Skip to content

Instantly share code, notes, and snippets.

@blindFS
Created July 24, 2014 05:22
Show Gist options
  • Save blindFS/c38d8daecbdb2482c952 to your computer and use it in GitHub Desktop.
Save blindFS/c38d8daecbdb2482c952 to your computer and use it in GitHub Desktop.
import urllib2
import copy
TARGET = 'http://crypto-class.appspot.com/po?er='
cipher_text = 'f20bdba6ff29eed7b046d1df9fb7000058b1ffb4210a580f748b4ac714c001bd4a61044426fb515dad3f21f18aa577c0bdf302936266926ff37dbf7035d5eeb4'.decode('hex')
IV = cipher_text[:16]
c_blocks = [IV, cipher_text[16:32], cipher_text[32:48], cipher_text[48:64]]
m_blocks = [[0]*16, [0]*16, [0]*16]
class PaddingOracle(object):
def query(self, q):
target = TARGET + urllib2.quote(q) # Create query URL
req = urllib2.Request(target) # Send HTTP request to server
try:
urllib2.urlopen(req) # Wait for response
return True
except urllib2.HTTPError, e:
print "We got: %d" % e.code # Print response code
if e.code == 404:
return True # good padding
return False # bad padding
def decrypt_block(index):
c = ''.join(c_blocks[:index+2])
m = m_blocks[index]
for bi in xrange(16):
decrypt_byte(c, m, bi)
def decrypt_byte(c, m, b_index):
po = PaddingOracle()
cc = copy.copy(c)
tail = ""
for j in xrange(b_index):
old_char = ord(c[-17-j]) ^ (b_index+1) ^ m[-1-j]
tail = chr(old_char)+tail
for i in xrange(256):
# i = 127-i
i = i+9
query = cc[:-17-b_index]
char = ord(c[-17-b_index]) ^ (b_index+1) ^ i
query += chr(char)
query += tail
query += cc[-16:]
q = "".join("{:02x}".format(ord(c)) for c in query)
if po.query(q):
print "index "+str(b_index)+" OK!"
print "char:"+str(i)
m[-1-b_index] = i
return
def dec():
for i in xrange(3):
decrypt_block(i)
print ''.join(map(chr, m_blocks[i]))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment