M = (N - 1) // (2 * g) u = M // (2 * g) v = M - 2 * g * u GF = Zmod(N) x = GF.random_element() y = x ^ (2 * g) # c的范围大概与N^(0.5-2*gamma)很接近 c = bsgs(y, y ^ u, (2**(cbits-1), 2**(cbits+1)), operation='*') #(a, b, bounds, operation='*', identity=None, inverse=None, op=None) ab = u - c apb = v + 2 * g * c P.<x> = ZZ[] f = x ^ 2 - apb * x + ab a = f.roots() if a: a, b = a[0][0], a[1][0] p = 2 * g * a + 1 q = 2 * g * b + 1 assert p * q == N
from Crypto.Util.number import * print(long_to_bytes(int(pow(enc,inverse(e,(p-1)*(q-1)),N))))
#flag{a4fc2d54-0ab3-492a-a82b-762705d83cff}
apbq
题目描述:
1
I obtained several sets of ap + bq through channel measurement. Can you solve it?
#stage2 from re import findall from subprocess import check_output from itertools import *
defflatter(M): # compile https://github.com/keeganryan/flatter and put it in $PATH z = "[[" + "]\n[".join(" ".join(map(str, row)) for row in M) + "]]" ret = check_output(["flatter"], input=z.encode()) return matrix(M.nrows(), M.ncols(), map(int, findall(b"-?\\d+", ret)))
h = hint2 nums = 98 L = Matrix(ZZ, 1+nums*2, 1+nums*3) for i inrange(1+nums*2): L[i,i] = 1 for i inrange(nums): L[0,1+nums*2+i] = h[i+2] L[2*i+1,1+nums*2+i] = h[0] L[2*i+2,1+nums*2+i] = h[1] L[:,-nums:] *= 2^512 L = flatter(L)
defstep2(f): # this f is in the form of k1*a1+k2*a2+k3*a3==0 # for some reason, k1*b1+k2*b2+k3*b3==0 also holds # use LLL to find it print("=" * 40) print(f) L = matrix(f.coefficients()).T.augment(matrix.identity(3)) L[:, 0] *= n2 L = L.LLL() print(L[0]) print(L[1]) v1 = L[0] v2 = L[1] xs = [] for c1, c2 in product((-2, -1, 0, 1, 2), repeat=2): v = c1 * v1 + c2 * v2 _, x1, x2, x3 = v ifall([0 <= x <= 2**180for x in (x1, x2, x3)]): xs.append((x1, x2, x3)) # we don't know which one is correct pair of (a1, a2, a3) and (b1, b2, b3) # just try all combinations for g1, g2 in combinations(xs, 2): a1r, a2r, a3r = g1 b1r, b2r, b3r = g2 q = gcd(a2r * h[0] - a1r * h[1], n2) if1 < q < n2: p = n2 // q e = 0x10001 d = inverse_mod(e, (p - 1) * (q - 1)) m = pow(enc2, d, n2) flag = int(m).to_bytes(1024, "big").strip(b"\x00") print(p,flag) exit()
hint2 = n, e = (73566307488763122580179867626252642940955298748752818919017828624963832700766915409125057515624347299603944790342215380220728964393071261454143348878369192979087090394858108255421841966688982884778999786076287493231499536762158941790933738200959195185310223268630105090119593363464568858268074382723204344819, 65537) c = 30332590230153809507216298771130058954523332140754441956121305005101434036857592445870499808003492282406658682811671092885592290410570348283122359319554197485624784590315564056341976355615543224373344781813890901916269854242660708815123152440620383035798542275833361820196294814385622613621016771854846491244
######################################################################################### recover A,B using orthogonal Lattice L = block_matrix(ZZ,[ [1,Matrix(ZZ,hint2).T], ]) L = L.LLL()
M = [] for i in L: if(i[-1] == 0): M.append(i[:-1]) M = Matrix(ZZ,M)
Ker = M.right_kernel().basis() Ker = Matrix(ZZ, Ker) AB = Ker.LLL()
B = list(map(abs, AB[1])) A = [i+j for i,j inzip(AB[0], B)]
######################################################################################### recover p,q p = GCD(n, hint2[0]*B[1]-hint2[1]*B[0]) q = n // p print(long_to_bytes(int(pow(c, inverse(e,(p-1)*(q-1)), n))))
brute = 2 for i inrange(2^brute): for j inrange(2^brute): L = Matrix(ZZ, [ [1,0,0,2^brute*c1], [0,1,0,2^brute*c2], [0,0,2^(512-brute),c1*i+c2*j-c1*c2], [0,0,0,n3] ]) L[:,-1:] *= n3 res = L.LLL()[0]
p = 2^brute*abs(res[0])+i if(n3 % p == 0): print(p)
import re import random from secrets import flag print(f'Can you weight a 128 bits number in 21 steps') pattern = r'([AB]|\d+)=([AB]|\d+)(\+|\-|\*|//|<<|>>|&|\^|%)([AB]|\d+)'
command = input().strip() assert command[-1] == ';' assertall([re.fullmatch(pattern, i) for i in command[:-1].split(';')])
step = 21 for i in command[:-1].split(';'): t = i.translate(str.maketrans('', '', '=AB0123456789')) if t in ['>>', '<<', '+', '-', '&', '^']: step -= 1 elif t in ['*', '/', '%']: step -= 3 if step < 0:exit()
success = 0 w = lambda x: sum([int(i) for i inlist(bin(x)[2:])]) for _ inrange(100): A = random.randrange(0, 2**128) wa = w(A) B = 0 try : exec("global A; global B;" + command) except : exit() if A == wa: success += 1
from Crypto.Util.number import * from pwn import *
defpopcountRE(A): B = 0 B = A >> 1 B = B & 113427455640312821154458202477256070485 A = A - B #x -= (x >> 1) & 0x55555555555555555555555555555555 B = A >> 2 B = B & 68056473384187692692674921486353642291 A = A & 68056473384187692692674921486353642291 A = A + B #x = (x & 0x33333333333333333333333333333333) + ((x >> 2) & 0x33333333333333333333333333333333) B = A >> 4 A = A + B A = A & 20016609818878733144904388672456953615 #x = (x + (x >> 4)) & 0x0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f A = A * 1334440654591915542993625911497130241 A = A & 340282366920938463463374607431768211455 A = A >> 120 #return ((x * 0x01010101010101010101010101010101) & 0xffffffffffffffffffffffffffffffff) >> 120 return A
sh = remote("47.94.195.201", 38958) sh.recvuntil(b'Can you weight a 128 bits number in 21 steps') sh.sendline(command.encode()) print(sh.recvline()) print(sh.recvline())
#flag{you_can_weight_it_in_21_steps!}
traditional_game
题目描述:
1
Since you've made it here, let's now play a Traditional Game from 1997.
