[SHCTF 校外赛道] crypto

终于都结束了，这些新生赛太漫长了。不过这个也还是有些难度的，好多整不来。抓紧时间整理一下。

week1

第1周基本是古典密码，古典和现代最大的区别是古典全靠猜，现在都是数学

立正

wl hgrfhg 4gNUx4NgQgEUb4NC64NHxZLg636V6CDBiDNUHw8HkapH :jdoi vl vlkw  ~xrb wd nrrT Y:

只给这么一段，全靠猜其中:jdoi vl vlkw猜是this is flag，于是取反转再凯撒得到

:V Qook at you~  this is flag: EmxhE8tERKAfYAZ6S636dIWuEK46ZK4yRBdNdK4uRKd4 decode it 

显然这里的EmxhE8和flag{的ZmxhZ3s=差点，那就可能是大小写数字偏移并不同，分别用 不同的偏移计算得到flag的base64

import string 
from base64 import * dic = string.ascii_uppercasefor a in dic:for d in dic:print(a,d, b64decode((a+'8t'+d).encode()))a = 'wl hgrfhg 4gNUx4NgQgEUb4NC64NHxZLg636V6CDBiDNUHw8HkapH :jdoi vl vlkw  ~xrb wd nrrT Y:'
a = a[::-1]
c = ''
for v in a:if v in string.ascii_uppercase:c += chr(ord('A') + (ord(v)-ord('A')-8)%26)elif v in string.ascii_lowercase:c += chr(ord('a') + (ord(v)-ord('a')-3)%26)elif v in string.digits:c += chr(ord('0') + (ord(v)-ord('0')-5)%10)else:c += v #':Q Look at you~  this is flag: ZmxhZ3tZMFVfTVU1N181dDRuZF91UF9yMWdIdF9uMFd9 decode it'      
#flag{Y0U_MU57_5t4nd_uP_r1gHt_n0W}

checkin

QZZ|KQbjRRS8QZRQdCYwR4_DoQ7~jyO>0t4R4__aQZQ9|Rz+k_Q!r#mR90+NR4_4NR%>ipO>0s{R90|SQhHKhRz+k^S8Q5JS5|OUQZO}CQfp*dS8P&9R8>k?QZYthRz+k_O>0#>
 

带符号的猜base64以上的，base85(不过这个需要用python的解)以后厨子可以自动，再64,32,16

flag{Th1s_1s_B4s3_3nc0d3}

残缺的md5

苑晴在路边捡到了一张纸条，上面有一串字符串：KCLWG?K8M9O3?DE?84S9
问号是被污染的部分，纸条的背面写着被污染的地方为大写字母，还给了这串字符串的md5码值：F0AF????B1F463????F7AE???B2AC4E6
请提交完整的md5码值并用flag{}包裹提交

缺仨，爆破

import string 
from hashlib import md5
dic = string.ascii_uppercase for a in dic:for b in dic:for c in dic:v = f"KCLWG{a}K8M9O3{b}DE{c}84S9"if md5(v.encode()).hexdigest()[:4] == 'f0af':print(v, md5(v.encode()).hexdigest())#KCLWGXK8M9O3KDED84S9 f0af1443b1f463eafff7aebb8b2ac4e6
#flag{F0AF1443B1F463EAFFF7AEBB8B2AC4E6}	  

凯撒大帝

都说了是凯撒了，随波一键解密

pvkq{mredsrkyxkx}  --> flag{chutihaonan}

进制

16进制转字符略

okk

Brainfuck/Ook! Obfuscation/Encoding [splitbrain.org]   OOK解码

熊斐特

通过flag头可知道密文字母是字符表反着的

uozt{zgyzhs xrksvi}
flag{atbash cipher}

黑暗之歌

⠴⡰⡭⡳⠴⡰⡭⡰⡷⡲⡢⡩⡭⡡⠯⡩⡭⡡⡺⡩⡭⡡⠳⡩⡭⡡⡺⡩⡭⡡⡶⡩⡭⡡⡶⡩⡭⡡⡲⡩⡭⡡⡺⡩⡭⡡⠯⡩⡧⡊⡢⡩⡭⡡⠯⡩⡭⡡⡺⡃⡰⠫⡋⡚⡲⡍⡋⡮⠴⡰⡭⡶⡷⡲⡢⡩⡧⡊⡢⡃⡴⡵⡋⡁⡬⡵⡋⡁⡬⡵⡋⡁⡬⡳⡋⠲⠴⡯⡃⡗⠴⡰⡭⡴⠴⡰⡭⡶⡷⡲⡢⡩⡧⡊⡢⡩⡭⡡⡺⡩⡭⡡⡺⡩⡭⡡⠳⡩⡧⡊⡢⡩⡭⡡⠯⡩⡧⡊⡢⡃⡴⡵⡋⡚⡱⠫⡋⡚⡱⠫⡋⡚⡲⠵⠲⡺⠰⠽

显然是盲文，网站解密：盲文点字加密/解密 - 一个工具箱 - 好用的在线工具都在这里！

 得到base64 :4pms4pmpwrbima/imazima3imazimavimavimarimazima/igJbima/imazCp+KZrMKn4pmvwrbigJbCtuKAluKAluKAlsK24oCW4pmt4pmvwrbigJbimazimazima3igJbima/igJbCtuKZq+KZq+KZrz0=

得到的是音符，再用音符解密：文本加密为音乐符号,可自设密码|文本在线加密解密工具

♬♩¶♯♬♭♬♫♫♪♬♯‖♯♬§♬§♯¶‖¶‖‖‖¶‖♭♯¶‖♬♬♭‖♯‖¶♫♫♯= 

迷雾重重

显然是摩斯密码

..-. .-.. .- --. ----.-- -- --- .-. ... . ..--.- .. ... ..--.- ...- . .-. -.-- ..--.- ..-. ..- -. -----.-

