def encrypt_check(_ct, _ct_l, _key1, _key2, _nonce, _ad): ct_bkl = _ct_l // BLOCKLEN aes1 = AES.new(_key1, AES.MODE_ECB) aes2 = AES.new(_key2, AES.MODE_ECB) bks1 = [aes1.encrypt(l2b((b2l(_nonce) << 32) + 2 + i, 16)) for i in range(ct_bkl)] bks2 = [aes2.encrypt(l2b((b2l(_nonce) << 32) + 2 + i, 16)) for i in range(ct_bkl)] full_ct = [0]*_ct_l ks1 = [0]*_ct_l ks2 = [0]*_ct_l for i in range(_ct_l): ks1[i] = bks1[i//16][i % 16] ks2[i] = bks2[i//16][i % 16] full_ct[i] = _ct[i//16][i % 16] plaintxt1 = xor(bytes(full_ct), bytes(ks1)) plaintxt2 = xor(bytes(full_ct), bytes(ks2)) encrypted1,tag1 = gcm_encrypt(_key1, _nonce, plaintxt1,_ad) encrypted2,tag2 = gcm_encrypt(_key2, _nonce, plaintxt2,_ad) assert encrypted1 == encrypted2 and tag1 == tag2 return encrypted1, tag1
def collide(_key1, _key2, _nonce, _plain, _ad, DEBUG=False, _blockidx=-1):
ct_l = len(_plain)
ct_bkl = ct_l // BLOCKLEN
ct_bl = 8 * ct_l
ad_bl = 8*len(_ad)
print("blocks:", ct_bkl)
print()
aes1 = AES.new(_key1, AES.MODE_ECB)
aes2 = AES.new(_key2, AES.MODE_ECB)
authkey1 = aes1.encrypt(all_zeros)
authkey2 = aes2.encrypt(all_zeros)
coeffs = getCoeffs(authkey1, authkey2, ad_bl//128 + ct_bkl+1)
pad1 = aes1.encrypt(l2b((b2l(_nonce) << 32) | 1, 16))
pad2 = aes2.encrypt(l2b((b2l(_nonce) << 32) | 1, 16))
pads = ifAdd(pad1, pad2)
keystream1 = [aes1.encrypt(l2b((b2l(_nonce) << 32) + 2 + i, 16)) for i in range(ct_bkl)]
ct = [ifAdd(_plain[16*i:16*(i+1)], keystream1[i]) for i in range(ct_bkl)]
assert len(ct) == ct_bkl
coef = binascii.hexlify(coeffs[ct_bkl+1-_blockidx])
sum_ = getSum(_ad, coeffs, pads, ct, _blockidx)
ct[_blockidx] = ifMul(l2b(getInverse(coef), 16), sum_)
encrypted, tag = encrypt_check(ct, ct_l, _key1, _key2, _nonce, _ad)
return encrypted,tag
def analysis(key, diff):
print("key: {:032x}".format(b2l(key)))
keys, sbox = expand_key(key, 16)
colorama.init()
bits = [0 for _ in range(16*8)]
sample = 5000
for s in trange(sample):
diff_sqrd = []
#diff = b2l(os.urandom(16))
x, y = b2l(os.urandom(16)), b2l(os.urandom(16))
for i in (x, y):
a = b2l(encrypt_block(l2b(i), keys, sbox, 16))
b = b2l(encrypt_block(l2b(i ^ diff), keys, sbox, 16))
diff_sqrd.append(a ^ b)
if s == 0:
print("\r{:032x}->{:032x} ".format(i, a))
print("{:032x}->{:032x} ".format(i ^ diff, b))
print("{:032x}->{:032x} ".format(diff, a ^ b))
print("-"*66)
r = diff_sqrd[0] ^ diff_sqrd[1]
if s == 0:
print("{:032x}".format(r).rjust(66, ' '))
print('\r')
#r = encrypt_block(os.urandom(16), keys, sbox, 16)
r = '{:0128b}'.format(r)
bits = [x+int(y, 2) for x, y in zip(bits, r)]
from colorama import Fore
green, yellow, red = Fore.GREEN, Fore.YELLOW, Fore.RED
reset = colorama.Style.RESET_ALL
tests = []
for x in bits:
t = binom_test(x, sample, 0.5)
x = "%.2E" % t
if len(x) > 8:
x = red+"0"*5+reset
tests.append(x)
continue
x = re.sub(r"\.|E|-|\+", "", x)
if t <= 0.1 and t >= 0.01:
x = yellow+x+reset
elif t < 0.01:
x = red+x+reset
tests.append(x)
print("\r\nProbability that each bit is equally likely 0 or 1")
print('format: XYYZZ = X.YYE-ZZ')
print('\n'.join(chunks(tests, 8, m=' '.join)))
print("Overall: ", end='')
final = binom_test(sum(bits), sample*len(bits), 0.5)
print((red if final <= 0.05 else green) + "%.4E" % final + reset)
def main():
