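def edit(cipher, offset, new_plain):
    """Overwrite part of a CTR ciphertext with the encryption of ``new_plain``.

    Args:
        cipher: Existing ciphertext produced by ``aes_ctr(..., key, 0)``.
        offset: Byte position in ``cipher`` where the replacement starts.
        new_plain: Replacement plaintext bytes.

    Returns:
        A new ciphertext: ``cipher`` with the bytes starting at ``offset``
        replaced by the encryption of ``new_plain``. Bytes after the edited
        range are kept from ``cipher``.

    Raises:
        ValueError: If ``offset`` is outside ``0..len(cipher)``.

    Security note: every call reuses the module-level ``key`` with nonce 0,
    so whoever can pick ``new_plain`` and read the result learns the
    keystream for that range (new ciphertext XOR new plaintext). An edit API
    over a stream cipher needs a fresh nonce per write (re-encrypting the
    whole record) plus an authentication tag; as written it must not be
    reachable by untrusted callers.
    """
    if not 0 <= offset <= len(cipher):
        raise ValueError("offset must lie within the ciphertext")
    # Prefix `offset` zero bytes so new_plain is combined with keystream
    # bytes offset.., not 0..; the padding's ciphertext is then discarded.
    # NOTE(review): assumes aes_ctr(data, key, nonce) is a length-preserving
    # XOR with a keystream that starts at byte 0 -- confirm against chall18.
    new_cipher = aes_ctr(bytes(offset) + new_plain, key, 0)[offset:]
    # The tail must come from the original ciphertext; slicing new_cipher
    # here (as before) always produced an empty tail.
    return cipher[:offset] + new_cipher + cipher[offset + len(new_cipher):]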
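# Demonstration of why a random-access "edit" API over AES-CTR with a fixed
# key and nonce discloses the stored plaintext.
import base64
import os

from chall10 import decrypt_aes_cbc
from chall18 import aes_ctr


def edit(cipher, offset, new_plain):
    """Overwrite part of a CTR ciphertext with the encryption of ``new_plain``.

    Args:
        cipher: Existing ciphertext produced by ``aes_ctr(..., key, 0)``.
        offset: Byte position in ``cipher`` where the replacement starts.
        new_plain: Replacement plaintext bytes.

    Returns:
        ``cipher`` with the bytes starting at ``offset`` replaced by the
        encryption of ``new_plain``; bytes after the edited range are kept.

    Raises:
        ValueError: If ``offset`` is outside ``0..len(cipher)``.

    Security note: the module-level ``key`` and nonce 0 are reused on every
    call, so the caller learns the keystream for the edited range. A safe
    design re-encrypts under a fresh nonce and authenticates the result.
    """
    if not 0 <= offset <= len(cipher):
        raise ValueError("offset must lie within the ciphertext")
    # Prefix `offset` zero bytes so new_plain is combined with keystream
    # bytes offset.., not 0..; the padding's ciphertext is then discarded.
    # NOTE(review): assumes aes_ctr(data, key, nonce) is a length-preserving
    # XOR with a keystream that starts at byte 0 -- confirm against chall18.
    new_cipher = aes_ctr(bytes(offset) + new_plain, key, 0)[offset:]
    # The tail must come from the original ciphertext; the earlier slice of
    # new_cipher was always empty.
    return cipher[:offset] + new_cipher + cipher[offset + len(new_cipher):]


def pwn_edit(cipher):
    """Recover the plaintext of ``cipher`` using only the ``edit`` interface.

    Overwrites the whole ciphertext with a known filler (``b'A'``) and XORs
    old ciphertext, new ciphertext and the filler byte together. This works
    because ``edit`` encrypts the filler under the same keystream as the
    original data; it is the reason keystream reuse must be prevented.
    """
    payload = b'A' * len(cipher)
    new_cipher = edit(cipher, 0, payload)
    return bytes([x1 ^ x2 ^ ord('A') for x1, x2 in zip(cipher, new_cipher)])


iv = b'\0' * 16
key = b'YELLOW SUBMARINE'
# The literal is split into adjacent pieces only for layout; Python joins
# them into the same single bytes value.
cipher = base64.b64decode(
    b"CRIwqt4+szDbqkNY+I0qbNXPg1XLaCM5etQ5Bt9DRFV/xIN2k8Go7jtArLIyP605b071DL8C+FPYSHOXPkMMMFPAKm+Nsu0nCBMQVt9mlluHbVE/yl6VaBCjNuOGvHZ9WYvt51uR/lklZZ0ObqD5UaC1rupZwCEK4pIWf6JQ4pTyPjyiPtKXg54FNQvbVIHeotUG2kHEvHGS/w2Tt4E42xEwVfi29J3yp0O/TcL7aoRZIcJjMV4qxY/uvZLGsjo1/IyhtQp3vY0nSzJjGgaLYXpvRn8TaAcEtH3cqZenBooxBH3MxNjD/TVf3NastEWGnqeGp+0D9bQx/3L0+xTf+k2VjBDrV9HPXNELRgPN0MlNo79p2gEwWjfTbx2KbF6htgsbGgCMZ6/iCshy3R8/abxkl8eK/VfCGfA6bQQkqs91bgsT0RgxXSWzjjvh4eXTSl8xYoMDCGa2opN/b6Q2MdfvW7rEvp5mwJOfQFDtkv4M5cFEO3sjmU9MReRnCpvalG3ark0XC589rm+42jC4/oFWUdwvkzGkSeoabAJdEJCifhvtGosYgvQDARUoNTQAO1+CbnwdKnA/WbQ59S9MU61QKcYSuk+jK5nAMDot2dPmvxZIeqbB6ax1IH0cdVx7qB/Z2FlJ/U927xGmC/RUFwoXQDRqL05L22wEiF85HKx2XRVB0F7keglwX/kl4gga5rk3YrZ7VbInPpxUzgEaE4+BDoEqbv/rYMuaeOuBIkVchmzXwlpPORwbN0/RUL89xwOJKCQQZM8B1YsYOqeL3HGxKfpFo7kmArXSRKRHToXuBgDq07KS/jxaS1a1Paz/tvYHjLxwY0Ot3kS+cnBeq/FGSNL/fFV3J2a8eVvydsKat3XZS3WKcNNjY2ZEY1rHgcGL5bhVHs67bxb/IGQleyY+EwLuv5eUwS3wljJkGcWeFhlqxNXQ6NDTzRNlBS0W4CkNiDBMegCcOlPKC2ZLGw2ejgr2utoNfmRtehr+3LAhLMVjLyPSRQ/zDhHjXu+Kmt4elmTmqLgAUskiOiLYpr0zI7Pb4xsEkcxRFX9rKy5WV7NhJ1lR7BKyalO94jWIL4kJmh4GoUEhO+vDCNtW49PEgQkundV8vmzxKarUHZ0xr4feL1ZJTHinyUs/KUAJAZSAQ1Zx/S4dNj1HuchZzDDm/nE/Y3DeDhhNUwpggmesLDxFtqJJ/BRn8cgwM6/SMFDWUnhkX/t8qJrHphcxBjAmIdIWxDi2d78LA6xhEPUwNdPPhUrJcu5hvhDVXcceZLa+rJEmn4aftHm6/Q06WH7dq4RaaJePP6WHvQDpzZJOIMSEisApfh3QvHqdbiybZdyErz+yXjPXlKWG90kOz6fx+GbvGcHqibb/HUfcDosYA7lY4xY17llY5sibvWM91ohFN5jyDlHtngi7nWQgFcDNfSh77TDTzltUp9NnSJSgNOOwoSSNWadm6+AgbXfQNX6oJFaU4LQiAsRNa7vX/9jRfi655uvujM4ob199CZVxEls10"
    b"UI9pIemAQQ8z/3rgQ3eyL+fViyztUPg/2IvxOHveexE4owH4Fo/bRlhZK0mYIamVxsRADBuBlGqx1b0OuF4AoZZgUM4d8v3iyUufeh0QQqOkvJK/svkYHn3mf4JlUb2MTgtRQNYdZKDRgF3Q0IJaZuMyPWFsSNTYauWjMVqnj0AEDHh6QUMF8bXLM0jGwANP+r4yPdKJNsoZMpuVoUBJYWnDTV+8Ive6ZgBi4EEbPbMLXuqDMpDi4XcLE0UUPJ8VnmO5fAHMQkA64esY2QqldZ+5gEhjigueZjEf0917/X53ZYWJIRiICnmYPoM0GSYJRE0k3ycdlzZzljIGk+PQ7WgeJhthisEBDbgTuppqKNXLbNZZG/VaTdbpW1ylBv0eqamFOmyrTyh1APSGn37comTI3fmN6/wmVnmV4/FblvVwLuDvGgSCGPOF8i6FVfKvdESs+yr+1AEDJXfp6h0eNEUsM3gXaJCknGhnt3awtg1fSUiwpYfDKZxwpPOYUuer8Wi+VCDsWsUpkMxhhRqOBKaQaBDQG+kVJu6aPFlnSPQQTi1hxLwi0l0Rr38xkr+lHU7ix8LeJVgNsQdtxbovE3i7z3ZcTFY7uJkI9j9E0muDN9x8y/YN25rm6zULYaOjUoP/7FQZsSgxPIUvUiXkEq+FU2h0FqAC7H18cr3Za5x5dpw5nwawMArKoqG9qlhqc34lXV0ZYwULu58EImFIS8+kITFuu7jOeSXbBgbhx8zGPqavRXeiu0tbJd0gWs+YgMLzXtQIbQuVZENMxJSZB4aw5lPA4vr1fFBsiU4unjOEo/XAgwrTc0w0UndJFPvXRr3Ir5rFoIEOdRo+6os5DSlk82SBnUjwbje7BWsxWMkVhYO6bOGUm4VxcKWXu2jU66TxQVIHy7WHktMjioVlWJdZC5Hq0g1LHg1nWSmjPY2c/odZqN+dBBC51dCt4oi5UKmKtU5gjZsRSTcTlfhGUd6DY4Tp3CZhHjQRH4lZhg0bF/ooPTxIjLKK4r0+yR0lyRjqIYEY27HJMhZDXFDxBQQ1UkUIhAvXacDWB2pb3YyeSQjt8j/WSbQY6TzdLq8SreZiuMWcXmQk4EH3xu8bPsHlcvRI+B3gxKeLnwrVJqVLkf3m2cSGnWQhSLGbnAtgQPA6z7u3gGbBmRtP0KnAHWSK7q6onMoYTH+b5iFjCiVRqzUBVzRRKjAL4rcL2nYeV6Ec3PlnboRzJwZIjD6i7WCdcxERr4WVOjOBX4fhhKUiVvlmlcu8CkIiSnZENHZCpI41ypoVqVarHpqh2aP/PS624yfxx2N3C2ci7VIuH3DcSYcaTXEKhz/PRLJXkRgVlWxn7QuaJJzDvpBoFndoRu1+XCsup/AtkLidsSXMFTo/2Ka739+BgYDuRt1mE9EyuYyCMoxO/27sn1QWMMd1jtcv8Ze42MaM4y/PhAMp2RfCoVZALUS2K7XrOLl3s9LDFOdSrfD8GeMciBbfLGoXDvv5Oqq0S/OvjdID94UMcadpnSNsist/kcJJV0wtRGfALG2+UKYzEj/2TOiN75UlRvA5XgwfqajOvmIIXybbdhxpjnSB04X3iY82TNSYTmLLAzZlX2vmV9IKRRimZ2SpzNpvLKeB8lDhIyGzGXdiynQjFMNcVjZlmWHsH7eItAKWmCwNkeuAfFwir4TTGrgG1pMje7XA7kMT821cYbLSiPAwtlC0wm77F0Ta7jdMrLjMO29+1958CEzWPdzdfqKzlfBzsba0+dS6mcW/YTHaB4bDyXechZBk/35fUg+4geMj6PBTqLNNWXBX93dFC7fNyda+Lt9cVJnlhIi/61fr0KzxOeXNKgePKOC3Rz+fWw7Bm58FlYTgRgN63yFWSKl4sMfzihaQq0R8NMQIOjzuMl3Ie5ozSa+y9g4z52RRc69l4n4qzf0aErV/BEe7FrzRyWh4PkDj5wy5ECaRbfO7rbs1EHlshFvXfGlLdEfP2kKpT9U32NKZ4h+Gr9ym"
    b"qZ6isb1KfNov1rw0KSqYNP+EyWCyLRJ3EcOYdvVwVb+vIiyzxnRdugB3vNzaNljHG5ypEJQaTLphIQnlP02xcBpMNJN69bijVtnASN/TLV5ocYvtnWPTBKu3OyOkcflMaHCEUgHPW0fmGfld4i9Tu35zrKvTDzfxkJX7+KJ72d/V+ksNKWvwn/wvMOZsa2EEOfdCidmoql027IS5XvSHynQtvFmw0HTk9UXt8HdVNTqcdy/jUFmXpXNP2Wvn8PrU2DhkkIzWhQ5Rxd/vnM2QQr9Cxa2J9GXEV3kGDiZV90+PCDSVGY4VgF8y7GedI1h"
)
# NOTE(review): if this blob is the ECB-encrypted Cryptopals sample, CBC
# decryption with a zero IV only yields the first block correctly -- confirm
# the intended mode. The demonstration below works for any plaintext bytes.
plain = decrypt_aes_cbc(cipher, key, iv)
# From here on `key` is a fresh random key that the recovery step never reads
# directly; it only goes through edit().
key = os.urandom(16)
cipher = aes_ctr(plain, key, 0)
print(pwn_edit(cipher))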
# Demonstration of ciphertext malleability in AES-CTR: filtering ';' and '='
# out of user input before encryption does not keep them out of the
# decrypted token, because CTR gives confidentiality only. Tokens like this
# need an integrity check (an AEAD mode or encrypt-then-MAC) that is verified
# before the plaintext is parsed.
from chall18 import aes_ctr
from chall16 import check_admin
import os

# Random per-process AES key; every oracle call also uses nonce 0, so all
# tokens share one keystream.
key = os.urandom(16)


def oracle26(a):
    """Return the CTR encryption of a cookie-style string embedding ``a``.

    ``a`` (bytes) has every ``;`` and ``=`` stripped, is placed between a
    fixed prefix and suffix, and the result is encrypted with the module
    ``key`` and nonce 0. The output is not authenticated.
    """
    sanitized = a.replace(b';', b'').replace(b'=', b'')
    framed = b"".join((
        b"comment1=cooking%20MCs;userdata=",
        sanitized,
        b";comment2=%20like%20a%20pound%20of%20bacon",
    ))
    return aes_ctr(framed, key, 0)


def pwn_oracle26(target):
    """Build a ciphertext whose plaintext contains ``target`` in the userdata.

    Requests a token for a run of ``b'A'`` one byte longer than ``target``,
    then XORs the known filler byte and the wanted byte into each ciphertext
    position after the first filler byte. Prefix and suffix ciphertext are
    left untouched. Intermediate values are printed for inspection.
    """
    filler = b"A" * (len(target) + 1)
    print(filler)
    out = oracle26(filler)
    print(out)
    pre = len("comment1=cooking%20MCs;userdata=")
    post = len(";comment2=%20like%20a%20pound%20of%20bacon")
    head = out[:pre + 1]
    print(head)
    # zip() stops at len(target), matching the original index loop.
    flipped = bytes(
        c ^ ord('A') ^ t for c, t in zip(out[pre + 1:], target)
    )
    return head + flipped + out[-post:]


# CTR decryption is the same operation as encryption, so this prints the
# plaintext of the modified token.
forged = pwn_oracle26(b";admin=true")
print(aes_ctr(forged, key, 0))
def oracle26(a):
    """Return the CTR encryption of a cookie-style string embedding ``a``.

    ``a`` (bytes) has every ``;`` and ``=`` removed, is wrapped in a fixed
    prefix and suffix, and is encrypted with the module-level ``key`` and
    nonce 0.

    Security note: stripping metacharacters before encryption is not an
    integrity control. CTR output is malleable and this token carries no
    MAC, so the decrypted text can differ from what was sanitized here; the
    fixed nonce additionally makes every token share one keystream. Use an
    AEAD mode (or encrypt-then-MAC) with a unique nonce per token.
    """
    sanitized = a.replace(b';', b'').replace(b'=', b'')
    framed = b"".join((
        b"comment1=cooking%20MCs;userdata=",
        sanitized,
        b";comment2=%20like%20a%20pound%20of%20bacon",
    ))
    return aes_ctr(framed, key, 0)
# NOTE: the next two statements are the tail of a scoring helper whose `def` line lies above this excerpt; kept as found.
        score += CHARACTER_FREQ.get(chr(byte).lower(), 0)
    return score


def singlechar_xor_brute_force(ciphertext):
    """Return the best-scoring single-byte XOR candidate for ``ciphertext``.

    Tries all 256 byte values with ``singlechar_xor`` and rates each result
    with ``get_english_score``. Returns a dict with the keys ``'key'``,
    ``'score'`` and ``'plaintext'`` for the highest score; on a tie the
    lowest key value wins.
    """
    def _candidate(key_candidate):
        text = singlechar_xor(ciphertext, key_candidate)
        return {
            'key': key_candidate,
            'score': get_english_score(text),
            'plaintext': text,
        }

    # max() returns the first maximal element, the same pick as a stable
    # descending sort followed by [0].
    return max(map(_candidate, range(256)), key=lambda entry: entry['score'])


plains = [
    b'SSBoYXZlIG1ldCB0aGVtIGF0IGNsb3NlIG9mIGRheQ==',
    b'Q29taW5nIHdpdGggdml2aWQgZmFjZXM=',
    b'RnJvbSBjb3VudGVyIG9yIGRlc2sgYW1vbmcgZ3JleQ==',
    b'RWlnaHRlZW50aC1jZW50dXJ5IGhvdXNlcy4=',
    b'SSBoYXZlIHBhc3NlZCB3aXRoIGEgbm9kIG9mIHRoZSBoZWFk',
    b'T3IgcG9saXRlIG1lYW5pbmdsZXNzIHdvcmRzLA==',
    b'T3IgaGF2ZSBsaW5nZXJlZCBhd2hpbGUgYW5kIHNhaWQ=',
    b'UG9saXRlIG1lYW5pbmdsZXNzIHdvcmRzLA==',
    b'QW5kIHRob3VnaHQgYmVmb3JlIEkgaGFkIGRvbmU=',
    b'T2YgYSBtb2NraW5nIHRhbGUgb3IgYSBnaWJl',
    b'VG8gcGxlYXNlIGEgY29tcGFuaW9u',
    b'QXJvdW5kIHRoZSBmaXJlIGF0IHRoZSBjbHViLA==',
    b'QmVpbmcgY2VydGFpbiB0aGF0IHRoZXkgYW5kIEk=',
    b'QnV0IGxpdmVkIHdoZXJlIG1vdGxleSBpcyB3b3JuOg==',
    b'QWxsIGNoYW5nZWQsIGNoYW5nZWQgdXR0ZXJseTo=',
    b'QSB0ZXJyaWJsZSBiZWF1dHkgaXMgYm9ybi4=',
    b'VGhhdCB3b21hbidzIGRheXMgd2VyZSBzcGVudA==',
    b'SW4gaWdub3JhbnQgZ29vZCB3aWxsLA==',
    b'SGVyIG5pZ2h0cyBpbiBhcmd1bWVudA==',
    b'VW50aWwgaGVyIHZvaWNlIGdyZXcgc2hyaWxsLg==',
    b'V2hhdCB2b2ljZSBtb3JlIHN3ZWV0IHRoYW4gaGVycw==',
    b'V2hlbiB5b3VuZyBhbmQgYmVhdXRpZnVsLA==',
    b'U2hlIHJvZGUgdG8gaGFycmllcnM/',
    b'VGhpcyBtYW4gaGFkIGtlcHQgYSBzY2hvb2w=',
    b'QW5kIHJvZGUgb3VyIHdpbmdlZCBob3JzZS4=',
    b'VGhpcyBvdGhlciBoaXMgaGVscGVyIGFuZCBmcmllbmQ=',
    b'V2FzIGNvbWluZyBpbnRvIGhpcyBmb3JjZTs=',
    b'SGUgbWlnaHQgaGF2ZSB3b24gZmFtZSBpbiB0aGUgZW5kLA==',
    b'U28gc2Vuc2l0aXZlIGhpcyBuYXR1cmUgc2VlbWVkLA==',
    b'U28gZGFyaW5nIGFuZCBzd2VldCBoaXMgdGhvdWdodC4=',
    b'VGhpcyBvdGhlciBtYW4gSSBoYWQgZHJlYW1lZA==',
    b'QSBkcnVua2VuLCB2YWluLWdsb3Jpb3VzIGxvdXQu',
    b'SGUgaGFkIGRvbmUgbW9zdCBiaXR0ZXIgd3Jvbmc=',
    b'VG8gc29tZSB3aG8gYXJlIG5lYXIgbXkgaGVhcnQs',
    b'WWV0IEkgbnVtYmVyIGhpbSBpbiB0aGUgc29uZzs=',
    b'SGUsIHRvbywgaGFzIHJlc2lnbmVkIGhpcyBwYXJ0',
    b'SW4gdGhlIGNhc3VhbCBjb21lZHk7',
    b'SGUsIHRvbywgaGFzIGJlZW4gY2hhbmdlZCBpbiBoaXMgdHVybiw=',
    b'VHJhbnNmb3JtZWQgdXR0ZXJseTo=',
    b'QSB0ZXJyaWJsZSBiZWF1dHkgaXMgYm9ybi4=',
]

# One random AES key, and nonce 0 for every message: all ciphertexts below
# are XORed with the same keystream. A unique nonce per message is what
# prevents the column-wise analysis that follows.
key = bytes(bytearray(os.urandom(16)))
ciphers = []
for encoded in plains:
    print(encoded)
    ciphers.append(aes_ctr(base64.b64decode(encoded), key, 0))

lenghts = [len(x) for x in ciphers]
max_len = max(lenghts)

# `guessed_key` collects one estimated keystream byte per position; it is
# the shared keystream, not the AES key.
guessed_key = b''
for pos in range(max_len):
    # Byte `pos` of every ciphertext long enough to have one.
    column = bytes(c[pos] for c in ciphers if len(c) > pos)
    guessed_key += bytes([singlechar_xor_brute_force(column)["key"]])

for cipher in ciphers:
    print(bytes(b1 ^ b2 for b1, b2 in zip(cipher, guessed_key)))