Skip to content

Commit 3453ec2

Browse files
BeBetterCoderBeBetterCoder
committed
Site updated: 2022-12-20 19:13:48
1 parent 13462de commit 3453ec2

File tree

2 files changed

+5
-3
lines changed

2 files changed

+5
-3
lines changed

2022/12/18/pwnhub冬季赛2022/index.html

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@
1717
<meta property="og:locale" content="en_US">
1818
<meta property="og:image" content="http://example.com/2022/12/18/pwnhub%E5%86%AC%E5%AD%A3%E8%B5%9B2022/1.png">
1919
<meta property="article:published_time" content="2022-12-18T01:20:47.000Z">
20-
<meta property="article:modified_time" content="2022-12-19T05:53:09.826Z">
20+
<meta property="article:modified_time" content="2022-12-20T11:12:38.551Z">
2121
<meta property="article:author" content="ZimaBlue">
2222
<meta property="article:tag" content="crypto">
2323
<meta property="article:tag" content="misc">
@@ -208,6 +208,8 @@ <h3 id="大杂烩"><a href="#大杂烩" class="headerlink" title="大杂烩"></a
208208
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">enc1 = <span class="number">98662590652068949920571979585725979127266112216583776160769090971169664292493813021843624362593669574513220457664819153878956311077379392531742253343961645534972639309537402874636739745717765969720117162780620981639015788423324884640935466801234207019510919768602974162878323777374364290185048275714332671356</span></span><br><span class="line">enc2 = <span class="number">58738699705013897273174837829098879580829898980458718341881900446701910685043213698485036350888862454440118347362218485065377354137391792039111639199258042591959084091242821874819864955504791788260187064338245516327147327866373690756260239728218244294166383516151782123688633986853602732137707507845681977204</span></span><br><span class="line">NN = <span class="number">149794788177729409820185150543033616327574456754306207341321223589733698623477041345453230785413920341465642754285280273761269552897080096162195035057667200692677841848045965505750839903359478511509753781737513122660495056746669041957643882516287304836822410136985711091802722010788615177574143908444311475347</span></span><br><span class="line"></span><br><span class="line">A = [[enc2,<span class="number">1</span>],[NN,<span class="number">0</span>]]</span><br><span class="line">L=Matrix(ZZ,A)</span><br><span class="line">tmp=L.LLL()</span><br><span class="line"><span class="built_in">print</span>(tmp)</span><br></pre></td></tr></table></figure>
209209
<p>求出d以后就可以用已知e d n的方法来分解n,最后做一个移位转字符即可。</p>
210210
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> gmpy2</span><br><span class="line"><span class="keyword">import</span> random</span><br><span class="line"></span><br><span class="line">n = <span class="number">117749279680045360245987277946945707343578937283621512842997606104123872211782263906911929773756533011817679794905642225389185861207256322349591633257348367854563703050789889773031032949742664695416275919382068347995088593380486820784360816053546651916291080971628354468517506190756456913824397593128781030749</span></span><br><span class="line">a = <span class="number">1755716071599</span></span><br><span class="line">N = <span class="number">236038564943567983056828121309828109017</span></span><br><span class="line">enc1 = <span class="number">98662590652068949920571979585725979127266112216583776160769090971169664292493813021843624362593669574513220457664819153878956311077379392531742253343961645534972639309537402874636739745717765969720117162780620981639015788423324884640935466801234207019510919768602974162878323777374364290185048275714332671356</span></span><br><span class="line">enc2 = <span class="number">58738699705013897273174837829098879580829898980458718341881900446701910685043213698485036350888862454440118347362218485065377354137391792039111639199258042591959084091242821874819864955504791788260187064338245516327147327866373690756260239728218244294166383516151782123688633986853602732137707507845681977204</span></span><br><span class="line">NN = <span class="number">149794788177729409820185150543033616327574456754306207341321223589733698623477041345453230785413920341465642754285280273761269552897080096162195035057667200692677841848045965505750839903359478511509753781737513122660495056746669041957643882516287304836822410136985711091802722010788615177574143908444311475347</span></span><br><span class="line"></span><br><span class="line">mask = <span class="number">0x3ffffffffff</span></span><br><span class="line">e_low = a</span><br><span class="line"><span class="comment">#print(e&amp;mask)</span></span><br><span class="line"><span class="built_in">print</span>(e_low.bit_length())</span><br><span class="line">X = <span class="number">996</span></span><br><span class="line">Y = <span class="number">151729833458737979764886336489671975339</span></span><br><span class="line">b = (Y ** <span class="number">2</span> - X ** <span class="number">3</span> - a * X)%N</span><br><span class="line">e = a + b * <span class="number">2</span> ** <span class="number">42</span></span><br><span class="line"></span><br><span class="line">d1 = <span