第五空间


有点可惜

ecc

introduction

print 'Try to solve the 3 ECC'

from secret import flag
from Crypto.Util.number import *
assert(flag[:5]=='flag{')
flag = flag[5:-1]
num1 = bytes_to_long(flag[:7])
num2 = bytes_to_long(flag[7:14])
num3 = bytes_to_long(flag[14:])

def ECC1(num):
    p = 146808027458411567
    A = 46056180
    B = 2316783294673
    E = EllipticCurve(GF(p),[A,B])
    P = E.random_point() 
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q

def ECC2(num):
    p = 1256438680873352167711863680253958927079458741172412327087203
    #import random
    #A = random.randrange(389718923781273978681723687163812)
    #B = random.randrange(816378675675716537126387613131232121431231)
    A = 377999945830334462584412960368612
    B = 604811648267717218711247799143415167229480
    E = EllipticCurve(GF(p),[A,B])
    P = E.random_point() 
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q
    factors, exponents = zip(*factor(E.order()))
    primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]
    print primes
    dlogs = []
    for fac in primes:
        t = int(int(P.order()) / int(fac))
        dlog = discrete_log(t*Q,t*P,operation="+")
        dlogs += [dlog]
        print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order
    print num
    print crt(dlogs,primes)



def ECC3(num):
    p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
    A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
    B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
    E = EllipticCurve(GF(p),[A,B])
    P = E.random_point() 
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q

ECC1(num1)
print '=============='
ECC2(num2)
print '=============='
ECC3(num3)

exploit

由于值很小, 考虑bsgs直接求

#!/usr/bin/python

from Crypto.Util.number import long_to_bytes
from sage.groups.generic import bsgs

p = 146808027458411567
A = 46056180
B = 2316783294673
E = EllipticCurve(GF(p),[A,B])
P = E.random_point() 
G = E.gen(0)

P =  E(119851377153561800 , 50725039619018388  )
Q =  E(22306318711744209  , 111808951703508717 )

key = discrete_log(Q, P,  operation='+')
print(long_to_bytes(key))
# b'025ab3d'

题中给出了提示, 但我写错参数了, 做了一下午, 麻了

#!/usr/bin/python
from Crypto.Util.number import long_to_bytes

p = 1256438680873352167711863680253958927079458741172412327087203
A = 377999945830334462584412960368612
B = 604811648267717218711247799143415167229480
print(E)
E = EllipticCurve(GF(p),[A,B])

factors, exponents = zip(*factor(E.order()))
primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]
dlogs = []

P = E(550637390822762334900354060650869238926454800955557622817950 , 700751312208881169841494663466728684704743091638451132521079 )
Q = E(1152079922659509908913443110457333432642379532625238229329830 , 819973744403969324837069647827669815566569448190043645544592 )

print("done")
for fac in primes:
    print(fac)
    t = int(int(P.order()) // int(fac))
    dlog = discrete_log(t*Q,t*P,operation="+")
    dlogs += [dlog]
    print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) 

print(long_to_bytes(crt(dlogs,primes)))
# b'9-2521-'

TJCTFcurvature

参考链接

#!/usr/bin/python
import gmpy2
from Crypto.Util.number import long_to_bytes
from sage.all import *

p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
E = EllipticCurve(GF(p), [ A, B ])

g = E(10121571443191913072732572831490534620810835306892634555532657696255506898960536955568544782337611042739846570602400973952350443413585203452769205144937861 , 8425218582467077730409837945083571362745388328043930511865174847436798990397124804357982565055918658197831123970115905304092351218676660067914209199149610 )
v = E(964864009142237137341389653756165935542611153576641370639729304570649749004810980672415306977194223081235401355646820597987366171212332294914445469010927 , 5162185780511783278449342529269970453734248460302908455520831950343371147566682530583160574217543701164101226640565768860451999819324219344705421407572537 )

def hensel_lift(curve, p, point):
    A, B = map(int, (E.a4(), E.a6()))
    x, y = map(int, point.xy())

    fr = y**2 - (x**3 + A*x + B)
    t = (- fr / p) % p 
    t *= inverse_mod(2 * y, p)  # (y**2)' = 2 * y
    t %= p
    new_y = y + p * t
    return x, new_y

