Step 4

Figure out how to get the flag

Take a look at the smart contract source code

The first step in figuring out how to get the flag is view the source code. The source code was provided was the event and can be viewed here. Navigate to move_lock.move in the source directory to find the module source code.

The flag

Take a moment to look through the module. Try to locate the get_flag() function.

This time the get_flag() function requires a ResourceObject and specifically will only emit the Flag event when the the ResourceObject's q1 attribute is true.

sources/move_lock.move

    public entry fun get_flag(resource_object: &ResourceObject, ctx: &mut TxContext) {
        if (resource_object.q1) {
            event::emit(Flag { user: tx_context::sender(ctx), flag: true })
        }
    }

The ResourceObject

The ResourceObject is an struct in the module.

sources/move_lock.move

struct ResourceObject has key, store {
    id : UID,
    balance: u128,
    q1: bool
}

sources/move_lock.move

fun init(ctx: &mut TxContext) {
    transfer::share_object(ResourceObject {
        id: object::new(ctx),
        balance: 100,
        q1: false,
    })
}

The ResourceObject struct has an id, balance, and q1. We can see that during module deployment, a ResourceObject is created with balance set to 100 and q1 set to false.

Take a moment to look at the rest of the module and figure out how to get the q1 attribute to true.

The bigger picture

sources/move_lock.move

public entry fun movectf_unlock(data1 : vector<u64>, data2 : vector<u64>, resource_object: &mut ResourceObject, _ctx: &mut TxContext) {
    
    let encrypted_flag : vector<u64> = vector[19, 16, 17, 11, 9, 21, 18, 
                                              2, 3, 22, 7, 4, 25, 21, 5, 
                                              7, 23, 6, 23, 5, 13, 3, 5, 
                                              9, 16, 12, 22, 14, 3, 14, 12, 
                                              22, 18, 4, 3, 9, 2, 19, 5, 
                                              16, 7, 20, 1, 11, 18, 23, 4, 
                                              15, 20, 5, 24, 9, 1, 12, 5, 
                                              16, 10, 7, 2, 1, 21, 1, 25, 
                                              18, 22, 2, 2, 7, 25, 15, 7, 10];

    if (movectf_lock(data1, data2) == encrypted_flag) {
        if (!resource_object.q1) {
            resource_object.q1 = true;
        }
    }

}

There is a entry function called movectf_unlock(). The function takes in two vector<u64> (u64 arrays) and the ResourceObject. The function creates another array labeled as the encrypted_flag. The two data arrays are passed into the movectf_lock() function and the output is compared with the encrypted_flag. If the output is equal to the encrypted_flag, and if the q1 attribute of the resourceObject is not true, it sets the attribute to true. This is what we want! We just need to find out how to get the output of movectf_lock() to equal the encrypted_flag.

Take a look at the movectf_lock() function to understand what is happening.

It looks like the movectf_lock() function takes the two arrays and performs a few operations on them which result in the output array. We need to reverse engineering the combination algorithm to figure out what data to feed into the function to get the desired output.

Breaking down the algorithm

sources/move_lock.move

fun movectf_lock(data1 : vector<u64>, data2 : vector<u64>) : vector<u64> {
    
    let input1 = copy data1;
    let plaintext = &mut input1;
    let plaintext_length = vector::length(plaintext);
    assert!(plaintext_length > 3, 0);

    if ( plaintext_length % 3 != 0) {
        if (3 - (plaintext_length % 3) == 2) {
            vector::push_back(plaintext, 0);
            vector::push_back(plaintext, 0);
            plaintext_length = plaintext_length + 2;
        }
        else {
            vector::push_back(plaintext, 0);
            plaintext_length = plaintext_length + 1;
        }
    };

    let complete_plaintext = vector::empty<u64>();
    vector::push_back(&mut complete_plaintext, 4);
    vector::push_back(&mut complete_plaintext, 15);
    vector::push_back(&mut complete_plaintext, 11);
    vector::push_back(&mut complete_plaintext, 0);
    vector::push_back(&mut complete_plaintext, 13);
    vector::push_back(&mut complete_plaintext, 4);
    vector::push_back(&mut complete_plaintext, 19);
    vector::push_back(&mut complete_plaintext, 19);
    vector::push_back(&mut complete_plaintext, 19);
    vector::append(&mut complete_plaintext, *plaintext);
    plaintext_length = plaintext_length + 9;

