HoLyVieR/challenge2.py

## challenge2.py
from pwn import *
import struct
import md5

r = remote('127.0.0.1', 4322)

h = "c237457a8badc2f92b66ace8dc6669e5".decode("hex")
state = list(struct.unpack("<4I", h))

#md5.md5_compress(state, final_block)

for i in range(0x5f00, 256*256, 1):
	r.recvuntil("YOUR_VALUE = ")

	to_test = (chr(i // 256) + chr(i % 256)).encode("hex")
	r.send(to_test + "\x80" + "\x00" * (64 - 32 - 1 - 8 - len(to_test))  + struct.pack("<Q", (32 + 4) << 3))

	data = r.recv(1024)
	ha = data[7:39]
	tm = data[39+13:-2]

	result = md5.md5_compress(state, tm + "\x80" + "\x00" * (64 - len(tm) - 8 - 1)  + struct.pack("<Q", (64 + len(tm)) << 3))
	hs = struct.pack("<4I", result[0], result[1], result[2], result[3]).encode("hex")

	if hs == ha:
		print("Found %s" % hex(i))
		exit()
	from pwn import *
	import struct
	import md5

	r = remote('127.0.0.1', 4322)

	h = "c237457a8badc2f92b66ace8dc6669e5".decode("hex")
	state = list(struct.unpack("<4I", h))

	#md5.md5_compress(state, final_block)

	for i in range(0x5f00, 256*256, 1):
	r.recvuntil("YOUR_VALUE = ")

	to_test = (chr(i // 256) + chr(i % 256)).encode("hex")
	r.send(to_test + "\x80" + "\x00" * (64 - 32 - 1 - 8 - len(to_test)) + struct.pack("<Q", (32 + 4) << 3))

	data = r.recv(1024)
	ha = data[7:39]
	tm = data[39+13:-2]

	result = md5.md5_compress(state, tm + "\x80" + "\x00" * (64 - len(tm) - 8 - 1) + struct.pack("<Q", (64 + len(tm)) << 3))
	hs = struct.pack("<4I", result[0], result[1], result[2], result[3]).encode("hex")

	if hs == ha:
	print("Found %s" % hex(i))
	exit()