L3HCTF

EzECDSA

太恐怖了吧，这个我task放在本地跑CPU都直接占满？？？

好多知识要恶补。题目意思比较简单了，ECDSA椭圆曲线签名，而且知道100个nonce的低8位

看la佬的博客上上面有篇链接指向的文章说，泄漏每个nonce的低位就可以攻击ECDSA

看不懂论文，所以只能在github上疯狂搜代码，终于找到了这位师傅的

https://github.com/bitlogik/lattice-attack

这个师傅是通过json传递数据，稍微改一下就好，bitlogik师傅的代码要用sage运行，用到了fpylll，提供LLL，BKZ等矩阵运算

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from hashlib import sha256
from string import ascii_letters, digits
from pwn import *
from itertools import product
from re import findall

table = ascii_letters + digits
# context.log_level = 'debug'


class Solve():
    def __init__(self):
        # self.sh = remote('127.0.0.1', 23333)
        self.sh = remote('121.36.197.254', 9999)
        self.pk = (0, 0)
        self.dA = 0
        self.r, self.s, self.kp, self.hash = [[] for _ in range(4)]

    def proof_of_work(self):
        # sha256(XXXX+EiHCHlPjoO2PnV2Z) == c4f17d1f76f7f11f75349dcd84f51b6e615aa756271841558ec8dda57e274959
        # Give me XXXX:
        proof = self.sh.recvuntil(b'Give me XXXX:')
        tail = proof[12:28].decode()
        _hash = proof[33:97].decode()
        for i in product(table, repeat=4):
            head = ''.join(i)
            t = sha256((head + tail).encode()).hexdigest()
            if t == _hash:
                self.sh.sendline(head.encode())
                break

    def solve_param(self):
        self.pk = self.sh.recvline().decode()
        self.pk = list(map(int, findall(r"\d+", self.pk)))

    def solve_flag(self):
        self.sh.sendlineafter(b'Give me dA\n', str(self.dA).encode())
        flag = self.sh.recvline()
        print(flag)

    def solve_rskphash(self, _msg):
        # r = 52048392139623372592078752615260846843189290463527724311126948642962323725543
        # s = 109433217428494848625070143495220795563459361957459040433009455008946372438244
        # kp = 4
        # hash = 7233656426779106235949203295872203792378863493827336253291317784541539210508
        self.sh.sendlineafter(b'Give me your message:\n', _msg)
        _r = int(self.sh.recvline().decode()[4:-1])
        _s = int(self.sh.recvline().decode()[4:-1])
        _kp = int(self.sh.recvline().decode()[4:-1])
        _hash = int(self.sh.recvline().decode()[7:-1])
        self.r.append(_r), self.s.append(_s), self.kp.append(_kp), self.hash.append(_hash)

    def solve(self):
        self.proof_of_work()
        self.solve_param()

        _param = []
        for i in range(100):
            self.solve_rskphash(b'4XWi11')
            _param.append({"r": self.r[i], "s": self.s[i], "kp": self.kp[i], "hash": self.hash[i]})

        print(_param)
        print(self.pk)
        self.sh.interactive()


if __name__ == '__main__':
    solution = Solve()
    solution.solve()

然后把得到的两个列表丢进去，手动交互一下

干出这道直接冲到第九

p0o0w

什么玩意就又Crypto手开始逆向了