from binascii import unhexlify | |
from Crypto.Cipher import AES | |
from Crypto.Util.Padding import unpad | |
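# Recover an ECDSA private key from two signatures whose nonces are short.
#
# NOTE(review): inverse_mod() and Matrix() are used without an import, so this
# presumably runs under SageMath; the "/" in the lattice basis is then an exact
# rational, not a float.
#
# Security-relevant point: the candidate filter below only accepts nonces
# below 2**127, about half the bit length of the 256-bit group order. ECDSA
# nonces must be uniform over the whole range [1, order - 1], or derived
# deterministically (RFC 6979). A bias of this size lets the signing key be
# computed from public signature values alone.

# Public signature values: one r is used with both s values, and msg1/msg2
# take the place of the message digests in the signing equation.
r = 50394691958404671760038142322836584427075094292966481588111912351250929073849
s1 = 26685296872928422980209331126861228951100823826633336689685109679472227918891
s2 = 40762052781056121604891649645502377037837029273276315084687606790921202237960
msg1, msg2 = (
    777971358777664237997807487843929900983351335441289679035928005996851307115,
    91840683637030200077344423945857298017410109326488651848157059631440788354195,
)
# Group order; the value matches the NIST P-256 order.
order = 115792089210356248762697446949407573529996955224135760342422259061068512044369

s1_inv = inverse_mod(s1, order)
s2_inv = inverse_mod(s2, order)
r_inv = inverse_mod(r, order)

# Lattice basis built from the signing equation s*k = msg + r*d (mod order),
# rewritten as k_i = (r * s_i^-1) * d + msg_i * s_i^-1 (mod order). The first
# two columns carry the two nonces; the last two columns hold scaling weights.
matrix = Matrix([
    [order, 0, 0, 0],
    [0, order, 0, 0],
    [r * s1_inv, r * s2_inv, (2**129) / order, 0],
    [msg1 * s1_inv, msg2 * s2_inv, 0, 2**129],
])
print("LLL started")
new_matrix = matrix.LLL()
print("LLL done")

# Unused leftovers from an earlier version of the script.
kek = []
nonces = []

# Bound before the loop so that a run with no candidate fails with a clear
# message instead of a NameError on the print below.
secret = None
nonce = None
for row in new_matrix:
    potential_nonce_1 = row[0]
    if 0 < potential_nonce_1 < 2**127:
        nonce = potential_nonce_1
        # d = r^-1 * (k * s1 - msg1) mod order; the last matching row wins.
        potential_priv_key = (r_inv * ((nonce * s1) - msg1)) % order
        secret = potential_priv_key

if secret is None:
    raise SystemExit("no candidate nonce in (0, 2**127) found in the reduced basis")

# NOTE(review): the candidate is not checked against a public key here; the
# only validation in this file is the b'flag' test after decryption.
print("Secret and Nonce", secret, nonce)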
def decrypt(aes_key):
    """Decrypt the hard-coded challenge ciphertext with ``aes_key``.

    The ciphertext is processed as AES-CBC with an all-zero IV. The raw
    plaintext is returned with its padding still attached; the caller
    strips it with ``unpad``.

    NOTE(review): a fixed zero IV and CBC without authentication are only
    acceptable in a puzzle setting. Production code should use a fresh
    random IV per message and an authenticated mode.
    """
    ciphertext = unhexlify(
        b'f3ccfd5877ec7eb886d5f9372e97224c43f4412ca8eaeb567f9b20dd5e0aabd5'
    )
    zero_iv = b'\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0'
    return AES.new(aes_key, AES.MODE_CBC, zero_iv).decrypt(ciphertext)
# The recovered scalar is encoded as 64 little-endian bytes and its first 16
# bytes (the low-order 128 bits) are used as the AES key.
# NOTE(review): the data key is a raw truncation of the signing key with no
# KDF in between, so exposure of the signing key also exposes the data.
aes_key = int(secret).to_bytes(64, byteorder='little')[0:16]

# Decrypt once and reuse the result; the b'flag' marker is the only sanity
# check that the key is correct.
plaintext = decrypt(aes_key)
if b'flag' in plaintext:
    print(unpad(plaintext, 16))