
闲题杂记2

·3576 words·17 mins

祥云ber secret_share #

下午来推了一半就出去吃东西去了😘😘

看了wp发现只要几个步骤串起来其实不难的,可能是因为我只会炼丹吧。。。

基本加解密:

enc

$E = g^e\mod p,V=g^v\mod p\ s = v+e(h2(E||V))$

$c = m*pk^{e+v}\mod p$

r_enc:

$E_- = g^{e\times skI\times dd} , V_-=g^{v\times skI\times dd}$

$E = g^{e},V=g^{v}$

$c = m\times (EV)^{skI}\mod p =m\times (E_-V_-)^{inv(dd,p-1)}\mod p$

这里拿到dd就可以搞解密了,解dd的前提是把encoder搞清楚

encoder当时没细看,其实变化写完了一看就很简单了

照着👴们的消元学习了

连续4次推得sk拿到随机出来的m可以得到

$mul={sk}^4\cdot dd_1\cdot dd_2\cdot dd_3\cdot dd_4 \bmod p$

$dd_i$是已知的,有些solve是域下开根

有些是神仙炫技直接 韦达定理 或者 费马大定理

拿到单独的sk后就可以搞事情了

EV都是已知,c也已知 直接算就🆗了

solve-step1

from Crypto.Util.number import *
from icecream import *
from hashlib import sha256
from gmpy2 import *
import libnum
from pwn import *
from libnum import *
def h2(m):
    """Return the SHA-256 digest of ``m`` read as a big-endian integer."""
    digest = sha256(m).digest()
    return int.from_bytes(digest, "big")

# Connect to a locally hosted instance of the challenge service.
io=remote('0.0.0.0',10001)


#1
# Menu option 1: read the line printed after the
# "Please take good care of it!" banner; it carries two hex values.
io.recvuntil('choice>')
io.sendline('1')
io.recvuntil('Please take good care of it!\n')
# Drop the wrapping characters and split on 'L,0x' to separate the two hex
# fields (the 'L' looks like a Python 2 long suffix -- confirm against the server).
pk_sk=io.recvuntil('\n')[:-1].decode()[2:-1].split('L,0x')
pk,sk=int(pk_sk[0],16),int(pk_sk[1],16)

#2
# Menu option 2: one re-encrypted share per entry of group_list; each round's
# plaintext is recovered and sent back before the next round starts.
io.recvuntil('choice>')
io.sendline('2')
# Modulus pp and generator g, hard-coded here (g is not used below).
pp, g = 0xb5655f7c97e8007baaf31716c305cf5950a935d239891c81e671c39b7b5b2544b0198a39fd13fa83830f93afb558321680713d4f6e6d7201d27256567b8f70c3, 0x85fd9ae42b57e515b7849b232fcd9575c18131235104d451eeceb991436b646d374086ca751846fdfec1ff7d4e1b9d6812355093a8227742a30361401ccc5577
group_list = [32, 64, 128, 256]
# Running product of the per-round dd values (divided out of `mul` in step 2).
DD=1
for group in group_list:
    io.recvuntil('The cipher shared to you\n')
    cc=int(io.recvuntil('L, ')[1:-3])
    new_cipher=[cc]
    # NOTE(review): eval() on text received from the network evaluates arbitrary
    # expressions; ast.literal_eval parses the same tuple/list literals without
    # executing code and is the safer choice even against a trusted test server.
    new_cipher+=eval(io.recvuntil(')\n')[:-2].decode().replace('L',''))
    c,E_,V_,s_=new_cipher

    io.recvuntil('prefix, encoder = ')
    # NOTE(review): same eval() concern as above.
    Enc2,prefix=pre_enc=eval(io.recvuntil('\n')[:-1].decode().replace('L',''))
    prefix=int(prefix,16)
    # Recompute the constant term from the known sk: -(prefix^sk) mod pp.
    encoder=[1,(-pow(prefix,sk,pp)) %pp]
    prefix = long_to_bytes(prefix).rjust(64, b'\x00')

    # Fold the received coefficients with that constant, alternating signs,
    # to recover r (the elimination the write-up refers to).
    ml=[1]
    for i in range(len(Enc2)):
        ml.append((ml[-1]*encoder[-1]+Enc2[i]*(-1)**(i+1))%pp)
    r=-ml[-1]%pp
    # dd is the hash of the two 64-byte fields with its lowest bit forced to 1.
    dd = h2(prefix + long_to_bytes(r).rjust(64, b'\x00')) | 1
    DD*=dd
    # Per the write-up's r_enc formula: m = c / (E_*V_)^(dd^-1 mod (pp-1)) mod pp.
    d=libnum.invmod(dd,pp-1)
    tmp=E_*V_%pp
    xx=pow(tmp,d,pp)
    m=c*libnum.invmod(xx,pp)%pp
    io.send(hex(m)[2:])
# After the four rounds the service prints one more hex value, stored as `mul`.
io.recvuntil('You are a clever boy! Now I can share you some other information!\n0x')
mul=int(io.recvuntil('\n')[:-2],16)


# Debug-print the accumulated dd product and the value returned by the service;
# both are pasted into step 2 by hand.
ic(DD)
ic(mul)

#3
# Menu option 3: read one more ciphertext tuple (presumably the one that
# step 3 decrypts -- the values are copied over manually).
io.recvuntil('choice>')
io.sendline('3')
cc=int(io.recvuntil('L, ')[1:-3])
cipher=[cc]
# NOTE(review): eval() on network input; ast.literal_eval is the safer parser.
cipher+=eval(io.recvuntil(')\n')[:-2].decode().replace('L',''))
ic(cipher)

solve-step2

from gmpy2 import *
io=0xb5655f7c97e8007baaf31716c305cf5950a935d239891c81e671c39b7b5b2544b0198a39fd13fa83830f93afb558321680713d4f6e6d7201d27256567b8f70c3
D=15987058835088036058838351739905403758810826722245822649290306549906899936826738229650730140126509371862930340608846190807298868677166971678478129606238898364288362139315516922003581996769819030117310508402522153899137933429897987557331966070437119010259514160059698255241259153692392463260794449949596746727
mul=7194716155235037744823597029059822446255314248196377746260315999958188811928743123657567494196521690514320209430663462342437059567384744437239548754416135
# Divide the dd product D out of mul; per the write-up mul = sk^4 * dd_1..dd_4,
# so c should equal sk^4 modulo the group modulus.
# NOTE(review): `io` holds the modulus here (same value as pp in step 1), not a
# connection object.
# NOTE(review): libnum is not imported in this snippet (only gmpy2 is) --
# confirm it is already loaded in the session.
c=mul*libnum.invmod(D,io)%io
e=4
# Solve x^4 = c over Zmod(io); every root is a candidate for sk.
R.<x> = Zmod(io)[]
f = x ^ e- c
f = f.monic()
res1 = f.roots()
print(res1)

solve-step3

from Crypto.Util.number import *
from gmpy2 import *
pp=0xb5655f7c97e8007baaf31716c305cf5950a935d239891c81e671c39b7b5b2544b0198a39fd13fa83830f93afb558321680713d4f6e6d7201d27256567b8f70c3
sk=3415391405045794570454819264678842883406589094879440924771251075986414212665514615692960890299627279215019657097231396800926908716766924569917256830117771
cipher=[1452085683981538837849557434841689674477096081702343000869186835544808468459192026693029532721465657214194362000756249662047209552808256166535501585736401, 9299317806552199012103361766715291248186887467752322286719294121971787657296205598139365760833959784768412272593061318430853065277862724140493914797711689, 9287316455075844376168558534606543590293095721271733423230961724912040658757071778242087450272981713664977773510705690081763692753388091475741636185572383, 229110517869350912236518454062717456777603700368163296438479618211042488031942897036793380693680124455343059560507824269299022538059530971380675264277197]
# Unpack the ciphertext tuple (c, E, V, s); s is not used below.
c,E,V,s=cipher
# Decrypt with the recovered sk: m = c * ((E*V)^sk)^-1 mod pp.
xx=E*V%pp
# NOTE(review): libnum is not imported in this snippet -- confirm it is loaded.
m=c*libnum.invmod(pow(xx,sk,pp),pp)%pp
print(long_to_bytes(m))
#flag{504d0411-6707-469b-be31-9868200aca95}

学到很多

蓝帽ber final #

https://github.com/ljahum/crypto-challenges/tree/main/%E8%93%9D%E7%8C%AB2021/final/twoBytes

twobyte #

二分法

传入$C\times padding^e$

利用高位的two bytes判断 $M\times padding$ 和 $2^{496}$ 的大小关系(512-16=496)

利用二分法查找padding的值

查找约1000+次可以恢复secret

solve #

from subprocess import run
from Crypto.Util.number import long_to_bytes
from icecream import *
from pwn import *
import re

from pwnlib.util.iters import pad
def b2s(s):
    """Return ``s`` unchanged when it is exactly a ``str``; otherwise decode it."""
    return s if type(s) == str else s.decode()

def CatNum(txt):
    """Return every run of ASCII digits found in ``txt`` (str or bytes) as strings."""
    digit_runs = re.compile(r'[0-9]+')
    return digit_runs.findall(b2s(txt))



def dec(n):
    """Submit ``n`` through menu option 1 and return the reply line without its newline.

    Uses the module-level connection ``io`` and echoes both prompts to stdout.
    """
    exchange = (('Your choice: ', '1'), ('Your cipher: ', str(n)))
    for prompt, answer in exchange:
        print(io.recvuntil(prompt))
        io.sendline(answer)
    return io.recvline()[:-1]
def bigger(mid,c):
    """Return True when the service's reply for ``c * mid**e mod n`` is not b'0000'.

    Reads the module-level ``e`` and ``n`` and costs one query to the service.
    """
    probe = (c*pow(mid,e,n))%n
    print(probe)
    m = dec(probe)
    # Keep the name `m`: icecream prints the argument expression in its output.
    ic(m)
    return m != b'0000'


# Connect to a locally hosted instance of the challenge service.
io=remote('0.0.0.0',10001)
# print(io.recv(1024))
# Answer 'n' to the PKCS1 prompt.
io.recvuntil('PKCS1_v1_6?(y/n)')
io.sendline('n')
# The next three lines carry e, n and c; take the first digit run of each.
e = int(CatNum(io.recvline())[0])
n = int(CatNum(io.recvline())[0])
c = int(CatNum(io.recvline())[0])
ic(e,c,n)

'''估算padding范围
padding = 1
h = 0
for i in range(512):
    tmp1 = pow(padding,e,n)
    ic(tmp1)
    tmp = (c*tmp1)%n
    print(tmp)
    ic(padding)
    m = dec(tmp)
    ic(m,i)
    if(m!=b'0000'):
        h=i
        input()
        break
    padding *= 2

'''


# pad=240~260
# Lower and upper bounds of the binary search over the multiplier.
pl = 2**200
ph = 2**496
mid= (pl+ph)//2
# Wait for Enter before starting the query loop.
input()
# Each iteration spends one decryption query; the service's two-byte reply is
# the only feedback. A service that returned no part of the decrypted value
# would give this loop nothing to bisect on.
for i in range(512):
    # tmp = m*mid
    # ic(tmp-n)
    if(bigger(mid,c)==True):
        ph=mid-1
        mid = (mid+pl)//2
    else:
        pl=mid+1
        mid  =(mid+ph)//2
    # print(mid)
    # input()
ic(mid)
# NOTE: n is rebound here from the RSA modulus to 2**496; bigger() must not be
# called after this line.
n=2**496
# The secret is estimated as 2**496 // mid.
s =n//mid
secret = long_to_bytes(s)
ic(secret)
ic(secret.hex())
# Menu option 2: submit the recovered secret in hex and print the reply.
print(io.recvuntil('Your choice: '))
io.sendline('2')
io.sendline(secret.hex())
sleep(0.5)
print(io.recv(1024))
b'Your choice: '
b"You know my secret? (in hex): b'flag{ba1f2511fc30423bdbb183fe33f3dd0f}'\n"
[*] Closed connection to 0.0.0.0 port 10001
  /mnt/c/U/16953/Desktop/twoBytes took  11s at  11:38:42 AM

document for 5th space2021 #

唯一有点意思的找最短向量问题(SVP)听说被一堆非预期打烂了,能找到的wp全是非预期(笑🤣 感觉不如。。。。画质

ECC #

三段ECC的套娃,一看就是找老年赛棍出的缝合题,记了没用 不记又不行

Task

print 'Try to solve the 3 ECC'

from secret import flag
from Crypto.Util.number import *
# Check the prefix, then drop "flag{" and the last character (presumably the
# closing brace).
assert(flag[:5]=='flag{')
flag = flag[5:-1]
# Split the remaining text into three chunks; each becomes the secret scalar
# for one of the three curves.
num1 = bytes_to_long(flag[:7])
num2 = bytes_to_long(flag[7:14])
num3 = bytes_to_long(flag[14:])

def ECC1(num):
    # Publish the curve, a random point P and Q = num*P.
    # NOTE(review): the field modulus has only 18 decimal digits, far below the
    # size at which discrete logarithms are hard; the write-up's stage 1 solves
    # it directly with Sage's discrete_log.
    p = 146808027458411567
    A = 46056180
    B = 2316783294673
    E = EllipticCurve(GF(p),[A,B])
    P = E.random_point() 
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q
    print 'Q:',Q

def ECC2(num):
    # Publish the curve, a random point P and Q = num*P.
    p = 1256438680873352167711863680253958927079458741172412327087203
    #import random
    #A = random.randrange(389718923781273978681723687163812)
    #B = random.randrange(816378675675716537126387613131232121431231)
    A = 377999945830334462584412960368612
    B = 604811648267717218711247799143415167229480
    E = EllipticCurve(GF(p),[A,B])
    P = E.random_point() 
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q
    # NOTE(review): everything below factors the group order, solves the
    # discrete log in each small subgroup and prints `num` itself. It looks like
    # the author's self-check left in the task file -- confirm it was not part of
    # what players were served.
    factors, exponents = zip(*factor(E.order()))
    # All prime-power factors of the order except the last (largest) one.
    primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]
    print primes
    dlogs = []
    for fac in primes:
        t = int(int(P.order()) / int(fac))
        dlog = discrete_log(t*Q,t*P,operation="+")
        dlogs += [dlog]
        print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order
    print num
    print crt(dlogs,primes)



def ECC3(num):
    # Publish the curve, a random point P and Q = num*P.
    # NOTE(review): the write-up's stage 3 treats this curve as one whose order
    # equals p; checking the group order when curve parameters are chosen rules
    # such curves out.
    p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
    A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
    B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
    E = EllipticCurve(GF(p),[A,B])
    P = E.random_point() 
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q

# Run the three stages in order, one flag chunk each, with a separator line
# between their outputs.
ECC1(num1)
print '=============='
ECC2(num2)
print '=============='
ECC3(num3)

stage1 #

很明显给的这几个数很小,用sage自带的离散对数求解三件套梭一遍得到答案

# Curve parameters copied from ECC1 in the task file.
p = 146808027458411567
A = 46056180
B = 2316783294673
E = EllipticCurve(GF(p),[A,B])
# P and Q as coordinates on that curve (presumably the values the task printed).
P = E(119851377153561800,50725039619018388) 
Q = E(22306318711744209, 111808951703508717) 
# Sage's generic additive discrete log; feasible because the group is small.
n = discrete_log(Q, P, operation='+') 
print(n)
# 13566003730592612

stage2 #

考烂的CRT in ECC知识点

一般特征是E.order()分解出来的素因子有问题:前面的因子都不大,后面有一个很大的因子

同时你还可以知道n其实也不是太大,E.order()就是ECC的阶,意思就是这整个ECC的曲线上一共有多少个不同的离散的点

refer:

p = 1256438680873352167711863680253958927079458741172412327087203
a = 377999945830334462584412960368612
b = 604811648267717218711247799143415167229480
gx = 550637390822762334900354060650869238926454800955557622817950
gy = 700751312208881169841494663466728684704743091638451132521079

px = 1152079922659509908913443110457333432642379532625238229329830
py = 819973744403969324837069647827669815566569448190043645544592

# Rebuild the curve, the base point G and the public point QA from the
# parameters above.
E = EllipticCurve(GF(p), [a, b])
G = E(gx, gy)
n = E.order()
QA = E(px, py)

# Prime factorisation of the group order as (prime, exponent) pairs.
factors = list(factor(n))
m = 1
moduli = []
remainders = []

print(f"[+] Running Pohlig Hellman")
print(factors)

for i, j in factors:
    # Stop at the first prime factor above 10**9; only the small prime powers
    # before it are used.
    if i > 10**9:
        print(i)
        break
    mod = i**j
    # Project both points into the subgroup of order `mod` and solve there.
    g2 = G*(n//mod)
    q2 = QA*(n//mod)
    r = discrete_log(q2, g2, operation='+')
    remainders.append(r)
    moduli.append(mod)
    m *= mod


# CRT gives the scalar modulo m, the product of the small prime powers. That is
# the full secret only if the secret is smaller than m (the write-up notes the
# scalar is "not too large") -- verify against Q.
r = crt(remainders, moduli)
print(r)
# 16093767336603949
# 9-2521-

stage3 #

E.order() = p的时候 可以用一个叫做SMART攻击的操作

去年学的时候见到过,但换电脑搞没了,索性再记录一遍

p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
E = EllipticCurve(GF(p),[A,B])
P = E(10121571443191913072732572831490534620810835306892634555532657696255506898960536955568544782337611042739846570602400973952350443413585203452769205144937861,8425218582467077730409837945083571362745388328043930511865174847436798990397124804357982565055918658197831123970115905304092351218676660067914209199149610)
Q = E(964864009142237137341389653756165935542611153576641370639729304570649749004810980672415306977194223081235401355646820597987366171212332294914445469010927,5162185780511783278449342529269970453734248460302908455520831950343371147566682530583160574217543701164101226640565768860451999819324219344705421407572537)
def SmartAttack(P,Q,p):
    # Return k with Q = k*P for points on a curve over GF(p).
    # Per the write-up this applies only when the curve order equals p, so
    # checking the group order when selecting curve parameters is the defence.
    E = P.curve()
    # Lift the curve to the p-adic field Qp (precision 2), adding a random
    # multiple of p to each coefficient.
    Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ])

    # Lift P by its x-coordinate and keep the candidate whose y reduces to P's y.
    # NOTE(review): the loop variable is used after the loop; if no candidate
    # matches, the last one is used silently.
    P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True)
    for P_Qp in P_Qps:
        if GF(p)(P_Qp.xy()[1]) == P.xy()[1]:
            break

    # Same for Q.
    Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True)
    for Q_Qp in Q_Qps:
        if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]:
            break

    # Multiply both lifts by p.
    p_times_P = p*P_Qp
    p_times_Q = p*Q_Qp

    x_P,y_P = p_times_P.xy()
    x_Q,y_Q = p_times_Q.xy()

    # Take -(x/y) of each point; the ratio of the two values is returned as an
    # integer.
    phi_P = -(x_P/y_P)
    phi_Q = -(x_Q/y_Q)
    k = phi_Q/phi_P
    return ZZ(k)


# Recover the stage-3 scalar from the P and Q defined above and print it.
r = SmartAttack(P, Q, p)
print(r)
# 19597596255129283097357413993866074145935170485891892
# 4a81-9957-8c3381622434

Document for 东华ber2021 #

py大赛 诸神黄昏,依旧是抽一中午午休记一下题

Thersa #

又是一个考烂的水题

src

from Crypto.Util.number import*
from hashlib import sha256
import socketserver
import signal
import string
import random
from secret import flag

# Alphabet for the proof-of-work string.
table = string.ascii_letters+string.digits
# The flag is encrypted as one integer, so it must be smaller than every modulus.
flag = bytes_to_long(flag)

# Menu text sent to the client on every loop iteration.
MENU = br'''[+] 1.Get Encrypt:
[+] 2.Exit:
'''

class Task(socketserver.BaseRequestHandler):
    # Per-connection handler: proof of work first, then a menu that returns RSA
    # encryptions of the flag under freshly generated moduli.
    def _recvall(self):
        # Read until one recv() returns fewer than BUFF_SIZE bytes, then strip
        # surrounding whitespace.
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) < BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        # Best-effort send: every exception, including a dropped connection,
        # is swallowed by the bare except.
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)
        except:
            pass

    def recv(self, prompt=b'[-] '):
        # Show the prompt without a newline, then read the client's reply.
        self.send(prompt, newline=False)
        return self._recvall()

    def proof_of_work(self):
        # The client receives the last 16 of 20 random characters plus the
        # SHA-256 of all 20, and must send back the missing first 4.
        proof = (''.join([random.choice(table)for _ in range(20)])).encode()
        sha = sha256( proof ).hexdigest().encode()
        self.send(b"[+] sha256(XXXX+" + proof[4:] + b") == " + sha )
        XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :')
        if len(XXXX) != 4 or sha256(XXXX + proof[4:]).hexdigest().encode() != sha:
            return False
        return True

    def EncRy(self):
        # A new modulus from two 512-bit primes on every call, but e is derived
        # from the connection-wide self.d, so every (e, n, c) tuple handed out on
        # this connection shares one private exponent.
        p,q = getPrime(512),getPrime(512)
        n = p * q
        phi = (p - 1) * (q - 1)
        e = inverse(self.d, phi)
        c = pow(flag, e, n)
        return(e,n,c)

    def handle(self):
        # Arm a 60-second alarm for the whole session.
        signal.alarm(60)
        if not self.proof_of_work():
            return
        self.send(b"Welcome to my RSA!")
        # One private exponent per connection: a prime of 435 or 436 bits, well
        # under half the size of the moduli built in EncRy. Reusing it across
        # moduli is the weakness the write-up exploits; an independent key pair
        # per modulus with a fixed public exponent avoids it.
        self.d = getPrime(random.randint(435, 436))

        while 1:
            self.send(MENU)
            self.send(b"Now!What do you want to do?")
            option = self.recv()
            if option == b'1':
                self.send(str(self.EncRy()).encode())
            else:
                break

        self.request.close()

class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    """TCP server whose ThreadingMixIn base handles each connection in a thread."""

class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    """TCP server whose ForkingMixIn base handles each connection in a child process."""

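if __name__ == "__main__":
    # NOTE: '0.0.0.0' listens on every interface; use '127.0.0.1' when the
    # service is only meant for local testing.
    HOST, PORT = '0.0.0.0', 10004
    print("HOST:POST " + HOST+":" + str(PORT))
    # TCPServer binds inside its constructor and reads allow_reuse_address at
    # that point, so the flag has to be set on the class before instantiation;
    # assigning it on the instance afterwards has no effect.
    ForkedServer.allow_reuse_address = True
    server = ForkedServer((HOST, PORT), Task)
    server.serve_forever()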

所有的密文都是通过 $d$ 去产生实现的,common private key 攻击

refer:

根据实际情况应该是可以获取$N$组

再照着样例

改改参数大小使其满足题目要求和论文给的范围即可

solve #
#sagemath
from Crypto.Util.number import *
from gmpy2 import iroot
e1,n1,c1=(42930516866813661342965746223080520747639541783178165319930798466029922118238472375394025163017796792784301240279788973937514266651107411418409008126879890591634663600650622272276047586523991529128830751549916767006347857754606279093837920255744001556692088644997689518547315534397835105708024032114104233381, 77791057667316752688491344909349631143733665781985333450578141862483326292146944912417154290062439390262044781769179125790833684914883275144238169619259170245799297149721759503884049470266984858779855785527134093827380541390671671421065142834758715718012985245418556303458870683285396736465075774918756943849, 27391282824232696321494182390733866553767929957526280387298565758936575846502788790274502139115326807546265156509536800727262991966913839267428385697513824611497066201158201419561518562486879276509945503450941372856450148181065616319630297566761526958666976256485612007573889257294374864202830099675167224618)
e2,n2,c2=(19018427406275508266725318182604693048036959850117857989040747866263767206396699322550948080332092809132375761217132996919018670944100226583113345224541762253472497934634295339952030040768111601599444464038423922436192382234875739639531699502158126381323466372283051777517214602215819494796932567681821951661, 79650072081042322662491093415989067423342888043380140123956989961183485888095357404757819859263343837741065918473041502132392064045360290315160760995892876549211580451883428599900857896989098491504167023490425266678783550124590746460833416198860457961338080633882718390420924183342764921882749848062331837157, 47371054845953307458071281584547821822800567401012561479295024891414125620585367467768382853051493673297474227621983913977611690329004811247719468085248653560735761224575841708898687339051979667968682445741679494814049520035089826802489552786717808162007554429409373562206869161512981004103668781786261071642)
e3,n3,c3=(56543738058355787650458463296434379628548490866377456720748305513368031407432713681493384526759984858874833739323541806113831186630548095096957902346105190080635673052132358289744367039154224900185478860894300958278206372821874050674031918453348499825234769506256225325221089605204424199863739802675837768205, 79745878045239534073349506401894614077391259818245570439963094062152853043757431813193065050329923218395626939202508409314449221246402655169069682907439636880572885333431797158404833511447487493689075229003167933950464179409482597295179818105362744282535280033320439360295379327350145598779754591726149053127, 8406272869509814810291187732784177513812310985481896410437026715571367365909106171597609902128681517191154832846694541582315046341089395251486352127008536629880180333790535980063006233315170237788757595367545197059456798192233574190206607791108247915315239293315856045620536743732064060419019383653017754432)
e4,n4,c4=(7084543689346197121827870073257673792657047196994323608218552636377497641605010832530473677981880825830062575269956770329035892637961925305684535520357897676757195804280616332451896105146968442795337854851958165225390355543144975973394614878012047483478453541789213191489356453542050105788672267671186622349, 84193779290507365404703859402732143439109001210124769414375603074891153195964512465635919253078833439745459555371587096356222637979782540883867956964113419688015746698472168356238337484900265019835855499846392509934587316309130977694018626484013012355408173625138875013785514921191427955103949196185104270953, 57188209081624431651145335231083235968076151504975133709205719008833316979899965113559550632823577949531094733328627686996343950189156687337540064474041791342122016380351392782138752676861412964076387375179224936788921872659232295048921383561342206164767267043862968315447568792822076799329961025512641107246)
e5,n5,c5=(42832642928335275352734567465034497040617823999922718556444541540637575945318881858516365030723712293566938969239323128990546490351954020139702168583195387467822779475617077682710213996418869245088581793014583647801408719774140042233362914483058594181044708264940880873371340427513033621237883600041744259821, 100914764703986796503524746926824107407478498950896766954709765945739896574588237451261683044947676026816706250675210414995572771552251740398776761522312876711308663303631592599847201703544166011694904414367791567937596616962437750298179607007543994344224571625128530174980427056520743554240699599606017732453, 21119798060505043638458066841637396779462197838711219768901795233508035124251444985142140372296435557972489164083922904128749582124708137219016012302886951596946166275929450048887248788479585841059063956921630092232393741155010454512377332292347344811575552765907485744387780176768333870372377008256136186807)
e6,n6,c6=(92302858091592048530164341892874939881833483518095068563859833484262743798872223903571012516471302801063982503961657026303472815350321491051234131656128422061238653211376015684800612577226731646341043305151595034538237258802687294046312571159904343739248977644957644677771388548256577367489970379574172464797, 117679207537303828303181692131284163456980142622326819854887578740836701695007074712199364783113450072522001526705110176578644797269399966145551464701075583136732122232247312391436901027876012971338176518412247421456590394727819899354372288058334724615114926953982773216858342784870874502568283116049857599697, 694728970163274338952272545132120395722399912878027385515433411574332882874655233664187165540396449753083157039600465154030742189987900065124001404191085619372639241055402339355981737758090185934672051842827196968679043511560501886410676350912217561099905662581686696249610217183042166978654689061472935255)
e7,n7,c7=(107958832210740007280315466139290077026935359625782760172740000594364460869128124940009236566874443252250812468875065019322671201219651761405497245501179554045401769228061173131905805679002507830926816675819378142336365243119257538909791638758850962854709130774816448647965771903108760260693930942445832581613, 124514631670412396955583333186310036282392256402221528788219590875160132086163249366732298557562280446982290995056571347900001555142302304165284003543211879382117786568833925378625035366897845326134848510307881296792070242801270087606140027163068970890264029919788362871312210162525628755395528824620664275981, 122802204066940916090785459557228909264312462241661083272739613123469038467287559936112649653314041478655145859464338716094314561339632033669065696677349425900229495594900454878607113262204411164149182327233978867883052370242620750529133958835635598563284037235210030872798337887481034016325891031269539006959)
e8,n8,c8=(93032879096884833976354856506992993862316449685244948137669996162571278621479404733170084750947866321488473290655001676203288675188640293830346141700535957251408373865922564197265494466697836691672035371673758770683433485891640334014710181418750508413205768593981082149070901287189919968858883490943111987181, 126814261604881133528727989048158217150888497288150533655112145843950045425282139821602599229665745129453799945609742281626549287640177663087578340721569938344685390347348772958990014616194819409373556039354672378457009008450988307789399181204535224407248419395946571885338535639198634359608298711433536942733, 95330490027741440826424434337219961367405797139516869535055648011514837588374299753114991801669135223731470401046346436845011624597842223950760050976711965720535288001750040424144530196787933771814541562581236974965361143703635725068380670591839954283253531181890717506164459934317393787888216914582168459996)
# Integer square root of the eighth modulus, used to scale the first column.
sqrn8=iroot(n8,2)[0]
# Lattice basis: first row [sqrn8, e1..e8], then one row per modulus with -n_i
# on the diagonal. With a shared d, d*(first row) + sum(k_i * row_i) is a short
# vector (d*sqrn8, d*e1 - k1*n1, ...).
M=[
    [sqrn8,e1,e2,e3,e4,e5,e6,e7,e8],
    [0,-n1,0,0,0,0,0,0,0],
    [0,0,-n2,0,0,0,0,0,0],
    [0,0,0,-n3,0,0,0,0,0],
    [0,0,0,0,-n4,0,0,0,0],
    [0,0,0,0,0,-n5,0,0,0],
    [0,0,0,0,0,0,-n6,0,0],
    [0,0,0,0,0,0,0,-n7,0],
    [0,0,0,0,0,0,0,0,-n8]
]
M=matrix(ZZ,M)
M=M.LLL()
# Normalise the sign so the first entry of the reduced first row is positive.
if M[0][0]<0:
    M=-M
# First entry is d*sqrn8, second is t1 = d*e1 - k1*n1.
d,t1=M[0][0]//sqrn8,M[0][1]
k1=(d*e1-t1)//n1
# From e1*d = 1 + k1*(n1 - (p+q) + 1) this works out to s1 = -(p+q), which is
# why abs() is applied to the roots below.
s1=(t1-1)//k1-1
var('x')
F=x^2-s1*x+n1
p,q=F.roots()[0][0],F.roots()[1][0]
p,q=abs(p),abs(q)
# NOTE: d is rebound here, recomputed from the recovered factors of n1.
d=inverse_mod(Integer(e1),(Integer(p)-1)*(Integer(q)-1))
print(long_to_bytes(pow(c1,d,n1)))
#b'flag{338f4482-4f11-496c-a0d7-b06df53f79c5}'

BlockEncrypt #

原文给了个pyc,但是复盘就懒得解包了捏

src

from Crypto.Util.number import*
from Crypto.Cipher import AES
from secret import flag
from my_encrypt import block_encrypt
from hashlib import sha256
import socketserver
import signal
import string
import random
import os

# Alphabet for the proof-of-work string.
table = string.ascii_letters+string.digits

# Menu text sent to the client on every loop iteration.
MENU = br'''[+] 1.Encrypt the Flag:
[+] 2.Encrypt your Plaintext:
[+] 3.Exit:
'''

def pad(m):
    """Append 1-16 bytes, each equal to the pad length, so len(result) % 16 == 0."""
    fill = 16 - len(m) % 16
    return m + bytes([fill]) * fill

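def xor(msg1,msg2):
    """Return the byte-wise XOR of two equal-length byte strings.

    The result always has the same length as the inputs. Converting through
    integers (bytes_to_long / long_to_bytes) drops leading zero bytes, so the
    output could come back shorter than the inputs.

    Raises:
        AssertionError: if the two inputs differ in length.
    """
    assert len(msg1)==len(msg2)
    return bytes(x ^ y for x, y in zip(msg1, msg2))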

class Task(socketserver.BaseRequestHandler):
    # Per-connection handler: proof of work first, then a menu that encrypts
    # either the flag or client-supplied plaintext with block_encrypt.
    def _recvall(self):
        # Read until one recv() returns fewer than BUFF_SIZE bytes, then strip
        # surrounding whitespace.
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) < BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        # Best-effort send: every exception, including a dropped connection,
        # is swallowed by the bare except.
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)
        except:
            pass

    def recv(self, prompt=b'[-] '):
        # Show the prompt without a newline, then read the client's reply.
        self.send(prompt, newline=False)
        return self._recvall()

    def proof_of_work(self):
        # The client receives the last 16 of 20 random characters plus the
        # SHA-256 of all 20, and must send back the missing first 4.
        proof = (''.join([random.choice(table)for _ in range(20)])).encode()
        sha = sha256( proof ).hexdigest().encode()
        self.send(b"[+] sha256(XXXX+" + proof[4:] + b") == " + sha )
        XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :')
        if len(XXXX) != 4 or sha256(XXXX + proof[4:]).hexdigest().encode() != sha:
            return False
        return True


    def enc_msg(self,msg):
        # Pad to a multiple of 16 bytes and encrypt under the connection's key
        # and iv; both are the same for every call on this connection.
        return block_encrypt(pad(msg),self.key,self.ivv)

    def handle(self):
        # Arm a 50-second alarm for the whole session.
        signal.alarm(50)
        if not self.proof_of_work():
            return
        # key and iv are drawn once per connection and reused for every message.
        # Options 1 and 2 therefore encrypt under identical parameters, which is
        # the keystream reuse the write-up describes; a fresh iv per message
        # removes it.
        self.ivv = os.urandom(16)
        self.key = os.urandom(16)
        while 1:
            self.send(MENU,newline = False)
            option = self.recv()

            if (option == b'1'):
                self.send(b"My Encrypted flag is:")
                self.send(self.enc_msg(flag))

            elif option == b'2':
                self.send(b"Give me Your Plain & I'll give you the Cipher.")
                plaintext = self.recv()
                self.send(b'PlainText:' + plaintext + b'\nCipherText:' + self.enc_msg(plaintext))
            else:
                break
        self.send(b"\n[.]Down the Connection.")
        self.request.close()

class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    """TCP server whose ThreadingMixIn base handles each connection in a thread."""

class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    """TCP server whose ForkingMixIn base handles each connection in a child process."""

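if __name__ == "__main__":
    # NOTE: '0.0.0.0' listens on every interface; use '127.0.0.1' when the
    # service is only meant for local testing.
    HOST, PORT = '0.0.0.0', 10004
    print("HOST:POST " + HOST+":" + str(PORT))
    # TCPServer binds inside its constructor and reads allow_reuse_address at
    # that point, so the flag has to be set on the class before instantiation;
    # assigning it on the instance afterwards has no effect.
    ForkedServer.allow_reuse_address = True
    server = ForkedServer((HOST, PORT), Task)
    server.serve_forever()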

api my_encrypt.py

from Crypto.Util.number import *
Sbox = (
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
)

InvSbox = (
    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
    0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
    0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
    0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
    0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
    0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
    0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
    0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
    0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
    0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
    0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D,
)

def xc(a):
    """Double byte ``a``, XORing in 0x1B and masking to 8 bits when its top bit is set."""
    doubled = a << 1
    if a & 0x80:
        return (doubled ^ 0x1B) & 0xFF
    return doubled

R = (
    0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40,
    0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A,
    0x2F, 0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A,
    0xD4, 0xB3, 0x7D, 0xFA, 0xEF, 0xC5, 0x91, 0x39,
)

def t2m(text):
    """Split the low 128 bits of ``text`` into a 4x4 list of bytes.

    Bytes are taken most-significant first and grouped four at a time, so
    entry [i][j] is byte number 4*i + j of the 16-byte block.
    """
    value = bytes_to_long(text)
    flat = [(value >> (8 * (15 - pos))) & 0xFF for pos in range(16)]
    return [flat[start:start + 4] for start in range(0, 16, 4)]


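def m2t(matrix):
    """Pack a 4x4 matrix of byte values into a 16-byte string (inverse of t2m).

    The output is always exactly 16 bytes. long_to_bytes() without a block size
    drops leading zero bytes, so a block whose first byte is 0x00 would come
    back 15 bytes long and later fail the length check in xor().
    """
    packed = 0
    for row in range(4):
        for col in range(4):
            # Entry [row][col] is byte 4*row + col, most significant byte first.
            packed |= (matrix[row][col] << (120 - 8 * (4 * row + col)))
    return packed.to_bytes(16, "big")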


class myAES:
    # AES-128-style block cipher built on the Sbox, R and xc helpers above.
    # NOTE(review): the last round in encrypt() differs from standard AES (see
    # the note there), so output will not match a standard AES implementation.
    def __init__(self, MasterKey):
        # Expand the round keys immediately.
        self.ChangeKey(MasterKey)

    def ChangeKey(self, MasterKey):
        # Key schedule: start from the key as four 4-byte words and extend the
        # list to 44 words.
        self.RoundKeys = t2m(MasterKey)
        # print self.RoundKeys

        for i in range(4, 4 * 11):
            self.RoundKeys.append([])
            if i % 4 == 0:
                # First word of a round key: previous word rotated by one byte
                # through the S-box, XORed with the word four back, plus the
                # round constant on the first byte.
                byte = self.RoundKeys[i - 4][0]        \
                     ^ Sbox[self.RoundKeys[i - 1][1]]  \
                     ^ R[i // 4]
                self.RoundKeys[i].append(byte)

                for j in range(1, 4):
                    byte = self.RoundKeys[i - 4][j]    \
                         ^ Sbox[self.RoundKeys[i - 1][(j + 1) % 4]]
                    self.RoundKeys[i].append(byte)
            else:
                # Other words: XOR of the word four back and the previous word.
                for j in range(4):
                    byte = self.RoundKeys[i - 4][j]    \
                         ^ self.RoundKeys[i - 1][j]
                    self.RoundKeys[i].append(byte)

        # print self.RoundKeys

    def encrypt(self, plaintext):
        # Encrypt one block and return it as bytes via m2t().
        self.plain_state = t2m(plaintext)

        # Initial round-key addition.
        self.__add_round_key(self.plain_state, self.RoundKeys[:4])

        # Nine full rounds.
        for i in range(1, 10):
            self.__round_encrypt(self.plain_state, self.RoundKeys[4 * i : 4 * (i + 1)])

        # Final round.
        # NOTE(review): __sub_bytes is applied twice here; standard AES applies
        # it once in the last round. Presumably deliberate for the challenge --
        # confirm.
        self.__sub_bytes(self.plain_state)
        self.__shift_rows(self.plain_state)
        self.__sub_bytes(self.plain_state)
        self.__add_round_key(self.plain_state, self.RoundKeys[40:])

        return m2t(self.plain_state)

    def __add_round_key(self, s, k):
        # XOR the 4x4 round key k into state s in place.
        for i in range(4):
            for j in range(4):
                s[i][j] ^= k[i][j]

    def __round_encrypt(self, state_matrix, key_matrix):
        # One full round: substitute, shift rows, mix columns, add round key.
        self.__sub_bytes(state_matrix)
        self.__shift_rows(state_matrix)
        self.__mix_columns(state_matrix)
        self.__add_round_key(state_matrix, key_matrix)

    def __sub_bytes(self, s):
        # Replace every state byte with its Sbox entry, in place.
        for i in range(4):
            for j in range(4):
                s[i][j] = Sbox[s[i][j]]

    def __shift_rows(self, s):
        # Rotate the bytes at inner index 1, 2 and 3 across the four words by
        # one, two and three positions respectively.
        s[0][1], s[1][1], s[2][1], s[3][1] = s[1][1], s[2][1], s[3][1], s[0][1]
        s[0][2], s[1][2], s[2][2], s[3][2] = s[2][2], s[3][2], s[0][2], s[1][2]
        s[0][3], s[1][3], s[2][3], s[3][3] = s[3][3], s[0][3], s[1][3], s[2][3]

    def __mix_single_column(self, a):
        # Mix one 4-byte word in place using xc().
        # please see Sec 4.1.2 in The Design of Rijndael
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        # Save a[0]: it is overwritten before the last line needs it.
        u = a[0]
        a[0] ^= t ^ xc(a[0] ^ a[1])
        a[1] ^= t ^ xc(a[1] ^ a[2])
        a[2] ^= t ^ xc(a[2] ^ a[3])
        a[3] ^= t ^ xc(a[3] ^ u)

    def __mix_columns(self, s):
        # Apply __mix_single_column to each of the four words.
        for i in range(4):
            self.__mix_single_column(s[i])

def xor(a,b):
    """Return the byte-wise XOR of two equal-length byte sequences.

    The length check is an ``assert``, so it disappears when Python runs
    with ``-O``.
    """
    assert len(a) == len(b)
    return bytes(left ^ right for left, right in zip(a, b))

def exchange_plain(plaintext):
    """Return ``plaintext`` with every byte shifted left by one bit.

    ``bytes()`` rejects values above 255, so any input byte >= 0x80
    raises ``ValueError``.
    """
    return bytes(value << 1 for value in plaintext)

def block_encrypt(plaintext,key,iv):
    """Encrypt ``plaintext`` by XORing it with a keystream derived from ``iv``.

    The keystream block for position i is ``myAES(key)`` applied i+1 times
    to ``iv``; it never depends on the plaintext. With a fixed key and iv
    every call therefore produces the same keystream, so two ciphertexts
    XOR to the XOR of their (shifted) plaintexts -- a fresh iv per message
    is what prevents this.

    Only whole 16-byte blocks are processed; a trailing partial block is
    silently dropped.
    """
    cipher_obj = myAES(key)
    whole_blocks = len(plaintext)//16
    shifted = exchange_plain(plaintext)
    pieces = []
    keystream = iv
    for offset in range(0, 16 * whole_blocks, 16):
        keystream = cipher_obj.encrypt(keystream)
        pieces.append(xor(keystream, shifted[offset:offset + 16]))
    return b''.join(pieces)

这道题,给出的块加密使用的 key 和 iv 都是在初始化阶段内容中就已经固定了的,在一次连接之中不会更改

连上去可以获得 flag 的密文;如果是 CFB 或者 OFB 这类流式模式,固定的 key 和 iv 会产生相同的密钥流,也就违反了一次一密(OTP)中密钥流不能复用的原则

对于密钥流复用,我们一点点试就可以了

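OFB:$S_0 = IV,\quad S_i = E_k(S_{i-1}),\quad C_i = P_i \oplus S_i$

CFB:$C_0 = IV,\quad C_i = P_i \oplus E_k(C_{i-1})$

总的来说,都是 $C_i = P_i \oplus K_i$ 的形式(上面的 block_encrypt 里 $K_i$ 只由 key 和 iv 决定,对应 OFB 的写法;key 和 iv 固定时每次加密的 $K_i$ 都相同,所以实际使用中每条消息都必须换新的 iv)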

solve #
from pwn import *
from Crypto.Util.number import *
from hashlib import sha256
import string
from pwnlib.util.iters import mbruteforce

# Candidate alphabet for the four unknown proof-of-work characters.
table = string.ascii_letters + string.digits
def pow():
    """Answer the service's SHA-256 proof of work on the global ``io`` tube.

    NOTE: this name shadows the builtin ``pow`` for the rest of the script.
    """
    io.recvuntil("XXXX+")
    suffix = io.recv(16).decode("utf8")
    io.recvuntil("== ")
    target_digest = io.recvline().strip().decode("utf8")

    def matches(candidate):
        # True when the 4-character candidate plus the known suffix hashes to the target.
        return sha256((candidate + suffix).encode()).hexdigest() == target_digest

    proof = mbruteforce(matches, table, length=4, method='fixed')
    io.sendlineafter("XXXX :", proof)

def pad(m):
    """Pad ``m`` to a multiple of 16 bytes; each pad byte holds the pad length.

    Input that is already block-aligned receives a full block of sixteen
    0x10 bytes.
    """
    fill = 16 - len(m) % 16
    return m + bytes([fill]) * fill

def enc(plaintext):
    """Ask the service (menu option 2) to encrypt ``plaintext``; return the reply bytes.

    The last four bytes read (up to and including the next ``[+]`` marker)
    are cut off the returned value.
    """
    menu_banner = io.recvuntil(b'[-]')
    print(menu_banner.decode())
    io.sendline(b"2")
    input_prompt = io.recvuntil(b'[-] ')
    print(input_prompt.decode())
    io.sendline(plaintext)
    io.recvuntil(b"CipherText:")
    reply = io.recvuntil(b'[+]')
    return reply[:-4]

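def xor(msg1,msg2):
    """Return the byte-wise XOR of two equal-length byte strings.

    The result always has the same length as the inputs. The earlier
    integer round-trip (bytes -> int -> bytes) dropped leading zero bytes
    of the result, which shortened the output and would trip the length
    assertion of a following ``xor`` call.
    """
    assert len(msg1)==len(msg2)
    return bytes(left ^ right for left, right in zip(msg1, msg2))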

if __name__ == "__main__":
    io = remote("127.0.0.1",10004)
    pow()
    print(io.recvuntil(b'[-] ').decode())
    io.sendline(b"1")
    print(io.recvuntil(b"My Encrypted flag is:").decode())
    c = io.recvuntil(b'[+]')[1:-4]

    # Have the service encrypt a known plaintext of matching length.
    cipherlen = len(c) - 1
    fakeplain = b'\x01' * cipherlen
    blocksize = cipherlen//16
    newcipher = enc(fakeplain)
    fakeplain = pad(fakeplain)

    # The service shifts every plaintext byte left by one bit before the
    # XOR, so the known plaintext gets the same treatment here.
    new_plain = bytes(value << 1 for value in fakeplain)
    # Known (shifted) plaintext XOR its ciphertext gives the keystream.
    s = xor(new_plain, newcipher[:])

    # The same keystream was used for the flag; undo the XOR, then the shift.
    fakeplain2 = xor(s, c)
    new_plain = bytes(value >> 1 for value in fakeplain2)
    print(new_plain)

MyCryptoSystem #

阿巴阿巴,摸了,一中午时间搞不定捏,下午还要上机

from Crypto.Util.number import*
import random
from secret import flag
from hashlib import sha256
import socketserver
import signal
import string

def trans_flag(flag):
    """Split ``flag`` into six 7-byte slices and return each as an integer.

    Bytes past index 41 are ignored; a slice that runs off the end of a
    shorter flag is simply shorter (or empty).
    """
    return [bytes_to_long(flag[start:start + 7]) for start in range(0, 42, 7)]

# Bit length of the modulus N built by Setup().
kbits = 1024
# Alphabet for the proof-of-work string.
table = string.ascii_letters + string.digits
# From here on `flag` is a list of six integers, no longer the raw bytes.
flag = trans_flag(flag)

def Setup(kbits):
    """Generate the public parameters ``(N, g)`` and return them with ``p``.

    ``p`` and ``q`` are primes for which ``(p-1)//2`` and ``(q-1)//2`` are
    prime as well. ``g`` is drawn until ``g**(p'q') mod N**2`` has the form
    ``1 + t*N`` with ``1 <= t <= N-1``, where ``p'``, ``q'`` are those halves.

    NOTE(review): ``g`` comes from the ``random`` module, which is not a
    cryptographic generator. The secret factor ``p`` is handed back to the
    caller alongside the public values.
    """
    p_bit = kbits//2
    q_bit = kbits - p_bit

    def _safe_prime(bits):
        # Return (prime, (prime-1)//2) once the half is prime too.
        while True:
            candidate = getPrime(bits)
            half = (candidate - 1) // 2
            if isPrime(half):
                return candidate, half

    p, p_tmp = _safe_prime(p_bit)
    q, q_tmp = _safe_prime(q_bit)
    N = p * q
    square = N * N
    exponent = p_tmp * q_tmp
    while True:
        g = random.randrange(square)
        lifted = pow(g, exponent, square) - 1
        if lifted % N == 0 and 1 <= lifted // N <= N - 1:
            break
    public = (N, g)
    return public, p

def KeyGen(public):
    """Return ``(pk, sk)`` with ``sk`` drawn below ``N**2`` and ``pk = g**sk mod N**2``.

    NOTE(review): the secret exponent comes from ``random``, which is not a
    cryptographic generator.
    """
    N, g = public
    square = N * N
    sk = random.randrange(square)
    pk = pow(g, sk, square)
    return pk, sk

def Encrypt(public,pk,m):
    """Encrypt the integer ``m`` under ``pk``; return the pair ``(A, B)``.

    ``A = g**r`` and ``B = pk**r * (1 + m*N)``, both modulo ``N**2``, for a
    fresh ``r`` below ``N**2``.

    NOTE(review): ``r`` comes from ``random``, which is not a cryptographic
    generator.
    """
    N, g = public
    square = N * N
    r = random.randrange(square)
    mask = pow(pk, r, square)
    return pow(g, r, square), (mask * (1 + m * N)) % square

def Add(public,dataCipher1,dataCipher2):
    """Multiply two ciphertext pairs component-wise modulo ``N**2``.

    For two outputs of ``Encrypt`` under the same key this yields a
    ciphertext of the sum of the plaintexts, since
    ``(1 + a*N) * (1 + b*N) = 1 + (a + b)*N`` modulo ``N**2``.
    """
    N = public[0]
    (A1, B1), (A2, B2) = dataCipher1, dataCipher2
    square = N * N
    return (A1 * A2 % square, B1 * B2 % square)

def hint(p):
    """Return the tuple ``(tmp, k, enc, n)`` that the service sends as its hint for ``p``.

    * ``tmp`` -- a fixed degree-5 polynomial evaluated at a 300-bit prime ``s``
    * ``k``   -- ``(_p - s) * d``, with ``d`` the private exponent for ``e = 0x10001``
    * ``enc`` -- ``p`` raised to ``e`` modulo ``n``
    * ``n``   -- product of two fresh 2048-bit primes

    NOTE(review): ``k`` is a multiple of the private exponent and ``tmp``
    determines ``s``; the solver further down this page uses exactly these
    two values to factor ``n``. Values derived from a private exponent
    should never be sent to a client.
    """
    public_exponent = 0x10001
    prime_a = getPrime(2048)
    prime_b = getPrime(2048)
    modulus = prime_a * prime_b
    s = getPrime(300)
    poly_of_s = 160 * s ** 5 - 4999 * s ** 4 + 3 * s ** 3 + 1

    totient = (prime_a - 1) * (prime_b - 1)
    private_exponent = inverse(public_exponent, totient)
    masked = (prime_a - s) * private_exponent
    wrapped_p = pow(p, public_exponent, modulus)
    return (poly_of_s, masked, wrapped_p, modulus)

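class Task(socketserver.BaseRequestHandler):
    """Per-connection handler for the challenge service.

    A client first has to pass a SHA-256 proof of work. The handler then
    generates fresh parameters and keys, encrypts the flag pieces and
    serves a small text menu until the client picks an unknown option.
    """

    def _recvall(self):
        """Read until a chunk shorter than the buffer arrives; return the data stripped.

        An empty read (peer closed the connection) also ends the loop.
        """
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) < BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        """Send ``msg`` (bytes), followed by a newline unless ``newline`` is false.

        Sending is best effort: a failure is ignored so that a vanished
        client does not raise out of the handler.
        """
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)
        except Exception:
            # Narrower than a bare ``except``: KeyboardInterrupt and
            # SystemExit are no longer swallowed.
            pass

    def recv(self, prompt=b'SERVER <INPUT>: '):
        """Send ``prompt`` without a newline and return the client's stripped reply."""
        self.send(prompt, newline=False)
        return self._recvall()

    def proof_of_work(self):
        """Challenge the client to find the 4 hidden characters of a hashed string.

        Returns True only for a 4-byte answer that reproduces the digest.
        """
        # NOTE(review): ``random`` is not a cryptographic generator, so the
        # challenge string is predictable in principle; ``secrets.choice``
        # is the usual replacement.
        proof = (''.join([random.choice(table)for _ in range(20)])).encode()
        sha = sha256(proof).hexdigest().encode()
        self.send(b"[+] sha256(XXXX+" + proof[4:] + b") == " + sha )
        XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :')
        return len(XXXX) == 4 and sha256(XXXX + proof[4:]).hexdigest().encode() == sha

    def handle(self):
        """Run the proof of work, build the ciphertexts and serve the menu."""
        proof = self.proof_of_work()
        if not proof:
            self.request.close()
            # Stop here: without this return a client that failed the proof
            # of work was still served (on an already closed socket).
            return

        public,p = Setup(kbits)
        # The alarm is armed only after parameter generation has finished.
        signal.alarm(60)
        pk = []

        for i in range(6):
            # Only the public half is kept; the secret exponent is discarded.
            pki,ski = KeyGen(public)
            pk.append(pki)

        msg = [123,456,789,123,456,789]
        CipherPair = []
        for i in range(len(pk)):
            TMP = Encrypt(public,pk[i],msg[i])
            CipherPair.append(((TMP),pk[i]))

        # Each entry combines an encryption of a flag piece with the
        # encryption of the matching known constant from ``msg``.
        CipherDate = []
        for i in range(len(pk)):
            CipherDate.append(Add(public,Encrypt(public,pk[i],flag[i]),CipherPair[i][0]))

        self.send(b'What do you want to get?\n[1]pk_list\n[2]public_parameters\n[3]hint_for_p\n[4]EncRypt_Flag\n[5]exit')
        while 1:
            option = self.recv()
            if option == b'1':
                self.send(b"[~]My pk_list is:")
                self.send(str(pk).encode())
            elif option == b'2':
                self.send(b"[~]My public_parameters is")
                self.send(str(public).encode())
            elif option == b'3':
                # Sends values derived from the secret factor p; see hint().
                self.send(b"[~]My hint for p is")
                self.send(str(hint(p)).encode())
            elif option == b'4':
                self.send(b'[~]What you want is the flag!')
                self.send(str(CipherDate).encode())
            else:
                break
        self.request.close()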

class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    """TCP server that handles every connection in its own thread."""

class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    """TCP server that handles every connection in a forked child process."""

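if __name__ == "__main__":
    # '0.0.0.0' listens on every interface of the host.
    HOST, PORT = '0.0.0.0', 10004
    print("HOST:POST " + HOST+":" + str(PORT))
    # TCPServer binds the socket inside its constructor, so the reuse flag
    # has to be set on the class before the server object is created;
    # setting it on the instance afterwards has no effect on the bind.
    ForkedServer.allow_reuse_address = True
    server = ForkedServer((HOST, PORT), Task)
    server.serve_forever()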

Refer:

有点全同态的意思,思路应该都差不多,老年人审不动代码了

solve #
from Crypto.Util.number import *



pk = [
    9903345546233406345274390216048265052622725595643911382459514293327907995763783433147838863218937316798528321748709369866569364258411991106643258574989572698239199587284255395798614346448471824851838611865337708256660691836153845389605039594319342717738584309592542607252862142218328138475660803285763968213588394528744053027073152049126506763299065229583353619501424333169829170062395149103651329694449221315641100954836434060049710046515370320763518422757259232374856682888632529561315692561552616649850830047862626833700857587886906774837245010908976175065773850953572418920037258016988361625314499467080329947834,
    4657987514327931382586065476207522772971258290989872695879544239943902837884205892985114988879105147508471426477725785278489578603238865417098282642677702682558515261983265111905752045094339807685437631424315910160691213278435428566562930439156460282707569924593158395598671318460018264391187530476992919637306573650359751555942532258246978276100316266002757890715569420913869805217560217134510519346377418614486773028307378572957516734818473041775035754849881665094508458497419054187487268190726118233936603633638471145845999136306136647043157332984411178327008942140608992928610672350874409133847619495978691003983,
    7152622146034039999102209659831462740324099991262599130951339134800860469219385611290178799376661722659467449321426175020317292072406471009110088250342445514154276439873731324377138630287652938447079493334481729733399579524933508791782450534231737861241986084043058279901605377263189163625776405289654862504323255599291057684909554237875294477643638400289810490222526085038484864459087125794097728967487662164428457600296095735630725252693027342870722549061819169935860921269104894144054734690002817578317664544134682313233240526480877455943937633095468303194749422586696801627436494347930469704062764072900721232548,
    7109779273286288048422281478804269058000170220987326969272411328526909689353334022202761918717633450003773894926300727763953889207715377450335730309751197006520012868095728483075579533219462901668068782447412894870775590238751905671507645068125478347626639590964901574834959983618787306511470121467436989932815779239653115530532446769723177935466135060247074247928491194578344816554353261469294754488631361381078861128074887053925809483235131348049560238616364665057176559180859329509474653282715138146826654691223610824931487517489362866512293278790312452574896436150893275394629547641444721163364866744442609573336,
    7013605482466599504215631908713721046317718409278569099893184473489373835086487268247053290346460889649268221380299871646123742986014194382973645546664516341392101622320165115690109134132599946593167293726028899310932600936819760645652261283663993530694302054668286992858073658208217032520244670566118947000884035935625925585375773268470663092328626392488631056760673984746371429897537785286259074077658212766702133795429225879795772702881120673021514373788313589716773325607907621831363437568961397189016495389255827603389591886876630344786847409531508107276526897772978948736479662903818836257353212222762336597842,
    4806721251332604936583783100910738385093145269860713974606137000339320309313718310646996553451884286724915427107907524634556622320710583584822842418207893426969244662819580085418538670391877263926570368207843244161385729568080850388644996006667177570562488502257438937466251161234759102309530753153103743200173924429409773543762996308591888655566867525229785743476821619151400424309747726050575041627943897750153111818448811385038416912000573298056564339492261814303206364521764204436008885844987333383021967216866126804296346352232953195581868834806336897980493190883504556027965801104592918053461903544343499793148]

pp = (
116058145608385674276672702733893672956917357809340972538570485852695265863484647565483969096692688010826897645583250179342948573711209724577479990992353280882942137887382013678270315267433526273541196683333653359064888776962783810251136593744944176853011420616507243827538789682910216231628628642669601620197,
1323504804693605855191327443760086345281649229726269111925168787721095025354939523351093646120270955977932471982770625541648435290075746193431150770845139326096348863253122005228642568047448855041631516254485716898369011414099219540232164217042223770732057949218835774974444493789502265425791610604673305652047727570396368311258661773456561780033017199975954989495183950216887552362300470021672023164588797459958072321188375419124464113413271301788579119298216918506641731413551008233009777669881314925772595092716344426679130709454192219868031884699258375512868095144714176573965706489293593500326194562659653969458)

hint = (
3304509274524412540171264358124119088833800976282457766193314963305873033161330887473610701496331727440513718090072303043520886293193462950873554113640228240224124433475441227891344247665419958809785016703063382485354461032693344779418991821542568461754389960108428352247981608899460343162110878318981398514231521555009134803445563830931241367613010673484820004826742929263786069863767135614670210943375086531462135790577385826251711826956133897596282243,
18673552355026493682367993197594041685105912554496204006071318337433750748484198918999006603609070236946794406646857929858271667161159821948643461587573309938436022907905563675893493544137760269437082632764159499720652999895637785568626919233056222688894682434212287149137672927486675552931963662505820165969260332655913416992181107410361559298420835898842186213690962374197086970672645328840383254461784517784780864111625152257285743741377246185357414383169045966336855033328995108673937471012241768717137091699706888762787881023600876751379445077298974464957282953933633278819938276469242913645327826899280730378510831893678633686326067596094217688170054369461965105625780401612104533404625397536763720217428564215968405635508712008844542236283094192295732557282230905545840906632840009978007258478459365608215939033972105748737935689371789627988971740974016203717802975023788606268882962377491740960659808878888064715022917962036921078185337788188828827560750328462479969002281238743276353625438159553170772284740537095985838278172254013674247239470266176189688697125522141751881011405920598024214587381076120444370591846992414608682429746316750727122762979926721420808841162691202812455865023677898835926775902048207423004038897059826740331422462081975344727266724533279470011913633242411494155377901129954948980432938310133971389286531625924644619420043095791394754413875398146297583377962248627741212161303069981941569866944074879499723223751021923981415814664672164190239644127148353124450639473123151046004159881650568067549888897471830276776633029695063826990630398201263925250452965401918712445937288291276956166559477365872979519731483611497593803953363019529897948397338298832801417548743615088306206142876669755008937934689940302481383802561001644113621155496827135409662730409037898943078891337579488375518035794171905834626304322444694,
539377906599424907526632843166406186887994388288395247025677144511569324590324166349932358956945530482435011767601209547968477063774490960749034860906510588252104413420941733125967525475043221168756505292522601577057218771125772685733296338522363178984864495675414130791619818890366370557675326005258390297594292831359088537078656773489065102417473480178237120474398129190736614740095486323803477825764714579797487965970125462158351531803287630303556152941144529035877182222332859272963419562743124506553238333107168737543087680258179370723432262945716883858929178735267308369044505783745182741491958523354179513018857096826520453169699127158441377257448188678204993164831215068755599442400473937072589097943431330269080643575456825957862621837176273757555174664101928305295704140917190943907845610548594061039034810294061809981907459259888820996892671481897701236041260611950043463091395858960542584227353654109383849840291308218862529006542917504664716472128390359084763925098770711610788290622962907016008535400120027033905191127470206070423441540259944787758643369312060605925413027755134600754634776476816867075412026307691016441255799159826836710912465972283668124709418672925573497481469507767821018983331413830308225249670213,
771303616051246597362775631900799039403496855240545309388039239713515343324730245355385505175052264662225716867664932661179695239976689945202466354113882887785256123500397817446363928952385349720106805723398880158118530637817328419529810918253166105130572407675868533684722690701263027695057884781572005203710380389492337464706322197156332747141737567696942141557244601594450697569317561198633787265360908016943129048658517482780709873483395196165037089762085272676446233125576546801464300403172738727818739368290767604363354842370759828029956787539488976004277286939183192793995718557020159731981638723547110532088324527518198313950639459543804840939790334808699633063597436840087738271170775240338399829681169080915374347348793605099404690101311868508864356243014172245954247143538079675646203655046049549064125322505821306915855626027754226417532505315799505040998439588290594143118470042253509832524845224911601112190904726230912309817509408264025187673852524716993402306088622806621715736676790401579697069312650629611634465456687035568440558258548547180371086392877863527742881461641884074483579391836421145981167932451527973965904138695962954324595990655760219255358121458470950021891974378425618763709685740211924807012197107)

enc = [(
       2370749863764972469554987128423083132152741020419238456792199956271338793369703079791129095737616003377516787283096306824061503011677428843457108641844447745003806414353879288703818779487783955229942181920152588250200669054504452218107095850722768505991162394104886525200011421355381962826397885692150120244491531539377531866284584252422892309748011247515811550244392155248279678705299157537079588584781118082321447337527598026964754363320992168148072800954886229060629354492679636656754286873086972322060862979794720152370297379178231399705112629407022082772459000129648242752712149593022848240307229599933472326639,
       10629950550426941565735942536153612126197075426453505801699488530948416427388341145614894540703007927177589576195791501426919155687969896393612899952331105630117997308653329395856690066181874393591881894453952869877799692000865157650370029152823033681542597277374455515630326185288969181207049278972424924124917280845385999799481752211943822401232496627640731964698440335637339531240277243009697942776518858825759945763928468912578631650445582450477310960248021693355312415701840017992455266308763927053090663891585787512051382596977251121622452266044626384323834901483016613229807405392686302206337745279574799725645),
       (
       8542751637884684025319786450527032227009617479414394231919844939217652338788161470233642473581019170622701720476025009092989013870995959272934965586486840055645006446711683509118553167874426553788648476906001713844361905026951473754320948536863270405442355445689090656080870055731787592798342434870295612231106938988844575221665180789028833163353823895142662603464032381483430210539747595577423739584974097527545540375158029450966706494122549444092584635666880572007044982041658609028110690639268383842637227465891773307663549588908675683344647203385483408274703330184009244117626337442195205480475459017506908378382,
       2085464782488608613105478863522869688839446373807422195811803331689394753034371063243583106866586343146531749675569189096780488423721634377236415215284877254947163786418624603900665408073101524722245655198842608618980378770280851746286699343613279939871217219082251933210754404379200901319663736745457626874556188300478654812086483681270689360875895659386846755725802972602048228910282786705793739781283712745503244516889112081931069096299064296710777871729670616642875966694256394184177030901697579198250012643883583860976015695050327069588050903408271139834868592068346344594302367420008530215145642134089913952557),
       (
       543379651794527156062094782615415987126871620097692229765839746265851208613317355119559668303271787419759988860329095755697435256473567826557245034346459936922682845797773645705160147104133662578144309856704479439289163136941011188877597285072682519886521870892631481613475471998069980876386882958669921110348676779465364405081731380722964576478311374454355160040908216697066270729949487583602342578399647457482050413820300137877454944632271598565235769295077747277719043188373569056439162575396512455806377433545271124528925620470920962892894249748487897779327141712239684724085201311734710383690195147053140764504,
       9600165348259661124956404845736396858100519318389925868606888916984643985895386306780982368751778369806274791090833545087200109007614498245855188283074902307949807130479277113285297867794858711826951638363843607817932591111690370962454818512651391989642966123695165335863937606726713692914497273424773388437855020945354376617719527751214041931945111308814001172921038464366498230491013737383072831557104712383544399543012036163649490354003100371174810574006002644174234692655781715586368884960284084967731443156537638580405037295061504085273546300354900099908765784319131236423563368794213970198902823051776517828468),
       (
       12720343660076569556039596264810303540914689089267418571274368608634502718903963112327879610372603745751539474798195515336467050718375929419345733113911528358484167664963503186841785910027555371478552531495995844268225519704711001985099721356627657840167984002486330570582837406734000720783811150194191002449217705383562675444044945162334756814642251675950438968558499867686939667519299824614533209923956050684477257790445925094911660288187792056096062118083793213147868094394231992192383502108218624286840281922749640371120549106693515481691153295118333950838764473539401082016498358430567956598359917829161043821923,
       4650323688588415339019928507804235509220831574748530492223503896814273549337012004014746825250262647080845945994043124954184595880222369378843745537963920765086225346591138786702843017155046291724096922328898328762663213011679875702138741764070774196464897663069143841855764208571026489169132412285776494336297720866132075198429444247196211613036311318314879852868477516679485900845328688901789016225902686170650744766395837690968708316279220636380532088975733777486547226356583429833361452246099636637189734339178241917792021598852161212173979461617456855465936599590284629977902176162000058610035695794065634100639),
       (
       10396423324897848835409665024677718748748275152542630135546271217978894933756975222671676528440868558146062940715117417453570039212594054647284966702987699660365789971324359154387594924406035801798108650969994651017387528389546784219757728821861009799685768626296589321049051322128571853402725165039936147958562122051637969655142188175452657583158785607562742670990899569674380956330989338377933120635140041105086765896268409172931140656723857868697634702294188534131288843222666037473712998513917783662683841747851217148640555307904431378526795971269753578248986461126093686958140302691940282614769028716224500465400,
       10798504168395710787960812876356437285934683803323132830688595372752190494161652829029608445088132125185307268912072641282834290673164295328663953059468256952098951333672231933874502144395072869385220758235319321235155734059642693343763727507971442564909780155636668388696682838764136330992117816596893267196341561066485523081399699619635261170621994915700709742698285689917591029680117943213992352450943218840907244087863115086611479482597679053688944172466634936583338987025301834861645019455669785648445946091342899676952875789185642046350945969242055986671135076879652075682156184614411942863144182851932824842223),
       (
       6024146563091378683361400585005798994618396955430739256202274414470382614885386935565909835642987305321627688396325616582250978022048902486972239421247523958404794423154859667551329588342537025329667423441363580369169495567970964773693968820126919761419804174567010888728316915168649562127178777376355308064502139123147221947023574172487891669271681846950161748490575086030511122210151190204591379378553678990922119342011478603434071107786918375396663987961758147555293906382425151887060043190720507983485158382548174693081995619844700045348077449835099793967697120736717935383288578127456179213311919161151155174824,
       4870502348403192237841744837214583690478227756212766589818598939047582028006298907136620265317438054467335452744116591470143951540556270271380332391795537714716300381577136060628725987549313679113315820130730138650199102902669460738279230412746309056896412027404174717090688033608047192772110096729558448093593198119502746076283713950634532742154889796648667924689635484547336377813437723995975643927939980093528839639771421922806898920769585362627963378567719717948703184928020874906392869582921471386283254630748177578173599118834216729254666298122543633678959357415931927763356558249437476070464496258411089399963)]

# Recover s by bisection: the polynomial below is the `tmp` expression from
# the server's hint(), and hint[0] is its value at the 300-bit s.
# The loop only ends on an exact match (assumes the polynomial is
# increasing over the search range -- TODO confirm).
l = 0
r = 1 << 300

while True:
    s = (l + r) // 2
    x = (160 * s ** 5 - 4999 * s ** 4 + 3 * s ** 3 + 1) - hint[0]
    if x > 0:
        r = s
    elif x < 0:
        l = s
    else:
        break

# hint[1] = (_p - s) * d with e*d = 1 mod (_p-1)(_q-1), so
# hint[1]*e + s - 1 is a multiple of _p - 1. By Fermat's little theorem
# 2**(that exponent) - 1 is then divisible by _p, and the gcd with the
# hint modulus hint[3] yields _p.
_p = GCD(pow(2, hint[1] * 65537 + s - 1, hint[3]) - 1, hint[3])
_q = hint[3] // _p
d = inverse(65537, (_p - 1) * (_q - 1))
# hint[2] is p**e mod hint[3]; raising it to d gives back p.
p = pow(hint[2], d, hint[3])
n = pp[0]
q = n // p
# k equals p_tmp * q_tmp from Setup(): ((p-1)/2) * ((q-1)/2).
k = (p - 1) * (q - 1) // 4
# Setup() chose the generator so that generator**k = 1 + t*n (mod n*n);
# this is that t.
g = (pow(pp[1], k, n * n) - 1) // n
msg = [123, 456, 789, 123, 456, 789]
flag = b''

for i in range(6):
    # Same quotient for the public key; dividing by g modulo n leaves the
    # secret exponent reduced modulo n.
    y = (pow(pk[i], k, n * n) - 1) // n
    x = y * inverse(g, n) % n
    # B**k * A**(-k*x) removes the pk**r mask and leaves 1 + k*M*n (mod n*n),
    # with M the sum of the flag piece and msg[i].
    # A negative exponent in three-argument pow() needs Python 3.8+.
    m = pow(enc[i][1], k, n * n) * pow(enc[i][0], -k * x, n * n)
    # Divide out k modulo n and subtract the known constant.
    f = ((m - 1) // n * inverse(k, n) - msg[i]) % n
    flag += long_to_bytes(f)

print(flag)

fermat’s revenge #

小数学题

重新模p,需要对指数变形

对上式和n求gcd即可。

from Crypto.Util.number import *

n = 17329555687339057933030881774167606066714011664369940819755094697939414110116183129515036417930928381309923593306884879686961969722610261114896200690291299753284120079351636102685226435454462581742248968732979816910255384339882675593423385529925794918175056364069416358095759362865710837992174966213332948216626442765218056059227797575954980861175262821459941222980957749720949816909119263643425681517545937122980872133309062049836920463547302193585676588711888598357927574729648088370609421283416559346827315399049239357814820660913395553316721927867556418628117971385375472454118148999848258824753064992040468588511
c = 2834445728359401954509180010018035151637121735110411504246937217024301211768483790406570069340718976013805438660602396212488675995602673107853878297024467687865600759709655334014269938893756460638324659859693599161639448736859952750381592192404889795107146077421499823006298655812398359841137631684363428490100792619658995661630533920917942659455792050032138051272224911869438429703875012535681896010735974555495618216882831524578648074539796556404193333636537331833807459066576022732553707927018332334884641370339471969967359580724737784159811992637384360752274204462169330081579501038904830207691558009918736480389
hint = 2528640120640884291705022551567142949735065756834488816429783990402901687493207894594113717734719036126087363828359113769238235697788243950392064194097056579105620723640796253143555383311882778423540515270957452851097267592400001145658904042191937942341842865936546187498072576943297002184798413336701918670376291021190387536660070933700475110660304652647893127663882847145502396993549034428649569475467365756381857116208029508389607872560487325166953770793357700419069480517845456083758105937644350450559733949764193599564499133714282286339445501435278957250603141596679797055178139335763901195697988437542180256184
# hint and 1011**n differ by a multiple of p (see the derivation above),
# so the gcd of their difference with n gives the factor p.
residue = pow(1011, n, n)
p = GCD(hint - residue, n)
q = n // p
# Standard RSA decryption with e = 65537 once the factors are known.
phi = (p - 1) * (q - 1)
d = inverse(65537, phi)
plain = pow(c, d, n)
print(long_to_bytes(plain))

'flag{1d2f28834ecbd1983b62d30f4723476e}'

第二届美团ctf预赛romeo #

操作系统终于考完了,抽空看了下这个完全没有营养的线上赛

from Crypto.Util.number import*
from Crypto.Cipher import AES
from secret import msg,password,flag
import socketserver
import signal
# Length checks on the imported secrets. These are plain asserts, so they
# are skipped when Python runs with -O.
assert len(msg) == 32
assert len(password) == 8

def padding(msg):
    """Append zero bytes until ``len(msg)`` is a multiple of 16.

    Input that is already aligned (including empty input) is returned
    unchanged. Zero padding is ambiguous for data that itself ends in
    zero bytes.
    """
    missing = (16 - len(msg)) % 16
    return msg + b'\x00' * missing

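class Task(socketserver.BaseRequestHandler):
    """Per-connection handler: password login, then the flag is sent."""

    def _recvall(self):
        """Read until a chunk shorter than the buffer arrives; return the data stripped."""
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) < BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        """Send ``msg`` (bytes), followed by a newline unless ``newline`` is false.

        Sending is best effort; a failure is ignored.
        """
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)
        except Exception:
            # Narrower than a bare ``except``: KeyboardInterrupt and
            # SystemExit are no longer swallowed.
            pass

    def recv(self):
        """Return the client's next message, stripped."""
        return self._recvall()

    def login(self):
        """Prompt for the password until it matches; return ``(True, check[:16])``.

        NOTE(review), response time depends on the secret:
          * the comparison stops at the first mismatching byte, and
          * the 0x2000 AES calls below run only when the guess matches a
            longer prefix than any earlier guess on this connection,
        so the delay before ``False!`` tells the client how many leading
        bytes were right. The usual fix is to compare the whole value in
        constant time (``hmac.compare_digest``), do the same amount of work
        for every guess, and limit the number of attempts.

        Further points: a reply shorter than the password raises IndexError
        at ``str1[i]``; both the guess and the real password are printed to
        the server's stdout; the trailing ``return False`` is unreachable
        because the loop never exits without returning.
        """
        right_num = 0
        while 1:
            self.send(b'[~]Please input your password:')
            str1 = self.recv().strip()[:8]
            print(str1)
            print(password)
            true_num = 0
            for i in range(len(password)):
                if str1[i] != password[i]:
                    login = False
                    self.send(b'False!')
                    break
                else:
                    true_num = i + 1

                # Skip the expensive part unless this guess matched at
                # least as far as the best earlier guess.
                if right_num > true_num:
                    continue
                else:
                    right_num = true_num

                if true_num == len(password):
                    login = True
                check = b''
                # The inner loop reuses the name ``i``; the outer ``for``
                # rebinds it from its own iterator on the next pass.
                for i in range(0x2000):
                    check = self.aes.encrypt(padding(check[:-1] + str1[:i+1]))

            if login == True:
                self.send(b"Login Success")
                return True,check[:16]

        return False

    def handle(self):
        """Set a 100 second alarm, run the login and send the flag on success."""
        signal.alarm(100)
        # The zero-padded password itself is the AES key, in ECB mode.
        self.aes = AES.new(padding(password),AES.MODE_ECB)
        _,final_check = self.login()
        if _ == 1:
            # (page author's remark) this assert serves no purpose
            # assert msg.decode() == final_check.hex()
            self.send(b'Good Morning Master!')
            self.send(flag)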
            
class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    """TCP server that handles every connection in its own thread."""

class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    """TCP server that handles every connection in a forked child process."""

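if __name__ == "__main__":
    # '0.0.0.0' listens on every interface of the host.
    HOST, PORT = '0.0.0.0', 10001
    print("HOST:POST " + HOST+":" + str(PORT))
    # TCPServer binds the socket inside its constructor, so the reuse flag
    # has to be set on the class before the server object is created;
    # setting it on the instance afterwards has no effect on the bind.
    ForkedServer.allow_reuse_address = True
    server = ForkedServer((HOST, PORT), Task)
    server.serve_forever()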

一位位爆破密码

通过range(0x2000)的高耗时来判断当前正在判断的位数

from pwn import *
from time import time
import string
#io = remote("127.0.0.1", 9999)
# Connects to the local instance of the challenge service above.
io = remote("0.0.0.0", 10001)
CHARSET = string.printable
pre = ""

# One pass per password position; the server asserts the password is 8 bytes.
for _ in range(8):
    print(_)
    t = 0
    now = ""
    for i in CHARSET[:]:
        io.recvuntil(b":")
        print(pre + i + "0")
        # The trailing "0" is filler after the candidate character.
        io.sendline((pre + i + "0").encode())
        
        start = time()
        # wait for "False!"
        io.recvuntil(b"!")
        end = time()
        
        # The rejection took longer than any earlier one at this position,
        # which indicates the current character is correct and the matched
        # prefix grew by one byte.
        if (end - start) > t:
            now = i
            t = end - start
        print(end - start)
    print()
    print(t)
    #exit()
    pre = pre + now
    print(pre)
io.interactive()

最后拿到passwd了nc上去输入拿到flag