h = mpz(sha1("Welcome to KanXue CTF 2018")) % p = 2ABB294436DE91F4
ecdsa_verify(h, r, s)
.text:00405D30 jal x_verify_sign
公钥R
.text:004066EC bal epoint_set
.rodata:00436FD8 g_R
epoint_set中根据y的计算方式可知是椭圆曲线
y=(x^3+ax+b)^((p+1)/4) % p
因为p是素数, 所以由费马小定理 x^p % p = x
y^4=(x^3+ax+b)^(p+1) % p=(x^3+ax+b)^2 % p
当 x^3+ax+b 是模p的二次剩余时(即x对应曲线上的点), 可得 y^2=(x^3+ax+b) % p; 指数 (p+1)/4 正是 p ≡ 3 (mod 4) 时的模平方根公式
计算h
.text:004066F8 la $v0, aWelcomeToKanxu # "Welcome to KanXue CTF 2018"
.text:00406714 bal sha1
.text:00406760 bal mpz_init_set_str
.text:004067D8 bal mpz_mod
验证签名
.text:00406974 bal ecdsa_verify
u = h/s
.text:00405638 bal mpz_invert
.text:0040566C bal mpz_mod
.text:0040569C bal mpz_mul
.text:004056D4 bal mpz_mod
w = r/s
.text:00405704 bal mpz_mul
.text:0040573C bal mpz_mod
u*G
.text:00405774 bal ecurve_mult
w*R
.text:004057A0 bal ecurve_mult
v = (u * G + w * R) 的x坐标 mod n
v == r
.text:004057C8 bal ecurve_add
.text:004057F4 bal mpz_cmp
根据
R = d*G 穷举私钥d (d不到2^20, 且曲线只有64位, 所以穷举可行; 正常的ECDSA要求d在[1, n-1]内均匀随机), 得到d: F377F
#include <miracl.h>
/*
 * Recover the private scalar d behind the public point R = d*G by trying
 * d = 1, 2, 3, ... until the x-coordinate of d*G equals R's x-coordinate,
 * then print the matching d.
 *
 * The search finishes quickly only because this challenge key is tiny
 * (the hit is d = F377F, below 2^20) and the curve modulus is 64 bits wide.
 *
 * Every cinstr() argument is a hex string, so this presumably relies on the
 * caller having initialised MIRACL with a hexadecimal I/O base; that setup
 * is not part of this listing -- confirm against the caller.
 * DWORD64 and the "I64" printf length modifier are Microsoft-specific.
 * None of the big/epoint objects allocated here are released.
 */
void test_d()
{
    /* Curve y^2 = x^3 + a*x + b over GF(p). */
    big curve_a = mirvar(0);
    big curve_b = mirvar(0);
    big prime = mirvar(0);
    cinstr(curve_a, "348020E40410F914");
    cinstr(curve_b, "22BB96DE83B3EB71");
    cinstr(prime, "8D5B53DD2E70FC93");
    ecurve_init(curve_a, curve_b, prime, MR_AFFINE);

    /* Base point G. */
    big base_x = mirvar(0);
    big base_y = mirvar(0);
    cinstr(base_x, "1323f564d7976e65");
    cinstr(base_y, "2A193D3E7A6B1E29");
    epoint* base = epoint_init();
    if (!epoint_set(base_x, base_y, 0, base))
    {
        /* G was rejected by epoint_set; nothing to search. */
        return;
    }

    /* x-coordinate of the public point R that the search must reproduce. */
    big target_x = mirvar(0);
    cinstr(target_x, "3ed6cee8b10a0da1");

    big scalar = mirvar(0);
    big found_x = mirvar(0);
    epoint* product = epoint_init();
    char hex_buf[256];

    /* Upper bound is the value the write-up lists as the order n. */
    const DWORD64 limit = 0x8d5b53dd4b7d51eb;
    DWORD64 candidate = 0x1;
    while (candidate < limit)
    {
        /* Load the counter into a big by way of its 16-digit hex form. */
        sprintf(hex_buf, "%016I64x", candidate);
        cinstr(scalar, hex_buf);

        ecurve_mult(scalar, base, product);

        /* The same big is passed for both outputs; MIRACL then stores only
         * the x-coordinate. */
        epoint_get(product, found_x, found_x);

        /* Only x is compared, so d and n - d (which share an x-coordinate)
         * cannot be told apart by this test. */
        if (compare(found_x, target_x) == 0)
        {
            print_big(scalar); // F377F
            return;
        }
        candidate++;
    }
}
计算sign
h:
2ABB294436DE91F4
r: 3f43ed6ff36724ca
d: F377F
k:
4CC5EFB37CA431A2
n: 8d5b53dd4b7d51eb
s = (h + rd)/k mod n
得到s: 56e16038e692b5d7
/*
 * Compute and print the ECDSA s component, s = (h + r*d) * k^-1 mod n,
 * from the hex constants listed in the write-up.
 *
 * k is a fixed literal here; how k and r were obtained is not shown in this
 * listing. (In a sound ECDSA deployment k is a fresh secret per signature,
 * because anyone who knows k, r, s and h can solve this equation for d.)
 *
 * The hex cinstr() arguments presumably rely on MIRACL having been
 * initialised with a hexadecimal I/O base by the caller -- confirm.
 */
void test_sign()
{
    big order = mirvar(0);      /* n */
    big priv = mirvar(0);       /* d */
    big digest = mirvar(0);     /* h */
    big nonce = mirvar(0);      /* k */
    big nonce_inv = mirvar(0);  /* k^-1 mod n */
    big acc = mirvar(0);        /* starts as r, ends as s */

    cinstr(order, "8d5b53dd4b7d51eb");
    cinstr(priv, "0F377F");
    cinstr(digest, "2ABB294436DE91F4");
    cinstr(nonce, "4CC5EFB37CA431A2");
    cinstr(acc, "3f43ed6ff36724ca");

    invert(nonce, order, nonce_inv);

    /* acc = (r*d + h) * k^-1, not yet reduced. */
    multiply(acc, priv, acc);
    add(acc, digest, acc);
    multiply(acc, nonce_inv, acc);

    /* Divisor and quotient are the same variable, so MIRACL returns only the
     * remainder: acc becomes acc mod n and n is left unchanged. */
    divide(acc, order, order);

    print_big(acc);
}