by quelsolaar 4619 days ago
This looks fishy to me. Follow my thought: If you are looking at the very first value coming out of the stream, that value should have zero bias from the algorithm. Why? Because it is an XOR of two different values in the key. If both values are properly random then so should their XOR.

Note that at this point the algorithm has not yet started modifying itself, so the original key is still intact. The self-modifying code may still be broken, but I think we can be fairly sure the first value has the exact same bias as the random number generator.


So if you know the plaintext you get the user's key?
Standard with one time pads (and symmetric encryption in general) — the key and plaintext are a shared secret.
It's not standard with symmetric encryption in general; it's a "known plaintext attack". http://en.wikipedia.org/wiki/Known-plaintext_attack - with AES, for example, even if you know the plaintext there is no known way to obtain the key (faster than brute force search).
The answer should be no. But I don't know.