Convert hex to base64
The string:

49276d206b696c6c696e6720796f757220627261696e206c696b65206120706f69736f6e6f7573206d757368726f6f6d

Should produce:

SSdtIGtpbGxpbmcgeW91ciBicmFpbiBsaWtlIGEgcG9pc29ub3VzIG11c2hyb29t

So go ahead and make that happen. You'll need to use this code for the rest of the exercises.

In [18]:
!pip install cryptography

Collecting cryptography
  Downloading cryptography-44.0.2-cp39-abi3-manylinux_2_34_x86_64.whl.metadata (5.7 kB)
Downloading cryptography-44.0.2-cp39-abi3-manylinux_2_34_x86_64.whl (4.2 MB)
[2K   [38;2;114;156;31m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m4.2/4.2 MB[0m [31m26.5 MB/s[0m eta [36m0:00:00[0m MB/s[0m eta [36m0:00:01[0m
Installing collected packages: cryptography
Successfully installed cryptography-44.0.2


In [30]:
import codecs

data = "49276d206b696c6c696e6720796f757220627261696e206c696b65206120706f69736f6e6f7573206d757368726f6f6d"
codecs.encode(codecs.decode(data, 'hex'), 'base64')

b'SSdtIGtpbGxpbmcgeW91ciBicmFpbiBsaWtlIGEgcG9pc29ub3VzIG11c2hyb29t\n'

Fixed XOR
Write a function that takes two equal-length buffers and produces their XOR combination.

If your function works properly, then when you feed it the string:
```
1c0111001f010100061a024b53535009181c
```
... after hex decoding, and when XOR'd against:

```
686974207468652062756c6c277320657965
```
... should produce:

```
746865206b696420646f6e277420706c6179
```

In [31]:
def fixed_xor(buffer1, buffer2):
    if(len(buffer1) != len(buffer2)):
        return

    bytes1 = bytes.fromhex(buffer1)
    bytes2 = bytes.fromhex(buffer2)


    result = bytes([b1 ^ b2 for b1, b2 in zip(bytes1, bytes2)])

    return result.hex()

In [32]:
fixed_xor("1c0111001f010100061a024b53535009181c", "686974207468652062756c6c277320657965") == "746865206b696420646f6e277420706c6179"

True

Single-byte XOR cipher
The hex encoded string:
```
1b37373331363f78151b7f2b783431333d78397828372d363c78373e783a393b3736
```
... has been XOR'd against a single character. Find the key, decrypt the message.

You can do this by hand. But don't: write code to do it for you.

How? Devise some method for "scoring" a piece of English plaintext. Character frequency is a good metric. Evaluate each output and choose the one with the best score.

In [33]:
def single_byte_xor_cipher(hex_string):
    try:
        ciphertext = bytes.fromhex(hex_string.strip())
    except (ValueError, AttributeError):
        if isinstance(hex_string, bytes):
            ciphertext = hex_string
        else:
            return 0, "", -999  # Return very low score for invalid
    
    char_freq = {
        ' ': 18.0, 'e': 12.0, 't': 9.0, 'a': 8.0, 'o': 7.5, 'i': 7.0,
        'n': 6.7, 's': 6.3, 'h': 6.1, 'r': 6.0, 'd': 4.2, 'l': 4.0,
        'u': 3.4, 'c': 2.8, 'm': 2.6, 'f': 2.2, 'w': 2.0, 'g': 2.0,
        'y': 1.9, 'p': 1.9, 'b': 1.5, 'v': 1.0, 'k': 0.8, 'j': 0.2,
        'x': 0.2, 'q': 0.1, 'z': 0.1
    }
    
    best_score = 0
    best_key = 0
    best_message = ""

    for key in range(128):
        result = bytes([b ^ key for b in ciphertext])
        try:
            message = result.decode('ascii')
            score = 0;

            for char in message.lower():
                try:
                    if (32 <= ord(char) <= 126) or ord(char) in (9, 10, 13): 
                        score += char_freq.get(char, 0)
                    else:
                        score -= 10
                except:
                    score -= 10

            if score > best_score:
                try:
                    message = result.decode('ascii', errors='replace')
                    best_score = score
                    best_key = key
                    best_message = message
                except:
                    continue
                
        except Exception as e:
            continue;

    return best_key, best_message, best_score

hex_string = "1b37373331363f78151b7f2b783431333d78397828372d363c78373e783a393b3736"
key, message, score = single_byte_xor_cipher(hex_string)

print(f"Key (ASCII): '{chr(key)}'")
print(f"Message: {message}")
print(f"Score: {score}")

Key (ASCII): 'X'
Message: Cooking MC's like a pound of bacon
Score: 245.7


Detect single-character XOR
One of the 60-character strings in this file has been encrypted by single-character XOR.

Find it.

(Your code from #3 should help.)

In [34]:
with open('4.txt', 'r') as file:
    best_overall_score = -float('inf')
    best_line_number = 0
    best_key = 0
    best_message = ""
    
    for i, line in enumerate(file, 1):
        # Skip empty lines
        if not line.strip():
            continue
        
        key, message, score = single_byte_xor_cipher(line.strip())
        
        # Keep track of the line with the highest score
        if score > best_overall_score:
            best_overall_score = score
            best_line_number = i
            best_key = key
            best_message = message
    
    print(best_line_number, best_key, best_message, best_overall_score)

171 53 Now that the party is jumping
 229.3


Implement repeating-key XOR
Here is the opening stanza of an important work of the English language:

Burning 'em, if you ain't quick and nimble
I go crazy when I hear a cymbal
Encrypt it, under the key "ICE", using repeating-key XOR.

In repeating-key XOR, you'll sequentially apply each byte of the key; the first byte of plaintext will be XOR'd against I, the next C, the next E, then I again for the 4th byte, and so on.

It should come out to:
```
0b3637272a2b2e63622c2e69692a23693a2a3c6324202d623d63343c2a26226324272765272
a282b2f20430a652e2c652a3124333a653e2b2027630c692b20283165286326302e27282f
```
Encrypt a bunch of stuff using your repeating-key XOR function. Encrypt your mail. Encrypt your password file. Your .sig file. Get a feel for it. I promise, we aren't wasting your time with this.

