|
| 1 | +import os, binascii |
| 2 | + |
| 3 | +from Crypto.Cipher import AES |
| 4 | + |
| 5 | +BLOCK_SIZE = 16 |
| 6 | + |
| 7 | + |
| 8 | +flag = '' # Solve this |
| 9 | +plaintext = """The Song of the Count |
| 10 | +
|
| 11 | +You know that I am called the Count |
| 12 | +Because I really love to count |
| 13 | +I could sit and count all day |
| 14 | +Sometimes I get carried away |
| 15 | +I count slowly, slowly, slowly getting faster |
| 16 | +Once I've started counting it's really hard to stop |
| 17 | +Faster, faster. It is so exciting! |
| 18 | +I could count forever, count until I drop |
| 19 | +1! 2! 3! 4! |
| 20 | +1-2-3-4, 1-2-3-4, |
| 21 | +1-2, i love couning whatever the ammount haha! |
| 22 | +1-2-3-4, heyyayayay heyayayay that's the sound of the count |
| 23 | +I count the spiders on the wall... |
| 24 | +I count the cobwebs in the hall... |
| 25 | +I count the candles on the shelf... |
| 26 | +When I'm alone, I count myself! |
| 27 | +I count slowly, slowly, slowly getting faster |
| 28 | +Once I've started counting it's really hard to stop |
| 29 | +Faster, faster. It is so exciting! |
| 30 | +I could count forever, count until I drop |
| 31 | +1! 2! 3! 4! |
| 32 | +1-2-3-4, 1-2-3-4, 1, |
| 33 | +2 I love counting whatever the |
| 34 | +ammount! 1-2-3-4 heyayayay heayayay 1-2-3-4 |
| 35 | +That's the song of the Count! |
| 36 | +""" + flag # plus padding to 16 byte block is added |
| 37 | + |
| 38 | +# hex-encoded ciphertext |
| 39 | +ciphertext_hex = "9d5c66e65fae92af9c8a55d9d3bf640e8a5b76a878cbf691d3901392c9b8760ebd5c62b22c88dca9d1c55098cbbb644ae9406ba32c8293bdd29139bbc2b4605bba51238f2cb399a9d0894ad9cbb8774be9406ce66fae89a6c8ef7ad9c4b87442ad1470af78e19da6d8c55096d2b9750ea8586fe668a085c2ef8a5e9cd3be6c4bba144ae66ba488e8df84418bceb2650ea84362bf0688dcabd3905d8d87a46d414626be04a58215b84263a620de3203fa4626be08e2940da35c61b82c98201ce15438cd67eb921cf77c28a969de321bf4433ea24ca59216a25b7bb662996106e11639e75ae09015bb4c2fb76d8c254fe15e6ab45cea817391547cab698c6d4ff35039b34df7df599e412fb67fde3200b55432a441f19817b01405962c9d2e1af9556aa447f09f0df75360ad6988241db91129a85deb8559a25b7bb660de084ff1cc3a0e8041bc71d71fb29883931d9d3e8f784ca743b065c91ea386909e1a9100925f4fa742b1718c1efec4d4d609df5bcb3b17e417bd268d5fe6ced4d65b9c40d6305eeb1df03e9050e68bcad241dd15b46453b85dae7cd112b2c3c7ca50dd4ddf2c1ff350f5349c5febcadbd2509c40d6340aad03bd258d5bb2d8cdc647d814d1335efe18f8718651e7c5d6b9609c57d12010fe50e939801ee1dbcbd74cce4739c1eeceba8ef87360b629ed82a6eb9d508ee381bb88e97363bf20a1cfe7a7e07cccf3cea788bd277fb265e9cde4a9b937808aa7ee85f22679a365f5c4ede5f478c0e482ab95bd3c79f731e9c9a8b6ff7cc2e6c0e0c897047fb22ba1e5afa8b778c2ef80abcabd1a37b42af4c2fce5fa60dde582a8c7971a37b42af4c2fce5e475c1f782b7cabd207bb832edd5a4e5e4130a976ad4a2fe86ac99c18491f9f6c86adae59cc4a9f33072f70ca6daede5e40b049272c8e6b980b798c69e9fb7f7891611c7758df0fc82b481d1ca9eb8e2cd5f118f26def6f693d2abc99982bce2855f038175d9e7ebcdf8a4dcca9faab0da1045857eceebed8ab68a89e0bff9f3c60a098426ceedec8daccdce8584bce6cc0d49c065c2f7f797f898c69e9fb5b0e05f019269dd88a8c2f8df89cac5f8b09d00ad16dc760ead7c3518baed47603c5b5251cc269cae93d1f8a4888699aff58942c8529f304af0362143f2bd1e37670d538753992129ff3c6c5befb21e7331590c950ac26917be39644dfba50b2b70117fcbccba57b209ae95721a1c9d36073d934b75014109102be14fb6a044a7cf9e468748976457f6342177f5a9042630622f97d2ba5a8c04a7890d4e5fcb445b7600d7c1be71b711b6b32b4444f078557ef82e4f0559225437b455aa9a0bbaff89c834531a45115125c933d6cd6cdca8f8" |
