User:Ihaveahax/OTP bitflip finder

This was used to find a bitflip in an OTP in mid 2021. It goes through each bit of the encrypted OTP, flips it, decrypts, and verifies hashes. It only checks keydata, though; it could be modified to check the entire OTP.

check.py

from pyctr.crypto import CryptoEngine
from Cryptodome.Cipher import AES
from hashlib import sha256

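# CryptoEngine supplies the OTP AES key as a.otp_key
a = CryptoEngine()

# Decrypted bytes 0x00-0x8F, taken as-is from an existing decryption
with open('otp_dec.bin', 'rb') as f:
    beginning = f.read(0x90)

# In CBC, the ciphertext block at 0x80 acts as the IV for everything from 0x90 on
with open('otp.bin', 'rb') as f:
    f.seek(0x80)
    iv = f.read(0x10)
    remaining = f.read()

ints = bytearray(remaining)
# x is a byte offset relative to 0x90 in otp.bin
for x in range(len(remaining)):
    orig = ints[x]
    for bit in range(8):
        # Flip a single bit, then decrypt the modified ciphertext
        new = orig ^ (1 << bit)
        ints[x] = new
        cipher = AES.new(a.otp_key, AES.MODE_CBC, iv)
        data = cipher.decrypt(ints)
        # The first 0x50 bytes complete the hashed region; the rest is the stored hash
        before_hash = data[0:0x50]
        ohash = data[0x50:]
        hash_before_hash = sha256(beginning + before_hash).hexdigest()
        print(x, bit, hash_before_hash, ohash.hex(), hash_before_hash == ohash.hex())
        if hash_before_hash == ohash.hex():
            # Hash matches: print the full repaired plaintext
            print(beginning + before_hash + ohash)
    # Restore the original byte before moving on
    ints[x] = orig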