In [49]:
plaintext = """Burning 'em, if you ain't quick and nimble
I go crazy when I hear a cymbal"""

def encrypt_using_key(string_to_encode, key):
    bytes_to_encode = bytes(string_to_encode, 'utf-8')
    bytes_key = bytes(key, 'utf-8')
    encrypted = bytearray()

    for i, byte in enumerate(bytes_to_encode):
        byte_key = bytes_key[i % len(bytes_key)]
        encrypted.append(byte_key ^ byte)

    
    return encrypted.hex()
        
    
encrypted = encrypt_using_key(plaintext, "ICE")
print(encrypted)
expected = "0b3637272a2b2e63622c2e69692a23693a2a3c6324202d623d63343c2a26226324272765272a282b2f20430a652e2c652a3124333a653e2b2027630c692b20283165286326302e27282f"
print(f"Matches expected output: {encrypted == expected}")

0b3637272a2b2e63622c2e69692a23693a2a3c6324202d623d63343c2a26226324272765272a282b2f20430a652e2c652a3124333a653e2b2027630c692b20283165286326302e27282f
Matches expected output: True


AES in ECB mode
The Base64-encoded content in this file has been encrypted via AES-128 in ECB mode under the key

"YELLOW SUBMARINE".
(case-sensitive, without the quotes; exactly 16 characters; I like "YELLOW SUBMARINE" because it's exactly 16 bytes long, and now you do too).
Decrypt it. You know the key, after all.
Easiest way: use OpenSSL::Cipher and give it AES-128-ECB as the cipher.
Do this with code.
You can obviously decrypt this using the OpenSSL command-line tool, but we're having you get ECB working in code for a reason. You'll need it a lot later on, and not just for attacking ECB.


In [36]:
import base64

def hamming_distance(str1, str2):
    if len(str1) != len(str2):
        raise ValueError("Byte strings must be of equal length")

    # byte_str1 = bytes(str1, 'utf-8')
    # byte_str2 = bytes(str2, 'utf-8')

    xor_result = bytes([b1 ^ b2 for b1, b2 in zip(str1, str2)])

    distance = 0
    for byte in xor_result:
        while byte:
            distance += byte & 1
            byte >>= 1

    return distance


def find_key_size(ciphertext, min_size=2, max_size=40, num_blocks=4):
    best_distances = []
    
    for key_size in range(min_size, max_size + 1):

        if len(ciphertext) < key_size * num_blocks:
            break
        
        distances = []
        for i in range(num_blocks - 1):
            block1 = ciphertext[i * key_size:(i + 1) * key_size]
            block2 = ciphertext[(i + 1) * key_size:(i + 2) * key_size]
            distance = hamming_distance(block1, block2)
            # Normalize by key size
            distances.append(distance / key_size)
        
        # Average the distances
        avg_distance = sum(distances) / len(distances)
        best_distances.append((key_size, avg_distance))
    
    # Sort by distance (lowest first)
    best_distances.sort(key=lambda x: x[1])
    return best_distances

def score_english_text(text):
    """
    Score text based on character frequency in English.
    Higher score means more likely to be English text.
    """
    char_freq = {
        ' ': 18.0, 'e': 12.0, 't': 9.0, 'a': 8.0, 'o': 7.5, 'i': 7.0,
        'n': 6.7, 's': 6.3, 'h': 6.1, 'r': 6.0, 'd': 4.2, 'l': 4.0,
        'u': 3.4, 'c': 2.8, 'm': 2.6, 'f': 2.2, 'w': 2.0, 'g': 2.0,
        'y': 1.9, 'p': 1.9, 'b': 1.5, 'v': 1.0, 'k': 0.8, 'j': 0.2,
        'x': 0.2, 'q': 0.1, 'z': 0.1
    }
    
    score = 0
    for char in text.lower():
        score += char_freq.get(char, 0)

        if not (32 <= ord(char) <= 126) and char not in '\t\n\r':
            score -= 10
    
    return score

def single_byte_xor_decrypt(ciphertext):
    """
    Decrypt a ciphertext that was encrypted with single-byte XOR.
    Returns the key, decrypted message, and score.
    """
    best_score = float('-inf')
    best_key = 0
    best_message = ""
    

    for key in range(256):

        result = bytes([b ^ key for b in ciphertext])

        try:
            message = result.decode('ascii', errors='replace')
            score = score_english_text(message)

            if score > best_score:
                best_score = score
                best_key = key
                best_message = message
        except:
            continue
    
    return best_key, best_message, best_score

def break_repeating_key_xor(ciphertext, key_sizes=3):
    """
    Break repeating-key XOR encryption (Vigenère cipher).
    
    Args:
        ciphertext: The encrypted bytes
        key_sizes: Number of best key sizes to try
    
    Returns:
        tuple: (key, plaintext)
    """

    potential_key_sizes = find_key_size(ciphertext)
    best_key = None
    best_plaintext = None
    best_score = float('-inf')
    
    for key_size, _ in potential_key_sizes[:key_sizes]:
        # Transpose blocks
        blocks = [[] for _ in range(key_size)]
        for i, byte in enumerate(ciphertext):
            blocks[i % key_size].append(byte)
        
        blocks = [bytes(block) for block in blocks]

        key = bytearray()
        for block in blocks:
            block_key, _, _ = single_byte_xor_decrypt(block)
            key.append(block_key)

        plaintext_bytes = bytearray()
        for i, byte in enumerate(ciphertext):
            plaintext_bytes.append(byte ^ key[i % len(key)])

        try:
            plaintext = plaintext_bytes.decode('ascii', errors='replace')
            score = score_english_text(plaintext)
            
            if score > best_score:
                best_score = score
                best_key = bytes(key)
                best_plaintext = plaintext
        except:
            continue
    
    return best_key, best_plaintext


with open('6.txt', 'r') as f:
        base64_content = f.read().strip()

ciphertext = base64.b64decode(base64_content)

key, plaintext = break_repeating_key_xor(ciphertext)

print(f"Found key: {key.decode('ascii', errors='replace')}")
print("\nDecrypted message:")
print(plaintext)

Found key: Terminator X: Bring the noise

Decrypted message:
I'm back and I'm ringin' the bell 
A rockin' on the mike while the fly girls yell 
In ecstasy in the back of me 
Well that's my DJ Deshay cuttin' all them Z's 
Hittin' hard and the girlies goin' crazy 
Vanilla's on the mike, man I'm not lazy. 

I'm lettin' my drug kick in 
It controls my mouth and I begin 
To just let it flow, let my concepts go 
My posse's to the side yellin', Go Vanilla Go! 

Smooth 'cause that's the way I will be 
And if you don't give a damn, then 
Why you starin' at me 
So get off 'cause I control the stage 
There's no dissin' allowed 
I'm in my own phase 
The girlies sa y they love me and that is ok 
And I can dance better than any kid n' play 

Stage 2 -- Yea the one ya' wanna listen to 
It's off my head so let the beat play through 
So I can funk it up and make it sound good 
1-2-3 Yo -- Knock on some wood 
For good luck, I like my rhymes atrocious 
Supercalafragilisticexpialidocious 
I'm an effect an

AES in ECB mode
The Base64-encoded content in this file has been encrypted via AES-128 in ECB mode under the key

"YELLOW SUBMARINE".
(case-sensitive, without the quotes; exactly 16 characters; I like "YELLOW SUBMARINE" because it's exactly 16 bytes long, and now you do too).

Decrypt it. You know the key, after all.

Easiest way: use OpenSSL::Cipher and give it AES-128-ECB as the cipher.

Do this with code.
You can obviously decrypt this using the OpenSSL command-line tool, but we're having you get ECB working in code for a reason. You'll need it a lot later on, and not just for attacking ECB.

In [37]:
import base64
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

def decrypt_aes_ecb(ciphertext, key):
    """
    Decrypt AES-128 in ECB mode.
    
    Args:
        ciphertext (bytes): The encrypted content
        key (bytes): The 16-byte key
        
    Returns:
        bytes: The decrypted plaintext
    """
    cipher = Cipher(
        algorithms.AES(key),
        modes.ECB(),  # ECB mode doesn't require an IV
        backend=default_backend()
    )
    decryptor = cipher.decryptor()
    plaintext = decryptor.update(ciphertext) + decryptor.finalize()
    
    # Remove PKCS#7 padding if present
    padding_value = plaintext[-1]
    if padding_value <= 16:
        # Check if the padding is valid
        if all(p == padding_value for p in plaintext[-padding_value:]):
            plaintext = plaintext[:-padding_value]
    
    return plaintext


with open('7.txt', 'r') as f:
        base64_content = f.read().strip()
    
ciphertext = base64.b64decode(base64_content)

key = b"YELLOW SUBMARINE"

plaintext = decrypt_aes_ecb(ciphertext, key)

print(plaintext.decode('utf-8'))

I'm back and I'm ringin' the bell 
A rockin' on the mike while the fly girls yell 
In ecstasy in the back of me 
Well that's my DJ Deshay cuttin' all them Z's 
Hittin' hard and the girlies goin' crazy 
Vanilla's on the mike, man I'm not lazy. 

I'm lettin' my drug kick in 
It controls my mouth and I begin 
To just let it flow, let my concepts go 
My posse's to the side yellin', Go Vanilla Go! 

Smooth 'cause that's the way I will be 
And if you don't give a damn, then 
Why you starin' at me 
So get off 'cause I control the stage 
There's no dissin' allowed 
I'm in my own phase 
The girlies sa y they love me and that is ok 
And I can dance better than any kid n' play 

Stage 2 -- Yea the one ya' wanna listen to 
It's off my head so let the beat play through 
So I can funk it up and make it sound good 
1-2-3 Yo -- Knock on some wood 
For good luck, I like my rhymes atrocious 
Supercalafragilisticexpialidocious 
I'm an effect and that you can bet 
I can take a fly girl and make her wet. 


Detect AES in ECB mode
In this file are a bunch of hex-encoded ciphertexts.
One of them has been encrypted with ECB.
Detect it.
Remember that the problem with ECB is that it is stateless and deterministic; the same 16 byte plaintext block will always produce the same 16 byte ciphertext.

In [40]:
def detect_ecb(ciphertext, block_size=16):
    """
    Detect if a ciphertext is likely encrypted with ECB mode.
    
    Args:
        ciphertext (bytes): The encrypted content
        block_size (int): The block size in bytes (16 for AES-128)
        
    Returns:
        float: A score indicating likelihood of ECB (higher means more likely)
    """
    # Split the ciphertext into blocks
    blocks = [ciphertext[i:i+block_size] for i in range(0, len(ciphertext), block_size)]
    
    # Count the number of repeated blocks
    unique_blocks = set(blocks)
    repeats = len(blocks) - len(unique_blocks)
    
    return repeats


with open('8.txt', 'r') as f:
        ciphertexts = [bytes.fromhex(line.strip()) for line in f]
    
# Check each ciphertext for ECB characteristics
results = []
for i, ciphertext in enumerate(ciphertexts):
    repeats = detect_ecb(ciphertext)
    results.append((i, repeats, ciphertext))

# Sort by number of repeats (higher is more likely ECB)
results.sort(key=lambda x: x[1], reverse=True)

# Print the top results
for i, repeats, ciphertext in results[:5]:
    print(f"Line {i}: {repeats} repeated blocks")
    if repeats > 0:
        print(f"Hex: {ciphertext.hex()[:64]}...")
        print()

# Print the most likely ECB-encoded ciphertext
if results[0][1] > 0:
    print(f"Most likely ECB-encoded is line {results[0][0]} with {results[0][1]} repeated blocks")


Line 132: 3 repeated blocks
Hex: d880619740a8a19b7840a8a31c810a3d08649af70dc06f4fd5d2d69c744cd283...

Line 0: 0 repeated blocks
Line 1: 0 repeated blocks
Line 2: 0 repeated blocks
Line 3: 0 repeated blocks
Most likely ECB-encoded is line 132 with 3 repeated blocks


Implement PKCS#7 padding
A block cipher transforms a fixed-sized block (usually 8 or 16 bytes) of plaintext into ciphertext. But we almost never want to transform a single block; we encrypt irregularly-sized messages.
One way we account for irregularly-sized messages is by padding, creating a plaintext that is an even multiple of the blocksize. The most popular padding scheme is called PKCS#7.
So: pad any block to a specific block length, by appending the number of bytes of padding to the end of the block. For instance,


"YELLOW SUBMARINE"
... padded to 20 bytes would be:


"YELLOW SUBMARINE\x04\x04\x04\x04"

In [42]:
def pkcs7_pad(data, block_size):
    """
    Apply PKCS#7 padding to the data.
    
    Args:
        data (bytes): The data to pad
        block_size (int): The block size to pad to
        
    Returns:
        bytes: The padded data
    """
    # Calculate how many bytes of padding are needed
    padding_length = block_size - (len(data) % block_size)
    
    # If the data is already a multiple of block_size, 
    # add a full block of padding
    if padding_length == 0:
        padding_length = block_size
    
    # Create the padding bytes
    padding = bytes([padding_length] * padding_length)
    
    # Return the data with padding appended
    return data + padding

def pkcs7_unpad(padded_data):
    """
    Remove PKCS#7 padding from the data.
    
    Args:
        padded_data (bytes): The padded data
        
    Returns:
        bytes: The unpadded data
    """
    # Get the padding length from the last byte
    padding_length = padded_data[-1]
    
    # Verify that the padding is valid
    if padding_length > len(padded_data):
        raise ValueError("Invalid padding: padding length larger than data size")
    
    # Check that all padding bytes have the correct value
    for i in range(1, padding_length + 1):
        if padded_data[-i] != padding_length:
            raise ValueError("Invalid padding: inconsistent padding bytes")
    
    # Return the data without padding
    return padded_data[:-padding_length]

data = b"YELLOW SUBMARINE"
padded = pkcs7_pad(data, 20)
print(f"Original: {data}")
print(f"Padded to 20 bytes: {padded}")
print(f"Hex representation: {padded.hex()}")

# Verify by unpacking the padding
unpadded = pkcs7_unpad(padded)
print(f"Unpadded: {unpadded}")
print(f"Matches original: {unpadded == data}")

# Example 2: Pad to standard AES block size of 16 bytes
data2 = b"HELLO"
padded2 = pkcs7_pad(data2, 16)
print(f"\nOriginal: {data2}")
print(f"Padded to 16 bytes: {padded2}")
print(f"Hex representation: {padded2.hex()}")

