1
def attack(encrypt_oracle, unused_byte=0):
2
    """
3
    Recovers a secret which is appended to a plaintext and encrypted using ECB.
4
    :param encrypt_oracle: the encryption oracle
5
    :param unused_byte: a byte that's never used in the secret
6
    :return: the secret
7
    """
8
    paddings = [bytes([unused_byte] * i) for i in range(16)]
9
    secret = bytearray()
10
    while True:
11
        padding = paddings[15 - (len(secret) % 16)]
12
        p = bytearray(padding + secret + b"0" + padding)
13
        byte_index = len(padding) + len(secret)
14
        end1 = len(padding) + len(secret) + 1
15
        end2 = end1 + len(padding) + len(secret) + 1
16
        for i in range(256):
17
            p[byte_index] = i
18
            c = encrypt_oracle(p)
19
            if c[end1 - 16:end1] == c[end2 - 16:end2]:
20
                secret.append(i)
21
                break
22
        else:
23
            secret.pop()
24
            break
25

26
    return bytes(secret)
27

28