GitHub Repository: jvdsn/crypto-attacks
Path: blob/master/attacks/ecb/plaintext_recovery_harder.py
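def _get_prefix_padding(encrypt_oracle, paddings):
    """
    Finds the padding which aligns the oracle's constant prefix to the end of the first 16-byte block.
    ECB encrypts each block independently and deterministically, so two equal plaintext blocks
    give two equal ciphertext blocks. The probe appends 32 equal bytes after the candidate padding:
    the second and third ciphertext blocks are equal once prefix + padding fills the first block.
    :param encrypt_oracle: the encryption oracle
    :param paddings: a list where paddings[i] is a padding of length i, for i from 0 to 16
    :return: the padding (length 0 to 16) which completes the first block
    :raises ValueError: if no padding length makes the second and third ciphertext blocks equal
    """
    # The probe uses 0x01 bytes, so the padding byte has to differ from 0x01 to avoid false matches.
    check = b"\x01" * 32
    # Longest padding first. Length 0 is needed for a prefix of exactly 16 bytes, which already
    # fills the first block; the original loop stopped at length 1 and returned None in that case.
    for length in range(16, -1, -1):
        prefix_padding = paddings[length]
        c = encrypt_oracle(prefix_padding + check)
        if c[16:32] == c[32:48]:
            return prefix_padding

    # Fail explicitly instead of returning None (e.g. the oracle is not ECB with 16-byte blocks).
    raise ValueError("Could not align the prefix to a block boundary, is the oracle using ECB with 16-byte blocks?")


def attack(encrypt_oracle, unused_byte=0):
    """
    Recovers a secret which is appended to a plaintext and encrypted using ECB.
    In this scenario, the encryption oracle prepends a constant, random prefix (length 0 to 16) to the plaintext.
    The recovery only relies on ECB mapping equal plaintext blocks to equal ciphertext blocks;
    an oracle which uses a randomized mode with a fresh IV or nonce per call does not expose this equality.
    :param encrypt_oracle: the encryption oracle
    :param unused_byte: a byte that's never used in the secret or random prefix (should also differ from 0x01, the byte used to align the prefix)
    :return: the secret
    :raises ValueError: if the prefix can not be aligned to a block boundary
    """
    # 17 here because _get_prefix_padding needs paddings[16].
    paddings = [bytes([unused_byte] * i) for i in range(17)]
    # After this, prefix + prefix_padding occupies exactly the first 16 bytes of the plaintext.
    prefix_padding = _get_prefix_padding(encrypt_oracle, paddings)
    secret = bytearray()
    while True:
        # Shift the next unknown secret byte to the last position of a block.
        padding = paddings[15 - (len(secret) % 16)]
        # Layout: [prefix_padding][padding][known secret][guess][padding], followed by the real secret.
        p = bytearray(prefix_padding + padding + secret + b"0" + padding)
        # Index of the guessed byte inside p.
        byte_index = len(prefix_padding) + len(padding) + len(secret)
        # end1: end of the ciphertext block which contains the guess (the 16 accounts for the first block).
        end1 = 16 + len(padding) + len(secret) + 1
        # end2: end of the ciphertext block which contains the real byte at the same offset.
        end2 = end1 + len(padding) + len(secret) + 1
        for i in range(256):
            p[byte_index] = i
            c = encrypt_oracle(p)
            if c[end1 - 16:end1] == c[end2 - 16:end2]:
                secret.append(i)
                break
        else:
            # No guess matched, so the end of the secret was passed. The last recovered byte is dropped:
            # presumably it is the first byte of the oracle's own padding (0x01 for PKCS#7) - TODO confirm.
            # NOTE(review): this raises IndexError if no byte was recovered at all.
            secret.pop()
            break

    return bytes(secret)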