almost 9 years ago
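A pcap capture containing some login records.
A quick look at the javascript in it shows that it looks a lot like the Renren login, and that led me to this post
Looking closely at the code, it appears to do padding, but in this code: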
var x = new Array();
while (n > 2) { // random non-zero pad
  x[0] = 0;
  while (x[0] == 0) rng.nextBytes(x);
  //ba[--n] = x[0];
  ba[--n] = 0; // WARNING: NO PADDING HERE
}
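WTF, what kind of WARNING is that...
Anyway, the capture also shows that he tried to log in 7 times, and the site uses e=3, so we can use the attack that leaks the plaintext when e=3 and the same plaintext is encrypted under just three different public keys.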
require 'number-theory'
require 'openssl'
include NumberTheory
ns = [
0xc0ee9a0e9267d408a38c11ad009cc013ec8047397cadbe81aef68929032c94e2e665afcc28031995b9f593a652910f41,
0x98bd9bc15848d4fc9e6d45f7ed17be2b951c39a1beb94c34262d3bd4c841bea3afacb7c814a3806d5be14224384283a7,
0xc6222103be7725ae3ab150786c0100ac424192c187d7c5c9311a09c3f871a6ba142f8db05e01c814203641a69285c55d,
0xb5821c26739589a6f291f3f61b4833df1a1b0105202a4d70ddb2d411d999d4b55169f78d5dc3c9b8eb052a2832b218e5,
0xc900f03ca5421a4fc73fe496d1d9298c6bd8d83d708ec4e609039ae5f163023549e3b3f31215e6c078023b86def18d3f,
0xd069d27923ded540eadf2926f600f6ff373d0f325d2ea1de66f9c7571ecb8778fa07e2e4b23af7e614339147247754d1,
0xc0618fdaf330901229661defee6ef221c5090138dec81f481add385d9b9f7f9927194fd79057c60e64bcfeac47332075,
]
cs = [
0x753f1c4d3bb0f170a227c7d925695cf1b33143fe1d2d6934e4c2b0faaebaef59bdfa02e656ce7e1957835b0011723654,
0x42d6df231b6e09acd1f4e125b8d2458e3f294f34e3240001aba82f9ffd714187cdbcbc95dcf5bb34fcaeb48dad52bfc8,
0xa6b92bde0560bdb36609186b3dbd034c2e60fdddf97bee03cfd9ffc9fe195208901abcb4a5e45f89d08fb79e20a61aa9,
0x5163229bc6f60167c341ce5e8009dccb7a8bca6737023623c4f398bca5c0cc5dfe6f5d0e38bf06be3de162951f6fc472,
0x5bab7fb7f32514c4fa859e213ae96cfc659b624a5e9446ef48503f16809b8447f206152f32f43f7219654cf41bca0e88,
0x3282d69293ee95422445eb95af6d64f7c4a85ee5f14b5b9935121185142faf822497033bb29866e409d26a8aa821d92e,
0x3f0c66ead6290124f0ab8274f0496b5296ec9e1ebf939ac643ca3adf2c9050948ca9e1f1da8130f5755f0ba887edbbab,
]
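# Combine x = x1 (mod n1) and x = x2 (mod n2) into one residue modulo n1 * n2.
def crt(x1, n1, x2, n2)
  return (x1 * n2 * Utils.mod_inv(n2, n1) + x2 * n1 * Utils.mod_inv(n1, n2)) % (n1 * n2)
end

# Fold crt over a list of [ciphertext, modulus] pairs.
def crtall(cns)
  c, n = cns[0]
  (1...cns.length).each do |i|
    c = crt(c, n, cns[i][0], cns[i][1])
    n *= cns[i][1]
  end
  return c
end

# Integer cube root by binary search: the smallest l with l ** 3 >= x.
def cbrt(x)
  l, r = 1, x
  while l < r
    m = (l + r) / 2
    if m ** 3 < x
      l = m + 1
    else
      r = m
    end
  end
  return l
end

# Try every choice of 3 of the 7 captured (ciphertext, modulus) pairs
# and print the recovered plaintext bytes.
cs.zip(ns).combination(3) do |cn|
  puts cbrt(crtall(cn)).to_bn.to_s(2).inspect
end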
Flag: ISG{yaya_haha_wawa_gaga_guagua}
(By the way, since the given N is actually only 384 bits, it can be factored within two hours on our machine, so factoring it directly is also a solution.)
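
Why the zeroed pad byte matters, as an added example (not part of the original write-up or the site's code): the same message is encrypted with e=3 under three of the moduli listed above, once with the pad zeroed as in the modified login script and once with the random non-zero pad of the commented-out line. The password `hunter2` and all function names are constructed for illustration.

```ruby
require 'securerandom'
E = 3
NS = [ # three of the 384-bit moduli from the solver script above
  0xc0ee9a0e9267d408a38c11ad009cc013ec8047397cadbe81aef68929032c94e2e665afcc28031995b9f593a652910f41,
  0x98bd9bc15848d4fc9e6d45f7ed17be2b951c39a1beb94c34262d3bd4c841bea3afacb7c814a3806d5be14224384283a7,
  0xc6222103be7725ae3ab150786c0100ac424192c187d7c5c9311a09c3f871a6ba142f8db05e01c814203641a69285c55d,
].freeze

# PKCS#1 v1.5 type-2 block 00 02 <pad> 00 <msg> as an integer. random_pad: false
# mimics the modified login script, which writes 0 where the pad byte belongs.
def pkcs1_pad(msg, k, random_pad:)
  pad = Array.new(k - msg.bytesize - 3) { random_pad ? SecureRandom.random_number(255) + 1 : 0 }
  ([0, 2] + pad + [0] + msg.bytes).inject(0) { |acc, b| (acc << 8) | b }
end

def encrypt(msg, n, random_pad:)
  pkcs1_pad(msg, (n.bit_length + 7) / 8, random_pad: random_pad).pow(E, n)
end

def mod_inv(a, m) # extended Euclid; a and m must be coprime
  r0, r1, s0, s1 = a % m, m, 1, 0
  r0, r1, s0, s1 = r1, r0 % r1, s1, s0 - (r0 / r1) * s1 until r1.zero?
  s0 % m
end

def crt(pairs) # pairs of [residue, modulus]
  big_n = pairs.map(&:last).inject(:*)
  pairs.sum { |c, n| c * (big_n / n) * mod_inv(big_n / n, n) } % big_n
end

def icbrt(x) # floor of the integer cube root
  lo, hi = 0, 1 << (x.bit_length / 3 + 1)
  while lo < hi
    mid = (lo + hi + 1) / 2
    if mid**3 <= x then lo = mid else hi = mid - 1 end
  end
  lo
end

# Returns the plaintext block as bytes, or nil when the CRT value is not a perfect cube.
def broadcast_recover(msg, random_pad:)
  cts = NS.map { |n| encrypt(msg, n, random_pad: random_pad) }
  m3 = crt(cts.zip(NS))
  m = icbrt(m3)
  return nil unless m**3 == m3
  hex = m.to_s(16)
  [hex.rjust(hex.size + hex.size % 2, '0')].pack('H*')
end

[false, true].each { |rp| p broadcast_recover('hunter2', random_pad: rp) }
```

With the pad zeroed, every login encrypts the identical block and the cube root is exact; with the random pad, the three blocks differ, the CRT value is not a cube, and the function returns nil.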