def pub2vkey(pub):
key = pub[2:]
l = len(key)
assert l == 128, "key length wrong: %i" % l
x = int(key[:int(l / 2)], 16)
y = int(key[int(l / 2):], 16)
return fpoint.Point(x, y, curve=fcurve.secp256k1)
def verify(self, payload, user_id, r, s):
canonical_payload = json.dumps(payload,
sort_keys=True,
separators=(',', ':'))
pub_key_x = '0x' + user_id[2:]
hex_int = int(pub_key_x, 16)
return ecdsa.verify(
(int(r, 16), int(s, 16)),
canonical_payload,
point.Point(hex_int, (self.uncompressed_keys[pub_key_x]),
curve.secp256k1),
curve=curve.secp256k1)
def point_decode_from(curve, buffer):
# https://github.com/cryptocoinjs/ecurve/blob/master/lib/point.js#L213
typpe = int.from_bytes(bytes(buffer)[:1], byteorder='big', signed=False)
compressed = typpe != 4
byte_length = math.floor((curve.p.bit_length() + 7) / 8)
x = buffer[1:1 + byte_length]
int_x = int(x.hex(), 16)
if compressed:
if not len(buffer) == byte_length + 1:
raise InvalidSignatureException('Invalid sequence length')
if not (typpe == 0x02 or typpe == 0x03):
raise InvalidSignatureException('Invalid sequence tag')
is_odd = typpe == 0x03
y = curve_point_from_x(curve, is_odd, int_x)
else:
if not len(buffer) == byte_length + byte_length + 1:
raise InvalidSignatureException('Invalid sequence length')
y = buffer[1 + byte_length:]
return point.Point(int_x, y, curve)
def decode_public(pub_key: bytes) -> point.Point:
try:
if len(pub_key) == 33:
# compressed format
y_odd = pub_key[0:1] == SECP256K1_TAG_PUBKEY_ODD
x = int.from_bytes(pub_key[1:], "big")
y_y = pow(x, 3) + CURVE.a * x + CURVE.b
y = mod_sqrt(y_y, CURVE.p, y_odd)
elif len(pub_key) == 65:
tag = pub_key[0:1]
assert tag == SECP256K1_TAG_PUBKEY_UNCOMPRESSED
x = int.from_bytes(pub_key[1:ENCODED_SIZE + 1], "big")
y = int.from_bytes(pub_key[ENCODED_SIZE + 1:], "big")
else:
raise NotImplementedError
return point.Point(x, y, CURVE)
except:
raise ValueError("The public key could not be parsed or is invalid")
def verified(args, ip):
try:
name = args['name']
timestamp = long(args['timestamp'])
max_nonce = get_max_nonce(name)
if timestamp <= max_nonce:
return False
r = long(args['r'])
s = long(args['s'])
pub_key = get_pub_key(name)
if pub_key == None:
return False
x, y, curvenum, _ = pub_key
pub_key = None
if curvenum == 256:
pub_key = point.Point(x=long(x), y=long(y), curve=curve.P256)
update_max_nonce(name, ip, timestamp)
message = sha("I {} am verified to trade at {}".format(name, timestamp)).hexdigest()
return ecdsa.verify((r, s), message, pub_key, hashfunc=sha)
except Exception as e:
return str(e)
#!/usr/bin/python
import hashlib, binascii, base64
from fastecdsa import keys, curve, point
from Crypto.Cipher import AES
import queue
import threading
import time
import sys
x = 0xc58966d17da18c7f019c881e187c608fcb5010ef36fba4a199e7b382a088072f
y = 0xd91b949eaf992c464d3e0d09c45b173b121d53097a9d47c25220c0b4beb943c
PUBLIC_KEY = point.Point(x, y, curve.P256)
PASSWORD_QUEUE = queue.Queue()
def tryPassword(pw):
privKey = hashlib.sha256(pw).digest()
pubKey = keys.get_public_key(int.from_bytes(privKey, "big"), curve.P256)
if pubKey != PUBLIC_KEY:
return False
print("Found possible password:"******"Hy97Xwv97vpwGn21finVvZj5pK/BvBjscf6vffm1po0=")
try:
decrypted = cipher.decrypt(encrypted)
print(decrypted.decode('utf-8'))
def deserialize(self):
self.digital_signature=(int(self.digital_signature[0]),int(self.digital_signature[1]))
self.public_key=point.Point(int(self.public_key[0]),int(self.public_key[1]))
def extract_points_from_str(self, strPoint):
x = strPoint.split('\n')[0][3:]
y = strPoint.split('\n')[1][3:]
return point.Point(int(x, 16), int(y, 16))
h = int(res, 16)
hh = q + h
p.sendline("1")
p.recvuntil("hash (hex): ")
p.sendline(hex(hh)[2:])
res = p.recvuntil("4- Exit").decode().split(")")[0].split("(")[1].split(", ")
r = int(res[0])
s = int(res[1])
print(r, s, h)
rx = r
ry = sympy.sqrt_mod((rx * rx + E.a) * rx + E.b, E.p)
R1 = point.Point(rx, ry, curve=E)
R2 = point.Point(rx, -ry % E.p, curve=E)
P1 = int(gmpy2.invert(r, q)) * (s * R1 - h * E.G)
P2 = int(gmpy2.invert(r, q)) * (s * R2 - h * E.G)
keys = [P1, P2]
print("Searching...")
