原题连接:https://ctf.njupt.edu.cn/545.html
    直接上脚本,反正原理也不懂

    1. from pwn import *
    2. from Crypto.Util.number import *
    3. from gmssl import func, sm2
    5. import server
    7. r = remote("129.211.59.129", 20001)
    9. # context.log_level = 'debug'
    11. pk = int(r.recvline().split(b":")[1].decode(), 16)
    12. pks = int(r.recvline().split(b":")[1].decode(), 16)
    13. log.info(f"pk: {pk}")
    14. log.info(f"pks: {pks}")
    16. backdoor = b'0'*128 + b'1'
    17. r.sendlineafter(b"op: ", b"sign")
    18. r.sendlineafter(b"backdoor:", backdoor)
    19. sks = int(r.recvline(), 16)
    21. n = 115792089210356248756420345214020892766061623724957744567843809356293439045923
    23. # pks = (sk + 1) * sks ^ -1
    25. sk = inverse(pks * sks, n) - 1
    26. log.info(f"sk: {sk}")
    28. data = b'Hello, Welcome to ISCC2021!'
    29. e = int(data.hex(), 16)
    31. k = 2
    32. tsm2 = server.TSM2('0xdeadbeaf')
    33. P1_P2 = tsm2._kg(k, server.G)
    34. R = int(P1_P2[:64], 16) + e
    36. s = inverse(1+sk, n) * (k - R*sk) % n
    38. r.sendlineafter(b"op: ", b"verify")
    39. r.sendlineafter(b"msg:", data)
    40. r.sendlineafter(b"sign:", hex(R)[2:].zfill(64) + hex(s)[2:].zfill(64))
    42. r.interactive()

    拿到flag
    变异的SM2 - 图1