-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathcollider.py
112 lines (88 loc) · 4.65 KB
/
collider.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
#! coding:utf-8
import sys
from hashlib import sha1
from PIL import Image
from Crypto.Util.number import bytes_to_long as b2l
from Crypto.Util.number import long_to_bytes as l2b
def jpeg_comment(n):
# Comment size can be only setted in 2 bytes
assert n < 0xffff, "Oversized image data (up to 65535 bytes)."
n += 2
return '\xff\xfe' + l2b(n>>8) + l2b(n & 0xff)
def main():
if len(sys.argv) != 3:
print "Usage: python collider.py <image1> <image2>"
sys.exit(1)
img1 = open(sys.argv[1], "rb").read()
img2 = open(sys.argv[2], "rb").read()
# Check JPEG format
if b2l(img1[:2]) != 0xffd8 or b2l(img2[:2]) != 0xffd8:
print "Image is not JPEG format."
sys.exit(1)
size1 = Image.open(sys.argv[1]).size
size2 = Image.open(sys.argv[2]).size
print "Image size:", size1
# Resize the image if different sizes
if size1 != size2:
new = Image.open(sys.argv[2]).resize(size1)
new.save("resized_" + sys.argv[2])
img2 = open("resized_" + sys.argv[2], "rb").read()
print "Resized:", sys.argv[2]
pdf_header = l2b(0x255044462D312E330A25E2E3CFD30A0A0A312030206F626A0A3C3C2F57696474682032203020522F4865696768742033203020522F547970652034203020522F537562747970652035203020522F46696C7465722036203020522F436F6C6F7253706163652037203020522F4C656E6774682038203020522F42697473506572436F6D706F6E656E7420383E3E0A73747265616D0A)
jpg_header = l2b(0xFFD8FFFE00245348412D3120697320646561642121212121852FEC092339759C39B1A1C63C4C97E1FFFE01)
# Collision blocks (This is the only part of the files which is different)
collision_block1 = l2b(0x7F46DC93A6B67E013B029AAA1DB2560B45CA67D688C7F84B8C4C791FE02B3DF614F86DB1690901C56B45C1530AFEDFB76038E972722FE7AD728F0E4904E046C230570FE9D41398ABE12EF5BC942BE33542A4802D98B5D70F2A332EC37FAC3514E74DDC0F2CC1A874CD0C78305A21566461309789606BD0BF3F98CDA8044629A1)
collision_block2 = l2b(0x7346DC9166B67E118F029AB621B2560FF9CA67CCA8C7F85BA84C79030C2B3DE218F86DB3A90901D5DF45C14F26FEDFB3DC38E96AC22FE7BD728F0E45BCE046D23C570FEB141398BB552EF5A0A82BE331FEA48037B8B5D71F0E332EDF93AC3500EB4DDC0DECC1A864790C782C76215660DD309791D06BD0AF3F98CDA4BC4629B1)
prefix1 = pdf_header + jpg_header + collision_block1
prefix2 = pdf_header + jpg_header + collision_block2
data = ''
data += b'\x00' * 242
data += jpeg_comment(8 + len(img1[2:]))
data += b'\x00' * 8
data += img1[2:]
data += img2[2:]
data += b'endstream\nendobj\n\n'
# Cross-reference Table
xref = b'xref\n'
xref += b'0 13 \n'
xref += b'0000000000 65535 f \n'
xref += b'0000000017 00000 n \n'
xref += b'%010d 00000 n \n' % len(prefix1+data)
# width
data += b'2 0 obj\n%010d\nendobj\n\n' % size1[0]
xref += b'%010d 00000 n \n' % len(prefix1+data)
# height
data += b'3 0 obj\n%010d\nendobj\n\n' % size1[1]
xref += b'%010d 00000 n \n' % len(prefix1+data)
data += b'4 0 obj\n/XObject\nendobj\n\n'
xref += b'%010d 00000 n \n' % len(prefix1+data)
data += b'5 0 obj\n/Image\nendobj\n\n'
xref += b'%010d 00000 n \n' % len(prefix1+data)
data += b'6 0 obj\n/DCTDecode\nendobj\n\n'
xref += b'%010d 00000 n \n' % len(prefix1+data)
data += b'7 0 obj\n/DeviceRGB\nendobj\n\n'
xref += b'%010d 00000 n \n' % len(prefix1+data)
# JPEG size
data += b'8 0 obj\n%010d\nendobj\n\n' % len(img1+img2)
xref += b'%010d 00000 n \n' % len(prefix1+data)
data += b'9 0 obj\n<<\n /Type /Catalog\n /Pages 10 0 R\n>>\nendobj\n\n'
xref += b'%010d 00000 n \n' % len(prefix1+data)
data += b'10 0 obj\n<<\n /Type /Pages\n /Count 1\n /Kids [11 0 R]\n>>\nendobj\n\n'
xref += b'%010d 00000 n \n' % len(prefix1+data)
data += b'11 0 obj\n<<\n /Type /Page\n /Parent 10 0 R\n /MediaBox [0 0 %010d %010d]\n /CropBox [0 0 %010d %010d]\n /Contents 12 0 R\n /Resources\n <<\n /XObject <</Im0 1 0 R>>\n >>\n>>\nendobj\n\n' % (size1[0], size1[1], size1[0], size1[1])
xref += b'%010d 00000 n \n' % len(prefix1+data)
data += b'12 0 obj\n<</Length 49>>\nstream\nq\n %010d 0 0 %010d 0 0 cm\n /Im0 Do\nQ\nendstream\nendobj\n\n' % (size1[0], size1[1])
xref_pos = len(prefix1 + data)
data += xref
trailer = b'\ntrailer << /Root 9 0 R /Size 13>>\n\nstartxref\n%010d\n%%%%EOF\n' % xref_pos
data += trailer
outfile1 = prefix1 + data
outfile2 = prefix2 + data
# Check SHA-1 collision
assert sha1(outfile1).hexdigest() == sha1(outfile2).hexdigest()
open(sys.argv[1].split('.')[0]+"-collision.pdf", "wb").write(outfile1)
open(sys.argv[2].split('.')[0]+"-collision.pdf", "wb").write(outfile2)
print "Successfully Generated Collision PDF !!!"
return
if __name__ == "__main__":
main()