from itertools import product from tqdm import tqdm from Crypto.Util.number import bytes_to_long, long_to_bytes defcheck(s): returnmin([((i<129) and (i>31)) for i in s])
c = "89b8aca257ee2748f030e7f6599cbe0cbb5db25db6d3990d3b752eda9689e30fa2b03ee748e0da3c989da2bba657b912" c_list = [int(c[i*16:i*16+16], 16) for i inrange(len(c)//16)] known_m = bytes_to_long(b'ByteCTF{') range64 = list(range(-32, 33)) cur_c = known_m^c_list[0] print(cur_c) k_cnt = 0 for a,b,c,d in tqdm(product(range64, range64, range64, range64)): last = cur_c k = [a, b, c, d] try_cur_c = convert(last, k) m1 = long_to_bytes(try_cur_c ^ c_list[1]) if check(m1): # 只筛选这第一轮的话,4836个k是满足条件的,所以得筛第二轮 last = try_cur_c try_cur_c = convert(last, k) m2 = long_to_bytes(try_cur_c ^ c_list[2]) if check(m2): k_cnt += 1 try: print(m1.decode() + m2.decode(), k) except: print("error") print(k_cnt) # keys = [-12, 26, -3, -31] # ByteCTF{5831a241s-f30980
from Crypto.Util.number import bytes_to_long, long_to_bytes
k = [-12, 26, -3, -31] c = "89b8aca257ee2748f030e7f6599cbe0cbb5db25db6d3990d3b752eda9689e30fa2b03ee748e0da3c989da2bba657b912" cl = [int(c[i*16:i*16+16], 16) for i inrange(len(c)//16)] cur_c = bytes_to_long(b'ByteCTF{') ^ cl[0]
defshift(m, k, c): if k < 0: return m ^ m >> (-k) & c return m ^ m << k & c
defconvert(m, key): c_list = [0x37386180af9ae39e, 0xaf754e29895ee11a, 0x85e1a429a2b7030c, 0x964c5a89f6d3ae8c] for t inrange(4): m = shift(m, key[t], c_list[t]) return m
defunshift_right(value, key, mask=None, nbits=32): ifnot mask: mask = (1 << (nbits + 1)) - 1 i = 0 while i * key < nbits: part_mask = ((((1 << nbits)-1) << (nbits - key)) & ((1 << nbits)-1)) >> (i * key) part = value & part_mask value ^= (part >> key) & mask i += 1 return value
defunshift_left(value, key, mask=None, nbits=32): ifnot mask: mask = (1 << (nbits + 1)) - 1 i = 0 while i * key < nbits: part_mask = ((((1 << nbits)-1) >> (nbits - key)) & ((1 << nbits)-1)) << (i * key) part = value & part_mask value ^= (part << key) & mask i += 1 return value
defre_convert(m, key): c_list = [0x37386180af9ae39e, 0xaf754e29895ee11a, 0x85e1a429a2b7030c, 0x964c5a89f6d3ae8c] for t inrange(3, -1, -1): m = my_unshift(m, key[t], c_list[t]) return m
IV = re_convert(cur_c, k) assert IV.bit_length() == 64
last = IV cur = re_convert(cl[3], k) m3 = long_to_bytes(cur ^ last) print(m3)
last = cl[3] cur = re_convert(cl[4], k) m4 = long_to_bytes(cur ^ last) print(m4)
last = cl[4] cur = re_convert(cl[5], k) m5 = long_to_bytes(cur ^ last) print(m5) print(m3 + m4 + m5) # q535af-2156547475u2t}$$$
# -------------------------------- Secp256k1 -------------------------------- p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F a, b = 0, 7 G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8) # ------------------ https://en.bitcoin.it/wiki/Secp256k1 -------------------
Pc = (0xb5b1b07d251b299844d968be56284ef32dffd0baa6a0353baf10c90298dfd117, 0xea62978d102a76c3d6747e283091ac5f2b4c3ba5fc7a906fe023ee3bc61b50fe)
import requests, os, random from Crypto.Cipher import AES from Crypto.Util.number import long_to_bytes from task_data import p, a, b, G, msg21, msg23, msg25 from hashlib import sha256
