-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathsolve.py
90 lines (59 loc) · 2.22 KB
/
solve.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/usr/bin/env python3
from utils import generate_graph
from pwn import process, remote, sys
from networkx.algorithms.isomorphism.tree_isomorphism import tree_isomorphism
def get_process():
if len(sys.argv) == 1:
return process(['python3', 'server copy.py'])
host, port = sys.argv[1], sys.argv[2]
io = remote(host, port)
io.sendlineafter(b'Flag for cryptoGRAPHy 2: ', b'SEKAI{3ff1c13nt_GES_4_Shortest-Path-Queries-_-}')
return io
io = get_process()
io.sendlineafter(b'> Option: ', b'1')
io.recvuntil(b'[*] Edges: ')
G = generate_graph(eval(io.recvline().decode()))
io.sendlineafter(b'> Option: ', b'2')
io.recvline()
queries = []
while True:
line = io.recvline().decode()[:-1]
if 'MENU' in line:
break
tok, res = map(bytes.fromhex, line.split(' '))
queries.append({
'token': tok[:32].hex(),
'tok': [tok[i:i+32].hex() for i in range(32, len(tok), 32)],
'res': [res[i:i+32].hex() for i in range(0, len(res), 32)]
})
toks_0 = [q['token'] for q in queries if len(q['tok']) == 0]
mappings = {}
def define_tree(queries):
nodes = [q['token'] for q in queries]
edges = set()
for node in nodes:
for q in queries:
if len(q['tok']) and q['tok'][0] == node:
edges.add((node, q['token']))
GG = generate_graph(edges)
isomorphism = tree_isomorphism(GG, G)
for enc, node in isomorphism:
mappings[enc] = node
for tok in toks_0:
define_tree([q for q in queries if tok in q['tok'] or tok == q['token']])
io.sendlineafter(b'> Option: ', b'3')
round_prog = io.progress('Round')
for r in range(10):
round_prog.status(f'{r + 1} / 10')
io.recvuntil(b'[*] Token: ')
token = bytes.fromhex(io.recvline().decode())
io.recvuntil(b'[*] Query Response: ')
res = bytes.fromhex(io.recvline().decode())
keys = [token.hex()] + [res[i:i+32].hex() for i in range(0, len(res) // 2, 32)]
shortest_path = []
for key in keys:
shortest_path.append(mappings[key])
io.sendlineafter(b'> Original query: ', ' '.join(map(str, shortest_path)).encode())
round_prog.success('10 / 10')
print(io.recv().decode().strip())
# SEKAI{Full_QR_Attack_is_not_easy_https://eprint.iacr.org/2022/838.pdf}