Unf33dMe

Description

Easy structure but the choice of parameters make it as strong as a Babylonian defense.

Solution

This custom hash function has a very simple structure because each round are just applied an exponentiation and a sum with a publicly known round constant. This would have meant a direct correlation between input and output bytes, making it even invertible. However, at the end is performed a shuffle which essentially swaps elements of the state pairwise. This additional operation breaks the linear correlation, therefore the polynomials generated by this function will not be univariate, but instead bivariate. To make them solvable we have to solve a small system composed of the polynomials generated by the elements that at the end are swapped. To solve this system we can use the resultants to "merge" the two polynomials into a single univariate one of higher degree. Because of the degree reached by the polynomial due to the exponentiation and the resultants, we will have with high probability more than one solution for each pair. Each of these solutions must be combined with the other possible solutions of the other swapped states. Finally, we can filter out the real flag from all the possible solutions by considering those that starts with "snakeCTF{", that contains only printable characters and have a valid padding.

Here is the solver code.