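Neon lights flicker, vehicles shuttle between the buildings, and looking up you can see giant three-dimensional signs and holographic projections. [Note: this is a Windows reverse-engineering challenge]
The ground is transparent and you can see bottomless depths beneath it; the buildings are dilapidated and old, and look especially somber in the rainy night.
After some investigation I found that this space as a whole is a giant clock that advances one tick each day. Day and night alternate, the four seasons change, and the people of the upper level forever enjoy spring, summer, autumn and winter; when the clock points to 12 the space resets once more and everything starts over.
The people of the lower level spend most of their lives looping endlessly in the night; after 365 days they turn underground at another dawn.
In this space the four seasons seem to be a closed ring; what people fear is not the unknown, but knowing their fate in advance.
Time is a circle, space is a circle, and the universe is a circle too.
The people in the circle loop endlessly through the cycle of the seasons, so how can I help them? This puzzle is waiting for me to explore.
The cryptography part of this challenge is fairly hard: it tests understanding of elliptic curves in public-key cryptography and requires implementing the point-multiplication algorithm once the challenge's algorithm is understood, so it has a certain complexity.
The unique serial number (SN) for this challenge is: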
test_KXCTF_flag{15011-45E75CD17B6411B91786C70A5D8627ED488DFC5BA-3680C3560AFC35998540EC8B4E259D93CC8EC999B}
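As far as the equation itself is concerned, each name has 1 key.
How to enter the Easter egg (a bonus extra):
Introduction: the addition cycle on Edwards elliptic curves
As we know, the most commonly used elliptic-curve equation over the prime field modulo p is the Weierstrass form:
y^2 + a1*x*y + a3*y = x^3 + a2*x^2 + a4*x + a6 (mod p) ... (0)
In 2007 the Edwards curve was introduced into cryptography; its hallmark is that the formulas for addition and doubling are unified (which resists timing attacks, power attacks and so on), and its arithmetic is efficient.
One can plot it for: d = 100, 10, (1), 1/10, 1/100, 0, -1/100, -1/10, -1, -10, -100
Let us imagine (you can plot it with WolframAlpha to see) how the curve changes with d (since a = 1, d != 1, otherwise it degenerates into four straight lines in a "#" pattern):
d goes from large positive rationals such as 100, 10, to 1/10, 1/100, then becomes 0, then becomes the negative rationals -1/100, -1/10, -1, -10, -100,
In this process, the effect of the term d*x^2*y^2:
causes the curve to converge from a divergent four-lobed shape to the unit circle, and then to flatten into a four-pointed star. If d -> 0 it degenerates into one unit circle.
2. An elementary analogy for "addition" on elliptic curves
Given 2 points:
P1 (X1,Y1) = cos(A) + i*sin(A) , P2 (X2,Y2) = cos(B) + i*sin(B) ... (5)
The above only explains the Edwards curve from the viewpoint of elementary geometry and elementary complex functions, to make it more vivid and set it in motion in one's mind. See the Wikipedia entry here: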
https://en.wikipedia.org/wiki/Edwards_curve
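Note, however, that once applied to elliptic-curve cryptography, the elliptic curve no longer has a geometric picture. Cryptography uses integer points modulo a prime P, a set of points in a finite field, and these points form a commutative additive group (called an abelian group). These points satisfy the equation only modulo P and no longer have anything to do with the points on the original geometric curve.
The elliptic-curve equation and algorithm of this challenge
Value of p: the first 49 digits of the fractional part of the decimal expansion of e, the base of the natural logarithm, happen to be a prime; the program computes the expansion of e in code to generate this prime.
The number of points on this curve: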
np = 7182818284590452353602871807190217533637006531716
prime_order = np/4 = 1795704571147613088400717951797554383409251632929
t = cputime()
p = 7182818284590452353602874713526624977572470936999
a = 2019
d = 3033
R = IntegerModRing(p)
# Coefficients of the Weierstrass model, derived from the Edwards parameters a and d
A = R(2*(a+d)) / R(a-d)
B = R(4)/R(a-d)
a1 = 0
a3 = 0
a2 = A*B%p
a4 = B*B%p
a6 = 0
set_verbose(2)
print("Edwards Curve: a*x^2 + y^2 = 1 + d*x^2*y^2 mod p ")
print("p=%d" % (p))
print("a=%d" % (a))
print("d=%d" % (d))
print("Weierstrass Model:")
print("y^2 + a1*x*y + a3*y= x^3 + a2*x^2 + a4*x + a6")
print("a2 = %d" % (a2))
print("a4 = %d" % (a4))
E = EllipticCurve(GF(p), [a1, a2, a3, a4, a6])
np = E.cardinality()
print("np = %d" % (np))
# Strip every factor of 2 from np to get the cofactor and the odd part of the order
order = Integer(np)
while order % 2 == 0:
    order = Integer(order/2)
cof = Integer(np/order)
if order.is_prime():
    print("prime order(np/%d) = " % (cof))
    print("%d" % (order))
t = cputime(t)
print("cpu time cost %.3f seconds" % (t))
Edwards Curve: a*x^2 + y^2 = 1 + d*x^2*y^2 mod p
p=7182818284590452353602874713526624977572470936999
a=2019
d=3033
Weierstrass Model:
y^2 + a1*x*y + a3*y= x^3 + a2*x^2 + a4*x + a6
a2 = 4484409758247046184232953793931039722585130776278
a4 = 5916368345885347562026212334888880044763786492373
np = 7182818284590452353602871807190217533637006531716
prime order(np/4) =
1795704571147613088400717951797554383409251632929
cpu time cost 0.819 seconds
Projective coordinates:
A brief proof follows:
=> rational transformation: let X = 1/x, Y = 1/y
=> a/X^2 + 1/Y^2 = 1 + d/(X^2*Y^2)
=> multiply both sides by X^2*Y^2
E'(a,d): a*Y^2 + X^2 = X^2*Y^2 + d ... (a2)
So (a1) and (a2) are equivalent.
For such a curve:
x3 = (x1*y2+y1*x2)/(1+d*x1*x2*y1*y2)
y3 = (y1*y2-a*x1*x2)/(1-d*x1*x2*y1*y2)
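In the challenge, to speed up the computation, inverted projective coordinates (X,Y,Z) are used (inverted coordinates).
(X^2 + a*Y^2)*Z^2 = X^2*Y^2 + d*Z^4 ...(b1) See Twisted Edwards Curves, pp. 12-13 of 17 pages in total, Daniel J. Bernstein
The addition for (b1), (X3, Y3, Z3) = (X1, Y1, Z1) + (X2, Y2, Z2), is computed by the following rules:
X3 = (X1*X2 - a*Y1*Y2) * (X1*Y1*X2*Y2 + d*Z1^2*Z2^2)
Y3 = (X1*Y2 + Y1*X2) * (X1*Y1*X2*Y2 - d*Z1^2*Z2^2)
Z3 = Z1*Z2*(X1*X2 - a*Y1*Y2)*(X1*Y2 + Y1*X2)
The algorithm model of this challenge
On the elliptic curve, the known quantities are two groups of points, 4 points each, R1-R4 and W1-W4, together with h1 and h2; find G(X,Y,Z) satisfying the following relation:
3^365*[ 12*(R1+R2+R3+R4) + h1*G ] + G = 2^365 *[ 4*(W1 + W2 + W3 + W4) + h2*G ] ... (12)
In short, the challenge ultimately verifies this equation:
where L = 3^365*[ 12*(R1+R2+R3+R4) + h1*G ] , M = 2^365 *[ 4*(W1 + W2 + W3 + W4) + h2*G ] ...(14)
Describing the story L + G = M in words:
Solving equation (12): with symbols substituted, the actual procedure is just like solving a linear equation in one unknown in elementary mathematics:
m*[ 12*(R1+R2+R3+R4) + h1*G ] + G = n*[ 4*(W1+W2+W3+W4) + h2*G ] ... (15)
=> move every occurrence of the unknown G to the left-hand side of the equation, which then yields G:
Reference and solution for this challenge
The sha1 hashes for Rx[i] are computed as follows: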
sha1-hash-hex-byte(20190204) ed8531111214bc69c1fd64adbe59ab9fb14687ed
sha1-hash-hex-byte(20190506) 1f0a0d84eafc1b108fe21c0d707f2a2ef76b6d52
sha1-hash-hex-byte(20190808) 6e2acf46fcc73564c4d84f566a558ed748fafe2e
sha1-hash-hex-byte(20191108) a4ca755463fc535192413dabf67c2c84ab86cd20
Coordinates of the four-season hash points (hexadecimal):
W1(x,y,z) = (ed8531111214bc69c1fd64adbe59ab9fb14687ed, 272ACFA35A56FB05D605D2B2F5B40E3AC4AAE8DDB, 1)
W2(x,y,z) = (1f0a0d84eafc1b108fe21c0d707f2a2ef76b6d52, 25A64AB69A29FF329A5BE8A7AFF8199602B890DAB, 1)
W3(x,y,z) = (6e2acf46fcc73564c4d84f566a558ed748fafe2e, 3489928D307F9D8C13D00ABA0065C262ECA4683AF, 1)
W4(x,y,z) = (a4ca755463fc535192413dabf67c2c84ab86cd20, 109F4C008A5E1BD1C3427796889230722A4AC40EB, 1)
G = 4 * invmod(m*h1 - n*h2 + 1, np) * [n(W1+W2+W3+W4) - 3*m(R1+R2+R3+R4)]
Simplifying: let k = 4 * invmod(m*h1 - n*h2 + 1, np) mod np , T = n(W1+W2+W3+W4) - 3*m(R1+R2+R3+R4).
All quantities are known, so T(Tx,Ty,Tz) can be computed:
Tx= 45541CE1CAE581BA6A21204F2611D05B1B9299CEC , Ty= 2DD8AFD9115FE66385D4B356A31A1EB3C13E30B5D , Tz= 1
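k is a value that depends on h1 and h2 (derived from hash operations on the user name), which means one user name corresponds to one k.
Let us look at this equation again: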
(X^2 + a*Y^2)*Z^2 = X^2*Y^2 + d*Z^4 ...(b1)
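Pay special attention here to the linear relation of projective coordinates: because the Edwards curve is homogeneous, (x,y,z) and (kx,ky,kz) are the same point.
G(x,y, 1) = G(Z*X, Z*Y, Z) , for any Z = [1, P-1] ; for fixed (X,Y), Z can take P-1 possible values.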
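The inverted-coordinate addition (b1), the projective equality just described and the solution G = k*T of equation (15) can be exercised together. The following is an added example, not code from the crackme or from edwards_keygen.cpp: it uses the p, a, d and np printed on this page, takes R and W to be the already-summed points R1+R2+R3+R4 and W1+W2+W3+W4, and all function names and the sample points produced by find_point are assumptions made here.

```python
# Added example; p, a, d and ORDER ("np") are the values printed on this page, all names are hypothetical.
p = 7182818284590452353602874713526624977572470936999
a, d = 2019, 3033
ORDER = 7182818284590452353602871807190217533637006531716
m, n = 3**365, 2**365

def add(P, Q):
    """Unified addition in inverted coordinates; (X:Y:Z) is the affine point (Z/X, Z/Y)."""
    (X1, Y1, Z1), (X2, Y2, Z2) = P, Q
    B, E = d * (Z1 * Z2) ** 2, X1 * X2 * Y1 * Y2
    H, I = X1 * X2 - a * Y1 * Y2, X1 * Y2 + Y1 * X2
    return ((E + B) * H % p, (E - B) * I % p, Z1 * Z2 * H * I % p)

def neg(P):
    return (-P[0] % p, P[1], P[2])  # affine (x, y) -> (-x, y)

def mul(k, P):
    """Left-to-right double-and-add for k >= 1 (the identity has no inverted form)."""
    R = P
    for bit in bin(k)[3:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R

def same(P, Q):
    """Projective equality: (X:Y:Z) and (cX:cY:cZ) are one point."""
    return (P[0] * Q[2] - Q[0] * P[2]) % p == 0 and (P[1] * Q[2] - Q[1] * P[2]) % p == 0

def find_point(x):
    """Constructed sample point: scan affine x upward until y^2 is a square (p % 4 == 3)."""
    while True:
        y2 = (1 - a * x * x) * pow(1 - d * x * x, -1, p) % p
        y = pow(y2, (p + 1) // 4, p)
        if y and y * y % p == y2:
            return (y, x, x * y % p)  # Z = x*y gives X = Z/x = y, Y = Z/y = x
        x += 1

def solve_G(R, W, h1, h2):
    """(m*h1 - n*h2 + 1)*G = 4*(n*W - 3*m*R), with R and W the two four-point sums."""
    k = 4 * pow((m * h1 - n * h2 + 1) % ORDER, -1, ORDER) % ORDER
    return mul(k, add(mul(n, W), neg(mul(3 * m, R))))

def verify(G, R, W, h1, h2):
    """Equation (12): m*[12*R + h1*G] + G == n*[4*W + h2*G]."""
    L = mul(m, add(mul(12, R), mul(h1, G)))
    M = mul(n, add(mul(4, W), mul(h2, G)))
    return same(add(L, G), M)
```

`pow(..., -1, ORDER)` raises ValueError when m*h1 - n*h2 + 1 shares a factor with the group order, which has cofactor 4; since m is odd and n is even, that happens for every odd h1, so a sample call such as `solve_G(find_point(2), find_point(1000), 0x1234, 0x5678)` uses an even h1.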
Taking name = test as an example, the challenge uses
head = "KXCTF2019Q4_Crackme_by_Readyu_四季之歌"
name = "test"
full = "KXCTF2019Q4_Crackme_by_Readyu_四季之歌_test"
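The corresponding 3 hashes:
The checksum is generated with the following code:
unsigned int checksum = 0x10000;
for(i = 0; i < 20; i++)
{
    checksum += (unsigned int) H1[i];
    checksum += (unsigned int) H2[i];
    checksum += (unsigned int) H3[i];
}
if(checksum % 2019 != 0)
    checksum += 2019;
if(checksum % 3033 != 0)
    checksum += 3033;
if(checksum % 365 != 0)
    checksum += 365;
delta = (Gx + Gy + H3) % (2019+3033+365);
Gz = checksum + delta;
In this challenge, given name, one can derive:
Because elliptic-curve point operations involve big-integer multiplication, modular reduction and similar operations, which are awkward to describe in words, I provide the keygen source code here.
For the detailed computation, see edwards_keygen.cpp in the attachment.
Additional note: (Easter egg)
Entering Easter-egg mode unlocks the user name.
Documents (uploaded):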
013_Twisted Edwards Curves-20080313.pdf
The solution approach for this challenge was provided by xym of team 辣鸡战队:
v162_P = 0x4EA28B61F4C3B12B0B544814578629410ECCF55A7

def Hex(n):
    # Helper not shown in the original post; assumed to format an integer as hex
    return hex(n)

def Add_Rol(a1):
    # Halve a1 modulo P
    P = v162_P
    a1 = a1 % P
    if a1 < 0:
        a1 += P
    if a1 % 2:
        a1 += P
    a1 = a1 // 2
    return a1 % P

def sub_404860(a1, a2, a3, a4, a5, a6):
    # Point addition in inverted coordinates, with extra constant factors on each output
    P = v162_P
    # v61 = a1 * a5
    # v60 = a2 * a4
    # v59 = a3 * a6
    # v58 = a1 * a4 + a2 * a5 #(a1 + a2) * (a4 + a5) - v60 - v61
    # v57 = v60 - 0x7E3 * v61
    # v56 = v60 * v61
    # v55 = 0xBD9 * v59 * v59
    # v64 = v59 * v57 * v58
    v64 = (0x7E3 + 0xBD9) * a3 * a6 * (a2 * a4 - 0x7E3 * a1 * a5) * (a1 * a4 + a2 * a5)  # (0x7E3 * v64 + 0xBD9 * v64)
    out3 = ((v64 % P + P) % P) * 2
    # v63 = (v56 - v55) * v58
    v63 = (0x7E3 + 0xBD9) * (a2 * a4 * a1 * a5 - 0xBD9 * a3 * a6 * a3 * a6) * (a1 * a4 + a2 * a5)  # (0x7E3 * v63 + 0xBD9 * v63)
    out2 = ((v63 % P + P) % P) * 2
    # v62 = (v55 + v56) * v57
    v62 = (0x7E3 + 0xBD9) * (0xBD9 * a3 * a6 * a3 * a6 + a2 * a4 * a1 * a5) * (a2 * a4 - 0x7E3 * a1 * a5)  # (0x7E3 * v62 + 0xBD9 * v62)
    out1 = ((v62 % P + P) % P) * 2
    return out1, out2, out3

def sub_404E90(sha3, sha1, sha2, k3, k2, const0x13D00, inputadd):
    v163 = [0 for i in range(4)]
    v167 = [0 for i in range(4)]
    v168 = [0 for i in range(4)]
    v164 = [0 for i in range(4)]
    v165 = [0 for i in range(4)]
    v166 = [0 for i in range(4)]
    v163[0] = 0x0294F20E7B5DC2D408E4D05A35FACEB13D3DCF5C69 * 2 * 1 * inputadd * sha1
    v163[1] = 0x006458A8D5AEEE40A2C95B667FC705F19112E17397 * 2 * 2 * inputadd * sha1
    v163[2] = 0x0330A0818BC327794D974BA7AA8070AB6917482491 * 2 * 3 * inputadd * sha1
    v163[3] = 0x02F5AE3DEC2A4D95E9E01A2B6D9F226162BBE2B3AD * 2 * 4 * inputadd * sha1
    v167[0] = 0x20190204 * 2 * 1 * inputadd * sha1
    v167[1] = 0x20190506 * 2 * 2 * inputadd * sha1
    v167[2] = 0x20190808 * 2 * 3 * inputadd * sha1
    v167[3] = 0x20191108 * 2 * 4 * inputadd * sha1
    v168[0] = 1 * 2 * 1 * inputadd * sha1
    v168[1] = 1 * 2 * 2 * inputadd * sha1
    v168[2] = 1 * 2 * 3 * inputadd * sha1
    v168[3] = 1 * 2 * 4 * inputadd * sha1
    v164[0] = 0x1DB0A6222242978D383FAC95B7CB3573F628D0FDA * inputadd * sha2
    v164[1] = 0x7C283613ABF06C423F887035C1FCA8BBDDADB548 * inputadd * sha2
    v164[2] = 0x29500DBA9ECAB405C9D11DC067E01590BB5E1F514 * inputadd * sha2
    v164[3] = 0x52653AAA31FE29A8C9209ED5FB3E164255C366900 * inputadd * sha2
    v165[0] = 0x4E559F46B4ADF60BAC0BA565EB681C758955D1BB6 * inputadd * sha2
    v165[1] = 0x96992ADA68A7FCCA696FA29EBFE066580AE2436AC * inputadd * sha2
    v165[2] = 0x13B396F4F22FDB14876E0405C02628E518BDA7161A * inputadd * sha2
    v165[3] = 0x84FA600452F0DE8E1A13BCB444918391525620758 * inputadd * sha2
    v166[0] = 2 * 1 * inputadd * sha2
    v166[1] = 2 * 2 * inputadd * sha2
    v166[2] = 2 * 3 * inputadd * sha2
    v166[3] = 2 * 4 * inputadd * sha2
    v139 = sha3 * k3
    v136 = sha3 * k2
    v135 = sha3 * const0x13D00
    v158 = sha1 * k3
    v157 = sha1 * k2
    v160 = sha1 * const0x13D00
    v150 = sha2 * k3
    v149 = sha2 * k2
    v152 = sha2 * const0x13D00
    P = v162_P
    # v128 = sha1 % (sha1%0x7E3 + 0x16D)
    v43 = 0x439
    v44 = 0x4B7
    for i in range(v43):
        (v158, v157, v160) = sub_404860(v136, v139, v135, v158, v157, v160)
        v139 = Add_Rol(v139)
        v136 = Add_Rol(v136)
        v135 = Add_Rol(v135)
    for i in range(v44):
        (v150, v149, v152) = sub_404860(v136, v139, v135, v150, v149, v152)
        v139 = Add_Rol(v139)
        v136 = Add_Rol(v136)
        v135 = Add_Rol(v135)
    for i in range(12):
        v167[i % 4] = (v167[i % 4] * v43) % P
        v163[i % 4] = (v163[i % 4] * v43) % P
        v168[i % 4] = (v168[i % 4] * v43) % P
        v158 = v158 * 0x7E3
        v157 = v157 * 0x7E3
        v160 = v160 * 0x7E3
        (v158, v157, v160) = sub_404860(v163[0], v167[0], v168[0], v158, v157, v160)
        (v158, v157, v160) = sub_404860(v163[1], v167[1], v168[1], v158, v157, v160)
        (v158, v157, v160) = sub_404860(v163[2], v167[2], v168[2], v158, v157, v160)
        (v158, v157, v160) = sub_404860(v163[3], v167[3], v168[3], v158, v157, v160)
    for i in range(4):
        v164[i] = (v164[i] * v44) % P
        v165[i] = (v165[i] * v44) % P
        v166[i] = (v166[i] * v44) % P
        v150 = v150 * 0xBD9
        v149 = v149 * 0xBD9
        v152 = v152 * 0xBD9
        (v150, v149, v152) = sub_404860(v165[0], v164[0], v166[0], v150, v149, v152)
        (v150, v149, v152) = sub_404860(v165[1], v164[1], v166[1], v150, v149, v152)
        (v150, v149, v152) = sub_404860(v165[2], v164[2], v166[2], v150, v149, v152)
        (v150, v149, v152) = sub_404860(v165[3], v164[3], v166[3], v150, v149, v152)
    for i in range(365):
        (v134, v133, v132) = sub_404860(v157, v158, v160, v158, v157, v160)
        v158 = Add_Rol(v158)
        v157 = Add_Rol(v157)
        v160 = Add_Rol(v160)
        (v158, v157, v160) = sub_404860(v133, v134, v132, v158, v157, v160)
        v158 = Add_Rol(v158)
        v157 = Add_Rol(v157)
        v160 = Add_Rol(v160)
        (v150, v149, v152) = sub_404860(v149, v150, v152, v150, v149, v152)
        v150 = Add_Rol(v150)
        v149 = Add_Rol(v149)
        v152 = Add_Rol(v152)
    v157 = v157 * 0x7E3
    v158 = v158 * 0x7E3
    v160 = v160 * 0x7E3
    # Check that (v158, v157, v160) satisfies the curve equation in inverted coordinates
    v137 = ((v158**2 + v157**2*0x7E3) * v160**2) % P
    v138 = (v158**2 * v157**2 + v160**2*0xBD9*v160**2) % P
    print("assert(v137 == v138) ", Hex(v137 - v138))
    print(Hex(v137))
    print(Hex(v138))
    v150 = v150 * 0xBD9
    v149 = v149 * 0xBD9
    v152 = v152 * 0xBD9
    # Same check for (v150, v149, v152)
    v137 = ((v150**2 + v149**2*0x7E3) * v152**2) % P
    v138 = (v150**2 * v149**2 + v152**2*0xBD9*v152**2) % P
    print("assert(v137 == v138) ", Hex(v137 - v138))
    print(Hex(v137))
    print(Hex(v138))
    v134 = v139*0x7E3 * (v158+v157+v160)
    v133 = v136*0x7E3 * (v158+v157+v160)
    v132 = v135*0x7E3 * (v158+v157+v160)
    v134 = Add_Rol(v134)
    v133 = Add_Rol(v133)
    v132 = Add_Rol(v132)
    (v158, v157, v160) = sub_404860(v133, v134, v132, v158, v157, v160)
    v158 = Add_Rol(v158)
    v157 = Add_Rol(v157)
    v160 = Add_Rol(v160)
    # Final comparison of the two points as projective points
    v137 = ((v158*v152 - (v150*v160)%P)*0x7E3)%P  # (v158*v152)%P == (v150*v160)%P
    v138 = ((v157*v152 - (v149*v160)%P)*0xBD9)%P  # (v157*v152)%P == (v149*v160)%P
    print("assert(v137 == 0) ", Hex(v137))
    print("assert(v138 == 0) ", Hex(v138))

sha1 = 0xac7fc2865d908c75fc6698c3b0aaa9cb89515185
sha2 = 0xa94a8fe5ccb19ba61c4c0873d391e987982fbbd3
sha3 = 0x047e8e0068522d9d32c36b28279759d657072e0d
key1 = 0x6789
key2 = 0xABCDEF223456789
key3 = 0xABCDE
sub_404E90(sha3, sha1, sha2, key3, key2, 0x13D00, 0x2507A)

# Assumed: sha1, sha2, sha3, key2, key3 and Hex are the ones defined in the script above
v162_P = 0x4EA28B61F4C3B12B0B544814578629410ECCF55A7
Const_0x7e3 = 0x7e3
Const_0xBD9 = 0xbd9
v163 = [0 for i in range(4)]
v167 = [0 for i in range(4)]
v168 = [0 for i in range(4)]
v164 = [0 for i in range(4)]
v165 = [0 for i in range(4)]
v166 = [0 for i in range(4)]
v163[0] = 0x0294F20E7B5DC2D408E4D05A35FACEB13D3DCF5C69
v163[1] = 0x006458A8D5AEEE40A2C95B667FC705F19112E17397
v163[2] = 0x0330A0818BC327794D974BA7AA8070AB6917482491
v163[3] = 0x02F5AE3DEC2A4D95E9E01A2B6D9F226162BBE2B3AD
v167[0] = 0x20190204
v167[1] = 0x20190506
v167[2] = 0x20190808
v167[3] = 0x20191108
v168[0] = 1
v168[1] = 1
v168[2] = 1
v168[3] = 1
v164[0] = 0x1DB0A6222242978D383FAC95B7CB3573F628D0FDA
v164[1] = 0x7C283613ABF06C423F887035C1FCA8BBDDADB548
v164[2] = 0x29500DBA9ECAB405C9D11DC067E01590BB5E1F514
v164[3] = 0x52653AAA31FE29A8C9209ED5FB3E164255C366900
v165[0] = 0x4E559F46B4ADF60BAC0BA565EB681C758955D1BB6
v165[1] = 0x96992ADA68A7FCCA696FA29EBFE066580AE2436AC
v165[2] = 0x13B396F4F22FDB14876E0405C02628E518BDA7161A
v165[3] = 0x84FA600452F0DE8E1A13BCB444918391525620758
v166[0] = 2 * 1
v166[1] = 2 * 2
v166[2] = 2 * 3
v166[3] = 2 * 4

def sub_404860(a1, a2, a3, a4, a5, a6):
    # Point addition in inverted coordinates with the constant factors removed
    P = v162_P
    v64 = a3 * a6 * (a2 * a4 - Const_0x7e3 * a1 * a5) * (a1 * a4 + a2 * a5)
    out3 = v64 % P
    v63 = (a2 * a4 * a1 * a5 - Const_0xBD9 * a3 * a6 * a3 * a6) * (a1 * a4 + a2 * a5)
    out2 = v63 % P
    v62 = (Const_0xBD9 * a3 * a6 * a3 * a6 + a2 * a4 * a1 * a5) * (a2 * a4 - Const_0x7e3 * a1 * a5)
    out1 = v62 % P
    return out1, out2, out3

def sub_404E90(sha3, sha1, sha2, k3, k2, const0x13D00):
    v139 = k3
    v136 = k2
    v135 = const0x13D00
    v158 = k3
    v157 = k2
    v160 = const0x13D00
    v150 = k3
    v149 = k2
    v152 = const0x13D00
    P = v162_P
    for i in range(0x439):
        (v158, v157, v160) = sub_404860(v136, v139, v135, v158, v157, v160)
    for i in range(0x4B7):
        (v150, v149, v152) = sub_404860(v136, v139, v135, v150, v149, v152)
    for i in range(12):
        (v158, v157, v160) = sub_404860(v163[0], v167[0], v168[0], v158, v157, v160)
        (v158, v157, v160) = sub_404860(v163[1], v167[1], v168[1], v158, v157, v160)
        (v158, v157, v160) = sub_404860(v163[2], v167[2], v168[2], v158, v157, v160)
        (v158, v157, v160) = sub_404860(v163[3], v167[3], v168[3], v158, v157, v160)
    for i in range(4):
        (v150, v149, v152) = sub_404860(v165[0], v164[0], v166[0], v150, v149, v152)
        (v150, v149, v152) = sub_404860(v165[1], v164[1], v166[1], v150, v149, v152)
        (v150, v149, v152) = sub_404860(v165[2], v164[2], v166[2], v150, v149, v152)
        (v150, v149, v152) = sub_404860(v165[3], v164[3], v166[3], v150, v149, v152)
    for i in range(365):
        # Left side: double, then add the original point (tripling); right side: double
        (tmpv134, tmpv133, tmpv132) = sub_404860(v157, v158, v160, v158, v157, v160)
        (v158, v157, v160) = sub_404860(tmpv133, tmpv134, tmpv132, v158, v157, v160)
        (v150, v149, v152) = sub_404860(v149, v150, v152, v150, v149, v152)
    print('v150', Hex(v150))
    print('v149', Hex(v149))
    print('v152', Hex(v152))
    tmp1 = ((v158 ** 2 + v157 ** 2 * Const_0x7e3) * v160 ** 2) % P
    tmp2 = (v158 ** 2 * v157 ** 2 + v160 ** 2 * Const_0xBD9 * v160 ** 2) % P
    print("assert(tmp1 == tmp2) ", Hex(tmp1 - tmp2))
    print(Hex(tmp1))
    print(Hex(tmp2))
    tmp1 = ((v150 ** 2 + v149 ** 2 * Const_0x7e3) * v152 ** 2) % P
    tmp2 = (v150 ** 2 * v149 ** 2 + v152 ** 2 * Const_0xBD9 * v152 ** 2) % P
    print("assert(tmp1 == tmp2) ", Hex(tmp1 - tmp2))
    print(Hex(tmp1))
    print(Hex(tmp2))
    tmp1 = ((v158 * v152 - (v150 * v160) % P) * Const_0x7e3) % P
    tmp2 = ((v157 * v152 - (v149 * v160) % P) * Const_0xBD9) % P
    print("assert(tmp1 == 0) ", Hex(tmp1))
    print("assert(tmp2 == 0) ", Hex(tmp2))

sub_404E90(sha3, sha1, sha2, key3, key2, 0x13D00)