AlexCTF 2017 : crypto100-many_time_secrets

CR2: Many time secrets
This time Fady learned from his old mistake and decided to use onetime pad(OTP) as his encryption technique, but he never knew why people call it one time pad!


Encrypted message:  

So, from Wikipedia:

In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a one-time pre-shared key the same size as the message being sent. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is NEVER REUSED in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break.

In this challenge, Fady sent 11 messages, reusing the same private key to encrypt each one.

What could be wrong?

Let's say you have the image

..and you encrypt it by using the binary one-time-pad (XOR-ing on black and white) to get the following extremely secure encryption

Impossible to decrypt this one.. but you encrypt a smiley face with the same one-time-pad and get another secure encryption

But if you have both and you XOR them together

..then you get the image

Reusing the same key multiple times is called giving the encryption 'depth' - and it is intuitive that the more depth given, the more likely it is that information about the plaintext is contained within the encrypted text. (Source:

Knowing this, we just need a script that does the same w/ the 11 messages.

Luckily found this well-coded script, changed the ciphers and printed out the privkey:

Summing up.. the script works by taking the 11 messages and selecting one to XOR w/ each of the others..

..the result is an almost readable text like this: cure, Let*M**k*ow if *o{*a. Just fix it manually to: cure, Let Me know if you a, and you will get a fully decrypted text.

The flag is in the private key!
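The approach summed up above, as an added example rather than the script used in this writeup: a space heuristic recovers part of the reused pad, the output is readable with gaps, and a manually corrected plaintext pins the rest of the key. The key, messages and function names are constructed for illustration; the challenge's ciphertexts are not reproduced.

```python
import string

LETTERS = set(string.ascii_letters.encode())

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def guess_key(cts):
    """Space heuristic: space ^ letter is a letter, letter ^ letter is not.
    If a byte XORed with every other byte in its column gives only 0 or a
    letter, its plaintext was probably a space, so key byte = byte ^ 0x20."""
    key = [None] * max(map(len, cts))
    for i in range(len(key)):
        col = [c[i] for c in cts if i < len(c)]
        for cj in col:
            xs = [cj ^ ck for ck in col]
            if any(xs) and all(x == 0 or x in LETTERS for x in xs):
                key[i] = cj ^ 0x20
                break
    return key

def decrypt(ct, key):
    """Decrypt with a partial key; unknown positions are shown as '*'."""
    return "".join("*" if k is None else chr(c ^ k) for c, k in zip(ct, key))

def fix(key, ct, guess):
    """Manual fix: a guessed plaintext for one message pins those key bytes."""
    fixed = list(key)
    for i, (c, p) in enumerate(zip(ct, guess)):
        fixed[i] = c ^ p
    return fixed

# Constructed sample data (not the challenge's key or ciphertexts).
KEY = b"DEMO{pad_reused_x11}"
MESSAGES = [
    b"meet me at the docks",
    b"never reuse the pads",
    b"one time pad is safe",
    b"keys must stay fresh",
    b"xor leaks the spaces",
]
CTS = [xor(m, KEY) for m in MESSAGES]  # the mistake: one pad, many messages

if __name__ == "__main__":
    partial = guess_key(CTS)
    print(decrypt(CTS[0], partial))                 # readable with gaps
    full = fix(partial, CTS[0], b"meet me at the docks")
    print(bytes(full).decode())                     # the reused pad itself
    for ct in CTS:
        print(decrypt(ct, full))
```

Columns where no message has a space stay unknown after the heuristic pass, which is why the first output still has gaps to fill in by hand.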