def aes_cbc_dec(rawCipher, rawKey, rawIV):
cipherBlocks = chunks(rawCipher, 16);
plain = b'';
for block in cipherBlocks:
ecbOut = aes_ecb_dec(block, rawKey);
cbcOut = hexToRaw(hex_xor(rawToHex(ecbOut), rawToHex(rawIV)));
rawIV = block;
plain += cbcOut;
return plain;
def aes_cbc_dec(rawCipher, rawKey, rawIV):
cipherBlocks = chunks(rawCipher, 16)
plain = b''
for block in cipherBlocks:
ecbOut = aes_ecb_dec(block, rawKey)
cbcOut = hexToRaw(hex_xor(rawToHex(ecbOut), rawToHex(rawIV)))
rawIV = block
plain += cbcOut
return plain
def aes_cbc_enc(rawPlain, rawKey, rawIV):
plainBlocks = chunks(rawPlain, 16)
cipher = b""
for block in plainBlocks:
blockIn = hexToRaw(hex_xor(rawToHex(block), rawToHex(rawIV)))
blockOut = aes_ecb_enc(blockIn, rawKey)
rawIV = blockOut
cipher += blockOut
return cipher
def aes_cbc_dec(rawCipher, rawKey, rawIV):
cipherBlocks = chunks(rawCipher, 16)
plain = b""
for block in cipherBlocks:
ecbOut = aes_ecb_dec(block, rawKey)
cbcOut = hexToRaw(hex_xor(rawToHex(ecbOut), rawToHex(rawIV)))
rawIV = block
plain += cbcOut
return plain
def aes_cbc_enc(rawPlain, rawKey, rawIV):
plainBlocks = chunks(rawPlain, 16);
cipher = b'';
for block in plainBlocks:
blockIn = hexToRaw(hex_xor(rawToHex(block), rawToHex(rawIV)));
blockOut = aes_ecb_enc(blockIn, rawKey);
rawIV = blockOut;
cipher += blockOut;
return cipher;
def aes_cbc_enc(rawPlain, rawKey, rawIV):
plainBlocks = chunks(rawPlain, 16)
cipher = b''
for block in plainBlocks:
blockIn = hexToRaw(hex_xor(rawToHex(block), rawToHex(rawIV)))
blockOut = aes_ecb_enc(blockIn, rawKey)
rawIV = blockOut
cipher += blockOut
return cipher
def test5():
plain = "Burning 'em, if you ain't quick and nimble\nI go crazy when I hear a cymbal";
key = "ICE";
cipher = repeating_hex_xor(rawToHex(plain), rawToHex(key));
expected = b'0b3637272a2b2e63622c2e69692a23693a2a3c6324202d623d63343c2a26226324272765272a282b2f20430a652e2c652a3124333a653e2b2027630c692b20283165286326302e27282f';
if (str(expected) == str(cipher)):
return True;
print("Expected: " + str(expected));
print("Cipher : " + str(cipher));
return False;
def test30():
message = b'comment1=cooking%20MCs;userdata=foo;comment2=%20like%20a%20pound%20of%20bacon'
print('message ', message)
tag = dumbMD4HashAuth(hash_secret, message)
print('hash(secret||message) ', tag)
newtag = appendMessage(message, tag, b';admin=true')
print("new tag = ", rawToHex(newtag))
def rsa_demo2():
e = 3
p = 4
q = 4
while ((p % e) == 1):
p = generatePrime(1024)
while ((q % e) == 1):
q = generatePrime(1024)
N = p * q
phi = (p - 1) * (q - 1)
assert ((phi % e) != 0)
d = invmod(e, phi)
message = 42
encrypted = mypow(message, e, N)
decrypted = mypow(encrypted, d, N)
print('p = %d;q = %d; N = %d; e=%d; d=%d; message = %d; encrypted=%d' %
(p, q, N, e, d, message, encrypted))
assert (message == decrypted)
#Finally, to encrypt a string, do something cheesy, like convert the
#string to hex and put "0x" on the front of it to turn it into a
#number. The math cares not how stupidly you feed it strings.
