d3ctf-LFSR

​ 由于异或的可逆性和相消性,推到可以得到message的前34位就是myResult的1-35位,而剩余30位未知,就可以利用矩阵方程组来解。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
from Crypto.Util.number import *
from sage.all import *
from functools import reduce

def xor(a,b):
    return a^b

def right_reduce(a,b):
    return reduce(xor,[ a[i]&b[i] for i in range(len(a))])

mask = '1010010000001000000010001001010010100100000010000000100010010100'
xor_output = '00100110001000110001101010101001001'
and_output = '01111101111010111000010010111001101'
message = ''
#可以证明,message的前34位就是xor_output的1-34位
for i in range(1,35):
    message += str(int(xor_output[i]))

and_output=and_output[:-5]
#矩阵方程等号左边系数矩阵
r_and=[int(i) for i in and_output]
r_xor=[int(i) for i in xor_output[1:35]]
A = [int(i) for i in mask[34:]]
AA = []
for i in range(30):
    A = [int(i) for i in mask[(34-i):(64-i)]]
    AA.append(A)
print(AA)
AA=matrix(GF(2),AA)

r = []
for i in range(30):
    a = [r_xor[j] for j in range(i,34)]
    b = [int(mask[k]) for k in range(0,34-i)]
    if i == 0:
        c = [0]
        d = [0]
    else:
        c = [r_and[l] for l in range(0,i)]
        d = [int(mask[p]) for p in range(63,63-i,-1)]
    r.append(right_reduce(a,b) ^ right_reduce(c,d) ^ r_and[i])

rr =  vector(GF(2),r)
print(rr)
ans = AA.solve_right(rr)
print(ans)

ans = list(ans)
low_bit = ''
for i in ans:
    low_bit += str(i)
message = message + low_bit
print(long_to_bytes(int(message,2)))
#LF5Rsuk!

扫一扫,分享到微信

微信分享二维码
本站总访问量: 总访客次数:

tag:

梦想是成为全栈佬并养一只猫