
@Nicholaz99
Created September 16, 2019 03:20
import socketserver
import random
import signal
import time
import gmpy2
from pwn import *
from Crypto.Util.number import *
from itertools import product
# Set the pwntools log level to 'error' so the library's own connection
# messages do not mix with the "[+]" lines this script prints.
context.log_level = 'error'
def s2n(s):
    """Return the integer encoded by the latin-1 bytes of string *s*.

    latin-1 maps every code point 0-255 to the byte of the same value, so
    arbitrary byte values survive the round trip through a text string.
    """
    raw = bytearray(s, 'latin-1')
    return bytes_to_long(raw)
def n2s(n):
    """Return integer *n* as a string with one latin-1 character per byte.

    This is the inverse of s2n for values that do not start with a zero
    byte.
    """
    raw = long_to_bytes(n)
    return raw.decode('latin-1')
def gen_fake(r, e, n):
    """Return the textbook-RSA encryptions of 1500 candidate fake flags.

    Each candidate is 'fake_flag{...}' wrapping the index 0..1499 written as
    upper-case hex and left-padded with zeros to 32 characters. Every
    candidate is encrypted as pow(m, e, n) with no padding.

    Args:
        r: accepted for the caller's convenience; the body never uses it.
        e: RSA public exponent.
        n: RSA modulus.

    Returns:
        A list of 1500 ciphertext integers, in index order.
    """
    # NOTE(review): the format string presumably mirrors how the service
    # builds its fake flag -- confirm against the challenge source.
    candidates = ('fake_flag{%s}' % ('%X' % idx).rjust(32, '0')
                  for idx in range(1500))
    return [pow(s2n(text), e, n) for text in candidates]
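# Public exponent used for every local computation; the script assumes the
# service uses the same value and never reads it from the connection.
e = 0x10001
r = remote("crypto.chal.csaw.io", 1001)

# Tail of the service menu; each request waits for it before sending a choice.
MENU_END = "encrypt\n====================================\n"

# Retrieving N value
# The service does not print its modulus. For a known plaintext m the value
# m**e - enc(m) is a multiple of n, so the gcd of several such differences
# is n, possibly times a small common cofactor.
diffs = []
for m in (2, 3, 5, 7):
    r.recvuntil(MENU_END)
    r.sendline('4')  # menu option 4: encrypt caller-supplied data
    r.recvuntil("data:")
    r.sendline(n2s(m))
    diffs.append(m**e - int(r.recvuntil("\n"), 16))

# Four samples instead of two: a stray cofactor shared by every difference
# (n*gcd(k1, k2) instead of n) becomes unlikely.
n = gmpy2.gcd(gmpy2.gcd(diffs[0], diffs[1]), gmpy2.gcd(diffs[2], diffs[3]))
print "[+] n:", n

# get the encrypted real flag
r.recvuntil(MENU_END)
r.sendline('1')
c = int(r.recvuntil("\n"), 16)
print "[+] c:", c

# Retrieving the factor of n
# NOTE(review): option 3 presumably returns a fake-flag ciphertext from a
# faulted RSA-CRT computation, i.e. correct modulo one prime and wrong modulo
# the other -- confirm against the challenge source. The difference between
# such a value and the correct ciphertext shares exactly one prime with n.
# Service-side mitigation: verify the CRT result before releasing it.
r.recvuntil(MENU_END)
r.sendline('3')
enc_fake_flag_test = int(r.recvuntil("\n"), 16)
fake_flags = gen_fake(r, e, n)
for enc_fake_flag in fake_flags:
    p = gmpy2.gcd(enc_fake_flag_test - enc_fake_flag, n)
    # gcd == n means both values are congruent mod n (no fault visible for
    # this candidate); accepting it would give q == 1 and phi == 0.
    if 1 < p < n:
        print "[+] p:", p
        q = n // p  # explicit floor division; n/p is only integral on Python 2
        phi = (p-1) * (q-1)
        d = inverse(e, phi)
        print "[+] Flag:", n2s(pow(c, d, n))
        break

# Release the socket explicitly instead of relying on interpreter exit.
r.close()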