print( "[+] Now, you have permission to access the privkey!") print(f"[+] privkey is: ({d_},{blind}).") print(f"[+] encrypt token is: {rsa.encrypt(bytes_to_long(token))}")
guess_token = bytes.fromhex(input("[-] guess token:")) if guess_token == token: print("[+] correct token, here is your flag:",flag) else: print("[-] wrong token")
################################################################################# gen data p = getPrime(512) q = getPrime(512) e = getPrime(128) n = p * q phi = (p - 1) * (q - 1) d = pow(e, -1, phi) blind_bit = 40 unknown_bit = 365 if blind_bit isnotNoneand unknown_bit isnotNone: blind = getPrime(blind_bit) d_ = ((int(d >> unknown_bit) // blind * blind) << unknown_bit) + int(d % blind)
################################################################################# get k,dh,dl k = (e*d_ - 1) // n + 1 dh = (d_ >> unknown_bit) // blind dl = d_ % blind
################################################################################# LLL M = e*(2^unknown_bit*blind*dh+dl) - k*(n+1) - 1 K = 2^(513-unknown_bit) L = matrix(ZZ,[ [K,0,e*blind], [0,1,k], [0,0,M] ]) L[:,-1:] *= M L = L.LLL() L[:,:1] /= K
from Crypto.Util.number import * from tqdm import *
################################################################################# data n, e = 85326799303014496026064371730108772674311332235197622668632563161991602151711567135121280447576711444698674128128361298108919951648223986067215747231280671858955299505770967232491254103263536714363392698361887554304255293991522369123049450389169430042203506125207632731477059899911948136482137033584148217327, 254105853966712863308295955275449077351 d_, blind = 21378651607895524021279554589638483737491146093477974150650211288463988209605132503571807152155799637952833578907915487652394101057156932695702372344185513500134378667094923442647974423915643213700386663283702204046537471425141802799603607927835879677131664511051343930330150649244588933823965535065854996174,1033378191583 c = 53742732129028328063112055299975805421399396945032126712022723372351554830940247890238890674346304685771599765645061449905866414886468887177488826724343823941484173305683401484367061591100780027467534437239106132736115748345075082986831034406103970493456683245813494600511020286115561513979129441895596164513
################################################################################# get k,dh,dl blind_bit = 40 unknown_bit = 365 k = (e*d_ - 1) // n + 1 dh = (d_ >> unknown_bit) // blind dl = d_ % blind
################################################################################# LLL M = e*(2^unknown_bit*blind*dh+dl) - k*(n+1) - 1 K = 2^(513-unknown_bit) L = matrix(ZZ,[ [K,0,e*blind], [0,1,k], [0,0,M] ]) L[:,-1:] *= M L = L.LLL() L[:,:1] /= K pqh = L[1][1] // (e*blind) * (e*blind) pql = L[1][1] % (e*blind)
################################################################################# copper ############################################### get ph PR.<x> = PolynomialRing(RealField(1000)) f = x*(pqh-x) - n ph = int(f.roots()[0][0]) // (e*blind) * (e*blind) ############################################### get pl R.<x> = PolynomialRing(Zmod(e)) fe = x*(pql-x) - n rese = fe.roots()
from sage.allimport * from sage.rings.finite_rings.hom_finite_field import FiniteFieldHomomorphism_generic from Crypto.Util.number import * from base64 import b64encode from random import * from secret import flag import signal