# Example 3: Data already a multiple of block size
data3 = b"SIXTEEN BYTES..."  # 16 bytes exactly
padded3 = pkcs7_pad(data3, 16)
print(f"\nOriginal (16 bytes): {data3}")
print(f"Padded to 16 bytes: {padded3}")
print(f"Hex representation: {padded3.hex()}")

Original: b'YELLOW SUBMARINE'
Padded to 20 bytes: b'YELLOW SUBMARINE\x04\x04\x04\x04'
Hex representation: 59454c4c4f57205355424d4152494e4504040404
Unpadded: b'YELLOW SUBMARINE'
Matches original: True

Original: b'HELLO'
Padded to 16 bytes: b'HELLO\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
Hex representation: 48454c4c4f0b0b0b0b0b0b0b0b0b0b0b

Original (16 bytes): b'SIXTEEN BYTES...'
Padded to 16 bytes: b'SIXTEEN BYTES...\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10'
Hex representation: 5349585445454e2042595445532e2e2e10101010101010101010101010101010


Implement CBC mode
CBC mode is a block cipher mode that allows us to encrypt irregularly-sized messages, despite the fact that a block cipher natively only transforms individual blocks.
In CBC mode, each ciphertext block is added to the next plaintext block before the next call to the cipher core.
The first plaintext block, which has no associated previous ciphertext block, is added to a "fake 0th ciphertext block" called the initialization vector, or IV.
Implement CBC mode by hand by taking the ECB function you wrote earlier, making it encrypt instead of decrypt (verify this by decrypting whatever you encrypt to test), and using your XOR function from the previous exercise to combine them.
The file here is intelligible (somewhat) when CBC decrypted against "YELLOW SUBMARINE" with an IV of all ASCII 0 (\x00\x00\x00 &c)
Don't cheat.
Do not use OpenSSL's CBC code to do CBC mode, even to verify your results. What's the point of even doing this stuff if you aren't going to learn from it?



In [44]:
import base64
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

def aes_ecb_encrypt(plaintext, key):
    """
    Encrypt a single block using AES in ECB mode.
    
    Args:
        plaintext (bytes): A single block to encrypt (must be 16 bytes)
        key (bytes): The AES key (16 bytes for AES-128)
    
    Returns:
        bytes: The encrypted block
    """
    cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
    encryptor = cipher.encryptor()
    return encryptor.update(plaintext) + encryptor.finalize()

def aes_ecb_decrypt(ciphertext, key):
    """
    Decrypt a single block using AES in ECB mode.
    
    Args:
        ciphertext (bytes): A single block to decrypt (must be 16 bytes)
        key (bytes): The AES key (16 bytes for AES-128)
    
    Returns:
        bytes: The decrypted block
    """
    cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
    decryptor = cipher.decryptor()
    return decryptor.update(ciphertext) + decryptor.finalize()

def xor_bytes(a, b):
    """
    XOR two byte strings.
    
    Args:
        a (bytes): First byte string
        b (bytes): Second byte string (same length as a)
    
    Returns:
        bytes: Result of XORing a and b
    """
    if len(a) != len(b):
        raise ValueError("Byte strings must be of equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def pkcs7_pad(data, block_size):
    """
    Apply PKCS#7 padding to the data.
    
    Args:
        data (bytes): The data to pad
        block_size (int): The block size to pad to
    
    Returns:
        bytes: The padded data
    """
    padding_length = block_size - (len(data) % block_size)
    if padding_length == 0:
        padding_length = block_size
    padding = bytes([padding_length] * padding_length)
    return data + padding

def pkcs7_unpad(padded_data):
    """
    Remove PKCS#7 padding from the data.
    
    Args:
        padded_data (bytes): The padded data
    
    Returns:
        bytes: The unpadded data
    """
    padding_length = padded_data[-1]
    if padding_length > len(padded_data):
        raise ValueError("Invalid padding: padding length larger than data size")
    
    for i in range(1, padding_length + 1):
        if padded_data[-i] != padding_length:
            raise ValueError("Invalid padding: inconsistent padding bytes")
    
    return padded_data[:-padding_length]

def aes_cbc_encrypt(plaintext, key, iv):
    """
    Encrypt data using AES in CBC mode.
    
    Args:
        plaintext (bytes): The data to encrypt
        key (bytes): The AES key (16 bytes for AES-128)
        iv (bytes): The initialization vector (16 bytes)
    
    Returns:
        bytes: The encrypted data
    """
    block_size = 16  # AES block size is 16 bytes
    
    # Pad the plaintext to a multiple of the block size
    padded_plaintext = pkcs7_pad(plaintext, block_size)
    
    # Split the plaintext into blocks
    blocks = [padded_plaintext[i:i+block_size] for i in range(0, len(padded_plaintext), block_size)]
    
    # Initialize the result with the IV (not included in actual ciphertext)
    previous_block = iv
    ciphertext = bytearray()
    
    # Process each block
    for block in blocks:
        # XOR the current plaintext block with the previous ciphertext block (or IV)
        xored_block = xor_bytes(block, previous_block)
        
        # Encrypt the XORed block using AES in ECB mode
        encrypted_block = aes_ecb_encrypt(xored_block, key)
        
        # Append the encrypted block to the ciphertext
        ciphertext.extend(encrypted_block)
        
        # Update previous_block for the next iteration
        previous_block = encrypted_block
    
    return bytes(ciphertext)

def aes_cbc_decrypt(ciphertext, key, iv):
    """
    Decrypt data using AES in CBC mode.
    
    Args:
        ciphertext (bytes): The data to decrypt
        key (bytes): The AES key (16 bytes for AES-128)
        iv (bytes): The initialization vector (16 bytes)
    
    Returns:
        bytes: The decrypted data
    """
    block_size = 16  # AES block size is 16 bytes
    
    # Make sure ciphertext length is a multiple of block size
    if len(ciphertext) % block_size != 0:
        raise ValueError("Ciphertext length must be a multiple of block size")
    
    # Split the ciphertext into blocks
    blocks = [ciphertext[i:i+block_size] for i in range(0, len(ciphertext), block_size)]
    
    # Initialize the result
    plaintext = bytearray()
    previous_block = iv
    
    # Process each block
    for block in blocks:
        # Decrypt the current ciphertext block using AES in ECB mode
        decrypted_block = aes_ecb_decrypt(block, key)
        
        # XOR the decrypted block with the previous ciphertext block (or IV)
        plaintext_block = xor_bytes(decrypted_block, previous_block)
        
        # Append the plaintext block to the result
        plaintext.extend(plaintext_block)
        
        # Update previous_block for the next iteration
        previous_block = block
    
    # Remove padding
    return pkcs7_unpad(plaintext)

def test_cbc_mode():
    """Test the CBC implementation with a known example."""
    key = b"YELLOW SUBMARINE"
    iv = bytes([0] * 16)  # All zeros IV
    
