second commit - trying to run gdb_flip_withcheck.py successfully

Author: aditi-gupta

Diff for: .~lock.results_mbedtls.csv#

@@ -0,0 +1 @@
+,user,ubuntu,26.07.2018 09:53,file:///home/user/.config/libreoffice/4;

Diff for: example.txt.sig

@@ -1,16 +1,16 @@
-56 AD 3C 1B BD 9D 25 F0 E3 E0 97 B4 10 B6 C5 DE
-47 5E 42 13 3D 1D 8B 8E D0 63 F8 F2 39 6F FC 7D
-55 F5 F5 79 69 E9 B2 B0 A9 DB 17 22 D9 67 51 46
-47 52 A8 FD 33 D2 E2 A0 80 21 B2 A5 5D 01 90 FE
-25 F9 E7 61 D2 40 66 3C 6B 9D ED D0 28 30 EE FF
-2E A8 4B 3F 08 44 99 0B C2 5D 52 BA B0 75 56 2A
-22 9D C8 EB E6 E0 89 89 78 3C 3B 0F 70 4B 82 86
-E5 76 72 1B 47 88 27 10 09 E3 19 83 22 96 20 BB
-09 0D 0A 05 1D 2E 85 BC 8E BE A3 4F C5 8C 2A 1F
-F8 FA C7 4F 42 67 A9 98 81 6A 09 8C 3C 68 22 1D
-4D BD 6E 01 39 BB AD E7 14 3E 8A 00 E6 F9 F0 78
-83 EF F8 0F 0D 7B 49 5D 7B B7 3E 98 B9 6F D3 22
-FA 63 52 EA E0 45 13 42 A6 0C 9E 04 9E E9 40 59
-2D C4 4E BC AC 2C F3 3A A8 94 DF 23 64 56 41 B2
-62 16 79 56 E7 B1 1E 77 2A D6 E2 7F AD 2F C2 CE
-D8 36 4A 00 38 97 B1 F7 89 4B 89 A5 F6 D0 0A F1
+44 CD 34 72 12 4E E5 AF 9A 1E 64 7A 23 0F 60 91
+2F 69 3D 79 4C 02 3D 65 3C 43 4A 12 1A 98 EB D6
+C9 35 04 56 4C 7C E8 AB EE A9 28 11 5B 43 E2 28
+A9 0C 70 94 A5 CA 21 96 15 9C 69 53 B3 A6 9A 4A
+0D 13 3E 55 34 25 C8 9B BF 4D 99 DF 83 4C 42 F2
+4A 66 72 B1 3F A9 19 74 27 EB B6 3C 33 35 4E 06
+71 CE B4 F5 DD 18 C4 0E AC 6B 6D C5 C6 C8 CD 63
+B3 59 F7 17 08 56 D0 28 2A 62 40 A3 4F B3 A1 C4
+73 58 A9 7E 58 F1 86 F1 B2 4B C1 04 80 B1 1F 18
+35 D1 2D E1 07 60 53 94 CB 95 15 C9 56 01 FB 2A
+93 9D 98 F0 1C 14 87 CA 74 C3 CA 66 89 46 18 F0
+54 05 05 5F C4 D9 42 98 5D 64 DC 83 05 58 BD A3
+7E 2D BA F9 38 FA AF 6E 15 F5 18 A0 A8 12 DA 13
+56 D7 1A CF BA 5B 2E 77 E8 72 93 1B F7 8E EC 54
+FE 96 21 35 7F 72 83 0C BD EB 33 E3 F1 38 55 DE
+C0 61 D6 14 67 66 40 6B 09 0B BA A9 13 4A 79 85