defgenerate_irreducible_polynomial(R, n): whileTrue: f = R.random_element(degree=n) while f.degree() != n: f = R.random_element(degree=n) if f.is_irreducible(): return f
defgenerate_sparse_irreducible_polynomial(R, n): x = R.gen() whileTrue: g = sum(choice([-1, 0, 1]) * x**i for i inrange(randint(1, n//2 + 1))) if (x**n + g + 1).is_irreducible(): return x**n + g + 1
defrandom_polynomial(R, n, beta): returnsum(randrange(-beta, beta) * R.gen()**i for i inrange(randint(0, n))) + R.gen()**n
win_count = 0 for _ inrange(chance): opt = randint(0, 1) if opt: As = [phi(random_polynomial(k1,n,beta)) for i inrange(polyns)] else: As = [k2.random_element() for i inrange(polyns)] for i inrange(polyns): print(f"As[{i}]: {encode(As[i],q).decode()}")
T1 = time.time() As = [phi(random_polynomial(k1,n,beta)) for i inrange(polyns)] T2 = time.time() As = [k2.random_element() for i inrange(polyns)] T3 = time.time()
defgenerate_sparse_irreducible_polynomial(R, n): x = R.gen() whileTrue: g = sum(choice([-1, 0, 1]) * x**i for i inrange(randint(1, n//2 + 1))) if (x**n + g + 1).is_irreducible(): return x**n + g + 1
from sage.allimport * from sage.rings.finite_rings.hom_finite_field import FiniteFieldHomomorphism_generic from Crypto.Util.number import * from base64 import * from pwn import * import itertools, tqdm
defqary_trans_to_int(x, q): returnsum([int(x[i]) * q**i for i inrange(len(x))])
defgenerate_irreducible_polynomial(R, n): whileTrue: f = R.random_element(degree=n) while f.degree() != n: f = R.random_element(degree=n) if f.is_irreducible(): return f
defgenerate_sparse_irreducible_polynomial(R, n): x = R.gen() whileTrue: g = sum(choice([-1, 0, 1]) * x**i for i inrange(randint(1, n//2 + 1))) if (x**n + g + 1).is_irreducible(): return x**n + g + 1
try: Gs = #预计算过的列表 Gs = Gs[:100] except: Gs = list() for l inrange(10): for g in tqdm.tqdm(itertools.product([-1, 0, 1], repeat=l+1)): g = sum(g[i]*x**i for i inrange(l+1)) g = x**n + g + 1 if g.is_irreducible(): Gs.append(g) print(f"{Gs = }")
whileTrue: sh = remote("47.94.151.65", 32787) sh.recvuntil(b"F:") res = sh.recvline().strip().decode() F = int_trans_to_qary_trans(bytes_to_long(b64decode(res)), q) assert encode(R(F), q) == res.encode() F = R(F) k2, (b, ) = GF(q**n, name = 'b', modulus = F).objgens()
Cs = list() for G in tqdm.tqdm(Gs): k1, (a, ) = GF(q**n, name = 'a', modulus = G).objgens() phi = FiniteFieldHomomorphism_generic(Hom(k1, k2)) core = phi(a) C = matrix(GF(q), [(core**i).list() for i inrange(n)]) Cs.append(C)
defdecision(As, C): As = matrix(GF(q), [A.list() for A in As]) try: fs = C.solve_left(As) cnt = sum([f.list().count(0) for f in fs]) returnint(cnt > 20) except: return0
nowC = None cnt = 0 for i in tqdm.trange(111): As = [] sh.recvuntil(b"As[0]: ") As.append(R(int_trans_to_qary_trans(bytes_to_long(b64decode(sh.recvline().strip().decode())), q))) sh.recvuntil(b"As[1]: ") As.append(R(int_trans_to_qary_trans(bytes_to_long(b64decode(sh.recvline().strip().decode())), q))) sh.recvuntil(b"As[2]: ") As.append(R(int_trans_to_qary_trans(bytes_to_long(b64decode(sh.recvline().strip().decode())), q))) ###################################################################### Decision here opt = 0 if nowC: opt = decision(As, nowC) else: for C in Cs: opt = decision(As, C) if opt: nowC = C break
