ducnhse130201/aes_return(solve).py

## aes_return(solve).py
from Crypto.Cipher import AES
import binascii

def xor(a, b):
    """ Returns a new byte array with the elements xor'ed. """
    return bytes(i^j for i, j in zip(a, b))

def bytes2matrix(text):
    """ Converts a 16-byte array into a 4x4 matrix.  """
    return [list(text[i:i+4]) for i in range(0, len(text), 4)]
def matrix2bytes(matrix):
    """ Converts a 4x4 matrix into a 16-byte array.  """
    return bytes(sum(matrix, []))
# get flag enc first
flag_enc = binascii.unhexlify('c6c87908b972e20af88175ea46785459c2ffef77d700db0912eb9169042cabf0e8fa72b85bd4e74f04c4bc05436ba7dec6065a19fba052142e5ad2c94308e178')
IV = flag_enc[:16]
flag_enc = flag_enc[16:]
# get flag enc with sbox = 0 to leak key
flag_sbox_0 = binascii.unhexlify('d80db7681e92c4838fbae619f7343e367af01e5f63a0b26966b8915498027a677af01e5f63a0b26966b8915498027a677af01e5f63a0b26966b8915498027a67')
flag_sbox_0 = flag_sbox_0[16:32]

leak_key = flag_sbox_0[:16]
leak_key = bytes2matrix(leak_key)


r_con = (
    0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40,
    0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A,
    0x2F, 0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A,
    0xD4, 0xB3, 0x7D, 0xFA, 0xEF, 0xC5, 0x91, 0x39,
)

def invert_schedule(key, round):
    prev_key = [None] * 4
    prev_key[3] = xor(key[2], key[3])
    prev_key[2] = xor(key[1], key[2])
    prev_key[1] = xor(key[0], key[1])
    prev_key[0] = xor(key[0], [r_con[round], 0, 0, 0])
    return prev_key

for i in range(10, 0, -1):
    leak_key = invert_schedule(leak_key, i)

key = b''.join(leak_key)

aes = AES.new(key,AES.MODE_CBC,IV)
print(aes.decrypt(flag_enc))
	from Crypto.Cipher import AES
	import binascii

	def xor(a, b):
	""" Returns a new byte array with the elements xor'ed. """
	return bytes(i^j for i, j in zip(a, b))

	def bytes2matrix(text):
	""" Converts a 16-byte array into a 4x4 matrix. """
	return [list(text[i:i+4]) for i in range(0, len(text), 4)]
	def matrix2bytes(matrix):
	""" Converts a 4x4 matrix into a 16-byte array. """
	return bytes(sum(matrix, []))
	# get flag enc first
	flag_enc = binascii.unhexlify('c6c87908b972e20af88175ea46785459c2ffef77d700db0912eb9169042cabf0e8fa72b85bd4e74f04c4bc05436ba7dec6065a19fba052142e5ad2c94308e178')
	IV = flag_enc[:16]
	flag_enc = flag_enc[16:]
	# get flag enc with sbox = 0 to leak key
	flag_sbox_0 = binascii.unhexlify('d80db7681e92c4838fbae619f7343e367af01e5f63a0b26966b8915498027a677af01e5f63a0b26966b8915498027a677af01e5f63a0b26966b8915498027a67')
	flag_sbox_0 = flag_sbox_0[16:32]

	leak_key = flag_sbox_0[:16]
	leak_key = bytes2matrix(leak_key)


	r_con = (
	0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40,
	0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A,
	0x2F, 0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A,
	0xD4, 0xB3, 0x7D, 0xFA, 0xEF, 0xC5, 0x91, 0x39,
	)

	def invert_schedule(key, round):
	prev_key = [None] * 4
	prev_key[3] = xor(key[2], key[3])
	prev_key[2] = xor(key[1], key[2])
	prev_key[1] = xor(key[0], key[1])
	prev_key[0] = xor(key[0], [r_con[round], 0, 0, 0])
	return prev_key

	for i in range(10, 0, -1):
	leak_key = invert_schedule(leak_key, i)

	key = b''.join(leak_key)

	aes = AES.new(key,AES.MODE_CBC,IV)
	print(aes.decrypt(flag_enc))