Qwaz
diff --git a/‎GoogleCTF/2023 Quals/mhk2/MHK2.sage
+156 b/‎GoogleCTF/2023 Quals/mhk2/MHK2.sage
+156
diff --git a/‎GoogleCTF/2023 Quals/mhk2/output.py
+2 b/‎GoogleCTF/2023 Quals/mhk2/output.py
+2
diff --git a/‎GoogleCTF/2023 Quals/mhk2/output.txt
+2 b/‎GoogleCTF/2023 Quals/mhk2/output.txt
+2
diff --git a/‎GoogleCTF/2023 Quals/mhk2/solver.sage
+68 b/‎GoogleCTF/2023 Quals/mhk2/solver.sage
+68
diff --git a/‎GoogleCTF/2023 Quals/zip/bkcrack.patch
+112 b/‎GoogleCTF/2023 Quals/zip/bkcrack.patch
+112
@@ -0,0 +1,156 @@
+import secrets
+
+random = secrets.SystemRandom()
+
+MSG = "CTF{????}"
+
+
+class PrivateKey:
+    def __init__(self, length: int = 256, keytup: tuple = ()):
+        if keytup:
+            self.s1, self.s2, self.s, self.p1, self.p2, self.e1, self.e2 = keytup
+        else:
+            while True:
+                self.s1 = self._gen_sequence(length)
+                self.p1 = sum(self.s1) + 2
+                self.e1 = self._gen_pos_ints(self.p1)
+                if is_prime(self.p1): break
+
+            while True:
+                self.s2 = self._gen_sequence(length)
+                self.p2 = sum(self.s2) + 2
+                self.e2 = self._gen_pos_ints(self.p2)
+                if is_prime(self.p2): break
+
+            self.s = [self.s1[i] + self.s2[i] for i in range(length)]
+            assert self.p1 != self.p2
+
+    def _gen_sequence(self, length: int) -> list[int]:
+        return [random.getrandbits(128) for _ in range(length)]
+
+    def _gen_pos_ints(self, p) -> int:
+        return random.randint((p-1)//2, p-1)
+
+    def export_secret(self):
+        return {"s1": self.s1, "s2": self.s2, "s": self.s,
+                "p1": self.p1, "p2": self.p2, "e1": self.e1, "e2": self.e2}
+
+
+class PublicKey:
+    def __init__(self, private_key: PrivateKey):
+        self.a1 = [(private_key.e1 * s) % private_key.p1 for s in private_key.s1]
+        self.a2 = [(private_key.e2 * s) % private_key.p2 for s in private_key.s2]
+
+        self.b1 = [i % 2 for i in private_key.s1]
+        self.b2 = [i % 2 for i in private_key.s2]
+        self.b = [i % 2 for i in private_key.s]
+
+        self.t = random.randint(1, 2)
+        self.c = self.b1 if self.t == 1 else self.b2
+
+    def public_key_export(self):
+        return {"a1": self.a1, "a2": self.a2, "b": self.b, "c": self.c}
+
+
+class MHK2:
+    def __init__(
+        self,
+        length: int,
+        private_key: PrivateKey = PrivateKey,
+        public_key: PublicKey = PublicKey,
+    ):
+        self.private_key = private_key(length)
+        self.public_key = public_key(self.private_key)
+
+    def _random_bin_sequence(self, n):
+        return [random.randint(0, 1) for _ in range(n)]
+
+    def encrypt(self, msg: str):
+        ciphertext = []
+        msg_int = f'{(int.from_bytes(str.encode(msg), "big")):b}'
+        for i in msg_int:
+            ciphertext.append(self.encrypt_bit(int(i)))
+        return ciphertext
+
+    def decrypt(self, ciphertext):
+        plaintext_bin = ""
+        for i in ciphertext:
+            plaintext_bin += str(self.decrypt_bit(i))
+
+        split_bin = [plaintext_bin[i : i + 7] for i in range(0, len(plaintext_bin), 8)]
+
+        plaintext = ""
+        for seq in split_bin:
+            plaintext += chr(int(seq, 2))
+        return plaintext
+
+    # single bit {0,1}
+    def encrypt_bit(self, bit):
+        r1 = self._random_bin_sequence(len(self.public_key.b))
+        r2 = self._random_bin_sequence(len(self.public_key.b))
+
+        m1 = sum([(self.public_key.b[i] * r1[i]) for i in range(len(r1))]) % 2
+        m2 = sum([(self.public_key.b[i] * r2[i]) for i in range(len(r2))]) % 2
+
+        eq = sum([(self.public_key.c[i] * r1[i]) for i in range(len(r1))]) == sum(
+            [(self.public_key.c[i] * r2[i]) for i in range(len(r2))]