###################################################################### Decision here sh.recvuntil(b"Guess the option[0/1]: ") sh.sendline(str(opt).encode()) res = sh.recvline() # print(opt, res) ifb'Wrong'in res: cnt += 1 if cnt > 5: sh.close() print("not this time") break else: print(sh.recvline()) print(sh.recvline()) sh.interactive()
As = [phi(random_polynomial(k1,n,beta)) for i inrange(polyns)] print([min(i.trace(), q-i.trace()) for i in As]) As = [k2.random_element() for i inrange(polyns)] print([min(i.trace(), q-i.trace()) for i in As])
from flag import M, q, a, b, select import hashlib from hashlib import sha256 from Crypto.Util.number import * from Crypto.Cipher import AES import sys import ecdsa from Crypto.Util.Padding import pad, unpad from ecdsa.ellipticcurve import CurveFp,Point from math import ceil import os import random import string
flag = b'qwb{kLeMjJw_HBPtoHsVhnnxZdvtGjomivNDUI_vMRhZHrfKlCZ6HlGAeXRV_gQ8i117nGhzEMr0Zk_YTl1wftSskpX4JLnryE9Mhl96cPTWorGCl_R6nD33bcx1AYflag_leak}' assertlen(flag) == 136
BANNER = ''' GGGGG OOOOO DDDDD DDDDD GGGGG AAA MM MM EEEEEEE GG OO OO DD D DD D GG AAAAA MMM MMM EE GG GGG OO OO DD D DD D GG GGG A A MM MM MM EEEEE GG GG OO OO DD D DD D GG GG AAAAA MM MM EE GGGGGGG OOOOO DDDDD DDDDD GGGGGGG A A MM MM EEEEEEE '''
NNN = [] defdie(*args): pr(*args) quit()
defpr(*args): s = " ".join(map(str, args)) sys.stdout.write(s + "\n") sys.stdout.flush()
defsc(): return sys.stdin.buffer.readline()
defRng(k): ran = random.getrandbits(k) NNN.append(ran) return ran
defADD(num): NUM = 0 for i inrange(num): NUM += Rng(32) return NUM
defsecure_choice(sequence): ifnot sequence: returnNone randbelow = 0 for i, x inenumerate(sequence): randbelow += 1 if os.urandom(1)[0] < (1 << 8) * randbelow // len(sequence): return x
defxDBLADD(P, Q, PQ, q, a, b): (X1, Z1), (X2, Z2), (X3, Z3) = PQ, P, Q X4 = (X2**2 - a * Z2**2) ** 2 - 8 * b * X2 * Z2**3 Z4 = 4 * (X2 * Z2 * (X2**2 + a * Z2**2) + b * Z2**4) X5 = Z1 * ((X2 * X3 - a * Z2 * Z3) ** 2 - 4 * b * Z2 * Z3 * (X2 * Z3 + X3 * Z2)) Z5 = X1 * (X2 * Z3 - X3 * Z2) ** 2 X4, Z4, X5, Z5 = (c % q for c in (X4, Z4, X5, Z5)) return (X4, Z4), (X5, Z5)
defxMUL(P, k, q, a, b): Q, R = (1, 0), P for i inreversed(range(k.bit_length() + 1)): if k >> i & 1: R, Q = Q, R Q, R = xDBLADD(Q, R, P, q, a, b) if k >> i & 1: R, Q = Q, R return Q
defshout(x, d, q, a, b): P = (x,1) Q = xMUL(P, d, q, a, b) return Q[0] * pow(Q[1], -1, q) % q
defgenerate_random_string(length): characters = string.ascii_letters + string.digits random_string = ''.join(secure_choice(characters) for i inrange(length)) return random_string
defmain(): pr(BANNER) pr('WELCOME TO THIS SIMPLE GAME!!!') ASSERT = proof_of_work() ifnot ASSERT: die("Not right proof of work")
pr('Now we will start our formal GAME!!!') pr('===== First 1💪: =====') pr('Enter an integer as the parameter p for Curve: y^2 = x^3+12x+17 (mod p) and 250<p.bit_length()') p1 = int(sc()) ifnot250<=p1.bit_length(): die('Wrong length!') curve = CurveFp(p1, 12, 17,1) pr(curve) pr('Please Enter a random_point G:') G_t = sc().split(b' ') Gx,Gy = int(G_t[0]),int(G_t[1]) ifnot curve.contains_point(Gx,Gy): die('This point is outside the curve') G = Point(curve,Gx,Gy)
for i inrange(500): ECDU = ECCDu(curve,G) m = 'My secret is a random saying of phrase,As below :' + generate_random_string(119) Number = ECDU.Random_key(1344) c = Number^bytes_to_long(m.encode()) pr(f'c = {c}') pr(f'P = {int(ECDU.P.x()), int(ECDU.P.y())}') pr(f'Q = {int(ECDU.Q.x()), int(ECDU.Q.y())}')