    # Test string
    test_data = b"This is a test of CBC mode. Does it work correctly?"
    
    # Encrypt the test data
    encrypted = aes_cbc_encrypt(test_data, key, iv)
    
    # Decrypt the encrypted data
    decrypted = aes_cbc_decrypt(encrypted, key, iv)
    
    # Verify that decryption recovers the original data
    assert decrypted == test_data, "Decryption failed to recover the original data"
    print("Test passed: CBC encryption and decryption are working correctly")
    
    return encrypted, decrypted

def decrypt_challenge_file():
    """Decrypt the challenge file using our CBC implementation."""
    # Read the base64-encoded content
    with open('10.txt', 'r') as f:
        base64_content = f.read().strip()
    
    # Decode from base64
    ciphertext = base64.b64decode(base64_content)
    
    # Key and IV as specified in the challenge
    key = b"YELLOW SUBMARINE"
    iv = bytes([0] * 16)  # All zeros IV
    
    # Decrypt the content
    plaintext = aes_cbc_decrypt(ciphertext, key, iv)
    
    # Print the decrypted content
    print("Decrypted content from the challenge file:")
    print(plaintext.decode('utf-8'))


encrypted, decrypted = test_cbc_mode()
print(f"Original: {decrypted}")
print(f"Encrypted (hex): {encrypted.hex()[:64]}...")

# Then decrypt the challenge file
print("\n" + "="*50 + "\n")
decrypt_challenge_file()

Test passed: CBC encryption and decryption are working correctly
Original: bytearray(b'This is a test of CBC mode. Does it work correctly?')
Encrypted (hex): f6d6bba9f488c9e2bda504273828112f6eb2190b0c338b1a79a8bce56cb749f7...


Decrypted content from the challenge file:
I'm back and I'm ringin' the bell 
A rockin' on the mike while the fly girls yell 
In ecstasy in the back of me 
Well that's my DJ Deshay cuttin' all them Z's 
Hittin' hard and the girlies goin' crazy 
Vanilla's on the mike, man I'm not lazy. 

I'm lettin' my drug kick in 
It controls my mouth and I begin 
To just let it flow, let my concepts go 
My posse's to the side yellin', Go Vanilla Go! 

Smooth 'cause that's the way I will be 
And if you don't give a damn, then 
Why you starin' at me 
So get off 'cause I control the stage 
There's no dissin' allowed 
I'm in my own phase 
The girlies sa y they love me and that is ok 
And I can dance better than any kid n' play 

Stage 2 -- Yea the one ya' wanna listen to 
It's off

Byte-at-a-time ECB decryption (Simple)
Copy your oracle function to a new function that encrypts buffers under ECB mode using a consistent but unknown key (for instance, assign a single random key, once, to a global variable).
Now take that same function and have it append to the plaintext, BEFORE ENCRYPTING, the following string:


```
Um9sbGluJyBpbiBteSA1LjAKV2l0aCBteSByYWctdG9wIGRvd24gc28gbXkg
aGFpciBjYW4gYmxvdwpUaGUgZ2lybGllcyBvbiBzdGFuZGJ5IHdhdmluZyBq
dXN0IHRvIHNheSBoaQpEaWQgeW91IHN0b3A/IE5vLCBJIGp1c3QgZHJvdmUg
YnkK
```
Spoiler alert.
Do not decode this string now. Don't do it.
Base64 decode the string before appending it. Do not base64 decode the string by hand; make your code do it. The point is that you don't know its contents.
What you have now is a function that produces:


AES-128-ECB(your-string || unknown-string, random-key)
It turns out: you can decrypt "unknown-string" with repeated calls to the oracle function!
Here's roughly how:
1. Feed identical bytes of your-string to the function 1 at a time --- start with 1 byte ("A"), then "AA", then "AAA" and so on. Discover the block size of the cipher. You know it, but do this step anyway.
2. Detect that the function is using ECB. You already know, but do this step anyways.
3. Knowing the block size, craft an input block that is exactly 1 byte short (for instance, if the block size is 8 bytes, make "AAAAAAA"). Think about what the oracle function is going to put in that last byte position.
4. Make a dictionary of every possible last byte by feeding different strings to the oracle; for instance, "AAAAAAAA", "AAAAAAAB", "AAAAAAAC", remembering the first block of each invocation.
5. Match the output of the one-byte-short input to one of the entries in your dictionary. You've now discovered the first byte of unknown-string.
6. Repeat for the next byte.
Congratulations.
This is the first challenge we've given you whose solution will break real crypto. Lots of people know that when you encrypt something in ECB mode, you can see penguins through it. Not so many of them can decrypt the contents of those ciphertexts, and now you can. If our experience is any guideline, this attack will get you code execution in security tests about once a year.

In [45]:
import os
import base64
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

# Global random key (unknown to the "attacker")
UNKNOWN_KEY = os.urandom(16)

# The unknown string to be appended (base64 encoded)
UNKNOWN_STRING_B64 = """
Um9sbGluJyBpbiBteSA1LjAKV2l0aCBteSByYWctdG9wIGRvd24gc28gbXkg
aGFpciBjYW4gYmxvdwpUaGUgZ2lybGllcyBvbiBzdGFuZGJ5IHdhdmluZyBq
dXN0IHRvIHNheSBoaQpEaWQgeW91IHN0b3A/IE5vLCBJIGp1c3QgZHJvdmUg
YnkK
""".replace("\n", "")

# Decode the unknown string
UNKNOWN_STRING = base64.b64decode(UNKNOWN_STRING_B64)

def pkcs7_pad(data, block_size):
    """Apply PKCS#7 padding to the data."""
    padding_length = block_size - (len(data) % block_size)
    if padding_length == 0:
        padding_length = block_size
    padding = bytes([padding_length] * padding_length)
    return data + padding

def aes_ecb_encrypt(plaintext, key):
    """Encrypt using AES in ECB mode."""
    # Pad the plaintext
    padded_plaintext = pkcs7_pad(plaintext, 16)
    
    # Create the cipher
    cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
    encryptor = cipher.encryptor()
    
    # Encrypt
    return encryptor.update(padded_plaintext) + encryptor.finalize()

def encryption_oracle(your_string):
    """
    Oracle function that encrypts:
    AES-128-ECB(your-string || unknown-string, random-key)
    """
    # Combine your string with the unknown string
    plaintext = your_string + UNKNOWN_STRING
    
    # Encrypt with the unknown key
    return aes_ecb_encrypt(plaintext, UNKNOWN_KEY)

def detect_block_size(oracle_function):
    """Detect the block size of the cipher."""
    # Start with an empty string
    initial_length = len(oracle_function(b""))
    
    # Add bytes until the length changes
    input_length = 1
    while True:
        input_bytes = b"A" * input_length
        output = oracle_function(input_bytes)
        
        if len(output) > initial_length:
            # The length has increased, so we've found a block boundary
            return len(output) - initial_length
        
        input_length += 1

def detect_ecb_mode(oracle_function, block_size):
    """Detect if the oracle function is using ECB mode."""
    # Create a payload with 3 identical blocks
    payload = b"A" * (block_size * 3)
    ciphertext = oracle_function(payload)
    
