npm - @aegis-scan/skills - Versions diffs - 0.5.0 → 0.5.2 - Mend

@aegis-scan/skills 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (345) hide show

package/skills/offensive/airecon-fork/ctf-crypto-modern-ciphers/SKILL.md ADDED Viewed

@@ -0,0 +1,688 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+# CTF Crypto - Modern Cipher Attacks
+## Table of Contents
+- [AES-CFB-8 Static IV State Forging](#aes-cfb-8-static-iv-state-forging)
+- [ECB Pattern Leakage on Images](#ecb-pattern-leakage-on-images)
+- [Padding Oracle Attack](#padding-oracle-attack)
+- [CBC-MAC vs OFB-MAC Vulnerability](#cbc-mac-vs-ofb-mac-vulnerability)
+- [Non-Permutation S-box Collision Attack](#non-permutation-s-box-collision-attack)
+- [LCG Partial Output Recovery (0xFun 2026)](#lcg-partial-output-recovery-0xfun-2026)
+- [Weak Hash Functions / GF(2) Gaussian Elimination](#weak-hash-functions--gf2-gaussian-elimination)
+- [Affine Cipher over Composite Modulus (Nullcon 2026)](#affine-cipher-over-composite-modulus-nullcon-2026)
+- [AES-GCM with Derived Keys (EHAX 2026)](#aes-gcm-with-derived-keys-ehax-2026)
+- [Ascon-like Reduced-Round Differential Cryptanalysis (srdnlenCTF 2026)](#ascon-like-reduced-round-differential-cryptanalysis-srdnlenctf-2026)
+- [Custom Linear MAC Forgery (Nullcon 2026)](#custom-linear-mac-forgery-nullcon-2026)
+- [CBC Padding Oracle Attack](#cbc-padding-oracle-attack)
+- [Bleichenbacher / PKCS#1 v1.5 RSA Padding Oracle](#bleichenbacher--pkcs1-v15-rsa-padding-oracle)
+- [Birthday Attack / Meet-in-the-Middle](#birthday-attack--meet-in-the-middle)
+- [LFSR Stream Cipher Attacks](#lfsr-stream-cipher-attacks)
+  - [Berlekamp-Massey Algorithm](#berlekamp-massey-algorithm)
+  - [Correlation Attack](#correlation-attack)
+  - [Known-Plaintext on LFSR Keystream](#known-plaintext-on-lfsr-keystream)
+  - [Galois vs Fibonacci LFSR](#galois-vs-fibonacci-lfsr)
+  - [Common LFSR Lengths and Polynomials](#common-lfsr-lengths-and-polynomials)
+- [CRC32 Collision-Based Signature Forgery (iCTF 2013)](#crc32-collision-based-signature-forgery-ictf-2013)
+- [Blum-Goldwasser Bit-Extension Oracle (PlaidCTF 2013)](#blum-goldwasser-bit-extension-oracle-plaidctf-2013)
+- [Hash Length Extension Attack (PlaidCTF 2014)](#hash-length-extension-attack-plaidctf-2014)
+- [Compression Oracle / CRIME-Style Attack (BCTF 2015)](#compression-oracle--crime-style-attack-bctf-2015)
+- [RC4 Second-Byte Bias Distinguisher (Hackover CTF 2015)](#rc4-second-byte-bias-distinguisher-hackover-ctf-2015)
+- [XOR Consecutive Byte Correlation Attack (Defcamp 2015)](#xor-consecutive-byte-correlation-attack-defcamp-2015)
+- [Hash Function Time Reversal via Cycle Detection (BSidesSF 2025)](#hash-function-time-reversal-via-cycle-detection-bsidessf-2025)
+---
+## AES-CFB-8 Static IV State Forging
+**Pattern (Cleverly Forging Breaks):** AES-CFB with 8-bit feedback and reused IV allows state reconstruction.
+**Key insight:** After encrypting 16 known bytes, the AES internal shift register state is fully determined by those ciphertext bytes. Forge new ciphertexts by continuing encryption from known state.
+---
+## ECB Pattern Leakage on Images
+**Pattern (Electronic Christmas Book):** AES-ECB on BMP/image data preserves visual patterns.
+**Exploitation:** Identical plaintext blocks produce identical ciphertext blocks, revealing image structure even when encrypted. Rearrange or identify patterns visually.
+---
+## Padding Oracle Attack
+**Pattern (The Seer):** Server reveals whether decrypted padding is valid.
+**Byte-by-byte decryption:**
+```python
+def decrypt_byte(block, prev_block, position, oracle, known):
+    """known = bytearray(16) tracking recovered intermediate bytes for this block."""
+    for guess in range(256):
+        modified = bytearray(prev_block)
+        # Set known bytes to produce valid padding
+        pad_value = 16 - position
+        for j in range(position + 1, 16):
+            modified[j] = known[j] ^ pad_value
+        modified[position] = guess
+        if oracle(bytes(modified) + block):
+            return guess ^ pad_value
+```
+---
+## CBC-MAC vs OFB-MAC Vulnerability
+OFB mode creates a keystream that can be XORed for signature forgery.
+**Attack:** If you have signature for known plaintext P1, forge for P2:
+```text
+new_sig = known_sig XOR block2_of_P1 XOR block2_of_P2
+```
+**Important:** Don't forget PKCS#7 padding in calculations! Small bruteforce space? Just try all combinations (e.g., 100 for 2 unknown digits).
+---
+## Non-Permutation S-box Collision Attack
+**Pattern (Tetraes, Nullcon 2026):** Custom AES-like cipher with S-box collisions.
+**Detection:** `len(set(sbox)) < 256` means collisions exist. Find collision pairs and their XOR delta.
+**Attack:** For each key byte, try 256 plaintexts differing by delta. When `ct1 == ct2`, S-box input was in collision set. 2-way ambiguity per byte, 2^16 brute-force. Total: 4,097 oracle queries.
+See [advanced-math.md](advanced-math.md) for full S-box collision analysis code.
+---
+## LCG Partial Output Recovery (0xFun 2026)
+**Known parameters:** If LCG (Linear Congruential Generator) constants (M, A, C) are known and output is `state mod N`, iterate by N through modulus to find state:
+```python
+# output = state % N, state = (A * prev + C) % M
+for candidate in range(output, M, N):
+    # Check if candidate is consistent with next output
+    next_state = (A * candidate + C) % M
+    if next_state % N == next_output:
+        print(f"State: {candidate}")
+```
+**Upper bits only (e.g., upper 32 of 64):** Brute-force lower 32 bits:
+```python
+for low in range(2**32):
+    state = (observed_upper << 32) | low
+    next_state = (A * state + C) % M
+    if (next_state >> 32) == next_observed_upper:
+        print(f"Full state: {state}")
+```
+---
+## Weak Hash Functions / GF(2) Gaussian Elimination
+Linear permutations (only XOR, rotations) are algebraically attackable. Build transformation matrix and solve over GF(2).
+```python
+import numpy as np
+def solve_gf2(A, b):
+    """Solve Ax = b over GF(2)."""
+    m, n = A.shape
+    Aug = np.hstack([A, b.reshape(-1, 1)]) % 2
+    pivot_cols, row = [], 0
+    for col in range(n):
+        pivot = next((r for r in range(row, m) if Aug[r, col]), None)
+        if pivot is None: continue
+        Aug[[row, pivot]] = Aug[[pivot, row]]
+        for r in range(m):
+            if r != row and Aug[r, col]: Aug[r] = (Aug[r] + Aug[row]) % 2
+        pivot_cols.append((row, col)); row += 1
+    if any(Aug[r, -1] for r in range(row, m)): return None
+    x = np.zeros(n, dtype=np.uint8)
+    for r, c in reversed(pivot_cols):
+        x[c] = Aug[r, -1] ^ sum(Aug[r, c2] * x[c2] for c2 in range(c+1, n)) % 2
+    return x
+```
+---
+## Affine Cipher over Composite Modulus (Nullcon 2026)
+Affine encryption `c = A*x + b (mod M)` with composite M: split into prime factor fields, invert independently, CRT recombine. See [advanced-math.md](advanced-math.md#affine-cipher-over-non-prime-modulus-nullcon-2026) for full chosen-plaintext key recovery and implementation.