Diff for: example.txt_real.sig

@@ -0,0 +1,16 @@
+44 CD 34 72 12 4E E5 AF 9A 1E 64 7A 23 0F 60 91
+2F 69 3D 79 4C 02 3D 65 3C 43 4A 12 1A 98 EB D6
+C9 35 04 56 4C 7C E8 AB EE A9 28 11 5B 43 E2 28
+A9 0C 70 94 A5 CA 21 96 15 9C 69 53 B3 A6 9A 4A
+0D 13 3E 55 34 25 C8 9B BF 4D 99 DF 83 4C 42 F2
+4A 66 72 B1 3F A9 19 74 27 EB B6 3C 33 35 4E 06
+71 CE B4 F5 DD 18 C4 0E AC 6B 6D C5 C6 C8 CD 63
+B3 59 F7 17 08 56 D0 28 2A 62 40 A3 4F B3 A1 C4
+73 58 A9 7E 58 F1 86 F1 B2 4B C1 04 80 B1 1F 18
+35 D1 2D E1 07 60 53 94 CB 95 15 C9 56 01 FB 2A
+93 9D 98 F0 1C 14 87 CA 74 C3 CA 66 89 46 18 F0
+54 05 05 5F C4 D9 42 98 5D 64 DC 83 05 58 BD A3
+7E 2D BA F9 38 FA AF 6E 15 F5 18 A0 A8 12 DA 13
+56 D7 1A CF BA 5B 2E 77 E8 72 93 1B F7 8E EC 54
+FE 96 21 35 7F 72 83 0C BD EB 33 E3 F1 38 55 DE
+C0 61 D6 14 67 66 40 6B 09 0B BA A9 13 4A 79 85

Diff for: factor_signature.py

@@ -0,0 +1,12 @@
+e = int("010001", 16)
+s = int("7BAFF51CA54182F5A70181B0EC1F8603C1A39324D5A2CB49422886AE1FFDB49E009AF19ABD7D772E199BEC3046690494134B75E1201E6856D99887DCA32DBB403CF99553678D458748AA43C90A387AD3FF767F7314BF05FC1880347072706809BF3BCBDB59EA54032E5485869E7063B3EFDA8C5A6D19D1A5B3B279F2E70AF90B4C2FE485856639273539EEE50B6232EFC9D75903884F315FC377D842F948088F7E259F36BD4FECD1EB770D8FB24CE66E945E57DDE29E3EF1FB327C675940BCEE04A70D18BDC74BDE31CC32894280E2722A19B7D5FE15474E9ED5DCD51C264C7F8FA13A5372698752AB0658D857181435B430D58746FA64BE492E8D3D7D9F33A2", 16) #you get this when you replace *0x6df4e0 with 0x8
+m = int("3031300d0609608648016503040201050004207e6bb673f061cfd23cba009e648143fb07ac77dcd1681f6a9af9d5fe7c0f7f4b", 16)
+n = int("AE1EC41FDD978C18CB43F9587F9B85DF804603100611497DCB445D157E44E717C78D53FAC3644DEA302645F6CFF852A785C3DAEA525BE01A4B1960D6512D97C677436ED17D03A55DDD8E41D737456C2B1512D533806EB048C5570269CBDFABB5E335821CE69C892A825A3896FC46990A8F6FECC759DAD9D6FD76BBF55BAA34B0789CACE898B6CC8CDBB50A0BFE7073A31DAF0B67845F76B71D42942B03FC02D6D68789C6CEF502C39AA0FB392E5E84BD1581E7295BDF6C45463FEA20A5220413381B82A72F95B1BB29AC6E833B70EB5B9F9D43B4D56A94ECBD02C1CBC8C8EED903485BD2A379A8B81B8FE20216EE6019A5F19656A483CCD9C23EB3B17678050B", 16)
+p = int("F5D2772FA3DA0B5AB6A0DEE2897983D6EB0EB9B63A94860EAD14271669C2DDEB089569971093DBBDC46C7E230709FE1BE1967051FB6113F4D836CF792AE3893E487851C500F022E942E2C91FF5BC391E5401F2C41CFE9744AA76048578CC1FEB59B0B705834EE672CE7AE53B06D78831A3701BB58A0746C3B492D8B7DCDDB133", 16)
+q = int("B5544FFA117E94D9CA58FF9DB5CBA8E498D4B8192CA578C2D4E1D8828B0329EDE2CA737BBBB3AC25DD11DF04EBE1971D25B0AC3C73D26018A3C52381A520EACEF826ACBA73EBB5EA3569872FEBEC53C6B188FA6DD3B8343C22652C4A5CF2FC34EBCEA888037DBEDA22C55076A15AE1A8827F620AA64A775021851B0BF2808CC9", 16)
+
+# print (s%n)
+print ((pow(s, e)-m)%q)
+# print (s%q)
+# print n%p
+# print (n%q)

