Calc.exe is a .NET program (finally :D), which can evaluate (mostly) mathematical expressions.

At first no functions are enabled except some basic mathematical operations like addition, subtraction, etc.

But we can enable different functions by using digitally signed X509 certificates.

We also got an example cert “guestCert.crt” which enabled some basic math and trigonometric functions.

The program also adds a function called FLAG which returns the flag as string.

The problem is that we cannot load just any certificate, as there are a lot of checks first, so we had to find some vulnerability. The program uses a known crypto library called BouncyCastle, and the attached “BouncyCastle.Crypto.dll” is exactly the same as the one we can download from NuGet. As no known vulnerability exists for this library (or at least in the certificate verification part), we had to look for vulnerabilities in the program.

Although the certificate is loaded into the store while it is checked, no self-signed certificates are allowed and it is removed as soon as its verification fails.

But there is a bug in the code: although some checks like VerifyCertificate are in a try-catch block and return a boolean value, IsCalcExeCert can throw an exception while calling the SingleOrDefault method. To trigger the exception we have to put two values with the 2.5.4.1337 key into the SubjectName field.

Although our certificate is not deleted from the trusted CA store, it is not loaded into the program, so we cannot call the FLAG function yet. But we can sign a new client certificate with this now trusted cert as a CA (certificate authority). This way our new certificate will be accepted.

The attached C# code snippet (calcexe1.cs) will generate the fake CA and the fake certificate.

The flag was: ASIS{e5cb5e25f77c1da6626fb78a48a678f3}

Exploit code

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.ConstrainedExecution;
using System.Text;
using System.Threading.Tasks;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;

namespace CalcExeCertGenerator
{
    class Program
    {
        public class CertWithKey
        {
            public X509Certificate Cert { get; set; }
            public RsaPrivateCrtKeyParameters Key { get; set; }

            public CertWithKey(X509Certificate cert, RsaPrivateCrtKeyParameters key)
            {
                Cert = cert;
                Key = key;
            }
        }

        public static CertWithKey GenerateCertificate(string subjectName, CertWithKey issuer = null, int keyStrength = 1024, Action<X509V3CertificateGenerator> genAction = null)
        {
            var random = new SecureRandom(new CryptoApiRandomGenerator());
            var certificateGenerator = new X509V3CertificateGenerator();
            certificateGenerator.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random));
            certificateGenerator.SetSignatureAlgorithm("SHA1WithRSA");
            certificateGenerator.SetIssuerDN(issuer != null ? issuer.Cert.SubjectDN : new X509Name(subjectName));
            certificateGenerator.SetSubjectDN(new X509Name(subjectName));
            certificateGenerator.SetNotBefore(DateTime.UtcNow.Date);
            certificateGenerator.SetNotAfter(DateTime.UtcNow.Date.AddYears(2));
            certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
            certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature));
            certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeID.IdKPCodeSigning));
            if (genAction != null)
                genAction(certificateGenerator);

            // Subject Public Key
            var keyPairGenerator = new RsaKeyPairGenerator();
            keyPairGenerator.Init(new KeyGenerationParameters(random, keyStrength));
            var subjectKeyPair = keyPairGenerator.GenerateKeyPair();

            certificateGenerator.SetPublicKey(subjectKeyPair.Public);

            var certificate = certificateGenerator.Generate(issuer != null ? issuer.Key : subjectKeyPair.Private, random);
            return new CertWithKey(certificate, (RsaPrivateCrtKeyParameters)subjectKeyPair.Private);
        }

        static string ToPem(object obj)
        {
            var sw = new StringWriter();
            new PemWriter(sw).WriteObject(obj);
            return sw.ToString();
        }

        static void Main(string[] args)
        {
            X509Name.DefaultLookup.Add("prg", new DerObjectIdentifier("2.5.4.1337"));
            var fakeCa = GenerateCertificate("C=IR, L=Iran, [email protected], O=calc.exe, CN=calc.exe, 2.5.4.1337=calc.exe, 2.5.4.1337=calc.exe");
            var fakeUserCert = GenerateCertificate("C=IR, L=Iran, [email protected], O=guest, CN=guest, 2.5.4.1337=calc.exe", fakeCa,
                genAction: gen => gen.AddExtension("1.1.1337.7331", false, Encoding.Default.GetBytes("ABS,ACOS,ASIN,ATAN,ATAN2,CEILING,COS,COSH,EXP,FLOOR,FLAG,INT,LN,LOG,LOG10,PI,POWER,RAND,RANDBETWEEN,SIGN,SIN,SINH,SQRT,SUM,SUMIF,TAN,TANH,TRUNC,READ,WRITE")));
            File.WriteAllText("fakeCa.crt", ToPem(fakeCa.Cert));
            File.WriteAllText("fakeUserCert.crt", ToPem(fakeUserCert.Cert));
        }
    }
}
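
The control-flow bug described above, reduced to a small Python model next to a hardened variant. This is an added example, not code from calc.exe or from the original write-up: the `Cert` class, the set-based trust store, the order of the checks and the names `load_vulnerable`, `load_hardened` and `run` are assumptions made for illustration.

```python
from dataclasses import dataclass

PRG_OID = "2.5.4.1337"  # subject attribute the write-up says IsCalcExeCert reads


@dataclass(frozen=True)
class Cert:
    name: str     # subject common name (constructed sample value)
    issuer: str   # issuer common name
    attrs: tuple  # subject attributes as (oid, value) pairs


def single_or_default(values):
    """Behaves like LINQ SingleOrDefault: None if empty, raises on more than one."""
    values = list(values)
    if len(values) > 1:
        raise ValueError("sequence contains more than one element")
    return values[0] if values else None


def is_calc_exe_cert(cert):
    # Raises when the attribute appears twice, like the unguarded check.
    return single_or_default(v for oid, v in cert.attrs if oid == PRG_OID) == "calc.exe"


def verify(cert, store):
    # Boolean check: self-signed certificates are rejected, issuer must be trusted.
    return cert.issuer != cert.name and cert.issuer in store


def load_vulnerable(cert, store):
    store.add(cert.name)  # trusted while it is being checked
    if is_calc_exe_cert(cert) and verify(cert, store):
        return True
    store.discard(cert.name)  # never reached when the check above raises
    return False


def load_hardened(cert, store):
    store.add(cert.name)
    ok = False
    try:
        ok = is_calc_exe_cert(cert) and verify(cert, store)
    except ValueError:
        ok = False  # a malformed subject is a failed validation, not a crash
    finally:
        if not ok:
            store.discard(cert.name)  # cleanup runs on every failure path
    return ok


def run(loader):
    """Replay the two-step sequence from the write-up against one loader."""
    store = {"calc.exe root"}  # constructed: stands in for the real CA
    fake_ca = Cert("fake-ca", "fake-ca",
                   ((PRG_OID, "calc.exe"), (PRG_OID, "calc.exe")))
    client = Cert("guest", "fake-ca", ((PRG_OID, "calc.exe"),))
    try:
        loader(fake_ca, store)
    except ValueError:
        pass  # the caller only sees an error; the store may already be changed
    return loader(client, store), "fake-ca" in store


if __name__ == "__main__":
    print("vulnerable:", run(load_vulnerable))  # client accepted, fake CA still trusted
    print("hardened:  ", run(load_hardened))    # client rejected, store clean
```

Validating the certificate completely before it ever enters the trust store removes the need for the cleanup path altogether.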

We got an RSA public key (pub.key) encoded in PEM format and the encrypted flag (flag.enc).

These are the converted parameters:

e = 2385330119331689083455211591182934261439999376616463648565178544704114285540523381214630503109888606012730471130911882799269407391377516911847608047728411508873523338260985637241587680601172666919944195740711767256695758337633401530723721692604012809476068197687643054238649174648923555374972384090471828019
N = 2562256018798982275495595589518163432372017502243601864658538274705537914483947807120783733766118553254101235396521540936164219440561532997119915510314638089613615679231310858594698461124636943528101265406967445593951653796041336078776455339658353436309933716631455967769429086442266084993673779546522240901
c = 1624768965978244122218384915440259949773623052619109265384960524204099241405509334298217012073574245240140975823312659160847045035132501536939096089619077929998251251236783590255562951129897302725067655285503493676186062693350470482247124598766533755027440418713398509566189239815613916662987881029294277207

The public exponent is very large, so we can suspect that the private exponent is possibly too small.

I tried to attack it with Wiener’s attack (https://en.wikipedia.org/wiki/Wiener%27s_attack) using the following implementation, but it did not work: https://github.com/pablocelayes/rsa-wiener-attack

So I remembered other RSA attacks from previous CTFs and how many times this page helped me: https://github.com/mimoo/RSA-and-LLL-attacks

The last attack is the Boneh Durfee attack, which is, you know, BO-neh DU-rfee => BODU, just like the challenge’s name, so I instantly knew this would solve the challenge (also a lot of other teams had already solved it, so it should not be too hard a challenge either).

Running budo.sage will give us the private exponent (d):

d = 89508186630638564513494386415865407147609702392949250864642625401059935751367507

Then executing pow(c,d,N) in Python gives us the following plaintext:

7105857801457696083098669180371125182430908825274295869462261196993232333904846182088682459845909159924079587285438988882837378435398205428800773161869836747653246664819269651173622798039814934439562046448483899123585744167522783235535219103995347045452193429764349550389498609273176996913420550906739978

Converting this to ASCII (for example with my JavaScript-based conversion tools, hosted on https://kt.pe/tools.html) will give us the flag (it is padded with PKCS#1 v1.5 padding, but contrary to OAEP padding the flag is readable instantly):

ASIS{b472266d4dd916a23a7b0deb5bc5e63f}
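
The numbers above make it possible to check why Wiener's attack did not apply while Boneh-Durfee did, and to undo the padding programmatically. The following Python is an added example, not part of the original write-up: it uses the page's e, N, c and d, and the function names are chosen here for illustration. The two bounds are the commonly stated ones (d < N^(1/4)/3 for Wiener, d < N^0.292 for Boneh-Durfee), compared in exact integer arithmetic.

```python
# Values copied from the write-up.
e = 2385330119331689083455211591182934261439999376616463648565178544704114285540523381214630503109888606012730471130911882799269407391377516911847608047728411508873523338260985637241587680601172666919944195740711767256695758337633401530723721692604012809476068197687643054238649174648923555374972384090471828019
N = 2562256018798982275495595589518163432372017502243601864658538274705537914483947807120783733766118553254101235396521540936164219440561532997119915510314638089613615679231310858594698461124636943528101265406967445593951653796041336078776455339658353436309933716631455967769429086442266084993673779546522240901
c = 1624768965978244122218384915440259949773623052619109265384960524204099241405509334298217012073574245240140975823312659160847045035132501536939096089619077929998251251236783590255562951129897302725067655285503493676186062693350470482247124598766533755027440418713398509566189239815613916662987881029294277207
d = 89508186630638564513494386415865407147609702392949250864642625401059935751367507


def wiener_bound_holds(d, n):
    """d < n**(1/4) / 3, rewritten without roots as 81 * d**4 < n."""
    return 81 * d**4 < n


def boneh_durfee_bound_holds(d, n):
    """d < n**0.292, rewritten without floats as d**1000 < n**292."""
    return d**1000 < n**292


def pkcs1_v15_unpad(m, n):
    """Strip PKCS#1 v1.5 encryption padding: 00 02 <nonzero PS, >= 8 bytes> 00 <msg>."""
    k = (n.bit_length() + 7) // 8          # modulus length in bytes
    em = m.to_bytes(k, "big")
    if em[:2] != b"\x00\x02":
        raise ValueError("not a PKCS#1 v1.5 encryption block")
    sep = em.find(b"\x00", 2)              # first zero byte after the header
    if sep < 10:                           # also covers 'not found' (-1)
        raise ValueError("missing separator or padding string too short")
    return em[sep + 1:]


def recover_plaintext():
    m = pow(c, d, N)
    if pow(m, e, N) != c:                  # d really inverts e for this ciphertext
        raise ValueError("d does not match the public key")
    return pkcs1_v15_unpad(m, N)


if __name__ == "__main__":
    print("d bits:", d.bit_length(), "N bits:", N.bit_length())
    print("Wiener bound holds:      ", wiener_bound_holds(d, N))
    print("Boneh-Durfee bound holds:", boneh_durfee_bound_holds(d, N))
    print(recover_plaintext())
```

The same two comparisons can be run at key-generation time to reject a private exponent that falls inside either range.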

This challenge was solved by and the write up was written by one of my teammates, gym.

In this challenge we are provided with a pcap file. Loading it in Wireshark and after a quick glance at the exported objects we can see they were using 0bin pastebin (https://github.com/sametmax/0bin).

0bin encrypts the data client side and provides a decryption key. This key, if appended to the URL with a hash mark ‘#’, is used to decrypt the received data. Ideally this part of the URL should not be sent to the server, thus the server operators cannot know the content of the paste.

However in the pcap 0bin is used in conjunction with piwik, which sends the entire URL in the request, thus we have the key to decrypt the data.

GET /piwik.php?action_name=0bin%20-%20encrypted%20pastebin&idsite=1&rec=1&r=776276&h=11&m=27&s=12&url=http%3A%2F%2F0bin.asis.io%2Fpaste%2FTINcoc0f%23-krvZ7lGwZ4e2JQ8n%2B3dfsMBqyN6Xk6SUzY7i0JKbpo&urlref=http%3A%2F%2F0bin.asis.io%2F&_id=dd17974841486b63&_idts=1443081356&_idvc=1&_idn=0&_refts=0&_viewts=1443081356&send_image=0&pdf=1&qt=0&realp=0&wma=0&dir=0&fla=1&java=1&gears=0&ag=0&cookie=1&res=1440x900&gt_ms=108 HTTP/1.1

We can find three such key-id pairs in the pcap, the first one results in a fake flag, the second one has expired and the third one gives us an ASCII art of the real flag.

The last url: http://0bin.asis.io/paste/1ThAoKv4#Zz-nHPnr0vGGg3s/7/RWD2pnZPZl580x9Y2G3IUehfc

The ASCII art: (image)

And the flag is

ASIS{e29a3ef6f1d71d04c5f107eb3c64bbbb}
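
The leak described above can be detected mechanically in captured or logged requests: any query parameter whose decoded value is a URL that still carries a fragment has exposed client-side secret material. The Python below is an added example, not part of the original write-up. It runs on the piwik request quoted above plus one constructed clean request, and the function names are chosen here for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Request line copied from the write-up (split only for readability).
REQUEST_LINE = (
    "GET /piwik.php?action_name=0bin%20-%20encrypted%20pastebin&idsite=1&rec=1"
    "&r=776276&h=11&m=27&s=12"
    "&url=http%3A%2F%2F0bin.asis.io%2Fpaste%2FTINcoc0f%23-krvZ7lGwZ4e2JQ8n%2B3dfsMBqyN6Xk6SUzY7i0JKbpo"
    "&urlref=http%3A%2F%2F0bin.asis.io%2F&_id=dd17974841486b63&_idts=1443081356"
    "&_idvc=1&_idn=0&_refts=0&_viewts=1443081356&send_image=0&pdf=1&qt=0&realp=0"
    "&wma=0&dir=0&fla=1&java=1&gears=0&ag=0&cookie=1&res=1440x900&gt_ms=108 HTTP/1.1"
)

# Constructed sample: the same tracker call with the fragment removed first.
CLEAN_LINE = (
    "GET /piwik.php?idsite=1&rec=1"
    "&url=http%3A%2F%2F0bin.asis.io%2Fpaste%2FTINcoc0f HTTP/1.1"
)


def strip_fragment(url):
    """What the page should hand to the tracker: the URL without '#...'."""
    return urlsplit(url)._replace(fragment="").geturl()


def leaked_fragments(request_line):
    """Return (parameter, url_without_fragment, fragment) for every query
    parameter of the request whose value is an http(s) URL with a fragment."""
    method, target, version = request_line.split(" ", 2)
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        inner = urlsplit(value)  # parse_qsl has already percent-decoded the value
        if inner.scheme in ("http", "https") and inner.fragment:
            findings.append((name, strip_fragment(value), inner.fragment))
    return findings


if __name__ == "__main__":
    for line in (REQUEST_LINE, CLEAN_LINE):
        hits = leaked_fragments(line)
        print("LEAK" if hits else "ok  ", hits)
```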

This challenge was a simple reversing challenge.

The first step was NOPing out the ptrace “anti-debug” call and finding out the main hash function which was at the 0x401B40 address.

This accepted the flag as an input and used big integer math to calculate its hash. This hash was compared to a static buffer (there was a little trick that only every 4th number was used from that buffer).

The hash function can be summarized with this python code:

result = 5381  # djb2-style seed: with 0 the 'ASIS{' constant in the solver below does not match
for c in flag:
    result = result * 33 + (ord(c) ^ 0x8f)

And we know that the hash of the real flag was:

27221558106229772521592198788202006619458470800161007384471764

So we could calculate the flag easily with the following code snippet:

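p = 'abcdef0123456789'  # candidate characters: lowercase hex digits

def f(h, l, x):
    # Walk the hash backwards: h is the state before the known suffix x,
    # l is the number of characters still to recover.
    if l == 0:
        # 210839978725 is the hash state after the known prefix 'ASIS{' (seed 5381)
        if h == 210839978725:
            yield 'ASIS{' + x
    else:
        for c in p:
            # the last character consumed must agree with the state modulo 33
            if ((ord(c) ^ 0x8f) % 33) == h % 33:
                for r in f((h - (ord(c) ^ 0x8f)) // 33, l - 1, c + x):
                    yield r

h0 = 27221558106229772521592198788202006619458470800161007384471764
x = list(f((h0 - (ord('}') ^ 0x8f)) // 33, 32, '}'))
print(x)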

The flag was:

ASIS{d5c808f5dc96567bda48be9ba82fc1d6}

This was a python-based DES encryptor / decryptor service which used 256 unknown DES keys.

We could encrypt / decrypt messages with exactly 3 keys in a row. So we could only get the result of Ek1(Ek2(Ek3(M))) or Dk1(Dk2(Dk3(M))) where k1,k2,k3 were the indices of the predefined keys.

We also got the encrypted flag, but it was encrypted with 10 keys and not 3:

key = 97c4b5a27177406c404f
ciphertext = 7f62a70857410e0e9c2bb283fc9807f8b1d34bcf7a2b456e965e860e5c6818b40ac596fa43492c30 

We looked up some vulnerabilities of DES on Wikipedia: https://en.wikipedia.org/wiki/Data_Encryption_Standard#Minor_cryptanalytic_properties

There are weak keys and semi-weak keys, and that’s all. I solved this challenge last, and by that time a lot of teams had solved it, so I thought it should not be too hard.

First I tried to check for weak keys by encrypting an arbitrary message (e.g. \x00) with the kXkXk0 and k0kXkX keys and checking whether the results are the same. But I got no match.

Then I wanted to check for semi-weak keys. For this I needed the plaintext encrypted with every possible key on the server, so I decrypted the ciphertext with the first 9 keys and then decrypted with the last one and two 0000 keys. Then I encrypted with two 00 keys and with every possible predefined key.

Here are the ciphertexts:

Bruteforcing them with every possible semi-weak and weak key and grepping for “ASIS{“ gave me the flag.

Weak and semi-weak keys:

0x011F011F010E010E, 0x1F011F010E010E01
0x01E001E001F101F1, 0xE001E001F101F101
0x01FE01FE01FE01FE, 0xFE01FE01FE01FE01
0x1FE01FE00EF10EF1, 0xE01FE01FF10EF10E
0x1FFE1FFE0EFE0EFE, 0xFE1FFE1FFE0EFE0E
0xE0FEE0FEF1FEF1FE, 0xFEE0FEE0FEF1FEF1
0x0101010101010101, 0xFEFEFEFEFEFEFEFE
0xE0E0E0E0F1F1F1F1, 0x1F1F1F1F0E0E0E0E

Solutions:

Key = 0x1ffe1ffe0efe0efe, Ciphertext = 0c45fc2b65db639cba59075c4d2375c1fb98a6b405935bb331084d07c4e6fcb58c8f7ebe40b809f2
Key = 0xfe1ffe1ffe0efe0e, Ciphertext = 6b8fc0f9fea6586e312fabcbbb9a62f586d9e570053c316b49f943f9d7a5e7e9b7b614b52c10f429
Plaintext = ASIS{90152c3d6e6658f2057bba4c889e5cda}\x00\x00
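
The 16 keys listed above are not arbitrary: they are exactly the keys whose two 28-bit halves after the PC-1 permutation are all zeros, all ones or alternating bits, so the rotating key schedule yields one repeated round key (weak) or round keys that a partner key produces in reverse order (semi-weak). The Python below is an added example, not part of the original write-up. It derives the list from that structure, ignores parity bits, and confirms that the two solution keys form a semi-weak pair. The function names are chosen here for illustration.

```python
# PC-1 ("permuted choice 1") from the DES standard. Entries are 1-based bit
# positions in the 64-bit key, bit 1 being the most significant bit.
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]

ZEROS, ONES, ALT_A, ALT_5 = 0x0000000, 0xFFFFFFF, 0xAAAAAAA, 0x5555555
PATTERNS = (ZEROS, ONES, ALT_A, ALT_5)

# The keys listed in the write-up.
PAGE_KEYS = {
    0x011F011F010E010E, 0x1F011F010E010E01, 0x01E001E001F101F1, 0xE001E001F101F101,
    0x01FE01FE01FE01FE, 0xFE01FE01FE01FE01, 0x1FE01FE00EF10EF1, 0xE01FE01FF10EF10E,
    0x1FFE1FFE0EFE0EFE, 0xFE1FFE1FFE0EFE0E, 0xE0FEE0FEF1FEF1FE, 0xFEE0FEE0FEF1FEF1,
    0x0101010101010101, 0xFEFEFEFEFEFEFEFE, 0xE0E0E0E0F1F1F1F1, 0x1F1F1F1F0E0E0E0E,
}


def halves(key):
    """Apply PC-1 to a 64-bit key and return the 28-bit halves (C0, D0)."""
    bits = 0
    for pos in PC1:
        bits = (bits << 1) | ((key >> (64 - pos)) & 1)
    return bits >> 28, bits & ONES


def from_halves(c, d):
    """Invert PC-1 and give every key byte odd parity."""
    bits, key = (c << 28) | d, 0
    for i, pos in enumerate(PC1):
        if (bits >> (55 - i)) & 1:
            key |= 1 << (64 - pos)
    for shift in range(0, 64, 8):
        if bin((key >> shift) & 0xFE).count("1") % 2 == 0:
            key |= 1 << shift  # parity bit is the low bit of each byte
    return key


def classify(key):
    """Return 'weak', 'semi-weak' or 'ok'; parity bits do not matter."""
    c, d = halves(key)
    if c in (ZEROS, ONES) and d in (ZEROS, ONES):
        return "weak"
    if c in PATTERNS and d in PATTERNS:
        return "semi-weak"
    return "ok"


def partner(key):
    """Key whose round keys are this key's in reverse order, so that
    encrypting with one undoes encrypting with the other."""
    if classify(key) == "ok":
        raise ValueError("key is neither weak nor semi-weak")
    swap = {ALT_A: ALT_5, ALT_5: ALT_A}
    c, d = halves(key)
    return from_halves(swap.get(c, c), swap.get(d, d))


def degenerate_keys():
    """All weak and semi-weak keys, derived from the half patterns alone."""
    return {from_halves(c, d) for c in PATTERNS for d in PATTERNS}


if __name__ == "__main__":
    k = 0x1FFE1FFE0EFE0EFE  # first solution key from the write-up
    print(classify(k), hex(partner(k)))
    print("matches the page's list:", degenerate_keys() == PAGE_KEYS)
```

A key-acceptance check built on `classify` also catches these keys when their parity bits are wrong, which a byte-for-byte comparison against the list would miss.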