about 4 years ago

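A pcap capture that contains some login records.
A quick look at the JavaScript in it shows that it looks a lot like the Renren login, and from there I found this post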

Looking at the code more closely, it appears to do padding, but in this code:

var x = new Array();
while (n > 2) { // random non-zero pad

    x[0] = 0;
    while (x[0] == 0) rng.nextBytes(x);
    //ba[--n] = x[0];

    ba[--n] = 0; // WARNING: NO PADDING HERE

}

WTF, what kind of WARNING is that...

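Anyway, the capture also shows that he tried to log in 7 times, and this site also uses e=3, so we can use the attack that, when e=3, leaks the plaintext as soon as the same plaintext has been encrypted under three different public keys.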

require 'number-theory'
require 'openssl'
include NumberTheory

ns = [
  0xc0ee9a0e9267d408a38c11ad009cc013ec8047397cadbe81aef68929032c94e2e665afcc28031995b9f593a652910f41,
  0x98bd9bc15848d4fc9e6d45f7ed17be2b951c39a1beb94c34262d3bd4c841bea3afacb7c814a3806d5be14224384283a7,
  0xc6222103be7725ae3ab150786c0100ac424192c187d7c5c9311a09c3f871a6ba142f8db05e01c814203641a69285c55d,
  0xb5821c26739589a6f291f3f61b4833df1a1b0105202a4d70ddb2d411d999d4b55169f78d5dc3c9b8eb052a2832b218e5,
  0xc900f03ca5421a4fc73fe496d1d9298c6bd8d83d708ec4e609039ae5f163023549e3b3f31215e6c078023b86def18d3f,
  0xd069d27923ded540eadf2926f600f6ff373d0f325d2ea1de66f9c7571ecb8778fa07e2e4b23af7e614339147247754d1,
  0xc0618fdaf330901229661defee6ef221c5090138dec81f481add385d9b9f7f9927194fd79057c60e64bcfeac47332075,
]
cs = [
  0x753f1c4d3bb0f170a227c7d925695cf1b33143fe1d2d6934e4c2b0faaebaef59bdfa02e656ce7e1957835b0011723654,
  0x42d6df231b6e09acd1f4e125b8d2458e3f294f34e3240001aba82f9ffd714187cdbcbc95dcf5bb34fcaeb48dad52bfc8,
  0xa6b92bde0560bdb36609186b3dbd034c2e60fdddf97bee03cfd9ffc9fe195208901abcb4a5e45f89d08fb79e20a61aa9,
  0x5163229bc6f60167c341ce5e8009dccb7a8bca6737023623c4f398bca5c0cc5dfe6f5d0e38bf06be3de162951f6fc472,
  0x5bab7fb7f32514c4fa859e213ae96cfc659b624a5e9446ef48503f16809b8447f206152f32f43f7219654cf41bca0e88,
  0x3282d69293ee95422445eb95af6d64f7c4a85ee5f14b5b9935121185142faf822497033bb29866e409d26a8aa821d92e,
  0x3f0c66ead6290124f0ab8274f0496b5296ec9e1ebf939ac643ca3adf2c9050948ca9e1f1da8130f5755f0ba887edbbab,
]

def crt(x1, n1, x2, n2)
  return (x1 * n2 * Utils.mod_inv(n2, n1) + x2 * n1 * Utils.mod_inv(n1, n2)) % (n1 * n2)
end

def crtall(cns)
  c, n = cns[0]
  (1...cns.length).each do |i|
    c = crt(c, n, cns[i][0], cns[i][1])
    n *= cns[i][1]
  end
  return c
end

def cbrt(x)
  l, r = 1, x
  while l < r
    m = (l + r) / 2
    if m ** 3 < x
      l = m + 1
    else
      r = m
    end
  end
  return l
end

cs.zip(ns).combination(3) do |cn|
  puts cbrt(crtall(cn)).to_bn.to_s(2).inspect
end

Flag: ISG{yaya_haha_wawa_gaga_guagua}

(By the way, the given N is actually only 384 bits, which can be factored within two hours on our machine, so factoring it directly is also a valid solution.)
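To show why the disabled padding loop matters, the following added example (not part of the original post or the site's code) encrypts the same message under three fresh e=3 keys, once with zero filler as in the patched loop and once with random non-zero filler, and runs the same CRT and cube-root recovery against both. The block layout `00 02 <filler> 00 <msg>`, the generated keys, the message and all helper names are assumptions made for the demonstration.

```ruby
require 'openssl'
require 'securerandom'

E = 3
K = 48 # modulus length in bytes (384 bits, as in the challenge)

# Constructed test prime with p = 2 (mod 3), so that e = 3 is a valid exponent.
def gen_prime
  loop { p = OpenSSL::BN.generate_prime(K * 4, false).to_i; return p if p % E == 2 }
end

# Assumed block layout: 00 02 <filler> 00 <msg>. random_fill=false mirrors
# the patched loop on the page, which writes zero bytes as filler.
def pad(msg, random_fill)
  fill = Array.new(K - msg.bytesize - 3) { random_fill ? SecureRandom.random_number(255) + 1 : 0 }
  ([0, 2] + fill + [0] + msg.bytes).pack('C*').unpack1('H*').to_i(16)
end

# floor(cube root of x) by binary search on integers.
def icbrt(x)
  lo, hi = 0, 1 << (x.bit_length / 3 + 1)
  while lo < hi
    mid = (lo + hi + 1) / 2
    if mid**3 <= x then lo = mid else hi = mid - 1 end
  end
  lo
end

# CRT-combine the (c, n) pairs and return the cube root, or nil when the
# combined value is not a perfect cube (the encrypted blocks were not identical).
def broadcast_recover(pairs)
  big_n = pairs.map(&:last).reduce(:*)
  x = pairs.sum do |c, n|
    part = big_n / n
    c * part * (part % n).to_bn.mod_inverse(n.to_bn).to_i
  end
  x %= big_n
  r = icbrt(x)
  r**3 == x ? r : nil
end

# Encrypt msg under three fresh constructed keys, then attempt the recovery.
def run_case(msg, random_fill)
  pairs = Array.new(3) { n = gen_prime * gen_prime; [pad(msg, random_fill).pow(E, n), n] }
  broadcast_recover(pairs)
end
```

With zero filler, `run_case` returns the whole padded block, whose trailing bytes are the message; with random non-zero filler the three blocks differ, the combined value is not a perfect cube, and it returns `nil`.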
