SECCON 2017 × CEDEC CHALLENGE - リセマラ
import hashlib
import hmac
import json
import sys
import urlparse

import requests
from Crypto.Cipher import AES
def xor(a, b):
    """XOR two strings character by character.

    The shorter string is repeated cyclically over the longer one, so the
    result always has the length of the longer argument.
    """
    longer, shorter = (b, a) if len(a) < len(b) else (a, b)
    span = len(shorter)
    return ''.join(
        chr(ord(ch) ^ ord(shorter[pos % span]))
        for pos, ch in enumerate(longer)
    )
# Fixed key used by calc_hmac() for the X-Signature request header.
# It is a constant embedded in the client, so a valid signature only shows
# that the sender knows this string; it does not identify a user or session.
HMAC_KEY = 'calcHmac'
def calc_hmac(msg):
    """Return the hex-encoded HMAC-SHA256 of msg, keyed with HMAC_KEY."""
    mac = hmac.new(HMAC_KEY, msg, digestmod=hashlib.sha256)
    return mac.hexdigest()
def pad(msg):
    """Pad msg to a multiple of 16 bytes, PKCS#7 style.

    Between 1 and 16 characters are appended, each equal to the number of
    characters added; an already aligned message gets a full extra block.
    """
    fill = 16 - (len(msg) % 16)
    return msg + fill * chr(fill)
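def unpad(msg):
    """Remove the padding that pad() appends.

    The final character gives the number of characters to strip. The
    original sliced blindly on that value: a final byte of 0 made
    ``msg[:-0]`` return the empty string, a value larger than the message
    silently truncated everything, and empty input raised IndexError.
    The length byte is now range-checked against pad()'s 16-byte block.

    Only the length byte is checked, not the fill bytes, because the
    padding scheme of the data being unpadded is not visible here.

    Raises:
        ValueError: if msg is empty or its final byte is not in 1..16 or
            exceeds the message length.
    """
    if not msg:
        raise ValueError('cannot unpad empty input')
    count = ord(msg[-1])
    if count < 1 or count > 16 or count > len(msg):
        raise ValueError('invalid padding length: %d' % count)
    return msg[:-count]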
def encrypt(key, iv, msg):
    """Encrypt msg with AES-CBC and sign it.

    Returns a tuple ``(ciphertext, signature)``: the base64 text of the
    ciphertext (surrounding whitespace stripped) and the hex HMAC from
    calc_hmac().

    Note that the HMAC is computed over the plaintext msg, not over the
    ciphertext, and does not cover the IV.
    """
    cipher = AES.new(key, AES.MODE_CBC, IV=iv)
    ciphertext = cipher.encrypt(pad(msg))
    signature = calc_hmac(msg)
    encoded = ciphertext.encode('base64').strip()
    return encoded, signature
def decrypt(key, iv, c):
    """Decrypt raw AES-CBC ciphertext c and strip its padding with unpad().

    No signature or other integrity value is checked here; the caller gets
    whatever the ciphertext decrypts to.
    """
    cipher = AES.new(key, AES.MODE_CBC, IV=iv)
    padded = cipher.decrypt(c)
    return unpad(padded)
# Base URL of the challenge API; the endpoint paths are joined onto it.
URL = 'https://cedec.seccon.jp'
# The bootstrap AES key is stored as two fixed halves and rebuilt by XOR.
# Both halves sit side by side in the client, so the split hides nothing
# from anyone who can read this code.
KEY_A = 'def4ul7KeY1Z3456'
KEY_B = 'K33pK3y53cr3TYea'
KEY = xor(KEY_A, KEY_B)
# Fixed IV, used only for the first request of each run of the sequence;
# every later IV is taken from the metadata of the previous reply.
IV = 'IVisNotSecret123'
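# Seconds to wait on each HTTP call. The original passed no timeout, so a
# stalled connection would block the whole run indefinitely.
REQUEST_TIMEOUT = 30


def _call(path, payload, key, iv, cookies=None):
    """POST an encrypted JSON payload and return ``(reply, cookies)``.

    The payload is JSON-encoded, encrypted with key/iv and sent as the
    ``data`` form field, with its HMAC in the X-Signature header. The reply
    body is base64-decoded, decrypted with the same key/iv and parsed as
    JSON. This script checks no signature on the reply before parsing it.
    """
    data, sig = encrypt(key, iv, json.dumps(payload))
    r = requests.post(
        urlparse.urljoin(URL, path),
        data={'data': data},
        headers={'X-Signature': sig},
        cookies=cookies,
        timeout=REQUEST_TIMEOUT,
    )
    reply = json.loads(decrypt(key, iv, r.content.decode('base64')))
    return reply, r.cookies


# The player name is the same for every round, so read it once.
name = sys.argv[1]

# Run the register -> key -> gacha sequence ten times, starting each round
# from the bootstrap key and IV.
for _ in range(10):
    key, iv = KEY, IV

    # 1. Register: the reply carries the new account's UUID and the next IV.
    reply, cookies = _call('/2017/uuid', {'name': name}, key, iv)
    metadata = reply['metadata']
    uuid, iv = metadata['uuid'], metadata['iv']
    # Print the UUID with its ciphertext under the bootstrap key and new IV.
    print('%s %s' % (uuid, encrypt(key, iv, uuid)[0]))

    # 2. Key exchange: still under the bootstrap key; the reply supplies
    #    the key and IV used from here on.
    reply, cookies = _call('/2017/key', {'uuid': uuid}, key, iv, cookies)
    metadata = reply['metadata']
    key, iv = metadata['key'], metadata['iv']

    # 3. Gacha: request a draw of 10 under the server-issued key.
    reply, cookies = _call('/2017/gacha', {'gacha': 10}, key, iv, cookies)
    skills, metadata = reply['skills'], reply['metadata']
    iv = metadata['iv']

    print(json.dumps(skills))
    print('=' * 25)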