) + ZV['l'] * pow(10,0))

(ZV['h'] * pow(10,7) + ZV['t'] * pow(10,6) + ZV['w'] * pow(10,5) + ZV['i'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['v'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['i'] * pow(10,0))

(ZV['u'] * pow(10,7) + ZV['x'] * pow(10,6) + ZV['z'] * pow(10,5) + ZV['t'] * pow(10,4) + ZV['i'] * pow(10,3) + ZV['y'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['n'] * pow(10,0))

)

# Column 5 (xbfziozy ^ cgyoyfjg & szblgodf + thhwohwn - udluvhcz = jqxizzxq)

s.add(

(ZV['x'] * pow(10,7) + ZV['b'] * pow(10,6) + ZV['f'] * pow(10,5) + ZV['z'] * pow(10,4) + ZV['i'] * pow(10,3) + ZV['o'] * pow(10,2) + ZV['z'] * pow(10,1) + ZV['y'] * pow(10,0))

(ZV['c'] * pow(10,7) + ZV['g'] * pow(10,6) + ZV['y'] * pow(10,5) + ZV['o'] * pow(10,4) + ZV['y'] * pow(10,3) + ZV['f'] * pow(10,2) + ZV['j'] * pow(10,1) + ZV['g'] * pow(10,0))

(ZV['s'] * pow(10,7) + ZV['z'] * pow(10,6) + ZV['b'] * pow(10,5) + ZV['l'] * pow(10,4) + ZV['g'] * pow(10,3) + ZV['o'] * pow(10,2) + ZV['d'] * pow(10,1) + ZV['f'] * pow(10,0))

(ZV['t'] * pow(10,7) + ZV['h'] * pow(10,6) + ZV['h'] * pow(10,5) + ZV['w'] * pow(10,4) + ZV['o'] * pow(10,3) + ZV['h'] * pow(10,2) + ZV['w'] * pow(10,1) + ZV['n'] * pow(10,0))

(ZV['u'] * pow(10,7) + ZV['d'] * pow(10,6) + ZV['l'] * pow(10,5) + ZV['u'] * pow(10,4) + ZV['v'] * pow(10,3) + ZV['h'] * pow(10,2) + ZV['c'] * pow(10,1) + ZV['z'] * pow(10,0))

(ZV['j'] * pow(10,7) + ZV['q'] * pow(10,6) + ZV['x'] * pow(10,5) + ZV['i'] * pow(10,4) + ZV['z'] * pow(10,3) + ZV['z'] * pow(10,2) + ZV['x'] * pow(10,1) + ZV['q'] * pow(10,0))

)

# Print answers

print(s.check())

print(s.model())

This is really a simple script. I use a dictionary called ZV to keep track of all my letters. I add in every letter as 32 bit BitVec’s. Next I add the constraint that ensures each letter is in [0,9]. I add the q != 0 contraint which eliminates the trivial all zero solution. Finally I add all the rules I generated above and run the script!

The following solution is found after 20 seconds or so:

[x = 1,  
z = 0,  
c = 3,  
v = 9,  
s = 9,  
q = 5,  
l = 8,  
g = 3,  
b = 5,  
f = 6,  
i = 8,  
o = 7,  
j = 0,  
u = 2,  
h = 7,  
w = 4,  
n = 1,  
d = 6,  
y = 2,  
t = 4]

[x = 1,

z = 0,

c = 3,

v = 9,

s = 9,

q = 5,

l = 8,

g = 3,

b = 5,

f = 6,

i = 8,

o = 7,

j = 0,

u = 2,

h = 7,

w = 4,

n = 1,

d = 6,

y = 2,

t = 4]

Nice!
I write a short script to decode the original message using the above solution (or key).
I end up with:

#!/usr/bin/python
import sys
# The secret message
# Each letter represents a digit which represents an ascii number
codes=['iw','hu','fv','lu','dv','cy','og','lc','gy','fq','od','lo','fq','is','ig','gu','hs','hi','ds','cy','oo','os','iu','fs','gu','lh','dq','lv','gu','iw','hv','gu','di','hs','cy','oc','iw','gc']
#Key
key={}
key['x']=1
key['z']=0
key['c']=3
key['v']=9
key['s']=9
key['q']=5
key['l']=8
key['g']=3
key['b']=5
key['f']=6
key['i']=8
key['o']=7
key['j']=0
key['u']=2
key['h']=7
key['w']=4
key['n']=1
key['d']=6
key['y']=2
key['t']=4
for code in codes:
ascii_num = int(key[code[0]])*10 + int(key[code[1]])
sys.stdout.write(chr(ascii_num))

#!/usr/bin/python

import sys

# The secret message

# Each letter represents a digit which represents an ascii number

codes=['iw','hu','fv','lu','dv','cy','og','lc','gy','fq','od','lo','fq','is','ig','gu','hs','hi','ds','cy','oo','os','iu','fs','gu','lh','dq','lv','gu','iw','hv','gu','di','hs','cy','oc','iw','gc']

#Key

key={}

key['x']=1

key['z']=0

key['c']=3

key['v']=9

key['s']=9

key['q']=5

key['l']=8

key['g']=3

key['b']=5

key['f']=6

key['i']=8

key['o']=7

key['j']=0

key['u']=2

key['h']=7

key['w']=4

key['n']=1

key['d']=6

key['y']=2

key['t']=4

for code in codes:

ascii_num = int(key[code[0]])*10 + int(key[code[1]])

sys.stdout.write(chr(ascii_num))

I run the script and the following message is printed:

THERE IS ALWAYS ONE MORE WAY TO DO IT!

I enter this into the ball-0-matic, get the daily QR code and the daily flag!

Day 15 Solution Ball

Flag: HV15-U3bA-BKhc-gNqN-Hit6-C1fK

No Comments

Posted Mo BeigiPersianMG in Hackvent 2015

Archive for the ‘Hacking Lab’ Category

Challenge

HV19.H1 Hidden One

Solution

Challenge

HV19.H1 Hidden One

Solution

Bonus

Challenge

HV19.05 Santa Parcel Tracking

Solution

Challenge

HV19.04 password policy circumvention

Solution

Challenge

HV19.03 Hodor, Hodor, Hodor

Solution

Challenge

HV19.02 Triangulation

Solution

Challenge

HV19.01 censored

Solution

Challenge

Solution

Challenge

Solution

Challenge

Solution

Pages

Recent Posts

Recent Comments

My Networks

Site Stats