Dall=list(map(int,open('data3.txt','r').readlines())) from Crypto.Util.number import * from random import * from tqdm import * n=1250 D=Dall[:n] rng=Random() defgetRows(rng): #这一部分根据题目实际编写,必须和题目实际比特获取顺序和方式完全一致,且确保比特数大于19937,并且请注意zfill。 row=[] for i inrange(n): row+=list(map(int, (bin(rng.getrandbits(16))[2:].zfill(16)))) return row M=[] for i in tqdm_notebook(range(19968)):#这一部分为固定套路 state = [0]*624 temp = "0"*i + "1"*1 + "0"*(19968-1-i) for j inrange(624): state[j] = int(temp[32*j:32*j+32],2) rng.setstate((3,tuple(state+[624]),None)) #这个setstate也是固定格式,已于2025.1.21测试 M.append(getRows(rng)) M=Matrix(GF(2),M) y=[] for i inrange(n): y+=list(map(int, (bin(D[i])[2:].zfill(16)))) y=vector(GF(2),y) s=M.solve_left(y) #print(s) G=[] for i inrange(624): C=0 for j inrange(32): C<<=1 C|=int(s[32*i+j]) G.append(C) import random RNG1 = random.Random() for i inrange(624): G[i]=int(G[i]) RNG1.setstate((int(3),tuple(G+[int(624)]),None))
print([RNG1.getrandbits(16) for _ inrange(75)]) print(D[:75])
1.[TPCTF]RandomlizedRandom
先看看题目:
1 2 3 4 5 6 7 8
# FROM python:3 import random withopen("flag.txt","rb") as f: flag=f.read() for i inrange(2**64): print(random.getrandbits(32)+flag[random.getrandbits(32)%len(flag)]) input()
交互次数很多,并且就是简单的 getrandbits(32),很明显的MT特征。
但这边是 getrandbits(32)+flag[getrandbits(32)%len(flag)],也就是说,这边 getrandbits(32) 的结果是带误差的,其误差就是flag的值。但由于flag每个字符不超过 $127$,因此可以认为得到的所有 $32$ 位数字中,其高 $8$ bit 是准确的。
我们可以先收集一波数据。这边为了保险,收集了 $10000$ 个。但其实用不了那么多。
1 2 3 4 5 6 7 8
from pwn import * from tqdm import * sh=remote('1.95.57.127',3001) withopen('datarecv002.txt','w') as f: for i in tqdm_notebook(range(10000)): x=int(sh.recvline(keepends=False)) f.write(str(x)+'\n') sh.sendline(b'A')
接着构造矩阵,由于题目中给出的数字是先取一个,再丢一个的,因此我们这边也要按照题目的过程来:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
from random import * n=4992 defgetRows(rng): #这一部分根据题目实际编写,必须和题目实际比特获取顺序和方式完全一致,且确保比特数大于19937,并且请注意zfill。 row=[] for i inrange(n): row+=list(map(int, (bin(rng.getrandbits(32)>>24)[2:].zfill(8)))) _=rng.getrandbits(32) return row M=[] for i in tqdm_notebook(range(19968)):#这一部分为固定套路 state = [0]*624 temp = "0"*i + "1"*1 + "0"*(19968-1-i) for j inrange(624): state[j] = int(temp[32*j:32*j+32],2) rng.setstate((3,tuple(state+[624]),None)) #这个setstate也是固定格式,已于2025.1.21测试 M.append(getRows(rng)) M=Matrix(GF(2),M) save(M,'matrix308')
D=open('datarecv001.txt','r').readlines() for i inrange(10000): D[i]=int(D[i]) n=4992 M=load('matrix308.sobj') y=[] for i inrange(n): y+=list(map(int, (bin(D[i]>>24)[2:].zfill(8)))) y=vector(GF(2),y) s=M.solve_left(y) G=[] for i inrange(624): C=0 for j inrange(32): C<<=1 C|=int(s[32*i+j]) G.append(C) import random RNG1 = random.Random() for i inrange(624): G[i]=int(G[i]) RNG1.setstate((int(3),tuple(G+[int(624)]),None))
A=[] B=[] F=[] for i inrange(10000): a=RNG1.getrandbits(32) b=RNG1.getrandbits(32) f=D[i]-a A.append(a) B.append(b) F.append(f) defcheck(L): arr=[0]*L for i inrange(10000): cur=arr[B[i]%L] if(cur-F[i] and cur): return0 elif(not cur): arr[B[i]%L]=F[i] return1 for i inrange(23,99): if(check(i)): print(i) defmake(L): arr=[0]*L for i inrange(10000): arr[B[i]%L]=F[i] returnbytes(arr) print(make(29)) #b'TPCTF{Ez_MTI9937_pr3d1cTi0n}\n'
2.[SUCTF2025]SUPoly
题目看着很简单,并且鸡块Blog中也已经有了WP,这边复现一下!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
from Crypto.Util.number import * from hashlib import md5 from secret import flag import signal
PR.<x> = PolynomialRing(Zmod(0xfffffffffffffffffffffffffffffffe)) SUPOLY = PR.random_element(10) gift = [] for i inrange(bytes_to_long(b"SU")): f = PR.random_element(10) gift.append([int((f*SUPOLY)(j)) & 0xfffor j inrange(10)]) print("🎁 :", gift)
from random import * from tqdm import* import numpy as np defgetRows(rng): row=np.zeros(21333,dtype='uint8') rng.getrandbits(128*11) for i inrange(21333): _a=rng.getrandbits(128*10) row[i]=(rng.getrandbits(128)&1) return row M=[] rng=Random() for i in tqdm_notebook(range(19968)):#这一部分为固定套路,具体原因已经写在注释中了 state = [0]*624 temp = "0"*i + "1"*1 + "0"*(19968-1-i) for j inrange(624): state[j] = int(temp[32*j:32*j+32],2) rng.setstate((3,tuple(state+[624]),None)) #这个setstate也是固定格式,已于2025.1.21测试 M.append(getRows(rng)) M=Matrix(GF(2),M) save(M,'mat111') save(M[[0]+list(range(32,19968)),:19937]**-1,'Minv')
Minv=load('Minv.sobj').T from pwn import * from hashlib import md5 sh=remote('node6.anna.nssctf.cn',21966) sh.recvuntil(b':') D=eval(sh.recvline()) v=[D[i][0]&1for i inrange(21333)]
if(1in v): v = vector(GF(2), v[:19937]) v=Minv*v v=list(v) v=[v[0]]+[0]*31+v[1:] vstr = "".join(list(map(str, v))) state = [] for i inrange(624): state.append(int(vstr[32*i:32*i+32],2)) RNG1 = random.Random() RNG1.setstate((3,tuple(state+[624]),None)) s = [RNG1.getrandbits(128) for i inrange(11)][::-1] sh.recvuntil(b"Show me :)") sh.sendline(str(md5(str(s).encode()).hexdigest()).encode()) print(sh.recvall(timeout=7)) else: print('fail') sh.close() #b'\xf0\x9f\x9a\xa9 : NSSCTF{f614f081-ddec-4579-88e2-fdc29183bdc3}\n'
3.[CATCTF]Random_game
又是很短的题目:
1 2 3 4 5 6 7 8 9
from Crypto.Util.number import * from secret import flag from random import * gift = b"".join(long_to_bytes((pow(getrandbits(4), 2*i, 17) & 0xf) ^ getrandbits(8), 1) for i inrange(4567)) m = list(flag) for i inrange(2024): shuffle(m) print("gift =", bytes_to_long(gift)) print("c = '" + "".join(list(map(chr,m))) + "'")
from Crypto.Util.number import long_to_bytes from random import * D=long_to_bytes(gift) y=[] for i inrange(4567): x=D[i] if(i%8==0): y+=list(map(int, (bin(x^^1)[2:].zfill(8)))) else: y+=list(map(int, (bin(x>>4)[2:].zfill(4)))) y=vector(GF(2),y) s=M.solve_left(y) G=[] for i inrange(624): C=0 for j inrange(32): C<<=1 C|=int(s[32*i+j]) G.append(C) RNG1 = Random() for i inrange(624): G[i]=int(G[i]) RNG1.setstate((int(3),tuple(G+[int(624)]),None)) #ValueError: matrix equation has no solutions
from tqdm import * from random import * defgetRows(rng): row=[] for i inrange(4567): x=rng.getrandbits(4) x=rng.getrandbits(8) if(i%8==0): row+=list(map(int, (bin(x>>1)[2:].zfill(7)))) else: row+=list(map(int, (bin(x>>4)[2:].zfill(4)))) return row rng=Random() M=[] for i in tqdm_notebook(range(19968)):#这一部分为固定套路 state = [0]*624 temp = "0"*i + "1"*1 + "0"*(19968-1-i) for j inrange(624): state[j] = int(temp[32*j:32*j+32],2) rng.setstate((3,tuple(state+[624]),None)) #这个setstate也是固定格式,已于2025.1.21测试 M.append(getRows(rng)) M=Matrix(GF(2),M) save(M,'catrandom3')
M=load('catrandom3.sobj') gift= c= from Crypto.Util.number import long_to_bytes from random import * D=long_to_bytes(gift) y=[] for i inrange(4567): x=D[i] if(i%8==0): y+=list(map(int, (bin(x>>1)[2:].zfill(7)))) else: y+=list(map(int, (bin(x>>4)[2:].zfill(4)))) y=vector(GF(2),y) s=M.solve_left(y) G=[] for i inrange(624): C=0 for j inrange(32): C<<=1 C|=int(s[32*i+j]) G.append(C) RNG1 = Random() for i inrange(624): G[i]=int(G[i]) RNG1.setstate((int(3),tuple(G+[int(624)]),None)) for i inrange(4567): RNG1.getrandbits(4) RNG1.getrandbits(8) x = [i for i inrange(len(c))] for i inrange(2024): RNG1.shuffle(x) s=[None]*len(c) for i inrange(len(c)): s[x[i]]=c[i] print(''.join(s)) #catctf{_Shuf|fl3_s|hUFf1e_UnsHUff|L3_unsH|ufF1E_}
from pwn import * from random import * from mttools import * sh=process(['python3','localtest.py']) sh.recvuntil(b'msg:') sh.sendline(b'00'*2480) sh.recvuntil(b'ct:') recv=sh.recvline(keepends=False).strip() print(recv) print(len(recv)//2) sh.sendline(b'1') F=MT19937() D=[] for i inrange(624): di=recv[i*8:i*8+8] di=(int(di[6:8],16)<<24)+(int(di[4:6],16)<<16)+(int(di[2:4],16)<<8)+(int(di[0:2],16)) D.append(di) F.setstate(D) from tqdm import * for T in tqdm(range(127)): sh.recvuntil(b'msg:') sh.sendline(b'00'*4) test=[F.getstate()for i inrange(7)][3:] #print(test) sh.recvuntil(b'ct:') D=[] recv=sh.recvline(keepends=False).strip() for i inrange(4): di=recv[i*8:i*8+8] di=(int(di[6:8],16)<<24)+(int(di[4:6],16)<<16)+(int(di[2:4],16)<<8)+(int(di[0:2],16)) D.append(di) #print(D) if(D==test): sh.sendline(b'1') else: sh.sendline(b'0') print(sh.recvall(timeout=6)) #b'[+] Congrats! \xf0\x9f\x9a\xa9 flag{71e3453c-5edb-4ef2-bb51-6c9a5f3b782b}\n'
