Tags: prng crypto 


## Solution

Here we look at the pseudorandom number generator. We treat the `LFSR` component as a black box, since we cannot reliably find any weaknesses there. Where we can look is the `next_byte(.)` function.

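```python
def next_byte(self):
    x = self.iv ^ self.mask   # mask the current state
    # self.next()
    self.iv = self.LFSR()     # advance the state for the next call
    x ^= x >> 16              # fold the upper half into the lower half
    x ^= x >> 8               # fold again; the low byte is now the XOR of all bytes
    return (x & 255)
```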

which simplifies to

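```python
def next_byte(self):
    ret = self.x                  # value derived from the current state
    self.x = self.LFSR_prime()    # advance the state
    return ret ^ self.mask_prime  # mask_prime is a constant derived from self.mask
```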

From here, it is easy to show that the relationship between two consecutive outputs of `next_byte(.)` is constant.
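The simplification above can be checked directly. This is an added example, not code from the original writeup: `fold` and `next_byte` follow the code on this page, while `ToyPRNG`, its tap constant and the helper names are hypothetical stand-ins for the black-box LFSR.

```python
def fold(x):
    """Byte fold from next_byte(): XOR of all bytes of x (linear over GF(2))."""
    x ^= x >> 16
    x ^= x >> 8
    return x & 255


class ToyPRNG:
    """next_byte() as on this page; LFSR() is a placeholder (assumption)."""

    def __init__(self, iv, mask):
        self.iv = iv
        self.mask = mask

    def LFSR(self):
        # Hypothetical taps: any update that depends only on iv works here.
        bit = bin(self.iv & 0x80200003).count("1") & 1
        return (self.iv >> 1) | (bit << 31)

    def next_byte(self):
        x = self.iv ^ self.mask
        self.iv = self.LFSR()
        return fold(x)


def stream(iv, mask, n=32):
    """First n output bytes for a given state and mask."""
    gen = ToyPRNG(iv, mask)
    return [gen.next_byte() for _ in range(n)]


def mask_reduces_to_byte(iv, mask, n=32):
    """True if every output equals fold(state) ^ fold(mask)."""
    unmasked = stream(iv, 0, n)   # same state sequence, no mask
    mask_prime = fold(mask)       # the single constant byte that matters
    return stream(iv, mask, n) == [b ^ mask_prime for b in unmasked]


if __name__ == "__main__":
    iv, mask = 0xDEADBEEF, 0x12345678   # constructed sample values
    print("mask_prime =", hex(fold(mask)))
    print("reduction holds:", mask_reduces_to_byte(iv, mask))
    # Two different 32-bit masks with the same fold give the same stream.
    print("masks equivalent:", stream(iv, mask) == stream(iv, fold(mask)))
```

Because the fold is only shifts and XORs, the 32-bit mask contributes a single unknown byte to the output, which is why it adds so little secrecy.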

Since we know that the first few bytes should be `X-MAS{` and that each plaintext byte should be less than 127, we can easily generate the sequence of random bytes.

__For the full solution, see the URL below.__

Original writeup (https://github.com/pberba/ctf-solutions/tree/master/20181223_xmasctf/crypto-460-probably_really_nice_goodies).