def findCollision(message, prefix): extra = (7 - len(prefix))%16 if extra == 0: extra = 16 for extraPadding in itertools.product([chr(c) for c in xrange(0x30, 0x7b)], repeat=extra): new_prefix = prefix + "".join(list(extraPadding)) print new_prefix prefixHash = h2a(hash(new_prefix)) mid_part = h2a(xor_ascii_strings(prefixHash, message[:16])) if not all(ord(c)>=32 and ord(c)<127 for c in mid_part): continue mal_message = h2a(pad_pkcs_7(a2h(new_prefix)) + h2a(xor_ascii_strings(prefixHash, message[:16])) + message[16:] return mal_message return "" def solver(): message = "alert('MZA who was that?');\n" h = hash(message) prefix = b"alert('Ayo, the Wu is back!'); //" collision = findCollision(message, prefix) print "[+] Found one." print a2h(collision) return if __name__=='__main__': solver()
def decipher_block(iv, block): predict = ['\x00'] * 16 for i in xrange(15, -1, -1): for c in xrange(0, 256): predict[i] = chr(c) padding = (chr(16 - i) * (16 - i)).rjust(16, '\x00') new_iv = crypty.xor_hex_strings( crypty.xor_ascii_strings("".join(predict), crypty.h2a(iv)), crypty.a2h(padding)) if padding_oracle(block, new_iv): if i == 15: # Recheck for the correctness of found byte, whether its a genioun padding at the end or just random thing. flag = False for ch in xrange(0, 256): new_iv = crypty.xor_hex_strings( crypty.xor_ascii_strings( "".join(['\x00'] * 14) + chr(ch) + chr(c), crypty.h2a(iv)), crypty.a2h("\x00" * 14 + "\x02\x02")) if padding_oracle(block, new_iv): flag = True break if flag: break else: break return "".join(predict).encode("hex")
def get_block_size(): default_len = len(crypty.h2a(encryption_oracle(crypty.a2h('')))) for i in xrange(1, 40): plaintext = crypty.a2h('A' * i) length = len(crypty.h2a(encryption_oracle(plaintext))) if length is not default_len: return length - default_len return None
def get_initial_size(): default_len = len(crypty.h2a(encryption_oracle(crypty.a2h('')))) for i in xrange(1, 17): plaintext = crypty.a2h('A' * i) length = len(crypty.h2a(encryption_oracle(plaintext))) if length is not default_len: return default_len - i return None
def verifySignature(message, signature, e, N): block = b'\x00' + h2a(i2h(encrypt(signature, e, N))) print a2h(block) r = re.compile(b'\x00\x01\xff+?\x00(.{40})', re.DOTALL) m = r.match(block) if not m: return False digest = m.group(1) return digest == getSHA1(message)
def solve(): try: print crypty.h2a(crypty.unpad_pkcs_7(crypty.a2h("ICE ICE BABY\x04\x04\x04\x04"))) except Exception as e: print e try: print crypty.h2a(crypty.unpad_pkcs_7(crypty.a2h("ICE ICE BABY\x05\x05\x05\x05"))) except Exception as e: print e
def solve(): ciphertext = encrypter('A' * 16) blocks = crypty.get_blocks(ciphertext) old_cipher_block = blocks[1] new_cipher_block = crypty.xor_hex_strings( crypty.xor_hex_strings(old_cipher_block, crypty.a2h('A' * 16)), crypty.a2h(";admin=true;XXXX")) blocks[1] = new_cipher_block if decrypter("".join(blocks)): print "New Ciphertext : %s" % ("".join(blocks))
def solve(): ciphertext = crypty.convert_b64_to_hex(get_ciphertext()) ## Test to check hamming distance assert crypty.hamming_distance(crypty.a2h("this is a test"), crypty.a2h("wokka wokka!!!")) == 37 key_size = xor_cipher.attacks.keysize_estimator(ciphertext, 2, 40)[0][1] print "Trying for key size: %d" % (key_size) key = xor_cipher.attacks.brute_force(ciphertext, key_len=key_size) print "Found Key : %d : %s" % (len(crypty.h2a(key)), crypty.h2a(key)) plaintext = xor_cipher.infra.decrypt(ciphertext, key) print "Plaintext : %s" % (crypty.h2a(plaintext))
