CodeVinci CTF 2026 - 🤓 - Cryptography Writeup

Category: Cryptography Flag: CodeVinci{I_hop3_y0u_d1dn7_sl0p_th1s_ch4lL_w1th_claude_uFf}

Challenge Description#

just a nerdy chall

Analysis#

The zip was tiny, so the first thing I did was confirm exactly what files were inside and whether this was source-first or artifact-first.

1
unzip -l nerdy.zip

1
Archive:  nerdy.zip
2
  Length      Date    Time    Name
3
---------  ---------- -----   ----
4
        0  2025-09-15 23:58   nerdy/
5
     5601  2025-09-15 22:37   nerdy/nerd.py
6
     9364  2025-09-15 22:37   nerdy/server.py
7
---------                     -------
8
    14965                     3 files

That immediately told me this challenge was about understanding service logic, not brute forcing ciphertext blobs. I connected once to see the protocol surface and target identity exposed by the server.

1
timeout 8 nc nerd.codevinci.it 9984

1
nerd service ready.
2
Commands: diag <n> | issue <user_id> | validate <token> | help | quit
3
Target user: ctf
4
>

I then pulled out the key lines in nerd.py that control the whole game: how diagnostics are computed, how token material is derived, and how validation is decided.

1
from pathlib import Path
2

3
p = Path('/home/LIGHT/Downloads/nerdy_chal/nerdy/nerd.py')
4
lines = p.read_text().splitlines()
5
for i, l in enumerate(lines, 1):
6
    if any(k in l for k in [
7
        'def _derive',
8
        'def diag_line',
9
        'def validate',
10
        'if token == self.target_token',
11
        'y_prev = self.history[self.count - 2]'
12
    ]):
13
        print(f"{i}: {l}")

1
96: def diag_line(self) -> tuple[int, int]:
2
100:         y_prev = self.history[self.count - 2]
3
105: def _derive(self, user_id: str) -> Token:
4
148: def validate(self, token_b64: str) -> tuple[bool, bool]:
5
154:         if token == self.target_token:

The important part is that validate does not recompute token authenticity from scratch; it checks equality against the precomputed target token. At the same time, diag_line leaks correlated values of consecutive MT19937 outputs. The target token is generated once at startup (t=2000), and the first issue uses that same timeline slot, which leaks the same nonce source context. From there, the solve path is: recover tempered outputs from diag, untemper to MT state words, solve missing prefix words with Z3 while modeling in-place twist semantics correctly, reconstruct y1990..y1993 for the AES key, forge exact target token bytes, and submit with validate.

Getting the MT constraints right was the painful part; a naïve non-in-place twist model made Z3 go UNSAT repeatedly even with correct output reconstruction.

tableflip

Once the in-place twist dependency was fixed in the solver, the exploit became clean and deterministic.

smile

Running the final script gave the flag directly.

1
python solve_nerdy.py

1
CodeVinci{I_hop3_y0u_d1dn7_sl0p_th1s_ch4lL_w1th_claude_uFf}

Solution#

1
import base64
2
import re
3
import socket
4
from dataclasses import dataclass
5

6
from Crypto.Cipher import AES
7
from z3 import BitVec, BitVecVal, If, LShR, Solver, sat
8

9
MASK32 = 0xFFFFFFFF
10
PROMPT = b"\n> "
11

12
def u32(x: int) -> int:
13
    return x & MASK32
14

15
def rotl32(x: int, r: int) -> int:
16
    r &= 31
17
    return u32((x << r) | (x >> (32 - r)))
18

19
def rotr32(x: int, r: int) -> int:
20
    r &= 31
21
    return u32((x >> r) | (x << (32 - r)))
22

23
def pack_u32(x: int) -> bytes:
24
    return u32(x).to_bytes(4, "big")
25

26
def temper(x: int) -> int:
27
    y = u32(x)
28
    y ^= y >> 11
29
    y ^= (y << 7) & 0x9D2C5680
30
    y ^= (y << 15) & 0xEFC60000
31
    y ^= y >> 18
32
    return u32(y)
33

