Skip to content

Instantly share code, notes, and snippets.

@Macil Macil/encryption

Created Nov 12, 2013
Embed
What would you like to do?
Experimenting with exploiting KusabaX's encryption algorithms.
<?php
function get_rnd_iv($iv_len) {
$iv = '';
while ($iv_len-- > 0) {
$iv .= chr(mt_rand() & 0xff);
}
return $iv;
}
function md5_encrypt($plain_text, $password, $iv_len = 16, $iv_init = false) {
$plain_text .= "\x13";
$n = strlen($plain_text);
if ($n % 16) $plain_text .= str_repeat("\0", 16 - ($n % 16));
$i = 0;
$enc_text = $iv_init ? $iv_init : get_rnd_iv($iv_len);
$iv = substr($password ^ $enc_text, 0, 512);
while ($i < $n) {
$block = substr($plain_text, $i, 16) ^ pack('H*', md5($iv));
$enc_text .= $block;
$iv = substr($block . $iv, 0, 512) ^ $password;
$i += 16;
}
return base64_encode($enc_text);
}
function md5_decrypt($enc_text, $password, $iv_len = 16) {
$enc_text = base64_decode($enc_text);
$n = strlen($enc_text);
$i = $iv_len;
$plain_text = '';
$iv = substr($password ^ substr($enc_text, 0, $iv_len), 0, 512);
while ($i < $n) {
$block = substr($enc_text, $i, 16);
$plain_text .= $block ^ pack('H*', md5($iv));
$iv = substr($block . $iv, 0, 512) ^ $password;
$i += 16;
}
return preg_replace('/\\x13\\x00*$/', '', $plain_text);
}
function l($t) {
fwrite(STDERR, "$t\n");
}
$secret = 'OyTjpsxnE2282p4RitIT';
$iv_force = 'iv345678901234iv';
function e($t) {
global $secret, $iv_force;
return md5_encrypt($t, $secret, 16, $iv_force);
}
function d($t) {
global $secret;
return md5_decrypt($t, $secret);
}
function pad_string($plain_text) {
$plain_text .= "\x13";
$n = strlen($plain_text);
if ($n % 16) $plain_text .= str_repeat("\0", 16 - ($n % 16));
return $plain_text;
}
// Change a ciphertext to get a new ciphertext
function main_example1() {
$enc = '6402b4gGUa1ALK2j1YxoUNR5WVt8QZWNMsBO6P4KC04=';
$encd = base64_decode($enc);
$msg = pad_string("bob");
$tgt = pad_string("admin");
$xdf = $msg ^ $tgt;
$encd = substr($encd, 0, 16) . (substr($encd, 16) ^ $xdf);
print base64_encode($encd) . "\n";
}
// Example showing how changing one byte affect decryption of subsequent 16-byte sections
function main_changer() {
$msg = 'Some text here! Really really long message! More message! 1234567890 ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$tgt = 'Some text here! Really really 1ong message! More message! 1234567890 ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$xdf = $msg ^ $tgt;
$encd = base64_decode(e($msg));
$encd = substr($encd, 0, 16) . (substr($encd, 16) ^ $xdf);
echo d( base64_encode($encd) );
// You may want to view this output in a hex viewer, such as by piping PHP to xxd.
}
// Example of changing one byte combined with a playback attack
function main_changeplayback() {
$msg = 'Some text here! Really really long message! More message! 1234567890 ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$tgt = 'Some text here! Really really 1ong message! More message! 1234567890 ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$xdf = $msg ^ $tgt;
$encd = base64_decode(e($msg));
$encd = substr($encd, 0, 16) . (substr($encd, 16, 32) ^ $xdf) . substr($encd, 16);
echo d( base64_encode($encd) );
}
main_example1();
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.