Created
September 22, 2013 16:07
import hashlib
import time

# Static 32-character string mixed into every derived key byte (see
# derive_key_part). It is a constant in the source, so it contributes no
# secrecy once the algorithm is known.
derivation_key = 'LETSBUILDAVERYWEAKDERIVATIONKEY!'
def msvcrt_rand(seed):
    """Advance a linear congruential generator by one step.

    The multiplier 0x343FD and increment 0x269EC3 are the constants used by
    the Microsoft C runtime rand(). This is not a cryptographic generator:
    the whole output stream is determined by the seed.

    Args:
        seed: Current generator state.

    Returns:
        A ``(state, output)`` tuple: the new state and a 15-bit output taken
        from bits 16..30 of that state.
    """
    # The product is reduced to 32 bits but the sum is not, so the returned
    # state can slightly exceed 32 bits. That is harmless: the next call masks
    # again after multiplying, and the output only reads bits 16..30.
    state = ((seed * 0x343FD) & 0xFFFFFFFF) + 0x269EC3
    output = (state >> 16) & 0x7FFF
    return state, output
def get_initial_value(seed):
    """Build the 32-bit starting value from four consecutive LCG outputs.

    The LCG is seeded with *seed* (the caller passes an epoch timestamp) and
    the low byte of each of the next four outputs is packed most-significant
    byte first. The result is a pure function of the seed, so it carries no
    more entropy than the timestamp it was seeded with.

    Args:
        seed: Integer seed for the LCG.

    Returns:
        The 32-bit starting value as an int.
    """
    value = 0
    for _ in range(4):
        seed, sample = msvcrt_rand(seed)
        # Shift the bytes gathered so far up and append the new low byte.
        value = (value << 8) | (sample & 0xFF)
    return value
def derive_key_part(initial_value, i):
    """Compute the 32-bit intermediate word for key position *i*.

    The word mixes the starting value with the position and the matching
    character of the module-level ``derivation_key``. All arithmetic is
    reduced modulo 2**32.

    Args:
        initial_value: 32-bit starting value from get_initial_value().
        i: Key byte index; must be a valid index into ``derivation_key``.

    Returns:
        A 32-bit int. It is computed solely from an 8-bit byte sum, so it can
        take at most 256 distinct values.
    """
    mask32 = 0xFFFFFFFF
    step = i * 7

    # Replicate one position/character-dependent byte into all four bytes.
    word = ((step * ord(derivation_key[i])) & 0xFF) * 0x1010101
    word ^= initial_value
    word ^= step * 0x1010101

    # Two subtract/multiply rounds, each reduced to 32 bits.
    word = ((word - 0x5A827999) * 0x6ED9EBA1) & mask32
    word = (word - 0x3B4704FA) & mask32

    # Fold the word down to the sum of its four bytes modulo 256; everything
    # mixed in above collapses to this single byte.
    folded = ((word >> 24) + (word >> 16) + (word >> 8) + (word & 0xFF)) & 0xFF

    return (((0x806BAE2D * folded) & mask32) + 0x740124A9) & mask32
def derive_key(initial_value):
    """Derive the 32-character key string from the 32-bit starting value.

    Each character is the low byte of derive_key_part() for that position,
    passed through the affine map ``c * 0xA5 + 0x13`` modulo 256. The key is
    fully determined by *initial_value*, which in turn is fully determined by
    the timestamp seed.

    Args:
        initial_value: 32-bit starting value from get_initial_value().

    Returns:
        A 32-character string.
    """
    return ''.join(
        chr(((derive_key_part(initial_value, i) & 0xFF) * 0xA5 + 0x13) & 0xFF)
        for i in xrange(0, 32)
    )
# The challenge is the hex MD5 of the derived key. It is compared exactly as
# typed: no trimming, case folding or format check is applied.
challenge = raw_input('Challenge? ')

# The key depends on nothing but the second at which it was generated, so the
# search space is the number of seconds elapsed since then. Walk backwards one
# second at a time from the current time until the MD5 of a candidate key
# equals the challenge.
# NOTE(review): the loop has no lower bound; a challenge that never matches
# (for example a mistyped one) keeps it running indefinitely.
utcnow = int(time.time())
seed = utcnow
key = derive_key(get_initial_value(seed))
while hashlib.md5(key).hexdigest() != challenge:
    seed -= 1
    key = derive_key(get_initial_value(seed))

# The access token is SHA-1 over the key plus a fixed string. That string is a
# constant in the code rather than a secret, so knowing the key is enough to
# compute the token.
# Design takeaway: key material seeded from a timestamp through a
# non-cryptographic LCG is only as unpredictable as the timestamp; it should
# come from a CSPRNG instead.
access_token = hashlib.sha1(key + 'HEREISASECURESALT!').hexdigest()
print("Challenge found from %d seconds ago :)" % (utcnow - seed))
print("Access token: %s" % (access_token))