I'm trying to learn length extension attacks, using the Python Implementation of SHA256 from Pypy (here).
As part of the attack, I have access to a SHA256 hex token and I wish to re-use it as an Initialization Vector (IV) for appending the next "string" and padding.
token = '96ef293fdc1cee33ab9b56b13c2a626927c95da2d391c71cf99a2317aaa31408'
However, I can't seem to figure out any way to change the state of SHA256 model. One way I think I can achieve the above task is by hard-coding the known token as IV in the SHA256 model's digest. But I am having a hard time understanding how to translate my Hex Token to the form expected in the digest.
img of sha256 model from pypy
Excuse me for any missing information, let me know if anything else would help to understand my query better!
Related
I am using a Keygen application (.exe). There are two input fields in it's GUI:
p1 - at least 1 digit, 10 digits max - ^[0-9]{1,10}$
p2 - 12 chars max - uppercase letters/digits/underscores - ^[A-Z0-9_]{0,12}$
Pressing generate button produce a key x.
x - 20 digits exactly - ^[0-9]{20}$
For each pair (p1,p2), there is only one x (in other words: f(p1,p2) = x is a function)
I am interested in it's encryption algorithm.
Is there any way of reverse engineering the algorithm?
I thought of two ways:
decompiling. I used snowman, but the output is too polluted. The decompiled code probably contains non-relevant parts, such as the GUI.
analyzing of input and output. I wonder if there any option to determine the used encryption algorithm by analyzing a set of f(p1,p2) = x results.
As you mentioned, using snowman or some other decompiling tools is probably the way to go.
I doubt you would be able to determine the algorithm just by looking at the input output combinations, since it is possible to write any kind of arbitrary algorithm, that can behave in any way.
Perhaps you could just ask the author what algorithm they're using ?
Unless it's something really simple, I'd rule out your option 2 of trying to figure it out by looking at input and output pairs.
For decompiling / reverse engineering a static binary, you should first determine whether it's a .NET application or something else. If it's written in .NET you can try this for decompilation:
https://www.jetbrains.com/decompiler/
It's really easy to use, unless the binary has been obfuscated.
If the application is not a .NET application, you can try Ghidra and/or Cutter which both has pretty impressive decompilers built in:
https://ghidra-sre.org/
https://cutter.re/
If static code analysis is not enough, you can add a debugger to it. Ghidra and x64dbg work really well together, and can be synced via a plugin installed in both.
If you're new to this, I can recommend both that you look into basic assembler for the x86 platform so you have a general idea of how the CPU works. Another way to get started is "crackme" style challenges from CTF competitions. Often there great write-ups with the solution, so you have both the question and answer available.
Good luck!
Type in p1 and p2. Scan the process for that byte string. Then put a hardware breakpoint for memory access on it. Generate the key, it will hit that hardware breakpoint. Then you have the address which accesses it and start reversing from there in Ghidra(Don't forget to use BASE + OFFSET) since ghidra's output won't have the same base as the running application. The relevant code HAS to access the inputs. So you know where the algorithm is. Since it either directly accesses it, or somewhere within that call chain is accessed relatively fast. Nobody can know without actually seeing the executable.
Let us assume I am using the Python3.g4 grammar:
How can I write a program that parses a python-script, walks the syntax tree and outputs the same old program?
Later I want to apply some changes to the program, but for now I would be happy if I could just reproduce the program.
By now I guess I lose some information when walking an abstract syntax tree and there is no easy way.
The problem is that you are losing all the content of tokens on the a hidden channel. Therefore you have to check each token in your parse tree whether there is a hidden token in the TokenStream next to it that is not listed in the ParseTree.
For this the methods getHiddenTokensToRight and getHiddenTokensToLeft in the BufferedTokenStream should be the right tools for this work.
However if you just want a reproduction of the parsed input you should try to access the TokenStream directly and read out Token after Token from there without taking care of the channel the Token is on.
With that you should be able to reproduce the original input without many problems.
First of all, I'm a beginner in the OpenSSL world. I apologize in advance for any basic, barbaric errors.
Consider a flow:
Initialize OpenSSL with engine using hardware (let's call it EngineHW).
Call an OpenSSL function, e.g. X509_sign.
How to check if the function called was performed on the hardware?
How to verify the EngineHW function was called? What if the function is not defined by EngineHW - will OpenSSL fallback to any default engine it has?
The question is related to asserting quality - since I've got the hardware to do crypto for me, I consider using software a regression (at least for the important functions).
Not sure what the purpose of this is. Are you testing that OpenSSL works or are you testing your own code?
It seems you want to do regression testing of OpenSSL and HSM?
However, if you want to test if X509_sign works then remove all software/disk based keys from the test system and check if you can sign something. If you get a valid signature you can be sure it comes from your HSM. If you get null back, it is not.
OpenSSL doesn't fallback to a different sign function and even if it did, it can't sign since it needs a key to sign.
Hope that answered your question.
I have inherited Android code that uses the following cipher:
ks = new SecretKeySpec(key, "AES");
ciph = Cipher.getInstance("AES");
As only "AES" is given, I don't know what the keysize, modes, and padding are. I've looked over the Bouncy Castle* documentation, but I can't find where the "AES" instance is described. I'd like to use a more explicit instance description (e.g. "AES/ECB/PCKS5Padding"), if I can.
Does anyone know what the keysize, modes, and padding are of this instance?
Thanks!
*I've read that Android uses Bouncy Castle as its default provider, but I haven't found that anywhere official, so I could be making an unhelpful assumption here.
Java defaults to "AES/ECB/PKCS5Padding" by default, as specified by the Oracle documentation.
If no mode or padding is specified, provider-specific default values
for the mode and padding scheme are used. For example, the SunJCE
provider uses ECB as the default mode, and PKCS5Padding as the default
padding scheme for DES, DES-EDE and Blowfish ciphers. This means that
in the case of the SunJCE provider:
Cipher c1 = Cipher.getInstance("DES/ECB/PKCS5Padding"); and
Cipher c1 = Cipher.getInstance("DES"); are equivalent statements.
See creating a Cipher object in the Oracle documentation.
I've just checked using a debugger myself. At least for Android 4.0 it seems that Android defaults to the same encryption and padding mode (as expected). The outcome using the default provider of a single (00-valued) byte is a padded plain text with value 000F0F0F0F0F0F0F0F0F0F0F0F0F0F0F in hexadecimals. This is clearly PKCS#5 padding, or more correctly PKCS#7 padding which is the same padding as PKCS#5 for 16-byte block ciphers.
In principle any provider can have a different default from the default "SunJCE" provider. However, that would break applications that assume that the Oracle / OpenJDK default is used.
Instead of leaving your colleague programmers in the dark, it is strongly recommended to specify the entire string including mode & padding and not to rely on defaults for cryptographic algorithms (with the exception of SecureRandom, where specifying the algorithm is usually not recommended).
From what I know, In java it stands for AES in ECB mode without padding
. And I think it's the same on android. I would recomend you running a simple test encrypt something on android and decrypt it using AES/ECB/NoPadding using Java or android. Plus if you don't see any IV in this app it's another, point in this direction.
Does anyone know how to pass password to decode function in LZMA SDK?
Looking at the sources and another thread here, I'm guessing it will be good to start looking at where and how the sha256* functions are defined and used. The documentation appears minimal to nothing, so the code should be your major guide along with your knowledge of cryptography.