Tags: aes crypto pcbc 

Rating: 3.0

# Androids Encryption Writeup

### Pwn2Win CTF 2020 - crypto 115 - 108 solves

> We intercept an algorithm that is used among Androids. There are many hidden variables. Is it possible to recover the message? `nc encryption.pwn2.win 1337`

#### Observation

`BLOCK_SIZE = 16`. Two modes:

1. Encrypt user input plaintext: `enc_plaintext()`
- AES with PCBC using `key1`, `iv1`.
- `key2`, `iv2` is updated based on ciphertext result and `iv2`.
- `iv2 = AES.new(key2, AES.MODE_ECB).decrypt(iv2)`
- `key2 = xor(to_blocks(ctxt))`
- Encrypted result and iv given.
2. Encrypt flag: `enc_flag()`
- AES with PCBC using `key2`, `iv2`.
- `iv2`, `key2` is updated with same logic introduced at `1.`
- Encrypted result and iv given.

#### Exploit

I can control `key2` by encrypting single block(`'A' * BLOCK_SIZE`). `key2` is updated by the following logic.

```python
def to_blocks(txt):
return [txt[i*BLOCK_SIZE:(i+1)*BLOCK_SIZE] for i in range(len(txt)//BLOCK_SIZE)]

def xor(b1, b2=None):
if isinstance(b1, list) and b2 is None:
assert len(set([len(b) for b in b1])) == 1, 'xor() - Invalid input size'
assert all([isinstance(b, bytes) for b in b1]), 'xor() - Invalid input type'
x = [len(b) for b in b1][0]*b'\x00' # BLOCK_SIZE * 16
for b in b1:
x = xor(x, b)
return x
assert isinstance(b1, bytes) and isinstance(b2, bytes), 'xor() - Invalid input type'
return bytes([a ^ b for a, b in zip(b1, b2)])

key2 = xor(to_blocks(ctxt))
```

After controlling `key2`, ask the server to get encrypted flag. The flag must be encrypted with `key2`. Also, I know the value of `ctxt`, so `key2` is known and iv used for flag encryption is given.

```python
pt = 'A' * BLOCK_SIZE
_, ct = encrypt_your_secret(pt)
key2 = xor(to_blocks(ct))
iv, ct_flag = encrypt_my_secret()
assert len(ct_flag) == BLOCK_SIZE * 3

aes = AES.new(key2, AES.MODE_ECB)
flag = b''
blocks = to_blocks(ct_flag)
curr = iv
for block in blocks: # PCBC
flag += xor(aes.decrypt(block), curr)
curr = xor(flag[-BLOCK_SIZE:], block)
flag = flag.decode()
```

By knowing iv and key, decrypt and get the flag:

```
CTF-BR{kn3W_7h4T_7hEr3_4r3_Pc8C_r3pe471ti0ns?!?}
```

Original source: [server.py](server.py)

Exploit code: [solve.py](solve.py)

Original writeup (https://github.com/pcw109550/write-up/tree/master/2020/Pwn2Win/Androids_Encryption).