0xJam3z's Evolving SBox

Author:
0xJam3z

Language:
C/C++

Upload:
2025-11-27 03:43

Download

Platform:
Unix/linux etc.

Difficulty:
5.0

Quality:
5.0

Arch:
x86-64

Downloads:
46

Size:
3.29 KB

Writeups:
0

Comments:
3

Description

Hint is in the challenge name! Good luck solving and have fun! Password: crackmes.one

Comments (3)
Writeups (0)

You must be logged in to post a comment

fakesiva on 2025-12-01 12:12: i solved stage 1 and 2 then 3 patched it is that a win?

0xJam3z on 2025-12-06 15:41: If you manage to extract the flag, you've got a win! Patching will defeat the purpose but I do applaud how far you've come! Will throw another hint: Once you have seed and you run the program you have ALL you need but those are the two requirements. From there it's just a cryptographic algorithim to reverse.

karabatik on 2025-12-09 17:22: Hey thanks for the challenge and for the hints you left in the description and comments I went the “reverse everything first” route rather than patching so I ended up modeling the whole thing in Python recovered the sbox init from the LCG with seed 0xC0DE1234ABCDEF01 the key schedule based on "NotThePasswordLol" the evolving sbox core (sub_1348) and the secondary hash (sub_14DA) and validated the final constants 0xE2F2B4005FBF9874 and 0xDEADBEEFCAFEBABE against the real binary so at this point I have the exact same behavior as the original program offline I can run the hash as an oracle for any 31 byte input and I know all the seeds and constants you used from a crypto point of view though the core behaves very close to a custom 64 bit PRF over 31 bytes with 8 rounds of stateful sbox updates and non linear feedback without some hidden structural weakness the preimage problem still looks like ~2^63 work which is obviously not realistic to brute force in practice I get your point about “once you have the seed and you can run the program you have all you need” but unless there is a specific shortcut you designed into the construction I don’t really see a practical way to invert it just from the outside behavior if there is an intended non brute force solution (other than patching or leaking something trivial) I would really appreciate a short explanation or at least a high level hint about what kind of cryptanalytic trick you had in mind either way nice challenge it was fun to pick apart the evolving sbox and model the whole thing even if the actual flag stays out of reach without a serious amount of compute or a deeper break in the design dc: karabatik

You must be logged in to submit a writeup