    let input2 = copy data2;
    let key = &mut input2;
    let a11 = *vector::borrow(key, 0);
    let a12 = *vector::borrow(key, 1);
    let a13 = *vector::borrow(key, 2);
    let a21 = *vector::borrow(key, 3);
    let a22 = *vector::borrow(key, 4);
    let a23 = *vector::borrow(key, 5);
    let a31 = *vector::borrow(key, 6);
    let a32 = *vector::borrow(key, 7);
    let a33 = *vector::borrow(key, 8);
    
    assert!(vector::length(key) == 9, 0);
    
    let i : u64 = 0;
    let ciphertext = vector::empty<u64>();
    while (i < plaintext_length) {
        let p11 = *vector::borrow(&mut complete_plaintext, i+0);
        let p21 = *vector::borrow(&mut complete_plaintext, i+1);
        let p31 = *vector::borrow(&mut complete_plaintext, i+2);

        let c11 = ( (a11 * p11) + (a12 * p21) + (a13 * p31) ) % 26;
        let c21 = ( (a21 * p11) + (a22 * p21) + (a23 * p31) ) % 26;
        let c31 = ( (a31 * p11) + (a32 * p21) + (a33 * p31) ) % 26;

        vector::push_back(&mut ciphertext, c11);
        vector::push_back(&mut ciphertext, c21);
        vector::push_back(&mut ciphertext, c31);

        i = i + 3;
    };    

    ciphertext
    
}

The first thing that is checked is that the length of data1 is greater than 3. This is checked on line 6 of the above code block with the assert function. The assert() function is a built-in function that will halt the program if the first argument does not evaulate to true. The second argument is the error value that is outputted with the error.

In the next section of code, the if statement on line 8 is checking if the length of data1 is divisible by 3 or not. This section ensures that the array length will be divisible by 3. Make sure to go through the cases to understand how it is done. For reference the vector::push_back() function appends the given element to the end of the given array.

In the next section, starting on line 20, a new array is created and filled with some numbers. That contents of data1 is then added to the end of the new array. This new array is called, complete_plaintext.

In the next section, starting on line 33, the first nine items in data2 are store as separate variables. There is also a check that makes sure that length of data2 is exactly 9.

In the final section, starting on line 47, we are creating a new array based on the provided and generated data. The array is created 3 items at a time, and uses a certain algorithm to determine the values of the new array. Take some time to break down the algorithm that generates the new array.

So we need two pieces of data, the plaintext and the key will are used to get the encrypted_flag.

Creating a script to find the key and plaintext

import { Ed25519Keypair, JsonRpcProvider, RawSigner } from '@mysten/sui.js';
import dotenv from "dotenv";

// Address of the module
const MODULE_ADDRESS = '0x5793fdbb181ad2e830bcd63a838a52197279fe7f';

// Address/Object id of the ResourceObject
const RESOURCE_OBJECT_ID = '0x8236c4e99e2ca44bfdf141334a274a91a502cb29';

// The encrypted flag found in the module
// We want to find the plaintext that was used to encrypt this
const ENCRYPTED_FLAG = [
  19, 16, 17, 
  11, 9, 21, 
  18, 2, 3,
  22, 7, 4, 
  25, 21, 5, 
  7, 23, 6, 
  23, 5, 13, 
  3, 5, 9, 
  16, 12, 22, 
  14, 3, 14, 
  12, 22, 18, 
  4, 3, 9, 
  2, 19, 5, 
  16, 7, 20, 
  1, 11, 18, 
  23, 4, 15, 
  20, 5, 24, 
  9, 1, 12, 
  5, 16, 10, 
  7, 2, 1, 
  21, 1, 25, 
  18, 22, 2, 
  2, 7, 25, 
  15, 7, 10
];