gift= c= import random from tqdm import * n=50000 defgetRows(rng): #这一部分根据题目实际编写,必须和题目实际比特获取顺序和方式完全一致,且确保比特数大于19937,并且请注意zfill。 row=[] for i inrange(n): a=rng.getrandbits(5) b=rng.getrandbits(31) if(gift[i]&0x40000000): row+=list(map(int, (bin(31)[2:].zfill(5)))) row+=list(map(int, (bin(b)[2:].zfill(31)))) return row M=[] rng=random.Random() for i in tqdm_notebook(range(19968)):#这一部分为固定套路 state = [0]*624 temp = "0"*i + "1"*1 + "0"*(19968-1-i) for j inrange(624): state[j] = int(temp[32*j:32*j+32],2) rng.setstate((3,tuple(state+[624]),None)) #这个setstate也是固定格式,已于2025.1.21测试 M.append(getRows(rng)) M=Matrix(GF(2),M) y=[] tot=0 for i inrange(n): if(gift[i]&0x40000000): y+=list(map(int, (bin(31)[2:].zfill(5)))) y+=list(map(int, (bin(gift[i])[2:].zfill(31)))) tot+=1 y=vector(GF(2),y) s=M.solve_left(y) #print(s) G=[] for i inrange(624): C=0 for j inrange(32): C<<=1 C|=int(s[32*i+j]) G.append(C) import random RNG1 = random.Random() for i inrange(624): G[i]=int(G[i]) RNG1.setstate((int(3),tuple(G+[int(624)]),None)) from Crypto.Util.number import * for i inrange(50000): RNG1.getrandbits(5) RNG1.getrandbits(31) K=RNG1.getrandbits(500) C=bytes_to_long(c) print(long_to_bytes(C^^K)) #b'NSSCTF{Bec4us3_0f_LinearXD!!}'
# !/usr/bin/env python from hashlib import sha256 import socketserver import os import sys import random import signal import string from hashlib import sha256 from mypad import * from datetime import * from Crypto.Cipher import AES from random import * from Crypto.Util.number import *
classTask(socketserver.BaseRequestHandler): def_recvall(self): BUFF_SIZE = 2048 data = b'' whileTrue: part = self.request.recv(BUFF_SIZE) data += part iflen(part) < BUFF_SIZE: break return data.strip()
from flag import M, q, a, b, select import hashlib from hashlib import sha256 from Crypto.Util.number import * from Crypto.Cipher import AES import sys import ecdsa from Crypto.Util.Padding import pad, unpad from ecdsa.ellipticcurve import CurveFp,Point from math import ceil import os import random import string
flag = b'qwb{kLeMjJw_HBPtoHsVhnnxZdvtGjomivNDUI_vMRhZHrfKlCZ6HlGAeXRV_gQ8i117nGhzEMr0Zk_YTl1wftSskpX4JLnryE9Mhl96cPTWorGCl_R6nD33bcx1AYflag_leak}' assertlen(flag) == 136
BANNER = ''' GGGGG OOOOO DDDDD DDDDD GGGGG AAA MM MM EEEEEEE GG OO OO DD D DD D GG AAAAA MMM MMM EE GG GGG OO OO DD D DD D GG GGG A A MM MM MM EEEEE GG GG OO OO DD D DD D GG GG AAAAA MM MM EE GGGGGGG OOOOO DDDDD DDDDD GGGGGGG A A MM MM EEEEEEE '''
NNN = [] defdie(*args): pr(*args) quit()
defpr(*args): s = " ".join(map(str, args)) sys.stdout.write(s + "\n") sys.stdout.flush()
defsc(): return sys.stdin.buffer.readline()
defRng(k): ran = random.getrandbits(k) NNN.append(ran) return ran
defADD(num): NUM = 0 for i inrange(num): NUM += Rng(32) return NUM
defsecure_choice(sequence): ifnot sequence: returnNone randbelow = 0 for i, x inenumerate(sequence): randbelow += 1 if os.urandom(1)[0] < (1 << 8) * randbelow // len(sequence): return x
defxDBLADD(P, Q, PQ, q, a, b): (X1, Z1), (X2, Z2), (X3, Z3) = PQ, P, Q X4 = (X2**2 - a * Z2**2) ** 2 - 8 * b * X2 * Z2**3 Z4 = 4 * (X2 * Z2 * (X2**2 + a * Z2**2) + b * Z2**4) X5 = Z1 * ((X2 * X3 - a * Z2 * Z3) ** 2 - 4 * b * Z2 * Z3 * (X2 * Z3 + X3 * Z2)) Z5 = X1 * (X2 * Z3 - X3 * Z2) ** 2 X4, Z4, X5, Z5 = (c % q for c in (X4, Z4, X5, Z5)) return (X4, Z4), (X5, Z5)
defxMUL(P, k, q, a, b): Q, R = (1, 0), P for i inreversed(range(k.bit_length() + 1)): if k >> i & 1: R, Q = Q, R Q, R = xDBLADD(Q, R, P, q, a, b) if k >> i & 1: R, Q = Q, R return Q
defshout(x, d, q, a, b): P = (x,1) Q = xMUL(P, d, q, a, b) return Q[0] * pow(Q[1], -1, q) % q
defgenerate_random_string(length): characters = string.ascii_letters + string.digits random_string = ''.join(secure_choice(characters) for i inrange(length)) return random_string
defmain(): pr(BANNER) pr('WELCOME TO THIS SIMPLE GAME!!!') ASSERT = 1#( proof_of_work() ) #Simplified for local test. ifnot ASSERT: die("Not right proof of work")
pr('Now we will start our formal GAME!!!') pr('===== First 1💪: =====') pr('Enter an integer as the parameter p for Curve: y^2 = x^3+12x+17 (mod p) and 250<p.bit_length()') p1 = int(sc()) ifnot250<=p1.bit_length(): die('Wrong length!') curve = CurveFp(p1, 12, 17,1) pr(curve) pr('Please Enter a random_point G:') G_t = sc().split(b' ') Gx,Gy = int(G_t[0]),int(G_t[1]) ifnot curve.contains_point(Gx,Gy): die('This point is outside the curve') G = Point(curve,Gx,Gy)
for i inrange(500): ECDU = ECCDu(curve,G) m = 'My secret is a random saying of phrase,As below :' + generate_random_string(119) Number = ECDU.Random_key(1344) c = Number^bytes_to_long(m.encode()) pr(f'c = {c}') pr(f'P = {int(ECDU.P.x()), int(ECDU.P.y())}') pr(f'Q = {int(ECDU.Q.x()), int(ECDU.Q.y())}')
pr('Enter m:') m_en = sc().rstrip(b'\n') if m_en != m.encode(): die('This is not the right m,Please try again') else: pr('Right m!!!') pr('Bingo!') new_state,new_state1 = ADD(136),ADD(50)
random.seed(new_state)
pr('===== Second 2💪: =====') curve1 = CurveFp(q,a,b,1) pr(f'{int(curve1.p()),int(curve1.a()),int(curve1.b())}')
pr("Enter a number that does not exceed 1500") number = int(sc())
pr(f'You only have {number} chances to try') success = 0 for i inrange(number): Gx = secure_choice(select) R = Rng(25) pr('Gx = ',Gx) pr('Px = ',shout(Gx, R, q, a, b)) R_n = int(sc().rstrip(b'\n')) if R_n != R: pr(f'Wrong number!!!,Here is your right number {R}') else: pr('GGood!') success += 1