34
def undo_right_shift_xor(y: int, shift: int) -> int:
35
    x = 0
36
    for i in range(31, -1, -1):
37
        yb = (y >> i) & 1
38
        xb = yb
39
        j = i + shift
40
        if j <= 31:
41
            xb ^= (x >> j) & 1
42
        x |= xb << i
43
    return u32(x)
44

45
def undo_left_shift_xor_and(y: int, shift: int, mask: int) -> int:
46
    x = 0
47
    for i in range(32):
48
        yb = (y >> i) & 1
49
        xb = yb
50
        j = i - shift
51
        if j >= 0 and ((mask >> i) & 1):
52
            xb ^= (x >> j) & 1
53
        x |= xb << i
54
    return u32(x)
55

56
def untemper(y: int) -> int:
57
    x = undo_right_shift_xor(y, 18)
58
    x = undo_left_shift_xor_and(x, 15, 0xEFC60000)
59
    x = undo_left_shift_xor_and(x, 7, 0x9D2C5680)
60
    x = undo_right_shift_xor(x, 11)
61
    return u32(x)
62

63
def pkcs7_pad(data: bytes, block_size: int = 16) -> bytes:
64
    p = block_size - (len(data) % block_size)
65
    return data + bytes([p]) * p
66

67
@dataclass
68
class Tube:
69
    sock: socket.socket
70
    buf: bytes = b""
71

72
    def recv_until(self, marker: bytes) -> bytes:
73
        while marker not in self.buf:
74
            chunk = self.sock.recv(65536)
75
            if not chunk:
76
                raise EOFError("connection closed")
77
            self.buf += chunk
78
        idx = self.buf.index(marker) + len(marker)
79
        out = self.buf[:idx]
80
        self.buf = self.buf[idx:]
81
        return out
82

83
    def cmd(self, s: str) -> bytes:
84
        self.sock.sendall(s.encode() + b"\n")
85
        return self.recv_until(PROMPT)
86

87
def parse_diag_block(blob: bytes, n: int):
88
    text = blob.decode("utf-8", "replace")
89
    pairs = []
90
    for ln in text.splitlines():
91
        ln = ln.strip()
92
        if re.fullmatch(r"[0-9a-f]{8} [0-9a-f]{8}", ln):
93
            a, b = ln.split()
94
            pairs.append((int(a, 16), int(b, 16)))
95
    if len(pairs) < n:
96
        raise RuntimeError("diag parse failed")
97
    return pairs[:n]
98

99
def recover_outputs_from_diag(pairs):
100
    n = len(pairs)
101
    a = [p[0] for p in pairs]
102
    b = [p[1] for p in pairs]
103
    H = 0xFFF00000
104
    L = 0x00000FFF
105

106
    candidates = []
107
    for mid in range(256):
108
        y1 = u32((b[0] & H) | (mid << 12) | (b[1] & L))
109
        y0 = rotr32(y1 ^ a[0], 11)
110
        if (y0 & L) != (b[0] & L):
111
            continue
112
        seq = [y0, y1]
113
        ok = True
114
        for i in range(1, n):
115
            yi = seq[i]
116
            yip1 = u32(a[i] ^ rotl32(yi, 11))
117
            if (yip1 & H) != (b[i] & H):
118
                ok = False
119
                break
120
            if i + 1 < n and (yip1 & L) != (b[i + 1] & L):
121
                ok = False
122
                break
123
            seq.append(yip1)
124
        if ok:
125
            candidates.append(seq)
126

127
    if len(candidates) != 1:
128
        raise RuntimeError("diag reconstruction ambiguous")
129
    return candidates[0]
130

131
def recover_s4_prefix_with_z3(s4_suffix, s5_full):
132
    A = 0x9908B0DF
133
    x = [BitVec(f"x{i}", 32) for i in range(128)]
134