| 40 | + |
| 41 | + |
| 42 | +encrypted = b"TEST" |
| 43 | +# print(encrypted.encode("hex")) |
| 44 | +# print(binascii.hexlify(encrypted)) |
| 45 | +ciphertext = binascii.unhexlify(ciphertext_hex) |
| 46 | +print('ciphertext', ciphertext) |
| 47 | +print('len(ciphertext)', len(ciphertext)) |
| 48 | +print('type(ciphertext)', type(ciphertext)) |
| 49 | +num_blocks = len(ciphertext) // BLOCK_SIZE |
| 50 | +print('number of blocks', num_blocks, ', remainder ', len(ciphertext) % BLOCK_SIZE) |
| 51 | + |
| 52 | +def groups(seq, length): |
| 53 | + ''' |
| 54 | + Yield groups of specified length from a sequence. The final yield will provide whatever data is left in the |
| 55 | + sequence, without padding. Useful in a for statement: |
| 56 | + for pair in groups('abcdefg', 2): |
| 57 | + do_the_thing(pair) |
| 58 | + :param seq: A slicable object like string or list. |
| 59 | + :param length: The length of each group (ie. 2 for pairs) |
| 60 | + :return: |
| 61 | + ''' |
| 62 | + for i in range(0, len(seq), length): |
| 63 | + # print(i) |
| 64 | + yield seq[i:i + length] |
| 65 | + |
| 66 | +def aes_ecb_encrypt(data, key): |
| 67 | + ''' |
| 68 | + Encrypt bytes using AES ECB algorithm. |
| 69 | + :param data: |
| 70 | + :param key: |
| 71 | + :return: |
| 72 | + ''' |
| 73 | + diff = BLOCK_SIZE - (len(data) % BLOCK_SIZE) |
| 74 | + padding = bytearray([diff for x in range(diff)]) |
| 75 | + return AES.new(key=key, mode=AES.MODE_ECB).encrypt(data + padding) |
| 76 | + |
| 77 | + |
| 78 | +def random_aes_key(): |
| 79 | + # return secrets.token_bytes(16) |
| 80 | + return os.urandom(16) |
| 81 | + |
| 82 | + |
| 83 | +def test_decrypt_ecb_byte_at_time(): |
| 84 | + global plaintext |
| 85 | + detected_block_length = 16 # block size 16 |
| 86 | + random_key = random_aes_key() |
| 87 | + |
| 88 | + solved_plaintext = b'' |
| 89 | + |
| 90 | + |
| 91 | + for block in range((len(ciphertext) // detected_block_length) + 1): |
| 92 | + for position in range(detected_block_length, 0, -1): |
| 93 | + short_block = b'A' * (position - 1) |
| 94 | + print('1. block:', block, 'short_block:', short_block, 'length:', len(short_block)) |
| 95 | + known_crypt = b'' |
| 96 | + |
| 97 | + # build lookup table for unknown last character |
| 98 | + lastchar_dict = {} |
| 99 | + for i in range(256): |
| 100 | + my_str = short_block + solved_plaintext + chr(i).encode() |
| 101 | + # print('2. my_str', my_str) |
| 102 | + lastchar_dict[aes_ecb_encrypt(my_str, random_key)[ |
| 103 | + detected_block_length * block:detected_block_length * (block + 1)]] = chr(i) |
| 104 | + |
| 105 | + # print('3. lastchar_dict') |
| 106 | + # pprint(lastchar_dict) |