难言的遗憾

电报码中文  电报码在线翻译（国际摩尔斯电码及中文电码） - 千千秀字

000111310008133175592422205314327609650071810649

小兔子可爱捏

带密码的加盐类

U2FsdGVkX1/lKCKZm7Nw9xHLMrKHsbGQuFJU5QeUdASq3Ulcrcv9

puzzleSolver

[*] FBE执行完毕, 明文如下:

Rc4Decrypt: b'\xe8s\xa1\x1b\xea\xd2\xeb>\x84\x0f\xaco\xe0iI!\x14\xf9\xe5[\xc4\xbe\xfd'

RabbitDecrypt: b'flag{i_love_technology}'

Rabbit2Decrypt: b'Au,\x16\x0c\xcbz\xd6H}\xe6\x86\xec\xe2\xe1\xc7\xad\xf4\xe7"\x87d\xce'

电信诈骗

#你好，我是秦始皇，我并没有死，我得到了长生不老药，但是药效有副作用，现在才醒。我刚花了一年在互联网上了解现在的时代，现在我要利用我地宫第四行第七列的无敌兵马俑军队卷土重来，但是我需要启动资金，vivo50作为启动资金，待我横扫天下，封你为大将军，赏你黄金万两！050f000a7e407151537802540b747176075178027552756d0256726262627c

从给出的提示应该是rot47 然后xor 50

a = bytes.fromhex('050f000a7e407151537802540b747176075178027552756d0256726262627c')
b = xor(b'2', a) #xor 50
#rot47
flag{Cr42y_7hursd4y_v1v0_5o!!!}

what is m

只用了bytes_to_long再用long_to_bytes回去就行了

from Crypto.Util.number import bytes_to_long
from secret import flagm = bytes_to_long(flag)
print("m =",m)# m = 7130439814057451234695775379926130082900059400844397142290673193355771803771881034799138892855846752495222756063903171606896511750369873549037743921052936152710997094795530508070507702804861

really_ez_rsa

rsa入门

from Crypto.Util.number import getPrime, bytes_to_longe = 65537
m = b''p = getPrime(128)
q = getPrime(128)
n = p * q
m = bytes_to_long(m)
c = pow(m, e, n)print("p =", p)
print("q =", q)
print("c =", c)
print("e =", e)p = 217873395548207236847876059475581824463
q = 185617189161086060278518214521453878483
c = 6170206647205994850964798055359827998224330552323068751708721001188295410644
e = 65537
long_to_bytes(int(pow(c,inverse_mod(e,(p-1)*(q-1)),p*q)))

week2

XOR

RSA给了p xor q 常规爆破题

n = 20810298530643139779725379335557687960281905096107101411585220918672653323875234344540342801651123667553812866458790076971583539529404583369246005781146655852295475940942005806084842620601383912513102861245275690036363402134681262533947475193408594967684453091957401932685922178406769578067946779033282889429596341714417295489842047781388337010440309434639274398589029236213499110100040841426995862849012466514170374143655264739023758914247116354182164550612494432327931655944868705959874670536031052370968354394583880324756639698871918124498442308334232127034553164826483441746719644515097123067550594588348951855987
c = 15294238831055894095745317706739204020319929545635634316996804750424242996533741450795483290384329104330090410419090776738963732127756947425265305276394058773237118310164375814515488333015347737716139073947021972607133348357843542310589577847859875065651579863803460777883480006078771792286205582765870786584904810922437581419555823588531402681156158991972023042592179567351862630979979989132957073962160946903567157184627177910380657091234027709595863061642453096671316307805667922247180282486325569430449985678954185611299166777141304330040782500340791721548519463552822293017606441987565074653579432972931432057376
e = 65537
#p⊕q
gift = 66138689143868607947630785415331461127626263390302506173955100963855136134289233949354345883327245336547595357625259526618623795152771487180400409991587378085305813144661971099363267511657121911410275002816755637490837422852032755234403225128695875574749525003296342076268760708900752562579555935703659615570PR.<x> = PolynomialRing(Zmod(N))
ok = False
def pq_xor(tp,tq,idx):global ok if ok:return if (tp+1)*(tq+1) == N:print(tp)print(tq)ok = Truereturn if tp*tq>N:return if (tp+(2<<idx))*(tq+(2<<idx))<N:return if idx<=400:try:f = tp + x rr = f.monic().small_roots(X=2^400, beta=0.4)if rr != []:print(rr)print(tp)print('p = ',f(rr[0]))ok = Truereturnexcept:passreturnidx -=1b = (gift >>idx)&1one = 1<<idx if b==0:pq_xor(tp,tq,idx)    pq_xor(tp+one,tq+one,idx)    else:   #1pq_xor(tp+one,tq,idx)pq_xor(tp,tq+one,idx)#N.nbits()=2048 gift.nbits()=1023  p,q的1024位为1
tp = 1<<1023
tq = 1<<1023
pq_xor(tp,tq,1023)p =  170986832479534233007906048950464510414382588164533889416767650420928742690929190093999799507883047422413122991286355305384227808800633111611572663168246588357071419165779511128259447564377245832827901688451015954867004306626552500789867499455455629032408110167560346510245108938981288797349665759162752876911
m = pow(c, invert(e, p-1),p)
long_to_bytes(m)
#flag{7428fbd7-639b-11ee-b51b-64d69af3cb76}

