WhiteHat - Crypto
from pwn import *
import sys, os
def strxor(a, b):
    """Byte-wise XOR of two strings.

    Characters are paired positionally (via zip), so the result is as long
    as the *shorter* input and surplus bytes of the longer one are dropped.
    The rest of the script relies on that truncation to apply a long
    recovered key to a short command.
    """
    out = []
    for x, y in zip(a, b):
        out.append(chr(ord(x) ^ ord(y)))
    return ''.join(out)
# Known plaintexts the chat bot replies with. Every entry has a distinct
# length (13, 15, 17, 19, 22, 23, 25, 26, 29, 34, 35, 42, 51, 56 bytes),
# which is what lets the rest of the script identify a reply by length alone.
records = [
    "I do nothing.",
    "I'm a chat bot.",
    "I'm from Vietnam.",
    "My name is ChatBot.",
    "I'm good, how are you?",
    "My language is English.",
    "I'm from Bkav in Vietnam.",
    "Of course! I'd be glad to.",
    "I'm fine. Thank you. And you?",
    "Hi. I am Mr. ChatBot. Who are you?",
    "You know, computing. How about you?",
    "I'm doing fine thanks, how about yourself?",
    "Sitting here, being a computer. How about yourself?",
    "I'm a bot, I don't feel much of anything, how about you?",
]
# Number of probe messages sent while hunting for a long keystream sample.
rounds = 30
# authenticate
# NOTE(review): challenge endpoint and client id are hard-coded, and the
# connection is plain TCP (no TLS) — everything below travels in the clear.
host = "43.224.35.245"
port = 3425
p = connect(host,port)
p.sendlineafter("Your id: ", "manh")
rep = p.recvuntil("mode!\n")
print rep
#get timestamp
# Wire format as used by every send/recv below: an 8-byte little-endian
# timestamp, an 8-byte little-endian length, then `length` payload bytes;
# the server answers in the same layout.
p.send(p64(1))
p.send(p64(1))
p.send('\x00')
# NOTE(review): pwntools recv(n) returns *up to* n bytes; a short read here
# makes u64() raise. recvn(8) would guarantee exactly eight bytes.
# (`time` also shadows the stdlib module name.)
time = p.recv(8)
length = p.recv(8)
# The length field is server-controlled and used unchecked as the read size.
data = p.recv(u64(length))
timestamp = u64(time)
#find noobkey
# Key recovery (see the strxor at the end of this section): a reply is
# treated as plaintext XOR a fixed key, so one reply whose plaintext is a
# known record yields key = record XOR reply. Longer replies give more key
# bytes, hence the hunt for a reply of at least 50 bytes.
noobleak = ""
for i in range(rounds):
    data = os.urandom(16)          # arbitrary probe; only the reply matters
    p.send(p64(timestamp))
    p.send(p64(len(data)))
    p.send(data)
    time = p.recv(8)               # NOTE(review): recv(n) may return < n bytes
    length = p.recv(8)
    data = p.recv(u64(length))
    timestamp = u64(time)          # echo the server's latest timestamp back
    if len(data) > len(noobleak):
        noobleak = data
    if len(noobleak) >= 50: # message is good enough
        break
# A reply is matched to its plaintext purely by length; this works only
# because every entry in `records` has a distinct length.
# NOTE(review): the match uses `data` (the last reply), not `noobleak` (the
# longest one); they differ only if the loop above exhausted all rounds, in
# which case the longest sample is silently discarded.
record = ""
for r in records:
    if len(r) == len(data): # found record that match
        print 'Record ', r
        record = r
        break
if not len(record):
    print 'Can not find message 1'
    sys.exit(1)
#compute noobkey
noobkey = strxor(record, data)
print 'noobkey', noobkey.encode('hex')   # Python 2 only: str.encode('hex')
#enter super mode
# Encrypt the command under the recovered key; strxor truncates to the
# shorter operand, so only the first five key bytes are used.
data = strxor('super', noobkey)
p.send(p64(timestamp))
p.send(p64(len(data)))
p.send(data)
time = p.recv(8)               # NOTE(review): recv(n) may return < n bytes
length = p.recv(8)
data = p.recv(u64(length))     # reply to 'super' is read but not inspected
timestamp = u64(time)
#find realkey
# Same known-plaintext key recovery as for noobkey, now against the key in
# effect after 'super' mode. `realkey` first holds the longest reply seen
# and is overwritten with the recovered key at the end of this section.
realkey = ""
for i in range(rounds):
    data = os.urandom(16)          # arbitrary probe; only the reply matters
    p.send(p64(timestamp))
    p.send(p64(len(data)))
    p.send(data)
    time = p.recv(8)               # NOTE(review): recv(n) may return < n bytes
    length = p.recv(8)
    data = p.recv(u64(length))
    timestamp = u64(time)
    if len(data) > len(realkey):
        realkey = data
    if len(realkey) > 50: # message is good enough
        # NOTE(review): strict `> 50` here vs `>= 50` in the noobkey loop,
        # so a 51-byte reply stops the first hunt but not this one.
        break
# Length-based match against the known records (all lengths are distinct).
# NOTE(review): as in the first hunt, `data` (last reply) is matched rather
# than the longest reply kept above.
record = ""
for r in records:
    if len(r) == len(data): # found record that match
        print 'Record ', r
        record = r
        break
if not len(record):
    print 'Can not find message 2'
    sys.exit(1)
#compute realkey
realkey = strxor(record, data)
print 'realkey', realkey.encode('hex')   # Python 2 only: str.encode('hex')
#compute 'secret'
# Send the 'secret' command encrypted under the recovered key (only the
# first six key bytes are consumed by strxor).
data = strxor('secret', realkey)
p.send(p64(timestamp))
p.send(p64(len(data)))
p.send(data)
time = p.recv(8)               # NOTE(review): recv(n) may return < n bytes
length = p.recv(8)
data = p.recv(u64(length))
timestamp = u64(time)
# Decrypt the reply with the recovered key. strxor stops at the shorter
# operand, so a reply longer than realkey is printed truncated — that is
# why the hunts above insist on a long keystream sample.
print strxor(data,realkey)
# NOTE(review): exits with status 1 on the success path as well.
sys.exit(1)