Rating:
circuit_2.dig
```
Key
_
v
| ________
Plain4 [o]----|--|Plain |
| | Enc|---(o) Ciph4
.--|Key____|
| Block
| ________
Plain3 [o]----|--|Plain |
| | Enc|---(o) Ciph3
.--|Key____|
| Block
| ________
Plain2 [o]----|--|Plain |
| | Enc|---(o) Ciph2
.--|Key____|
| Block
| ________
Plain1 [o]----|--|Plain |
| | Enc|---(o) Ciph1
.--|Key____|
| Block
| ________
Plain0 [o]----|--|Plain |
| | Enc|---(o) Ciph0
.--|Key____|
Block
Key [o]---<|Key
```
Block.dig
```
0 ~ 63 0 ~ 31 0 ~ 31 0 ~ 63
Plain [o]--------|-------------.----------------------\ /--------.------------------------|--------(o) Enc
|-. | _____ \ / | _____ .-|
| 32 ~ 63 .-\\ \ \ / .-\\ \ 32 ~ 63 |
| ||xnor|o-. x ||xnor|o-. |
| Key1|>--//____/ | ____ / \ Key2|>--//____/ | ____ |
| .--\\ \ / \ .--\\ \ |
| ||xor|---/ \ ||xor|---.
|-------------------------//___/ \---------------------//___/
0 ~ 7
0 ~ 39 0 ~ 7 /---------| 0 ~ 31
Key [o]--------.--------- 8 ~ 31 |--------<| Key1
| 8 ~ 31 /--------|
.---------x 0 ~ 23
| 32 ~ 39 \--------| 0 ~ 31
.--------- 24 ~ 31 |--------<| Key2
\---------|
```
**Reverse:**
PlainLo = Plain & 0xFFFFFFFF
PlainHi = Plain >> 32
CiphLo = (PlainLo xnor key1) xor PlainHi
CiphHi = (CiphLo xnor key2) xor PlainLo
Enc = (CiphHi << 32) + CiphLo
Key1 = Key & 0xFFFFFFFF
Key2 = Key >> 8
**Solution:**
Known Plaintext is `bcactf{`, which is 7 bytes (28 bits).
Since there are 24 common bits in key1 and key2, so knowing those common bits from one of them can be applied to the other key.
(1) CiphLo = (PlainLo xnor key1) xor PlainHi = 0xFFFFFFFF - (PlainLo xor key1 xor PlainHi)
(2) CiphHi = (CiphLo xnor key2) xor PlainLo = 0xFFFFFFFF - (CiphLo xor key2 xor PlainLo)
By xor-ing two equations, we have
CiphLo xor CiphHi = PlainLo xor key1 xor PlainHi xor CiphLo xor key2 xor PlainLo
=> (3) CiphHi xor PlainHi = key1 xor key2
From encrypted.txt:
7B18824F93FB072A 2909D67381E26C31 57238C7EFEF9132D 7D24AD42B991216A 464B9173A2811D13
We have CiphHi = 0x7B18824F, PlainHi = 0x62636163 (`bcac`), CiphLo = 0x93FB072A, PlainLo = 0x74667b?? (`tf{?`)
Therefore, we have key1 xor key2 = 0x197be32c
Also by (1) we have the top 8 bits of key1 = (0xff - 0x93 (from CiphLo)) xor 0x74 (from PlainLo) xor 0x62 (from PlainHi) = 0x7a
by the same way, we have the top 24 bits of key1 = the bottom 24 bits of key2 = (0xffffff - 0x93fb07) xor 0x74667b xor 0x626361 = 0x7a01e2
the bottom 8 bits of key1 = 0xe2 ^ 0x2c = 0xce
the top 8 bits of key2 = 0x7a ^ 0x19 = 0x63
Therefore, key1 = 0x7a01e2ce, and key2 = 0x637a01e2.
Solving Script:
```python
key1 = 0x7a01e2ce
key2 = 0x637a01e2
c = [0x7B18824F93FB072A, 0x2909D67381E26C31, 0x57238C7EFEF9132D, 0x7D24AD42B991216A, 0x464B9173A2811D13]
for i in c:
# using (3)
plainhi = key1 ^ key2 ^ (i >> 32)
# using (2)
plainlo = (0xffffffff - (i >> 32)) ^ key2 ^ (i & 0xffffffff)
print(bytes.fromhex(hex((plainhi << 32) + plainlo)[2:]).decode(), end="")
```
Output:
```
bcactf{x0r5_4nD_NXoR5_aNd_NnX0r5_0r_xOr}
```
