def test():
file_value = bytes(request.args.get("file"), "utf-8")
signature_hex = bytes(request.args.get("signature"), "utf-8")
computed_signature_hex = myhmac(sha1_from_github, file_value, HMAC_KEY)
print(computed_signature_hex)
if insecure_equals(hexToRaw(signature_hex), hexToRaw(computed_signature_hex)):
return RESPONSE_200
else:
return RESPONSE_500
def test():
file_value = bytes(request.args.get("file"), 'utf-8')
signature_hex = bytes(request.args.get("signature"), 'utf-8')
computed_signature_hex = myhmac(sha1_from_github, file_value, HMAC_KEY)
print(computed_signature_hex)
if (insecure_equals(hexToRaw(signature_hex),
hexToRaw(computed_signature_hex))):
return RESPONSE_200
else:
return RESPONSE_500
def hex_xor(hex1, hex2):
if (len(hex1) != len(hex2)):
return '';
raw1 = hexToRaw(hex1);
raw2 = hexToRaw(hex2);
rawresult = '';
for i in range(0, len(raw1)):
rawresult += chr(raw1[i] ^ raw2[i]);
# rawresult = raw1 ^ raw2;
return rawToHex(rawresult);
def findGoodKeys(cipher):
for i in range(256):
mg, plain = tryKey(cipher, rawToHexLUT[i]);
#print(str(i) + ": " + str(mg));
if (mg > .050):
print("potential key: 0x" + rawToHexLUT[i]);
print("Potential hex(plain): " + str(plain).lstrip("b'").rstrip("'"));
print(str(plain).lstrip("b'").rstrip("'"))
print("potential plaintext: " + str(hexToRaw(str(plain).lstrip("b'").rstrip("'"))))
print("potential plaintext: " + str(hexToRaw(str(plain).lstrip("b'").rstrip("'"))).lstrip("b'").rstrip("'"));
def hex_xor(hex1, hex2):
if (len(hex1) != len(hex2)):
return ''
raw1 = hexToRaw(hex1)
raw2 = hexToRaw(hex2)
rawresult = ''
for i in range(0, len(raw1)):
rawresult += chr(raw1[i] ^ raw2[i])
# rawresult = raw1 ^ raw2;
return rawToHex(rawresult)
def findGoodKeys(cipher):
for i in range(256):
mg, plain = tryKey(cipher, rawToHexLUT[i])
#print(str(i) + ": " + str(mg));
if (mg > .050):
print("potential key: 0x" + rawToHexLUT[i])
print("Potential hex(plain): " +
str(plain).lstrip("b'").rstrip("'"))
print(str(plain).lstrip("b'").rstrip("'"))
print("potential plaintext: " +
str(hexToRaw(str(plain).lstrip("b'").rstrip("'"))))
print("potential plaintext: " +
str(hexToRaw(str(plain).lstrip("b'").rstrip("'"))).lstrip(
"b'").rstrip("'"))
def rsa_demo2():
e = 3;
p = 4;
q = 4;
while ((p % e) == 1):
p = generatePrime(1024);
while ((q % e) == 1):
q = generatePrime(1024);
N = p*q;
phi = (p-1)*(q-1);
assert((phi%e) != 0);
d = invmod(e, phi);
message = 42;
encrypted = mypow(message, e, N);
decrypted = mypow(encrypted, d, N);
assert(message == decrypted);
#Finally, to encrypt a string, do something cheesy, like convert the
#string to hex and put "0x" on the front of it to turn it into a
#number. The math cares not how stupidly you feed it strings.
rawMessage = b'May the Force be with you'
hexMessage = rawToHex(rawMessage);
intMessage = int(hexMessage, 16);
encrypted = mypow(intMessage, e, N);
decrypted = mypow(encrypted, d, N);
assert(intMessage == decrypted);
assert(hexToRaw(hex(intMessage)[2:]) == rawMessage);
def hex_xor(hex1, hex2):
if (len(hex1) != len(hex2)):
return '';
raw1 = hexToRaw(hex1);
raw2 = hexToRaw(hex2);
for i in range(len(hex2)):
a=type(hex1[i])
print(a)
print(hex1[i],hex2[i])
print(hex1[i]^hex2[i])
rawresult = '';
for i in range(0, len(raw1)):
print(raw1[i]^raw2[i])
rawresult += chr(raw1[i] ^ raw2[i]);
# rawresult = raw1 ^ raw2;
return rawToHex(rawresult);
def rsa_demo2():
e = 3
p = 4
q = 4
while ((p % e) == 1):
p = generatePrime(1024)
while ((q % e) == 1):
q = generatePrime(1024)
N = p * q
phi = (p - 1) * (q - 1)
assert ((phi % e) != 0)
d = invmod(e, phi)
message = 42
encrypted = mypow(message, e, N)
decrypted = mypow(encrypted, d, N)
print('p = %d;q = %d; N = %d; e=%d; d=%d; message = %d; encrypted=%d' %
(p, q, N, e, d, message, encrypted))
assert (message == decrypted)
#Finally, to encrypt a string, do something cheesy, like convert the
#string to hex and put "0x" on the front of it to turn it into a
#number. The math cares not how stupidly you feed it strings.
rawMessage = b'May the Force be with you'
hexMessage = rawToHex(rawMessage)
intMessage = int(hexMessage, 16)
encrypted = mypow(intMessage, e, N)
decrypted = mypow(encrypted, d, N)
assert (intMessage == decrypted)
assert (hexToRaw(hex(intMessage)[2:]) == rawMessage)
def aes_cbc_enc(rawPlain, rawKey, rawIV):
plainBlocks = chunks(rawPlain, 16);
cipher = b'';
for block in plainBlocks:
blockIn = hexToRaw(hex_xor(rawToHex(block), rawToHex(rawIV)));
blockOut = aes_ecb_enc(blockIn, rawKey);
rawIV = blockOut;
cipher += blockOut;
return cipher;
def myhmac(hash_function, message, key):
if (len(key) > 64):
key = hash(key)
if (len(key) < 64):
key += (b'\x00' * (64 - len(key)))
opad = raw_xor(b'\x5c' * 64, key)
ipad = raw_xor(b'\x36' * 64, key)
return (hash_function(opad + hexToRaw(hash_function(ipad + message))))
def findSingleCharXOR(ciphers):
for cip in ciphers:
for i in range(256):
mg, plain = tryKey(cip, rawToHexLUT[i]);
if (mg > .050):
print("potential key: 0x" + rawToHexLUT[i]);
print("potential hex(cipher): " + str(cip).lstrip("b'").rstrip("'"));
print("potential hex(plain): " + str(plain).lstrip("b'").rstrip("'"));
print("potential plaintext: " + str(hexToRaw(str(plain).lstrip("b'").rstrip("'"))).lstrip("b'").rstrip("'"));
def aes_cbc_dec(rawCipher, rawKey, rawIV):
cipherBlocks = chunks(rawCipher, 16)
plain = b""
for block in cipherBlocks:
ecbOut = aes_ecb_dec(block, rawKey)
cbcOut = hexToRaw(hex_xor(rawToHex(ecbOut), rawToHex(rawIV)))
rawIV = block
plain += cbcOut
return plain
def myhmac(hash_function, message, key):
if len(key) > 64:
key = hash(key)
if len(key) < 64:
key += b"\x00" * (64 - len(key))
