第äžéšåïŒåå§è°é¢ è¿äžéšåç®æ¯åŒèèïŒåœ¢åŒä¹æŽåå¹³æ¶è§å°çCTFé¢ç®ïŒäžäžªé¢ç®éœæ¯pythonå å¯çïŒååºå
¶äžä»»æäžäžªå°±å¯ä»¥è¿å
¥ç¬¬äºéšåïŒä¹å°±æ¯äžäžªæŽç±»äŒŒç宿
å¢ç倧åå¯ç æžéç³»ç»ã
äœæ¯äžªåå§è°é¢éœæ¯æåæ°çïŒæä»¥å°±ç®åŒäºç¬¬äºéšåä¹åœç¶èŠæ¥çåã
æ¯äžªé¢ç®ä¹éœæåäžè¡çå æïŒäžè¡5%ïŒäºè¡3%ïŒäžè¡1%ïŒåšæåæåçæ¶åäŒå
æ ¹æ®åæ°åæ ¹æ®è§£é¢æ¶éŽïŒæä»¥è¡éåå
¶å®åŸéèŠïŒäœæ¯æéå®åšäžå€ªå€
ç¶åå°±æ¯ä»æ¯äžªåå§è°é¢äžåçéä»¶äžä»
å
å«å å¯çšç.pyæä»¶ïŒè¿æäžäžª.exeæä»¶ïŒåŒå¯å®äŸå¹¶èŸå
¥ipå端å£ïŒä¹åé¢ç®å°±äŒäžåå 坿°æ®ïŒäžä»è¿è¡æ£ç¡®äº€äºåå°±èœæ¿å°flagäºã
åå§è°é¢äž(300 pts) é¢ç®ïŒ
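# Challenge 1 ("CryptoCup") cipher: every 16-byte plaintext block is multiplied
# by an incrementing key modulo a 256-bit modulus.  Written against the standard
# library only (pow(k, -1, m), Python 3.8+, replaces sympy's mod_inverse), so
# the listing runs without sympy.

# Modulus (hex).
N_HEX = "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123"
MODULUS = int(N_HEX, 16)
MSG_PREFIX = "CryptoCup message:"

BLOCK_SIZE = 16          # plaintext block size in bytes
CIPHER_BLOCK_SIZE = 32   # each ciphertext block stores a full 256-bit residue


def encrypt_message(message, key):
    """Encrypt *message* (str) under the integer *key*.

    The message is prefixed with MSG_PREFIX, UTF-8 encoded, zero-padded to a
    multiple of 16 bytes and split into 16-byte blocks.  Block i is read as a
    big-endian integer m_i and enciphered as c_i = m_i * (key + i) mod MODULUS,
    then written as 32 big-endian bytes.  Returns the concatenated blocks.

    Note: MSG_PREFIX is longer than one block, so the first ciphertext block is
    always the encryption of a fixed, public plaintext; whoever knows that block
    can solve c_0 = m_0 * key for the key.  This is the weakness the challenge
    is built around, not something a caller can switch off.
    """
    message_bytes = (MSG_PREFIX + message).encode('utf-8')
    num_blocks = (len(message_bytes) + BLOCK_SIZE - 1) // BLOCK_SIZE
    blocks = [message_bytes[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] for i in range(num_blocks)]
    # Zero-pad the last block (the non-empty prefix guarantees there is one).
    blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b'\x00')

    encrypted_blocks = []
    k = int(key)  # accepts plain ints and int-like objects (e.g. sympy Integer)
    for block in blocks:
        block_int = int.from_bytes(block, byteorder='big')
        encrypted_blocks.append((block_int * k) % MODULUS)
        k += 1  # the key is incremented once per block
    return b''.join(
        c.to_bytes(CIPHER_BLOCK_SIZE, byteorder='big') for c in encrypted_blocks
    )


def decrypt_message(encrypted_message, key):
    """Invert encrypt_message and return the recovered message (str).

    Raises ValueError if the ciphertext length is not a multiple of 32 bytes
    (the original silently dropped trailing bytes), if a block does not decrypt
    to a 16-byte value (what a wrong key produces; previously an OverflowError
    from to_bytes), or - from pow() itself - if some key + i shares a factor
    with MODULUS.  The prefix and trailing zero padding are removed.
    """
    if len(encrypted_message) % CIPHER_BLOCK_SIZE:
        raise ValueError("ciphertext length must be a multiple of 32 bytes")
    num_blocks = len(encrypted_message) // CIPHER_BLOCK_SIZE
    blocks = [
        encrypted_message[i * CIPHER_BLOCK_SIZE:(i + 1) * CIPHER_BLOCK_SIZE]
        for i in range(num_blocks)
    ]

    decrypted = bytearray()
    k = int(key)
    for block in blocks:
        block_int = int.from_bytes(block, byteorder='big')
        key_inv = pow(k, -1, MODULUS)
        plain_int = (block_int * key_inv) % MODULUS
        if plain_int >> (8 * BLOCK_SIZE):
            raise ValueError("block does not decrypt to 16 bytes (wrong key?)")
        decrypted += plain_int.to_bytes(BLOCK_SIZE, byteorder='big')
        k += 1  # mirror the per-block increment used when encrypting

    prefix = MSG_PREFIX.encode('utf-8')
    if decrypted.startswith(prefix):
        del decrypted[:len(prefix)]
    return bytes(decrypted).rstrip(b'\x00').decode('utf-8')


# Demo: round-trip one message under a fixed key.
initial_key = 0x123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0
message = "Hello, this is a test message."
print("Original Message:", message)
encrypted_message = encrypt_message(message, initial_key)
print("Encrypted Message (hex):", encrypted_message.hex())
decrypted_message = decrypt_message(encrypted_message, initial_key)
print("Decrypted Message:", decrypted_message)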
é¢ç®å 坿µçšå€§æŠåŠäžïŒ
æäžäžªæªç¥çinitial_keyïŒäžäžäžªæªç¥çmessage 对äºè¿äžªmessageïŒé¢ç®äŒåšä»åé¢å¡«äžäžäžªåºå®çåçŒâCryptoCup message:âïŒå¹¶åšæåè¡¥å
äžâ\x00âäœ¿åŸæŽäžªæ¶æ¯é¿äžº16çåæ° å°å¡«å
äºååçŒçæ¶æ¯æ16åè䞺äžç»åç» ä»ç¬¬äžäžªåç»åŒå§ïŒå°è¯¥åç»æ¶æ¯èœ¬åäžºæŽæ°ïŒè®°äžºmiïŒå¹¶è®¡ç®ïŒ å
¶äžkiæ¯keyåšå¯¹åºåç»çåŒ(keyæ¯äžªåç»ä¹åäŒèªå¢äž)
å°ææci蜬æ32åèïŒå¹¶è¿æ¥åšäžèµ·åŸå°å¯æ é¶æºåªäŒåéencrypted_messageïŒèŠåéç»ä»messageæ¥æ¿å°flagãè¿äžªå¯ä»¥è¯Žæ¯çžåœèœ»æŸäºïŒç±äºæäžäžªå·²ç¥çåçŒïŒå¹¶äžä»è¶
è¿äº16åèïŒå æ€å°±æç¬¬äžäžªåç»å¯¹åºçææåå¯æïŒæä»¥å°±å¯ä»¥çŽæ¥æ±åºkeyæ¥ã
expïŒ
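# Solution for challenge 1: the first plaintext block is the fixed, public
# prefix "CryptoCup messag", so c_0 = m_0 * key mod N gives key = c_0 * m_0^-1
# and every later block decrypts with key + i.  Standard library only
# (pow(x, -1, N), Python 3.8+, replaces Crypto.Util.number.inverse).

N_HEX = "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123"
MODULUS = int(N_HEX, 16)
MSG_PREFIX = b"CryptoCup message:"

CIPHER_BLOCK = 32  # bytes per ciphertext block
PLAIN_BLOCK = 16   # bytes per plaintext block


def recover_key(first_cipher_block):
    """Return the block-0 key, solved from the known 16-byte prefix block."""
    c0 = int.from_bytes(first_cipher_block, 'big')
    m0 = int.from_bytes(MSG_PREFIX[:PLAIN_BLOCK], 'big')
    return c0 * pow(m0, -1, MODULUS) % MODULUS


def recover_message(ciphertext):
    """Decrypt *ciphertext* (concatenated 32-byte blocks) without the key.

    Every plaintext block is written back as exactly 16 big-endian bytes.  The
    original used long_to_bytes(), which drops leading zero bytes and would
    shift all following blocks whenever a block happens to start with 0x00.
    Raises ValueError on an empty ciphertext or a length that is not a multiple
    of 32; a block that does not fit in 16 bytes (corrupt input) raises
    OverflowError from to_bytes.
    """
    if not ciphertext or len(ciphertext) % CIPHER_BLOCK:
        raise ValueError("ciphertext must be a non-empty multiple of 32 bytes")
    blocks = [ciphertext[i:i + CIPHER_BLOCK] for i in range(0, len(ciphertext), CIPHER_BLOCK)]
    key = recover_key(blocks[0])
    plaintext = bytearray()
    for i, block in enumerate(blocks):
        c = int.from_bytes(block, 'big')
        m = c * pow(key + i, -1, MODULUS) % MODULUS
        plaintext += m.to_bytes(PLAIN_BLOCK, 'big')
    return bytes(plaintext)


# Ciphertext received from the challenge service (4 blocks of 32 bytes).
c = bytes.fromhex(
    "a7ea042608ffce5be79a19ee45533506819e85f8d9250fccef5a89731151fd7a"
    "76d83aa85c47ba1357a86d0e9763470fb608cd54d0927125f500353e156a01da"
    "759fa814e96fa41a888eea3a9cf9b062923ed70774add490c7ed7f83d6b47e71"
    "1e7b3c8a960dcc2838e577459bb6f2769d0917e1fd57db0829633b77652c2180"
)
print(recover_message(c))
#CryptoCup message:dHyNBCgxEq4prNBbxjDOiOgmvviuAgfx\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\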
åémessageåå»ä¹åå°±äŒæ¿å°flagïŒä»¥åäžäžªç»åœGiteaçåžå·å¯ç ïŒ
éªè¯éè¿ flag{OYLXbASQsEc5SVkhBj7kTiSBc4AM5ZkR} gitea莊å·ïŒgiteauser2024 giteaå£ä»€ïŒS(*HD^WY63y89TY71 æç€ºïŒgitea莊å·åå£ä»€çšäºç»åœç¬¬äºç¯èçgiteaæå¡åšïŒè¯·æ³šæä¿åïŒ
åé¢äž€äžªåå§è°é¢ä¹éœæ¯ç»äžäžªæ¿åçflagïŒä»¥åäžäžªèŽŠå·å¯ç äœäžºåŒç¬¬äºéšåçé¥åïŒæä»¥åé¢äž€äžªåå§è°é¢å°±äžåè¿äžªäº
åå§è°é¢äº(300 pts) é¢ç®ïŒ
import binasciifrom gmssl import sm3# 读åHMAC keyæä»¶ def read_hmac_key (file_path ): with open (file_path, 'rb' ) as f: hmac_key = f.read().strip() return hmac_key # çætoken def generate_token (hmac_key, counter ): # åŠæHMAC_KEYé¿åºŠäžè¶³32åèïŒååšæ«å°Ÿè¡¥0ïŒè¶
è¿64åèåæªæ if len (hmac_key) < 32 : hmac_key = hmac_key.ljust(32 , b'\x00' ) elif len (hmac_key) > 32 : hmac_key = hmac_key[:32 ] # å°è®¡æ°åšèœ¬æ¢äžºåè衚瀺 counter_bytes = counter.to_bytes((counter.bit_length() + 7 ) // 8 , 'big' ) # print("counter_bytes:", binascii.hexlify(counter_bytes)) tobe_hashed = bytearray (hmac_key + counter_bytes) # print("tobe_hashed:", binascii.hexlify(tobe_hashed)) # 䜿çšSM3ç®æ³è®¡ç®ååžåŒ sm3_hash = sm3.sm3_hash(tobe_hashed) # å°SM3çååžåŒèœ¬æ¢äžºåå
è¿å¶å笊䞲äœäžºtoken token = sm3_hash return token current_counter = 0 def verify_token (hmac_key, counter, token ): # çætoken generated_token = generate_token(hmac_key, counter) global current_counter # æ¯èŸçæçtokenåèŸå
¥çtokenæ¯åŠçžå if generated_token == token: if counter & 0xFFFFFFFF > current_counter: current_counter = counter & 0xFFFFFFFF print ("current_counter: " , hex (current_counter)) return "Success" else : return "Error: counter must be increasing" else : return "Error: token not match" # å讟HMAC keyæä»¶è·¯åŸ hmac_key_file = 'hmac_key.txt' # å讟计æ°åšåŒ counter = 0x12345678 # 读åHMAC key hmac_key = read_hmac_key(hmac_key_file) # çætoken token = generate_token(hmac_key, counter) print ("Generated token:" , token)print (verify_token(hmac_key, counter, token))
é¢ç®å
容åŸç®åïŒ
读åäžäžªæªç¥çhmac_keyïŒå¹¶çæäžäžªéæºçcounter å°hmac_keyæ§å¶åš32åè(äžè¶³åå¡«å
â\x00âïŒè¶
åºåæªæ) å°hmac_keyäžcounteræŒæ¥èµ·æ¥è¿è¡SM3ååž ç¶åäžåçæ°æ®æïŒ
SM3åŸå°çååžåŒ counteråŒ æä»¬éèŠå®æçäºæ
æ¯ïŒ
æŸå°äžäžªæ°çcounterïŒäœ¿åŸæ°counterçäœ32äœæ¯åæ¥çcounter倧 计ç®åºhmac_keyäžæ°counteræŒæ¥åçSM3ååžåŒ åéæ°counteråè¿äžªååžåŒå°±èœæ¿å°flag çæçœé¢æå°±äŒç¥éè¿æ¯äžäžªåºäºSM3çååžé¿åºŠæ©å±æ»å»ïŒç±äºæ§å¶äºhmac_key䞺32åèïŒå¹¶äžcounteråªæ4åèïŒèSM3çåç»é¿åºŠæ¯64åèïŒæä»¥è¯Žæä»¬æ¿å°çååžåŒæ¯åªæäžäžªåç»çãèæç
§SM3çå¡«å
è§åïŒè¿äžªåç»ååžç宿Žåç»å
¶å®æ¯äžé¢è¿éšåå
容çpart1 + part2ïŒ(ååŒå·ä»£è¡šåèäž²ïŒååŒå·ä»£è¡šæ¯ç¹äž²)
#448 bits part1 = 'hmac_key' (32 bytes ) + 'counter' (4 bytes ) + "1" + "00...0" #64 bits part2 = bin (8 *(len (hmac_key + counter)))[2 :].zfill(64 )
è¿äž€éšåæŒèµ·æ¥å°±åŸå°äºå®æŽç第äžäžªåç»ã
SM3çååžé¿åºŠæ©å±æ»å»åºäºå
¶Merkle Damgardç»æïŒæä»¬å¯ä»¥çšäžäžªå·²ç¥åç»çååžåŒïŒå»ç»§ç»è¿ä»£è®¡ç®æŽé¿çå«æè¯¥åç»æ¶æ¯çååžåŒïŒèäžéèŠç¥éè¿äžªåç»å¯¹åºçæææ¯ä»ä¹ãæä»¥æä»¬å®å
šå¯ä»¥æé äžé¢è¿æ ·çcounterïŒ
New_counter = 'counter' (4 bytes ) + "1" + "00...0" + bin (8 *(len (hmac_key + counter)))[2 :].zfill(64 ) + '\xff\xff\xff\xff'
é£ä¹hmac_keyæŒæ¥äžè¿äžªcounteråïŒå
¶çšäºSM3ååžçæ¶æ¯å°±äŒæ64åèå䞺䞀ç»ïŒè第äžç»æ¯åé¶æºåéçæ¶æ¯å®å
šäžæ ·çïŒå æ€æä»¬å°±å¯ä»¥å©çšååžé¿åºŠæ©å±æ»å»è¿ä»£è®¡ç®æŽäžªæ¶æ¯çååžåŒäºïŒå
·äœå®ç°ä»£ç æ¯èµåé£å€©æäžåšgithubäžé䟿æŸçïŒ
KKrias/length-extension-attack-for-SM3 (github.com)
çšåŸ®å¯¹ç颿æ¹äžæ¹å°±å¥œã
expïŒ
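# Pure-Python SM3 (GB/T 32905-2016) plus a "resume from a known chaining value"
# variant used for the challenge-2 length-extension computation.  All inputs
# and outputs are hex strings; a compression-function state is 64 hex chars.

MASK32 = 0xFFFFFFFF


def zero_fill(a, n):
    """Left-pad string *a* with '0' to at least *n* characters."""
    if len(a) < n:
        a = "0" * (n - len(a)) + a
    return a


def cycle_shift_left(B, n):
    """Rotate the 32-bit value *B* left by *n* (taken mod 32) bits."""
    n = n % 32
    return ((B << n) ^ (B >> (32 - n))) & MASK32


def T(j):
    """Round constant T_j: 0x79cc4519 for rounds 0-15, 0x7a879d8a for 16-63.

    Raises ValueError outside 0..63 (the original returned None).
    """
    if 0 <= j <= 15:
        return 0x79cc4519
    if 16 <= j <= 63:
        return 0x7a879d8a
    raise ValueError(f"round index out of range: {j}")


def FF(X, Y, Z, j):
    """Boolean function FF_j: XOR for rounds 0-15, majority for rounds 16-63."""
    if 0 <= j <= 15:
        return X ^ Y ^ Z
    if 16 <= j <= 63:
        return (X & Y) | (X & Z) | (Y & Z)
    raise ValueError(f"round index out of range: {j}")


def GG(X, Y, Z, j):
    """Boolean function GG_j: XOR for rounds 0-15, choice for rounds 16-63."""
    if 0 <= j <= 15:
        return X ^ Y ^ Z
    if 16 <= j <= 63:
        # ~X is negative in Python; masking keeps the result inside 32 bits.
        return (X & Y) | (~X & MASK32 & Z)
    raise ValueError(f"round index out of range: {j}")


def P0(x):
    """Permutation P0(x) = x ^ (x <<< 9) ^ (x <<< 17)."""
    return x ^ cycle_shift_left(x, 9) ^ cycle_shift_left(x, 17)


def P1(x):
    """Permutation P1(x) = x ^ (x <<< 15) ^ (x <<< 23)."""
    return x ^ cycle_shift_left(x, 15) ^ cycle_shift_left(x, 23)


def Message_extension(a):
    """Expand one 512-bit block (128 hex chars; CF() pads) into round words.

    Returns a list laid out as [W_0 .. W_67, W'] where the last element is the
    64-entry list W'_0 .. W'_63 with W'_j = W_j ^ W_{j+4}; CF() reads it as
    W[-1].  The shape is kept for compatibility with the original listing.
    """
    W = [int(a[8 * i:8 * i + 8], 16) for i in range(len(a) // 8)]
    for j in range(16, 68):
        W.append(
            P1(W[j - 16] ^ W[j - 9] ^ cycle_shift_left(W[j - 3], 15))
            ^ cycle_shift_left(W[j - 13], 7)
            ^ W[j - 6]
        )
    W_prime = [W[j] ^ W[j + 4] for j in range(64)]
    W.append(W_prime)
    return W


def CF(V, Bi):
    """Compression function: absorb block *Bi* (hex) into state *V* (64 hex chars).

    Returns the new state V ^ (A, B, C, D, E, F, G, H) as 64 hex chars.
    """
    Bi = zero_fill(Bi, 128)
    W = Message_extension(Bi)
    W_prime = W[-1]
    initial = [int(V[8 * i:8 * i + 8], 16) for i in range(8)]
    A, B, C, D, E, F, G, H = initial
    for j in range(64):
        rot_a = cycle_shift_left(A, 12)
        SS1 = cycle_shift_left((rot_a + E + cycle_shift_left(T(j), j)) & MASK32, 7)
        SS2 = SS1 ^ rot_a
        TT1 = (FF(A, B, C, j) + D + SS2 + W_prime[j]) & MASK32
        TT2 = (GG(E, F, G, j) + H + SS1 + W[j]) & MASK32
        D = C
        C = cycle_shift_left(B, 9)
        B = A
        A = TT1
        H = G
        G = cycle_shift_left(F, 19)
        F = E
        E = P0(TT2)
    final = [A, B, C, D, E, F, G, H]
    return "".join(zero_fill(hex(v ^ v0)[2:], 8) for v, v0 in zip(final, initial))


def _padded_blocks(plaintext, total_bits):
    """Pad *plaintext* (hex) per SM3 and split it into 128-hex-char blocks.

    *total_bits* is the value written into the 64-bit length field: the message
    length for a plain hash, or additionally the bits of blocks already
    absorbed for a resumed hash.  Shared by SM3() and SM3_len_ex_ak(), which
    previously duplicated this code with float division.
    """
    bit_len = len(plaintext) * 4
    a = (bit_len + 1) % 512
    # k zero bits follow the single '1' bit so that the length field ends a block.
    k = 448 - a if a <= 448 else 512 - a + 448
    # "8" carries the '1' bit plus three zero bits; the remaining zeros follow.
    m = plaintext + "8" + "0" * ((k + 1) // 4 - 1) + zero_fill(hex(total_bits)[2:], 16)
    block_len = (bit_len + k + 65) // 512
    return [m[128 * i:128 * i + 128] for i in range(block_len)]


def SM3(plaintext):
    """Return the SM3 digest (64 hex chars) of *plaintext* given as a hex string.

    Uses the module-level IV defined below (resolved at call time).
    """
    Vtemp = IV
    for block in _padded_blocks(plaintext, len(plaintext) * 4):
        Vtemp = CF(Vtemp, block)
    return Vtemp


def SM3_len_ex_ak(num_block, IV, plaintext):
    """Continue an SM3 computation from chaining value *IV* (64 hex chars).

    *num_block* is how many 512-bit blocks the given state already covers, so
    the length field accounts for them; *plaintext* (hex) is the data appended.
    With num_block == 0 and the standard IV this equals SM3(plaintext).
    """
    Vtemp = IV
    total_bits = len(plaintext) * 4 + num_block * 512
    for block in _padded_blocks(plaintext, total_bits):
        Vtemp = CF(Vtemp, block)
    return Vtemp


IV = "7380166f4914b2b9172442d7da8a0600a96f30bc163138aae38dee4db0fb0e4e"
#############################################################################
# Challenge 2: the token is SM3(key || counter) with a 32-byte key and a 4-byte
# counter, i.e. one padded block.  The new counter is the old counter followed
# by that block's SM3 padding and four 0xff bytes, so the server hashes
# [key || counter || padding] || ffffffff; the leaked token (IV2) is the state
# after the first block, so the digest can be resumed from it without the key.
# Only the low 32 bits of the counter are compared, so the long value passes.
IV2 = "c2427b818b1fb3b9e72e0ec8c60d101a17865842506e6b0052278a0c156d9e7a"
num_block = 1
counter = "51f18456"
# counter (32 bits) || '1' || zeros up to bit 448 || 64-bit length (36 bytes * 8),
# then ffffffff.  zfill(64) keeps a leading zero nibble that hex() would drop.
New_Counter = hex(int(
    bin(int(counter, 16))[2:].zfill(32) + "1"
    + "0" * (448 - 32 * 8 - 1 - 4 * 8)
    + bin(36 * 8)[2:].zfill(64),
    2,
))[2:].zfill(64) + "ffffffff"
print(New_Counter)
print(SM3_len_ex_ak(1, IV2, "FFFFFFFF"))
#flag{3WhlSlIw4tSOhbY52j6CMrUCAYSLfrS9}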
åå§è°é¢äž(300 pts) é¢ç®ïŒ
import sympy as sp
import random

# Parameters
n = 16   # vector length / message bits
q = 251  # modulus

# Key generation: noise e in {0,1}^n, secret s in Z_q^n, and A = Temp^-1 mod q
# for a random n x n matrix Temp (so A is invertible mod q by construction).
e = sp.Matrix(sp.randMatrix(n, 1, min=0, max=1))
s = sp.Matrix(sp.randMatrix(n, 1, min=0, max=q - 1))
Temp = sp.Matrix(sp.randMatrix(n, n, min=0, max=q - 1))
A = Temp.inv_mod(q)
# Public key b = A*s + e (mod q)
b = (A * s + e) % q


def encrypt(message, A, b):
    """Encrypt the n-bit integer *message* under the public key (A, b).

    Each bit becomes one entry of the column vector m.  With a random n x n
    matrix x (entries in [0, q // (4n)]) and fresh noise e1 in {0,1}^n:
        c1 = x * A                        (mod q)
        c2 = x * b + e1 + m * (q // 2)    (mod q)
    Returns the pair (c1, c2) of SymPy matrices.
    """
    bits = bin(message)[2:].zfill(n)
    m = sp.Matrix([int(ch) for ch in bits])
    x = sp.Matrix(sp.randMatrix(n, n, min=0, max=q // (n * 4)))
    e1 = sp.Matrix(sp.randMatrix(n, 1, min=0, max=1))
    c1 = (x * A) % q
    c2 = (x * b + e1 + m * (q // 2)) % q
    return c1, c2


def decrypt(c1, c2, s):
    """Recover the message integer from (c1, c2) with the secret key *s*.

    c2 - c1*s = x*e + e1 + m*(q//2) (mod q); the noise term is small, so
    each entry rounds to the bit m_i after scaling by 2/q.
    """
    noisy = (c2 - c1 * s) % q
    recovered_bits = noisy.applyfunc(lambda v: round(2 * v / q) % 2)
    bit_string = ''.join(str(bit) for bit in recovered_bits)
    return int(bit_string, 2)


# Round-trip demo on a random 16-bit message.
message = random.randint(0, 2 ** n - 1)
c1, c2 = encrypt(message, A, b)
print("原始消息: ", message)
print("公钥A=sp.", A)
print("公钥b=sp.", b)
print("密文c1=sp.", c1)
print("密文c2=sp.", c2)
decrypted_message = decrypt(c1, c2, s)
print("解密后的消息: ", decrypted_message)
é¢ç®ååå«lweïŒå
·äœæ¥è¯Žç»äºäžäºåŠäžæ°æ®ïŒ
éæºçæ16绎ç01åée éæºçæ16绎çåés以å16x16çå¯éç©éµAïŒå¹¶è®¡ç®ïŒ b=As+eå°m蜬å䞺æ¯ç¹äž²ïŒå¹¶è¿äžæ¥å䞺é¿åºŠäžº16ç01åé(ä¹å°±æ¯è¯Žmæ¬èº«ä¹åªæ2åè) ç»åºAãbãc1ãc2ïŒèŠæ±è¿åmessageå¹¶åéç»ä» èœç¶è¯Žé¢ç®å«lweïŒäŒŒä¹ä¹å¯ä»¥éè¿lweçæ¹æ³æ±åºsæ¥ïŒäœæ¯åŸæŸçŒçäžç¹æ¯ç»Žæ°ä»
ä»
䞺16ïŒå®åšå€ªå°äºïŒåªéèŠçŒå§2^16å
¶äžå°±äžå®ææ£ç¡®çeãe1äºã
ç¶èåä»ç»çåç°ææŽçŠ»è°±çäžç¹ïŒæ¢ç¶Aãc1éœç»å¥œäºå¹¶äžAå¯éïŒé£ä¹xçŽæ¥æ±å°±å¥œäºïŒç¶åå°±å¯ä»¥èœ»æŸåŸå°ïŒ
èç±äºe1乿¯01åéïŒä»å¯¹åétç倧å°åœ±åå¯ä»¥å¿œç¥äžè®¡ïŒæä»¥täžå€§äºçäºq/2çäœçœ®å°±æ¯mäžäžº1çäœçœ®ïŒåŠåå°±æ¯0ã
expïŒ
# Solution for the LWE-flavoured challenge: A and c1 are public and A is
# invertible mod p, so x = c1 * A^-1 is recoverable directly, and
# c2 - x*b = x*e + e1 + m*(p//2) leaves only small noise on top of the bits.

A = Matrix(ZZ, [
    [139, 63, 18, 202, 166, 185, 85, 108, 58, 90, 211, 248, 240, 44, 137, 39],
    [5, 230, 89, 226, 139, 24, 233, 20, 12, 108, 127, 11, 52, 64, 188, 156],
    [80, 61, 105, 3, 165, 96, 154, 40, 62, 103, 157, 75, 190, 101, 31, 239],
    [193, 100, 124, 216, 248, 95, 241, 196, 67, 192, 217, 114, 171, 248, 219, 169],
    [116, 71, 221, 105, 167, 153, 22, 124, 178, 45, 7, 183, 125, 8, 127, 123],
    [182, 162, 164, 184, 27, 148, 206, 73, 217, 86, 187, 137, 82, 150, 99, 65],
    [106, 60, 153, 91, 213, 41, 188, 92, 121, 246, 164, 223, 199, 85, 161, 25],
    [93, 97, 145, 31, 48, 36, 7, 110, 56, 47, 108, 79, 233, 186, 93, 181],
    [195, 98, 47, 147, 49, 40, 158, 89, 218, 8, 23, 118, 170, 19, 50, 17],
    [127, 95, 37, 48, 230, 244, 130, 37, 75, 125, 103, 154, 148, 218, 227, 178],
    [162, 235, 129, 44, 204, 228, 221, 130, 239, 36, 57, 38, 41, 74, 61, 155],
    [246, 11, 11, 97, 218, 57, 209, 72, 229, 27, 250, 73, 19, 64, 25, 62],
    [60, 162, 1, 110, 191, 130, 120, 227, 214, 98, 165, 245, 28, 55, 94, 190],
    [129, 212, 185, 156, 119, 239, 83, 221, 4, 174, 65, 218, 32, 211, 213, 223],
    [80, 218, 135, 245, 238, 127, 55, 68, 113, 145, 110, 59, 50, 177, 159, 146],
    [68, 239, 36, 166, 206, 23, 59, 126, 67, 152, 99, 189, 133, 113, 243, 198],
])
b = Matrix(ZZ, [[88], [74], [219], [244], [81], [109], [81], [216],
                [125], [218], [170], [56], [152], [229], [204], [45]])
c1 = Matrix(ZZ, [
    [173, 2, 67, 11, 40, 80, 187, 38, 16, 226, 243, 79, 117, 127, 100, 113],
    [208, 231, 211, 196, 2, 146, 35, 2, 221, 119, 12, 25, 208, 152, 83, 201],
    [154, 43, 180, 76, 235, 5, 179, 196, 206, 171, 98, 145, 92, 144, 247, 98],
    [121, 145, 123, 232, 87, 78, 181, 145, 79, 166, 112, 169, 208, 102, 201, 63],
    [204, 141, 165, 225, 213, 137, 40, 43, 229, 151, 72, 237, 58, 15, 2, 31],
    [35, 114, 241, 31, 122, 123, 164, 231, 197, 89, 41, 236, 128, 22, 152, 82],
    [141, 133, 235, 79, 43, 120, 209, 231, 58, 85, 3, 44, 73, 245, 227, 62],
    [28, 158, 71, 41, 152, 32, 91, 200, 163, 46, 19, 121, 23, 209, 25, 55],
    [156, 17, 218, 146, 231, 242, 91, 76, 217, 57, 100, 212, 243, 87, 62, 159],
    [100, 111, 107, 62, 106, 72, 51, 79, 223, 93, 86, 145, 192, 21, 218, 243],
    [196, 250, 248, 166, 155, 39, 7, 93, 103, 54, 168, 188, 190, 104, 183, 64],
    [16, 131, 148, 193, 19, 149, 179, 212, 109, 170, 201, 168, 165, 167, 68, 25],
    [30, 222, 171, 32, 141, 105, 232, 104, 198, 53, 50, 157, 206, 165, 200, 42],
    [90, 149, 148, 112, 142, 228, 231, 119, 235, 248, 233, 9, 242, 102, 241, 93],
    [150, 32, 78, 183, 68, 249, 80, 165, 95, 229, 211, 0, 75, 14, 172, 139],
    [175, 69, 15, 100, 113, 63, 123, 71, 24, 250, 135, 232, 53, 32, 81, 117],
])
c2 = Matrix(ZZ, [[18], [67], [187], [237], [99], [127], [128], [23],
                 [83], [66], [64], [69], [7], [214], [43], [156]])

p = 251
F = Zmod(p)
A_mod = Matrix(F, A)
c1_mod = Matrix(F, c1)
b_vec = vector(b.T)
c2_vec = vector(c2.T)

# x = c1 * A^-1 (mod p); then strip the masking term x*b from c2.
x = c1_mod * A_mod^(-1)
t = c2_vec - x * b_vec

# Entries at or above p/2 carry a 1 bit, entries near 0 carry a 0 bit.
bits = "".join("1" if entry >= p // 2 else "0" for entry in t)
print(hex(int(bits, 2)))
#21c4
第äºéšåïŒå€§åå¯ç ç³»ç» è¿äžéšåå
±æ4䞪é¢ç®åäžäžªæç»ææïŒé¢ç®ä¹éŽæ¯æé¡ºåºå
³ç³»çïŒä¹å°±æ¯èŠå
ååºæäºé¢ç®ïŒæèœåŸå°åç»é¢ç®çéä»¶ãæ°æ®ãç»åœå¯ç ä¹ç±»ççžå
³ä¿¡æ¯ïŒå
·äœæ¥è¯Žè¿æ¬¡ææçå
åé¡ºåºæ¯ïŒ
flag1åflag3å¯ä»¥åæ¶ææ ååºflag1å¯ä»¥åŒå¯flag2 ååºflag3å¯ä»¥åŒå¯flag4 å
šéšå®æåå¯ä»¥åŒå¯æç»ææ
flag1(600 pts) é¢ç®ïŒ
passwordEncryptorV2.cïŒ
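#include <stdio.h>
#include <string.h>
#include <openssl/sha.h>
#define ROUND 16

/* 4-bit S-box applied to each nibble of the state (16 entries, not 16x16). */
int sBox[16] = { 2, 10, 4, 12, 1, 3, 9, 14, 7, 11, 8, 6, 5, 0, 15, 13 };

/*
 * Decode the hex string hex_str into bytes (at most bytes_len of them).
 * An odd-length or too-long string is reported on stderr and leaves bytes
 * untouched; a pair that does not start with a hex digit is reported and
 * decoding stops there (the original ignored sscanf's result, so bad input
 * silently left whatever was in the buffer).
 */
void hex_to_bytes(const char *hex_str, unsigned char *bytes, size_t bytes_len) {
    size_t hex_len = strlen(hex_str);
    if (hex_len % 2 != 0 || hex_len / 2 > bytes_len) {
        fprintf(stderr, "Invalid hex string length.\n");
        return;
    }
    for (size_t i = 0; i < hex_len / 2; i++) {
        if (sscanf(hex_str + 2 * i, "%2hhx", &bytes[i]) != 1) {
            fprintf(stderr, "Invalid hex digit at position %zu.\n", 2 * i);
            return;
        }
    }
}

/*
 * Expand the 32-bit key into `length` bytes of round-key material: consecutive
 * 4-byte words hold key, key+1, key+2, ... copied in host byte order, so the
 * schedule (and hence ciphertexts) differs between little- and big-endian
 * hosts.  `length` is expected to be a multiple of 16.
 */
void derive_round_key(unsigned int key, unsigned char *round_key, int length) {
    unsigned int tmp = key;
    for (int i = 0; i < length / 16; i++) {
        for (int w = 0; w < 4; w++) {
            memcpy(round_key + i * 16 + w * 4, &tmp, 4);
            tmp++;
        }
    }
}

/* Reverse the bit order of the whole 128-bit state: byte i, bit-reversed, lands in byte 15 - i. */
void reverse_bits_impl(unsigned char *state);
void reverseBits(unsigned char *state) {
    unsigned char temp[16];
    for (int i = 0; i < 16; i++) {
        unsigned char byte = 0;
        for (int j = 0; j < 8; j++) {
            byte |= ((state[i] >> j) & 1) << (7 - j);
        }
        temp[15 - i] = byte;
    }
    memcpy(state, temp, 16);
}

/* Substitute both nibbles of every state byte through sBox. */
void sBoxTransform(unsigned char *state) {
    for (int i = 0; i < 16; i++) {
        int lo = sBox[state[i] & 0xF];
        int hi = sBox[state[i] >> 4];
        state[i] = (hi << 4) | lo;
    }
}

/*
 * Byte/bit mixing within each 4-byte group: every output byte takes the high
 * 3 bits of one input byte (in its low bits) and the low 5 bits of another
 * (shifted up), following the index pattern below.  The stores truncate the
 * int expressions to 8 bits.
 */
void leftShiftBytes(unsigned char *state) {
    unsigned char temp[16];
    for (int i = 0; i < 16; i += 4) {
        temp[i + 0] = state[i + 2] >> 5 | (state[i + 1] << 3);
        temp[i + 1] = state[i + 3] >> 5 | (state[i + 2] << 3);
        temp[i + 2] = state[i + 0] >> 5 | (state[i + 3] << 3);
        temp[i + 3] = state[i + 1] >> 5 | (state[i + 0] << 3);
    }
    memcpy(state, temp, 16);
}

/* XOR the 16-byte round key for `round` into the state (bit-by-bit XOR in the original; same result). */
void addRoundKey(unsigned char *state, unsigned char *roundKey, unsigned int round) {
    for (int i = 0; i < 16; i++) {
        state[i] ^= roundKey[i + round * 16];
    }
}

/*
 * Encrypt the 16-byte password under the 32-bit key: ROUND iterations of
 * reverseBits -> sBoxTransform -> leftShiftBytes -> addRoundKey.
 * Writes 16 bytes to ciphertext.
 */
void encrypt(unsigned char *password, unsigned int key, unsigned char *ciphertext) {
    unsigned char roundKeys[16 * ROUND] = {0};  /* {} is not standard C before C23 */
    derive_round_key(key, roundKeys, 16 * ROUND);
    unsigned char state[16];
    memcpy(state, password, 16);
    for (int round = 0; round < ROUND; round++) {
        reverseBits(state);
        sBoxTransform(state);
        leftShiftBytes(state);
        addRoundKey(state, roundKeys, round);
    }
    memcpy(ciphertext, state, 16);
}

int main(void) {
    unsigned char password[] = "pwd:xxxxxxxxxxxx";  /* 16-byte password; plaintext always starts with "pwd:" */
    unsigned int key = 0xF0FFFFFF;                  /* 4-byte key (sample value) */
    unsigned char ciphertext[16];
    printf("Password: \n");
    printf("%s\n", password);
    encrypt(password, key, ciphertext);
    printf("Encrypted password:\n");
    for (int i = 0; i < 16; i++) {
        printf("%02X", ciphertext[i]);
    }
    printf("\n");
    return 0;
}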
é¢ç®åºäºäžäžªå¯¹ç§°å å¯ïŒç»åºäºå
¶å
·äœå®ç°æ¥éª€ãè¿æ¥é¶æºä¹åäŒç»åºå¯æïŒèŠæ±æ±åºpasswordïŒæ¥è§£å垊å¯ç çååçŸåæºç æä»¶å猩å
ïŒå猩å
å
嫿æ¬é¢çflagåŒä»¥åflag2çæºç ã
å¯ä»¥çåºåšækeyçæ
åµäžïŒè§£å¯å°±æ¯ææŽäžªå å¯è¿çšéäžäžïŒè¿äžéšå亀ç»åŠé¿åŸå¿«å°±å奜äºã
ç¶èåŠé¿åç°å¯¹äºé¶æºç»åºç坿ïŒçšé¢ç®ç»å®ç0xF0FFFFFFåœäœkeyæ¯è§£äžåºä»èŠæ±çâpwd:âåŒå€ŽçpasswordçïŒæä»¥æçæµè¿äžªkeyåªæ¯äžªç€ºäŸïŒå®é
äžèŠçšè¿äžªå·²ç¥çåŒå€Žæ¥çç Ž4åèçkeyã4åè对äºcæ¥è¯ŽäŒŒä¹ä¹äžç®åŸå€§ïŒå æ€ç®åä¿®æ¹äžè§£å¯éšåå°±åŒçäºãäœæ¯ïŒå®é
ææå¹¶äžæ¯åŸçæ³ïŒåŠæèŠçç Žå®ææè§£ç©ºéŽçè¯ïŒå·®äžå€éèŠ2^16ç§ïŒè¿å¯¹äºä»
ä»
6hçæ¯èµæ¥è¯Žå€ªé¿äºïŒæä»¥èŠèèäžäºäŒåãèæ¯èµ·ä»ç»æ¥çä»£ç æ¥è¯ŽïŒæç®åçäŒååœç¶æ¯çŽæ¥çšå€è¿çšæ¥åã
坿¯æåªçšè¿pythonçå€è¿çšïŒå¹¶äžèèå°pythonæ¬èº«çé床ïŒäžºäºçšäžªå€è¿çšææŽäžªæ±è§£ä»£ç 蜬æpythonå®åšæ¯äžå€ªåç®ã坿¯æ¯èµäžåºçœïŒèŠæ¥è¯¢èµæäžä»
éèŠç³è¯·ïŒæ¶éŽä¹åªé10minïŒè¿äŒå¯¹æŽäžªéäŒçæç»©äº§ç圱åïŒæŽäžåç®ãæä»¥æ³æ¥æ³å»ä¹åªèœäžäžªäººéœå€åŒç¹çªå£ïŒç¶åä»äžåçäœçœ®åŒçã
ä¹ç®æ¯äžç§å€è¿çšäºã
ç¶èè¿æ ·åæææ³äžå°çææââæè®©åŠåŒåççç Žçé£äžªçªå£è¿äºäžæ®µæ¶éŽççè·åºäºç»æïŒè¿äžªé¢ä¹å°±é¡ºå©è§£æäºã
å®é
äžæåäžèœ®æç€ºäžææå°ïŒå 䞺æäºåå ïŒkeyéŠåèäžå®æ¯FïŒæä»¥åççææŽå å¿«ïŒæ€å€è¿æäžäºå
¶ä»å°æ¹å¯ä»¥åå°èæ¶ã
è¿éå°±äžä»ç»ç 究产çè¿äºäŒåçåå äºïŒå€è¿çšè¯å®æ¯ææåçXDïŒååºæ¥å°±è¡ã
expïŒ(header.hå°±æ¯é¢ç®å 坿ºç éçåœæ°)
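#include "header.h"

/* Print 16 bytes as upper-case hex on one line. */
void print(unsigned char *m) {
    for (int i = 0; i < 16; i++) {
        printf("%02X", m[i]);
    }
    printf("\n");
}

/* Inverse of the challenge's 4-bit sBox: sBox_inv[sBox[x]] == x for all x. */
int sBox_inv[16] = { 13, 4, 0, 5, 2, 12, 11, 8, 10, 6, 1, 9, 3, 15, 7, 14 };

/* Inverse of leftShiftBytes: each input byte is rebuilt from the two output bytes that received its halves. */
void rightShiftBytes(unsigned char *state) {
    unsigned char temp[16];
    for (int i = 0; i < 16; i += 4) {
        temp[i + 0] = state[i + 2] << 5 | (state[i + 3] >> 3);
        temp[i + 1] = state[i + 3] << 5 | (state[i + 0] >> 3);
        temp[i + 2] = state[i + 0] << 5 | (state[i + 1] >> 3);
        temp[i + 3] = state[i + 1] << 5 | (state[i + 2] >> 3);
    }
    memcpy(state, temp, 16);
}

/*
 * Undo encrypt(): rounds in reverse order, each step inverted.
 * NOTE(review): sBoxTransform is called with the box as a second argument, so
 * the header.h variant must take (state, box); the challenge listing's
 * sBoxTransform only takes the state - confirm header.h was adapted.
 */
void decrypt(unsigned char *password, unsigned int key, unsigned char *ciphertext) {
    unsigned char roundKeys[16 * ROUND] = {0};
    derive_round_key(key, roundKeys, 16 * ROUND);
    unsigned char state[16];
    memcpy(state, ciphertext, 16);
    for (int round = ROUND - 1; round >= 0; round--) {
        addRoundKey(state, roundKeys, round);
        rightShiftBytes(state);
        sBoxTransform(state, sBox_inv);
        reverseBits(state);
    }
    memcpy(password, state, 16);
}

int main(void) {
    // cipher = "B17164A27E035012107D6F7B0454D51D"
    // cipher = "99F2980AAB4BE8640D8F322147CBA409"
    unsigned char password[] = "pwd:xxxxxxxxxxxx";  /* 16-byte password; plaintext always starts with "pwd:" */
    unsigned char ciphertext[16];
    hex_to_bytes("99F2980AAB4BE8640D8F322147CBA409", ciphertext, 16);
    /*
     * do/while so that 0xFFFFFFFF is tried too: the original `key < 0xFFFFFFFF`
     * loop skipped the last key, and `<=` would never terminate on wrap-around.
     */
    unsigned int key = 0;
    do {
        if ((key & 0xFFFF) == 0) printf("%u\n", key);  /* progress marker */
        decrypt(password, key, ciphertext);
        /* 'p' 'w' 'd' ':' */
        if (password[0] == 112 && password[1] == 119 && password[2] == 100 && password[3] == 58) {
            printf("key=%08X ", key);  /* the original printed the candidate without its key */
            print(password);
        }
    } while (key++ != 0xFFFFFFFFu);
    return 0;
}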
flag2(900 pts) é¢ç®ïŒ
co-signing_client.jsïŒ
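const form = ref({
    password: "",
    msgdigest: "",
})
// k1 is the client's per-signature nonce: clientSign1 stores it here and
// clientSign2 reads it back, so both calls must belong to the same signing run.
const k1: any = ref("");

// SM2 curve parameters, shared by both client signing steps.
const SM2_CURVE_PARAMS = {
    p: 'FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF',
    a: 'FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC',
    b: '28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93',
    n: 'FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123',
    g: [
        '32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7',
        'BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0',
    ],
};

/** Build the SM2 short-Weierstrass curve object (was duplicated in both steps). */
const makeSm2Curve = (): any => new elliptic.curve.short(SM2_CURVE_PARAMS as any);

/**
 * Run the two-party SM2 signing flow from the form:
 *  1. d1 = sm3(password) is the client's key share (the password hash is used
 *     directly as the scalar, so the password's strength bounds d1's entropy);
 *  2. clientSign1 yields (e, P1, Q1, r1, s1), posted with sign_param_send;
 *  3. the server answers (s2, s3, r) and clientSign2 finishes s;
 *  4. s is posted with signature_send and shown in qmz.
 * `loading` is cleared on every exit path.
 */
const submit = () => {
    isform.value.validate((valid: boolean) => {
        if (!valid) {
            return
        }
        loading.value = true;
        const smPassword = sm3(form.value.password);
        const first = clientSign1(smPassword, form.value.msgdigest);
        if (first.errMessage) {
            ElMessage.error(first.errMessage)
            loading.value = false;
            return
        }
        const data = {
            q1x: first.str_q1x, q1y: first.str_q1y, e: first.str_e,
            r1: first.str_r1, s1: first.str_s1, p1x: first.str_p1x, p1y: first.str_p1y,
        }
        sign_param_send(data).then((res: any) => {
            const str_s: any = clientSign2(smPassword, res.s2, res.s3, res.r);
            if (str_s.errMessage) {
                // Bug fix: the original showed the (empty) errMessage from step 1 here.
                ElMessage.error(str_s.errMessage)
                loading.value = false;
                return
            }
            ElMessage.success("协同签名成功");
            signature_send({ client_sign: str_s }).then((_res: any) => {
                qmz.value = str_s;
                loading.value = false;
            }).catch((_err: any) => {
                // Bug fix: this was a second .then(), so a failed post left loading stuck on.
                loading.value = false;
            })
        }).catch((_err: any) => {
            loading.value = false;
        })
    })
}

/**
 * Client step 1 of the co-signing protocol.
 * str_d1: client key share d1 (hex); str_e: message digest e (hex).
 * Draws the nonce k1 (kept in the module-level ref) and computes
 *   P1 = d1^-1 * G,  Q1 = k1 * G,  r1 = Q1.x mod n,
 *   s1 = k1^-1 * (e + d1^-1 * r1) mod n,
 * returning them as hex strings, or { errMessage } when d1, r1 or s1 is zero.
 */
const clientSign1: any = (str_d1: any, str_e: any) => {
    let d1 = new BN(str_d1, 16);
    const e = new BN(str_e, 16);
    const sm2: any = makeSm2Curve();
    const n = new BN(sm2.n.toString(16), 16);
    const G = sm2.g;

    // NOTE(review): the name cryptoRandomStringAsync suggests it returns a
    // Promise; BN() given a non-string would not produce a random nonce.
    // Confirm it returns a 64-char hex string synchronously - k1 must be secret
    // and unique per signature, or d1 becomes recoverable from signatures.
    const drawNonce = () => new BN(cryptoRandomStringAsync({ length: 64 }) as any, 16);
    k1.value = drawNonce();
    while (k1.value.mod(n).isZero()) {
        k1.value = drawNonce();
    }
    k1.value = k1.value.mod(n);

    d1 = d1.mod(n);
    if (d1.isZero()) {
        return { errMessage: "d1=0，签名失败" }
    }
    // P1 = d1^-1 * G
    const d1Inv = d1.invm(n);
    const P1 = G.mul(d1Inv);
    // Q1 = k1 * G = (x, y);  r1 = x mod n
    const Q1 = G.mul(k1.value);
    const r1 = new BN(Q1.getX().toString(16), 16).mod(n);
    if (r1.isZero()) {
        return { errMessage: "r1=0，签名失败" }
    }
    // s1 = k1^-1 * (e + d1^-1 * r1) mod n
    const inner = d1Inv.mul(r1).mod(n).add(e).mod(n);
    const s1 = k1.value.invm(n).mul(inner).mod(n);
    if (s1.isZero()) {
        return { errMessage: "s1=0，签名失败" }
    }
    return {
        str_e: e.toString(16),
        str_p1x: P1.getX().toString(16),
        str_p1y: P1.getY().toString(16),
        str_q1x: Q1.getX().toString(16),
        str_q1y: Q1.getY().toString(16),
        str_r1: r1.toString(16),
        str_s1: s1.toString(16),
    }
}

/**
 * Client step 2: combine the server's (s2, s3, r) into the final scalar
 *   s = d1*k1*s2 + d1*s3 - r mod n
 * using the k1 chosen by the preceding clientSign1 call.  Returns s as a
 * non-negative hex string, or { errMessage } for the two values the original
 * rejects (s == 0 and s == n - r).
 */
const clientSign2 = (str_d1: any, str_s2: any, str_s3: any, str_r: any) => {
    const sm2 = makeSm2Curve();
    const d1 = new BN(str_d1, 16);
    const n = new BN(sm2.n.toString(16), 16);
    const s2 = new BN(str_s2, 16);
    const s3 = new BN(str_s3, 16);
    const r = new BN(str_r, 16);
    // s = d1*k1*s2 + d1*s3 - r mod n
    const term1 = d1.mul(k1.value).mod(n).mul(s2).mod(n);
    const term2 = d1.mul(s3).mod(n);
    let s = term1.add(term2).mod(n).sub(r).mod(n);
    if (s.isZero()) {
        return { errMessage: "s=0，签名失败" }
    }
    if (s.add(r).mod(n).isZero()) {
        return { errMessage: "s=n-r，签名失败" }
    }
    // BN.mod keeps the dividend's sign; bring s into [0, n) before encoding.
    if (s.isNeg()) {
        s = s.add(n).mod(n);
    }
    return s.toString(16);
}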
co-signing_client.cïŒ
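#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/ec.h>
#include <openssl/rand.h>

#define SM2LEN 32

/* Print a generic failure marker. Returns 0 so callers can combine it with a return. */
int error() {
    printf("Error.\n");
    return 0;
}

/* Print the marker for a failed check of the client's partial signature (r1 != x' mod n). */
int error_partial_verify() {
    printf("Error partial verify.\n");
    return 0;
}

/* Print the server key share d2 as lower-case hex wrapped in flag2{...}. */
void print_flag2(const BIGNUM *d2) {
    char *hex_str = BN_bn2hex(d2);
    if (!hex_str) {
        error();
        return;
    }
    for (int i = 0; hex_str[i] != '\0'; i++) {
        if (hex_str[i] >= 'A' && hex_str[i] <= 'F') {
            hex_str[i] += 32; /* 'A'..'F' -> 'a'..'f' */
        }
    }
    printf("flag2{%s}\n", hex_str);
    OPENSSL_free(hex_str); /* BN_bn2hex allocates; the original leaked it */
}

typedef struct {
    char s2[SM2LEN * 2 + 1];
    char s3[SM2LEN * 2 + 1];
    char r[SM2LEN * 2 + 1];
    int success; /* 1 once server() produced r, s2 and s3; 0 on any failure */
} Result;

/* Copy bn as a NUL-terminated hex string into dst (2*SM2LEN + 1 bytes).
 * Returns 1 on success, 0 if BN_bn2hex failed. */
static int bn_to_hexbuf(const BIGNUM *bn, char *dst) {
    char *hex = BN_bn2hex(bn);
    if (!hex) {
        return 0;
    }
    strncpy(dst, hex, 2 * SM2LEN + 1);
    dst[2 * SM2LEN] = '\0'; /* strncpy does not terminate when the source fills the buffer */
    OPENSSL_free(hex);
    return 1;
}

/* Server half of the two-party SM2 co-signing protocol.
 *
 * Inputs are hex strings from the client: the message hash e, the client's public
 * share P1 = (p1x, p1y), its nonce point Q1 = (q1x, q1y) and its partial signature
 * (r1, s1).  The server first re-verifies r1 from (e, s1, P1), then produces r, s2, s3.
 *
 * Returns a Result whose success flag is 1 and whose r/s2/s3 buffers hold upper-case
 * hex on success.  On any failure success stays 0 (the buffers may be partly filled
 * and must not be used).  The original declared this function as returning Result but
 * ended with `return rv;` (an int), which does not compile; every error path also
 * leaked the BN_CTX, the group and the points -- all freed at `err:` now. */
Result server(char *str_e, char *str_p1x, char *str_p1y, char *str_q1x, char *str_q1y, char *str_r1, char *str_s1) {
    Result res = {"", "", "", 0};
    BIGNUM *e, *a, *b, *p, *n, *x, *y;
    BIGNUM *d2, *r1, *s1, *p1x, *p1y, *q1x, *q1y;
    BIGNUM *u1, *u2, *xprime, *yprime, *k2, *k3, *x1, *y1, *r, *s2, *s3, *tmp1;
    EC_GROUP *group = NULL;
    EC_POINT *generator = NULL, *P1 = NULL, *Q1 = NULL, *TMP = NULL;
    BN_CTX *bn_ctx = BN_CTX_new();

    if (!bn_ctx) { /* the original called BN_CTX_start before this NULL check */
        error();
        return res;
    }
    BN_CTX_start(bn_ctx);
    e = BN_CTX_get(bn_ctx);
    a = BN_CTX_get(bn_ctx);
    b = BN_CTX_get(bn_ctx);
    p = BN_CTX_get(bn_ctx);
    n = BN_CTX_get(bn_ctx);
    d2 = BN_CTX_get(bn_ctx);
    x = BN_CTX_get(bn_ctx);
    y = BN_CTX_get(bn_ctx);
    p1x = BN_CTX_get(bn_ctx);
    p1y = BN_CTX_get(bn_ctx);
    q1x = BN_CTX_get(bn_ctx);
    q1y = BN_CTX_get(bn_ctx);
    r1 = BN_CTX_get(bn_ctx);
    s1 = BN_CTX_get(bn_ctx);
    u1 = BN_CTX_get(bn_ctx);
    u2 = BN_CTX_get(bn_ctx);
    xprime = BN_CTX_get(bn_ctx);
    yprime = BN_CTX_get(bn_ctx);
    k2 = BN_CTX_get(bn_ctx);
    k3 = BN_CTX_get(bn_ctx);
    x1 = BN_CTX_get(bn_ctx);
    y1 = BN_CTX_get(bn_ctx);
    r = BN_CTX_get(bn_ctx);
    s2 = BN_CTX_get(bn_ctx);
    s3 = BN_CTX_get(bn_ctx);
    tmp1 = BN_CTX_get(bn_ctx);
    if (!tmp1) { /* BN_CTX_get: checking the last call covers all earlier ones */
        error();
        goto err;
    }

    if (!BN_hex2bn(&e, str_e) ||
        !BN_hex2bn(&p1x, str_p1x) ||
        !BN_hex2bn(&p1y, str_p1y) ||
        !BN_hex2bn(&q1x, str_q1x) ||
        !BN_hex2bn(&q1y, str_q1y) ||
        !BN_hex2bn(&r1, str_r1) ||
        !BN_hex2bn(&s1, str_s1) ||
        /* SM2 recommended curve: a, b, p, order n and generator (x, y) */
        !BN_hex2bn(&a, "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC") ||
        !BN_hex2bn(&b, "28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93") ||
        !BN_hex2bn(&p, "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF") ||
        !BN_hex2bn(&n, "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123") ||
        /* d2 = ds (server key); the published source carries a placeholder here */
        !BN_hex2bn(&d2, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") ||
        !BN_hex2bn(&x, "32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7") ||
        !BN_hex2bn(&y, "BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0") ||
        !BN_rand_range(k2, n) ||
        !BN_copy(k3, k2)) {
        error();
        goto err;
    }
    /* generate k2 in [1, n-1] */
    while (BN_is_zero(k2)) {
        if (!BN_rand_range(k2, n) || !BN_copy(k3, k2)) {
            error();
            goto err;
        }
    }
    /* NOTE: k3 is a copy of k2 rather than an independent nonce.  With
     * s2 = d2*k3 and s3 = d2*(r + k2) below, s3 - s2 = d2*r, so anyone who
     * sees r, s2, s3 recovers d2.  This is the weakness the write-up exploits. */

    group = EC_GROUP_new_curve_GFp(p, a, b, bn_ctx);
    if (!group) {
        error();
        goto err;
    }
    generator = EC_POINT_new(group);
    if (!generator) {
        error();
        goto err;
    }
    if (1 != EC_POINT_set_affine_coordinates_GFp(group, generator, x, y, bn_ctx)) {
        error();
        goto err;
    }
    if (1 != EC_GROUP_set_generator(group, generator, n, NULL)) {
        error();
        goto err;
    }
    P1 = EC_POINT_new(group);
    Q1 = EC_POINT_new(group);
    TMP = EC_POINT_new(group);
    if (!P1 || !Q1 || !TMP) {
        error();
        goto err;
    }

    /* if r1=0 or s1=0, error */
    if (BN_is_zero(r1) || BN_is_zero(s1)) {
        error();
        goto err;
    }
    /* set P1 = (p1x, p1y) */
    if (1 != EC_POINT_set_affine_coordinates_GFp(group, P1, p1x, p1y, bn_ctx)) {
        error();
        goto err;
    }
    /* set Q1 = (q1x, q1y) */
    if (1 != EC_POINT_set_affine_coordinates_GFp(group, Q1, q1x, q1y, bn_ctx)) {
        error();
        goto err;
    }

    /* u1 = e * (s1^(-1)) mod n, u2 = r1 * (s1^(-1)) mod n */
    if (!BN_mod_inverse(tmp1, s1, n, bn_ctx) ||
        !BN_mod_mul(u1, e, tmp1, n, bn_ctx) ||
        !BN_mod_mul(u2, r1, tmp1, n, bn_ctx) ||
        !BN_mod(u1, u1, n, bn_ctx) ||
        !BN_mod(u2, u2, n, bn_ctx)) {
        error();
        goto err;
    }
    /* u1*G + u2*P1 = (x', y') */
    if (!EC_POINT_mul(group, TMP, u1, P1, u2, bn_ctx)) {
        error();
        goto err;
    }
    if (!EC_POINT_get_affine_coordinates_GFp(group, TMP, xprime, yprime, bn_ctx)) {
        error();
        goto err;
    }
    /* verify r1 = x' mod n -- the client's partial signature must check out before signing */
    if (!BN_mod(xprime, xprime, n, bn_ctx)) {
        error();
        goto err;
    }
    if (BN_cmp(r1, xprime)) {
        error_partial_verify();
        goto err;
    }

    /* k2*G + k3*Q1 = (x1, y1) */
    if (!EC_POINT_mul(group, TMP, k2, Q1, k3, bn_ctx)) {
        error();
        goto err;
    }
    if (!EC_POINT_get_affine_coordinates_GFp(group, TMP, x1, y1, bn_ctx)) {
        error();
        goto err;
    }
    /* r = (e + x1) mod n */
    if (!BN_mod_add(r, e, x1, n, bn_ctx)) {
        error();
        goto err;
    }
    if (BN_is_zero(r)) {
        error();
        goto err;
    }
    if (!bn_to_hexbuf(r, res.r)) {
        error();
        goto err;
    }

    /* s2 = d2 * k3 mod n, s3 = d2 * (r+k2) mod n */
    if (!BN_mod_mul(s2, d2, k3, n, bn_ctx) ||
        !BN_mod_add(tmp1, r, k2, n, bn_ctx) ||
        !BN_mod_mul(s3, d2, tmp1, n, bn_ctx) ||
        !BN_mod(s2, s2,n, bn_ctx) ||
        !BN_mod(s3, s3, n, bn_ctx)) {
        error();
        goto err;
    }
    if (!bn_to_hexbuf(s2, res.s2) || !bn_to_hexbuf(s3, res.s3)) {
        error();
        goto err;
    }
    printf("s2: %s\n", res.s2);
    printf("s3: %s\n", res.s3);

    /* flag2 has the form flag2{...}; the braces hold d2 in lower-case hex. */
    print_flag2(d2);
    res.success = 1;

err:
    EC_POINT_free(TMP);
    EC_POINT_free(Q1);
    EC_POINT_free(P1);
    EC_POINT_free(generator);
    EC_GROUP_free(group);
    BN_CTX_end(bn_ctx);
    BN_CTX_free(bn_ctx);
    return res;
}

/* Compute the combined public key P = d2^(-1) * P1 - G from the server share d2
 * (hex) and the client's public share P1 = (p1x, p1y), and print its coordinates.
 * Returns 0 on success, 1 on failure.  Not called from main() in this file. */
int getPublicKey(char *str_d2, char *str_p1x, char *str_p1y) {
    int rv = 1;
    BIGNUM *negone, *a, *b, *p, *n, *x, *y;
    BIGNUM *d2, *p1x, *p1y, *px, *py;
    BIGNUM *tmp1, *tmp2;
    EC_GROUP *group = NULL;
    EC_POINT *generator = NULL, *P = NULL, *P1 = NULL;
    char *hex_px = NULL, *hex_py = NULL;
    BN_CTX *bn_ctx = BN_CTX_new();

    if (!bn_ctx) {
        error();
        return 1;
    }
    BN_CTX_start(bn_ctx);
    negone = BN_CTX_get(bn_ctx);
    a = BN_CTX_get(bn_ctx);
    b = BN_CTX_get(bn_ctx);
    p = BN_CTX_get(bn_ctx);
    n = BN_CTX_get(bn_ctx);
    d2 = BN_CTX_get(bn_ctx);
    x = BN_CTX_get(bn_ctx);
    y = BN_CTX_get(bn_ctx);
    p1x = BN_CTX_get(bn_ctx);
    p1y = BN_CTX_get(bn_ctx);
    px = BN_CTX_get(bn_ctx);
    py = BN_CTX_get(bn_ctx);
    tmp1 = BN_CTX_get(bn_ctx);
    tmp2 = BN_CTX_get(bn_ctx);
    if (!tmp2) {
        error();
        goto err;
    }

    if (!BN_hex2bn(&d2, str_d2) ||
        !BN_hex2bn(&p1x, str_p1x) ||
        !BN_hex2bn(&p1y, str_p1y) ||
        !BN_hex2bn(&a, "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC") ||
        !BN_hex2bn(&b, "28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93") ||
        !BN_hex2bn(&p, "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF") ||
        !BN_hex2bn(&n, "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123") ||
        !BN_hex2bn(&x, "32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7") ||
        !BN_hex2bn(&y, "BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0")) {
        error();
        goto err;
    }

    group = EC_GROUP_new_curve_GFp(p, a, b, bn_ctx);
    if (!group) {
        error();
        goto err;
    }
    generator = EC_POINT_new(group);
    if (!generator) {
        error();
        goto err;
    }
    if (1 != EC_POINT_set_affine_coordinates_GFp(group, generator, x, y, bn_ctx)) {
        error();
        goto err;
    }
    if (1 != EC_GROUP_set_generator(group, generator, n, NULL)) {
        error();
        goto err;
    }
    P = EC_POINT_new(group);
    P1 = EC_POINT_new(group);
    if (!P || !P1) {
        error();
        goto err;
    }
    /* set P1 = (p1x, p1y) */
    if (1 != EC_POINT_set_affine_coordinates_GFp(group, P1, p1x, p1y, bn_ctx)) {
        error();
        goto err;
    }

    /* P = ((d2)^(-1)) * P1 - G: negone = (0 - 1) mod n = n - 1 is the scalar applied to G.
     * BN_zero() returns void on current OpenSSL, so it is not tested like the others. */
    BN_zero(tmp1);
    if (!BN_one(tmp2) || !BN_mod_sub(negone, tmp1, tmp2, n, bn_ctx)) {
        error();
        goto err;
    }
    if (!BN_mod_inverse(tmp1, d2, n, bn_ctx) ||
        !EC_POINT_mul(group, P, negone, P1, tmp1, bn_ctx)) {
        error();
        goto err;
    }
    if (!EC_POINT_get_affine_coordinates_GFp(group, P, px, py, bn_ctx)) {
        error();
        goto err;
    }
    hex_px = BN_bn2hex(px);
    hex_py = BN_bn2hex(py);
    if (!hex_px || !hex_py) {
        error();
        goto err;
    }
    printf("Px: %s\n", hex_px);
    printf("Py: %s\n", hex_py);
    rv = 0;

err:
    OPENSSL_free(hex_px);
    OPENSSL_free(hex_py);
    EC_POINT_free(P1);
    EC_POINT_free(P);
    EC_POINT_free(generator);
    EC_GROUP_free(group);
    BN_CTX_end(bn_ctx);
    BN_CTX_free(bn_ctx);
    return rv;
}

/* Usage: <prog> e p1x p1y q1x q1y r1 s1 (all hex).  Exit status 0 on success, 1 otherwise.
 * The original indexed argv[1..7] without checking argc and tested the returned struct
 * directly in `if (server(...))`, which does not compile. */
int main(int argc, char *argv[]) {
    Result res;

    if (argc < 8) {
        fprintf(stderr, "usage: %s e p1x p1y q1x q1y r1 s1\n", argv[0]);
        return 1;
    }
    res = server(argv[1], argv[2], argv[3], argv[4], argv[5], argv[6], argv[7]);
    if (!res.success) {
        error();
        return 1;
    }
    return 0;
}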
这个题目代码特别特别的长，具体细节可以慢慢读。
.js文件是交互部分，梳理一下主要交互流程是：
用户输入口令和消息摘要，并发送给服务器 用户本地计算出如下数据，这些数据可以在发送的负载里找到： e, p1x, p1y, q1x, q1y, r1, s1 服务器接收到数据后，进行协同签名，并发送以下数据返回： s2, s3, r 我们需要计算出服务器的私钥d2，d2就是flag2的值 而.c文件则是告诉我们协同签名流程，这些数据主要有以下一些关系(运算均在模n下，n是曲线阶)：
使用SM2的标准曲线，参数及生成元G均已知，服务器私钥为d2，并有以下P点坐标： 使用用户发来的p1x, p1y, q1x, q1y这四个数据设置点P1、Q1 使用用户发来的e、r1、s1计算u1、u2： 计算中间点T(x’,y’)，验证r1=x’： 生成随机数k2、k3，并计算： 计算r： 计算s2、s3： 返回r、s2、s3 整个步骤就是看注释一步步梳理出来的，我们的目的是算出d2来，而s2、s3中一共有三个变量d2、k2、k3，并不足以求出所有未知数，所以可能需要利用r再构造一个等式才行。
然而这个题藏了一个相当阴的地方，仔细观察可以发现一行代码：
BN_copy(k3, k2) 这也就是说k3=k2，因此未知数实际上就只有两个，所以很轻松就可以拿到d2了XD。
exp：
from Crypto.Util.number import *

# SM2 recommended curve parameters -- the same constants the challenge's C server uses.
# EllipticCurve / Zmod come from the Sage prelude; this script is meant to run under sage.
a = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC", 16)
b = int("28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93", 16)
p = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF", 16)
n = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123", 16)
x = int("32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7", 16)
y = int("BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0", 16)
E = EllipticCurve(Zmod(p), [a, b])
G = E(x, y)
################################################################################# res
# Values captured from one co-signing exchange: e, P1, Q1, r1, s1 are what the client
# sent; r, s2, s3 are what the server answered.
e = "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
p1x = "3e8eda67c5f1b70ac1950f615c2c4e0b0fe2544823ac96cb127ba318d96b4f5"
p1y = "ab1bbde72e7d1ef42e0c9d18d44a10e7250a0dfea98194f2d8d591b355fc636"
q1x = "bc44ec67a42c1613d9cf99f7bd2d1d859ab94823ba6cfb1836e8083e23bbd41e"
q1y = "faef1f853c095d6de79ba9ad9a2026d742042116b38b1c672ae67c7c7e9e762d"
r1 = "bc44ec67a42c1613d9cf99f7bd2d1d859ab94823ba6cfb1836e8083e23bbd41e"
s1 = "6c1bfef8bacf4f9c8bc4703c66458715475e50d17ba84f666372b4f4c364e16f"
r = "C987C22813DD2D0537433FF583C84B047E0313DCA072E187ACBB5A638D4E2BC0"
s2 = "E1E08110628EEB528DC26AA117AFEF8613B1D22EBFD77A9F42524CEFEB57F676"
s3 = "758CBCCFADFB5078DB26DF382A179C9AFDE1D0617D92EC5496F67380162235B6"
tt = [e, p1x, p1y, q1x, q1y, r1, s1, r, s2, s3]
e, p1x, p1y, q1x, q1y, r1, s1, r, s2, s3 = [int(i, 16) for i in tt]
P1 = E(p1x, p1y)
Q1 = E(q1x, q1y)
# Sanity check mirroring the server's partial-signature verification:
# u1 = e/s1, u2 = r1/s1, T = u1*G + u2*P1, and r1 must equal T.x.
u1 = e * inverse(s1, n) % n
u2 = r1 * inverse(s1, n) % n
T = u1*G + u2*P1
x_, y_ = T.xy()
assert r1 == x_
x1 = r - e  # x-coordinate of the server's nonce point, from r = (e + x1) mod n; unused below
# The server computes s2 = d2*k3 and s3 = d2*(r + k2) with k3 = k2 (BN_copy(k3, k2) in
# the C source), so s3 - s2 = d2*r and the server share is d2 = (s3 - s2) / r mod n.
d2 = (s3-s2)*inverse(r, n) % n
print(hex(d2))
#flag2{a61bdbacbad62b141284a6955b14a27df01c09984e23785ec75b5e5c79e18f62}
flag3(500 pts) 题目：
login.go：
package controllers

import (
	"crypto/ecdsa"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	jwtgo "github.com/dgrijalva/jwt-go"
	"github.com/gin-gonic/gin"
	"github.com/tjfoc/gmsm/sm2"
	"github.com/tjfoc/gmsm/x509"
	"http_svr/config"
	"http_svr/models"
	"http_svr/utils"
	"math/big"
	"net/http"
	"time"
)

// loadCertificate parses a PEM-encoded certificate. Only the first PEM block is
// looked at (the remainder returned by pem.Decode is discarded) and it must be of
// type CERTIFICATE; the DER payload is handed to gmsm's x509 parser.
func loadCertificate(certPEM string) (*x509.Certificate, error) {
	//certPEM := "-----BEGIN CERTIFICATE-----\nMIIBQDCB6KADAgECAgECMAoGCCqBHM9VAYN1MBIxEDAOBgNVBAoTB1Jvb3QgQ0Ew\nHhcNMjQwNzI0MDkyMTI5WhcNMjUwNzI0MDkyMTI5WjAaMRgwFgYDVQQKEw9NeSBP\ncmdhbml6YXRpb24wWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAASlPepwTvt5c4rF\nEsg1Mqs+Tyx/BwRkwyWqDyZd/gBFKp7veuoZnGK11c24xPOqR/eQZNW7ugsZW6eb\nLyXSsE9ooycwJTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nCgYIKoEcz1UBg3UDRwAwRAIgG4/snkgUCW819OotUWUfMOo0BzHX8KeTTUSLpIjy\nEO4CIEq6X7h3nVNeFzdtLWdy5+1MeNwsWawHU5YzITsNtqOe\n-----END CERTIFICATE-----\n"
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("æ æçè¯ä¹Šæ ŒåŒ")
	}
	return x509.ParseCertificate(block.Bytes)
}

// validateCertificate accepts cert only if its issuer fields match rootCert's subject,
// it is currently valid, its subject carries the expected organisation / unit /
// country, and it chains to rootCert.
//
// NOTE(review): neither this function nor Login compares cert.Subject.CommonName
// (or any other subject field) with the username that is logging in. Any certificate
// the root issued with O=ShangMiBei, OU=ShangMiBei2024, C=CN therefore passes for
// every registered username, the admin account included.
//
// It also indexes rootCert.Subject.Organization[0] and .Country[0] without a length
// check, so it assumes the root carries both fields.
func validateCertificate(cert *x509.Certificate, rootCert *x509.Certificate) error {
	// issuer common name must match the root's subject
	if cert.Issuer.CommonName != rootCert.Subject.CommonName {
		return fmt.Errorf("è¯ä¹Šæ ¡éªå€±èŽ¥")
	}
	// issuer organisation
	if len(cert.Issuer.Organization) != 1 || cert.Issuer.Organization[0] != rootCert.Subject.Organization[0] {
		return fmt.Errorf("è¯ä¹Šæ ¡éªå€±èŽ¥")
	}
	// issuer country
	if len(cert.Issuer.Country) != 1 || cert.Issuer.Country[0] != rootCert.Subject.Country[0] {
		return fmt.Errorf("è¯ä¹Šæ ¡éªå€±èŽ¥")
	}
	// validity window (time.Now() is read twice; harmless here)
	if time.Now().Before(cert.NotBefore) || time.Now().After(cert.NotAfter) {
		return fmt.Errorf("è¯ä¹Šæ ¡éªå€±èŽ¥")
	}
	// subject organisation
	if len(cert.Subject.Organization) != 1 || cert.Subject.Organization[0] != "ShangMiBei" {
		return fmt.Errorf("è¯ä¹Šæ ¡éªå€±èŽ¥")
	}
	// subject organisational unit
	if len(cert.Subject.OrganizationalUnit) != 1 || cert.Subject.OrganizationalUnit[0] != "ShangMiBei2024" {
		return fmt.Errorf("è¯ä¹Šæ ¡éªå€±èŽ¥")
	}
	// subject country
	if len(cert.Subject.Country) != 1 || cert.Subject.Country[0] != "CN" {
		return fmt.Errorf("è¯ä¹Šæ ¡éªå€±èŽ¥")
	}
	// trust pool holding only the root
	roots := x509.NewCertPool()
	roots.AddCert(rootCert)
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: time.Now(),
	}
	// chain verification (no KeyUsages are set, so gmsm's defaults apply)
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("è¯ä¹ŠéŸæ ¡éªå€±èŽ¥: %v", err)
	}
	return nil
}

// SM2Signature is the (R, S) pair of an SM2 signature; unused in this file.
type SM2Signature struct {
	R, S *big.Int
}

// validateSignature checks an SM2 signature (hex-encoded, as produced by gmsm's
// Sign) over message with publicKey. It returns (true, nil) on success and
// (false, err) in every failure case, so callers may rely on err being non-nil
// whenever the bool is false.
func validateSignature(message, signature string, publicKey *sm2.PublicKey) (bool, error) {
	//rawSignatureHex, err := base64.StdEncoding.DecodeString(base64EncodedSignature)
	hexSignature, err := hex.DecodeString(signature)
	if err != nil {
		return false, fmt.Errorf("invalid signature format")
	}
	isValid := publicKey.Verify([]byte(message), hexSignature)
	if isValid {
		return true, nil
	} else {
		return false, fmt.Errorf("signature is invalid")
	}
}

// Login handles the login request: the user must be registered, must still have a
// cached random challenge, must present a certificate that validateCertificate
// accepts, and must prove possession of the matching private key by signing the
// challenge. The signature binds the request to the certificate's key, not to the
// username -- see the note on validateCertificate.
func Login(c *gin.Context, conf config.Config) {
	// parse request parameters
	var req models.LoginReq
	if err := c.ShouldBind(&req); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}
	// the username must already be registered
	if _, exists := models.Users[req.Username]; !exists {
		c.JSON(http.StatusBadRequest, gin.H{"error": "username not exists"})
		return
	}
	// the per-user random challenge must not have expired
	randomStr, exists := conf.Cache.Get(req.Username)
	if !exists {
		c.JSON(http.StatusBadRequest, gin.H{"error": "random string has expired"})
		return
	}
	// certificate checks
	cert, err := loadCertificate(req.Cert)
	if err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}
	if err := validateCertificate(cert, models.RootCert); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}
	// proof of possession: the challenge's signature must verify under the
	// certificate's public key.
	// NOTE(review): only the Go type is checked here; the curve is copied through
	// unchanged, so what Verify does with a non-SM2 ECDSA key is not visible in this file.
	ecdsaPubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		c.JSON(http.StatusBadRequest, gin.H{"error": "public key in cert is not sm2"})
		return
	}
	sm2PubKey := sm2.PublicKey{
		Curve: ecdsaPubKey.Curve,
		X:     ecdsaPubKey.X,
		Y:     ecdsaPubKey.Y,
	}
	// randomStr.(string) is an unchecked assertion; it panics if the cache holds another type
	isValid, err := validateSignature(randomStr.(string), req.Signature, &sm2PubKey)
	if isValid {
		//c.JSON(http.StatusOK, gin.H{"msg": "success", "flag3": config.Flag3, "download_url": config.DownloadUrl})
		generateToken2(c, req.Username, conf)
	} else {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
	}
}

// generateToken2 issues the session JWT for username and answers the request.
// is_admin is decided purely by string comparison with "shangmibeiadmin"; together
// with the missing certificate/username binding noted on validateCertificate, any
// root-issued certificate presented with that username yields an admin token.
// A token-creation failure is reported with HTTP 200 and code 5091.
func generateToken2(c *gin.Context, username string, conf config.Config) {
	j := &utils.JWT{
		SigningKey: []byte(conf.SignKey),
	}
	claims := utils.CustomClaims{
		Name: username,
		StandardClaims: jwtgo.StandardClaims{
			NotBefore: time.Now().Unix() - conf.NotBeforeTime, // not-before
			ExpiresAt: time.Now().Unix() + conf.ExpiresTime,   // expiry
			Issuer:    conf.Issuer,                            // issuer
		},
	}
	token, err := j.CreateToken(claims)
	if err != nil {
		c.JSON(http.StatusOK, gin.H{
			"code": 5091,
			"msg":  "ç»åœå€±èŽ¥ïŒç³»ç»æè¯¯",
		})
		return
	}
	// consume the user's cached challenge so it cannot be replayed
	conf.Cache.Delete(username)
	isAdmin := false
	if username == "shangmibeiadmin" {
		isAdmin = true
	}
	c.JSON(http.StatusOK, gin.H{
		"code":     0,
		"msg":      "ç»åœæå",
		"token":    token,
		"is_admin": isAdmin,
	})
	return
}
æ°æ®åºç®¡çç³»ç»ç®¡çåè¯ä¹Š.cerïŒ
-----BEGIN CERTIFICATE----- MIICXjCCAgWgAwIBAgIIatKGfgnOvYYwCgYIKoEcz1UBg3UwNjELMAkGA1UEBhMC Q04xEzARBgNVBAoTClNoYW5nTWlCZWkxEjAQBgNVBAMTCVNoYW5nTWlDQTAeFw0y NDA4MDUwNzUyMTdaFw0yNTEwMTAxMjAxMDFaMFUxEzARBgNVBAoTClNoYW5nTWlC ZWkxFzAVBgNVBAsTDlNoYW5nTWlCZWkyMDI0MRgwFgYDVQQDEw9zaGFuZ21pYmVp YWRtaW4xCzAJBgNVBAYTAkNOMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEiHG2 LM9gsuJXiyo+0yDDZEVP1+3Qh+47g65eMeoUXoi0eUiGPvhehh4RaWacpVrQKJXQ qzCqkR4n1B+7ZymwXqOB3TCB2jAOBgNVHQ8BAf8EBAMCA4gwHQYDVR0lBBYwFAYI KwYBBQUHAwIGCCsGAQUFBwMBMA8GA1UdDgQIBAYBAgMEBQYwDwYDVR0jBAgwBoAE AQIDBDAuBgNVHREEJzAlgQtnaXRAZ2l0LmNvbYcEfwAAAYcQIAFIYAAAIAEAAAAA AAAAaDBXBgNVHR8EUDBOMCWgI6Ahhh9odHRwOi8vY3JsMS5leGFtcGxlLmNvbS9j YTEuY3JsMCWgI6Ahhh9odHRwOi8vY3JsMi5leGFtcGxlLmNvbS9jYTEuY3JsMAoG CCqBHM9VAYN1A0cAMEQCIEU8qEYGqgRTJPGI8YLRrpR7x3M2HzZOt377PwsnivGW AiA67pgq6qfrhKsWc/B2VUqi2t+ZlK+iAM6D+Ai7NoqYSw== -----END CERTIFICATE---- é¢ç®è¿æ¥äžä¹åæäžäžªç®æççœç«ïŒç±äºå€ç°äžäºæä»¥åªèœå€§èŽæè¿°äžäžå®çåèœïŒ
有一个登录界面，可以输入用户名、私钥以及公钥文件，如果能通过login.go中的所有check就能成功登录 还有一个注册界面，可以输入用户名和裸公钥，如果裸公钥格式正确，服务器就会用根证书发放一个完整公钥文件给你 我们的目标是用“shangmibeiadmin”成功登录，就可以拿到flag3的值以及flag4的源码。
已知的这个证书文件是个公钥文件，查看一下发现这个证书的用户就是“shangmibeiadmin”，所以如果我们能知道他的私钥的话就可以直接登录了。结合这个题只有500分这个事实，我第一反应是私钥相当小，可以直接算出来，但是用mitm算了2^50无果，所以只能从其他部分入手。
用gmssl这个工具可以比较轻松地生成一对公私钥证书，我们只需要把公钥里的裸公钥提出来，然后自己随便生成个用户名就可以注册一个用户，并得到服务器颁发的公钥证书。
这里需要注意一下不能直接注册“shangmibeiadmin”，它会显示已注册
然后查看login.go可以发现它似乎根本没检验证书所有者是不是和用户名一样，所以按理来说接下来的步骤很简单，我们只需要在用户名一栏输入“shangmibeiadmin”，然后输入刚才我们生成的公私钥证书中的私钥，再输入刚才服务器下发的证书就可以成功登录。
然而我们实在是不熟gmssl乃至openssl这些工具，并且不出网，不能自由查找怎么使用，所以只能一直用help查看有什么参数可以用。我们遇到的最大问题是，gmssl必须要一个密码，才能生成sm2私钥文件，而这个私钥文件是用这个密码加密过的，但是我们怎么找都找不到怎么解密这个私钥文件并解析它。
这里花了很长很长时间，最后在离比赛结束不到一小时的时候想了一个笨办法出来——直接去源码c文件里面加几行打印私钥d的文件，并重新编译一下再用这个工具：
这个方法很笨但是确实有效，由于脑子有点混乱，也想不太清楚d具体该怎么拼，就用从前往后和从后往前两种顺序得到两个d，并用是否满足P=dG这个式子来进行核验，最后好歹是把自己生成的私钥d提出来了：
from Crypto.Util.number import *
from tqdm import *  # unused

# SM2 recommended curve; EllipticCurve / Zmod come from the Sage prelude (run under sage).
a = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC", 16)
b = int("28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93", 16)
p = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF", 16)
n = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123", 16)
x = int("32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7", 16)
y = int("BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0", 16)
E = EllipticCurve(Zmod(p), [a, b])
G = E(x, y)
# DER SubjectPublicKeyInfo (hex) of the key pair we generated ourselves; the trailing
# 65 bytes are the uncompressed point 04 || X || Y, which the two slices below extract.
t = "3059301306072a8648ce3d020106082a811ccf5501822d03420004ed7a7dce0e4e2e4b779f76b4ec407b8987ba5c3beba5cd454604e587fce0a17160b29510b2beb36e36470fba3ed6bd436049a0b588e931c71df6cf0b0d0e6407"
x1 = int(t[-128:-64], 16)
y1 = int(t[-64:], 16)
P = E(x1, y1)
# The four 64-bit words of d as printed by the patched gmssl build; dd[0] is the least
# significant word (see the shifts below) -- the ordering was found by trial.
dd = [12437958772606967559, 9879664919779981675, 172814172046494727, 15816591967453487196]
d = (dd[3] << (64*3)) + (dd[2] << (64*2)) + (dd[1] << (64*1)) + (dd[0] << (64*0))
print(d)
print(hex(d))
print(d*G == P)  # True iff the limb order above reconstructs our own private key
ä¹åæåæçæ¹åŒå°±å¯ä»¥ç»åœäžçœç«æ¿å°flag3以åflag4çæºç ã
flag4(1000 pts) 题目：
SM4加密解密代码.py：
from gmssl.sm4 import CryptSM4, SM4_ENCRYPT, SM4_DECRYPT

# Parameters of the 64-bit LCG that drives key and IV generation.
MULTIPLIER = 6364136223846793005
ADDEND = 1
MASK = 0xffffffffffffffff
ITERATIONS = 1000


# read the seed from a file
def read_seed(file_path: str) -> int:
    """Return the hex seed stored in *file_path* (also prints it)."""
    with open(file_path, 'r') as file:
        seed = int(file.read().strip(), 16)
    print("seed:", hex(seed))
    return seed


global_seed = read_seed('seed.txt')


def genRandom() -> int:
    """Advance the LCG state ITERATIONS times and return its top 32 bits.

    NOTE(review): an LCG is not a cryptographic generator -- every output is a
    deterministic function of global_seed, and the IV below is drawn from the same
    state stream as the key, so whoever sees the IV can recover the key (the lattice
    step in this write-up does exactly that).
    """
    global global_seed
    # print("global_seed", hex(global_seed))
    for _ in range(ITERATIONS):
        global_seed = (global_seed * MULTIPLIER + ADDEND) & MASK
    return (global_seed >> 32) & 0xffffffff


# hex string -> bytes
def HexStringToBytes(hex_str: str) -> bytes:
    return bytes.fromhex(hex_str)


# bytes -> hex string
def BytesToHexString(byte_seq: bytes) -> str:
    return byte_seq.hex()


def genSM4KeyOrIV() -> bytes:
    """Concatenate four consecutive genRandom() outputs into 16 bytes."""
    return HexStringToBytes(''.join(f'{genRandom():08x}' for _ in range(4)))


def SM4Encrypt(data_bytes: bytes, key_bytes: bytes, iv_bytes: bytes) -> bytes:
    """SM4-CBC encryption via gmssl."""
    sm4 = CryptSM4()
    sm4.set_key(key_bytes, SM4_ENCRYPT)
    return sm4.crypt_cbc(iv_bytes, data_bytes)


def SM4Decrypt(cipher_bytes: bytes, key_bytes: bytes, iv_bytes: bytes) -> bytes:
    """SM4-CBC decryption via gmssl."""
    sm4 = CryptSM4()
    sm4.set_key(key_bytes, SM4_DECRYPT)
    return sm4.crypt_cbc(iv_bytes, cipher_bytes)


print("############ SM4 Cryptographic Services Start... ###################")
# The IV is generated first and the key second, from the same LCG stream.
iv_bytes = genSM4KeyOrIV()
print("iv hex:", BytesToHexString(iv_bytes))
key_bytes = genSM4KeyOrIV()
print("key hex:", BytesToHexString(key_bytes))
# read test.pcapng and encrypt it
with open('test.pcapng', 'rb') as f1:
    plain1_bytes = f1.read()
cipher1_bytes = SM4Encrypt(plain1_bytes, key_bytes, iv_bytes)
# write the ciphertext to cipherText.dat
with open('cipherText.dat', 'wb') as f2:
    f2.write(cipher1_bytes)
# read the ciphertext back from cipherText.dat
with open('cipherText.dat', 'rb') as f3:
    cipher2_bytes = f3.read()
plain2_bytes = SM4Decrypt(cipher2_bytes, key_bytes, iv_bytes)
# decrypt and write the plaintext to plainText.pcapng (contains flag4)
with open('plainText.pcapng', 'wb') as f4:
    f4.write(plain2_bytes)
æ»ç»çååçŸåæµéå
加密使用的iv.txt：
90fc5cf2e2f47488a257fd51e0ae615 终于是一个python加密了，倍感亲切。题目主要流程是：
读取seed.txt文件得到初始seed 用genSM4KeyOrIV函数连续生成16字节的iv和key 读取一个流量包文件，并用iv、key对流量包文件进行SM4加密 给出密文文件以及iv，要求还原流量包
最可疑的地方只可能在genSM4KeyOrIV函数里，查看一下发现其是连续调用四次genRandom函数并拼接而成，而genRandom函数是：
def genRandom (): global global_seed # print("global_seed", hex(global_seed)) for _ in range (ITERATIONS): global_seed = (global_seed * MULTIPLIER + ADDEND) & MASK return (global_seed >> 32 ) & 0xffffffff å¯ä»¥çåºè¿æ¯äžäžªLCGè¿çšïŒå
¶äŒè¿åseedè¿ä»£äžå次ä¹åçé«32äœã
我们知道IV，也就是我们知道连续四次迭代一千次之后的seed高位，这就变成了一个简单的HNP问题。由于LCG迭代过程可以写为如下矩阵乘法：
所以一千次迭代也就是：
对äºé¢ç®æ¥è¯Žæ¯å·²ç¥é«32äœïŒé£ä¹ä»¥IVç第äžäžªåç»å第äºäžªåç»äžºäŸïŒåŒåå°±å¯ä»¥åæïŒ
æä»¥å¯¹IVææè¿ç»ç䞀ç»çšç¬¬äžè¡å¯¹åºç线æ§çåŒïŒå°±å¯ä»¥æé®é¢èœ¬åæè§çºŠäœ32äœçHNPé®é¢äºïŒåŸå°ææäœäœä¹åå°±å¯ä»¥ååè¿ä»£åŸå°keyïŒä»èæ¢å€æµéå
ã
exp：
get xl：
# Recover the unknown low 32 bits of the LCG states behind the leaked IV (Sage script).
c = "90fc5cf2e2f47488a257fd51e0ae615b"  # the IV: four consecutive 32-bit genRandom() outputs
MULTIPLIER = 6364136223846793005
ADDEND = 1
MASK = 0xffffffffffffffff + 1  # 2^64, used here as the modulus rather than as a bit mask
ITERATIONS = 1000
t1, t2, t3, t4 = c[:8], c[8:16], c[16:24], c[24:32]
res = [t1, t2, t3, t4]
t = [int(i, 16) for i in res]  # known high 32 bits of each of the four 64-bit states
##################################################
# One LCG step is the affine map s -> MULTIPLIER*s + ADDEND (mod 2^64); with ADDEND = 1 it
# is the matrix [[MULTIPLIER, 1], [0, 1]] acting on (s, 1).  M^ITERATIONS therefore gives
# the map between consecutive outputs, s -> a*s + b.
M = Matrix(Zmod(MASK), [
    [MULTIPLIER, 1],
    [0, 1]
])
Mn = M^ITERATIONS
a, b = Mn[0]
a, b = int(a), int(b)
nums = 4
# Hidden-number-style lattice: state_i = 2^32*t[i] + l_i with unknown l_i < 2^32, and
# state_{i+1} = a*state_i + b (mod 2^64), i.e. a*l_i - l_{i+1} + c_i = 0 (mod 2^64).
L = Matrix(ZZ, 2*nums, 2*nums)
for i in range(nums+1):
    L[i, i] = 1
for i in range(nums-1):
    L[i, nums+i+1] = a
    L[i+1, nums+i+1] = -1
    c = a*2^32*t[i] - 2^32*t[i+1] + b  # known constant c_i of relation i (reuses the name c)
    L[nums, nums+i+1] = c
L[nums, nums] = 2^32  # scales the constant-1 coordinate to the size of the unknown low words
for i in range(nums-1):
    L[-i-1, -i-1] = MASK  # one 2^64 modulus entry per relation
L[:, -(nums-1):] *= MASK  # weight the relation columns so a short vector satisfies them exactly
res = L.LLL()[0][:4]  # first four coordinates: the recovered low 32-bit words
print(res)
decryptïŒ
from gmssl.sm4 import CryptSM4, SM4_ENCRYPT, SM4_DECRYPT

# Same LCG parameters as the challenge script.
MULTIPLIER = 6364136223846793005
ADDEND = 1
MASK = 0xffffffffffffffff
ITERATIONS = 1000
global_seed = 0  # TODO
# Full 64-bit LCG state right after the last IV word was produced: the high half is the
# IV's fourth word, the low half is the value recovered by the lattice step.
iv_high = 0xe0ae615b
iv_low = 187714221
iv_last = (iv_high << 32) + iv_low
global_seed = iv_last


def genRandom() -> int:
    """Advance the LCG state ITERATIONS times and return its top 32 bits."""
    global global_seed
    # print("global_seed", hex(global_seed))
    for _ in range(ITERATIONS):
        global_seed = (global_seed * MULTIPLIER + ADDEND) & MASK
    return (global_seed >> 32) & 0xffffffff


# hex string -> bytes
def HexStringToBytes(hex_str: str) -> bytes:
    return bytes.fromhex(hex_str)


# bytes -> hex string
def BytesToHexString(byte_seq: bytes) -> str:
    return byte_seq.hex()


def genSM4KeyOrIV() -> bytes:
    """Concatenate four consecutive genRandom() outputs into 16 bytes."""
    return HexStringToBytes(''.join(f'{genRandom():08x}' for _ in range(4)))


def SM4Encrypt(data_bytes: bytes, key_bytes: bytes, iv_bytes: bytes) -> bytes:
    """SM4-CBC encryption via gmssl (unused here)."""
    sm4 = CryptSM4()
    sm4.set_key(key_bytes, SM4_ENCRYPT)
    return sm4.crypt_cbc(iv_bytes, data_bytes)


def SM4Decrypt(cipher_bytes: bytes, key_bytes: bytes, iv_bytes: bytes) -> bytes:
    """SM4-CBC decryption via gmssl."""
    sm4 = CryptSM4()
    sm4.set_key(key_bytes, SM4_DECRYPT)
    return sm4.crypt_cbc(iv_bytes, cipher_bytes)


iv_bytes = HexStringToBytes("90fc5cf2e2f47488a257fd51e0ae615b")
# Continuing the stream from the restored state reproduces the key the challenge generated.
key_bytes = genSM4KeyOrIV()
print(key_bytes)
with open("æ»ç»çååçŸåæµéåïŒå å¯åçæä»¶ïŒ.dat", "rb") as fp:
    cipher_bytes = fp.read()
plain_bytes = SM4Decrypt(cipher_bytes, key_bytes, iv_bytes)
with open("plainText.pcapng", "wb") as fp:
    fp.write(plain_bytes)
ç¶åå°±å¯ä»¥åšæµéå
éæŸå°flag4ã
æç»ææ * åšæ¯èµè¿æ¯äžå°ååéçæ¶åïŒæä»¬éææé©å°äº€äžflag4ïŒå®å
šæ²¡ææ¶éŽçæç»ææäºïŒå æ€åªèœèµåå€ç°äžäžã
flag4的流量包跟踪TCP流，可以看到里面有以下内容：
除了flag4外，剩下的数据很显然是和flag2的协同签名有关的，而相比于flag2来说，这里多给了一个client_sign字段的值，回头看看.js文件可以发现这是clientSign2函数的返回值，其流程为：
在clientSign1的过程里会生成一个随机数k1，满足： 传入未知的用户私钥d1，以及已知的s2、s3、r 计算s： 可以看出s1、s的生成等式其实分别就是关于d1、k1的两个变量的方程，所以就可以解出d1了。而我们的目的是伪造一个签名，解出d1之后走一遍协同签名的流程就好了，自然也就没有难度。
没有交互部分了，但可以用d1联系的两个点来检验d1的正确性
exp：
from Crypto.Util.number import *

# SM2 recommended curve; EllipticCurve / Zmod / PolynomialRing come from the Sage prelude.
a = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC", 16)
b = int("28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93", 16)
p = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF", 16)
n = int("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123", 16)
x = int("32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7", 16)
y = int("BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0", 16)
E = EllipticCurve(Zmod(p), [a, b])
G = E(x, y)
################################################################################# res
# Values from the recovered pcap: the client's first round (e, P1, Q1, r1, s1), the
# server's reply (r, s2, s3) and the client's second-round output s (client_sign).
q1x = "125fd6eb66351ca49073a6e55be1fa40cfd6662f80452a6bcea3b25bd69b6b26"
q1y = "79a9748598cc2886b09fa856b9806b8789b8a719f6a969e2f08da35ea997bc5d"
e = "eaf0adee014bd35a12180bbc99292e3acf895203aa97f8dbbb760da04da844f6"
r1 = "125fd6eb66351ca49073a6e55be1fa40cfd6662f80452a6bcea3b25bd69b6b26"
s1 = "47baaef61c7a3c4c239fc2634ec25a2059d937026c6e0b72df1463fbba5b3a05"
p1x = "4c84b1cf8e9255c9385c07c2bf3426a9497d49e2b33c328ab02c4aed8b021bad"
p1y = "8a3e40da9d3423f27be30eebb2e4e11999e565be0def197fe1bcf4f6b724b471"
r = "8A6BB033033E79683E81FE36D6394262D451A3DB9D1A0C489D51543D22E67BC4"
s2 = "B54A6668F644EC08D925552D45F66E348762B460693E7A68CBB0FDF38327DB45"
s3 = "B50FAE013594F79192898FF7FC0A84D931B1EC56EF9174159023ACF1C708180D"
s = "cb524f49515c9a7387210ddcdbf1f32aad1c8806f01a362c62a5d6a5466da158"
tt = [e, p1x, p1y, q1x, q1y, r1, s1, r, s2, s3, s]
e, p1x, p1y, q1x, q1y, r1, s1, r, s2, s3, s = [int(i, 16) for i in tt]
P1 = E(p1x, p1y)
Q1 = E(q1x, q1y)
################################################################################# solve d1
# Two equations in the unknowns (k1, d1), both taken from the client code:
#   clientSign1: s1 = k1^(-1) * (e + d1^(-1) * r1)  ->  (s1*k1 - e)*d1 - r1 = 0
#   clientSign2: s  = d1*k1*s2 + d1*s3 - r          ->  d1*k1*s2 + d1*s3 - r - s = 0
PR.<k1, d1> = PolynomialRing(Zmod(n))
f1 = (s1*k1 - e)*d1 - r1
f2 = d1*k1*s2 + d1*s3 - r - s
# The resultant in k1 eliminates it, leaving a univariate polynomial whose roots include d1.
res = f1.sylvester_matrix(f2, k1).det().univariate_polynomial().monic().roots()
d1 = int(res[1][0])
# Check: clientSign1 sends P1 = d1^(-1) * G, so the right root satisfies d1*P1 == G.
print(d1*P1 == G)
æè
from sage.all import *

# SM2 recommended curve parameters.
a = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
x = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
y = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
E = EllipticCurve(GF(p), [a, b])
G = E(x, y)

# Transcript values from the recovered pcap (same exchange as the previous script).
s = 0xcb524f49515c9a7387210ddcdbf1f32aad1c8806f01a362c62a5d6a5466da158
r = 0x8A6BB033033E79683E81FE36D6394262D451A3DB9D1A0C489D51543D22E67BC4
s2 = 0xB54A6668F644EC08D925552D45F66E348762B460693E7A68CBB0FDF38327DB45
s3 = 0xB50FAE013594F79192898FF7FC0A84D931B1EC56EF9174159023ACF1C708180D
e = 0xeaf0adee014bd35a12180bbc99292e3acf895203aa97f8dbbb760da04da844f6
r1 = 0x125fd6eb66351ca49073a6e55be1fa40cfd6662f80452a6bcea3b25bd69b6b26
s1 = 0x47baaef61c7a3c4c239fc2634ec25a2059d937026c6e0b72df1463fbba5b3a05

# Server share, as in the flag2 step: the server uses k3 == k2, so s3 - s2 = d2*r.
d2 = ZZ((s3 - s2) * inverse_mod(r, n) % n)

'''
s1*k1-e = d1^(-1) * r1
r1 = d1*(s1*k1-e)
r1 = d1*k1 * s1 - d1*e
s = d1*k1*s2 + d1*s3 -r
s*s1 = d1*k1*s1 * s2 + d1*s3*s1 - r*s1
s*s1 = (r1+d1*e)*s2 + d1 * s3*s1 - r*s1
'''
# After the elimination in the derivation above the relation is linear in d1 (x below
# is the polynomial variable, shadowing the generator's x-coordinate); its root is d1.
R = PolynomialRing(GF(n), 'x')
x = R.gens()[0]
f = (r1 + x*e)*s2 + x*s3*s1 - r*s1 - s*s1
ans = f.roots()

# Recovered shares, pasted back in as integers, plus a fresh message hash e and fixed nonces.
d1 = 90919127323695568397119051689582862352296983775157729258730148362152821090405
d2 = 75133153874808200698750375741973887146735262423059242244009334005845482114914
e = 0x9e810778a6b177c6aa1799365977adfbeef605c19b5ea917527d1541c1339019
k1 = 233
# Re-run both halves of the protocol (clientSign1, server(), clientSign2) with the
# recovered shares to confirm they produce a consistent (r, s) pair.
P = inverse_mod(d1, n) * G          # client share point P1 = d1^(-1) * G
Q = k1*G                            # client nonce point Q1
r1 = ZZ(Q.xy()[0])
s1 = ZZ(inverse_mod(k1, n) * (e + inverse_mod(d1, n) * r1) % n)
k2 = 17
k3 = 71
R = k2*G + k3*Q                     # reassigns R (previously the polynomial ring)
x1 = ZZ(R.xy()[0])
r = ZZ((e + x1) % n)
s2 = ZZ(d2 * k3 % n)
s3 = ZZ(d2 * (r+k2) % n)
s = (d1*k1*s2 + d1*s3 - r) % n
print(s)
print(hex(r)[2:])
print(hex(s)[2:])
来源： https://tangcuxiaojikuai.xyz/post/6452f9a0.html