+---
+## AES-GCM with Derived Keys (EHAX 2026)
+**Pattern:** Final decryption step after recovering a secret (e.g., from LWE, key exchange). Session nonce and AES key derived via SHA-256 hashing of the recovered secret.
+```python
+import hashlib
+from Cryptodome.Cipher import AES
+# Common key derivation chain:
+# 1. Recover secret bytes (s_bytes) from crypto challenge
+# 2. Unwrap session nonce: nonce = wrapped_nonce XOR SHA256(s_bytes)[:nonce_len]
+# 3. Derive AES key: key = SHA256(s_bytes + session_nonce)
+# 4. Decrypt AES-GCM
+def decrypt_with_derived_key(s_bytes, wrapped_nonce, ciphertext, aes_nonce, tag, nonce_len=16):
+    secret_hash = hashlib.sha256(s_bytes).digest()
+    session_nonce = bytes(a ^ b for a, b in zip(wrapped_nonce, secret_hash[:nonce_len]))
+    aes_key = hashlib.sha256(s_bytes + session_nonce).digest()
+    cipher = AES.new(aes_key, AES.MODE_GCM, nonce=aes_nonce)
+    return cipher.decrypt_and_verify(ciphertext, tag)
+```
+**Key insight:** When AES-GCM authentication fails (`ValueError: MAC check failed`), the derived key is wrong — usually means the upstream secret recovery was incorrect or endianness is swapped.
+---
+## Ascon-like Reduced-Round Differential Cryptanalysis (srdnlenCTF 2026)
+**Pattern (Lightweight):** 4-round Ascon-like permutation with reduced diffusion. Key-dependent biases in output-bit differentials allow key recovery via chosen input differences.
+**Attack:**
+1. Reproduce the permutation exactly (critical: post-S-box x4 assignment order matters)
+2. Invert the linear layer of x0 using a precomputed 64×64 GF(2) inverse matrix
+3. For each bit position i, query with `diff = (1<<i, 1<<i)` across multiple samples
+4. Measure empirical biases at output bits `j1 = (i+1) mod 64` and `j2 = (i+14) mod 64`
+5. Classify key bits `(k0[i], k1[i])` via centroid-based clustering with sign-pattern mask
+6. Verify candidate key in-session; refine low-margin bits with additional samples
+**GF(2) linear layer inversion:**
+```python
+def build_inverse(shifts=(19, 28)):
+    """Construct GF(2) inverse matrix for Ascon-like linear layer: x ^= rot(x,19) ^ rot(x,28)."""
+    # Build 64x64 matrix over GF(2)
+    M = [[0]*64 for _ in range(64)]
+    for out_bit in range(64):
+        M[out_bit][out_bit] = 1
+        for shift in shifts:
+            M[out_bit][(out_bit + shift) % 64] ^= 1
+    # Gaussian elimination to find inverse
+    aug = [row + [1 if i == j else 0 for j in range(64)] for i, row in enumerate(M)]
+    for col in range(64):
+        pivot = next(r for r in range(col, 64) if aug[r][col])
+        aug[col], aug[pivot] = aug[pivot], aug[col]
+        for r in range(64):
+            if r != col and aug[r][col]:
+                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
+    return [row[64:] for row in aug]
+```
+**Centroid clustering for key classification:**
+```python
+# For each bit position, measure bias at two output positions
+# 4 possible (k0[i], k1[i]) pairs → 4 centroid patterns
+# Uses sign-pattern mask CMASK=0x73 to account for bit-position-dependent behavior
+# Classify by minimum Euclidean distance in 2D bias space
+CMASK = 0x73
+for i in range(64):
+    bias_j1, bias_j2 = measure_biases(i, samples)
+    mask_bit = (CMASK >> (i % 8)) & 1
+    centroids = centroid_table[mask_bit]  # Precomputed per-position centroids
+    k0_bit, k1_bit = min(range(4), key=lambda c: euclidean_dist(
+        (bias_j1, bias_j2), centroids[c]))
+```
+**Key insight:** Reduced-round lightweight ciphers (Ascon, GIFT, etc.) have exploitable biases when the number of rounds is insufficient for full diffusion. The linear layer's inverse can be computed algebraically, and differential biases measured across chosen-plaintext queries reveal individual key bits. This is practical even with noisy measurements if you collect enough samples.