    # Extract blocks and check for duplicates
    blocks = [ciphertext[i:i+block_size] for i in range(0, len(ciphertext), block_size)]
    unique_blocks = set(blocks)
    
    # If there are duplicate blocks, it's likely ECB mode
    return len(blocks) > len(unique_blocks)

def byte_at_a_time_ecb_decryption(oracle_function):
    """Decrypt the unknown string using byte-at-a-time ECB decryption."""
    # Step 1: Determine the block size
    block_size = detect_block_size(oracle_function)
    print(f"Detected block size: {block_size}")
    
    # Step 2: Detect that the function is using ECB
    is_ecb = detect_ecb_mode(oracle_function, block_size)
    print(f"ECB mode detected: {is_ecb}")
    
    if not is_ecb:
        print("Not ECB mode, cannot proceed with this attack.")
        return None
    
    # Determine the length of the unknown string
    initial_length = len(oracle_function(b""))
    unknown_length = initial_length
    
    # Step 3-6: Decrypt the unknown string byte by byte
    decrypted = bytearray()
    
    # Continue until we've decrypted the entire unknown string
    while len(decrypted) < unknown_length:
        # Determine which block we're working on
        block_index = len(decrypted) // block_size
        
        # Craft an input that's one byte short of a full block
        padding_length = block_size - (len(decrypted) % block_size) - 1
        if padding_length < 0:
            padding_length += block_size
        
        padding = b"A" * padding_length
        
        # Get the target ciphertext block
        target_ciphertext = oracle_function(padding)
        target_block = target_ciphertext[block_index * block_size:(block_index + 1) * block_size]
        
        # Try all possible bytes for the last position
        found = False
        for byte_value in range(256):
            test_input = padding + decrypted + bytes([byte_value])
            test_ciphertext = oracle_function(test_input)
            test_block = test_ciphertext[block_index * block_size:(block_index + 1) * block_size]
            
            if test_block == target_block:
                decrypted.append(byte_value)
                found = True
                print(f"Decrypted byte {len(decrypted)}: {chr(byte_value)}")
                break
        
        if not found:
            print(f"Could not find byte {len(decrypted) + 1}. Stopping.")
            break
        
        # Check if we've reached the end (PKCS#7 padding)
        if decrypted[-1] == block_size and all(b == block_size for b in decrypted[-block_size:]):
            print("Detected padding, stopping decryption.")
            decrypted = decrypted[:-block_size]  # Remove padding
            break
    
    return bytes(decrypted)

def main():
    # Run the byte-at-a-time ECB decryption attack
    decrypted = byte_at_a_time_ecb_decryption(encryption_oracle)
    
    if decrypted:
        print("\nSuccessfully decrypted the unknown string:")
        print(decrypted.decode('utf-8'))


main()

Detected block size: 16
ECB mode detected: True
Decrypted byte 1: R
Decrypted byte 2: o
Decrypted byte 3: l
Decrypted byte 4: l
Decrypted byte 5: i
Decrypted byte 6: n
Decrypted byte 7: '
Decrypted byte 8:  
Decrypted byte 9: i
Decrypted byte 10: n
Decrypted byte 11:  
Decrypted byte 12: m
Decrypted byte 13: y
Decrypted byte 14:  
Decrypted byte 15: 5
Decrypted byte 16: .
Decrypted byte 17: 0
Decrypted byte 18: 

Decrypted byte 19: W
Decrypted byte 20: i
Decrypted byte 21: t
Decrypted byte 22: h
Decrypted byte 23:  
Decrypted byte 24: m
Decrypted byte 25: y
Decrypted byte 26:  
Decrypted byte 27: r
Decrypted byte 28: a
Decrypted byte 29: g
Decrypted byte 30: -
Decrypted byte 31: t
Decrypted byte 32: o
Decrypted byte 33: p
Decrypted byte 34:  
Decrypted byte 35: d
Decrypted byte 36: o
Decrypted byte 37: w
Decrypted byte 38: n
Decrypted byte 39:  
Decrypted byte 40: s
Decrypted byte 41: o
Decrypted byte 42:  
Decrypted byte 43: m
Decrypted byte 44: y
Decrypted byte 45:  
Decrypted byte 4

ECB cut-and-paste
Write a k=v parsing routine, as if for a structured cookie. The routine should take:

foo=bar&baz=qux&zap=zazzle
... and produce:

{
  foo: 'bar',
  baz: 'qux',
  zap: 'zazzle'
}
(you know, the object; I don't care if you convert it to JSON).

Now write a function that encodes a user profile in that format, given an email address. You should have something like:

profile_for("foo@bar.com")
... and it should produce:

{
  email: 'foo@bar.com',
  uid: 10,
  role: 'user'
}
... encoded as:

email=foo@bar.com&uid=10&role=user
Your "profile_for" function should not allow encoding metacharacters (& and =). Eat them, quote them, whatever you want to do, but don't let people set their email address to "foo@bar.com&role=admin".

Now, two more easy functions. Generate a random AES key, then:

Encrypt the encoded user profile under the key; "provide" that to the "attacker".
Decrypt the encoded user profile and parse it.
Using only the user input to profile_for() (as an oracle to generate "valid" ciphertexts) and the ciphertexts themselves, make a role=admin profile.

In [50]:
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

# Generate a random AES key (unknown to the "attacker")
SECRET_KEY = os.urandom(16)

def pkcs7_pad(data, block_size):
    """Apply PKCS#7 padding to the data."""
    padding_length = block_size - (len(data) % block_size)
    if padding_length == 0:
        padding_length = block_size
    padding = bytes([padding_length] * padding_length)
    return data + padding

def pkcs7_unpad(padded_data):
    """Remove PKCS#7 padding."""
    padding_length = padded_data[-1]
    if padding_length > len(padded_data):
        raise ValueError("Invalid padding: padding length larger than data size")
    
    for i in range(1, padding_length + 1):
        if padded_data[-i] != padding_length:
            raise ValueError("Invalid padding: inconsistent padding bytes")
    
    return padded_data[:-padding_length]

def aes_ecb_encrypt(plaintext, key):
    """Encrypt using AES in ECB mode."""
    padded_plaintext = pkcs7_pad(plaintext, 16)
    cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
    encryptor = cipher.encryptor()
    return encryptor.update(padded_plaintext) + encryptor.finalize()

def aes_ecb_decrypt(ciphertext, key):
    """Decrypt using AES in ECB mode."""
    cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
    decryptor = cipher.decryptor()
    padded_plaintext = decryptor.update(ciphertext) + decryptor.finalize()
    return pkcs7_unpad(padded_plaintext)

def parse_cookie(cookie_str):
    """Parse a cookie string into a dictionary."""
    result = {}
    for item in cookie_str.split('&'):
        if '=' in item:
            key, value = item.split('=', 1)
            result[key] = value
    return result

def profile_for(email):
    """
    Create a profile for the given email address.
    Sanitize input to prevent metacharacter injection.
    """
    # Remove metacharacters from email
    sanitized_email = email.replace('&', '').replace('=', '')
    