rawMessage = b'May the Force be with you'
hexMessage = rawToHex(rawMessage)
intMessage = int(hexMessage, 16)
encrypted = mypow(intMessage, e, N)
decrypted = mypow(encrypted, d, N)
assert (intMessage == decrypted)
assert (hexToRaw(hex(intMessage)[2:]) == rawMessage)
def test30():
message = b"comment1=cooking%20MCs;userdata=foo;comment2=%20like%20a%20pound%20of%20bacon"
print("message ", message)
tag = dumbMD4HashAuth(hash_secret, message)
print("hash(secret||message) ", tag)
newtag = appendMessage(message, tag, b";admin=true")
print("new tag = ", rawToHex(newtag))
def discover_mac(message):
guess_mac = b'\x00' * 20;
for i in range(20):
nextbyte = guess_byte(message, i, guess_mac);
guess_mac = setByte(guess_mac, i, nextbyte);
print (rawToHex(guess_mac));
return guess_mac;
def test29():
message = b'comment1=cooking%20MCs;userdata=foo;comment2=%20like%20a%20pound%20of%20bacon'
print('message ' ,message)
tag = dumbHashAuth(hash_secret, message)
print('hash(secret||message) ',tag)
newtag = appendMessage(message, tag, b';admin=true');
print("new tag = ", rawToHex(newtag))
def rsa_demo2():
e = 3;
p = 4;
q = 4;
while ((p % e) == 1):
p = generatePrime(1024);
while ((q % e) == 1):
q = generatePrime(1024);
N = p*q;
phi = (p-1)*(q-1);
assert((phi%e) != 0);
d = invmod(e, phi);
message = 42;
encrypted = mypow(message, e, N);
decrypted = mypow(encrypted, d, N);
assert(message == decrypted);
#Finally, to encrypt a string, do something cheesy, like convert the
#string to hex and put "0x" on the front of it to turn it into a
#number. The math cares not how stupidly you feed it strings.
rawMessage = b'May the Force be with you'
hexMessage = rawToHex(rawMessage);
intMessage = int(hexMessage, 16);
encrypted = mypow(intMessage, e, N);
decrypted = mypow(encrypted, d, N);
assert(intMessage == decrypted);
assert(hexToRaw(hex(intMessage)[2:]) == rawMessage);
def findKey(split):
bestMg = 0.0;
bestKey = 0;
for i in range(256):
mg, plain = tryKey(rawToHex(split), rawToHexLUT[i]);
if (mg > bestMg):
bestMg = mg;
bestKey = i;
return chr(bestKey);
def findKey(split):
bestMg = 0.0
bestKey = 0
for i in range(256):
mg, plain = tryKey(rawToHex(split), rawToHexLUT[i])
if (mg > bestMg):
bestMg = mg
bestKey = i
return chr(bestKey)
def discover_mac(message):
guess_mac = b'\x00' * 20;
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM);
sock.connect(('127.0.0.1', 9000))
for i in range(20):
nextbyte = guess_byte(sock, message, i, guess_mac);
guess_mac = setByte(guess_mac, i, nextbyte);
print (rawToHex(guess_mac));
return guess_mac;
def discover_mac(message):
guess_mac = b'\x00' * 20
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1', 9000))
for i in range(20):
nextbyte = guess_byte(sock, message, i, guess_mac)
guess_mac = setByte(guess_mac, i, nextbyte)
print(rawToHex(guess_mac))
return guess_mac
def hex_xor(hex1, hex2):
if (len(hex1) != len(hex2)):
return '';
raw1 = hexToRaw(hex1);
raw2 = hexToRaw(hex2);
rawresult = '';
for i in range(0, len(raw1)):
rawresult += chr(raw1[i] ^ raw2[i]);
# rawresult = raw1 ^ raw2;
return rawToHex(rawresult);
def hex_xor(hex1, hex2):
if (len(hex1) != len(hex2)):
return ''
raw1 = hexToRaw(hex1)
raw2 = hexToRaw(hex2)
rawresult = ''
for i in range(0, len(raw1)):
rawresult += chr(raw1[i] ^ raw2[i])
# rawresult = raw1 ^ raw2;
return rawToHex(rawresult)
def generateEncryptedAdminProfile():
# get to a fresh block
s = 'A' * (16 - (len(prefix) % 16));
#locate the IV for my block
myIVBlock = ((len(prefix) + len(s)) // 16) - 1;
# add a known block value
s += 'X' * 16;
# encrypt
cip = padAndEncryptString(s);
# extract IV for block of interest
allBlocks = chunks(cip, 16);
myIV = allBlocks[myIVBlock];