| 107 | + # print('length lastchar_dict:', len(lastchar_dict)) |
| 108 | + |
| 109 | + # print('4. plaintext before oracle:', short_block + base64.b64decode(unknown_str), 'length:', |
| 110 | + # len(short_block + base64.b64decode(unknown_str))) |
| 111 | + |
| 112 | + crypt_block = aes_ecb_encrypt(short_block + ciphertext, random_key)[ |
| 113 | + detected_block_length * block:detected_block_length * (block + 1)] |
| 114 | + print('5. crypt_block:', crypt_block, 'len(crypt_block):', len(crypt_block)) |
| 115 | + |
| 116 | + # if last byte of block is \x01, padding may be in use |
| 117 | + if lastchar_dict[crypt_block] == '\x01': |
| 118 | + print('Possible padding detected by last character.') |
| 119 | + break |
| 120 | + try: |
| 121 | + print('6. char:', lastchar_dict[crypt_block], ord(lastchar_dict[crypt_block]), 'type:', |
| 122 | + type(lastchar_dict[crypt_block])) |
| 123 | + except KeyError as ke: |
| 124 | + print('Possible padding detected by KeyError.') |
| 125 | + print(ke) |
| 126 | + break |
| 127 | + |
| 128 | + solved_plaintext += lastchar_dict[crypt_block].encode() |
| 129 | + print('7. plaintext solved', solved_plaintext, 'len(plaintext)', len(solved_plaintext)) |
| 130 | + |
| 131 | + print('8. plaintext:', plaintext) |
| 132 | + # assert plaintext == b"Rollin' in my 5.0\nWith my rag-top down so my hair can blow\nThe girlies on standby waving just to say hi\nDid you stop? No, I just drove by\n" |
| 133 | + # assert plaintext == ciphertext |
| 134 | + |
| 135 | +# test_decrypt_ecb_byte_at_time() |
| 136 | + |
| 137 | +def pad(data): |
| 138 | + pad_byte = 16 - len(data) % 16 |
| 139 | + |
| 140 | + chr_pad_byte = chr(pad_byte) |
| 141 | + byte_chr_pad_byte = bytes(chr_pad_byte, 'utf8') |
| 142 | + padding = (chr_pad_byte * pad_byte) |
| 143 | + padded_data = data + padding |
| 144 | + return padded_data |
| 145 | + |
| 146 | + |
| 147 | +def worker_function(block): |
| 148 | + global counter |
| 149 | + key_stream = aes.encrypt(pad(str(counter))) |
| 150 | + result = xor_string(block, key_stream) |
| 151 | + counter += 1 |
| 152 | + return result |
| 153 | + |
| 154 | + |
| 155 | +def possible_keys(): |
| 156 | + global num_blocks |
| 157 | + keys = [] |
| 158 | + for i in range(num_blocks): |
| 159 | + padded = pad(str(i)) |
| 160 | + # print(padded, bytes(padded, 'utf8')) |
| 161 | + bytes_padded = bytes(padded, 'utf8') |
| 162 | + keys.append(bytes_padded) |
| 163 | + return keys |
| 164 | + |
| 165 | + |
| 166 | +first_block = next(groups(ciphertext, BLOCK_SIZE)) |
| 167 | +print('first_block', first_block) |
| 168 | +print('type(first_block)', type(first_block)) |
| 169 | + |
| 170 | +keys = possible_keys() |
| 171 | +print(type(keys[0])) |
| 172 | +print() |
| 173 | +for key in keys: |
| 174 | + plainblock = AES.new(key, AES.MODE_ECB).decrypt(first_block) |
| 175 | + # print(plainblock) |
| 176 | + try: |
| 177 | + print(binascii.unhexlify(plainblock)) |
| 178 | + except binascii.Error: |
| 179 | + pass |
| 180 | + |
| 181 | + |
| 182 | + |
| 183 | + |
0 commit comments