Tags: prng crypto

## Solution

Here we look at the pseudorandom number generator, and we treat the LFSR component as a black box since we cannot reliably find any weaknesses there. What we can look at is the `next_byte(.)` function.

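```python
def next_byte(self):
    # self.next()
    self.iv = self.LFSR()
    # x is the state word being folded; its assignment is not shown in this excerpt
    x ^= x >> 16  # fold the upper 16 bits into the lower 16
    x ^= x >> 8   # fold again, so the low byte is the XOR of the bytes of x
    return (x & 255)
```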


which simplifies to

```python
def next_byte(self):
    ret = self.x                 # output the current (folded) state
    self.x = self.LFSR_prime()   # advance the state
    return ret
```

From here, it is easy to show that the relationship between two consecutive outputs of `next_byte(.)` is constant.
Since we know that the first few bytes should be `X-MAS{` and that each plaintext byte should be less than 127, we can easily generate the sequence of random bytes.
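
The following is an added example, not code from the original writeup or the challenge. It checks that the output fold in `next_byte(.)` is GF(2)-linear (it is the XOR of the state's bytes), and shows how the known `X-MAS{` prefix and the "less than 127" constraint pin down keystream bytes. It assumes each ciphertext byte is the plaintext byte XORed with a `next_byte(.)` output; the function names and sample data are constructed for illustration.

```python
import random

def fold(x):
    """Output step of next_byte(): collapse the state word to one byte."""
    x ^= x >> 16
    x ^= x >> 8
    return x & 255

def fold_bytes(x):
    """The same value written out: XOR of the four low bytes of x."""
    return (x ^ (x >> 8) ^ (x >> 16) ^ (x >> 24)) & 255

def fold_is_linear(trials=10000, seed=1):
    """Check fold(a ^ b) == fold(a) ^ fold(b) on random 32-bit words."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.getrandbits(32), rng.getrandbits(32)
        if fold(a ^ b) != fold(a) ^ fold(b) or fold(a) != fold_bytes(a):
            return False
    return True

def keystream_from_prefix(ciphertext, known=b"X-MAS{"):
    """Assumption: ciphertext[i] = plaintext[i] ^ next_byte() output i."""
    return bytes(c ^ p for c, p in zip(ciphertext, known))

def plausible_keystream_bytes(c):
    """Keystream bytes that decrypt ciphertext byte c to a value below 127."""
    return [k for k in range(256) if (c ^ k) < 127]

# Constructed sample data (not from the challenge): a made-up keystream
# and the ciphertext it yields for a made-up flag.
SAMPLE_KS = bytes([0x3A, 0x91, 0x07, 0xC4, 0x5E, 0xB2, 0x18, 0x6D, 0xF0, 0x2B, 0x99])
SAMPLE_PT = b"X-MAS{demo}"
SAMPLE_CT = bytes(p ^ k for p, k in zip(SAMPLE_PT, SAMPLE_KS))

if __name__ == "__main__":
    print("fold is GF(2)-linear:", fold_is_linear())
    print("recovered keystream:", keystream_from_prefix(SAMPLE_CT).hex())
    print("candidates for next byte:", len(plausible_keystream_bytes(SAMPLE_CT[6])))
```

Because the fold is linear, any XOR relation that holds between internal states carries over unchanged to the output bytes, which is why the LFSR itself can stay a black box.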