from pwn import *
def run():
    """Recover the plaintext behind the service's ciphertext through its padding oracle.

    The service at babypad.be.ax:1337 first prints a hex-encoded ciphertext and
    then answers every submitted hex blob with ``1`` when the decrypted data
    carries valid padding. That one bit is the whole oracle: the plaintext is
    rebuilt byte by byte, from the end towards the start, with at most 255
    queries per byte. The defensive lesson is that padding validity must not be
    observable to a client at all: authenticate the ciphertext (AEAD or
    encrypt-then-MAC) and reject unauthenticated input before unpadding.

    Returns:
        A bytearray holding the recovered plaintext; its last four bytes are
        assumed (not recovered) to be a PKCS#7 pad of four 0x04 bytes.

    Raises:
        Exception: when no candidate value yields valid padding at a position.
    """
    # Local-server variant of the connection, kept for reference:
    # r = process(["python", "./server.py"])
    conn = remote("babypad.be.ax", 1337)
    ciphertext = bytes.fromhex(conn.readline().decode().strip())
    print(ciphertext.hex())

    def oracle_accepts(s):
        """Submit ``s`` (str or bytes) and report whether the service answered ``1``."""
        payload = s.encode() if isinstance(s, str) else s
        conn.readuntil("> ")
        conn.sendline(payload.hex())
        answer = conn.readline().decode().strip()
        return int(answer) == 1

    # Plaintext bytes recovered so far; zero where still unknown.
    recovered = bytearray(len(ciphertext))

    def recover_byte(position):
        """Return the plaintext byte at ``position`` by trying every candidate value.

        ``npads`` is the pad length that would end the block containing
        ``position``. The bytes after ``position`` up to that block boundary are
        already recovered, so the probe forces them to ``npads`` and only the
        byte under test varies; the probe is truncated at the block boundary.
        The candidate equal to ``npads`` is deliberately skipped, matching the
        original search.
        """
        npads = 16 - position % 16
        block_end = position + npads
        for candidate in range(256):
            if candidate == npads:
                continue
            # XOR-ing in the recovered bytes cancels the known plaintext there.
            probe = bytearray(xor(ciphertext, recovered))
            probe[position] ^= candidate ^ npads
            for idx in range(position + 1, block_end):
                probe[idx] ^= npads
            if oracle_accepts(probe[:block_end]):
                return candidate
        raise Exception("none found for", position)

    # The trailing pad length was originally brute-forced; it is pinned to 4
    # here so the walk starts at the last non-padding byte.
    # actual_pad = run_test(len(enc) - 1)
    # print("found pad", actual_pad)
    actual_pad = 4
    recovered[-4:] = b"\x04\x04\x04\x04"

    # Walk backwards from the last non-padding byte to the first byte.
    for position in range(len(ciphertext) - 5, -1, -1):
        value = recover_byte(position)
        print(recovered)
        recovered[position] = value

    return recovered
if __name__ == "__main__":
    # Script entry point: runs the oracle walk against the remote service.
    run()