from z3 import *# Eight byte nonce conactenated with 8 null bytes# Obtained f

1. from z3 import *
2.  
3. # Eight byte nonce conactenated with 8 null bytes
4. # Obtained from sector 54
5. nonce = [0xB0, 0x99, 0x9B, 0x9E, 0xE4, 0xEE, 0x74, 0xC2, 0, 0, 0, 0, 0, 0, 0, 0]
6.  
7.  
8. # Verification bytes xored with 0x37
9. # Obtained from sector 55
10. # Expanding the key must produce this keystream
11. targetkeystream = [
12. 0xC9, 0xF0, 0x00, 0x00, 0x3E, 0xD0, 0x00, 0x00, 0x58, 0xC5, 0x00, 0x00, 0x54, 0x03, 0x00, 0x00,
13. 0x88, 0xC0, 0x00, 0x00, 0xDC, 0xC8, 0x00, 0x00, 0xE0, 0x71, 0x00, 0x00, 0xC8, 0x85, 0x00, 0x00,
14. 0x00, 0x04, 0x00, 0x00, 0x00, 0xC1, 0x00, 0x00, 0x65, 0x5A, 0x00, 0x00, 0xCA, 0xAD, 0x00, 0x00,
15. 0x36, 0xC6, 0x00, 0x00, 0x8E, 0x33, 0x00, 0x00, 0x56, 0x85, 0x00, 0x00, 0xE8, 0xCA, 0x00, 0x00 ]
16.  
17.  
18. def rotl(value, shift):
19. return (value << shift) | LShR(value, 32-shift)
20.  
21. def quarterround(y0, y1, y2, y3):
22. y1 = y1 ^ rotl(y0 + y3, 7);
23. y2 = y2 ^ rotl(y1 + y0, 9);
24. y3 = y3 ^ rotl(y2 + y1, 13);
25. y0 = y0 ^ rotl(y3 + y2, 18);
26. return y0, y1, y2, y3
27.  
28. def rowround(y):
29. y[0], y[1], y[2], y[3] = quarterround(y[0], y[1], y[2], y[3])
30. y[5], y[6], y[7], y[4] = quarterround(y[5], y[6], y[7], y[4])
31. y[10], y[11], y[8], y[9] = quarterround(y[10], y[11], y[8], y[9])
32. y[15], y[12], y[13], y[14] = quarterround(y[15], y[12], y[13], y[14])
33. return y
34.  
35. def columnround(x):
36. x[0], x[4], x[8], x[12] = quarterround(x[0], x[4], x[8], x[12])
37. x[5], x[9], x[13], x[1] = quarterround(x[5], x[9], x[13], x[1])
38. x[10], x[14], x[2], x[6] = quarterround(x[10], x[14], x[2], x[6])
39. x[15], x[3], x[7], x[11] = quarterround(x[15], x[3], x[7], x[11])
40. return x
41.  
42. def doubleround(x):
43. x = columnround(x)
44. x = rowround(x)
45. return x
46.  
47. def littleendian(b0, b1):
48. return b1, b0
49.  
50. def rev_littleendian(b, w, i):
51. b[i + 0] = Extract(7, 0, w)
52. b[i + 1] = Extract(15, 8, w)
53. b[i + 2] = BitVecVal(0, 8)
54. b[i + 3] = BitVecVal(0, 8)
55. return b
56.  
57. def hash(seq):
58. x = [BitVec('x_%d' %i, 16) for i in range(16)]
59. z = [BitVec('z_%d' %i, 16) for i in range(16)]
60.  
61. for i in range(16):
62. b0, b1 = littleendian(seq[4*i], seq[4*i + 1])
63. x[i] = z[i] = Concat(BitVecVal(0, 8), b1) + Concat(b0, BitVecVal(0, 8))
64.  
65. for i in range(10):
66. z = doubleround(z)
67.  
68. for i in range(16):
69. z[i] += x[i]
70. seq = rev_littleendian(seq, z[i], 4*i)
71.  
72. return seq
73.  
74. def expand32(k, n, keystream):
75. o = [
76. [ 'e', 'x', 'p', 'a' ],
77. [ 'n', 'd', ' ', '3' ],
78. [ '2', '-', 'b', 'y' ],
79. [ 't', 'e', ' ', 'k' ]
80. ]
81.  
82. for i in range(0, 64, 20):
83. for j in range(4):
84. keystream[i+j] = BitVecVal(ord(o[i / 20][j]), 8)
85.  
86. for i in range(16):
87. keystream[4+i] = k[i]
88. keystream[44+i] = k[i+16]
89. keystream[24+i] = n[i]
90.  
91. keystream = hash(keystream)
92. return k, n, keystream
93.  
94. def main():
95. global nonce, targetkeystream
96.  
97. n = [BitVecVal(i, 8) for i in nonce]
98. keystream = [0] * 64
99. key, bvlist = [], []
100.  
101. for i in range(16):
102. bv = BitVec('k_%d' %i, 8)
103. bvlist.append(bv)
104. key.append(bv+122)
105. key.append(bv*2)
106.  
107. key, n, keystream = expand32(key, n, keystream)
108. s = Solver()
109.  
110. for i in range(len(targetkeystream)):
111. s.add(keystream[i] == targetkeystream[i])
112.  
113. if s.check() == sat:
114. print 'Key Found:',
115. m = s.model()
116. keystring = reduce(lambda acc, x: acc + '1' if m[x] == None else acc + chr(m[x].as_long()), bvlist, '')
117. print keystring
118.  
119. if __name__ == '__main__':
120. main()