+        )
+
+        while m1 != bit or m2 != bit or not eq or r1 == r2:
+            r1 = self._random_bin_sequence(len(self.public_key.b))
+            r2 = self._random_bin_sequence(len(self.public_key.b))
+
+            m1 = (
+                sum(
+                    [
+                        (self.public_key.b[i] * r1[i])
+                        for i in range(len(self.public_key.b))
+                    ]
+                )
+                % 2
+            )
+            m2 = (
+                sum(
+                    [
+                        (self.public_key.b[i] * r2[i])
+                        for i in range(len(self.public_key.b))
+                    ]
+                )
+                % 2
+            )
+
+            eq = sum(
+                [(self.public_key.c[i] * r1[i]) for i in range(len(self.public_key.b))]
+            ) == sum(
+                [(self.public_key.c[i] * r2[i]) for i in range(len(self.public_key.b))]
+            )
+
+        C1 = sum([(self.public_key.a1[i] * r1[i]) for i in range(len(r1))])
+        C2 = sum([(self.public_key.a2[i] * r2[i]) for i in range(len(r2))])
+        return C1, C2
+
+    def decrypt_bit(self, ciphertext: tuple[int, int]) -> int:
+        C1, C2 = ciphertext
+        M1 = (
+            pow(self.private_key.e1, -1, self.private_key.p1) * C1 % self.private_key.p1
+        )
+        M2 = (
+            pow(self.private_key.e2, -1, self.private_key.p2) * C2 % self.private_key.p2
+        )
+        m = (M1 + M2) % 2
+        return m
+
+
+def main():
+    crypto = MHK2(256)
+    ciphertext = crypto.encrypt(MSG)
+    plaintext = crypto.decrypt(ciphertext)
+
+    print(crypto.public_key.public_key_export())
+    print(ciphertext)
+
+    assert plaintext == MSG
+
+
+if __name__ == "__main__":
+    main()
@@ -0,0 +1,68 @@
+from output import cipher, params
+
+N = 256
+LAMBDA = 32  # LLL scaling
+
+a1 = params["a1"]
+a2 = params["a2"]
+
+b = params["b"]
+
+b1 = params["c"]
+b2 = [(b1[i] + b[i]) % 2 for i in range(N)]
+
+assert N == len(a1) == len(a2) == len(b) == len(b1) == len(b2)
+
+
+def solve_one(v, sum_v, bits):
+    m = []
+    for i in range(N):
+        t = [0] * (N + 2)
+        t[i] = 1
+        t[N] = -LAMBDA * v[i]
+        m.append(t)
+    # Final row
+    t = [0] * (N + 2)
+    t[N] = LAMBDA * sum_v
+    t[N + 1] = 1
+    m.append(t)
+
+    mat = matrix(ZZ, m)
+    lll = mat.LLL()
+
+    for row in lll:
+        if row[N + 1] == 1 and row[N] == 0:
+            coeff_row = row
+            break
+    else:
+        print("No row found...")
+        exit(1)
+
+    bit = 0
+    for i in range(N):
+        bit = (bit + bits[i] * coeff_row[i]) % 2
+
+    return bit
+
+
+if len(cipher) % 8 == 0:
+    plaintext_bin = ""
+else:
+    plaintext_bin = "0" * (8 - len(cipher) % 8)
+
+for (i, c_bit) in enumerate(cipher):
+    m1 = solve_one(a1, c_bit[0], b2)
+    m2 = solve_one(a2, c_bit[1], b1)
+    print(m1, m2)
+
+    plaintext_bin += str((m1 + m2) % 2)
+    print(f"{i:03}/{len(cipher)}: {plaintext_bin}")
+
+split_bin = [plaintext_bin[i : i + 8] for i in range(0, len(plaintext_bin), 8)]
+
+plaintext = ""
+for seq in split_bin:
+    plaintext += chr(int(seq, 2))
+
+# CTF{faNNYPAcKs_ARe_4maZiNg_AnD_und3Rr@t3d}
+print(plaintext)
@@ -0,0 +1,112 @@
+diff --git a/include/Attack.hpp b/include/Attack.hpp
+index 0171073..5be5673 100644
+--- a/include/Attack.hpp
++++ b/include/Attack.hpp
+@@ -54,6 +54,10 @@ class Attack
+         u32arr<CONTIGUOUS_SIZE> zlist;
+         u32arr<CONTIGUOUS_SIZE> ylist; // the first two elements are not used
+         u32arr<CONTIGUOUS_SIZE> xlist; // the first four elements are not used
++
++        // Custom verification logic
++        bytevec extraCipher, extraPlain;
++        std::size_t extraPlainPosition;
+ };
+ 
+ /// \brief Iterate on Zi[2,32) candidates to try and find complete internal keys
+diff --git a/src/Attack.cpp b/src/Attack.cpp
+index 21c2272..6938851 100644
+--- a/src/Attack.cpp
++++ b/src/Attack.cpp
+@@ -4,9 +4,44 @@
+ #include "KeystreamTab.hpp"
+ #include "MultTab.hpp"
+ 
++#include <iomanip>
++
+ Attack::Attack(const Data& data, std::size_t index, std::vector<Keys>& solutions, bool exhaustive, Progress& progress)
+  : data(data), index(index + 1 - Attack::CONTIGUOUS_SIZE), solutions(solutions), exhaustive(exhaustive), progress(progress)
+-{}
++{
++    extraPlainPosition = 11;
++    for (auto c : "\x9F\x61\x80\xB0\xE2\xFB\x7C\x52\x9E\x28\x51\x02\x5F\x12\x1E\x89") {
++        if (c == 0) break;
++        extraCipher.push_back(c);
++    }
++    for (auto c : "\x3b\xe2\xf2\xba\x77") {
++        if (c == 0) break;
++        extraPlain.push_back(c);
++    }
++
++
++    std::cout << std::setfill('0') << std::hex;
++
++    std::cout << "cipherText: ";
++    for(byte c : data.ciphertext) {
++        std::cout << std::setw(2) << static_cast<int>(c) << ' ';
++    }
++    std::cout << std::endl;
++
++    std::cout << "extraCipher: ";
++    for(byte c : extraCipher) {
++        std::cout << std::setw(2) << static_cast<int>(c) << ' ';
++    }
++    std::cout << std::endl;
++
++    std::cout << "extraPlain: ";
++    for(byte c : extraPlain) {
++        std::cout << std::setw(2) << static_cast<int>(c) << ' ';
++    }
++    std::cout << std::endl;
++
++    std::cout << std::setfill(' ') << std::dec;
++}
+ 
+ void Attack::carryout(uint32 z7_2_32)
+ {
+@@ -155,6 +190,31 @@ void Attack::testXlist()
+             return;
+     }
+ 
++    // Custom check for junk.dat
++    Keys customKey(x, ylist[3], zlist[3]);
++    using rit = std::reverse_iterator<bytevec::const_iterator>;
++    for(rit p = rit(data.plaintext.begin() + index + 3),
++            c = rit(data.ciphertext.begin() + data.offset + index + 3);
++            p != data.plaintext.rend();
++            ++p, ++c)
++    {
++        customKey.updateBackward(*c);
++    }
++    
++    // First, run backward to reset the state
++    customKey.updateBackward(data.ciphertext, data.offset, 0);
++
++    // Then, run it forward again with `junk.dat` data
++    for (std::size_t idxWithHeader = 0; idxWithHeader < extraCipher.size(); idxWithHeader++) {
++        byte c = extraCipher[idxWithHeader];
++        byte expectedP = c ^ customKey.getK();
++        if (idxWithHeader >= extraPlainPosition
++            && expectedP != extraPlain[idxWithHeader - extraPlainPosition]) {
++            return;
++        }
++        customKey.update(expectedP);
++    }
++
+     // all tests passed so the keys are found
+ 
+     // get the keys associated with the initial state
+diff --git a/src/Data.cpp b/src/Data.cpp
+index 194c298..5a14cce 100644
+--- a/src/Data.cpp
++++ b/src/Data.cpp
+@@ -141,8 +141,8 @@ Data::Data(bytevec ciphertextArg, bytevec plaintextArg, int offsetArg, const std
+     // check that there is enough known plaintext
+     if(plaintext.size() < Attack::CONTIGUOUS_SIZE)
+         throw Error("not enough contiguous plaintext ("+std::to_string(plaintext.size())+" bytes available, minimum is "+std::to_string(Attack::CONTIGUOUS_SIZE)+")");
+-    if(plaintext.size() + extraPlaintext.size() < Attack::ATTACK_SIZE)
+-        throw Error("not enough plaintext ("+std::to_string(plaintext.size() + extraPlaintext.size())+" bytes available, minimum is "+std::to_string(Attack::ATTACK_SIZE)+")");
++    // if(plaintext.size() + extraPlaintext.size() < Attack::ATTACK_SIZE)
++    //     throw Error("not enough plaintext ("+std::to_string(plaintext.size() + extraPlaintext.size())+" bytes available, minimum is "+std::to_string(Attack::ATTACK_SIZE)+")");
+ 
+     // reorder remaining extra plaintext for filtering
+     {