HITCON 2018 - Lost Key (Crypto)
#-*- coding:utf-8 -*- | |
from sock import Sock | |
from libnum import invmod, n2s, s2n, gcd | |
f = Sock("18.179.251.168 21700") | |
f.read_until("flag!") | |
f.read_line() | |
ENC = int(f.read_line().strip(), 16) | |
print "ENC = 0x%X" % ENC | |
NQ = [0, 0] | |
def oracle_enc(x): | |
NQ[0] += 1 | |
print "oracle enc" | |
f.send_line("A") | |
f.send_line(n2s(x).encode("hex")) | |
f.read_until("input:") | |
return int(f.read_line().strip(), 16) | |
def oracle_dec(y): | |
NQ[1] += 1 | |
print "oracle dec" | |
f.send_line("B") | |
f.send_line(n2s(y).encode("hex")) | |
f.read_until("input:") | |
return int(f.read_line().strip(), 16) | |
n = 0 | |
a = 2 | |
e = oracle_enc(a) | |
while gcd(n, 614889782588491410) > 1: | |
ee = oracle_enc(a**2) | |
n = gcd(n, ee - e**2) | |
e, a = ee, a**2 | |
print n | |
pt8 = oracle_dec(ENC) | |
E28 = oracle_enc(2**8) | |
in8 = invmod(n % 2**8, 2**8) | |
t = 1 | |
tc = 1 | |
k = 0 | |
itr = 0 | |
for i in xrange(128): | |
print i | |
t = t * 2**8 | |
tc = tc * E28 % n | |
k = k * 2**8 | |
res = oracle_dec(ENC * tc % n) | |
klow = (t - k * pt8 - res) * in8 % 2**8 | |
k += klow | |
pt = k * n / t + 1 # ceil | |
print `n2s(pt)` | |
# hitcon{1east_4ign1f1cant_BYTE_0racle_is_m0re_pow3rfu1!} | |
print "Queries:", NQ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment