Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/env python3
import os, binascii, struct
import socket
from Crypto.Cipher import AES
import sys
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect( ("104.198.243.170",2501) )
target = binascii.unhexlify(s.recv(33).rstrip().decode())
# sys.exit(0)
pad = lambda m: m + bytes([16 - len(m) % 16] * (16 - len(m) % 16))
def haggis(m):
crypt0r = AES.new(bytes(0x10), AES.MODE_CBC, bytes(0x10))
# print(len(m).to_bytes(0x10, 'big') + pad(m))
return crypt0r.encrypt(len(m).to_bytes(0x10, 'big') + pad(m))[-0x10:]
def haggis_without_padding(m,missing_len):
crypt0r = AES.new(bytes(0x10), AES.MODE_CBC, bytes(0x10))
return crypt0r.encrypt(int(len(m) + missing_len).to_bytes(0x10, 'big') + m)[-0x10:]
def dehaggis(mc):
crypt0r = AES.new(bytes(0x10), AES.MODE_CBC, bytes([0] * 16))
return crypt0r.decrypt(mc)
# target = os.urandom(0x10)
print("TARGET:" + binascii.hexlify(target).decode())
# okay, next block is 'ours'
msg = b'I solemnly swear that I am up to no good.\0' + (b'\x00' * 6)
pbase = haggis_without_padding(msg,16)
print("PBASE :" + binascii.hexlify(pbase).decode() + " (static text - no choice here)")
# [ PADDING ]
# [ MESSAGE ]
# [PREVCHUNK]
# [LASTCHUNK]
test_lastchunk_iv = bytes(dehaggis(target))
test_lastchunk_dt = b''
while len(test_lastchunk_iv) != 0x10:
test_lastchunk_iv += bytes([0])
for i in range(0,0x10):
test_lastchunk_dt += bytes([test_lastchunk_iv[i] ^ 0x10])
print("LASTCHUNK : " + binascii.hexlify(test_lastchunk_dt).decode() + " (second last chunk... almost there!)")
test_prevchunk_iv = bytes(dehaggis(test_lastchunk_dt))
test_prevchunk_dt = b''
while len(test_prevchunk_iv) != 0x10:
test_prevchunk_iv += bytes([0])
for i in range(0,0x10):
test_prevchunk_dt += bytes([test_prevchunk_iv[i] ^ pbase[i]])
print("GO! :" + binascii.hexlify(haggis(msg + test_prevchunk_dt)).decode())
s.send(binascii.hexlify(msg + test_prevchunk_dt) + b'\n')
print(s.recv(100))
sys.exit(0)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.