# xor in IV with desired value
hexIV = rawToHex(myIV);
hexKnown = rawToHex('X'*16);
hexDesired = rawToHex(";admin=true;XXXX")
newHexIV = hex_xor(hexIV, hex_xor(hexKnown, hexDesired));
newIV = hexToRaw(newHexIV);
# insert "error"
allBlocks[myIVBlock] = newIV;
myCipher = b'';
for b in allBlocks:
myCipher += b;
return myCipher;
def guess_byte(sock, message, index, guess_mac, numtrials=50):
timings = [0]*256;
# try each byte at the index
for i in range(256):
this_guess = setByte(guess_mac, index, i);
url = b'test?file=' + message + b'&signature=' + rawToHex(this_guess) + b'\n';
start = time.perf_counter()
for j in range(numtrials):
sock.send(url);
data = sock.recv(1024)
stop = time.perf_counter()
timings[i] = stop - start;
# assume the largest timing is the right one
value = timings.index(max(timings));
print("index: " + str(index) + " : value: " + hex(value));
return value;
def hex_xor(hex1, hex2):
if (len(hex1) != len(hex2)):
return '';
raw1 = hexToRaw(hex1);
raw2 = hexToRaw(hex2);
for i in range(len(hex2)):
a=type(hex1[i])
print(a)
print(hex1[i],hex2[i])
print(hex1[i]^hex2[i])
rawresult = '';
for i in range(0, len(raw1)):
print(raw1[i]^raw2[i])
rawresult += chr(raw1[i] ^ raw2[i]);
# rawresult = raw1 ^ raw2;
return rawToHex(rawresult);
def guess_byte(sock, message, index, guess_mac, numtrials=5):
timings = [0]*256;
# try each byte at the index
for i in range(256):
this_guess = setByte(guess_mac, index, i);
url = b'test?file=' + message + b'&signature=' + rawToHex(this_guess) + b'\n';
start = time.perf_counter()
for j in range(numtrials):
sock.send(url);
data = sock.recv(1024)
stop = time.perf_counter()
timings[i] = stop - start;
# assume the largest timing is the right one
value = timings.index(max(timings));
print("index: " + str(index) + " : value: " + hex(value));
return value;
def guess_byte(message, index, guess_mac, numtrials=1):
timings = [0]*256;
# try each byte at the index
for i in range(256):
this_guess = setByte(guess_mac, index, i);
url = b'http://127.0.0.1:9000/test?file=' + message + b'&signature=' + rawToHex(this_guess);
#print(url)
start = time.perf_counter()
requests.get(url);
stop = time.perf_counter()
timings[i] = stop - start;
# assume the largest timing is the right one
# for i in range(len(timings)):
# print(i,timings[i])
value = timings.index(max(timings));
print("index: " + str(index) + " : value: " + hex(value));
return value;
"MVQHYhoGGksABwdJAB0ASTpFNwQcTRoDBBgDUkksGioRHUkKCE5THEVCC08E" + \
"EgF0BBwJSQoOGkgGADpfADETDU5tBzcJEFMLTx0bAHQJCx8ADRJUDRdMN1RH" + \
"YgYGTi5jMURFeQEaSRAEOkURDAUCQRkKUmQ5XgBIKwYbQFIRSBVJGgwBGgtz" + \
"RRNNDwcVWE8BT3hJVCcCSQwGQx9IBE4KTwwdASEXF01jIgQATwZIPRpXKwYK" + \
"BkdEGwsRTxxDSToGMUlSCQZOFRwKUkQ5VEMnUh0BR0MBGgAAZDwGUwY7CBdN" + \
"HB5BFwMdUz0aQSwWSQoITlMcRUILTxoCEDUXF01jNw4BTwVBNlRBYhAIGhNM" + \
"EUgIRU5CRFMkOhwGBAQLTVQOHFkvUkUwF0lkbXkbHUVUBgAcFA0gRQYFCBpB" + \
"PU8FQSsaVycTAkJHYhsRSQAXABxUFzFFFggICkEDHR1OPxoqER1JDQhNEUgK" + \
"TkJPDAUAJhwQAg0XQRUBFgArU04lUh0GDlNUGwpOCU9jeTY1HFJARE4xGA4L" + \
"ACxSQTZSDxsJSw1ICFUdBgpTNjUcXk0OAUEDBxtUPRpCLQtFTgBPVB8NSRoK" + \
"SREKLUUVAklkERgOCwAsUkE2Ug8bCUsNSAhVHQYKUyI7RQUFABoEVA0dWXQa" + \
"Ry1SHgYOVBFIB08XQ0kUCnRvPgwQTgUbGBwAOVREYhAGAQBJEUgETgpPGR8E" + \
"LUUGBQgaQRIaHEshGk03AQANR1QdBAkAFwAcUwE9AFxNY2QxGA4LACxSQTZS" + \
"DxsJSw1ICFUdBgpTJjsIF00GAE1ULB1NPRpPLF5JAgJUVAUAAAYKCAFFXjUe" + \
"DBBOFRwOBgA+T04pC0kDElMdC0VXBgYdFkU2CgtNEAEUVBwTWXhTVG5SGg8e" + \
"AB0cRSo+AwgKRSANExlJCBQaBAsANU9TKxFJL0dMHRwRTAtPBRwQMAAATQcB" + \
"FlRlIkw5QwA2GggaR0YBBg5ZTgIcAAw3SVIaAQcVEU8QTyEaYy0fDE4ITlhI" + \
"Jk8DCkkcC3hFMQIEC0EbAVIqCFZBO1IdBgZUVA4QTgUWSR4QJwwRTWM="
if __name__ == "__main__":
bestKeySizes, bestScores = findKeySize(base64toHex(b64cipher), 20)
# after running this with a bunch of different number of blocks, 29 always pops out.
# I'm confident 29 is the right answer.
splits = splitCipher(base64toRaw(b64cipher), 29)
key = ""
for s in splits:
key += (findKey(s))
print("Key: " + str(key))
print("Plain: " + str(
hexToRaw(repeating_hex_xor(base64toHex(b64cipher), rawToHex(key)))))
def test5():
plain = "Burning 'em, if you ain't quick and nimble\nI go crazy when I hear a cymbal"
key = "ICE"
cipher = repeating_hex_xor(rawToHex(plain), rawToHex(key))
print("Cipher : " + str(cipher))
def test30():
message = b'comment1=cooking%20MCs;userdata=foo;comment2=%20like%20a%20pound%20of%20bacon'
tag = dumbMD4HashAuth(hash_secret, message)
newtag = appendMessage(message, tag, b';admin=true');
print("new tag = ", rawToHex(newtag))
print("Problem 30 success")
def test5():
plain = "Burning 'em, if you ain't quick and nimble\nI go crazy when I hear a cymbal";
key = "ICE";
cipher = repeating_hex_xor(rawToHex(plain), rawToHex(key));
print("Cipher : " + str(cipher));
"YgYGTi5jMURFeQEaSRAEOkURDAUCQRkKUmQ5XgBIKwYbQFIRSBVJGgwBGgtz" + \
"RRNNDwcVWE8BT3hJVCcCSQwGQx9IBE4KTwwdASEXF01jIgQATwZIPRpXKwYK" + \
"BkdEGwsRTxxDSToGMUlSCQZOFRwKUkQ5VEMnUh0BR0MBGgAAZDwGUwY7CBdN" + \
"HB5BFwMdUz0aQSwWSQoITlMcRUILTxoCEDUXF01jNw4BTwVBNlRBYhAIGhNM" + \
"EUgIRU5CRFMkOhwGBAQLTVQOHFkvUkUwF0lkbXkbHUVUBgAcFA0gRQYFCBpB" + \
"PU8FQSsaVycTAkJHYhsRSQAXABxUFzFFFggICkEDHR1OPxoqER1JDQhNEUgK" + \
"TkJPDAUAJhwQAg0XQRUBFgArU04lUh0GDlNUGwpOCU9jeTY1HFJARE4xGA4L" + \
"ACxSQTZSDxsJSw1ICFUdBgpTNjUcXk0OAUEDBxtUPRpCLQtFTgBPVB8NSRoK" + \
"SREKLUUVAklkERgOCwAsUkE2Ug8bCUsNSAhVHQYKUyI7RQUFABoEVA0dWXQa" + \
"Ry1SHgYOVBFIB08XQ0kUCnRvPgwQTgUbGBwAOVREYhAGAQBJEUgETgpPGR8E" + \
"LUUGBQgaQRIaHEshGk03AQANR1QdBAkAFwAcUwE9AFxNY2QxGA4LACxSQTZS" + \
"DxsJSw1ICFUdBgpTJjsIF00GAE1ULB1NPRpPLF5JAgJUVAUAAAYKCAFFXjUe" + \
"DBBOFRwOBgA+T04pC0kDElMdC0VXBgYdFkU2CgtNEAEUVBwTWXhTVG5SGg8e" + \
"AB0cRSo+AwgKRSANExlJCBQaBAsANU9TKxFJL0dMHRwRTAtPBRwQMAAATQcB" + \
"FlRlIkw5QwA2GggaR0YBBg5ZTgIcAAw3SVIaAQcVEU8QTyEaYy0fDE4ITlhI" + \
"Jk8DCkkcC3hFMQIEC0EbAVIqCFZBO1IdBgZUVA4QTgUWSR4QJwwRTWM=";
if __name__ == "__main__":
bestKeySizes, bestScores = findKeySize(base64toHex(b64cipher), 20);
# print(bestKeySizes);
# print(bestScores);
# after running this with a bunch of different number of blocks, 29 always pops out.
# I'm confident 29 is the right answer.
splits = splitCipher(base64toRaw(b64cipher), 29);
key = "";
for s in splits:
key += (findKey(s));
print("Key: " + str(key));
print("Plain: " + str(hexToRaw(repeating_hex_xor(base64toHex(b64cipher), rawToHex(key)))));
def test30():
message = b'comment1=cooking%20MCs;userdata=foo;comment2=%20like%20a%20pound%20of%20bacon'
tag = dumbMD4HashAuth(hash_secret, message)
newtag = appendMessage(message, tag, b';admin=true')
print("new tag = ", rawToHex(newtag))
print("Problem 30 success")