opad = raw_xor(b"\x5c" * 64, key)
ipad = raw_xor(b"\x36" * 64, key)
return hash_function(opad + hexToRaw(hash_function(ipad + message)))
def aes_cbc_enc(rawPlain, rawKey, rawIV):
plainBlocks = chunks(rawPlain, 16)
cipher = b""
for block in plainBlocks:
blockIn = hexToRaw(hex_xor(rawToHex(block), rawToHex(rawIV)))
blockOut = aes_ecb_enc(blockIn, rawKey)
rawIV = blockOut
cipher += blockOut
return cipher
def aes_cbc_dec(rawCipher, rawKey, rawIV):
cipherBlocks = chunks(rawCipher, 16);
plain = b'';
for block in cipherBlocks:
ecbOut = aes_ecb_dec(block, rawKey);
cbcOut = hexToRaw(hex_xor(rawToHex(ecbOut), rawToHex(rawIV)));
rawIV = block;
plain += cbcOut;
return plain;
def aes_cbc_dec(rawCipher, rawKey, rawIV):
cipherBlocks = chunks(rawCipher, 16)
plain = b''
for block in cipherBlocks:
ecbOut = aes_ecb_dec(block, rawKey)
cbcOut = hexToRaw(hex_xor(rawToHex(ecbOut), rawToHex(rawIV)))
rawIV = block
plain += cbcOut
return plain
def aes_cbc_enc(rawPlain, rawKey, rawIV):
plainBlocks = chunks(rawPlain, 16)
cipher = b''
for block in plainBlocks:
blockIn = hexToRaw(hex_xor(rawToHex(block), rawToHex(rawIV)))
blockOut = aes_ecb_enc(blockIn, rawKey)
rawIV = blockOut
cipher += blockOut
return cipher
def myhmac(hash_function, message, key):
if (len(key) > BLOCKSIZE):
key = hash(key)
if (len(key) < BLOCKSIZE):
key += (b'\x00' * (BLOCKSIZE - len(key)))
opad = raw_xor(b'\x5c' * BLOCKSIZE, key)
ipad = raw_xor(b'\x36' * BLOCKSIZE, key)
return hash_function(opad + hexToRaw(hash_function(ipad + message)))
def myhmac(hash_function, message, key):
if (len(key) > BLOCKSIZE):
key = hash(key)
if (len(key) < BLOCKSIZE):
key += (b'\x00' * (BLOCKSIZE - len(key)));
opad = raw_xor(b'\x5c' * BLOCKSIZE, key);
ipad = raw_xor(b'\x36' * BLOCKSIZE, key);
return hash_function(opad + hexToRaw(hash_function(ipad + message)));
def handle(self):
while True:
# typical url: http://localhost:9000/test?file=foo&signature=46b4ec586117154dacd49d664e5d63fdc88efb51
line = self.rfile.readline().strip();
if (line == None):
break;
file_index = line.find(b'file=')
signature_index = line.find(b'&signature=')
if ((file_index == -1 ) or (signature_index == -1)):
continue;
file_value = line[file_index + len(b'file='):signature_index]
signature_hex = line[signature_index+len(b'&signature='):]
computed_signature_hex = bytes(myhmac(sha1_from_github, file_value, HMAC_KEY), 'UTF-8');
if (insecure_equals(hexToRaw(signature_hex), hexToRaw(computed_signature_hex))):
self.wfile.write(RESPONSE_200);
else:
self.wfile.write(RESPONSE_500);
self.wfile.write(self.data.upper())
def findSingleCharXOR(ciphers):
for cip in ciphers:
for i in range(256):
mg, plain = tryKey(cip, rawToHexLUT[i])
if (mg > .050):
print("potential key: 0x" + rawToHexLUT[i])
print("potential hex(cipher): " +
str(cip).lstrip("b'").rstrip("'"))
print("potential hex(plain): " +
str(plain).lstrip("b'").rstrip("'"))
print("potential plaintext: " +
