I did not manage to solve this. Have to search on Github for some solution (very shameless to admit). I made some mistakes in solving the problem, which will be mentioned below. The challenge is similar to the so easy rsa challenge in HITCON 2021, in which maple3142 has a good blog entry about. Denote the Linear Congruential Generator (LCG) function as $f(x) = ax + b$, we have $q = f^x(p)$ for some unknown $x \in [2, 1000]$....
The challenge uses a LCG to generate plaintext, key and IV. To receive the flag we must present the AES-CBC encrypted plaintext given the key and IV, only we don’t know the key. The LCG resets a new state every 16 states (from the refresh function). Observing the code, we can learn that: The last 8 bytes of the plaintext and the first 8 bytes of the key are derived from some 16 consecutive states The last 8 bytes of the key and the first 8 bytes of the IV are derived from some 16 consecutive states....
This challenge is about the Dual_EC_DRBG random number generator, which is famous for being backdoored by the NSA so they can predict the output after reading only 32 bytes of the random stream. This excellent video should demonstrate how to generate the point $Q$ so that we can easily recover the state of the PRNG given that we know the relation of $P = dQ$, where $d$ is the secret component only known by the NSA....
For the challenge, we need to gain enough money (self.dollars >= 130), we should obtain the flag. Observing the PRNG, we can see that the PRNG is a Linear Congruential Generator, with properly randomized parameters. Let’s first discuss how to break the LCG. Denote the multiplier mul as $M$, increment inc as $I$, modulo as $N$. We can easily retrieve $M, I$ after obtaining three numbers from the LCG, denoted by $A, B, C$....