Diff for: gdb_flip.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+address=$1
+
+gdb -batch programs/pkey/rsa_sign \
+	-ex 'set args "example.txt"' \
+	-ex 'set logging on' \
+	-ex 'break main' \
+	-ex 'break *0x40d27b' \
+	-ex 'break *0x40d30d' \
+	-ex 'run' \
+	-ex 'set *'$address' ^= 0x1' \
+	-ex 'set *0x40b7f4 ^= 0x1' \
+	-ex 'set *0x40d4f6 ^= 0x10' \
+	-ex 'c' \
+	-ex 'x /64x 0x6f08a0' \
+	-ex 'c' \
+	-ex 'x /32x 0x6f0280' \
+	-ex 'x /32x 0x6f0310' \
+	-ex 'c'

Diff for: gdb_flip_python.py

@@ -0,0 +1,33 @@
+import csv
+import mbedtls_utils2 as mu
+import os
+import subprocess
+
+all_data = []
+
+e = int("010001", 16)
+n = int("AE1EC41FDD978C18CB43F9587F9B85DF804603100611497DCB445D157E44E717C78D53FAC3644DEA302645F6CFF852A785C3DAEA525BE01A4B1960D6512D97C677436ED17D03A55DDD8E41D737456C2B1512D533806EB048C5570269CBDFABB5E335821CE69C892A825A3896FC46990A8F6FECC759DAD9D6FD76BBF55BAA34B0789CACE898B6CC8CDBB50A0BFE7073A31DAF0B67845F76B71D42942B03FC02D6D68789C6CEF502C39AA0FB392E5E84BD1581E7295BDF6C45463FEA20A5220413381B82A72F95B1BB29AC6E833B70EB5B9F9D43B4D56A94ECBD02C1CBC8C8EED903485BD2A379A8B81B8FE20216EE6019A5F19656A483CCD9C23EB3B17678050B", 16)
+m = int("0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003031300d0609608648016503040201050004207e6bb673f061cfd23cba009e648143fb07ac77dcd1681f6a9af9d5fe7c0f7f4b", 16)
+sigfile = "example.txt.sig"
+
+for i in range(0x40d27b, 0x40d4b1):
+	subprocess.call(["./gdb_flip.sh", str(i)])
+	i_data = {}
+	i_data['Memory Address'] = hex(i)
+	s = mu.read_sig_file(sigfile)
+	if not(s == "failed"):
+		pkeys = mu.solve_private_keys(e, s, m, n)
+		i_data['Private Keys'] = pkeys
+		os.remove(sigfile)
+		# try to decrypt some message so you know whether the private keys are correct
+	else:
+		i_data['Private Keys'] = "failed"
+
+	all_data.append(i_data)
+
+# print all_data
+fields = ['Memory Address', 'Private Keys']
+with open('results_mbedtls.csv', 'wb') as f:
+    writer = csv.DictWriter(f, fieldnames = fields)
+    writer.writeheader()
+    writer.writerows(all_data)