# lift points
x1, y1 = g.xy()
x2, y2 = v.xy()
if 0:
    # Hensel lift can preserve the curve
    x1, y1 = hensel_lift(E, p, g)
    x2, y2 = hensel_lift(E, p, v)
else:
    # we can calso lift by adding random multiple of p
    # just need to compute new curve
    x1 = int(x1)
    x2 = int(x2)
    y1 = int(y1)+p
    y2 = int(y2)+p

# calculate new A, B (actually, they will be the same here)
mod = p ** 2

A2 = y2**2 - y1**2 - (x2**3 - x1**3)
A2 = A2 * inverse_mod(x2 - x1, mod)
A2 %= mod

B2 = y1**2 - x1**3 - A2 * x1
B2 %= mod

# new curve
E2 = EllipticCurve(IntegerModRing(p**2), [A2, B2])

# calculate dlog
g2s = (p - 1) * E2(x1, y1)
v2s = (p - 1) * E2(x2, y2)

x1s, y1s = map(int, g2s.xy())
x2s, y2s = map(int, v2s.xy())

assert (x1s - x1) % p == 0
assert (x2s - x2) % p == 0
dx1 = (x1s - x1) / p
dx2 = (x2s - x2) / p
dy1 = (y1s - y1)
dy2 = (y2s - y2)

print(dx1, dx2, dy1, dy2)

dx1, dx2, dy1, dy2 = 10966591219958497513035194764803092601566544529994487058067262538957952386159422275417804158956865522213498320047430073336445285907559849098683706307656026,6244563408872408450641511675388002988157684282445174228411869548575392781850652542140536138320217688051452189024804182426807891618921603303796192070003437,30772334076778266355433249099870960868494272262435117258196281238082018361648811748538673451908846285277361662645852926824425155141156814541588534562885178172139748436815329528484493935429636052250302384865474796939651413613433478212742922208940063761343371178151671100600483206324948226142664122409650408410,31814607131704219179984029260677075438864077919394724796034364794094280791538610265476022141684359269921091195379883479653353003492328944414062688232121859939494104968535691968194234054670136102995631214584114887306975745141126594956595397331477235755854979936505664145105224287059281351218256104779758171213


p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
t1 = gmpy2.invert(dx1, p)
t2 = gmpy2.invert(dy2,p)

m = dy1 * t1 * dx2 * t2
m %= p

print(long_to_bytes(m))
# b'4a81-9957-8c3381622434'

doublesage

测试的时候直接把flag给试出来了

后面听说是直接LLL就可以了

1.png
2.png
3.png
4.png
5.png

babymi

队友做的,二血爷爷太猛了, 复现了下

首先提取数据

#!/usr/bin/python

from Gallimaufry.USB import USB
pcap = USB("usb.pcap")
cap_datas = [packet['_source']['layers']['usb.capdata'] for packet in pcap.pcap_filter(bus_id=1, device_address=7, endpoint_number=1) if 'usb.capdata' in packet['_source']['layers']]
f=open("out","w") 
f.write("".join(cap_datas))

去掉”:”

#!/usr/bin/python
import binascii

with open('out','r') as f:
    data = f.read().replace(':','')
    with open('out2','w') as ff:
        ff.write(data)
        ff.close()
        f.close()

然后写成新文件

#!/usr/bin/python
import binascii

with open('out2','r') as f:
    data = f.read()
    data = binascii.unhexlify(data)
    with open('file2','wb') as ff:
        ff.write(data)
        ff.close()
        f.close()

发现磁盘文件头, 用磁盘精灵恢复即可(binwalk分离不出来)
6.png
7.png


  TOC