## Solution

For these kinds of problems, where the implementation is given, it is important to know what the proper implementation of the algorithm is so that when you spot differences in the implementation, then you can deduce what kind of vulnerabilities are introduced. In this case, it claims to be `des` and is probably derived a python implementation of des, [pydes](https://github.com/RobinDavid/pydes/blob/master/pydes.py)

Here there are two main differences.
* Expansion
* S-boxes

With this we can conclude that the modified DES is linear.

Since the modified DES is linear, then you can think of it as just a big equation of `XORs`. That means __flipping 1 bit of ciphertext, predictably flips some subset of bits for any ciphertext__.

```python
xr = decrypt(m)^decrypt(m^b)
```

Given `b`, then `xr` is constant. We just choose `b` such that it flips at least half of `m`, as required by the problem.

__For the full solution see the url__

Original writeup (https://github.com/pberba/ctf-solutions/tree/master/20181223_xmasctf/crypto-482-a_white_rabbit).