Diff for: gdb_flip_readkeys.py

@@ -0,0 +1,38 @@
+import csv
+import mbedtls_utils2 as mu
+import os
+import subprocess
+
+all_data = []
+
+m = int("0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003031300d0609608648016503040201050004207e6bb673f061cfd23cba009e648143fb07ac77dcd1681f6a9af9d5fe7c0f7f4b", 16)
+sigfile = "example.txt.sig"
+keyfile = "rsa_pub.txt"
+n = (mu.read_pub_keys(keyfile))[0]
+e = (mu.read_pub_keys(keyfile))[1]
+
+encrypted = mu.read_file("result-enc.txt")
+correct_decrypted = int("00029c1067d5eb8e0a306c926cef12043e1d0ed40b137488772c42f35a798c557f086a93b3f90324b2d8c4c0727e3cc6645c550786b1c271a9b03a63c387753a2e5627bf220b184045ee9a14c34ce342215b3d2550a567830c3ffbe008a61b4583d1d8c14f8c88816c6911675ca73da5691a0f46c5561f7632bc338da3f759563dc640a2113fb6e07147a54f2aefc795f3e3a37eb72693c716ad5b1ac0937b08b11d8aad78c7bf24ec03e927d7c43f3bb116870cfc3eb7612c02c437eba0c0ae5b6cccc76ee88ac9a0c11b71ff2ca932e48c25877fbeb37b46ab8b7b6935786dbeb1f9efc022425a95a2b973e861482c896e006b65795f636865636b2e747874", 16)
+
+for i in range(0x40d27b, 0x40d4b1):
+	subprocess.call(["./gdb_flip.sh", str(i)])
+	i_data = {}
+	i_data['Memory Address'] = hex(i)
+	s = mu.read_file(sigfile)
+	if not(s == "failed"):
+		pkeys = mu.solve_private_keys(e, s, m, n)
+		i_data['Private Keys'] = pkeys
+		os.remove(sigfile)
+		# try to decrypt some message so you know whether the private keys are correct
+		decrypted = mu.decrypt(pkeys[0], pkeys[1], e, n, encrypted)
+		i_data['Correct?'] = mu.check_private_keys(correct_decrypted, decrypted)
+	else:
+		i_data['Private Keys'] = "failed"
+
+	all_data.append(i_data)
+
+fields = ['Memory Address', 'Private Keys', 'Correct?']
+with open('results_mbedtls_2.csv', 'wb') as f:
+    writer = csv.DictWriter(f, fieldnames = fields)
+    writer.writeheader()
+    writer.writerows(all_data)

Diff for: gdb_flip_withcheck.py

@@ -0,0 +1,46 @@
+# before running this, you need to run chmod a+x gdb_readencrypted.sh and chmod a+x gdb_flip.sh
+
+import csv
+import mbedtls_utils2 as mu
+import os
+import subprocess
+
+all_data = []
+
+sigfile = "example.txt.sig"
+keyfile = "rsa_pub.txt"
+n = (mu.read_pub_keys(keyfile))[0]
+e = (mu.read_pub_keys(keyfile))[1]
+
+subprocess.call("./gdb_readencrypted.sh")
+encrypted = mu.read_file("result-enc.txt")
+correct_decrypted = mu.read_memory(0x6ea2b0, 0x6ea3b0)
+os.remove("gdb.txt")
+
+for i in range (0x40d27b, 0x40d41b): # (0x40d2a7, 0x40d2a8): 
+	subprocess.call(["./gdb_flip.sh", str(i)])
+	m = mu.read_memory(0x6f08a0, 0x6f09a0)
+	i_data = {}
+	i_data['Memory Address'] = hex(i)
+	s = mu.read_file(sigfile)
+	if not(s == "failed"):
+		partials = mu.get_partial_sigs()
+		i_data['Partial Signatures'] = partials
+		os.remove("gdb.txt")
+		pkeys = mu.solve_private_keys(e, s, m, n)
+		i_data['Private Keys'] = pkeys
+		os.remove(sigfile)
+		decrypted = mu.decrypt(pkeys, e, n, encrypted)
+		i_data['Correct?'] = mu.check_private_keys(correct_decrypted, decrypted)
+	else:
+		i_data['Private Keys'] = "failed"
+
+	all_data.append(i_data)
+
+print all_data
+
+fields = ['Memory Address', 'Partial Signatures', 'Private Keys', 'Correct?']
+with open('results_mbedtls_checked.csv', 'wb') as f:
+    writer = csv.DictWriter(f, fieldnames = fields)
+    writer.writeheader()
+    writer.writerows(all_data)

