Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
from pwn import *
import struct
import md5
r = remote('127.0.0.1', 4322)
h = "c237457a8badc2f92b66ace8dc6669e5".decode("hex")
state = list(struct.unpack("<4I", h))
#md5.md5_compress(state, final_block)
for i in range(0x5f00, 256*256, 1):
r.recvuntil("YOUR_VALUE = ")
to_test = (chr(i // 256) + chr(i % 256)).encode("hex")
r.send(to_test + "\x80" + "\x00" * (64 - 32 - 1 - 8 - len(to_test)) + struct.pack("<Q", (32 + 4) << 3))
data = r.recv(1024)
ha = data[7:39]
tm = data[39+13:-2]
result = md5.md5_compress(state, tm + "\x80" + "\x00" * (64 - len(tm) - 8 - 1) + struct.pack("<Q", (64 + len(tm)) << 3))
hs = struct.pack("<4I", result[0], result[1], result[2], result[3]).encode("hex")
if hs == ha:
print("Found %s" % hex(i))
exit()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment