Tags: blockcipher aes crypto 


Most of the logic doesn't matter in the end. The only thing that matters is the following two facts:

1. The flag is encrypted using `key2`
2. After every call to `encrypt()`, the value of `key2` is updated to be the resulting ciphertext

After spending some time reading the code these two points became apparent, and then it was simply a matter of getting the encrypted flag twice in a row and using the first encrypted flag as the key to decrypt the second one. Most of the time ended up being implementing a decrypt, as you can see in the following code:

See link for details.

Original writeup (https://4cad.github.io/CTF_Writeups/202005%20Pwn2Win/Androids/Pwn2Win20%20-%20Androids%20Writeup.html).