2021网络安全领军人才攻防大赛 ｜ Crypto及Reverse方向WP合集

# These three are constantsp = 12039102490128509125925019010000012423515617235219127649182470182570195018265927223g = 10729072579307052184848302322451332192456229619044181105063011741516558110216720725
# random generationm1 = "test1"m2 = "test2"
# Initializationr1, s1 = sign(m1)# r1 will be provided to player
def int2str(data, mode="big"):    if mode == "little":        return sum([ord(data[_]) * 2 ** (8 * _) for _ in range(len(data))])    elif mode == "big":        return sum([ord(data[::-1][_]) * 2 ** (8 * _) for _ in range(len(data))])
def get_parameter(m):    x = int2str(m, 'little')    y = powmod(g, x, p)    a = bytes_to_long(hashlib.sha256(long_to_bytes(y).rjust(128, "")).digest())    b = powmod(a, a, p - 1)    h = powmod(g, b, p)
    return y, h, b
def sign(m):    y, h, b = get_parameter(m)    r = getStrongPrime(512)    s = (y * powmod(h, r, p)) % p 
    return str(r),str(s)
def verify(m, r, s):    y, h, b = get_parameter(m)    if s == ((y * powmod(h, r, p)) % p):        return True    else:        return False
# Give me the (r2,s2)if r2 != r1 and s2 == s1 and verify(m2, r2, s2):    print("Congratulation!Here is your flag: %s" % flag)

from pwn import *from Crypto.Util.number import *sh=remote("139.129.98.9","30002")from pwnlib.util.iters import mbruteforcefrom hashlib import sha256import hashlibfrom math import gcdcontext.log_level = 'debug'
a=0b=7q=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2Fgx=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798gy=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8order=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
ecc = EllipticCurve(GF(q), [a,b])G = ecc(gx,gy)
import hashlib
def sha1(content):    return hashlib.sha1(content).digest()

def proof_of_work(sh):    sh.recvuntil("XXXX+")    suffix = sh.recvuntil(')').decode("utf8")[:-1]    log.success(suffix)    sh.recvuntil("== ")    cipher = sh.recvline().strip().decode("utf8")    proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() ==  cipher, string.ascii_letters + string.digits, length=4, method='fixed')    sh.sendlineafter("Give me XXXX:", proof)
proof_of_work(sh)
sh.recvuntil("Here is the frist message(64 bytes):")msg1 = sh.recvuntil("n")[:-1]
sh.recvuntil("Here is the second message(64 bytes):")msg2 = sh.recvuntil("n")[:-1]message = hex(bytes_to_long(msg1))[2:]e1=bytes_to_long(sha1(msg1))e2=bytes_to_long(sha1(msg2))
#######################################################解题核心#pubkey = sh.recvuntil("n")[:-2].decode()#r=[d * G].xd=12321r=int((d*G)[0])new_k = ((-e1-e2)*inverse(2*r,order))%ordernew_Q = new_k * Gnew_S = ((e1 + new_k*r)*inverse(d,order))%ordernewpubkey = hex(new_Q[0]).replace("0x","").rjust(64,"0")+hex(new_Q[1]).replace("0x","").rjust(64,"0")newsignature = hex(r).replace("0x","").rjust(64,"0")+hex(new_S).replace("0x","").rjust(64,"0")
######################################################
sh.recvuntil("Please choice your options:")sh.sendline("3")sh.recvuntil("Please give me your public_key(hex):")sh.sendline(newpubkey)
sh.recvuntil("Please choice your options:")sh.sendline("6")sh.recvuntil("Please give me the signature(hex) of the frist message:n")sh.sendline(newsignature)sh.recvuntil("Please give me the signature(hex) of the second message:n")sh.sendline(newsignature)
sh.interactive()

from z3 import *
s = "FLAG{H1j@cK_FPE......$e3ms_Re@lly_Easy_FOr_y0u!}x0a"sol = Solver()x = [BitVec("x%s" % i, 8) for i in range(49)]for i in range(48):    sol.add(x[i] <= x[i+1])for i in range(49):    sol.add(0x30 <= x[i])    sol.add(x[i] <= ord("}"))v3 = 0for i in range(49):    d1 = x[i] ^ ord(s[48-i])    v3 ^= d1sol.add(v3 == 0)
if (sol.check() == sat):    model = sol.model()    print(model)    flag = ""    for i in range(49):        if (model[x[i]] != None):            flag += chr(model[x[i]].as_long().real)        else:            flag += " "    print("FLAG{" + flag + "}")