E = EllipticCurve(IntegerModRing(p), [a, b]) G = E(G)
for pis in tqdm.tqdm(range(0xff, 0xffff+1)): hs = int(sha256(long_to_bytes(pis)).hexdigest(), 16) if ((hs*Ys) == Yc): print(f'pis = {pis}\nhs = {hs}') break
''' pis = 36727 hs = 67294392667457530634966084521984708026794776225602296684920633502274376489620 '''
import requests, random from Crypto.Util.number import * from Crypto.Cipher import AES from task_data import p, a, b, G, msg11, msg13, Pc from hashlib import sha256
E = EllipticCurve(IntegerModRing(p), [a, b]) G = E(G) sid1 = "8d1a95ce724141a0ea7c8ffa7eddc48605b3117c8aa886bcc2aff3b0c2175b56"
from Crypto.Util.number import * from pwn import * from tqdm import tqdm defmain(): r = remote('39.105.181.182', '30001') plaintext = b"Hello, I'm a Bytedancer. Please give me the flag!"+b"\x0f"*15
defmy_XOR(a, b): assertlen(a) == len(b) returnb''.join([long_to_bytes(a[i]^b[i]) for i inrange(len(a))])
defdecrypt(msg): newmsg = msg + b'\x00'*(256+64-len(msg)) r.recvuntil(b'Please enter your cipher in hex > ') r.sendline(newmsg.hex().encode()) r.recvline() result = r.recvline().decode().strip() returnbytes.fromhex(result)
defdecrypt_(msg): newmsg = msg + b'\x00'*(256-len(msg)) r.recvuntil(b'Please enter your cipher in hex > ') r.sendline(newmsg.hex().encode()) r.recvline() result = r.recvline().decode().strip() returnbytes.fromhex(result)
proof_of_work() msg = b'\x00'*16 decrypt(msg) c = b"" for i inrange(50): t = decrypt(c)[i] c += long_to_bytes(t^plaintext[i])
decc = decrypt_(c) print(decc) res = r.recvline()+r.recvline() ifb"Here is your flag"in res: print(r.recvline()) print(r.recvline()) r.close() return (True, len(decc)) r.close() return (False, len(decc))
ll = [] whileTrue: ss = main() ll.append(ss[1]) if ss[0]: break print(len(ll), ll)
defsmall_roots(f, bounds, m=1, d=None): ifnot d: d = f.degree() R = f.base_ring() N = R.cardinality() f /= f.coefficients().pop(0) f = f.change_ring(ZZ) G = Sequence([], f.parent()) for i inrange(m+1): base = N^(m-i) * f^i for shifts in itertools.product(range(d), repeat=f.nvariables()): g = base * prod(map(power, f.variables(), shifts)) G.append(g) B, monomials = G.coefficient_matrix() monomials = vector(monomials) factors = [monomial(*bounds) for monomial in monomials] for i, factor inenumerate(factors): B.rescale_col(i, factor) B = B.dense_matrix().LLL() B = B.change_ring(QQ) for i, factor inenumerate(factors): B.rescale_col(i, 1/factor) H = Sequence([], f.parent().change_ring(QQ)) for h infilter(None, B*monomials): H.append(h) I = H.ideal() if I.dimension() == -1: H.pop() elif I.dimension() == 0: roots = [] for root in I.variety(ring=ZZ): root = tuple(R(root[var]) for var in f.variables()) roots.append(root) return roots return []
PR.<a,b> = PolynomialRing(Zmod(p)) f = (x1 + a)**2 - x2 - b ans = small_roots(f, (2**64, 2**64), m=8) print("ans =", ans) r.sendlineafter(b'$ ', b'4') r.sendlineafter(b'secret: ', str(x1 + ans[0][0]).encode()) print(r.recvline().decode().strip()) r.close() ''' ans = [(275016199582168079, 3988784878785365375)] b'ByteCTF{0fcca5ab-c7dc-4b9a-83f0-b24d4d004c19}' '''