    # Create profile with fixed uid and role
    profile = {
        'email': sanitized_email,
        'uid': '10',
        'role': 'user'
    }
    
    # Encode as k=v format
    encoded = '&'.join(f"{k}={v}" for k, v in profile.items())
    return encoded

def encrypt_profile(email):
    """Encrypt a user profile for the given email."""
    profile_str = profile_for(email)
    return aes_ecb_encrypt(profile_str.encode(), SECRET_KEY)

def decrypt_profile(ciphertext):
    """Decrypt and parse a user profile."""
    plaintext = aes_ecb_decrypt(ciphertext, SECRET_KEY)
    profile_str = plaintext.decode()
    return parse_cookie(profile_str)

def perform_cut_and_paste_attack():
    """
    Perform an ECB cut-and-paste attack to create an admin profile.
    
    Strategy:
    1. Create a controlled block alignment by crafting special email addresses
    2. Get encrypted blocks containing "admin" (properly padded)
    3. Cut and paste blocks to create a valid admin profile
    """
    # Step 1: Determine the block size by analyzing encrypted profiles
    print("Determining block structure...")
    # The profile string is: "email=____&uid=10&role=user"
    # We need to align our blocks to manipulate the "role" value
    
    # First, let's find out how our blocks align with a simple email
    baseline_email = "x@example.com"
    baseline_ciphertext = encrypt_profile(baseline_email)
    print(f"Baseline ciphertext length: {len(baseline_ciphertext)}")
    
    # Step 2: Craft an email to get the "admin" value in a separate block
    # We want to create an email that will make "role=" end precisely at a block boundary
    # The profile will be: "email=____&uid=10&role="
    #                       |---- block 1 ----|---- block 2 ----|
    
    # Calculate the right padding to align blocks
    # The prefix is "email=" (6 chars)
    # We need to make (email=[our-crafted-email]&uid=10&role=) end at a block boundary
    # "email=XXXXXXXX&uid=10&role=" should be a multiple of 16 bytes
    
    # We'll try different email lengths to find the right alignment
    found_alignment = False
    for pad_length in range(16):
        test_email = "A" * pad_length + "@x.com"
        test_ciphertext = encrypt_profile(test_email)
        
        # Check if we can detect a change in the pattern
        blocks = [test_ciphertext[i:i+16] for i in range(0, len(test_ciphertext), 16)]
        print(f"Email length {len(test_email)}, blocks: {len(blocks)}")
        
        # For demonstration purposes, we'll choose a specific padding
        # In a real attack, you'd analyze these results to find the perfect alignment
        if pad_length == 10:  # This value may need adjustment based on analysis
            found_alignment = True
            aligned_email = test_email
            aligned_blocks = blocks
            break
    
    if not found_alignment:
        print("Failed to find alignment, adjust the code.")
        return None
    
    print(f"Found alignment with email: {aligned_email}")
    
    # Step 3: Create a block that contains "admin" with proper PKCS#7 padding
    # We want to craft an email that will put "admin" + padding in a separate block
    # A precise calculation would be better, but this demonstrates the approach
    admin_padding = 11  # 16 - len("admin")
    admin_block_email = "x@burn.net"  # Email doesn't matter, just length
    admin_block_profile = "email=" + admin_block_email + "&uid=10&role=admin" + chr(admin_padding) * admin_padding
    
    # Encrypt the admin profile to get the block with "admin"
    admin_ciphertext = aes_ecb_encrypt(admin_block_profile.encode(), SECRET_KEY)
    admin_block = admin_ciphertext[32:48]  # This block index may need adjustment
    
    # Step 4: Create the final crafted ciphertext
    # We'll take the first parts of our aligned ciphertext and append the admin block
    crafted_ciphertext = aligned_blocks[0] + aligned_blocks[1] + admin_block
    
    # Step 5: Decrypt and verify our crafted ciphertext
    try:
        result = decrypt_profile(crafted_ciphertext)
        print("\nSuccessfully created admin profile!")
        print(f"Decrypted profile: {result}")
        return result
    except Exception as e:
        print(f"Attack failed: {e}")
        return None

def main():
    # Demonstration of the provided functions
    print("--- Original Functions ---")
    email = "user@example.com"
    profile_string = profile_for(email)
    print(f"Profile for {email}: {profile_string}")
    
    # Attempt to inject admin role
    malicious_email = "evil@example.com&role=admin"
    safe_profile = profile_for(malicious_email)
    print(f"Sanitized profile: {safe_profile}")
    
    # Encrypt and decrypt a normal profile
    encrypted = encrypt_profile(email)
    decrypted = decrypt_profile(encrypted)
    print(f"Encrypted and decrypted: {decrypted}")
    
    print("\n--- Cut-and-Paste Attack ---")
    admin_profile = perform_cut_and_paste_attack()


main()

--- Original Functions ---
Profile for user@example.com: email=user@example.com&uid=10&role=user
Sanitized profile: email=evil@example.comroleadmin&uid=10&role=user
Encrypted and decrypted: {'email': 'user@example.com', 'uid': '10', 'role': 'user'}

--- Cut-and-Paste Attack ---
Determining block structure...
Baseline ciphertext length: 48
Email length 6, blocks: 2
Email length 7, blocks: 2
Email length 8, blocks: 2
Email length 9, blocks: 3
Email length 10, blocks: 3
Email length 11, blocks: 3
Email length 12, blocks: 3
Email length 13, blocks: 3
Email length 14, blocks: 3
Email length 15, blocks: 3
Email length 16, blocks: 3
Found alignment with email: AAAAAAAAAA@x.com

Successfully created admin profile!
Decrypted profile: {'email': 'AAAAAAAAAA@x.com', 'uid': '10'}


Byte-at-a-time ECB decryption (Harder)
Take your oracle function from #12. Now generate a random count of random bytes and prepend this string to every plaintext. You are now doing:

AES-128-ECB(random-prefix || attacker-controlled || target-bytes, random-key)
Same goal: decrypt the target-bytes.

Stop and think for a second.
What's harder than challenge #12 about doing this? How would you overcome that obstacle? The hint is: you're using all the tools you already have; no crazy math is required.

Think "STIMULUS" and "RESPONSE".

