py4h4sher_solution.py

a guest
Aug 19th, 2014
#!/usr/bin/python
# coding: utf-8

'''
This only explains how I found the stage1 data (stage2 and stage3 are the
same as others').

stage1 asks for data whose mysql323 hash is 'AAAAAAAA'. For each input byte
the hash state is updated as below; 'nr' becomes the first 4 bytes of the
hash and 'nr2' the last 4 bytes.

    unsigned int tmp = pass[i];
    nr ^= (((nr & 63)+add)*tmp)+ (nr << 8);
    nr2 += ((nr2 << 8) ^ nr);
    add += tmp;

The differences between this challenge and the real mysql323 hash are
- '\x00' does not terminate the string here, so we can use it.
- the data size is limited only by the POST body size (~20M should be fine)

If we feed '\x00' ('tmp' is 0), the product term vanishes and 'add' does not
change, so 'nr' is simply updated as

    nr ^= (nr << 8);

This is only a shift and an xor: treating 'nr' as a polynomial over GF(2),
the update multiplies it by (1 + z^8) modulo z^32, and (1 + z^8)^4 = 1 + z^32
reduces to 1, so four such updates return 'nr' to its starting value. This is
useful because we can hold 'nr' fixed (every 4 bytes) while 'nr2' keeps
changing.

So my idea is
- find data that brings 'nr' to 'AAAA' (0x41414141)
- then append '\x00\x00\x00\x00' until 'nr2' is also 'AAAA'

The problems left are
- once 'nr' is 'AAAA', the 'nr2' we got may never become 'AAAA' no matter how
  many '\x00\x00\x00\x00' blocks are appended
- the trailing zeros might be too long for the POST body

I solved both problems with a lookup table. Before brute-forcing, I
pre-computed the 'nr2' values that the zero padding can turn into 'AAAA',
and I limited the trailing zeros to 16M.

Done!!

The first time I ran the program, I found 'eed70d1019' with 4016703 (~4M)
zeros within a minute. I got the flag with this data. Then I tried changing
the starting 'pass_len' and ran the program for a few minutes with each
value, and found one with not too many zeros ('4c5ac816000000007e' with
62131 zeros).

Below is the python code for the POST request.
'''

import httplib   # Python 2 (the page's original code); Python 3 would use http.client

headers = {
    'User-Agent': 'plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd'
}

conn = httplib.HTTPConnection("203.66.14.43", 80)

# stage1 = a prefix that brings 'nr' to 'AAAA', followed by the number of
# '\x00' bytes that bring 'nr2' to 'AAAA'. The bytes are sent raw, not
# URL-encoded. The commented-out lines are the earlier, longer solutions.
params = 'checksum=af247ce6e8c70768eae27ec6feae34f6&mode=a&stage1='
#params += 'eed70d1019'.decode('hex')+'\x00'*4016703
#params += 'e2b52d160021'.decode('hex')+'\x00'*1422017
params += '4c5ac816000000007e'.decode('hex')+'\x00'*62131
params += '&stage2=eBkXQTfuBqp%27cTcar%26g*&stage3=e&stage3=n&stage3=0&stage3=i&stage3=0&stage3=gma'

conn.request("POST", "/cgi-bin/py4h4sher?filename=py4h4sher&mode=download", params, headers)
resp = conn.getresponse()
print resp.status
data = resp.read()
print data

"""
Congrat! The flag is HITCON{th1s_1s_bas1c_cha11enge_f0r_p3nt3st3r!}
"""
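Added example, not the author's solver and not code from the page: the hash update, the NUL cycle and the 'nr2' lookup table described in the explanation above, written in Python 3 so the zero-padding idea can be checked offline against a candidate prefix. It assumes the challenge keeps the start values of the real OLD_PASSWORD() (nr=1345345333, nr2=0x12345671, add=7), 32-bit unsigned arithmetic, no byte skipping, and an output of nr followed by nr2 as big-endian bytes; those assumptions and every function name below are this example's own, the page states none of them.

```python
#!/usr/bin/env python3
"""Added example, not the original solver: the hash state machine, the NUL
cycle and the nr2 lookup table described in the explanation above.

Assumptions (the page does not state them): the challenge keeps the start
values of the real OLD_PASSWORD() (nr=1345345333, nr2=0x12345671, add=7),
uses 32-bit unsigned arithmetic, feeds every byte through the loop (NUL
included, nothing skipped) and outputs nr then nr2 as four big-endian
bytes each. The function names are this example's own.
"""
import struct

MASK = 0xFFFFFFFF
TARGET = 0x41414141                 # b"AAAA": wanted value of both nr and nr2
INIT = (1345345333, 0x12345671, 7)  # (nr, nr2, add) before the first byte


def step(state, tmp):
    """One byte of the update quoted in the writeup, reduced mod 2**32."""
    nr, nr2, add = state
    nr = (nr ^ ((((nr & 63) + add) * tmp) + (nr << 8))) & MASK
    nr2 = (nr2 + ((nr2 << 8) ^ nr)) & MASK
    return nr, nr2, (add + tmp) & MASK


def mysql323_state(data, state=INIT):
    """Run the loop over data from the given state; returns (nr, nr2, add)."""
    for tmp in data:
        state = step(state, tmp)
    return state


def digest(data):
    """The 8-byte hash the challenge compares against b'AAAAAAAA'."""
    nr, nr2, _ = mysql323_state(data)
    return struct.pack(">II", nr, nr2)


def shift_xor(nr):
    """What one NUL byte does to nr: tmp == 0 kills the product term."""
    return (nr ^ (nr << 8)) & MASK


def nul_cycle():
    """The four nr values NULs visit after nr == TARGET; the last is TARGET."""
    seq, nr = [], TARGET
    for _ in range(4):
        nr = shift_xor(nr)
        seq.append(nr)
    return seq


def invert_nr2_step(y, nr):
    """Solve x + ((x << 8) ^ nr) == y (mod 2**32) for x, lowest byte first:
    byte i of the left side depends only on bytes <= i of x plus the carry."""
    x, carry = 0, 0
    for i in range(4):
        s = (((x << 8) ^ nr) >> (8 * i)) & 0xFF   # uses only bytes below i of x
        xb = ((y >> (8 * i)) - s - carry) & 0xFF
        carry = (xb + s + carry) >> 8
        x |= xb << (8 * i)
    return x


def build_table(max_blocks):
    """nr2 value (sampled when nr == TARGET) -> NULs that reach (TARGET, TARGET).
    Walks backwards from the goal one block of four NULs at a time."""
    cyc = nul_cycle()
    table, nr2 = {TARGET: 0}, TARGET
    for k in range(1, max_blocks + 1):
        for nr in reversed(cyc):             # undo the block's four updates
            nr2 = invert_nr2_step(nr2, nr)
        table.setdefault(nr2, 4 * k)         # keep the shortest tail
    return table


def tail_for_prefix(prefix, table):
    """NULs to append so digest(prefix + NULs) == b'AAAAAAAA', or None.
    Up to three NULs first finish nr's cycle, then the table decides for nr2."""
    state = mysql323_state(prefix)
    for extra in range(4):
        nr, nr2, _ = state
        if nr == TARGET and nr2 in table:
            return extra + table[nr2]
        state = step(state, 0)
    return None


if __name__ == "__main__":
    table = build_table(16000)          # tails up to 64000 NULs
    prefix = bytes.fromhex("4c5ac816000000007e")   # the writeup's final prefix
    print("table:", tail_for_prefix(prefix, table),
          "direct:", digest(prefix + b"\0" * 62131) == b"AAAAAAAA")
```

The backward walk works because each nr2 update is invertible for a fixed nr: addition only carries upward and the xor is byte-wise, so the bytes of the previous nr2 can be recovered low to high. Only the table and the check of a candidate are shown; the brute-force half of the plan (finding a prefix that lands nr in the four-value cycle) is left out, since a random prefix succeeds with probability well below 2^-30 and is a job for a compiled loop. If the assumptions above match the challenge, the main block reports 62131 from the table and True from the direct hash for the writeup's final prefix.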