c = 3082489874584540355861976440154957444349802968606358209180310319846045010290428219945114844043901302597650924982910286231671337430936664185809669066762817535499514756463968189674472801536320141026694560204079394058935377378137004712487812117718010360346278762378192809353855702825349327607244514852447790414426389507325928721778099789473656709278135098915643867190345991798884214391389207351837734104494534915592459046635480167584016281186038004020937047971991512996625468347184973943467542720967761335734799148698672931984386755418194996569343120441376243026639952906891084792796113007934063427372263145841708494015
e = 65537
n = 4835750187736017002199910402633824276307631898091000077771942652114774929553132338780864979244300002934950340799255707706719068807452407480611171357191437808195657961280485410190950021251938036710663784185407986885413060120305830667265752106891991907683349203859430029804970061705163529856022394765039070626284349963490115392327176993981111921903099443600754324722527818078282290124479202829123212555658572674854964849787146566576353289029751920324001899153487870430173605050309512383603908334958874100463419711909679461073160404554664143408055364570826428967757690953156967295496007885336849722190950712736684455537
factor_list = fermat_factorization(n)
print(factor_list)
[X1, Y1] = factor_list[0]
[X2, Y2] = factor_list[1]
assert X1 * Y1 == n
assert X2 * Y2 == n
#p1 = GCD(X1, X2)
#p2 = X1 / p1
#q1 = GCD(Y1, Y2)
#q2 = Y1 / q1
p1 = GCD(X1,X2)
q1 = X1//p1
p2 = GCD(Y1,Y2)
q2 = Y1//p2
phi = (p1 - 1) * (q1 - 1) * (p2 - 1) * (q2 - 1)
d = inverse(e, phi)
flag = l2b(pow(c, d, n))
print(flag)
def main():
c = 5333020300559057627358629150444779517927607675346073210522985591749203153560945527905471617055390862832090724275674301850841328746015818539999254106959583022492771703624475944141387595460858005483478153896882057074736219148307775833908988111821196571444363406298895482129627722808797729608415039516568435053064741173178431954979628184113077609472474158501321140759120865933591449468716625271915315192237652960416609140093720936411488882176262245872088399590046010317722025560167003681009206835834580085250672176381127010208394234527481235534697123574687573506314887709574961111534684456158044614521548036760981001130
e = 65537
n = 7661893861079288704612324056824281971553256849386803241531603299789846141029329254547934930958439426559413588181586850979797598156981380154181904473913556755982046171992133300178070732688527462379925496142741944410278173915503007594075131197019636352126219973024134086516300904590025630353490746964989205729428932590318185431652353310237407006739807162337887502047657095011822728581616805184689818928930804574318013115689430260450572839060904176023480504876807310962105063058782417722431654669730509157358979892491644691833798706704808468441748166558510311296180338934849110001861689206816856832238128874896790516637
factor_list = fermat_factorization(n)
print(factor_list)
[X1, Y1] = factor_list[0]
[X2, Y2] = factor_list[1]
assert X1 * Y1 == n
assert X2 * Y2 == n
#p1 = GCD(X1, X2)
#p2 = X1 / p1
#q1 = GCD(Y1, Y2)
#q2 = Y1 / q1
p1 = GCD(X1, X2)
q1 = X1 / p1
p2 = GCD(Y1, Y2)
q2 = Y1 / p2
phi = (p1 - 1) * (q1 - 1) * (p2 - 1) * (q2 - 1)
d = inverse(e, phi)
flag = l2b(pow(c, d, n))
print(flag)
def apply_sbox_inv_key(b, key, block_size):
#fix keys
key = [b2l(l2b(x)*block_size) for x in key]
#extract upper and lower halfs
uh, c = b & int('f0'*block_size, 16), b & int('0f'*block_size, 16)
uh = uh ^ (c << 4)
return conditional_apply(uh, c, key, block_size)
def apply_sbox(b: int, key: list, block_size: int = 16):
#fix keys
key = [b2l(l2b(x)*block_size) for x in key]
#extract upper and lower halfs
uh, lh = b & int('f0'*block_size, 16), b & int('0f'*block_size, 16)
c = lh | (lh << 4)
return conditional_apply(uh, c, key, block_size)
def decrypt(self, e, privkey):
e, privkey = self.S(e), self.S(privkey)
temp = map(Integer, list(privkey * e))
temp = [t - self.q if t > self.q // _sage_const_2 else t for t in temp]
temp = [t % self.p for t in temp]
pt_encoded = [t - self.p if t > self.p // _sage_const_2 else t for t in temp]
pt = l2b(self.decode(pt_encoded))
return pt
def getKS(key, nonce, bCount, initCount=0): # initCount = 2 for GCM, 0 for CTR
aesECB = AES.new(key, AES.MODE_ECB)
stream = b"".join([
aesECB.encrypt(l2b((nonce << 32) + initCount + i, 16))
for i in range(bCount + 1)
])
assert len(stream) == 16 * (bCount + 1)
return stream
def check(n):
sys.stdout.write('\rMODULUS: {:x} '.format(n))
resp = requests.get('http://127.0.0.1:5000/?cmd={}'.format(
b64enc(l2b(n)).decode()))
if 'Ciphertext too large' in resp.text:
return True
if 'Ciphertext with incorrect length' in resp.text:
return True
return False
def getSum(_ad, _coeffs, _pads, _ct, _idx): ct_bl = 8 * len(_ct) * 16 ct_bkl = len(_ct) ad_bl = 8*len(_ad) sum_ = ad_sum(_ad, _coeffs, ad_bl//128 + ct_bkl + 1) lenblock = l2b(ad_bl, 8) + l2b(ct_bl, 8) lenblock_term = ifMul(_coeffs[1], lenblock) sum_ = ifAdd(sum_, lenblock_term) sum_ = ifAdd(sum_, _pads) for i in range(len(_ct)): if not i == _idx: block = _ct[i] coeff = _coeffs[ct_bkl+1-i] sum_ = ifAdd(sum_, ifMul(block, coeff)) return sum_
def substitute(self, b):
assert len(b) % self.BOX_SIZE == 0
res = list()
blocks = self.nsplit(b, self.BOX_SIZE)
for i in range(len(blocks)):
block = blocks[i]
inBOX = b2l(self.bitarray_to_bytes(block, 1))
val = self.SBox[inBOX]
res += self.bytes_to_bitarray(l2b(val), 8)
return res
def expand_key(key: bytes, num_keys: int = 7):
random.seed(b2l(key))
sbox_key = gen_box_key(num_keys)
keys = b''
for i in range(num_keys):
keys += encrypt_block(
key,
l2b(i).rjust(len(key), b'\x00')*num_keys,
sbox_key,
len(key)
)
return keys, sbox_key
def dec(t):
mp = modular_sqrt(t, p)
mq = modular_sqrt(t, q)
_, yp, yq = egcd(p, q)
r = (yp * p * mq + yq * q * mp) % n
s = (yp * p * mq - yq * q * mp) % n
ms = [r, s, n - r, n - s]
for m in ms:
if check(m):
flag = l2b(m)
assert flag == "d4rk{r3p3t1t1v3_r4b1n_1s_th4_w0rs7_3vaaaaaar!}code"
print(flag)
exit()
for m in ms:
dec(m)
def dec(t):
mp = modular_sqrt(t, p)
mq = modular_sqrt(t, q)
_, yp, yq = egcd(p, q)
r = (yp * p * mq + yq * q * mp) % n
s = (yp * p * mq - yq * q * mp) % n
ms = [r, s, n - r, n - s]
for m in ms:
if check(m):
flag = l2b(m)
print(flag)
raw_input()
exit()
for m in ms:
dec(m)
def getInverse(_coef):
global invert_data
print("Coef to be inverted: %s" % b2a(_coef), end = '')
if _coef in INVERTS:
print(" (already computed)")
inverse = INVERTS[_coef]
else:
print(" (not present)")
print("Inverting the coefficient (takes a few mins)...")
inverse = ifInvert(binascii.unhexlify(_coef))
a, b = repr(_coef)[2:-1], repr(binascii.hexlify(l2b(inverse, 16)))[2:-1]
print("New invert:", a, b)
with open(invertsfn, "w") as f:
invert_data += ["\n%s %s" % (a, b)]
f.write("".join(invert_data))
return inverse
def getCoeffs(_H1, _H2, _pows, DEBUG=False):
print("Computing", _pows, "coefficients.")