Diff for: gdb_readencrypted.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+gdb -batch programs/pkey/rsa_encrypt \
+	-ex 'set args "key_check.txt"' \
+	-ex 'set logging on' \
+	-ex 'break *0x40ada7' \
+	-ex 'run' \
+	-ex 'x /64x 0x6ea2b0' \
+	-ex 'c'

Diff for: gdb_solve.py

@@ -0,0 +1,15 @@
+from fractions import gcd
+import binascii
+
+def solve_private_keys(e, s, m, n):
+	p = gcd(pow(s, e)-m,n)
+	q = n//p
+	private_keys = [hex(p), hex(q)]
+	return private_keys
+
+e = int("010001", 16)
+# s = int("7BAFF51CA54182F5A70181B0EC1F8603C1A39324D5A2CB49422886AE1FFDB49E009AF19ABD7D772E199BEC3046690494134B75E1201E6856D99887DCA32DBB403CF99553678D458748AA43C90A387AD3FF767F7314BF05FC1880347072706809BF3BCBDB59EA54032E5485869E7063B3EFDA8C5A6D19D1A5B3B279F2E70AF90B4C2FE485856639273539EEE50B6232EFC9D75903884F315FC377D842F948088F7E259F36BD4FECD1EB770D8FB24CE66E945E57DDE29E3EF1FB327C675940BCEE04A70D18BDC74BDE31CC32894280E2722A19B7D5FE15474E9ED5DCD51C264C7F8FA13A5372698752AB0658D857181435B430D58746FA64BE492E8D3D7D9F33A2", 16) #you get this when you replace *0x6df4e0 with 0x8
+m = int("0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003031300d0609608648016503040201050004207e6bb673f061cfd23cba009e648143fb07ac77dcd1681f6a9af9d5fe7c0f7f4b", 16)
+n = int("AE1EC41FDD978C18CB43F9587F9B85DF804603100611497DCB445D157E44E717C78D53FAC3644DEA302645F6CFF852A785C3DAEA525BE01A4B1960D6512D97C677436ED17D03A55DDD8E41D737456C2B1512D533806EB048C5570269CBDFABB5E335821CE69C892A825A3896FC46990A8F6FECC759DAD9D6FD76BBF55BAA34B0789CACE898B6CC8CDBB50A0BFE7073A31DAF0B67845F76B71D42942B03FC02D6D68789C6CEF502C39AA0FB392E5E84BD1581E7295BDF6C45463FEA20A5220413381B82A72F95B1BB29AC6E833B70EB5B9F9D43B4D56A94ECBD02C1CBC8C8EED903485BD2A379A8B81B8FE20216EE6019A5F19656A483CCD9C23EB3B17678050B", 16)
+s = 6048232529457686177969401376962400063488041459930742448126231921318453589145846339827069795957707377356412190497632836672816328283714718415294819576013619263879841352328010372912925465209907456953989483858757672210769816523246879164723239381245653557154552120163093908794122262583131028503001069686925962426349725592661789866623160094320357088289341235485105905669688756982242410093060179910400723331349348672915725053901326111357414683377518577468409852678785581993823179469415205155815051079056437992185567931628547889050213840949568660812720371721600684362005874949231746113990353404990088831774533787440546993474
+print solve_private_keys(e, s, m, n)

