We Want Nudes Instead Of Nukes

IV used in encryption:

- plain[i] ^ iv[i] => plain_iv_blk

IV used in decryption is as follow, cipher_blk is decrypted cipher block

- cipher_blk ^ iv[i] => plain[i]

So cipher_blk = iv ^ plain. To make decrypted plaintext read as ‘SEND_NUDES_MELA!’, created a fake IV from known plain text and known IV.

fake_iv = cipher_blk ^ fake_plain
        = iv ^ plain ^ fake_plain

So altered message, formated as {IV,cipher}, is {2c1289a05847cfd65ecee8f7fe7efd66,8473dcb86bc12c6b6087619c00b6657e}.

block_size = 16
iv = '391e95a15847cfd95ecee8f7fe7efd66'
cipher = '8473dcb86bc12c6b6087619c00b6657e'
plain = 'FIRE_NUKES_MELA!'
fake_plain = 'SEND_NUDES_MELA!'

iv = bytes.fromhex(iv)
cipher = bytes.fromhex(cipher)
fake_iv = []

for i in range(block_size):
    fake_iv.append(iv[i] ^ ord(plain[i]) ^ ord(fake_plain[i]))

fake_iv = bytes(fake_iv)
print('iv', fake_iv.hex(), len(fake_iv))
print('flag{{{},{}}}'.format(fake_iv.hex(), cipher.hex()))