SECCON 2017 × CEDEC CHALLENGE - スコアのチート 1
import hashlib | |
import hmac | |
import json | |
import sys | |
import urlparse | |
import requests | |
from Crypto.Cipher import AES | |
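def xor(a, b):
    """XOR two strings character by character, repeating the shorter one.

    The longer argument sets the output length and the shorter one is
    cycled as a repeating key, so the call is symmetric in its arguments.

    Args:
        a: First string.
        b: Second string.

    Returns:
        A string as long as the longer input; each character is the XOR of
        the code points found at that position.

    Raises:
        ZeroDivisionError: If exactly one of the inputs is empty, because
            the repeating key then has length zero.
    """
    if len(a) < len(b):
        a, b = b, a
    # join avoids the quadratic cost of growing a string with `+=`.
    return ''.join(chr(ord(c) ^ ord(b[k % len(b)])) for k, c in enumerate(a))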
# Signing key for the X-Signature header; a literal, so it is the same on
# every run.
# NOTE(review): presumably the same constant the game client ships with. A
# signing key held by the client cannot prove that a request came from an
# unmodified client, so the server has to validate submitted values itself.
HMAC_KEY = 'calcHmac'
def calc_hmac(msg):
    """Return the hex-encoded HMAC-SHA256 of *msg*, keyed with HMAC_KEY."""
    mac = hmac.new(HMAC_KEY, msg, digestmod=hashlib.sha256)
    return mac.hexdigest()
def pad(msg):
    """Append PKCS#7-style padding so the result is a multiple of 16 long.

    Between 1 and 16 characters are added, each one holding the pad length;
    a message that is already aligned gains a full 16-character block.
    """
    # -len % 16 is 0 for an aligned message, which must become a full block.
    fill = -len(msg) % 16 or 16
    return msg + fill * chr(fill)
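def unpad(msg):
    """Strip the padding added by ``pad`` from a decrypted message.

    The last character is read as the pad length. Only that length is
    checked (1..16 and no longer than the message); the remaining padding
    characters are not compared, so any scheme that stores the length in
    the final position is still accepted.

    Args:
        msg: Decrypted text whose final character encodes the pad length.

    Returns:
        *msg* without its trailing padding.

    Raises:
        ValueError: If *msg* is empty or the pad length is out of range.
            Without this check a length of 0 would silently return an empty
            string (``msg[:-0]``) and an oversized length would return a
            wrong slice instead of failing.
    """
    if not msg:
        raise ValueError('cannot unpad an empty message')
    count = ord(msg[-1])
    if count < 1 or count > 16 or count > len(msg):
        raise ValueError('invalid padding length: %d' % count)
    return msg[:-count]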
def encrypt(key, iv, msg):
    """Encrypt *msg* with AES-CBC and sign the plaintext.

    Returns:
        A ``(ciphertext, signature)`` pair: the base64 text of the padded,
        encrypted message with surrounding whitespace stripped, and the hex
        HMAC of the unencrypted *msg*.
    """
    cipher = AES.new(key, AES.MODE_CBC, IV=iv)
    encoded = cipher.encrypt(pad(msg)).encode('base64').strip()
    # The MAC covers the plaintext, not the ciphertext.
    return encoded, calc_hmac(msg)
def decrypt(key, iv, c):
    """Decrypt AES-CBC ciphertext *c* and strip its padding.

    *c* is the raw ciphertext; callers in this file base64-decode the
    response body before passing it in. No signature or integrity check is
    performed here.
    """
    cipher = AES.new(key, AES.MODE_CBC, IV=iv)
    return unpad(cipher.decrypt(c))
# Service root; the endpoint paths below are joined onto it.
URL = 'https://cedec.seccon.jp'

# First-stage key material: two literal halves XORed together, plus a
# literal IV.
# NOTE(review): because every value here is a constant, the first-stage key
# is the same for every session and gives no secrecy against anyone who
# holds these constants.
KEY_A = 'def4ul7KeY1Z3456'
KEY_B = 'K33pK3y53cr3TYea'
KEY = xor(KEY_A, KEY_B)
IV = 'IVisNotSecret123'

key, iv = KEY, IV
uuid = sys.argv[1]

# Request 1: send the uuid under the first-stage key. The decrypted reply
# carries a 'metadata' object whose key and iv replace the first-stage ones.
# The reply is decrypted without any signature check.
key_url = urlparse.urljoin(URL, '/2017/key')
data, sig = encrypt(key, iv, json.dumps({'uuid': uuid}))
r = requests.post(key_url, data={'data': data}, headers={'X-Signature': sig})
cookies = r.cookies
key_reply = json.loads(decrypt(key, iv, r.content.decode('base64')))
metadata = key_reply['metadata']
key, iv = metadata['key'], metadata['iv']

# Request 2: submit a score record under the key and iv from the reply.
# The score is simply the value placed in the payload; the signature only
# shows knowledge of HMAC_KEY.
# NOTE(review): a server that needs trustworthy scores has to bound or
# recompute them itself rather than rely on client-side encryption and
# signing.
score_payload = {
    "myScore": {
        "musicId": 1,
        "difficulty": 0,
        "score": 123456789,
        "name": "",
        "uuid": uuid
    }
}
data, sig = encrypt(key, iv, json.dumps(score_payload))
print(data)

score_url = urlparse.urljoin(URL, '/2017/score')
r = requests.post(score_url, data={'data': data},
                  headers={'X-Signature': sig}, cookies=cookies)
cookies = r.cookies
res = json.loads(decrypt(key, iv, r.content.decode('base64')))
scores, metadata = res['gameScores'], res['metadata']
# The refreshed iv is stored but not used again in this script.
iv = metadata['iv']
print(json.dumps(scores))