ezmath

PRNG题先求参

from Crypto.Util.number import *
from random import *
p = getPrime(128)
seed = randint(2, p - 1)class prng:n = pa,b = [randint(2, p - 1) for _ in range(2)]def __init__(self,seed):self.state = seeddef next(self):self.state = (self.state * self.a + self.b) % self.nreturn self.statedef main():gen = prng(seed)s = [seed]s.append(gen.next())s.append(gen.next())s.append(gen.next())s.append(gen.next())s.append(gen.next())s.append(gen.next())f = open("output.txt",'w')json.dump(s,f)f.close()flag = "flag{"+str(gen.next())+"}"return flag
main()#prng求参
out = [288530505749272642500730917886204398531, 63547143998110685331032679758907988154, 15151206512028268617888756820805603406, 268092204209244869520724955865278855216, 261067075335188593563542448889694952077, 138067838531633886698552659065694918861, 201319433320428898153580935653793106657]P.<a,b>=PolynomialRing(ZZ)
F = [a*out[i-1]+b - out[i] for i in range(1, len(out))]
I = Ideal(F).groebner_basis()
print(I)
# 求解参数a b n
res=[x.constant_coefficient() for x in I]
n = res[2]
a = -res[0]%n
b = -res[1]%n
n,a,b = 312769358113056565136009929613710078319,40963964079686917005166446559117876093,11856650155037935400579201826386146297next = (a*out[-1]+b)%n#flag{302184756857257140159769321021979097116}

ez_rsa

第1部分n由小因子组成可直接分解，第2部分是显然是共模攻击，不过这里明显c比较小，试着直接开13次成功

# from flag import flag
from Crypto.Util.number import getPrime, bytes_to_long
from math import prod
import libnumwith open("flag.txt","rb") as f:flag = f.read().strip()m = int.from_bytes(flag[:19],"big")
m1 = int.from_bytes(flag[19:],"big")e = 65537primes = [getPrime(64) for i in range(32)]
n = prod(primes)
c = pow(m,e,n)
print("c =",c)
print("n =",n)p = libnum.generate_prime(1024)
q = libnum.generate_prime(1024)
e1 = 13
e2 = 15
n1 = p * q
c1 = pow(m1, e1, n1)
c2 = pow(m1, e2, n1)
print("n1 =", n1)
print("e1 =", e1)
print("c1 =", c1)
print("n2 =", n1)
print("e2 =", e2)
print("c2 =", c2)c = 28535916699190273475273097091422420145718978597126134891571109006456944397344856577421369324831702083810238921719657496747722337086131545474384253288151783029981352196506749672783866527948391034258269669654392993063423671431837882584570973320095601407578443348352802850496429240170710269529489900871208384711844617081275862971410246759090936379744946527813691945129059991795202769186014306943707223831130752782380563227353615164053563120572722464543812139164048342504963081408349934180883607554389607335607410546630525512019818062185681153477671373000186961748278118124044645584490544698827467815360888525822167
n = 114107341297408283801468814470303963122122556489590451040619457052827864984505912502462030175984161431709841571908269123131659496812467145870607611968843929870716066046232009282431653653484798819370087696248364531531706249180822839879862098012984590503284615395588919199545142177727328844260380842155437987767067800740569616584597507776426572206990858918111272636507821551592564540694671795374831548677720629329358177802890287837056940407030212276399942462042866947423728888561392653713356355778914658317507319575084393752755452971007289968044006561357799908892371839922838486713582082980752194204224263283004373
e = 65537
#n可分解
fac = [11777892065426651999,9261040693807289549,9356350172425710359,14198042938738648387,10270880245559150279,16651625235320957803,10203735303764112277,10126802520926958821,17075632607344331131,15774106340553595249,16340211116882594287,15616762946597906161,16880270107514803247,10635881647150245973,15622487550947237203,10436802938040427139,13498192768855092449,11502613740816749197,10621161426185076191,13618885037077024279,10986943768724409089,16946507762934111301, 9281508366366115669,11964584391817142269,13428970346605599557,10040612110882504553,9723861249937499279,10100522426677320149,12712357180113548549,14147604789494386003,17088379813205887661,11718181938374860349]
phi = prod([i-1 for i in fac])
m = pow(c, invert(e,phi), n)
long_to_bytes(int(m))
#flag{05929ec9778ed739d94ee1a77b742714}n1 = 21235204662158833223664424963408105101885570855652885953922511758363954474947609854216589644512813634294435585894296340005122907229365513346971631594453999584706013889403572150499529308966742992668850443386284277210686717652643585324255759216699733045642544284406720854291604837774882256435503827543483289606177965628162259184958789025311291796067574924595051311298594432767265114154138693108465671184854794167878031822162731921299518989845784744659944947091213703810190708463199067553747177712259911724424547999547534441790125049383068377243727588278432796727885216967953646999183906479537750330738956233695342750567
e1 = 13
c1 = 5640630966585093229374938575158853304507369792931959909038819773057666482368490365383634362421839045569190487785222799103423460816096797210546343809620912249021763787314569982909943181390882015170344954037813745251119237402775124991005154299085147091159741067430623420349690886728161235034687649593258746455165172528681627568611599473627285223154284756417744280966157271904828156564067870877521824545300153084830020169048653830385763172792698591998191641849931039720453035065355411394516308865955772746815765864888631258825704788352584540380169938419618543124830541663995097651872542381
n2 = 21235204662158833223664424963408105101885570855652885953922511758363954474947609854216589644512813634294435585894296340005122907229365513346971631594453999584706013889403572150499529308966742992668850443386284277210686717652643585324255759216699733045642544284406720854291604837774882256435503827543483289606177965628162259184958789025311291796067574924595051311298594432767265114154138693108465671184854794167878031822162731921299518989845784744659944947091213703810190708463199067553747177712259911724424547999547534441790125049383068377243727588278432796727885216967953646999183906479537750330738956233695342750567
e2 = 15
c2 = 5481001445755770090420425478456880914921441486935672376394423326451811448703288166341447356603281843336826624725965666634194700496514262129376916108926167953996689011980280761368893884042609095616407660087448963015169181749124738976578495911295096014725354350167650232970262765851074146687931181216305972147994236689422572940877763047930111954798962097847426932730342258169023809341164876019161104439561164839132092594444017039073155506935768658830659965630065643619399324102814118128802834719820426253836317043818687888302054465994498115387703382090351794495827905499417861507007863378916334790750453883661675063377#设后部分也是19字节长 19*8*13 = 1976 < 2048
iroot(c1,13)
#(mpz(1142337509697915945204216120802149852473537661), True)
m = iroot(c1,13)[0]
long_to_bytes(m)
b'39d94ee1a77b742714}'
#39d94ee1a77b742714}

e?