def get_suffix(block_size): suffix_len = get_suffix_size() guessed_suffix = "" for idx in xrange(0,suffix_len): prefix_len = block_size - len(guessed_suffix)%block_size - 1 plaintext = 'A'*prefix_len + guessed_suffix ciphertext_1 = encryption_oracle(crypty.a2h('A'*prefix_len)) last_blk_idx = len(plaintext)/block_size for c in xrange(0,256): ciphertext_2 = encryption_oracle(crypty.a2h(plaintext[last_blk_idx*block_size:]+chr(c))) if crypty.get_blocks(ciphertext_2)[0] == crypty.get_blocks(ciphertext_1)[last_blk_idx]: guessed_suffix+=chr(c) break return guessed_suffix
def encrypter(userdata): userdata = userdata.replace(";", "%3B").replace("=", "%3D") prefix = "comment1=cooking%20MCs;userdata=" suffix = ";comment2=%20like%20a%20pound%20of%20bacon" plaintext = prefix + userdata + suffix ciphertext = aes_cbc.infra.encrypt_manual(crypty.a2h(plaintext), key, iv) return ciphertext
def encrypt(plaintext, key, nounce): """ Encrypts plaintext using AES-128-CTR Block Cipher :param plaintext: Hex string :param key: Hex string :param nounce: int :return: Hex string """ plaintext = crypty.h2a(plaintext) nounce_little_endian = struct.pack("<q",nounce) keystream = [] for ctr in xrange(len(plaintext)/16 + 1): ctr_little_endian = struct.pack("<q",ctr) keystream.append(ecb_cipher.infra.encrypt(crypty.a2h(nounce_little_endian+ctr_little_endian), key)) keystream = "".join(keystream)[:len(plaintext)*2] return crypty.xor_hex_strings(keystream, crypty.a2h(plaintext))
def get_prefix_size(): for i in xrange(32, 32 + 16): ciphertext = encryption_oracle(crypty.a2h('A' * i)) idx = get_rep_block_idx(crypty.get_blocks(ciphertext)) if idx is not None: return (16 * idx) - i + 32 return None
def oracle(msg): key = generate_key() iv = generate_key() request = build_request(msg) compressed_request = zlib.compress(request) encrypted_request = aes_cbc.infra.encrypt_manual(pad_pkcs_7(a2h(compressed_request)), key, iv) return len(encrypted_request)
def MDFunction1(plaintext, IV, pad=True): hash = simplePadIVFn(IV) if pad: plaintext = simplePadMessageFn(plaintext) for block in get_blocks(a2h(plaintext), block_size=8): block = h2a(block) hash = simpleHashFn(block, hash) return hash
def solve(): block_size = get_block_size() plaintext = crypty.a2h("A" * block_size) ciphertext = encryption_oracle(plaintext) ciphertext_blks = crypty.get_blocks(ciphertext, block_size=block_size) if ciphertext_blks[0] == ciphertext_blks[1]: print "[+] Detected ECB Encryption." print get_suffix(block_size) return
def encrypt(plaintext, key): """ Encrypts plaintext with key using AES-128-ECB Provide Padded plaintext to encrypt, aligned with blocksize = 16 :param plaintext: hex string :param key: hex string :return: hex string """ encrypter = AES.new(crypty.h2a(key), AES.MODE_ECB) return crypty.a2h(encrypter.encrypt(crypty.h2a(plaintext)))
def decrypt(ciphertext, key): """ Decrypts ciphertext with key using AES-128-ECB Doesn't remove padding from decrypted string :param ciphertext: hex string :param key: hex string :return: hex string """ decrypter = AES.new(crypty.h2a(key), AES.MODE_ECB) plaintext = crypty.a2h(decrypter.decrypt(crypty.h2a(ciphertext))) return plaintext
