large case
123456789101112131415161718192021222324 |
from Crypto.Util.number import *from secret import e,messagedef pad(s): if len(s)<3*L: s+=bytes(3*L-len(s)) return sL=128p=127846753573603084140032502367311687577517286192893830888210505400863747960458410091624928485398237221748639465569360357083610343901195273740653100259873512668015324620239720302434418836556626441491996755736644886234427063508445212117628827393696641594389475794455769831224080974098671804484986257952189021223q=145855456487495382044171198958191111759614682359121667762539436558951453420409098978730659224765186993202647878416602503196995715156477020462357271957894750950465766809623184979464111968346235929375202282811814079958258215558862385475337911665725569669510022344713444067774094112542265293776098223712339100693r=165967627827619421909025667485886197280531070386062799707570138462960892786375448755168117226002965841166040777799690060003514218907279202146293715568618421507166624010447447835500614000601643150187327886055136468260391127675012777934049855029499330117864969171026445847229725440665179150874362143944727374907n=p*q*rassert isPrime(GCD(e,p-1)) and isPrime(GCD(e,q-1)) and isPrime(GCD(e,r-1)) and e==GCD(e,p-1)*GCD(e,q-1)*GCD(e,r-1)assert len(message)>L and len(message)<2*Lassert b'SUSCTF' in messagem=bytes_to_long(pad(message))c=pow(m,e,n)print(c)'''2832775557487418816663494645849097066925967799754895979829784499040437385450603537732862576495758207240632734290947928291961063611897822688909447511260639429367768479378599532712621774918733304857247099714044615691877995534173849302353620399896455615474093581673774297730056975663792651743809514320379189748228186812362112753688073161375690508818356712739795492736743994105438575736577194329751372142329306630950863097761601196849158280502041616545429586870751042908365507050717385205371671658706357669408813112610215766159761927196639404951251535622349916877296956767883165696947955379829079278948514755758174884809479690995427980775293393456403529481055942899970158049070109142310832516606657100119207595631431023336544432679282722485978175459551109374822024850128128796213791820270973849303929674648894135672365776376696816104314090776423931007123128977218361110636927878232444348690591774581974226318856099862175526133892''' |
根据题目,e是p-1,q-1,r-1的一个因子之积
分解一下,考虑到最后一步肯定是开根然后CRT,e不可能太大,出题人也没那么好心,不会给你太小
所以ep应该是 757 或者 1709,eq 应该是66553,er应该是5156273
最后测出来 e = 757 * 66553 * 5156273
那么就先在 p , q , r 下分别进行一个 c 的“部分”解密,得出 m^ 757 % p, m^66553 % q,m^5156273 % r
考虑到这个 r 这部分实在是太大了,最后CRT的复杂度会很高。又注意到 原始 message的大小是介于 L 和 2L 之间的。最后是用 0 去填充到 3L 的。所以要想办法去掉这个填充。然后在 p 和 q 下去解 message 就可以了。去掉填充也很方便。因为是单纯的用 0 去填充的。所以相当于 m 乘以了一个 2^(8 * length),到 c 这里就是乘上了 2^(8 * length * e),所以最开始把 c 的这部分求逆求掉就好了。
然后就是在 p 下和 q 下 开根,再 CRT 结合。这一部分老生常谈,就不赘述了。
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384 |
import randomimport timefrom Crypto.Util.number import long_to_bytesfrom tqdm import tqdmdef AMM(o, r, q):# https://blog.soreatu.com/posts/intended-solution-to-crypto-problems-in-nctf-2019/ start = time.time() print('\n----------------------------------------------------------------------------------') print('Start to run Adleman-Manders-Miller Root Extraction Method') print('Try to find one {:#x}th root of {} modulo {}'.format(r, o, q)) g = GF(q) o = g(o) p = g(random.randint(1, q)) while p ^ ((q-1) // r) == 1: p = g(random.randint(1, q)) print('[+] Find p:{}'.format(p)) t = 0 s = q - 1 while s % r == 0: t += 1 s = s // r print('[+] Find s:{}, t:{}'.format(s, t)) k = 1 while (k * s + 1) % r != 0: k += 1 alp = (k * s + 1) // r print('[+] Find alp:{}'.format(alp)) a = p ^ (r**(t-1) * s) b = o ^ (r*alp - 1) c = p ^ s h = 1 for i in range(1, t): d = b ^ (r^(t-1-i)) if d == 1: j = 0 else: print('[+] Calculating DLP...') j = - discrete_log(d, a) print('[+] Finish DLP...') b = b * (c^r)^j h = h * c^j c = c^r result = o^alp * h end = time.time() print("Finished in {} seconds.".format(end - start)) print('Find one solution: {}'.format(result)) return result# https://jayxv.github.io/2019/12/04/%E5%AF%86%E7%A0%81%E5%AD%A6%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0%E4%B9%8B%E6%B5%85%E6%9E%90On%20r-th%20Root%20Extraction%20Algorithm%20in%20Fq/def onemod(p,r): t=p-2 while pow(t,(p-1)/r,p)==1: t-=1 return pow(t,(p-1)/r,p) def solution(p,root,e): g=onemod(p,e) may=set() for i in range(e): may.add(root*pow(g,i,p)%p) return mayc = 2832775557487418816663494645849097066925967799754895979829784499040437385450603537732862576495758207240632734290947928291961063611897822688909447511260639429367768479378599532712621774918733304857247099714044615691877995534173849302353620399896455615474093581673774297730056975663792651743809514320379189748228186812362112753688073161375690508818356712739795492736743994105438575736577194329751372142329306630950863097761601196849158280502041616545429586870751042908365507050717385205371671658706357669408813112610215766159761927196639404951251535622349916877296956767883165696947955379829079278948514755758174884809479690995427980775293393456403529481055942899970158049070109142310832516606657100119207595631431023336544432679282722485978175459551109374822024850128128796213791820270973849303929674648894135672365776376696816104314090776423931007123128977218361110636927878232444348690591774581974226318856099862175526133892p=127846753573603084140032502367311687577517286192893830888210505400863747960458410091624928485398237221748639465569360357083610343901195273740653100259873512668015324620239720302434418836556626441491996755736644886234427063508445212117628827393696641594389475794455769831224080974098671804484986257952189021223q=145855456487495382044171198958191111759614682359121667762539436558951453420409098978730659224765186993202647878416602503196995715156477020462357271957894750950465766809623184979464111968346235929375202282811814079958258215558862385475337911665725569669510022344713444067774094112542265293776098223712339100693r=165967627827619421909025667485886197280531070386062799707570138462960892786375448755168117226002965841166040777799690060003514218907279202146293715568618421507166624010447447835500614000601643150187327886055136468260391127675012777934049855029499330117864969171026445847229725440665179150874362143944727374907N = p * q * rep = 757eq = 66553er = 5156273c = (c * inverse_mod(int(pow(2,1024 * (ep*eq*er), N)), N ) % N)cp = pow(c,inverse_mod(eq*er,p-1),p)cq = pow(c,inverse_mod(ep*er,q-1),q)mp = AMM(cp, ep, p)mq = AMM(cq, eq, q)mps = solution(p,mp,ep)mqs = solution(q,mq,eq)for mpp in tqdm(mps): for mqq in mqs: solution = CRT_list([int(mpp), int(mqq)], [p, q]) if b"SUSCTF" in long_to_bytes(solution): print(long_to_bytes(solution)) |
InverseProlem
123456789101112131415 |
import numpy as np#from secret import flagdef gravity(n,d=0.25): A=np.zeros([n,n]) for i in range(n): for j in range(n): A[i,j]=d/n*(d**2+((i-j)/n)**2)**(-1.5) return An=len(flag)A=gravity(n)x=np.array(list(flag))b=A@xnp.savetxt('b.txt',b) |
代码很短啊,就是生成了一个矩阵,然后右乘了一下flag,给了输出。
原本以为给矩阵求逆一下就可以了,后来发现这个矩阵有点问题的,当 n 等于85 的时候,发现这个矩阵的行列式,,不能说是没有,也许是非常小叭。
反正此时 A^-1 * A ! = E,所以直接求逆是不可能的。这里用的也是浮点数,所以直接解方程也是会出现精度问题,导致结果向量 b 好像加了噪声似的。唉,噪声?LWE啊,用格子去约。由于太小了。我这里我给他们都放大了一定倍数。为了把 b 里面的小数点给去掉,数了下大概要 16 个0。
然后全部取整,搞成int,再在 A 里面求一个 b 的CVP,然后直接右除拿到结果。
123456789101112131415161718192021 |
import numpy as npdef gravity(n,d=0.25): A=np.zeros([n,n+1]) for i in range(n): for j in range(n): A[i,j]=int((d/n*(d**2+((i-j)/n)**2)**(-1.5))*10e16) A[i,j+1] = 0 return An=85A=gravity(n)with open ("b.txt") as f:data = f.read().split("\n")b = [int(eval(i)*10e16) for i in data]b.append(100)A = matrix(ZZ,A)Ab = A.stack(vector(b))AB = Ab.BKZ(block_size = 22)assert AB[0][-1] == 100cvp = vector(list(vector(b) - AB[0])[:-1])s = A \ cvpprint("".join(chr(i) for i in s[:-1] )) |
Ez_Pager_Tiper
magic_box.py
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253 |
class lfsr(): def __init__(self, seed, mask, length): self.length_mask = 2 ** length - 1 self.mask = mask & self.length_mask self.state = seed & self.length_mask def next(self): next_state = (self.state << 1) & self.length_mask i = self.state & self.mask & self.length_mask output = 0 while i != 0: output ^= (i & 1) i = i 1 next_state ^= output self.state = next_state return output def getrandbit(self, nbit): output = 0 for _ in range(nbit): output = (output << 1) ^ self.next() return outputclass generator(): def __init__(self, lfsr1, lfsr2, magic): self.lfsr1 = lfsr1 self.lfsr2 = lfsr2 self.magic = magic def infinit_power(self, magic): return int(magic) def malicious_magic(self, magic): now = (-magic & magic) magic ^= now return int(now), int(magic) def confusion(self, c1, c2): magic = self.magic output, cnt = magic, 0 output ^= c1 ^ c2 while magic: now, magic = self.malicious_magic(magic) cnt ^= now (now.bit_length() - 1) output ^= now output ^= cnt * c1 return int(output) def getrandbit(self, nbit): output1 = self.lfsr1.getrandbit(nbit) output2 = self.lfsr2.getrandbit(nbit) return self.confusion(output1, output2) |
problem
123456789101112131415161718192021222324252627282930313233343536 |
from magic_box import *from secret import mask1, mask2, seed1, seed2, seed3n1, n2 = 64, 12flag = 'SUSCTF{***}'def encrypt(cipher, ipath, opath): ifile=open(ipath,'rb') ofile=open(opath,'wb') plaintext=ifile.read() for ch in plaintext: c=ch^cipher.getrandbit(8) ofile.write(long_to_bytes(c)) ifile.close() ofile.close()def problem1(): r = getRandomInteger(6) magic = 1<<r lfsr1 = lfsr(seed1, mask1, n1) lfsr2 = lfsr(seed2, mask2, n2) cipher = generator(lfsr1, lfsr2, magic) encrypt(cipher, "MTk4NC0wNC0wMQ==_6d30.txt", "MTk4NC0wNC0wMQ==_6d30.enc")def problem2(): magic = getPrime(64) lfsr1=lfsr(seed1, mask1, n1) lfsr2=lfsr(seed3, mask2, n2) cipher = generator(lfsr1, lfsr2, magic) encrypt(cipher, "MTk4NC0xMi0yNQ==_76ff.txt", "MTk4NC0xMi0yNQ==_76ff.enc") # flag in it? print(f'hint={magic}') # hint = 15193544052573546419problem1()problem2() |
两个problem,三个lfsr伪随机数生成器,prob1用了lfsr1 和 lfsr2,magic是 1 << r,看到generator,对于两个lfsr的输出是放进了confusion,然后output = magic ^ c1 ^ c2,然后是while magic的循环, now, magic = self.malicious_magic(magic),经过测试,当 magic 等于 1 << r 的时候,也就是 2 的幂次的时候,