In [51]:
import os
import base64
import random
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

# Global random key (unknown to the "attacker")
UNKNOWN_KEY = os.urandom(16)

# Generate a random prefix (1-20 bytes)
RANDOM_PREFIX = os.urandom(random.randint(1, 20))
print(f"[DEBUG] Random prefix length: {len(RANDOM_PREFIX)} bytes")

# The unknown string to be appended (base64 encoded)
UNKNOWN_STRING_B64 = """
Um9sbGluJyBpbiBteSA1LjAKV2l0aCBteSByYWctdG9wIGRvd24gc28gbXkg
aGFpciBjYW4gYmxvdwpUaGUgZ2lybGllcyBvbiBzdGFuZGJ5IHdhdmluZyBq
dXN0IHRvIHNheSBoaQpEaWQgeW91IHN0b3A/IE5vLCBJIGp1c3QgZHJvdmUg
YnkK
""".replace("\n", "")

# Decode the unknown string
UNKNOWN_STRING = base64.b64decode(UNKNOWN_STRING_B64)

def pkcs7_pad(data, block_size):
    """Apply PKCS#7 padding to the data."""
    padding_length = block_size - (len(data) % block_size)
    if padding_length == 0:
        padding_length = block_size
    padding = bytes([padding_length] * padding_length)
    return data + padding

def aes_ecb_encrypt(plaintext, key):
    """Encrypt using AES in ECB mode."""
    # Pad the plaintext
    padded_plaintext = pkcs7_pad(plaintext, 16)
    
    # Create the cipher
    cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
    encryptor = cipher.encryptor()
    
    # Encrypt
    return encryptor.update(padded_plaintext) + encryptor.finalize()

def encryption_oracle(attacker_controlled):
    """
    Oracle function that encrypts:
    AES-128-ECB(random-prefix || attacker-controlled || target-bytes, random-key)
    """
    # Combine the components
    plaintext = RANDOM_PREFIX + attacker_controlled + UNKNOWN_STRING
    
    # Encrypt with the unknown key
    return aes_ecb_encrypt(plaintext, UNKNOWN_KEY)

def detect_block_size(oracle_function):
    """Detect the block size of the cipher."""
    # Start with an empty string
    initial_length = len(oracle_function(b""))
    
    # Add bytes until the length changes
    input_length = 1
    while True:
        input_bytes = b"A" * input_length
        output = oracle_function(input_bytes)
        
        if len(output) > initial_length:
            # The length has increased, so we've found a block boundary
            return len(output) - initial_length
        
        input_length += 1
        if input_length > 100:  # Safety check
            raise ValueError("Block size detection failed")

def find_prefix_details(oracle_function, block_size):
    """
    Find details about the random prefix:
    1. Which block the prefix ends in
    2. How many bytes are needed to complete that block
    """
    # Strategy: We'll find where two identical input blocks produce
    # identical output blocks, which tells us we've aligned to block boundaries
    
    # First, let's detect when we get identical blocks in the output
    for prefix_pad in range(block_size):
        # Create a payload with two identical blocks
        test_input = b"A" * prefix_pad + b"B" * (block_size * 2)
        ciphertext = oracle_function(test_input)
        
        # Split the ciphertext into blocks
        blocks = [ciphertext[i:i+block_size] for i in range(0, len(ciphertext), block_size)]
        
        # Look for two identical consecutive blocks
        for i in range(len(blocks) - 1):
            if blocks[i] == blocks[i+1]:
                # We've found two identical consecutive blocks
                # The prefix ends in block i, and we added prefix_pad bytes to align
                return i, prefix_pad
    
    raise ValueError("Could not determine prefix details")

def byte_at_a_time_ecb_decryption(oracle_function):
    """Decrypt the unknown string using byte-at-a-time ECB decryption."""
    # Step 1: Determine the block size
    block_size = detect_block_size(oracle_function)
    print(f"Detected block size: {block_size}")
    
    # Step 2: Find details about the random prefix
    prefix_block, prefix_pad = find_prefix_details(oracle_function, block_size)
    print(f"Prefix ends in block {prefix_block}, needs {prefix_pad} bytes to align")
    
    # Calculate where our controlled input starts in the ciphertext
    prefix_length = (prefix_block * block_size) + (block_size - prefix_pad)
    print(f"Estimated prefix length: {prefix_length}")
    
    # Step 3: Decrypt the unknown string byte by byte
    decrypted = bytearray()
    
    # Create an alignment padding to make our attack blocks align with blocks
    alignment_padding = b"A" * prefix_pad
    
    # Determine the length of the unknown string (approximately)
    base_output = oracle_function(alignment_padding)
    total_length = len(base_output)
    unknown_blocks = (total_length - prefix_length) // block_size
    
    # Calculate the maximum possible length of the unknown string
    max_unknown_length = unknown_blocks * block_size
    
    # Continue until we've decrypted the entire unknown string or hit padding
    while len(decrypted) < max_unknown_length:
        # Determine which block we're working on
        current_block = (len(decrypted) // block_size) + prefix_block + 1
        position_in_block = len(decrypted) % block_size
        
        # Craft an input that's one byte short of a full block
        # We need: alignment + filler + what we've already decrypted + unknown byte
        filler_length = block_size - 1 - position_in_block
        filler = b"B" * filler_length
        
        # This input will make the unknown byte the last byte of a block
        crafted_input = alignment_padding + filler
        
        # Get the target ciphertext block
        target_ciphertext = oracle_function(crafted_input)
        target_block = target_ciphertext[current_block * block_size:(current_block + 1) * block_size]
        
        # Try all possible bytes for the last position
        found = False
        for byte_value in range(256):
            # Create input where we control all but the last byte of the target block
            test_input = alignment_padding + filler + decrypted + bytes([byte_value])
            test_ciphertext = oracle_function(test_input)
            test_block = test_ciphertext[current_block * block_size:(current_block + 1) * block_size]
            
            if test_block == target_block:
                decrypted.append(byte_value)
                found = True
                # Print the decrypted byte as a character
                print(f"Decrypted byte {len(decrypted)}: '{chr(byte_value)}'")
                break
        
        if not found:
            print(f"Could not find byte {len(decrypted) + 1}. Possible end of plaintext or padding.")
            break
        
        # Check if we've reached the end (PKCS#7 padding)
        if len(decrypted) > 0 and decrypted[-1] <= block_size:
            # Check if we might have padding
            potential_padding = decrypted[-1]
            if (len(decrypted) >= potential_padding and 
                all(b == potential_padding for b in decrypted[-potential_padding:])):
                print("Detected possible padding, stopping decryption.")
                decrypted = decrypted[:-potential_padding]  # Remove padding
                break
    
    return bytes(decrypted)

def main():
    print("Starting byte-at-a-time ECB decryption (harder version)")
    print(f"Random prefix length: {len(RANDOM_PREFIX)} bytes")
    
    # Run the byte-at-a-time ECB decryption attack
    decrypted = byte_at_a_time_ecb_decryption(encryption_oracle)
    
    if decrypted:
        print("\nSuccessfully decrypted the unknown string:")
        print(decrypted.decode('utf-8'))


main()

[DEBUG] Random prefix length: 10 bytes
Starting byte-at-a-time ECB decryption (harder version)
Random prefix length: 10 bytes
Detected block size: 16
Prefix ends in block 1, needs 6 bytes to align
Estimated prefix length: 26
Could not find byte 1. Possible end of plaintext or padding.