+---
+## Custom Linear MAC Forgery (Nullcon 2026)
+**Pattern (Pasty):** Server signs paste IDs with a custom SHA-256-based construction. The signature is linear in three 8-byte secret blocks derived from the key.
+**Structure:** For each 8-byte output block `i`:
+- `selector = SHA256(id)[i*8] % 3` → chooses which secret block to use
+- `out[i] = hash_block[i] XOR secret[selector] XOR chain[i-1]`
+**Recovery:** Create ~10 pastes to collect `(id, sig)` pairs. Each pair reveals `secret[selector]` for 4 selectors. With ~4-5 pairs, all 3 secret blocks are recovered. Then forge for target ID.
+**Key insight:** Linearity in custom crypto constructions (XOR-based signing) makes them trivially forgeable. Always check if the MAC has the property: knowing the secret components lets you compute valid signatures for arbitrary inputs.
+---
+## CBC Padding Oracle Attack
+**Pattern:** Server reveals whether CBC-mode ciphertext has valid PKCS#7 padding (via error messages, timing, or status codes). Decrypt any ciphertext block-by-block without the key.
+```python
+from pwn import *
+def padding_oracle(iv, ct):
+    """Returns True if server accepts padding."""
+    resp = requests.post(URL, data={'iv': iv.hex(), 'ct': ct.hex()})
+    return 'padding' not in resp.text.lower()  # or check status code
+def decrypt_block(prev_block, target_block):
+    """Decrypt one 16-byte block using padding oracle."""
+    intermediate = bytearray(16)
+    plaintext = bytearray(16)
+    for byte_pos in range(15, -1, -1):
+        pad_val = 16 - byte_pos
+        # Set already-known bytes to produce correct padding
+        crafted = bytearray(16)
+        for k in range(byte_pos + 1, 16):
+            crafted[k] = intermediate[k] ^ pad_val
+        for guess in range(256):
+            crafted[byte_pos] = guess
+            if padding_oracle(bytes(crafted), target_block):
+                intermediate[byte_pos] = guess ^ pad_val
+                plaintext[byte_pos] = intermediate[byte_pos] ^ prev_block[byte_pos]
+                break
+    return bytes(plaintext)
+```
+**Tools:**
+```bash
+# PadBuster — automated padding oracle exploitation
+padbuster http://target/decrypt.php ENCRYPTED_B64 16 \
+  -encoding 0 -error "Invalid padding"
+# Python: pip install padding-oracle
+from padding_oracle import PaddingOracle
+oracle = PaddingOracle(block_size=16, oracle_fn=check_padding)
+plaintext = oracle.decrypt(ciphertext, iv=iv)
+```
+**Key insight:** The oracle only needs to distinguish "valid padding" from "invalid padding." This can be a different HTTP status code, error message, response time, or even whether the application processes the request further. A single bit of information per query is sufficient. Decryption requires at most 256 x 16 = 4096 queries per block.
+**Detection:** CBC mode encryption + any distinguishable behavior difference on padding errors. Common in cookie encryption, token systems, and encrypted API parameters.
+---
+## Bleichenbacher / PKCS#1 v1.5 RSA Padding Oracle
+**Pattern:** RSA encryption with PKCS#1 v1.5 padding where the server reveals whether decrypted plaintext has valid `0x00 0x02` prefix. Adaptive chosen-ciphertext attack recovers the plaintext.
+```python
+import gmpy2
+def bleichenbacher_oracle(c, n, e):
+    """Returns True if RSA decryption has valid PKCS#1 v1.5 padding (0x00 0x02 prefix)."""
