Set g = cs[i], y0 = 1 and y1 = cs[i], we can get flag with simple math.

```
from pwn import *
import ast
from Crypto.Util.number import *
from hashlib import sha256

p = 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff
size = 128

def main():
r = remote("crypto2.ctf.nullcon.net", 5000)
print(r.recvuntil("Bellare-Micali OT\n"))
cs = r.recvuntil("]\n")
cs = ast.literal_eval(cs.strip().decode())
#for c in cs:
# print(c)
otinp = []
otinp_to_send = []
for c in cs:
g = c
y0 = 1
y1 = c
to_send = "({0},{1},{2})".format(g, y0, y1)
otinp.append((g, y0, y1))
otinp_to_send.append(to_send)
r.send(" ".join(otinp_to_send) + "\n")
print(r.recvuntil("Server response:"))
resp = r.recvuntil("]\n")
resp = ast.literal_eval(resp.strip().decode())
a = [0] * size
b = [0] * size
t = int(sha256(long_to_bytes(1)).hexdigest(), 16)
for i in range(size):
b[i] = t ^ resp[i][0][1]
a[i] = resp[i][1][1] ^ int(sha256(long_to_bytes(resp[i][1][0])).hexdigest(), 16) ^ b[i]
str_a = str(a)
str_b = str(b)
print("a: ", str_a)
print(r.recvuntil("Enter a:"))
r.send(str_a + "\n")
print("b: ", str_b)
print(r.recvuntil("Enter b:"))
r.send(str_b + "\n")
print(r.recv(4096))
r.close()

# hackim20{this_was_the_most_fun_way_to_include_curveball_that_i_could_find}

if __name__ == '__main__':
main()

```