def hmac(key, msg, hash_func, block_size=64): if len(key) > block_size: key = hash_func(key) elif len(key) < block_size: key = key.ljust(block_size, b"\x00") outer_key = xor(key, b"\x5c" * block_size) inner_key = xor(key, b"\x36" * block_size) return hash_func(outer_key + hash_func(inner_key + msg))
def aes_cbc(s, key, iv, mode):
if mode not in ("encrypt", "decrypt"):
raise ValueError(
f"Illegal mode {mode!r} is not 'decrypt' or 'encrypt'")
if mode == "encrypt":
s = pad_pkcs7(s, 16)
blocks = map(bytes, grouper(s, 16))
full_transformed = b""
prev = iv
for block in blocks:
if mode == "encrypt":
transformed = aes_ecb(xor(block, prev), key, mode, no_pad=True)
prev = transformed
full_transformed += transformed
else:
transformed = aes_ecb(block, key, mode)
full_transformed += xor(transformed, prev)
prev = block
return full_transformed
def decrypt_cbc_padding_oracle(padding_oracle, ct, iv=None):
blocks = list(map(bytes, grouper(ct, 16)))
if iv is not None:
blocks.insert(0, iv)
pt_blocks = []
for c1, c2 in zip(blocks, blocks[1:]):
pt_block = bytearray() # reversed
intermediate_block = bytearray() # reversed
for i in range(1, 17):
for c in range(256):
c1_ = c1[:-i] + bytes([c]) + xor(itertools.repeat(i),
reversed(intermediate_block))
if padding_oracle(c2, c1_):
intermediate_byte = c ^ i
pt_byte = c1[-i] ^ intermediate_byte
pt_block.append(pt_byte)
intermediate_block.append(intermediate_byte)
break
pt_blocks.append(bytes(reversed(pt_block)))
return unpad_pkcs7(b"".join(pt_blocks))
from utils.misc import rotations
def remove_spice(b):
return 0xff & ((b >> 1) | (b << 7))
def add_spice(b):
return 0xff & ((b << 1) | (b >> 7))
def super_secret_encryption(plaintext, password):
assert (len(password) == 8) # I heard 8 character long passwords are super strong!
assert (password.decode("utf-8").isalpha()) # The numbers on my keyboard don't work...
assert (b"Isabelle" in plaintext) # Only encrypt files Isabelle has been mentioned in
ciphertext = bytearray(
add_spice(c) ^ password[i % len(password)] for i, c in enumerate(plaintext)
)
return ciphertext
def super_secret_decryption(ciphertext, password):
plaintext = bytearray(
remove_spice(c ^ password[i % len(password)]) for i, c in enumerate(ciphertext)
)
return plaintext
with open("blackmail_encrypted", "rb") as f:
ct = f.read()
x = bytes(map(remove_spice, ct))
for i in range(len(x) - 8):
key = bytes(map(add_spice, xor(x[i:i + 8], b"Isabelle")))
if all(c in string.ascii_letters.encode() for c in key):
print(key)
from utils.crypto.xor import xor flag = b'0\x02\x04\x02\x1c\\VW]c\x1f]A\x1cX[O&T[\x14Tnh%\x7f\tBQ\x01,;\rCT:R\x13TpQP.V\x1c\x0ff\x14\x06g^\x13<EI1\x02' orz = b'Never gonna give you up Never gonna let you down Never gonna run around and desert you Never gonna make you cry Never gonna say goodbye Never gonna tell a lie and hurt you' print(xor(xor(xor(flag, orz[:57]), orz[57:57 * 2]), orz[57 * 2:]).decode())
def extract_cbc_iv(s, oracle):
# see https://github.com/ashutosh1206/Crypton/tree/master/Block-Cipher/CBC-IV-Detection
# or cryptopals 27
modified = s[:16] + b"\x00" * 16 + s[:16]
plaintext = oracle(modified)
return xor(plaintext[:16], plaintext[-16:])
v = match.group(2)
curr[first_half] = v
lookup[fn[:2]] = curr
#print(lookup)
target = grouper("javautil", 2)
possible2 = []
def find(v, x):
for k2, v2 in v.items():
if v2 == x:
yield k2
for x in target:
x = "".join(x)
possible = []
for first_half, v in lookup.items():
second_halves = list(find(v, x))
second_halves = itertools.chain.from_iterable(
find(v, second_half) for second_half in second_halves)
second_halves = itertools.chain.from_iterable(
find(v, second_half) for second_half in second_halves)
possible.extend(first_half + second_half
for second_half in second_halves)
print(possible)
possible2.append(possible)
print(possible2)
print(
xor(itertools.repeat(2), "".join(p[0] for p in possible2).encode("utf-8")))
def aes_ctr(s, key, nonce):
return xor(s, aes_ctr_keystream(key, nonce))