e和phi有公因子2，先解出e//2的m再开根号

p= 70724362259337647663584082414795381346569735601816096923682814277857463878289
q= 114427188167532721707398034034072867253267857672869034942206947096293901917007
e= 1314
c= 4308122681135507736058122041934864039713319497673888928736468819190185301630702240416683093700232966794026900978699666246019059398861283337865339404916304m2 = pow(c, invert(e//2, (p-1)*(q-1)), p*q)>>> m2
mpz(1775318360179864378624277748331165796280824461853426513283863916662928311120204842695157660663163224199957292247552592476585297161)
>>> iroot(m2,2)
(mpz(42134526936704349079532070253042512071437224483290059738614559869), True)
>>> m = iroot(m2,2)[0]
>>> long_to_bytes(m)
b'flag{This_e_is_real_or_not}'

factorizing_n

分解n的时候发现n是p**5，直接解

n = 226515252384227990547287743140613580056836242860947832749754689048997071950972581790210817523352001702907675581567498443649554801433663166425134375454937126656357069687274036935331269594383360450823787099121079436459236734336130768046337169817940540921822023269188752420603975467384377614321048859304185067329741055517464271746238143742661897809442359331215501438861121047081117632626097939097519866099140569819965948998542652908170134545593659233229897003698175558888336706474178958535138595687148003367152624421106553412886263257022809480187410133186189435436294593588009551451899398811758511878324326255293307347560753524372663257044426744744426759970254203341706284024734042826158828749144322843934985927079504722440497388146240627249465363931951790326885478025237643
c = 52409805591744226507807531465616894934028463651864630447934395956954575834603756391651746535033902964658694070544877880970130028487381287088425209448038533705903737694267359561133766799228825599943891152463160326583722749586721691729062524310148743637505134465210906856660867852927837112666513674858029892207902196213784902541173835447263733760225682942461048573387925463479672527491229113710629340960375692432470493054415657845868577650170648157402682163577152288432313996310562452677399267755695644659367792066311336521698894993982901657735586844358679888210537898629281625526455444811591386493005341435516094660429968084363084301878446471676122069724608083578102382181382107225473535696274374370868301830807644939881080301668756603163431000745972823980427048672732291
e = 65537fac = [11776588228599764849559519654482976956833367474471407292255776713760090338489966385328569279135095351660161277221351884258247731394014018172166064062551483,11776588228599764849559519654482976956833367474471407292255776713760090338489966385328569279135095351660161277221351884258247731394014018172166064062551483,11776588228599764849559519654482976956833367474471407292255776713760090338489966385328569279135095351660161277221351884258247731394014018172166064062551483,11776588228599764849559519654482976956833367474471407292255776713760090338489966385328569279135095351660161277221351884258247731394014018172166064062551483,11776588228599764849559519654482976956833367474471407292255776713760090338489966385328569279135095351660161277221351884258247731394014018172166064062551483]
from math import prod phi = fac[0]**4*(fac[0]-1)
m = pow(c, invert(e,phi), n)
long_to_bytes(int(m))
#flag{1f95f530f85b940db810fc917607ee22}

哈希猫

给了一堆hash值，一个个爆破

import hashlib
from secret import flagassert flag[:5] == "flag{"
assert flag[-1:] == "}"
flag = flag[5:-1]
assert len(flag) == 43print(hashlib.sha512(flag[0:2].encode()).hexdigest())
print(hashlib.md5(flag[2:5].encode()).hexdigest())
print(hashlib.sha512(flag[5:7].encode()).hexdigest())
print(hashlib.md5(flag[7:10].encode()).hexdigest())
print(hashlib.sha384(flag[10:12].encode()).hexdigest())
print(hashlib.sha384(flag[12:14].encode()).hexdigest())
print(hashlib.sha256(flag[14:16].encode()).hexdigest())
print(hashlib.sha256(flag[16:18].encode()).hexdigest())
print(hashlib.sha384(flag[18:20].encode()).hexdigest())
print(hashlib.sha224(flag[20:22].encode()).hexdigest())
print(hashlib.sha224(flag[22:24].encode()).hexdigest())
print(hashlib.sha1(flag[24:27].encode()).hexdigest())
print(hashlib.md5(flag[27:30].encode()).hexdigest())
print(hashlib.md5(flag[30:33].encode()).hexdigest())
print(hashlib.sha512(flag[33:35].encode()).hexdigest())
print(hashlib.sha384(flag[35:37].encode()).hexdigest())
print(hashlib.sha384(flag[37:39].encode()).hexdigest())
print(hashlib.sha256(flag[39:41].encode()).hexdigest())
print(hashlib.md5(flag[41:43].encode()).hexdigest())

