CSAW CTF 2014 feal(modified)

1. import os
2. import array
3. import binascii
4. import SocketServer
5. import base64 as b64
6. from hashlib import sha1
7.  
8. SUBKEY = "000000000000000000000000"
9. PLAINTEXT = "ThisIsTheTestKey"
10.  
11. def rot3(x):
12.     return ((x<<3)|(x>>5))&0xff
13.  
14.  
15. def gBox(a,b,mode):
16.     return rot3((a+b+mode)%256)
17. def fBox(plain):
18.     t0 = (plain[2] ^ plain[3])
19.     y1 = gBox(plain[0] ^ plain[1], t0, 1)
20.     y0 = gBox(plain[0], y1, 0)
21.     y2 = gBox(t0, y1, 0)
22.     y3 = gBox(plain[3], y2, 1)
23.  
24.     return [y3, y2, y1, y0]
25.  
26. def encrypt(plain,subkeys):
27.     pleft = plain[0:4]
28.     pright = plain[4:]
29.     def list_xor(l1,l2):
30.         return map(lambda x: x[0]^x[1], zip(l1,l2))
31.     left = list_xor(pleft, subkeys[4])
32.     right = list_xor(pright, subkeys[5])
33.  
34.     R2L = list_xor(left, right)
35.     R2R = list_xor(left, fBox(list_xor(R2L, subkeys[0])))
36.  
37.     R3L = R2R;
38.     R3R = list_xor(R2L, fBox(list_xor(R2R, subkeys[1])))
39.  
40.     R4L = R3R;
41.     R4R = list_xor(R3L, fBox(list_xor(R3R, subkeys[2])))
42.  
43.     cipherLeft = list_xor(R4L, fBox(list_xor(R4R, subkeys[3])))
44.     cipherRight = list_xor(cipherLeft, R4R)
45.  
46.     return cipherLeft+cipherRight
47.  
48. def decrypt(plain,subkeys):
49.     cipherLeft = plain[0:4]
50.     cipherRight = plain[4:]
51.  
52.     def list_xor(l1,l2):
53.         return map(lambda x: x[0]^x[1], zip(l1,l2))
54.     R4R = list_xor(cipherLeft,cipherRight)
55.     R4L = list_xor(cipherLeft, fBox(list_xor(R4R, subkeys[3])))
56.  
57.  
58.     R3R = R4L
59.     R3L = list_xor(R4R , fBox(list_xor(R3R, subkeys[2])))
60.  
61.     R2R = R3L
62.     R2L = list_xor(R3R, fBox(list_xor(R2R, subkeys[1])))
63.  
64.     left = list_xor(R2R, fBox(list_xor(R2L, subkeys[0])))
65.     right = list_xor(left, R2L)
66.  
67.     pleft = list_xor(left, subkeys[4])
68.     pright = list_xor(right, subkeys[5])
69.  
70.     return pleft+pright
71.  
72. def genKeys():
73.     subkeys=[]
74.     for x in xrange(6):
75.         subkeys.append(array.array("B",SUBKEY[x*4:x*4+4]))
76.     return subkeys
77.  
78. def genNull():
79.     subkeys=[]
80.     for x in xrange(6):
81.         subkeys.append([0]*8)
82.     return subkeys
83.  
84.  
85. class HandleCheckin(SocketServer.BaseRequestHandler):
86.     keyPart1 = PLAINTEXT[0:8]
87.     keyPart2 = PLAINTEXT[8:16]
88.     def handle(self):
89.         req = self.request
90.         proof = b64.b64encode(os.urandom(12))
91.         req.sendall("You must first solve a puzzle, a sha1 sum ending in 16 bit's set to 1, it must be of length %s bytes, starting with %s\n" % (len(proof)+5, proof))
92.         test = req.recv(21)
93.         ha = sha1()
94.         ha.update(test)
95.         if (test[0:16] != proof or ord(ha.digest()[-1]) != 0xff
96.                 or ord(ha.digest()[-2]) != 0xff):
97.             req.sendall("NOPE")
98.             req.close()
99.             return
100.  
101.         req.sendall("Welcome to feal 4.3\n")
102.         key=genKeys()
103.         kp1 = array.array("B",self.keyPart1)
104.         kp2 = array.array("B",self.keyPart2)
105.         kp1="".join(map(chr,encrypt(kp1,key)))
106.         kp2="".join(map(chr,encrypt(kp2,key)))
107.         req.sendall("Please decrypt: "+binascii.hexlify(kp1)+binascii.hexlify(kp2)+"\n")
108.         for x in xrange(2048):
109.             toEnc=req.recv(8)
110.             if len(toEnc)!=8:
111.                 req.sendall("Goodbye")
112.                 req.close()
113.                 return
114.             toEnc=array.array("B",toEnc)
115.             toSend=binascii.hexlify("".join(map(chr,encrypt(toEnc,key))))
116.             req.sendall(toSend+"\n")
117. class ThreadedServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
118.     pass
119.  
120. if __name__ == "__main__":
121.     HOST, PORT = "", int(8888)
122.     server = ThreadedServer((HOST, PORT), HandleCheckin)
123.     server.allow_reuse_address = True
124.     server.serve_forever()