def get_suffix(block_size, suffix_len, prefix_size): prefix_pad_len = (block_size - (prefix_size) % block_size) % block_size guessed_suffix = "" for idx in xrange(0, suffix_len): plaintext_len = prefix_pad_len + block_size - len( guessed_suffix) % block_size - 1 actual_plaintext = 'X' * prefix_size + 'A' * plaintext_len + guessed_suffix ciphertext_1 = encryption_oracle(crypty.a2h('A' * plaintext_len)) last_blk_idx = len(actual_plaintext) / block_size for c in xrange(0, 256): ciphertext_2 = encryption_oracle( crypty.a2h('A' * prefix_pad_len + actual_plaintext[last_blk_idx * block_size:] + chr(c))) if crypty.get_blocks( ciphertext_2)[(prefix_pad_len + prefix_size) / block_size] == crypty.get_blocks( ciphertext_1)[last_blk_idx]: guessed_suffix += chr(c) break return guessed_suffix
def solver(): (e, d, N) = rsa_init(e=3) original_message = "A" * 20 enc = encrypt(original_message, e, N) msg = mpz(a2h(original_message), base=16) s = mpz_random(rstate, N) while s < 2: s = mpz_random(rstate, N) new_enc = t_mod(pow(s, e, N) * enc, N) assert new_enc != enc dec = decrypt(new_enc, d, N) assert msg == t_mod(dec * invert(s, N), N) return
def RSA(message): e = 3 p = generatePrime(128) while (p%e)==1 : p = generatePrime(128) q = generatePrime(128) while (q%e)==1: q = generatePrime(128) N = p*q phi = (p-1)*(q-1) d = invert(e,phi) msg = mpz(a2h(message), base=16) encrypted = pow(msg, e, N) return (encrypted, e, N)
def get_cipher_indexes(hex_cipher, idx, key_len): """ Returns a string of all char at index idx in all blocks :param hex_cipher: hex string :param idx: int :return: hex string """ raw_cipher = crypty.h2a(hex_cipher) result = "" for start in xrange(0, len(raw_cipher), key_len): block = raw_cipher[start:start + key_len] if idx >= len(block): break result += block[idx] return crypty.a2h(result)
def solve(): plaintext = """Burning 'em, if you ain't quick and nimble I go crazy when I hear a cymbal""" key = "ICE" return xor_cipher.infra.encrypt(crypty.a2h(plaintext), crypty.a2h(key))
def simpleHashFn(message, state): print a2h(message), a2h(state) cipher = Blowfish.new(state, Blowfish.MODE_ECB) newState = cipher.encrypt(message) return newState
def forgeSignature(message): digest = getSHA1(message) block = b'\x00\x01\xff\x00' + digest + (b'\x00' * (128 - len(digest) - 4)) signature = iroot(mpz(a2h(block), base=16), 3)[0] + 1 print i2h(pow(signature, 3)) return signature
def solve(): print crypty.pad_pkcs_7(crypty.a2h("YELLOW SUBMARINE"), block_size=20)
def encrypter(userdata): userdata = userdata.replace(";", "%3B").replace("=", "%3D") ciphertext = aes_cbc.infra.encrypt_manual(crypty.a2h(userdata), key, iv) return ciphertext
def edit(ciphertext, key, offset, newtext): plaintext = list(aes_ctr.infra.decrypt(ciphertext, key, 0).decode("hex")) plaintext[offset:offset + len(newtext)] = list(newtext) return aes_ctr.infra.encrypt(crypty.a2h("".join(plaintext)), key, 0)
def hash(message): message = pad_pkcs_7(a2h(message)) return aes_cbc.infra.encrypt_manual(message, a2h("YELLOW SUBMARINE"), "00"*16)
def solve(): ciphertext = crypty.convert_b64_to_hex(get_ciphertexts()) key = crypty.a2h("YELLOW SUBMARINE") iv = crypty.a2h("\x00" * 16) print crypty.h2a(aes_cbc.infra.decrypt_manual(ciphertext, key, iv))
def get_plaintext(): fp = open("25.txt", "r") ciphertext = crypty.convert_b64_to_hex("".join( [l.strip() for l in fp.readlines()])) return aes_ecb.infra.decrypt(ciphertext, crypty.a2h("YELLOW SUBMARINE"))