Diff for: gdb_solve_tq.py

@@ -0,0 +1,15 @@
+from fractions import gcd
+import binascii
+
+def solve_private_keys(e, s, m, n):
+	p = gcd(pow(s, e)-m,n)
+	q = n//p
+	private_keys = [p, q]
+	return private_keys
+
+e = int("010001", 16)
+s = int("0C30066CB66F445BBA940D4A3A5B835081753177408B1A2F02CDE96349783EADEA0FB3C0B0F8F8B6B9BB50303690F6AC07EC34FDA5CB6D0095D4A13B38BBF3947194195764271ED1670C3395A550AB41D471A3BDC3219A4805A145BA524E6146FA266E53D4075AC6892357ACD9F96AC1A7851B162423BADE11D7F2B7AA78E93AEED58D2A97E68B7C6B329A3D40256DA86220057FBA09CBCD9357396B855F420CD1560DACEF0FAFD8B383EAFE9B204BF65FA7E55E872D7AE0AD4FD347D8CDA57BF69AEA5B5ABC6654A21C005591A765E1CE5D8C60DA21C5836497C231B25D49393ACB1169DB0E4A3FDE50FD328A88757B4C15F7AC9B3DE9B55D03D797166A81C2", 16) #you get this when you replace *0x6df4e0 with 0x8
+m = int("3031300d0609608648016503040201050004207e6bb673f061cfd23cba009e648143fb07ac77dcd1681f6a9af9d5fe7c0f7f4b", 16)
+n = int("AE1EC41FDD978C18CB43F9587F9B85DF804603100611497DCB445D157E44E717C78D53FAC3644DEA302645F6CFF852A785C3DAEA525BE01A4B1960D6512D97C677436ED17D03A55DDD8E41D737456C2B1512D533806EB048C5570269CBDFABB5E335821CE69C892A825A3896FC46990A8F6FECC759DAD9D6FD76BBF55BAA34B0789CACE898B6CC8CDBB50A0BFE7073A31DAF0B67845F76B71D42942B03FC02D6D68789C6CEF502C39AA0FB392E5E84BD1581E7295BDF6C45463FEA20A5220413381B82A72F95B1BB29AC6E833B70EB5B9F9D43B4D56A94ECBD02C1CBC8C8EED903485BD2A379A8B81B8FE20216EE6019A5F19656A483CCD9C23EB3B17678050B", 16)
+
+print solve_private_keys(e, s, m, n)

Diff for: glitching_skip.c

@@ -0,0 +1,26 @@
+#include <stdio.h>
+
+int mbedtls_mpi_cmp_mpi( int X, int Y )
+{
+    if(X == Y) {
+        return 0;
+    }
+    else{
+        return 1;
+    }
+}
+
+int main() {
+    int X = 12;
+    int Y = 15;
+    int ret;
+    if( mbedtls_mpi_cmp_mpi( X, Y ) != 0 )
+    {
+        ret = 1;
+    }
+    else {
+        ret = 0;
+    }
+    printf("%d\n", ret);
+}
+

Diff for: glitching_skip_correct

@@ -0,0 +1,47 @@
+from manticore import Manticore
+
+for i in range(0x400b76, 0x400bc5):
+	m = Manticore('glitching_skip_incorrect')
+	print hex(i)
+	@m.hook(0x400b60)
+	def hook(state):
+		cpu = state.cpu
+		location = cpu.read_int(i, 8)
+		flipped = location ^ 1
+		cpu.write_int(i, flipped, 8, force=True)
+
+	@m.hook(0x400bb3)
+	def hook2(state):
+		cpu = state.cpu
+		x = cpu.read_int(cpu.RBP-0x10)
+		print hex(x)
+	m.run(timeout = 30)
+
+
+# m2 = Manticore('glitching_skip_correct')
+# print "correct!"
+
+# @m2.hook(0x400bb3)
+# def hook2(state):
+# 	cpu = state.cpu
+# 	x = cpu.read_int(cpu.RBP-0x10)
+# 	print hex(x)
+# m2.run(timeout = 30)
+
+
+# for i in range(0x400b8a, 0x400b8b):
+	# m2 = Manticore('glitching_skip_correct')
+	# print hex(i)
+	# @m2.hook(0x400b60)
+	# def hook(state):
+	# 	cpu = state.cpu
+	# 	location = cpu.read_int(i, 8)
+	# 	flipped = location ^ 1
+	# 	cpu.write_int(i, flipped, 8, force=True)
+
+	# @m2.hook(0x400bb3)
+	# def hook2(state):
+	# 	cpu = state.cpu
+	# 	x = cpu.read_int(cpu.RBP-0x10)
+	# 	print hex(x)
+	# m2.run(timeout = 30)