flag = None
for i in tqdm(range(m)):
for j in range(len(keys)):
if keys[j].x in table:
d = None
e = gmpy2.powmod(base, i * m + table[keys[j].x], q)
eG = int(e) * E.G
if P1 == eG or P2 == eG:
def do_some_work(p):
res = p.recvline()
p2 = process(res, shell=True)
token = p2.recvline().split(b" ")[2]
p.sendline(token)
E = curve.P256
q1 = 2 * 2 * 2 * 2 * 3 * 71 * 131 * 373 * 3407
q2 = 17449 * 38189 * 187019741 * 622491383 * 1002328039319 * 2624747550333869278416773953
q = q1 * q2 + 1
# Solver with baby step giant step:
m = math.ceil(math.sqrt(q1))
table = {}
base = pow(7, q2, q)
if os.path.isfile('/app/ec_table'):
with open("/app/ec_table", "rb") as f:
table = pickle.load(f)
else:
t = 1
print("Creating table...")
for j in range(m):
table[(t * E.G).x] = j
t = t * base % q
with open("/app/ec_table", "wb") as f:
pickle.dump(table, f)
v = gmpy2.powmod(base, -m, q)
res = p.recvuntil("4- Exit")
p.sendline("3")
p.recvuntil("password: "******"123")
res = p.recvuntil("4- Exit").decode().split("...")[0].split("Signing ")[1]
h = int(res, 16)
hh = q + h
p.sendline("1")
p.recvuntil("hash (hex): ")
p.sendline(hex(hh)[2:])
res = p.recvuntil("4- Exit").decode().split(")")[0].split("(")[1].split(
", ")
r = int(res[0])
s = int(res[1])
print(r, s, h)
rx = r
ry = sympy.sqrt_mod((rx * rx + E.a) * rx + E.b, E.p)
R1 = point.Point(rx, ry, curve=E)
R2 = point.Point(rx, -ry % E.p, curve=E)
P1 = int(gmpy2.invert(r, q)) * (s * R1 - h * E.G)
P2 = int(gmpy2.invert(r, q)) * (s * R2 - h * E.G)
keys = [P1, P2]
print("Searching...")
flag = None
for i in range(m):
print('progress: {}/{}'.format(i, m))
for j in range(len(keys)):
if keys[j].x in table:
d = None
e = gmpy2.powmod(base, i * m + table[keys[j].x], q)
eG = int(e) * E.G
if P1 == eG or P2 == eG:
print("Found", e)
d = e
else:
if -P1 == eG or -P2 == eG:
f = -e % q
print("Found", f)
d = f
if d:
u = gmpy2.invert(s, q) * (r * d + h) % q
sol1 = gmpy2.invert(u, q)
sol2 = -sol1 % q
print(sol1, sol2)
for sol in [sol1, sol2]:
p.sendline("3")
p.recvuntil("password: "******"OK!")
p.sendline("4")
res = p.recvuntil("Bye!")
return flag.decode()