pr('Enter m:') m_en = sc().rstrip(b'\n') if m_en != m.encode(): die('This is not the right m,Please try again') else: pr('Right m!!!') pr('Bingo!') new_state,new_state1 = ADD(136),ADD(50) random.seed(new_state)
pr('===== Second 2💪: =====') curve1 = CurveFp(q,a,b,1) pr(f'{int(curve1.p()),int(curve1.a()),int(curve1.b())}')
pr("Enter a number that does not exceed 1500") number = int(sc())
pr(f'You only have {number} chances to try') success = 0 for i inrange(number): Gx = secure_choice(select) R = Rng(25) pr('Gx = ',Gx) pr('Px = ',shout(Gx, R, q, a, b)) R_n = int(sc().rstrip(b'\n')) if R_n != R: pr(f'Wrong number!!!,Here is your right number {R}') else: pr('GGood!') success += 1
sh.recvuntil(b'sha256(XXXX+') suffix = sh.recv(16) sh.recvuntil(b') == ') pre = sh.recvline().strip().decode()[:-1] for prefix in tqdm.tqdm(itertools.product(string.ascii_letters + string.digits, repeat=4)): prefix = ''.join(prefix).encode() if hashlib.sha256(prefix+suffix).hexdigest() == pre: sh.sendlineafter(b'Give me XXXX: ', prefix) break return
deffunc1(): global out1 defpart1(P, Q, c): d = 65537 known = b'My secret is a random saying of phrase,As below :' + b'\x00'*119 m = bytes_to_long(known) ^^ c prefix = bytes_to_long(long_to_bytes(m, len(known))[:len(known)-119])<<(119*8) number = ceil(1344/250) outs = [(prefix>>(i*250)) % 2**250for i inrange(number)][::-1] # ls0, s1, hs2, ... t1 = outs[1] ht2 = outs[2] for k inrange(2**10): s1 = ZZ(t1 + k*2**250) try: sQ = E.lift_x(s1) s2 = int((d*sQ).xy()[0]) t2 = int((s2*Q).xy()[0]) % 2**250 if ((t2|ht2) == t2) and ((t2&ht2) == ht2): break except Exception as e: continue else: raise Exception("not this time") state = s2 outs = outs[:2] for i inrange(number-2): t = int((state*Q).xy()[0]) state = int((state*P).xy()[0]) outs.append(t % 2**250) out = 0 for t in outs: out = (out<<250) + (t) m = long_to_bytes(out ^^ c) return m p = 76837912973221323002483668912067151296065917149894557283725838853584131795679 E = EllipticCurve(GF(p), [12, 17]) n = 76837912973221323002483668912067151296162675561982794479768589266782793320165 Gx, Gy = (50815842720719088866452690975886010078415234799217383820996108469852859980668, 21844377630643101592426006459110255155148432904632255524120741447151662349886) rrr = 3689513 * 6432902579 * 999652676767686311 * 815669308181510359025276279 G = E(Gx, Gy) from tqdm import trange sh.sendlineafter(b'Enter an integer as the parameter p for Curve: y^2 = x^3+12x+17 (mod p) and 250<p.bit_length()', str(p).encode()) sh.sendlineafter(b'Please Enter a random_point G:', f"{Gx}{Gy}".encode()) for _ in trange(500): sh.recvuntil(b'c = ') c = int(sh.recvline()) sh.recvuntil(b'P = ') P = E(eval(sh.recvline())) sh.recvuntil(b'Q = ') Q = E(eval(sh.recvline())) m = part1(P, Q, c) out1.append(int((rrr*Q).log(rrr*G))) sh.sendlineafter(b'Enter m:\n', m) return
sh = remote(*"47.93.99.173 26698".split()) proof(sh) out1 = [] func1()
defxDBLADD(P, Q, PQ, q, a, b): (X1, Z1), (X2, Z2), (X3, Z3) = PQ, P, Q X4 = (X2**2 - a * Z2**2) ** 2 - 8 * b * X2 * Z2**3 Z4 = 4 * (X2 * Z2 * (X2**2 + a * Z2**2) + b * Z2**4) X5 = Z1 * ((X2 * X3 - a * Z2 * Z3) ** 2 - 4 * b * Z2 * Z3 * (X2 * Z3 + X3 * Z2)) Z5 = X1 * (X2 * Z3 - X3 * Z2) ** 2 X4, Z4, X5, Z5 = (c % q for c in (X4, Z4, X5, Z5)) return (X4, Z4), (X5, Z5)