retval = [l2b(1, 16), ifAdd(_H1,_H2)]
prev_H1 = _H1
prev_H2 = _H2
for i in range(2, _pows+1):
prev_H1 = ifMul(prev_H1, _H1)
prev_H2 = ifMul(prev_H2, _H2)
retval.append(ifAdd(prev_H1, prev_H2))
# sanity check
assert retval[1] == ifAdd(_H1, _H2)
assert retval[2] == ifAddL(ifSquare(_H1), ifSquare(_H2))
assert retval[3] == ifAddL(ifCube(_H1), ifCube(_H2))
return retval
def decrypt_round(
c: bytes,
key: bytes, sbox_inv: bytes,
block_size: int
):
m, key = b2l(c), b2l(key)
#non-linear addition
m = (m - int('01'*block_size*4, 2)) % (1 << (block_size*8))
#shuffle
mask = int('f0'*block_size, 16)
uh, lh = m & mask, m & (mask >> 4)
m = uh | ror(lh, 8*7, block_size*8)
#sbox
m = apply_sbox_inv_key(m, sbox_inv, block_size)
#key
m ^= key
return l2b(m)
def main():
factor_list = fermat_factorization(n)
[X1, Y1] = factor_list[0]
[X2, Y2] = factor_list[1]
assert X1 * Y1 == n
assert X2 * Y2 == n
p1 = GCD(X1, X2)
p2 = X1 / p1
q1 = GCD(Y1, Y2)
q2 = Y1 / q1
phi = (p1 - 1) * (q1 - 1) * (p2 - 1) * (q2 - 1)
d = inverse(e, phi)
flag = l2b(pow(c, d, n))
assert flag == "ISITDTU{C0ngratu1ati0ns_Attack_RSA_Multi_prim3!!!!}"
print(flag)
def encrypt_round(
m: bytes,
key: bytes, sbox_key: bytes,
block_size: int
):
logger.debug("%032x, %032x, %08x", b2l(m), b2l(key), b2l(sbox_key))
#format inputs
c, key = b2l(m), b2l(key)
#mix in the key
c ^= key
#apply sbox
c = apply_sbox(c, sbox_key)
#lower halfs shuffle
m = int('f0'*block_size, 16)
uh, lh = c & m, c & (m >> 4)
c = uh | rol(lh, 8*7, block_size*8)
#c = uh | rol(lh, 8*(round_num+1), block_size*8)
#non-linear addition to every byte
c += int('01010101'*(block_size), 2)
c = c & int('ff'*block_size, 16)
#format result
return l2b(c)
args = parser.parse_args()
fnmix = args.polyglot
fnpoc = args.output
key1, key2 = args.keys
ad = args.additional_data
blockidx = args.block_index
nonce = args.nonce
key1 = pad16(unhextry(key1)).encode()
key2 = pad16(unhextry(key2)).encode()
assert not key1 == key2
noncei = int(nonce)
nonceb = l2b(int(nonce),12)
ad = unhextry(ad).encode()
ad = pad(ad, BLOCKLEN)
# fnmix should come from Mitra and
# has a naming convention like "P(14-89)-ID3v2[Zip].4d01e2fb.mp3.zip"
swaps = [int(i, 16) for i in fnmix[fnmix.find("(") + 1:fnmix.find(")")].split("-")]
exts = fnmix[-9:].split(".")[-2:]
with open(fnmix, "rb") as file:
dIn = file.read()
dIn = pad(dIn, BLOCKLEN) # the padding will break with formats not supporting appended data
assert len(dIn) % 16 == 0
bCount = len(dIn) // 16
def find_shortest_vector(matrix):
for col in matrix.columns():
if col[0] == 0 and is_target_value(col[1:]):
return col
else:
continue
pub = eval(open("pubkey.txt", "r").read())
c = int(open("ciphertext.txt", "r").read())
m = create_matrix(pub, c)
lllm = m.transpose().LLL().transpose()
shortest_vector = find_shortest_vector(lllm)
print shortest_vector
x = ""
for v in shortest_vector[1:]:
if v == 1:
x += "1"
elif v == -1:
x += "0"
flag = l2b(int(x[::-1], 2))
print flag
# lenstra_and_lovasz_liked_lattices
from config import c, n, t, z, factors
from Crypto.Util.number import long_to_bytes as l2b
from operator import mul
# factor by factordb
assert n == reduce(mul, factors)
phin = reduce(mul, [p - 1 for p in factors])
l = pow(2, pow(2, t, phin), n)
m = c ^ l ^ z
flag = l2b(m)
assert flag == "CCTF{_______________________________________________Happy_Birthday_LCS______________________________________________}"