hv = ['f3dc242bd42a8cbb4cc0f0f5d770f54b5e0f5473bef389ec8d0f6fed7d5532ce1a5bad31f9121b07c10f925099887ba335b079a546db2bf9e8cb40186abca8b5','2ccdb2015049d76ccefcc9bc9df1bfe9','092ca0da5f25c595eae6cc725dc12ae75889a639d205733223cb9cfaeaa702a521971e57f768079b03d53c8f092bb2c597cc3adb4a98224a144c5d62461beb52','14e940d7e2b82dbbe27a08813b7cbb1d','5bf9859e59e1c81748f63e0ce663f76f5c494b37da01de2c375a851eac00053fd550d777dad95bb90e77474ae2fcf89e','f370fe8f432e0de9440ef9c1f98b8b3e6ff4e748e79673bf556361dde9bf99606be041d244e447d4881639969fa541d2','d478e626a6959e31e22a61451c13d639699877b187e44505f89c98b686c6d845','d32a29b4a83ca5eef3e0d1983db8f61e5d2208c876892ff120d790080433a4ba','3e1d845490a0fa282de47c746e3cab40067620722a222634a164582c17672534c36eda6f1cc7c9b3b3e170f9aeaa8ecb','379e9548414e1a56aaf2d1e62b4bdcd8305fc705a31f00da4bb89312','5598556fc00e3641a3a9fa69182e7f6a8107c9148f248b92a51f1a77','446e2787acde609c9908273b1f727422afa691ba','ff186448736f67c8790388b678c682f6','ee0d387df8b1b937ed03a23848d68c53','d8754279bd2410ee9bb0d9c57da0122ff1313a2094e31fa5b6fecc1158c28379465cf9af176e8b974e022081d59300da11af54ea2b7ffefcec99a2d90990060e','34d69a8fd2da685be602c82ca99ebaa6430e52b70a2530066064d3feb6c2c5e236268b3a30d3d68661a7404275196c3d','0f19ad7a3aa8b92ddc3a4828f57b540c3d3e34b9dfee263462e6a83c22d19cbcbf65a86f25e9124e7cf8488622071693','76a8277347f52530e1cf979175a178980b3a180d176165c985d85f7e142f1eed','14ef8abfe3ae0194a39de558fbcfa765']from hashlib import sha512, md5, sha384, sha256, sha224, sha1
import stringsdic = string.printable
flag = ''
#print(hashlib.sha512(flag[0:2].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha512((v1+v2).encode()).hexdigest() == hv[0]:flag += v1+v2print(flag)break#print(hashlib.md5(flag[2:5].encode()).hexdigest())
for v1 in dic:for v2 in dic:for v3 in dic:if md5((v1+v2+v3).encode()).hexdigest() == hv[1]:flag += v1+v2+v3print(flag)break#print(hashlib.sha512(flag[5:7].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha512((v1+v2).encode()).hexdigest() == hv[2]:flag += v1+v2print(flag)break#print(hashlib.md5(flag[7:10].encode()).hexdigest())
for v1 in dic:for v2 in dic:for v3 in dic:if md5((v1+v2+v3).encode()).hexdigest() == hv[3]:flag += v1+v2+v3print(flag)break#print(hashlib.sha384(flag[10:12].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha384((v1+v2).encode()).hexdigest() == hv[4]:flag += v1+v2print(flag)break#YOU'vE_cOm3_
#print(hashlib.sha384(flag[12:14].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha384((v1+v2).encode()).hexdigest() == hv[5]:flag += v1+v2print(flag)break#print(hashlib.sha256(flag[14:16].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha256((v1+v2).encode()).hexdigest() == hv[6]:flag += v1+v2print(flag)break#print(hashlib.sha256(flag[16:18].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha256((v1+v2).encode()).hexdigest() == hv[7]:flag += v1+v2print(flag)break#print(hashlib.sha384(flag[18:20].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha384((v1+v2).encode()).hexdigest() == hv[8]:flag += v1+v2print(flag)break#print(hashlib.sha224(flag[20:22].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha224((v1+v2).encode()).hexdigest() == hv[9]:flag += v1+v2print(flag)break#YOU'vE_cOm3_t0_uNDeR57
#print(hashlib.sha224(flag[22:24].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha224((v1+v2).encode()).hexdigest() == hv[10]:flag += v1+v2print(flag)break#YOU'vE_cOm3_t0_uNDeR574n
#print(hashlib.sha1(flag[24:27].encode()).hexdigest())
for v1 in dic:for v2 in dic:for v3 in dic:if sha1((v1+v2+v3).encode()).hexdigest() == hv[11]:flag += v1+v2+v3print(flag)break#print(hashlib.md5(flag[27:30].encode()).hexdigest())
for v1 in dic:for v2 in dic:for v3 in dic:if md5((v1+v2+v3).encode()).hexdigest() == hv[12]:flag += v1+v2+v3print(flag)break#print(hashlib.md5(flag[30:33].encode()).hexdigest())
for v1 in dic:for v2 in dic:for v3 in dic:if md5((v1+v2+v3).encode()).hexdigest() == hv[13]:flag += v1+v2+v3print(flag)break#YOU'vE_cOm3_t0_uNDeR574nD_HaSH_28
#print(hashlib.sha512(flag[33:35].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha512((v1+v2).encode()).hexdigest() == hv[14]:flag += v1+v2print(flag)break#print(hashlib.sha384(flag[35:37].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha384((v1+v2).encode()).hexdigest() == hv[15]:flag += v1+v2print(flag)break#print(hashlib.sha384(flag[37:39].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha384((v1+v2).encode()).hexdigest() == hv[16]:flag += v1+v2print(flag)break#print(hashlib.sha256(flag[39:41].encode()).hexdigest())
for v1 in dic:for v2 in dic:if sha256((v1+v2).encode()).hexdigest() == hv[17]:flag += v1+v2print(flag)break#print(hashlib.md5(flag[41:43].encode()).hexdigest())
for v1 in dic:for v2 in dic:if md5((v1+v2).encode()).hexdigest() == hv[18]:flag += v1+v2print(flag)break#YOU'vE_cOm3_t0_uNDeR574nD_HaSH_281e8c4Db35b

week3

Classical Master 未完成

e=3

给了N,e,c并且N由3个因子组成，每个都是一个M进制数。

from Crypto.Util.number import *
import random
from secret import flagM = 2**54
k = 6def gen_prime(M, k):while True:prime = sum([random.getrandbits(16) * M**i for i in range(k)])if isPrime(prime) and (prime-1) % 3 == 0:return primep, q, r = [gen_prime(M, k) for i in range(3)]
N = p * q * r
e = 3
m = bytes_to_long(flag)
c = pow(m, e, N)
print(f'N = {N}')
print(f'c = {c}')