pr('Now we will start our formal GAME!!!') pr('===== First 1💪: =====') pr('Enter an integer as the parameter p for Curve: y^2 = x^3+12x+17 (mod p) and 250<p.bit_length()') p1 = int(sc()) ifnot250<=p1.bit_length(): die('Wrong length!') curve = CurveFp(p1, 12, 17,1) pr(curve) pr('Please Enter a random_point G:') G_t = sc().split(b' ') Gx,Gy = int(G_t[0]),int(G_t[1]) ifnot curve.contains_point(Gx,Gy): die('This point is outside the curve') G = Point(curve,Gx,Gy)
for i inrange(500): ECDU = ECCDu(curve,G) m = 'My secret is a random saying of phrase,As below :' + generate_random_string(119) Number = ECDU.Random_key(1344) c = Number^bytes_to_long(m.encode()) pr(f'c = {c}') pr(f'P = {int(ECDU.P.x()), int(ECDU.P.y())}') pr(f'Q = {int(ECDU.Q.x()), int(ECDU.Q.y())}')
pr('Enter m:') m_en = sc().rstrip(b'\n') if m_en != m.encode(): die('This is not the right m,Please try again') else: pr('Right m!!!') pr('Bingo!') new_state,new_state1 = ADD(136),ADD(50)
pr('===== Second 2💪: =====') curve1 = CurveFp(q,a,b,1) pr(f'{int(curve1.p()),int(curve1.a()),int(curve1.b())}')
pr("Enter a number that does not exceed 1500") number = int(sc())
pr(f'You only have {number} chances to try') success = 0 for i inrange(number): Gx = secure_choice(select) R = Rng(25) pr('Gx = ',Gx) pr('Px = ',shout(Gx, R, q, a, b)) R_n = int(sc().rstrip(b'\n')) if R_n != R: pr(f'Wrong number!!!,Here is your right number {R}') else: pr('GGood!') success += 1
defxDBLADD(P, Q, PQ, q, a, b): (X1, Z1), (X2, Z2), (X3, Z3) = PQ, P, Q X4 = (X2**2 - a * Z2**2) ** 2 - 8 * b * X2 * Z2**3 Z4 = 4 * (X2 * Z2 * (X2**2 + a * Z2**2) + b * Z2**4) X5 = Z1 * ((X2 * X3 - a * Z2 * Z3) ** 2 - 4 * b * Z2 * Z3 * (X2 * Z3 + X3 * Z2)) Z5 = X1 * (X2 * Z3 - X3 * Z2) ** 2 X4, Z4, X5, Z5 = (c % q for c in (X4, Z4, X5, Z5)) return (X4, Z4), (X5, Z5)
defxMUL(P, k, q, a, b): Q, R = (1, 0), P for i inreversed(range(k.bit_length() + 1)): if k >> i & 1: R, Q = Q, R Q, R = xDBLADD(Q, R, P, q, a, b) if k >> i & 1: R, Q = Q, R return Q
defshout(x, d, q, a, b): P = (x,1) Q = xMUL(P, d, q, a, b) return Q[0] * pow(Q[1], -1, q) % q
nSample=1266 sh.sendline(str(nSample).encode()) sh.recvline() import mttools F=mttools.MT19937() F.setstate(R32s[:500]+[0]*124) newstate1=0 for i inrange(12): F.getstate() newstate1=sum([F.getstate() for _ inrange(50)])
# with open('debugclient','w') as fffp: # fffp.write(str(newstate1)+'\n') # fffp.write(str(R32s))
defecBSGS(G,H): D=dict() P=E(0) G2=G*5793 for i inrange(5793): D[P]=i P+=G2 Htmp=H for i inrange(5793): u=D.get(Htmp,None) if(u): return u*5793+i Htmp-=G return -1
