x = SecureRandom.random_bytes(6) puts 'Robot test' puts "prefix: #{[x].pack('m0')}" r = gets.strip.unpack('m0')[0] r = Digest::SHA1.digest(x + r) # We want the digest to begin with 23 bits of zero. # [0..15] unless r.start_with?("\0\0") puts 'FAIL! GO AWAY!' exit end c = r[2].ord r, s = c / 2, c % 2 # r: [16..22], s: [23] unless r == 0 puts 'FAIL! GO AWAY!' exit end print'Good job! '
很简单的证明, 为了减小跑这部分脚本的时间, 把倒数2-5行注释了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
x = SecureRandom.random_bytes(6) puts 'Robot test' puts "prefix: #{[x].pack('m0')}" r = gets.strip.unpack('m0')[0] r = Digest::SHA1.digest(x + r) # We want the digest to begin with 23 bits of zero. # [0..15] unless r.start_with?("\0\0") puts 'FAIL! GO AWAY!' exit end c = r[2].ord r, s = c / 2, c % 2 # r: [16..22], s: [23] # unless r == 0 # puts 'FAIL! GO AWAY!' # exit # end print'Good job! '
from multiprocessing import Pool as ThreadPool from Crypto.Util.number import long_to_bytes, bytes_to_long from proof import proof import hashlib from pwn import *
context.log_level = "CRITICAL" pool = ThreadPool(2) pp = 285370232948523998980902649176998223002378361587332218493775786752826166161423082436982297888443231240619463576886971476889906175870272573060319231258784649665194518832695848032181036303102119334432612172767710672560390596241136280678425624046988433310588364872005613290545811367950034187020564546262381876467
defguess_password(password): for x in xrange(len(password)): if password[x] != None: continue for gn in xrange(1, 17): g_num = pow(bytes_to_long(hashlib.sha512(str(gn)).digest()), 2, pp) p1 = remote("127.0.0.1", 10001) p2 = remote("127.0.0.1", 10001) p1.readuntil("prefix: ") p2.readuntil("prefix: ") prefix1 = p1.readline().decode('base64') prefix2 = p2.readline().decode('base64') solve1, solve2 = pool.map(proof, [prefix1, prefix2]) p1.sendline(solve1.encode('base64').strip()) p2.sendline(solve2.encode('base64').strip()) diff_num1 = 0 diff_num2 = 0 for y in xrange(len(password)): p1.readuntil("Server send ") p2.readuntil("Server send ") tmp_num1 = p1.readline().strip() tmp_num2 = p2.readline().strip() if y == x: p1.sendline(str(g_num)) p2.sendline(str(g_num)) diff_num1 = bytes_to_long(hashlib.sha512(tmp_num1).digest()) diff_num2 = bytes_to_long(hashlib.sha512(tmp_num2).digest()) else: p1.sendline(tmp_num2) p2.sendline(tmp_num1) p1.readuntil("Flag is (of course after encryption :D): ") p2.readuntil("Flag is (of course after encryption :D): ")
defgetflag(password): p = remote("127.0.0.1", 10001) p.readuntil("prefix: ") prefix = p.readline().decode('base64') solve = proof(prefix) p.sendline(solve.encode('base64').strip()) tmp_num = [] for x in password: send_num = pow(bytes_to_long(hashlib.sha512(str(x)).digest()), 2, pp) p.readuntil("Server send ") tmp_num.append(p.readline().strip()) p.sendline(str(send_num))
p.readuntil("Flag is (of course after encryption :D): ") enc_flag = int(p.readline().strip()) flag = enc_flag for x in tmp_num: flag ^= bytes_to_long(hashlib.sha512(x).digest()) print long_to_bytes(flag)