对于M进制可以直接用sage来分解

e = 3
N = 3298593732762513945346583663585189774036688951059270517149719979434109398447628726951796006700754759352430339647168415338320547665794785951232342902233013221132246450312038122695046634624323814318286314664160113738299465643128504110932989263063331290006313
c = 869489491924953293290699796392271834401780578884556874640489836779925847562085802848542382525324081900560761299059365684697233025590164192409062717942292142906458498707677300694595072310705415037345581289469698221468377159605973403471463296806900975548438
M = 2**54
k = 6poly = sum(e * x^i for i,e in enumerate(Integer(N).digits(M)))  #不要设置x
(pp,_),(pq,_),(pr,_) = poly.factor_list()#p,q,r = 103574226729554375480512668967949133854292403117507474988278388756193462602107352821951, 47963432552002818180880760250824590058982930733941748241661938238195705638187268342813, 663998156522471100999941798165706402858681862228017448075268472245282758965006970051

 然后是这个3的问题，因为每个因子-1都含因子3，所以用AMM算法对每个因子取3次方根，再求CRT

#与e都有公因子,求CRT
res = []
for v in [p,q,r]:P.<x> = Zmod(v)[]f = x^e - cf = f.monic()res.append(f.roots())from itertools import product
from Crypto.Util.number import long_to_bytesp,q,r = int(p),int(q),int(r)
for i,j,k in product(*res):m = CRT_list([int(i[0]), int(j[0]), int(k[0])],[p,q,r])flag = long_to_bytes(int(m))print(flag)if b'flag' in flag:print(flag)break
#flag{e1b7d2c2-e265-11eb-b693-98fa9b5bc5fe}

撤退！

flag分两部分，分别加密。

from Crypto.Util.number import *flag = *******
p = getPrime(1024)
q = getPrime(1024)
n = p * qhb = len(flag)//2
hb1 = bytes_to_long(flag[:hb])
hb2 = bytes_to_long(flag[hb:])
D = 117
x = *******
y = *******
assert x**2 - D * y**2 == 1
enc1 = pow(334 * n ** 2 + 1, hb1, n ** 3)
enc2 = pow(y * n + 1, hb2, n ** 3)
print(n)
print(enc1)
print(enc2)

第1部分因为模是n**3所以，展开式子后所有ｎ**3以上的项全部为0所以得到下式,由于显然hb1比n要小,所以可以将结果直接除得到hb1

enc == hb1*334*n**2 + 1 mod n**3 

n = 22970461944771505344360312103272646796516672838005008112295760406393062653512719537671401409823031480497512491850701737384621917068068328814717390355072928714618936469722031401433712342846780800586803218279291870162605299119904016959036663767093191710796830156169925350938267584422752300171293262391805105435418210827517225439398971437884496416502510866914857269951072184669675339439115587325754431761172634305242650221404868035624879538862880516438147301289746375407945908866907822940285764276956194031840381838253923392794376568293056359058519233175242523219646628321609305890926063856400793680641992567798104042179
c1 = 26380574883568223071748995929433720836641856899148821439556557592284999544802260386919172895274884666117488851000353221957579311943624258651646692068406462392980585841604755021251430357273933800209194484692955106014890051223465745443628784077844452303995642424661442978294757109040081050794398646640530714904683097650259060507908334791761124660725589404056356987726993518057050112725483482660202442987346646160168856264312557595890710521723067518303906942469282527855551751244126251698491010628369012024332666619702895796133780038584346428759785302542637171018926824843416176876077558936427399803328577151066597396550597352625005028261156114571696860700477410270949916316951150072218466374341394892405947793726872954497972795793421222424616005278493704125169150432275472846871295341469911428057621028515874978272004775903906188556908968810828510069826724631700523623584802605889173266453916347583720706846630531082266742377818663000322817114065116737931523412220137972079139507877669106470150742546914051556747087768279286696519700220233815812834114117581332234344024169109786527295900675653245014343393093832478814567179131966404207553408747774003319241150221488231674711614902743345516888975702483348011349617017294004761259419165663633915672647187482242462163420462987034240805524991
c2 = 21190674872507845600786632640969893237129139877891071648594239906632201421611954626926407751780936578853046780585253060958265549804784845192757301417173404074965693840282568701968464564320290763073618132775799910356101999797720378313304899173154753858674284071499775857913937184713024788245068426198878834805943703426673512761178072458895973672088230653246356764681418231485563287856188079274727706554037799748595877069143254516390328019381867648697880975670688337068196993846986940286056873616919629721264139576692806770826129279380704466982862393203486037890448173834315360975464927583664991534571518159777852793416869350127023692816051992183670690315184731534611966603509867722931839839084915943647295195314171688904055674915382434841320612108023531722571519492067471405656160804893645713608592561788743509876384862097871840094582513721456962354498561006793609200187065931433827465455037397503619844768415369973322759940610358415184510344945559838007474725413347675347453443583610217539704055467297318282309867987435252614428856515259899385689971172417660178761139941056839133998928898528744331662995956041897599276732929020537698559927654297185422925737241274711904687894411308774527520523946951208805307060323875839353707549772052299847176824964552693112658495961070555882583739017417359463576705453026824255338859618053086622031941#enc1 = hb1*334*n^2 + 1 mod n^3 
hb1 = (c1 - 1)//334//n**2 
long_to_bytes(hb1)
#b'flag{6c6eb27a-061b-ba'