str(hexToRaw(str(plain).lstrip("b'").rstrip(
"'"))).lstrip("b'").rstrip("'"))
def appendMessage(original, tag, extra):
#assume secret is between 0 and 64 bytes in length
for i in range(65):
oldpadding = generateSHAPadding(len(original)+i);
newpadding= generateSHAPadding(len(original) + len(oldpadding) + len(extra) + i);
newdata = extra + newpadding;
a = int.from_bytes(tag[0:4], byteorder='big');
b = int.from_bytes(tag[4:8], byteorder='big');
c = int.from_bytes(tag[8:12], byteorder='big');
d = int.from_bytes(tag[12:16], byteorder='big');
e = int.from_bytes(tag[16:20], byteorder='big');
newtag = hexToRaw(nopaddingSHA(newdata, h0=a, h1=b, h2=c, h3=d, h4=e))
if (checkDumbHashAuth(original + oldpadding + extra, newtag)):
return newtag
print("Failure");
def generateEncryptedAdminProfile():
# get to a fresh block
s = 'A' * (16 - (len(prefix) % 16));
#locate the IV for my block
myIVBlock = ((len(prefix) + len(s)) // 16) - 1;
# add a known block value
s += 'X' * 16;
# encrypt
cip = padAndEncryptString(s);
# extract IV for block of interest
allBlocks = chunks(cip, 16);
myIV = allBlocks[myIVBlock];
# xor in IV with desired value
hexIV = rawToHex(myIV);
hexKnown = rawToHex('X'*16);
hexDesired = rawToHex(";admin=true;XXXX")
newHexIV = hex_xor(hexIV, hex_xor(hexKnown, hexDesired));
newIV = hexToRaw(newHexIV);
# insert "error"
allBlocks[myIVBlock] = newIV;
myCipher = b'';
for b in allBlocks:
myCipher += b;
return myCipher;
def tryKey(cipher, key):
fullkey = key * len(cipher);
fullkey = fullkey[:len(cipher)];
potential_plain = hex_xor(cipher, fullkey);
return calculateMG(hexToRaw(potential_plain)), potential_plain;
"MVQHYhoGGksABwdJAB0ASTpFNwQcTRoDBBgDUkksGioRHUkKCE5THEVCC08E" + \
"EgF0BBwJSQoOGkgGADpfADETDU5tBzcJEFMLTx0bAHQJCx8ADRJUDRdMN1RH" + \
"YgYGTi5jMURFeQEaSRAEOkURDAUCQRkKUmQ5XgBIKwYbQFIRSBVJGgwBGgtz" + \
"RRNNDwcVWE8BT3hJVCcCSQwGQx9IBE4KTwwdASEXF01jIgQATwZIPRpXKwYK" + \
"BkdEGwsRTxxDSToGMUlSCQZOFRwKUkQ5VEMnUh0BR0MBGgAAZDwGUwY7CBdN" + \
"HB5BFwMdUz0aQSwWSQoITlMcRUILTxoCEDUXF01jNw4BTwVBNlRBYhAIGhNM" + \
"EUgIRU5CRFMkOhwGBAQLTVQOHFkvUkUwF0lkbXkbHUVUBgAcFA0gRQYFCBpB" + \
"PU8FQSsaVycTAkJHYhsRSQAXABxUFzFFFggICkEDHR1OPxoqER1JDQhNEUgK" + \
"TkJPDAUAJhwQAg0XQRUBFgArU04lUh0GDlNUGwpOCU9jeTY1HFJARE4xGA4L" + \
"ACxSQTZSDxsJSw1ICFUdBgpTNjUcXk0OAUEDBxtUPRpCLQtFTgBPVB8NSRoK" + \
"SREKLUUVAklkERgOCwAsUkE2Ug8bCUsNSAhVHQYKUyI7RQUFABoEVA0dWXQa" + \
"Ry1SHgYOVBFIB08XQ0kUCnRvPgwQTgUbGBwAOVREYhAGAQBJEUgETgpPGR8E" + \
"LUUGBQgaQRIaHEshGk03AQANR1QdBAkAFwAcUwE9AFxNY2QxGA4LACxSQTZS" + \
"DxsJSw1ICFUdBgpTJjsIF00GAE1ULB1NPRpPLF5JAgJUVAUAAAYKCAFFXjUe" + \
"DBBOFRwOBgA+T04pC0kDElMdC0VXBgYdFkU2CgtNEAEUVBwTWXhTVG5SGg8e" + \
"AB0cRSo+AwgKRSANExlJCBQaBAsANU9TKxFJL0dMHRwRTAtPBRwQMAAATQcB" + \
"FlRlIkw5QwA2GggaR0YBBg5ZTgIcAAw3SVIaAQcVEU8QTyEaYy0fDE4ITlhI" + \
"Jk8DCkkcC3hFMQIEC0EbAVIqCFZBO1IdBgZUVA4QTgUWSR4QJwwRTWM="
if __name__ == "__main__":
bestKeySizes, bestScores = findKeySize(base64toHex(b64cipher), 20)
# after running this with a bunch of different number of blocks, 29 always pops out.
# I'm confident 29 is the right answer.
splits = splitCipher(base64toRaw(b64cipher), 29)
key = ""
for s in splits:
key += (findKey(s))
print("Key: " + str(key))
print("Plain: " + str(
hexToRaw(repeating_hex_xor(base64toHex(b64cipher), rawToHex(key)))))
def tryKey(cipher, key):
fullkey = key * len(cipher)
fullkey = fullkey[:len(cipher)]
potential_plain = hex_xor(cipher, fullkey)
return calculateMG(hexToRaw(potential_plain)), potential_plain
def dumbHashAuth(key, message):
return hexToRaw(sha1_from_github(key + message));
def dumbHashAuth(key, message):
return hexToRaw(sha1_from_github(key + message))
"YgYGTi5jMURFeQEaSRAEOkURDAUCQRkKUmQ5XgBIKwYbQFIRSBVJGgwBGgtz" + \
"RRNNDwcVWE8BT3hJVCcCSQwGQx9IBE4KTwwdASEXF01jIgQATwZIPRpXKwYK" + \
"BkdEGwsRTxxDSToGMUlSCQZOFRwKUkQ5VEMnUh0BR0MBGgAAZDwGUwY7CBdN" + \
"HB5BFwMdUz0aQSwWSQoITlMcRUILTxoCEDUXF01jNw4BTwVBNlRBYhAIGhNM" + \
"EUgIRU5CRFMkOhwGBAQLTVQOHFkvUkUwF0lkbXkbHUVUBgAcFA0gRQYFCBpB" + \
"PU8FQSsaVycTAkJHYhsRSQAXABxUFzFFFggICkEDHR1OPxoqER1JDQhNEUgK" + \
"TkJPDAUAJhwQAg0XQRUBFgArU04lUh0GDlNUGwpOCU9jeTY1HFJARE4xGA4L" + \
"ACxSQTZSDxsJSw1ICFUdBgpTNjUcXk0OAUEDBxtUPRpCLQtFTgBPVB8NSRoK" + \
"SREKLUUVAklkERgOCwAsUkE2Ug8bCUsNSAhVHQYKUyI7RQUFABoEVA0dWXQa" + \
"Ry1SHgYOVBFIB08XQ0kUCnRvPgwQTgUbGBwAOVREYhAGAQBJEUgETgpPGR8E" + \
"LUUGBQgaQRIaHEshGk03AQANR1QdBAkAFwAcUwE9AFxNY2QxGA4LACxSQTZS" + \
"DxsJSw1ICFUdBgpTJjsIF00GAE1ULB1NPRpPLF5JAgJUVAUAAAYKCAFFXjUe" + \
"DBBOFRwOBgA+T04pC0kDElMdC0VXBgYdFkU2CgtNEAEUVBwTWXhTVG5SGg8e" + \
"AB0cRSo+AwgKRSANExlJCBQaBAsANU9TKxFJL0dMHRwRTAtPBRwQMAAATQcB" + \
"FlRlIkw5QwA2GggaR0YBBg5ZTgIcAAw3SVIaAQcVEU8QTyEaYy0fDE4ITlhI" + \
"Jk8DCkkcC3hFMQIEC0EbAVIqCFZBO1IdBgZUVA4QTgUWSR4QJwwRTWM=";
if __name__ == "__main__":
bestKeySizes, bestScores = findKeySize(base64toHex(b64cipher), 20);
# print(bestKeySizes);
# print(bestScores);
# after running this with a bunch of different number of blocks, 29 always pops out.
# I'm confident 29 is the right answer.
splits = splitCipher(base64toRaw(b64cipher), 29);
key = "";
for s in splits:
key += (findKey(s));
print("Key: " + str(key));
print("Plain: " + str(hexToRaw(repeating_hex_xor(base64toHex(b64cipher), rawToHex(key)))));