(-magic & magic) = magic,所以 now = magic, magic = 0,循环只会走一趟。接下来now取最高位,肯定是 1了,output异或一下now,相当于异或magic,那就只剩 c1 ^ c2 了。出来后 output ^= cnt * c1,cnt此时是1,所以output最后只剩 c2 了。所以 output = input ^ c2
1234 |
def malicious_magic(self, magic): now = (-magic & magic) magic ^= now return int(now), int(magic) |
那么,看到题目另一个data文件夹里,发现文件都是以Date: 开头的,然后lfsr2又只有12级,所以爆!也就是 4095^2
爆了之后就知道seed2和mask2了。
然后看到prob2,此时给出magic是一个素数,同样经过测试,会发现,所有的循环走完后,cnt是0,异或now的部分叠加起来,最后就是magic。所以最后的输出 output = input ^ c1 ^ c2
注意到,文件都是以Date: 开头,解密第一个prob也获得了线索,就是Date: 后面的日期就是文件名解base64,所以最后搞出来我们能获得16字节明文。有了16字节的明文、密文,然后这里我们是知道mask2的,我们只需要爆4095个seed3就能获得4095个c2,从而得到4095个16字节的c1。注意到lfsr1是64级的,那么我们只需要64 * 2 = 128 bit = 16 字节的输出就能恢复lfsr的所有参数了。所以我们用4095个c2去恢复参数,然后生成相应的密钥流,尝试解密,观察结果。
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 |
from Crypto.Util.number import *from magic_box import *import osfrom tqdm import tqdmimport stringn1=64n2=16magic = 15193544052573546419with open("MTk4NC0wNC0wMQ==_6d30.enc","rb") as f:data1 = f.read()# data = data1[:4]# for i in tqdm(range(4095)):# for j in range(4095):# lfsr2 = lfsr(i, j, n2)# s = ""# for ch in data:# tmp = lfsr2.getrandbit(8)# c = chr(tmp ^ ord(ch))# if c not in "Date":# break# s+=c# else:# if c == "Date":# print(i,j,s)# # 73%|███████▎ | 2988/4095 [02:21<00:53, 20.67it/s](2989, 2053, 'Date')sage:from tqdm import tqdmfrom Crypto.Util.number import *class lfsr(): def __init__(self, seed, mask, length): self.length_mask = 2 ** length - 1 self.mask = mask & self.length_mask self.state = seed & self.length_mask def next(self): next_state = (self.state << 1) & self.length_mask i = self.state & self.mask & self.length_mask output = 0 while i != 0: output ^^= (i & 1) i = i >> 1 next_state ^^= output self.state = next_state return output def getrandbit(self, nbit): output = 0 for _ in range(nbit): output = (output << 1) ^^ self.next() return outputn1=64n2=16with open("MTk4NC0xMi0yNQ==_76ff.enc","rb") as f:outputs = f.read()# output = input ^ c1 ^ c2#已知两轮输出,恢复maskdata = b"Date: 1984-12-25"output = bytes_to_long(outputs[:16])inputs = bytes_to_long(data)for seed3 in tqdm(range(4095)):lfsr2 = lfsr(seed3, 2053, n2)tmp = lfsr2.getrandbit(128)tmpc1 = list(bin(output ^^ inputs ^^ tmp)[2:].zfill(128))#已知两轮输出,恢复maskmat = [tmpc1[i:i+64] for i in range(64)]A = matrix(GF(2),mat)if not A.det():continueB = vector(GF(2),tmpc1[64:128])mask_int = list(A.solve_right(B))mask = ''.join(str(i) for i in mask_int)#mask = [int(n.str()) for n in A.solve_right(B).transpose().entries()]# 已知后一轮输出和mask,往前恢复一轮A = []for i in range(64): B = [] for j in range(64): if j == 63: B.append(mask[i]) elif j == i-1: B.append(1) else: B.append(0) A.append(B)M = matrix(GF(2),A)M = M^64if not M.det():continuekey = ""for i in M.solve_left(vector(GF(2),tmpc1[:64])): key += str(i)key = int(key,2)lfsr1 = lfsr(key, int(mask,2), n1)lfsr2 = lfsr(seed3, 2053, n2)FLAG = ""# 少看几个,对了就停for i in range(32):tmp = lfsr1.getrandbit(8) ^^ lfsr2.getrandbit(8) ^^ (outputs[i])FLAG += chr(tmp)if FLAG[16] != "\r": #日期结束后是跟一个 \r\ncontinueelse:print(FLAG,seed3,key,int(mask,2))# ix'ÒMìýã&ÉúÈ 447 8149177008550264303 13814079135560313241984-12-25# èû£¼ñr,¤YÞìþ° 771 18096245683970471305 115606832613435467084-12-25# Së05ÔáuëÍC 1674 13294312146216746169 115187255862075445261984-12-25# 75%|███████▍ | 3053/4095 [00:49<00:16, 63.38it/s]Date: 1984-12-25# Though the hun 3054 5071452738113266023 9223372036854775811# 91%|█████████ | 3713/4095 [01:00<00:06, 60.53it/s]seed3 = 3054key = 5071452738113266023mask1 = 9223372036854775811# 然后那这几个数解完所有密文就行 |
