@0verflowme
Last active September 8, 2021 18:07
from binascii import unhexlify
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
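# Public inputs: one `r` used together with two (s, msg) pairs, plus the
# modulus for every computation below.
# NOTE(review): r/s/msg look like ECDSA signature components and `order`
# like the NIST P-256 group order -- confirm against the challenge source.
r = 50394691958404671760038142322836584427075094292966481588111912351250929073849
s1 = 26685296872928422980209331126861228951100823826633336689685109679472227918891
s2 = 40762052781056121604891649645502377037837029273276315084687606790921202237960
msg1 = 777971358777664237997807487843929900983351335441289679035928005996851307115
msg2 = 91840683637030200077344423945857298017410109326488651848157059631440788354195
order = 115792089210356248762697446949407573529996955224135760342422259061068512044369

# inverse_mod, Matrix and .LLL() are Sage names: this script is meant to be
# run under Sage, not plain Python.
s1_inv = inverse_mod(s1, order)
s2_inv = inverse_mod(s2, order)

# Lattice basis: the first two rows allow reduction of the first two
# coordinates modulo `order`; the third row holds the coefficients that
# multiply the unknown key, the fourth the constant terms. 2**129 is the
# scaling bound chosen by the author.
# `(2**129) / order` has to stay an exact rational (Sage semantics); under
# plain Python `/` would turn it into a float.
matrix = Matrix([
    [order, 0, 0, 0],
    [0, order, 0, 0],
    [r * s1_inv, r * s2_inv, (2**129) / order, 0],
    [msg1 * s1_inv, msg2 * s2_inv, 0, 2**129],
])

print("LLL started")
new_matrix = matrix.LLL()
r_inv = inverse_mod(r, order)
print("LLL done")

# Takeaway for implementers: the reduction only yields the nonce because the
# nonces are assumed to be much shorter than `order` (the filter below keeps
# values under 2**127). Nonces drawn uniformly from the full range, or
# derived deterministically as in RFC 6979, do not have this weakness.
secret = None
nonce = None
for row in new_matrix:
    candidate = row[0]
    # Keep only first coordinates that fit the assumed nonce size.
    if 0 < candidate < 2**127:
        nonce = candidate
        # d = r^-1 * (k*s1 - msg1) mod order; if several rows qualify,
        # the last one wins, as in the original loop.
        secret = (r_inv * ((nonce * s1) - msg1)) % order

# Without this guard a run in which no row qualifies died with a NameError
# on `secret`; fail with an explicit message instead.
if secret is None:
    raise SystemExit("No row of the reduced basis gave a nonce in (0, 2**127)")
print("Secret and Nonce", secret, nonce)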
def decrypt(aes_key):
    """Decrypt the hard-coded ciphertext with AES-CBC under *aes_key*.

    The ciphertext is embedded as a hex string and the IV is sixteen zero
    bytes. The raw plaintext is returned with its padding still attached;
    the caller strips it. CBC provides no integrity check, so a wrong key
    returns garbage bytes rather than raising an error.
    """
    # A fixed all-zero IV is part of the challenge setup; real systems
    # need a fresh, unpredictable IV per message.
    zero_iv = b'\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0'
    ciphertext = unhexlify(b'f3ccfd5877ec7eb886d5f9372e97224c43f4412ca8eaeb567f9b20dd5e0aabd5')
    return AES.new(aes_key, AES.MODE_CBC, zero_iv).decrypt(ciphertext)
# The AES-128 key is the low 16 bytes of the recovered scalar, serialized as
# a 64-byte little-endian integer.
key_material = int(secret).to_bytes(64, byteorder='little')
aes_key = key_material[:16]
plaintext = decrypt(aes_key)
# The b'flag' marker is the only check that the key is right; unpad is
# called only once that marker is present.
if b'flag' in plaintext:
    print(unpad(plaintext, 16))