 同样的方法得到hb2*y 这个y是佩尔方程的一个解.虽然佩尔方程有无数解,但一般这里就用其一也就够了.

hb2 = (c2%n**2-1)//ndef solve_pell(N, numTry = 100):cf = continued_fraction(sqrt(N))   for i in range(numTry):denom = cf.denominator(i)numer = cf.numerator(i)        if numer^2 - N * denom^2 == 1:return numer, denom    return None, Nonedef gen_pell(D):x, y = solve_pell(D)xs = [x]ys = [y]while True:yield xs[-1], ys[-1]x_i = xs[0] * xs[-1] + D * ys[0] * ys[-1]y_i = xs[0] * ys[-1] + ys[0] * xs[-1]xs.append(x_i)ys.append(y_i)for (x,y) in gen_pell(117):if hb2%y == 0:print(y,long_to_bytes(int(hb2//y)))if y>0x10000000:break #  flag{6c6eb27a-061b-baf4-4cae26-5a609588ce}

好好好！

给了e,dp,n,c和一个残缺的表

#***EGK*MAPZ**3TISLXYHW*B4*R*6CQV
e=65537
dp=89183181604123417010894108474901628410408206538085478807758137668201829058797702838603939730356798163745078443656032825128645105954284119126609502005130005399692420386460970318283171848176434285488698019425286328269756591931253074416895028845240978211030365697435579850343911269163064228581083838914477473793
n=17133884272385326910236146208723169235592379139078245324256146697759098524213354087333170410075813764497353656874360657828668202585141557095326829141561993608634568037533128091918704136052835609732443342167341276983343070200953604216445186924411131823487594273213380078485528148801722039459601896275130691200206027353715109606722659553700867073796386669768748305283547862565020499794358571741903375812063001390288166187510171105241363677243530996160649133253643422391688399573703498726489248479978887237752214015456924632092625018668632234215462091314384917176427670194819828555385014264912614752917792278216214856001
c=7297673446200396117470312266735704951424121735299327785232249350567349180167473433806232931862684106388722088953786183522191592452252650217579986150373463901393038386627370305688040315665037164819432754099421229466379901436696822022518438390977543864543590936753547325597766614648063328562516667604171990354928485383191174966274941678597887943784661684719053108281896697098991347034225406718530599672101743303723470910913422462764406680309933367328977341637394665138995676573466380198978810546689819954949832833954061771415463198737542769848298258925680570823701939997224167603657418270886620562332895947413332492672

从外形上猜测为base32变表,这个是需要爆破的表,差9个字节,规模不大.

在已知dp的情况下 e*dp = 1 mod p-1 => e*dp = 1 + k*(p-1) 这里k<e直接爆破

for i in range(2, e):if (e*dp - 1)%i == 0:p = (e*dp-1)//i +1if gcd(p,n) != 1:print(p)breakq = n//p 
m = long_to_bytes(pow(c,invert(e,(p-1)*(q-1)), n))
m = m.decode()
#b'7U25DUJJ7USYATEN5SREOFFG5NY57FPS77U5DFPY54JEG3NYKWSYA3YD5CXYTTNW53QS===='  

 对于结果可以很容易看到是base32结合前边的码表,确认为base32变表爆破

tmp = '***EGK*MAPZ**3TISLXYHW*B4*R*6CQV'
tab = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
last = ''
for i in tab:if i not in tmp:last += i #'DFJNOU257'
import itertools
for v in itertools.permutations(last, 9):ncode = v[0]+v[1]+v[2]+'EGK'+v[3]+'MAPZ'+v[4]+v[5]+'3TISLXYHW'+v[6]+'B4'+v[7]+'R'+v[8]+'6CQV'tran = str.maketrans(ncode,tab)flag = m.translate(tran)if b'flag' in b32decode(flag):print(b32decode(flag))#flag{fa48a440-d0ff-0c2a-366243-a46b7e7853}     

easyrsa

给了n1,n2,c和两个leak,c是由n1加密来的,n1的因子p1是由n2加密的leak2,leak1是n2两个因子的和去掉400位.

from Crypto.Util.number import *
from flag import flagp1 = getPrime(512)
q1 = getPrime(512)
n1 = p1 * q1e = 65537p2 = getPrime(1024)
q2 = getPrime(1024)
n2 = p2 * q2leak1 = (p2+q2) >> 400
leak2 = (p1 & ((1 << 350) - 1)) >> 5enc = pow(leak2,e,n2)
c = pow(bytes_to_long(flag),e,n1)
f = open(f'output.txt','w')
f.write(f'n1 = {n1}\n')
f.write(f'n2 = {n2}\n')
f.write(f'leak1 = {leak1}\n')
f.write(f'enc = {enc}\n')
f.write(f'c = {c}')
f.close()