print(flag)
args = parser.parse_args()
fnmix = args.polyglot
fnpoc = args.output
key1, key2 = args.keys
ad = args.additional_data
blockidx = args.block_index
nonce = args.nonce
key1 = pad16(unhextry(key1)).encode()
key2 = pad16(unhextry(key2)).encode()
assert not key1 == key2
noncei = int(nonce)
nonceb = l2b(int(nonce), 12)
ad = unhextry(ad).encode()
ad = pad(ad, BLOCKLEN)
# fnmix should come from Mitra and
# has a naming convention like "P(14-89)-ID3v2[Zip].4d01e2fb.mp3.zip"
swaps = [
int(i, 16)
for i in fnmix[fnmix.find("(") + 1:fnmix.find(")")].split("-")
]
exts = fnmix[-9:].split(".")[-2:]
with open(fnmix, "rb") as file:
dIn = file.read()
def BruteNonce(fn):
def ifMul(_a1, _a2): old_product = gf_2_128_mul(b2l(_a1),b2l(_a2)) return l2b(old_product, 16)
def ifAdd(_a1, _a2): return l2b(b2l(_a1) ^ b2l(_a2), 16)
def ifAddL(_a1,_a2): return l2b(_a1 ^ _a2, 16)
# SCTF{You_really_
p.interactive()
elif stage == 2:
p = remote('saltydsa.eatpwnnosleep.com', 12345)
p.recvuntil('1) register 2) login 3) exit\n')
p.sendline('1')
p.recvuntil('name as hex encoded string.\n')
p.sendline(hexlify(TMP_ID))
p.recvuntil('Plz keep it secret.\n')
r0, s0 = map(int, p.recvline().strip().split())
# salt + 'A'*36 + md5(x)
# k = s^-1 * (m + xr)
md5_status = l2b(int(Integer(s0).inverse(server1['q']) *
(Integer(b2l(md5(TMP_ID).digest())) + server1['x'] * Integer(r0)) %
server1['q']))
# 8a6ed196cf0342aed5e65039ef6b92e7
# use https://github.com/s1fr0/md5-tunneling
print hexlify(md5_status)
status_arr = [
u32(md5_status[0:4]),
u32(md5_status[4:8]),
u32(md5_status[8:12]),
u32(md5_status[12:16]),
]
print ' '.join(map(lambda n: '0x%08x' % n, status_arr))
elif stage == 3:
blkIns.transactions[0]
# tsc = sc.TriggerSmartContract()
# tsc.ParseFromString(blkIns.transactions[0].raw_data.contract[0].parameter.value)
blockDB = plyvel.DB("/data2/20210425/output-directory/database/block")
blockIt = blockDB.iterator()
k, v = next(blockIt)
print(k)
print(v)
print(binascii.hexlify(k))
vs = Tron_pb2.Block()
vs.ParseFromString(v)
# blockIndexDB = plyvel.DB("/data2/20210425/output-directory/database/block-index")
v = blockIndexDB.get(l2b(20000000))
print(v)
print(binascii.hexlify(v))
myBlock = blockDB.get(v)
print(v)
import core.contract.balance_contract_pb2 as balance_contract
c1 = balance_contract.TransferContract()
c1.ParseFromString(vs.transactions[1].raw_data.contract[0].parameter.value)
import core.contract.asset_issue_contract_pb2 as asset_issue_contract
c2 = asset_issue_contract.TransferAssetContract()
c2.ParseFromString(vs.transactions[2].raw_data.contract[0].parameter.value)
from Crypto.Util.number import long_to_bytes as l2b
import pickle
val = pickle.load(open('enc.pickle', 'rb'))
def atk(val, nbit):
A = Matrix(ZZ, nbit + _sage_const_1, nbit + _sage_const_1)
for i in range(nbit):
A[i, i] = _sage_const_2
A[i, nbit] = val['pbkey'][i]
A[nbit, i] = _sage_const_1
A[nbit, nbit] = val['cip']
return A.LLL()
nbit = len(val['pbkey'])
res = atk(val, nbit)
for i in range(nbit):
if all([
j in range(-_sage_const_2, _sage_const_2)
for j in res[i][_sage_const_1:-_sage_const_1]
]):
print(res[i])
msg = int(
''.join([
'1' if i <= -_sage_const_1 else '0'
for i in res[i][:-_sage_const_1][::-_sage_const_1]
]), _sage_const_2)
print(l2b(msg))