SpecialCurve3
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 |
from Crypto.Util.number import *from secret import flag,getMyPrimeimport hashlibimport randomclass SpecialCurve: def __init__(self,p,a,b): self.p=p self.a=a self.b=b def __str__(self): return f'SpecialCurve({self.p},{self.a},{self.b})' def add(self,P1,P2): x1,y1=P1 x2,y2=P2 if x1==0: return P2 elif x2==0: return P1 elif x1==x2 and (y1+y2)%self.p==0: return (0,0) if P1==P2: t=(2*self.a*x1-self.b)*inverse(2*y1,self.p)%self.p else: t=(y2-y1)*inverse(x2-x1,self.p)%self.p x3=self.b*inverse(self.a-t**2,self.p)%self.p y3=x3*t%self.p return (x3,y3) def mul(self,P,k): assert k>=0 Q=(0,0) while k>0: if k%2: k-=1 Q=self.add(P,Q) else: k//=2 P=self.add(P,P) return Qdef problem(size,k): p=getMyPrime(size) x=random.randint(1,p-1) y=random.randint(1,p-1) e=random.randint(1,p-1) a=k*random.randint(1,p-1)**2%p b=(a*x**2-y**2)*inverse(x,p)%p curve=SpecialCurve(p,a,b) G=(x,y) Q=curve.mul(G,e) print(f'curve={curve}') print(f'G={G}') print(f'Q={Q}') return ee1=problem(128,1)e2=problem(256,0)e3=problem(512,-1)enc=bytes_to_long(hashlib.sha512(b'%d-%d-%d'%(e1,e2,e3)).digest())^bytes_to_long(flag.encode())print(f'enc={enc}') |
三个problem,有几个华点,生成prime的方式没给,估计有蹊跷。果不其然,经过全都是p+1 smooth的。所以三条线中阶要是等于p+1,就能直接爆了。
第二个华点,problem1用的p很小,显然是要把曲线上的点映射到整数域上去开log。
第三个华点,problem2的 a = 0,一般来说是条奇异曲线,可能会有些比较简单的映射规则。(那么第一个华点应该是给problem3用的了)
先看第一个,不难看出是条圆锥曲线:y^2 = a x ^ 2 + b x
此时 a 是一个二次剩余,我们记为 y^2 = a^2 x ^ 2 + b x 好了。
用共点推的,然后直接测这个映射
f: (x,y) -> (k+a)/ (k-a)
e · (x,y) -> ((k+a)/ (k-a) )^e 其中k = y / x
发现不是共点的时候也满足,那么第一个problem解决。
第二个problem,a = 0,从上面看就知道 k2 = k1 / 2,所以y2 = y1 * x2 / (2 * x1),把 x 都用 y 表示一下,消一下,就得到了 2 * y1 = y2,再简单测一下就能发现是一个简单的倍数关系,那除一下就好了。
第三个problem,此时给 a 取负了,那么这一部分就不是二次剩余了,有限整数域下我们是求不出上面的 a 的(就是开根),所以估计要用到第一个华点,测一下这条线的阶,乘一下p +1 发现回到 0 了,那么显然了,这里就去子群里爆破求解,最后crt组合得解。
去子群里爆破的步骤,就是把G 和 Q 都降阶(就是两边乘以 (p + 1) // order),此时G 和 Q 的阶都是 order 了,然后就在这个order里去爆,当 i * G == Q 时,此时 i = e % order,
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114 |
from Crypto.Util.number import *from Crypto.Util.number import getPrime as getMyPrimeimport hashlibimport randomflag = "a"*40class SpecialCurve: def __init__(self,p,a,b): self.p=p self.a=a self.b=b def __str__(self): return f'SpecialCurve({self.p},{self.a},{self.b})' def add(self,P1,P2): x1,y1=P1 x2,y2=P2 if x1==0: return P2 elif x2==0: return P1 elif x1==x2 and (y1+y2)%self.p==0: return (0,0) if P1==P2: t=(2*self.a*x1-self.b)*inverse(2*y1,self.p)%self.p else: t=(y2-y1)*inverse(x2-x1,self.p)%self.p x3=self.b*inverse(self.a-t**2,self.p)%self.p y3=x3*t%self.p return (x3,y3) def mul(self,P,k): assert k>=0 Q=(0,0) while k>0: if k%2: k-=1 Q=self.add(P,Q) else: k//=2 P=self.add(P,P) return Qdef problem(size,k): p=getMyPrime(size) x=random.randint(1,p-1) y=random.randint(1,p-1) e=random.randint(1,p-1) a=k*random.randint(1,p-1)**2%p b=(a*x**2-y**2)*inverse(x,p)%p curve=SpecialCurve(p,a,b) G=(x,y) Q=curve.mul(G,e) print(f'curve={curve}') print(f'G={G}') print(f'Q={Q}') return esage:# problem1K = GF(p)a = int(K(a).nth_root(2))kG = K(G[1])) / K(G[0]))kQ = K(Q[1]) / K(Q[0])fG = K((kG+a)) / K((kG-a))fQ = K((kQ+a)) / K((kQ-a))e1 = log(fQ,fG)# problem2e2 = K(Q[1]) / K(G[1])# problem3p=52373730653143623993722188411805072409768054271090317191163373082830382186155222057388907031638565243831629283127812681929449631957644692314271061305360051# a=[(4, 