135
    def s4(i):
136
        if i < 128:
137
            return x[i]
138
        return BitVecVal(s4_suffix[i], 32)
139

140
    solver = Solver()
141
    for i in range(624):
142
        xi = s4(i)
143
        if i == 623:
144
            xip1 = BitVecVal(s5_full[0], 32)
145
        else:
146
            xip1 = s4(i + 1)
147

148
        if i >= 227:
149
            xi397 = BitVecVal(s5_full[i - 227], 32)
150
        else:
151
            xi397 = s4(i + 397)
152

153
        y = (xi & BitVecVal(0x80000000, 32)) | (xip1 & BitVecVal(0x7FFFFFFF, 32))
154
        mag = If((xip1 & BitVecVal(1, 32)) == BitVecVal(1, 32), BitVecVal(A, 32), BitVecVal(0, 32))
155
        nxt = xi397 ^ LShR(y, 1) ^ mag
156
        solver.add(nxt == BitVecVal(s5_full[i], 32))
157

158
    if solver.check() != sat:
159
        raise RuntimeError("z3 unsat")
160

161
    model = solver.model()
162
    s4_full = [0] * 624
163
    for i in range(128):
164
        s4_full[i] = model.evaluate(x[i]).as_long() & MASK32
165
    for i in range(128, 624):
166
        s4_full[i] = s4_suffix[i]
167
    return s4_full
168

169
def forge_target_token(target_user: str, nonce: bytes, y1990: int, y1991: int, y1992: int, y1993: int) -> str:
170
    key = pack_u32(y1990) + pack_u32(y1991) + pack_u32(y1992) + pack_u32(y1993)
171
    pt = pkcs7_pad(target_user.encode() + nonce, 16)
172
    mac = AES.new(key, AES.MODE_ECB).encrypt(pt)[:16]
173
    raw = bytes([len(target_user)]) + target_user.encode() + nonce + mac
174
    return base64.b64encode(raw).decode()
175

176
def main():
177
    s = socket.create_connection(("nerd.codevinci.it", 9984), timeout=10)
178
    s.settimeout(30)
179
    t = Tube(s)
180
    banner = t.recv_until(PROMPT).decode("utf-8", "replace")
181
    target_user = re.search(r"Target user:\s*(\S+)", banner).group(1)
182

183
    issue_resp = t.cmd("issue a").decode("utf-8", "replace")
184
    token_line = next(ln.strip() for ln in issue_resp.splitlines() if re.fullmatch(r"[A-Za-z0-9+/=]+", ln.strip()))
185
    raw = base64.b64decode(token_line, validate=True)
186
    nonce = raw[1 + raw[0]:1 + raw[0] + 8]
187

188
    pairs = parse_diag_block(t.cmd("diag 1120"), 1120)
189
    outputs = recover_outputs_from_diag(pairs)
190

191
    s4_suffix = {j % 624: untemper(outputs[j - 2000]) for j in range(2000, 2496)}
192
    s5_full = [0] * 624
193
    for j in range(2496, 3120):
194
        s5_full[j % 624] = untemper(outputs[j - 2000])
195

196
    s4_full = recover_s4_prefix_with_z3(s4_suffix, s5_full)
197
    y1990 = temper(s4_full[118])
198
    y1991 = temper(s4_full[119])
199
    y1992 = temper(s4_full[120])
200
    y1993 = temper(s4_full[121])
201

202
    forged = forge_target_token(target_user, nonce, y1990, y1991, y1992, y1993)
203
    out = t.cmd(f"validate {forged}").decode("utf-8", "replace")
204
    print(re.search(r"CodeVinci\{[^}]+\}", out).group(0))
205

206
if __name__ == "__main__":
207
    main()

1
python solve_nerdy.py

1
CodeVinci{I_hop3_y0u_d1dn7_sl0p_th1s_ch4lL_w1th_claude_uFf}