def uHash(self, message):
res = 0
plen = 16 - (len(message) % 16)
message += chr(plen) * plen
for i in xrange(len(message) / 16):
blk = s2i(message[16 * i: 16 * i + 16])
res = gf_2_128_mul(blk ^ res, s2i(self.key))
return res
def sign(self, message, nonce):
assert len(nonce) == 16
return i2s(self.uHash(message) ^ s2i(self.prp(nonce))).ljust(16, '\x00')
'http://toilet.eatpwnnosleep.com/login/?name={}'.format(name))
return base64.b64decode(r.history[0].cookies['session'])
# prefix: 29 | <- Control Start
# {"is_admin": false, "name": "Test"}
while True:
c1 = get_cookie(
' \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
c2 = get_cookie(
' \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01')
if c1[:16] == c2[:16]:
break
i1 = s2i(c1[-16:])
i2 = s2i(c2[-16:])
key_square = i1 ^ i2
'''
sqrt x = x ^ (2 ^ 127)
Therefore, we can get s2i(self.key)
'''
print "key * key = %d" % key_square
key = gf_pow(key_square, 2**127)
print "key = %d" % key
key_str = i2s(key)
prp = AES.new(key_str).encrypt
nonce = "0123456789abcdef"