import random defgetRows(rng): row=[] for i inrange(nSample): row+=list(map(int, (bin(rng.getrandbits(25))[2:].zfill(25)))) return row rng=random.Random() M=[] for i in tqdm(range(19968)):#这一部分为固定套路,具体原因已经写在注释中了 state = [0]*624 temp = "0"*i + "1"*1 + "0"*(19968-1-i) for j inrange(624): state[j] = int(temp[32*j:32*j+32],2) rng.setstate((3,tuple(state+[624]),None)) #这个setstate也是固定格式,已于2025.1.21测试 M.append(getRows(rng)) M=Matrix(GF(2),M) print("r(M)=",M.rank()) y=[] for i inrange(nSample): y+=list(map(int, (bin(D[i])[2:].zfill(25)))) y=vector(GF(2),y) s=M.solve_left(y) G=[] for i inrange(624): C=0 for j inrange(32): C<<=1 C|=int(s[32*i+j]) G.append(C) RNG1 = random.Random() for i inrange(624): G[i]=int(G[i]) RNG1.setstate((int(3),tuple(G+[int(624)]),None)) A32=[RNG1.getrandbits(32) for i inrange(2000)] A=sum(A32)
#python 3 from pwn import * from Crypto.Util.number import * from hashlib import * from sage.allimport * context.log_level='debug' defgetyanzhengma(s16,s64): table='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890' for ch1 in table: for ch2 in table: for ch3 in table: for ch4 in table: if(sha256((ch1+ch2+ch3+ch4+s16).encode()).hexdigest()==s64): return ch1+ch2+ch3+ch4 return'aaaa' # sh=process(['python3','task37.py']) sh=remote("node7.anna.nssctf.cn",23842) sh.recvuntil(b'+') recv=sh.recvline().decode().strip().split('==') s16=recv[0][:-2] s64=recv[1][1:-1] print(s16,s64) yanzhengma=getyanzhengma(s16,s64) sh.sendline(yanzhengma.encode()) for i inrange(3): sh.recvline()
nSample=1266 sh.sendline(str(nSample).encode()) sh.recvline() import mttools F=mttools.MT19937() F.setstate(R32s[:500]+[0]*124) newstate1=0 for i inrange(12): F.getstate() newstate1=sum([F.getstate() for _ inrange(50)])
defecBSGS(G,H): D=dict() P=E(0) G2=G*5793 for i inrange(5793): D[P]=i P+=G2 Htmp=H for i inrange(5793): u=D.get(Htmp,None) if(u): return u*5793+i Htmp-=G return -1
for i in tqdm(range(realSample)): sh.recvuntil(b'=') Gx=int(sh.recvline()) sh.recvuntil(b'=') Px=int(sh.recvline()) G=E.lift_x(ZZ(Gx)) P=E.lift_x(ZZ(Px)) d=ecBSGS(G,P) if(d+1): sh.sendline(str(d).encode()) D.append(int(d)) else: P=-P d=ecBSGS(G,P) if(d+1): sh.sendline(str(d).encode()) D.append(int(d)) else: print('fail') exit(0) for i in tqdm(range(realSample,nSample)): sh.recvuntil(b'=') Gx=int(sh.recvline()) sh.recvuntil(b'=') Px=int(sh.recvline()) sh.sendline(b'99999999999999') sh.recvuntil(b'right number') v=sh.recvline(keepends=False) D.append(int(v)) print(len(D))
#=========IF YOU DO NOT HAVE GF2BV, REPLACE THE CODE BELOW TO THE LAST CODE BLOCK IN 7x04 CHAPTER. from gf2bv import LinearSystem from gf2bv.crypto.mt import MT19937 defgf2bv_mt19937(bs, out): lin = LinearSystem([32] * 624) mt = lin.gens()
rng = MT19937(mt) zeros = [rng.getrandbits(bs) ^ int(o) for o in out] + [mt[0] ^ int(0x80000000)] sol = lin.solve_one(zeros)
rng = MT19937(sol) pyrand = rng.to_python_random() return pyrand rng2=gf2bv_mt19937(25,D) A32=[rng2.getrandbits(32) for i inrange(2000)] A=sum(A32)