1), (2663, 1), (5039, 1), (14759, 1), (18803, 1), (21803, 1), (22271, 1), (22307, 1), (23879, 1), (26699, 1), (35923, 1), (42727, 1), (48989, 1), (52697, 1), (57773, 1), (58129, 1), (60527, 1), (66877, 1), (69739, 1), (74363, 1), (75869, 1), (79579, 1), (80489, 1), (81043, 1), (81049, 1), (82531, 1), (84509, 1), (85009, 1), (91571, 1), (96739, 1), (98711, 1), (102481, 1), (103357, 1), (103981, 1)]# FLAG=[]# MOD=[]# for each in a:# order_left = (p+1)//each[0]# QQ = curve.mul(Q,order_left)# GG = curve.mul(G,order_left) # for i in range(each[0]):# if curve.mul(GG,i) == QQ:# FLAG.append(i)# MOD.append(each[0])# break# print(FLAG,MOD)e3 = crt(FLAG,MOD)curve=SpecialCurve(233083587295210134948821000868826832947,73126617271517175643081276880688551524,88798574825442191055315385745016140538)G=(183831340067417420551177442269962013567, 99817328357051895244693615825466756115)Q=(166671516040968894138381957537903638362, 111895361471674668502480740000666908829)e1=184572164865068633286768057743716588370print(curve.mul(G,e1)==Q)curve=SpecialCurve(191068609532021291665270648892101370598912795286064024735411416824693692132923,0,58972296113624136043935650439499285317465012097982529049067402580914449774185)G=(91006613905368145804676933482275735904909223655198185414549961004950981863863, 96989919722797171541882834089135074413922451043302800296198062675754293402989)Q=(13504049588679281286169164714588439287464466303764421302084687307396426249546, 110661224324697604640962229701359894201176516005657224773855350780007949687952)e2=131789829046710687154053378348742202935151384644040019239219239301007568911745print(curve.mul(G,e2)==Q)curve=SpecialCurve(52373730653143623993722188411805072409768054271090317191163373082830382186155222057388907031638565243831629283127812681929449631957644692314271061305360051,28655236915186704327844312279364325861102737672471191366040478446302230316126579253163690638394777612892597409996413924040027276002261574013341150279408716,42416029226399083779760024372262489355327595236815424404537477696856946194575702884812426801334149232783155054432357826688204061261064100317825443760789993)G=(15928930551986151950313548861530582114536854007449249930339281771205424453985946290830967245733880747219865184207937142979512907006835750179101295088805979, 29726385672383966862722624018664799344530038744596171136235079529609085682764414035677068447708040589338778102975312549905710028842378574272316925268724240)Q=(38121552296651560305666865284721153617113944344833289618523344614838728589487183141203437711082603199613749216407692351802119887009907921660398772094998382, 26933444836972639216676645467487306576059428042654421228626400416790420281717654664520663525738892984862698457685902674487454159311739553538883303065780163)e3=23331486889781766099145299968747599730779731613118514070077298627895623872695507249173953050022392729611030101946661150932813447054695843306184318795467216print(curve.mul(G,e3)==Q)enc=bytes_to_long(hashlib.sha512(b'%d-%d-%d'%(e1,e2,e3)).digest())^4161358072766336252252471282975567407131586510079023869994510082082055094259455767245295677764252219353961906640516887754903722158044643700643524839069337print(long_to_bytes(enc)) |
转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可联系QQ 643713081,也可以邮件至 [email protected] - source:Van1sh的小屋
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论