class="number">1118051836872760710925790177974923485721434630729839917104622531599012085778805696376125398218434332515040651866857417106717899073423532829576283671587324</span></span><br><span class="line"><span class="built_in">print</span>(d1.bit_length())</span><br><span class="line">d2 = <span class="number">1490307645430319095511255010328115542702206251159139554339698072781493976926650529688007738646519638596915659784020385914262312989530894410148472995625411</span></span><br><span class="line"><span class="built_in">print</span>(d2.bit_length())</span><br><span class="line"></span><br><span class="line">d = d1 * <span class="number">2</span>**<span class="number">512</span> + d2</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">getpq</span>(<span class="params">n,e,d</span>):</span></span><br><span class="line"> <span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line"> k = e * d - <span class="number">1</span></span><br><span class="line"> g = random.randint(<span class="number">0</span>, n)</span><br><span class="line"> <span class="keyword">while</span> k%<span class="number">2</span>==<span class="number">0</span>:</span><br><span class="line"> k=k//<span class="number">2</span></span><br><span class="line"> temp=gmpy2.powmod(g,k,n)-<span class="number">1</span></span><br><span class="line"> <span class="keyword">if</span> gmpy2.gcd(temp,n)&gt;<span class="number">1</span> <span class="keyword">and</span> temp!=<span class="number">0</span>:</span><br><span class="line"> <span class="keyword">return</span> gmpy2.gcd(temp,n)</span><br><span class="line"></span><br><span class="line"><span class="comment"># https://blog.csdn.net/weixin_44110537/article/details/107869682</span></span><br><span class="line">p = getpq(n,e,d)</span><br><span class="line">q = n//p</span><br><span class="line"><span class="built_in">print</span>(p)</span><br><span class="line"><span class="built_in">print</span>(q)</span><br><span class="line"></span><br><span class="line">ph = p &gt;&gt; (<span class="number">512</span>-<span class="number">150</span>)</span><br><span class="line">qh = q &gt;&gt; (<span class="number">512</span>-<span class="number">151</span>)</span><br><span class="line"><span class="built_in">print</span>(long_to_bytes(qh))</span><br><span class="line"><span class="built_in">print</span>(long_to_bytes(ph))</span><br><span class="line"></span><br></pre></td></tr></table></figure>
211+
<h3 id="payorder"><a href="#payorder" class="headerlink" title="payorder"></a>payorder</h3><p><a target="_blank" rel="noopener" href="https://xz.aliyun.com/t/2563#toc-8">哈希长度拓展攻击</a>,最基本的构造,没有魔改。直接扔个官方wp</p>
212+
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> base64 <span class="keyword">import</span> b64decode, b64encode</span><br><span class="line"><span class="keyword">import</span> hashpumpy</span><br><span class="line"></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line"> io = remote(<span class="string">&#x27;47.97.127.1&#x27;</span>,<span class="number">28959</span>)</span><br><span class="line"> io.sendlineafter(<span class="string">&#x27;&gt; &#x27;</span>, <span class="string">&#x27;2&#x27;</span>)</span><br><span class="line"> io.sendlineafter(<span class="string">&#x27;Which one? &#x27;</span>, <span class="string">&#x27;9&#x27;</span>)</span><br><span class="line"> io.recvuntil(<span class="string">&#x27;Order: &#x27;</span>)</span><br><span class="line"> order = io.recvuntil(<span class="string">b&#x27;\n&#x27;</span>)[:-<span class="number">1</span>]</span><br><span class="line"> order = b64decode(order)</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">&#x27;order:&#x27;</span>,order)</span><br><span class="line"> sp = order.rfind(<span class="string">b&#x27;&amp;s=&#x27;</span>)</span><br><span class="line"> sign = order[sp+<span class="number">3</span>:]</span><br><span class="line"> payment = order[:sp]</span><br><span class="line"> <span class="built_in">print</span>(sign, payment)</span><br><span class="line"></span><br><span class="line"> fhash, content = hashpumpy.hashpump(sign, payment, <span class="string">b&#x27;&amp;c=999&#x27;</span>, <span class="number">18</span>)</span><br><span class="line"> <span class="built_in">print</span>(fhash, content)</span><br><span class="line"> payload = content + <span class="string">b&#x27;&amp;s=&#x27;</span> + fhash.encode()</span><br><span class="line"> <span class="built_in">print</span>(payload)</span><br><span class="line"> payload = b64encode(payload)</span><br><span class="line"> io.sendlineafter(<span class="string">&#x27;&gt; &#x27;</span>, <span class="string">&#x27;3&#x27;</span>)</span><br><span class="line"> io.sendlineafter(<span class="string">&#x27;Order: &#x27;</span>, payload)</span><br><span class="line"> info = io.recvuntil(<span class="string">&#x27;\n&gt; &#x27;</span>)</span><br><span class="line"> <span class="keyword">if</span> <span class="string">b&#x27;Invalid Order!&#x27;</span> <span class="keyword">in</span> info:</span><br><span class="line"> io.close()</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> io.interactive()</span><br></pre></td></tr></table></figure>
211213

