def findCollision(message, prefix):
extra = (7 - len(prefix))%16
if extra == 0:
extra = 16
for extraPadding in itertools.product([chr(c) for c in xrange(0x30, 0x7b)], repeat=extra):
new_prefix = prefix + "".join(list(extraPadding))
print new_prefix
prefixHash = h2a(hash(new_prefix))
mid_part = h2a(xor_ascii_strings(prefixHash, message[:16]))
if not all(ord(c)>=32 and ord(c)<127 for c in mid_part):
continue
mal_message = h2a(pad_pkcs_7(a2h(new_prefix)) + h2a(xor_ascii_strings(prefixHash, message[:16])) + message[16:]
return mal_message
return ""
def solver():
message = "alert('MZA who was that?');\n"
h = hash(message)
prefix = b"alert('Ayo, the Wu is back!'); //"
collision = findCollision(message, prefix)
print "[+] Found one."
print a2h(collision)
return
if __name__=='__main__':
solver()
def decipher_block(iv, block):
predict = ['\x00'] * 16
for i in xrange(15, -1, -1):
for c in xrange(0, 256):
predict[i] = chr(c)
padding = (chr(16 - i) * (16 - i)).rjust(16, '\x00')
new_iv = crypty.xor_hex_strings(
crypty.xor_ascii_strings("".join(predict), crypty.h2a(iv)),
crypty.a2h(padding))
if padding_oracle(block, new_iv):
if i == 15:
# Recheck for the correctness of found byte, whether its a genioun padding at the end or just random thing.
flag = False
for ch in xrange(0, 256):
new_iv = crypty.xor_hex_strings(
crypty.xor_ascii_strings(
"".join(['\x00'] * 14) + chr(ch) + chr(c),
crypty.h2a(iv)),
crypty.a2h("\x00" * 14 + "\x02\x02"))
if padding_oracle(block, new_iv):
flag = True
break
if flag:
break
else:
break
return "".join(predict).encode("hex")
def get_block_size():
default_len = len(crypty.h2a(encryption_oracle(crypty.a2h(''))))
for i in xrange(1, 40):
plaintext = crypty.a2h('A' * i)
length = len(crypty.h2a(encryption_oracle(plaintext)))
if length is not default_len:
return length - default_len
return None
def get_initial_size():
default_len = len(crypty.h2a(encryption_oracle(crypty.a2h(''))))
for i in xrange(1, 17):
plaintext = crypty.a2h('A' * i)
length = len(crypty.h2a(encryption_oracle(plaintext)))
if length is not default_len:
return default_len - i
return None
def verifySignature(message, signature, e, N):
block = b'\x00' + h2a(i2h(encrypt(signature, e, N)))
print a2h(block)
r = re.compile(b'\x00\x01\xff+?\x00(.{40})', re.DOTALL)
m = r.match(block)
if not m:
return False
digest = m.group(1)
return digest == getSHA1(message)
def solve():
try:
print crypty.h2a(crypty.unpad_pkcs_7(crypty.a2h("ICE ICE BABY\x04\x04\x04\x04")))
except Exception as e:
print e
try:
print crypty.h2a(crypty.unpad_pkcs_7(crypty.a2h("ICE ICE BABY\x05\x05\x05\x05")))
except Exception as e:
print e
def solve():
ciphertext = encrypter('A' * 16)
blocks = crypty.get_blocks(ciphertext)
old_cipher_block = blocks[1]
new_cipher_block = crypty.xor_hex_strings(
crypty.xor_hex_strings(old_cipher_block, crypty.a2h('A' * 16)),
crypty.a2h(";admin=true;XXXX"))
blocks[1] = new_cipher_block
if decrypter("".join(blocks)):
print "New Ciphertext : %s" % ("".join(blocks))
def solve():
ciphertext = crypty.convert_b64_to_hex(get_ciphertext())
## Test to check hamming distance
assert crypty.hamming_distance(crypty.a2h("this is a test"),
crypty.a2h("wokka wokka!!!")) == 37
key_size = xor_cipher.attacks.keysize_estimator(ciphertext, 2, 40)[0][1]
print "Trying for key size: %d" % (key_size)
key = xor_cipher.attacks.brute_force(ciphertext, key_len=key_size)
print "Found Key : %d : %s" % (len(crypty.h2a(key)), crypty.h2a(key))
plaintext = xor_cipher.infra.decrypt(ciphertext, key)
print "Plaintext : %s" % (crypty.h2a(plaintext))
def get_suffix(block_size):
suffix_len = get_suffix_size()
guessed_suffix = ""
for idx in xrange(0,suffix_len):
prefix_len = block_size - len(guessed_suffix)%block_size - 1
plaintext = 'A'*prefix_len + guessed_suffix
ciphertext_1 = encryption_oracle(crypty.a2h('A'*prefix_len))
last_blk_idx = len(plaintext)/block_size
for c in xrange(0,256):
ciphertext_2 = encryption_oracle(crypty.a2h(plaintext[last_blk_idx*block_size:]+chr(c)))
if crypty.get_blocks(ciphertext_2)[0] == crypty.get_blocks(ciphertext_1)[last_blk_idx]:
guessed_suffix+=chr(c)
break
return guessed_suffix
def encrypter(userdata):
userdata = userdata.replace(";", "%3B").replace("=", "%3D")
prefix = "comment1=cooking%20MCs;userdata="
suffix = ";comment2=%20like%20a%20pound%20of%20bacon"
plaintext = prefix + userdata + suffix
ciphertext = aes_cbc.infra.encrypt_manual(crypty.a2h(plaintext), key, iv)
return ciphertext
def encrypt(plaintext, key, nounce):
"""
Encrypts plaintext using AES-128-CTR Block Cipher
:param plaintext: Hex string
:param key: Hex string
:param nounce: int
:return: Hex string
"""
plaintext = crypty.h2a(plaintext)
nounce_little_endian = struct.pack("<q",nounce)
keystream = []
for ctr in xrange(len(plaintext)/16 + 1):
ctr_little_endian = struct.pack("<q",ctr)
keystream.append(ecb_cipher.infra.encrypt(crypty.a2h(nounce_little_endian+ctr_little_endian), key))
keystream = "".join(keystream)[:len(plaintext)*2]
return crypty.xor_hex_strings(keystream, crypty.a2h(plaintext))
def get_prefix_size():
for i in xrange(32, 32 + 16):
ciphertext = encryption_oracle(crypty.a2h('A' * i))
idx = get_rep_block_idx(crypty.get_blocks(ciphertext))
if idx is not None:
return (16 * idx) - i + 32
return None
def oracle(msg):
key = generate_key()
iv = generate_key()
request = build_request(msg)
compressed_request = zlib.compress(request)
encrypted_request = aes_cbc.infra.encrypt_manual(pad_pkcs_7(a2h(compressed_request)), key, iv)
return len(encrypted_request)
def MDFunction1(plaintext, IV, pad=True):
hash = simplePadIVFn(IV)
if pad:
plaintext = simplePadMessageFn(plaintext)
for block in get_blocks(a2h(plaintext), block_size=8):
block = h2a(block)
hash = simpleHashFn(block, hash)
return hash
def solve():
block_size = get_block_size()
plaintext = crypty.a2h("A" * block_size)
ciphertext = encryption_oracle(plaintext)
ciphertext_blks = crypty.get_blocks(ciphertext, block_size=block_size)
if ciphertext_blks[0] == ciphertext_blks[1]:
print "[+] Detected ECB Encryption."