// A portion of the plaintext that we know
const KNOWN_PLAINTEXT = [
  4, 15, 11,
  0, 13, 4, 
  19, 19, 19
];

// Max key value being tested
const MAX_NUM = 600;

// Function to figure out the key (data2) 
function getKey(keyMax: number) {

  let possible_key_vals = [] as number[][];

  for (let k11 = 0; k11 < keyMax; k11++) {
    for (let k12 = 0; k12 < keyMax; k12++) {
      for (let k13 = 0; k13 < keyMax; k13++) {
        // console.log(`Solving for key: ${k11}, ${k12}, ${k13}`);
        if (
          (((k11 * KNOWN_PLAINTEXT[0]) + (k12 * KNOWN_PLAINTEXT[1]) + (k13 * KNOWN_PLAINTEXT[2])) % 26) === ENCRYPTED_FLAG[0] &&
          (((k11 * KNOWN_PLAINTEXT[3]) + (k12 * KNOWN_PLAINTEXT[4]) + (k13 * KNOWN_PLAINTEXT[5])) % 26) === ENCRYPTED_FLAG[3] &&
          (((k11 * KNOWN_PLAINTEXT[6]) + (k12 * KNOWN_PLAINTEXT[7]) + (k13 * KNOWN_PLAINTEXT[8])) % 26) === ENCRYPTED_FLAG[6]
        ) {
          // console.log(`Found key: ${k11}, ${k12}, ${k13}`);
          // Find possible key values for 2nd item
          for (let k21 = 0; k21 < keyMax; k21++) {
            for (let k22 = 0; k22 < keyMax; k22++) {
              for (let k23 = 0; k23 < keyMax; k23++) {
                // console.log(`Solving for key: ${k11}, ${k12}, ${k13}, ${k21}, ${k22}, ${k23}`);
                if (
                  (((k21 * KNOWN_PLAINTEXT[0]) + (k22 * KNOWN_PLAINTEXT[1]) + (k23 * KNOWN_PLAINTEXT[2])) % 26) === ENCRYPTED_FLAG[1] &&
                  (((k21 * KNOWN_PLAINTEXT[3]) + (k22 * KNOWN_PLAINTEXT[4]) + (k23 * KNOWN_PLAINTEXT[5])) % 26) === ENCRYPTED_FLAG[4] &&
                  (((k21 * KNOWN_PLAINTEXT[6]) + (k22 * KNOWN_PLAINTEXT[7]) + (k23 * KNOWN_PLAINTEXT[8])) % 26) === ENCRYPTED_FLAG[7]
                ) {
                  // Find possible key values for 3rd item
                  for (let k31 = 0; k31 < keyMax; k31++) {
                    for (let k32 = 0; k32 < keyMax; k32++) {
                      for (let k33 = 0; k33 < keyMax; k33++) {
                        // console.log(`Solving for key: ${[k11, k12, k13, k21, k22, k23, k31, k32, k33]}`);
                        if (
                          (((k31 * KNOWN_PLAINTEXT[0]) + (k32 * KNOWN_PLAINTEXT[1]) + (k33 * KNOWN_PLAINTEXT[2])) % 26) === ENCRYPTED_FLAG[2] &&
                          (((k31 * KNOWN_PLAINTEXT[3]) + (k32 * KNOWN_PLAINTEXT[4]) + (k33 * KNOWN_PLAINTEXT[5])) % 26) === ENCRYPTED_FLAG[5] &&
                          (((k31 * KNOWN_PLAINTEXT[6]) + (k32 * KNOWN_PLAINTEXT[7]) + (k33 * KNOWN_PLAINTEXT[8])) % 26) === ENCRYPTED_FLAG[8]
                        ) {
                          console.log(`Found key: [${k11}, ${k12}, ${k13}, ${k21}, ${k22}, ${k23}, ${k31}, ${k32}, ${k33}]`);
                          possible_key_vals.push([k11, k12, k13, k21, k22, k23, k31, k32, k33]);
                          return [k11, k12, k13, k21, k22, k23, k31, k32, k33];
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }

  // No key was found
  console.log(`No key found`);
  return
  
}

// Function to decrypt the flag using the key
function getPlaintext(key: number[]) {
  let plaintext = [] as number[];

  // Helper function to check all possible plaintext values
  const findPlaintext = (index: number) => {
    for(let a = 0; a < 100; a++) {
      for(let b = 0; b < 100; b++) {
        for(let c = 0; c < 100; c++) {
          if (
            (((key[0] * a) + (key[1] * b) + (key[2] * c)) % 26) === ENCRYPTED_FLAG[index] &&
            (((key[3] * a) + (key[4] * b) + (key[5] * c)) % 26) === ENCRYPTED_FLAG[index + 1] &&
            (((key[6] * a) + (key[7] * b) + (key[8] * c)) % 26) === ENCRYPTED_FLAG[index + 2]
          ) {
            return [a, b, c];
          }
        }
      }
    }
    return [-1, -1, -1];
  }
  
  // Generate the plaintext
  for (let i = 0; i < ENCRYPTED_FLAG.length; i+= 3) {
    plaintext.push(...findPlaintext(i));
  }

  // Slice to ignore the 9 values that are provided in the module
  return plaintext.slice(9);
}

// Function to call the module's unlock function with the key and plaintext
async function unlock(key: number[], plaintext: number[]) {

  dotenv.config();

  // connect to local RPC server
  const provider = new JsonRpcProvider();

  // Create signer instance
  const keyPair = Ed25519Keypair.deriveKeypair(process.env.RECOVERY_PHRASE || 'hell0')
  const signer = new RawSigner(keyPair, provider);

  // Use this if you need to request SUI from the faucet
  // await provider.requestSuiFromFaucet(
  //   await signer.getAddress()
  // );

  console.log(`Signer address: ${await signer.getAddress()}`);

  // Call the get flag function in our solution module
  console.log(`Calling movectf_unlock() in solution module...`);
  const moveCallTxn = await signer.executeMoveCallWithRequestType({
    packageObjectId: MODULE_ADDRESS,
    module: 'move_lock',
    function: 'movectf_unlock',
    typeArguments: [],
    arguments: [
      plaintext, 
      key,
      RESOURCE_OBJECT_ID
    ],
    gasBudget: 10000,
  });
  console.log('Unlock transaction:', moveCallTxn);

  // Fetch information about the ResourceObject
  const resourceObject = await provider.getObject(RESOURCE_OBJECT_ID);
  const resourceObjectDetails = resourceObject.details as unknown as {data: {fields: {balance: number, q1: boolean}}};
  const q1 = resourceObjectDetails.data.fields.q1;

  // Exit if q1 is not true
  if (!q1) {
    console.log(`Q1 is not true. Exiting...`);
    return;
  }

  // Use the unlocked resource object to get the flag
  console.log(`Calling get_flag() in solution module...`);
  const moveCallTxn2 = await signer.executeMoveCallWithRequestType({
    packageObjectId: MODULE_ADDRESS,
    module: 'move_lock',
    function: 'get_flag',
    typeArguments: [],
    arguments: [
      RESOURCE_OBJECT_ID
    ],
    gasBudget: 10000,
  });
  console.log('Get flag transaction:', moveCallTxn2);
  
  return;
}

async function main() {
  const key = getKey(MAX_NUM);

  // Exit program if key was not found
  if (!key) {
    console.log(`No key found`);
    console.log(`Exiting...`);
    return;
  }

  // Decrypt the flag
  const plaintext = getPlaintext(key);
  console.log(`Plaintext: ${plaintext}`);

  // Unlock the resource object
  console.log(`Unlocking resource object...`);
  await unlock(key, plaintext);

  return
}

main();

This program will use the known plaintext and the encrypted_flag to find the key, use the key to generate the full plaintext, and then interact with the module to get the Flag event emitted.

View the transaction on the Sui blockchain explorer

The script will output all of the generate encryption data as well as the transaction data for function calls, including the transaction hash that contains the Flag event emittance.

Submit transaction hash

The transaction hash associated with the transaction where the Flag event was emitted can now be submitted!