68 lines
1.9 KiB
Python
68 lines
1.9 KiB
Python
import os
|
|
os.environ['PWNLIB_NOTERM'] = 'True'
|
|
os.environ['PWNLIB_SILENT'] = 'True'
|
|
|
|
if __name__ == '__main__':
|
|
#server = remote(HOST, PORT)
|
|
#server.send(iv)
|
|
#server.send(ciphertext)
|
|
#response = server.recv(1024)
|
|
#print(response)
|
|
#server.close()
|
|
|
|
#server = remote(HOST, PORT)
|
|
#server.send(iv)
|
|
|
|
#edt = bytearray(ciphertext)
|
|
#edt[-1] = 0
|
|
#server.send(edt)
|
|
#response = server.recv(1024)
|
|
#print(response)
|
|
#server.close()
|
|
#---------------
|
|
print(len(ciphertext)//AES.block_size)
|
|
N = len(ciphertext)//AES.block_size)
|
|
#This initial part will be non modifiabke
|
|
#We put all the block except the last one
|
|
initial_part = ciphertext[:(N-2)*AES.block_size]
|
|
#The second to last block is the one swapped in CBC then it is not dependent from the others(?)
|
|
block_to_modify = bytearray(ciphertext[(N-2)*AES.block_size:(N-1)*AES.block_size])
|
|
last_block = ciphertext[(N-1]*AES.block_size:]
|
|
|
|
byte_index = AES.block_size - 1
|
|
c15 = block_to_modify[byte_index]
|
|
|
|
for c_prime_15 in range(256):
|
|
|
|
block_to_modify[byte_index] = c_prime_15
|
|
to_send = initial_part + block_to_modify + last_block
|
|
|
|
server = remote(HOST, PORT)
|
|
server.send(iv)
|
|
server.send(to_send)
|
|
response = server.recv(1024)
|
|
#print(response)
|
|
server.close()
|
|
|
|
if response = b'OK':
|
|
print("c_prime_15"+str(c_prime_15))
|
|
p_prime_15 = c_prime_15 ^ 1
|
|
p_15 = p_prime_15 ^ c_15
|
|
print("p_prime_15"+str(p_prime_15))
|
|
print("p_15"+str(p_15))
|
|
p_prime_15 = 191
|
|
|
|
c_second_15 = p_prime_15 ^ 2
|
|
block_to_modify[byte_index] = c_second_15
|
|
|
|
byte_index -= 1
|
|
c_14 = block_to_modify[byte_index]
|
|
|
|
for c_prime_14 in range(256):
|
|
|
|
block_to_modify[byte_index] = c_prime_14
|
|
to_send = initial_part + block_to_modify + last_block
|
|
|
|
##connect to the server etc
|
|
|