print get_suffix(block_size)
return
def encrypt(plaintext, key):
"""
Encrypts plaintext with key using AES-128-ECB
Provide Padded plaintext to encrypt, aligned with blocksize = 16
:param plaintext: hex string
:param key: hex string
:return: hex string
"""
encrypter = AES.new(crypty.h2a(key), AES.MODE_ECB)
return crypty.a2h(encrypter.encrypt(crypty.h2a(plaintext)))
def decrypt(ciphertext, key):
"""
Decrypts ciphertext with key using AES-128-ECB
Doesn't remove padding from decrypted string
:param ciphertext: hex string
:param key: hex string
:return: hex string
"""
decrypter = AES.new(crypty.h2a(key), AES.MODE_ECB)
plaintext = crypty.a2h(decrypter.decrypt(crypty.h2a(ciphertext)))
return plaintext
def get_suffix(block_size, suffix_len, prefix_size):
prefix_pad_len = (block_size - (prefix_size) % block_size) % block_size
guessed_suffix = ""
for idx in xrange(0, suffix_len):
plaintext_len = prefix_pad_len + block_size - len(
guessed_suffix) % block_size - 1
actual_plaintext = 'X' * prefix_size + 'A' * plaintext_len + guessed_suffix
ciphertext_1 = encryption_oracle(crypty.a2h('A' * plaintext_len))
last_blk_idx = len(actual_plaintext) / block_size
for c in xrange(0, 256):
ciphertext_2 = encryption_oracle(
crypty.a2h('A' * prefix_pad_len +
actual_plaintext[last_blk_idx * block_size:] +
chr(c)))
if crypty.get_blocks(
ciphertext_2)[(prefix_pad_len + prefix_size) /
block_size] == crypty.get_blocks(
ciphertext_1)[last_blk_idx]:
guessed_suffix += chr(c)
break
return guessed_suffix
def solver():
(e, d, N) = rsa_init(e=3)
original_message = "A" * 20
enc = encrypt(original_message, e, N)
msg = mpz(a2h(original_message), base=16)
s = mpz_random(rstate, N)
while s < 2:
s = mpz_random(rstate, N)
new_enc = t_mod(pow(s, e, N) * enc, N)
assert new_enc != enc
dec = decrypt(new_enc, d, N)
assert msg == t_mod(dec * invert(s, N), N)
return
def RSA(message):
e = 3
p = generatePrime(128)
while (p%e)==1 :
p = generatePrime(128)
q = generatePrime(128)
while (q%e)==1:
q = generatePrime(128)
N = p*q
phi = (p-1)*(q-1)
d = invert(e,phi)
msg = mpz(a2h(message), base=16)
encrypted = pow(msg, e, N)
return (encrypted, e, N)
def get_cipher_indexes(hex_cipher, idx, key_len):
"""
Returns a string of all char at index idx in all blocks
:param hex_cipher: hex string
:param idx: int
:return: hex string
"""
raw_cipher = crypty.h2a(hex_cipher)
result = ""
for start in xrange(0, len(raw_cipher), key_len):
block = raw_cipher[start:start + key_len]
if idx >= len(block):
break
result += block[idx]
return crypty.a2h(result)
def solve():
plaintext = """Burning 'em, if you ain't quick and nimble
I go crazy when I hear a cymbal"""
key = "ICE"
return xor_cipher.infra.encrypt(crypty.a2h(plaintext), crypty.a2h(key))
def simpleHashFn(message, state):
print a2h(message), a2h(state)
cipher = Blowfish.new(state, Blowfish.MODE_ECB)
newState = cipher.encrypt(message)
return newState
def forgeSignature(message):
digest = getSHA1(message)
block = b'\x00\x01\xff\x00' + digest + (b'\x00' * (128 - len(digest) - 4))
signature = iroot(mpz(a2h(block), base=16), 3)[0] + 1
print i2h(pow(signature, 3))
return signature
def solve():
print crypty.pad_pkcs_7(crypty.a2h("YELLOW SUBMARINE"), block_size=20)
def encrypter(userdata):
userdata = userdata.replace(";", "%3B").replace("=", "%3D")
ciphertext = aes_cbc.infra.encrypt_manual(crypty.a2h(userdata), key, iv)
return ciphertext
def edit(ciphertext, key, offset, newtext):
plaintext = list(aes_ctr.infra.decrypt(ciphertext, key, 0).decode("hex"))
plaintext[offset:offset + len(newtext)] = list(newtext)
return aes_ctr.infra.encrypt(crypty.a2h("".join(plaintext)), key, 0)
def hash(message):
message = pad_pkcs_7(a2h(message))
return aes_cbc.infra.encrypt_manual(message, a2h("YELLOW SUBMARINE"), "00"*16)
def solve():
ciphertext = crypty.convert_b64_to_hex(get_ciphertexts())
key = crypty.a2h("YELLOW SUBMARINE")
iv = crypty.a2h("\x00" * 16)
print crypty.h2a(aes_cbc.infra.decrypt_manual(ciphertext, key, iv))
def get_plaintext():
fp = open("25.txt", "r")
ciphertext = crypty.convert_b64_to_hex("".join(
[l.strip() for l in fp.readlines()]))
return aes_ecb.infra.decrypt(ciphertext, crypty.a2h("YELLOW SUBMARINE"))