+    resp = send_to_server(c)
+    return resp.status_code != 400  # Server returns 400 on bad padding
+def bleichenbacher_attack(c0, n, e, oracle, k):
+    """
+    c0: target ciphertext (integer)
+    k: byte length of modulus (e.g., 256 for RSA-2048)
+    """
+    B = pow(2, 8 * (k - 2))
+    # Step 1: Start with s1 = ceil(n / 3B)
+    s = (n + 3 * B - 1) // (3 * B)
+    # Step 2: Search for s where oracle(c0 * s^e mod n) is True
+    while True:
+        c_prime = (c0 * pow(s, e, n)) % n
+        if oracle(c_prime, n, e):
+            break
+        s += 1
+    # Step 3: Narrow interval [a, b] using s values
+    # Repeat: find new s, narrow interval, until a == b
+    # When interval collapses, plaintext = a * modinv(s, n) % n
+    # (Full implementation requires interval tracking — use existing tools)
+```
+**Tools:**
+```bash
+# ROBOT attack scanner (modern Bleichenbacher variant)
+python3 robot-detect.py -H target.com
+# TLS-Attacker framework
+java -jar TLS-Attacker.jar -connect target:443 -workflow_type BLEICHENBACHER
+```
+**Key insight:** The attack is adaptive — each oracle response narrows the range of possible plaintexts. Typically requires ~10,000 oracle queries for RSA-2048. The ROBOT attack (Return Of Bleichenbacher's Oracle Threat) showed this affects modern TLS implementations through subtle timing differences. Any server that distinguishes "bad padding" from "bad content" is vulnerable.
+---
+## Birthday Attack / Meet-in-the-Middle
+**Pattern:** Find collisions in hash functions or MACs using the birthday paradox. With an n-bit hash, expect a collision after ~2^(n/2) random inputs.
+```python
+import hashlib, os
+def birthday_collision(hash_fn, output_bits, prefix=b''):
+    """Find two inputs with the same truncated hash."""
+    target_bytes = output_bits // 8
+    seen = {}
+    while True:
+        msg = prefix + os.urandom(16)
+        h = hash_fn(msg).digest()[:target_bytes]
+        if h in seen:
+            return seen[h], msg  # Collision found!
+        seen[h] = msg
+# Example: find collision on first 4 bytes of SHA-256 (~65536 attempts)
+msg1, msg2 = birthday_collision(hashlib.sha256, 32)
+```
+**Meet-in-the-Middle (2DES, double encryption):**
+```python
+def meet_in_the_middle(encrypt_fn, decrypt_fn, plaintext, ciphertext, keyspace):
+    """Break double encryption E(k2, E(k1, pt)) = ct."""
+    # Forward: encrypt plaintext with all possible k1
+    forward = {}
+    for k1 in keyspace:
+        intermediate = encrypt_fn(k1, plaintext)
+        forward[intermediate] = k1
+    # Backward: decrypt ciphertext with all possible k2
+    for k2 in keyspace:
+        intermediate = decrypt_fn(k2, ciphertext)
+        if intermediate in forward:
+            return forward[intermediate], k2  # Found k1, k2!
+```
+**Key insight:** Birthday attack: n-bit hash needs ~2^(n/2) queries for 50% collision probability. 32-bit hash -> ~65K, 64-bit -> ~4 billion. Meet-in-the-middle reduces double encryption from O(2^(2k)) to O(2^k) time + O(2^k) space — this is why 2DES provides only 1 extra bit of security over DES.
+---
+## LFSR Stream Cipher Attacks
+Linear Feedback Shift Registers generate keystreams from an initial state and feedback polynomial. Common in CTF crypto challenges and lightweight/custom ciphers.
+**Detection:** Look for bit-level operations (XOR, shift, AND with tap mask), short repeating keystreams, or challenge descriptions mentioning "stream cipher", "LFSR", "shift register", or "linear recurrence".
+### Berlekamp-Massey Algorithm
+**Pattern:** Given a portion of known keystream (from known plaintext XOR), recover the minimal LFSR that generates it. Once you have the feedback polynomial and state, predict all future (and past) output.
+**Key insight:** Berlekamp-Massey finds the shortest LFSR producing a given sequence in O(n^2). If you have 2L consecutive keystream bits (where L is the LFSR length), you can fully recover the LFSR.