212214

213215

@@ -343,7 +345,7 @@ <h3 id="大杂烩"><a href="#大杂烩" class="headerlink" title="大杂烩"></a
343345
</span>
344346
<span class="tooltip-content">
345347
<div class="toc-article">
346-
<ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#Misc"><span class="toc-number">1.</span> <span class="toc-text">Misc</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%B8%B8%E6%88%8F%E6%9D%A5%E5%92%AF"><span class="toc-number">1.1.</span> <span class="toc-text">游戏来咯</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%9D%90%E4%BA%95%E8%A7%82%E5%A4%A9"><span class="toc-number">1.2.</span> <span class="toc-text">坐井观天</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E8%AF%81%E4%B9%A6%E9%87%8C%E4%B9%9F%E6%9C%89%E7%A7%98%E5%AF%86"><span class="toc-number">1.3.</span> <span class="toc-text">证书里也有秘密</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%9E%83%E5%9C%BE%E9%82%AE%E4%BB%B6%E5%88%86%E6%9E%90"><span class="toc-number">1.4.</span> <span class="toc-text">垃圾邮件分析</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Crypto"><span class="toc-number">2.</span> <span class="toc-text">Crypto</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#ASR"><span class="toc-number">2.1.</span> <span class="toc-text">ASR</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%A4%A7%E6%9D%82%E7%83%A9"><span class="toc-number">2.2.</span> <span class="toc-text">大杂烩</span></a></li></ol></li></ol>
348+
<ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#Misc"><span class="toc-number">1.</span> <span class="toc-text">Misc</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%B8%B8%E6%88%8F%E6%9D%A5%E5%92%AF"><span class="toc-number">1.1.</span> <span class="toc-text">游戏来咯</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%9D%90%E4%BA%95%E8%A7%82%E5%A4%A9"><span class="toc-number">1.2.</span> <span class="toc-text">坐井观天</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E8%AF%81%E4%B9%A6%E9%87%8C%E4%B9%9F%E6%9C%89%E7%A7%98%E5%AF%86"><span class="toc-number">1.3.</span> <span class="toc-text">证书里也有秘密</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%9E%83%E5%9C%BE%E9%82%AE%E4%BB%B6%E5%88%86%E6%9E%90"><span class="toc-number">1.4.</span> <span class="toc-text">垃圾邮件分析</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Crypto"><span class="toc-number">2.</span> <span class="toc-text">Crypto</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#ASR"><span class="toc-number">2.1.</span> <span class="toc-text">ASR</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%A4%A7%E6%9D%82%E7%83%A9"><span class="toc-number">2.2.</span> <span class="toc-text">大杂烩</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#payorder"><span class="toc-number">2.3.</span> <span class="toc-text">payorder</span></a></li></ol></li></ol>
347349
</div>
348350
</span>
349351
</div>

content.json

Lines changed: 1 addition & 1 deletion
Large diffs are not rendered by default.

0 commit comments

Comments
 (0)