由于已知和,可以直接用算子q2 = leak1-p2 ;n2==p2*(leak1-p2) 求出

n1 = 105813626754830369767796578799226643889033227412658130226893708851110720416468059965713264658478299377654212587044247669928410442281831382577490105352633718272894531572352233211881056495752193201866649055622358234888531194346296702453105176147272971386928767457928148705433435309063146652094354833396307613911
n2 = 20369481027961668058257949652346266097405331865071244844827896944882851755421021125005038786750268341013032202394581223828526073179263634639721089663050687773353438686984875196973012077948955566738301337866191557952973517042420660699281973702694965572488938789954679350791243570953680441483360036599350550534192027759384675611155970913348616382186229565994100357427843446265863186624731991521034305958565644266001622849342042747046352413268149901263629515623929619659379883036239511300563910486156582808698915297257307692017642458823600500445082987244477251123335410633989767118317681371314078169733374888688620813839
leak1 = 110733171993470709195465104383246525062178362778220972191726705114514369848757940664883819735824778128179586221599072975207093223575285541338555960658178287486722693023393688158120847028382
enc = 3724360314735337348015983350518926695244720487101059718828225257324872465291143851090607580822961202894850524395217010317254775500983396154162166500198523991652838543842978138662752717532358799622372813160573374563924704242911344052149200174619645796187521459916955545794017698320367273671936314947729523150627463505338870024421481261166504454532278895870561732979282672259730923724762173494886613682487373643406390205027508946750313076817576295795818790961232101069994823561840743308871216879655652136743807002025483269687509388947008928281179566366429525183899914275273098400627187051739816901887290337980735995613
c = 38127787578353827234498259231834082660893046004292279030517959465543348558091033172704284501791369355347078715874056471582324178524957666710131669794646539355849074198396968523041568909435662208846480656877184197877122598569708545477705274221697660270808685794034776172296500330563270867517390911486555286886#书籍 p+q前400位，分解 
RF = RealField(2048) #2048位精度实数
X = polygen(RF)
f = X*((leak1<<400)-X) -n2 
P_high = int(f.roots()[1][0])
#P_high = (P<<410)>>410    #未知部分400位,但会有进位影响
PR.<x> = PolynomialRing(Zmod(n2))
f1 = x + P_high 
x0 = f1.small_roots(X=2^410, beta=0.4)[0]
P = f1(x0)
print(n2%P)
p2 = 151399048655298148018688323609718705920605086712318698086250277971491481779504840614471253946764630599745412866850500656954922361816231030123945084396794404269982437117950486373905356265950808460057643971210951709676705550508291196476405125057071271317182732652055355984683359771176148502822187125614565868259
q2 = n2//p2
leak2 = pow(enc,inverse_mod(e, (p2-1)*(q2-1)),n2)
#leak2 = 22334810767801800995021872014176778873829048161801414909315794486047873481911273730826962574216771288781

得到的leak2是p1的低250位,最后差5位爆破

#已知p低位250
for i in range(1<<5):P.<x> = PolynomialRing(Zmod(n1))f = x*2^350 + (leak2<<5) + i a = f.monic().small_roots(X=2^165, beta=0.4)if a != []:print(a)p1 = int(f(a[0]))breakp1 = 11239391699442192016394616757221620834717629054697859972076207292592548525033647125013001671320452447403380966370885392089905799108483165855335320142731687
q1 = n1//p1 
flag = pow(c, inverse_mod(e, (p1-1)*(q1-1)),n1)
long_to_bytes(int(flag))
#flag{9995eae8acaac286c7b72e50e5258dc3}

ECC

这是个LCG+ECC的题,LCG给了3个值,往前数60个是ECC的模.

from Crypto.Util.number import bytes_to_long ,getPrime
from random import randint
from secret import flag , p, A, B
class LCG:def __init__(self, seed, multiplier, increment, modulus):self.state = seedself.multiplier = multiplierself.increment = incrementself.modulus = modulusdef round(self):self.state = (self.state * self.multiplier + self.increment) % self.modulusreturn self.stateLcG = LCG(p, A, B, getPrime(300))
hint = []
rounds = randint(9,999)
for i in range(rounds):hint.append(LcG.round())print('N =', LcG.modulus)
print('hint =', hint[rounds-3:])
print('rounds =',rounds)m = bytes_to_long(flag)
E = EllipticCurve(GF(p),[A,B])
P = E.random_point() 
Q = m*Pprint ('P:',P)
print ('Q:',Q)

先利用3个值求出LCG的参数用groebner基,再向前用矩阵快速幂求出p

N = 1622996210275495524415546207165111555461818617760928404877658588675495944260654951864283379 
hint = [713639579049060812852333231550562069742588135637306914756167956397882885703208543969455666, 1412425807767988172193658731165227963492352540089638244974790464316609610824614257502352192, 903815200254202468724285503874489144090795387999581087079208549575693265029736671535102206]
rounds = 63# P:(7481989061375947278244526545749845482078382398176888016051779076876133332062 : 57031893761619747497472816866393779317793294007089207619093276377523439028275 : 1)
# Q:(79841674941577756246978777606456268236393494145560479454284566061677742019041 : 87857173094842296317733623233803453998634160281458363114524499136715249901460 : 1)#LCG 3点求参
c1,c2,c3 = hint
P.<a,b>=PolynomialRing(Zmod(N))
f1 = a*c1+b - c2
f2 = a*c2+b - c3
F = [f1,f2]
ideal = Ideal(F)
I = ideal.groebner_basis()
print(I)
# 求解参数a b n
res=[x.constant_coefficient() for x in I]
a = -res[0]%N
b = -res[1]%N#         |a 0|^61
# (p,1) * |b 1|   = (c1,1)
M = matrix(GF(N), [[a,0],[b,1]])
C = vector(GF(N), [c1,1])
v = (M^61).solve_left(C)
p = v[0]
p = 91720173941422125335466921700213991383508377854521057423162397714341988797837

最后这一步给了提示 E.order() == p  所以用smart方法

E = EllipticCurve(GF(p),[a,b])
P = E(7481989061375947278244526545749845482078382398176888016051779076876133332062 , 57031893761619747497472816866393779317793294007089207619093276377523439028275)
Q = E(79841674941577756246978777606456268236393494145560479454284566061677742019041 , 87857173094842296317733623233803453998634160281458363114524499136715249901460)
#smartattack
#E.order() == 91720173941422125335466921700213991383508377854521057423162397714341988797837 == p 
m = SmartAttack(P,Q)
#706900059474724368227785304595240799804416697714111300227783044841951101
long_to_bytes(m)
b'flag{7HAtS_e4SyeST_3Cc_EfcT9O}'