We get given challenge.py and encrypted.bin. Analysing challenge.py:
import randomfrom math import gcddefencrypt(dt): mod =256whileTrue: a = random.randint(1, mod)ifgcd(a, mod)==1:break b = random.randint(1, mod) res =b''for byte in dt: enc = (a * byte + b) % mod res +=bytes([enc])return resdt =open('letter.pdf', 'rb').read()res =encrypt(dt)f =open('encrypted.bin', 'wb')f.write(res)f.close()
It calculates two random values, a and b. For every byte k in the plaintext file, it then calculates
ak+bmod256
And appends the result of that as the encrypted character in encrypted.bin.
Analysis
The plaintext file appears to be letter.pdf, and using this we can work out the values of a and b because we know the first 4 bytes of every PDF file are %PDF. We can extract the first two bytes of encrypted.bin and compare to the expected two bytes:
withopen('encrypted.bin', 'rb')as f: res = f.read()print(res[0])print(res[1])print(ord('%'))print(ord('P'))
Gives us
131123780
So we can form two equations here using this information:
a⋅37+b≡13mod256a⋅80+b≡112mod256
We subtract (2) from (1) to get that
43a≡99mod256
And we can multiply both sides by the modular multiplicative inverse of 43, i.e. 43−1mod256, which is 131, to get that
a≡99⋅131≡169mod256
And then we can calculate b:
b≡13−169∗37≡160mod256
Solution
So now we have the values for a and b, it's simply a matter of going byte-by-byte and reversing it. I created a simple Sage script to do this with me, and it took a bit of time to run but eventually got the flag.
withopen('encrypted.bin', 'rb')as f: res = f.read()final =b''R =IntegerModRing(256)for char in res: b =bytes([ (R(char) -R(160)) /R(169) ])print(b.decode('latin-1'), end='') final += bwithopen('answer.pdf', 'wb')as f: f.write(final)
And the resulting PDF has the flag HTB{4ff1n3_c1ph3r_15_51mpl3_m47h5} within.
