**Tags:** prng crypto

Rating:

## Solution

Here we look at the psuedorandom number generator, and we treat the `LSFR` component as a blackbox since we cannot reliably find any weaknesses there. Where we can look i at is the `next_byte(.)` function.

```python

def next_byte(self):

x = self.iv ^ self.mask

# self.next()

self.iv = self.LFSR()

x ^= x >> 16

x ^= x >> 8

return (x & 255)

```

which simplifies to

```python

def next_byte(self):

ret = self.x

self.x = self.LFSR_prime()

return x ^ self.mask_prime

```

From here, it is easy to show that the relationship between two consecutive outputs of `next_byte(.)` is constant.

Since we know that the first few bytes should be `X-MAS{` and that each plaintext byte should be less than 127, then we can easily generate the sequence of the random bytes.

__For full solution see the url__

Original writeup (https://github.com/pberba/ctf-solutions/tree/master/20181223_xmasctf/crypto-460-probably_really_nice_goodies).