defxMUL(P, k, q, a, b): Q, R = (1, 0), P for i inreversed(range(k.bit_length() + 1)): if k >> i & 1: R, Q = Q, R Q, R = xDBLADD(Q, R, P, q, a, b) if k >> i & 1: R, Q = Q, R return Q
defshout(x, d, q, a, b): P = (x,1) Q = xMUL(P, d, q, a, b) return Q[0] * pow(Q[1], -1, q) % q
####################################################################################################### part2 MT 25 import random from gf2bv import LinearSystem from gf2bv.crypto.mt import MT19937 from tqdm import *
defmt19937(bs, out): lin = LinearSystem([32] * 624) mt = lin.gens()
rng = MT19937(mt) zeros = [rng.getrandbits(bs) ^^ int(o) for o in out] + [mt[0] ^^ int(0x80000000)] sol = lin.solve_one(zeros)
################################################################################## test if(0): nums = 1300 random.seed(int(3142)) out = [random.getrandbits(25) for i inrange(nums)] RNG = mt19937(25, out) STATE = RNG.getstate()[1][:-1] temp = [RNG.getrandbits(25) for i inrange(nums)] #iter for i inrange(1000): assert RNG.getrandbits(25) == random.getrandbits(25)
################################################################################## use if(1): sh.recvuntil(b"Enter a number that does not exceed 1500") nums = 1300 sh.sendline(b"2000") print(sh.recvline())
out2 = [] for i in trange(nums): sh.sendline(b"1") sh.recvuntil(b"Wrong number!!!,Here is your right number ") out2.append(int(sh.recvline().strip().decode())) RNG = mt19937(25, out2) temp = [RNG.getrandbits(25) for i inrange(nums)] #iter for i in trange(2000-nums): sh.sendline(str(RNG.getrandbits(25)).encode()) sh.recvuntil(b'GGood!')
from hashlib import sha256 from Crypto.Util.number import * from Crypto.Cipher import AES from Crypto.Util.Padding import pad, unpad from mt19937predictor import MT19937Predictor
flag = b'qwb{kLeMjJw_HBPtoHsVhnnxZdvtGjomivNDUI_vMRhZHrfKlCZ6HlGAeXRV_gQ8i117nGhzEMr0Zk_YTl1wftSskpX4JLnryE9Mhl96cPTWorGCl_R6nD33bcx1AYflag_leak}'
iv_num = 0 for i inrange(2000): iv_num += RNG1.getrandbits(32)
predictor1 = MT19937Predictor() for i inrange(500): predictor1.setrandbits(out1[i], 32) for i inrange(124): predictor1.setrandbits(0, 32) for i inrange(136-124): predictor1.getrandbits(32)
key = 0 for i inrange(50): key += predictor1.getrandbits(32)
evaluator.add_inplace(ciphertext12, ciphertext_b) evaluator.apply_galois_inplace(ciphertext12, elt, galois_keys) evaluator.negate_inplace(ciphertext12) evaluator.add_inplace(ciphertext13, ciphertext12) evaluator.multiply_inplace(ciphertext13, ciphertext12) evaluator.multiply_inplace(ciphertext13, ciphertext12) evaluator.multiply_inplace(ciphertext11, ciphertext13) poly = sealapi.Plaintext(gen_polynomial([pow(g, n-i, p) % p for i inrange(n)])) evaluator.multiply_plain_inplace(ciphertext11, poly) evaluator.negate_inplace(ciphertext11) evaluator.add_inplace(ciphertext, ciphertext11)
ciphertext.save("app/computation")
f = open("app/computation", "rb") msg = base64.b64encode(f.read()).decode() f.close()
############################################################################################ check sh.recvuntil(b"Give Me Your Choice:") sh.sendline(b"2") sh.recvuntil(b"Give Me Your Position:") sh.sendline(b"0") sh.recvuntil(b"Give Me Your Computation") sh.sendline(msg.encode()) sh.recvline()
res = sh.recvline().strip().decode() if("Incorret"notin res): print(res) break