CryptoCTF easy

2023

suction

题目描述：

from Crypto.Util.number import *
from flag import flagdef keygen(nbit, r):while True:p, q = [getPrime(nbit) for _ in '__']e, n = getPrime(16), p * qphi = (p - 1) * (q - 1)if GCD(e, phi) == 1:N = bin(n)[2:-r]E = bin(e)[2:-r]PKEY = N + Epkey = (n, e)return PKEY, pkeydef encrypt(msg, pkey, r):m = bytes_to_long(msg)n, e = pkeyc = pow(m, e, n)C = bin(c)[2:-r]return Cr, nbit = 8, 128
PKEY, pkey = keygen(nbit, r)
print(f'PKEY = {int(PKEY, 2)}')
FLAG = flag.lstrip(b'CCTF{').rstrip(b'}')
enc = encrypt(FLAG, pkey, r)
print(f'enc = {int(enc, 2)}')

题目分析：
给出了n,e,c且每个都是少最后8bit
n - 256bit，e - 16bit，由于都比较小，可直接爆破出来
n这里用factor()分解，若最后分解得到的是两个数，并且都是128bit，那么p,q,n都可以确定了
n出来了那之后再爆e和c，256 * 256，也不大，最后通过得到的flag是否都为可打印字符来判断flag是否正确

from Crypto.Util.number import *
from gmpy2 import *
PKEY = 55208723145458976481271800608918815438075571763947979755496510859604544396672
ENC = 127194641882350916936065994389482700479720132804140137082316257506737630761 << 8
n_ = int(bin(PKEY)[2:-8],2) << 8
e_ = int(bin(PKEY)[-8:],2) << 8# for i in range(45,256):
#     print(i)
#     n = n_ + i
#     if n % 2 == 0:
#         continue
#     a = factor(n)
#     if len(a) == 2:
#         print(n,a,i) # 69n = 55208723145458976481271800608918815438075571763947979755496510859604544396613 
p = 188473222069998143349386719941755726311
q = 292926085409388790329114797826820624883
phi = (p - 1) * (q - 1)
for i in range(256):e = e_ + iif not isPrime(e):continuefor j in range(256):c = ENC + jd = inverse(e,phi)m = pow(c,d,n)flag = long_to_bytes(int(m))if flag.isascii():print(flag)
# CCTF{6oRYGy&Dc$G2ZS}  

Blue Office

题目描述：

import binascii
from secret import seed, flagdef gen_seed(s):i, j, k = 0, len(s), 0while i < j:k = k + ord(s[i])i += 1i = 0while i < j:if (i % 2) != 0:k = k - (ord(s[i]) * (j - i + 1))else:k = k + (ord(s[i]) * (j - i + 1))k = k % 2147483647i += 1k = (k * j) % 2147483647return kdef reseed(s):return s * 214013 + 2531011def encrypt(s, msg):assert s <= 2 ** 32c, d = 0, senc, l = b'', len(msg)while c < l:d = reseed(d)enc += (msg[c] ^ ((d >> 16) & 0xff)).to_bytes(1, 'big')c += 1return encenc = encrypt(seed, flag)
print(f'enc = {binascii.hexlify(enc)}')

题目分析：
gen_seed()压根没用到呀，感觉是用来耗时间的，有些人喜欢顺着看下来，看完之后才发现这串没用，但时间也过去了。所以还是从加密那里看起吧。
步入正题
主要在下面两串
d = reseed(d)
enc += (msg[c] ^ ((d >> 16) & 0xff)).to_bytes(1, 'big')
第一串LCG，第二串flag的其中一个字节和d的第16-24位（1个字节）异或。assert s <= 2 ** 32表明s应该在32位左右，但我们只需用到24位，所以可以把这个运算看成GF(2 ** 24)下的运算，flag的格式固定CCTF{}，故通过异或运算可以得到seed的第16-24位，还16位未知，不大直接爆破，之后flag也就出来了

import binascii
enc = 'b0cb631639f8a5ab20ff7385926383f89a71bbc4ed2d57142e05f39d434fce'
enc = binascii.unhexlify(enc)
flag = b'CCTF{'def reseed(s):return s * 214013 + 2531011def encrypt(s, msg):assert s <= 2 ** 32c, d = 0, senc, l = b'', len(msg)while c < l:d = reseed(d)enc += (msg[c] ^ ((d >> 16) & 0xff)).to_bytes(1, 'big')c += 1return encs1 = (enc[0] ^ flag[0]) << 16for i in range(2 ** 16):seed = s1 + iflag = encrypt(seed,enc[1:])if b'CTF' in flag:print(flag)
# CCTF{__B4ck_0r!F1c3__C1pHeR_!!}

2022

Baphomet

题目描述：

from base64 import b64encode
from flag import flagdef encrypt(msg):ba = b64encode(msg.encode('utf-8'))baph, key = '', ''for b in ba.decode('utf-8'):if b.islower():baph += b.upper()key += '0'else:baph += b.lower()key += '1'baph = baph.encode('utf-8')key = int(key, 2).to_bytes(len(key) // 8, 'big')enc = b''for i in range(len(baph)):enc += (baph[i] ^ key[i % len(key)]).to_bytes(1, 'big')return encenc = encrypt(flag)
f = open('flag.enc', 'wb')
f.write(enc)
f.close()

题目分析：
密文长度为48，说明key长度为6（字节）
又CCTF{有40bit，大于6 * 6（base64以6字节分组加密）
故可知baph前6位q0nurN，与密文前6位异或得到key
key和密文都知道，异或便可得到完整flag

未完待续…