+```python
+from sage.all import *
+# Known keystream bits (from known plaintext XOR ciphertext)
+keystream = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1]
+# Berlekamp-Massey in SageMath
+F = GF(2)
+seq = [F(b) for b in keystream]
+R = berlekamp_massey(seq)  # Returns the feedback polynomial
+print(f"LFSR polynomial: {R}")
+print(f"LFSR length: {R.degree()}")
+# Recover initial state from first L bits
+L = R.degree()
+state = keystream[:L]
+# Generate future keystream
+def lfsr_next(state, taps):
+    """taps = list of tap positions from polynomial"""
+    new_bit = 0
+    for t in taps:
+        new_bit ^= state[t]
+    return state[1:] + [new_bit]
+```
+### Correlation Attack
+**Pattern:** Combined LFSR generator (multiple LFSRs combined through a nonlinear function). If the combining function has correlation bias toward one LFSR's output, attack that LFSR independently.
+**Key insight:** If `P(output = LFSR_i output) > 0.5`, brute-force LFSR_i's initial state (2^L candidates for length-L LFSR) and check correlation with known keystream. Much faster than brute-forcing the full combined state.
+```python
+# Correlation attack on a single biased LFSR
+def correlation_attack(keystream_bits, lfsr_length, taps, threshold=0.6):
+    """Try all 2^L initial states, keep those with high correlation"""
+    best_corr, best_state = 0, None
+    for seed in range(2**lfsr_length):
+        state = [(seed >> i) & 1 for i in range(lfsr_length)]
+        matches = 0
+        s = state[:]
+        for i, bit in enumerate(keystream_bits):
+            if s[0] == bit:
+                matches += 1
+            s = lfsr_next(s, taps)
+        corr = matches / len(keystream_bits)
+        if corr > best_corr:
+            best_corr, best_state = corr, seed
+    return best_state, best_corr
+```
+### Known-Plaintext on LFSR Keystream
+**Pattern:** XOR known plaintext with ciphertext to get keystream. With >=2L keystream bits, solve the linear system directly.
+```python
+import numpy as np
+# Given 2L keystream bits, solve for L-bit state + L feedback taps
+# Keystream relation: k[i+L] = c[0]*k[i] + c[1]*k[i+1] + ... + c[L-1]*k[i+L-1] (mod 2)
+def solve_lfsr(keystream, L):
+    """Solve for LFSR feedback from 2L keystream bits over GF(2)"""
+    # Build matrix: each row is [k[i], k[i+1], ..., k[i+L-1]] = k[i+L]
+    A = []
+    b = []
+    for i in range(L):
+        A.append(keystream[i:i+L])
+        b.append(keystream[i+L])
+    # Solve over GF(2) using SageMath
+    from sage.all import matrix, vector, GF
+    M = matrix(GF(2), A)
+    v = vector(GF(2), b)
+    coeffs = M.solve_right(v)
+    return list(coeffs)
+```
+### Galois vs Fibonacci LFSR
+Two equivalent representations — same keystream, different wiring:
+- **Fibonacci:** feedback from multiple taps XOR'd into last position (most common in CTFs)
+- **Galois:** feedback distributed across the register (faster in hardware)
+Conversion: Galois polynomial is the reciprocal of Fibonacci polynomial. Most CTF tools assume Fibonacci form.
+### Common LFSR Lengths and Polynomials
+| Bits | Common primitive polynomial | Period |
+|------|---------------------------|--------|
+| 16 | x^16 + x^14 + x^13 + x^11 + 1 | 65535 |
+| 32 | x^32 + x^22 + x^2 + x + 1 | 2^32 - 1 |
+| 64 | x^64 + x^4 + x^3 + x + 1 | 2^64 - 1 |
+**Maximal-length LFSR:** Primitive polynomial -> period = 2^L - 1 (visits all nonzero states).
+---
+## CRC32 Collision-Based Signature Forgery (iCTF 2013)
+**Pattern:** CRC32 is linear — appending 4 carefully chosen bytes to any message produces a target CRC32 value, enabling signature forgery without knowing the secret key.
+**Key insight:** `CRC32(msg || secret)` is not a secure MAC. Given any signed response `(msg, sig)`, compute 4 suffix bytes that force `CRC32(forged_msg || suffix || secret) == target_sig`. The linearity of CRC32 means the suffix computation is deterministic and instant.
+```python
+import struct, binascii
+def crc32_forge(data, target_crc):
+    """Append 4 bytes to data so CRC32(data + suffix) == target_crc"""
+    current = binascii.crc32(data) & 0xFFFFFFFF
+    # CRC32 polynomial table lookup to find suffix bytes
+    # that transform current CRC into target_crc
+    suffix = b''
+    crc = target_crc ^ 0xFFFFFFFF
+    for _ in range(4):
+        byte = (crc & 0xFF)
+        crc = (crc >> 8)
+        suffix = bytes([byte]) + suffix
+    return data + suffix  # Simplified — full implementation requires polynomial division
+```
+**When to use:** Any protocol using CRC32 as a message authentication code (MAC). CRC32 is a checksum, not a cryptographic hash — it provides no integrity guarantees against adversarial modification.
+---
+## Blum-Goldwasser Bit-Extension Oracle (PlaidCTF 2013)
+**Pattern:** Exploit a decryption oracle for Blum-Goldwasser-style encryption by extending ciphertext length by one bit per query to leak plaintext via parity.
+**Key insight:** Extend ciphertext by one bit (L+1), shift ciphertext left (`c << 1`), and submit a modified `y` value. The oracle reveals the LSB (parity) of each decrypted chunk. The squaring sequence `y = pow(y, 2, N)` can be manipulated to produce valid extended ciphertexts the server hasn't seen.
+```python
+# Iterative plaintext recovery via bit-extension
+for i in range(msg_length):
+    extended_c = original_c << 1        # Shift ciphertext left by 1
+    new_y = pow(original_y, 2, N)       # Advance squaring sequence
+    response = oracle(extended_c, new_y, msg_length + 1)
+    leaked_bit = response & 1           # LSB reveals one plaintext bit
+    plaintext_bits.append(leaked_bit)
+    original_y = new_y
+```
+**When to use:** Blum-Goldwasser or BBS-based (Blum Blum Shub) encryption with a decryption oracle that accepts variable-length ciphertexts. The parity leak accumulates one bit per query.
+---
+## Hash Length Extension Attack (PlaidCTF 2014)
+**Pattern:** Server computes `hash(SECRET || user_data)` using MD5, SHA-1, or SHA-256 (Merkle-Damgard constructions). Given a valid hash and the original data, extend it with arbitrary appended data and compute a valid hash — without knowing the secret.
+```bash
+# Using HashPump (install: apt install hashpump)
+hashpump --keylength 8 \
+  --signature 'ef16c2bffbcf0b7567217f292f9c2a9a50885e01e002fa34db34c0bb916ed5c3' \
+  --data 'original_data' \
+  --additional ';admin=true'
+# Outputs: new_signature and new_data (with padding bytes)
+```
+```python
+# Python: hashpumpy
+import hashpumpy
+new_hash, new_data = hashpumpy.hashpump(
+    original_hash, original_data, append_data, secret_length
+)
+```
+**Key insight:** Merkle-Damgard hashes (MD5, SHA-1, SHA-256) process data in blocks, and the hash output IS the internal state. Given `H(secret || msg)`, you can compute `H(secret || msg || padding || extension)` without knowing `secret` — just initialize the hash state from the known output and continue hashing. Only HMAC (`H(K XOR opad || H(K XOR ipad || msg))`) is immune. If the secret length is unknown, try lengths 1-32.
+---
+## Compression Oracle / CRIME-Style Attack (BCTF 2015)
+**Pattern:** Server compresses plaintext (LZW, zlib, etc.) before encrypting. By observing ciphertext length changes with chosen plaintexts, leak the unknown plaintext character-by-character.
+```python
+import base64
+def oracle(plaintext):
+    """Send chosen plaintext, get ciphertext length."""
+    resp = send_to_server(plaintext)
+    return len(base64.b64decode(resp))
+# Baseline: empty input
+base_len = oracle("")
+# Recover secret byte-by-byte
+known = ""
+for pos in range(secret_length):
+    for c in string.printable:
+        candidate = known + c
+        length = oracle(candidate)
+        if length <= base_len + len(known):  # Compressed = match
+            known += c
+            break
+```
+**Key insight:** Compression algorithms (LZW, DEFLATE, zlib) replace repeated sequences with back-references. If `SALT + user_input` is compressed before encryption, sending input that matches part of the salt produces shorter ciphertext (the match compresses). This is the same class as CRIME (TLS), BREACH (HTTP), and HEIST attacks. The oracle is ciphertext length.
+---
+## RC4 Second-Byte Bias Distinguisher (Hackover CTF 2015)
+**Pattern:** Distinguish RC4 output from true random data by exploiting RC4's second-byte bias. The second output byte of RC4 is biased toward `0x00` with probability 1/128 (vs expected 1/256).
+```python
+count_zero = 0
+for sample in all_samples:
+    if sample[1] == 0x00:  # second byte
+        count_zero += 1
+# Expected: random = N/256, RC4 = N/128 (2x more zeros)
+if count_zero > threshold:
+    print("RC4")
+else:
+    print("Random")
+```
+**Key insight:** RC4's key scheduling creates a well-known bias where `P(second_byte == 0) = 1/128` instead of `1/256`. With ~2048 samples, RC4 produces ~16 zero second-bytes vs ~8 for random. Other RC4 biases: bytes 3-255 show weaker biases; long-term biases exist at every 256th position.
+---
+## XOR Consecutive Byte Correlation Attack (Defcamp 2015)
+When a cipher XORs consecutive ciphertext bytes, the relationship between two ciphertexts reveals plaintext differences without knowing the key:
+```python
+# Observation: xorct[i] = ct[i] ^ ct[i+1]
+# For two ciphertext/plaintext pairs:
+# plain2[i] ^ plain1[i] == xorct1[i] ^ xorct2[i]
+# With one known plaintext, decrypt the other:
+for i in range(len(ct2)):
+    xorct1 = ct1[i] ^ ct1[i+1]
+    xorct2 = ct2[i] ^ ct2[i+1]
+    plain2_char = xorct1 ^ xorct2 ^ plain1[i]
+```
+**Key insight:** XOR of consecutive bytes cancels key material, leaving only plaintext-dependent differences. One known plaintext breaks all subsequent messages.
+---
+## Hash Function Time Reversal via Cycle Detection (BSidesSF 2025)
+When a system uses iterated hashing as a "time" function (`state_t = H(state_{t-1})`), reverse time by exploiting the finite cycle structure:
+1. **Detect cycle:** Use Floyd's tortoise-and-hare or Brent's algorithm to find cycle length L
+2. **Compute backward steps:** To go from time T to earlier time T_goal: iterate forward `(L - (T - T_goal)) % L` steps
+```python
+import hashlib
+def hash_step(state):
+    return hashlib.md5(state).digest()[:8]  # Truncated hash
+def find_cycle(start):
+    """Brent's cycle detection: returns (cycle_length, start_of_cycle)"""
+    power = lam = 1
+    tortoise = start
+    hare = hash_step(start)
+    while tortoise != hare:
+        if power == lam:
+            tortoise = hare
+            power *= 2
+            lam = 0
+        hare = hash_step(hare)
+        lam += 1
+    # lam = cycle length; find cycle start
+    tortoise = hare = start
+    for _ in range(lam):
+        hare = hash_step(hare)
+    mu = 0
+    while tortoise != hare:
+        tortoise = hash_step(tortoise)
+        hare = hash_step(hare)
+        mu += 1
+    return lam, mu  # cycle_length, cycle_start_offset
+# Reverse from T_known to T_goal
+cycle_len, _ = find_cycle(known_state)
+forward_steps = (cycle_len - (t_known - t_goal)) % cycle_len
+state = known_state
+for _ in range(forward_steps):
+    state = hash_step(state)
+# state is now the value at t_goal
+```
+**Key insight:** For truncated hashes (e.g., MD5 -> 64 bits), the expected cycle length is ~2^32, making cycle detection feasible. Going "backward" N steps is equivalent to going forward (cycle_length - N) steps. Assumes the target state is within the main cycle, not on a tail.