第三届黄河流域公安院校网络安全技能挑战赛
这次比赛个人25名,ban后19名
个人wp,仅供参考
初次接触博客,又快期末考试了,可能一些细节做的不好,下次一定改
Reverse
qgd
part1
是一个汇编语言,分析逻辑
0x0000000000000000: 48 89 4C 24 08 mov qword ptr [rsp + 8], rcx
0x0000000000000005: 55 push rbp
0x0000000000000006: 57 push rdi
0x0000000000000007: 48 81 EC 28 01 00 00 sub rsp, 0x128
0x000000000000000e: 48 8D 6C 24 20 lea rbp, [rsp + 0x20]
0x0000000000000013: 48 8D 0D 34 08 01 00 lea rcx, [rip + 0x10834]
0x000000000000001a: E8 96 FB FF FF call 0xfffffffffffffbb5
0x000000000000001f: 48 83 BD 20 01 00 00 00 cmp qword ptr [rbp + 0x120], 0
0x0000000000000027: 75 05 jne 0x2e
0x0000000000000029: E9 BF 00 00 00 jmp 0xed
0x000000000000002e: 48 8B 8D 20 01 00 00 mov rcx, qword ptr [rbp + 0x120]
0x0000000000000035: E8 7D F9 FF FF call 0xfffffffffffff9b7
0x000000000000003a: 48 89 45 08 mov qword ptr [rbp + 8], rax
0x000000000000003e: 48 C7 45 28 00 00 00 00 mov qword ptr [rbp + 0x28], 0
0x0000000000000046: EB 0B jmp 0x53
0x0000000000000048: 48 8B 45 28 mov rax, qword ptr [rbp + 0x28]
0x000000000000004c: 48 FF C0 inc rax
0x000000000000004f: 48 89 45 28 mov qword ptr [rbp + 0x28], rax
0x0000000000000053: 48 8B 45 08 mov rax, qword ptr [rbp + 8]
0x0000000000000057: 48 39 45 28 cmp qword ptr [rbp + 0x28], rax
0x000000000000005b: 0F 83 8C 00 00 00 jae 0xed
0x0000000000000061: 48 8B 45 28 mov rax, qword ptr [rbp + 0x28]
0x0000000000000065: 48 FF C0 inc rax
0x0000000000000068: 33 D2 xor edx, edx
0x000000000000006a: B9 02 00 00 00 mov ecx, 2
0x000000000000006f: 48 F7 F1 div rcx
0x0000000000000072: 48 8B C2 mov rax, rdx
0x0000000000000075: 48 83 F8 01 cmp rax, 1
0x0000000000000079: 75 2A jne 0xa5
0x000000000000007b: 48 8B 45 28 mov rax, qword ptr [rbp + 0x28]
0x000000000000007f: 48 8B 8D 20 01 00 00 mov rcx, qword ptr [rbp + 0x120]
0x0000000000000086: 48 03 C8 add rcx, rax
0x0000000000000089: 48 8B C1 mov rax, rcx
0x000000000000008c: 0F BE 00 movsx eax, byte ptr [rax]
0x000000000000008f: 83 F0 31 xor eax, 0x31
0x0000000000000092: 48 8B 4D 28 mov rcx, qword ptr [rbp + 0x28]
0x0000000000000096: 48 8B 95 20 01 00 00 mov rdx, qword ptr [rbp + 0x120]
0x000000000000009d: 48 03 D1 add rdx, rcx
0x00000000000000a0: 48 8B CA mov rcx, rdx
0x00000000000000a3: 88 01 mov byte ptr [rcx], al
0x00000000000000a5: 48 8B 45 28 mov rax, qword ptr [rbp + 0x28]
0x00000000000000a9: 48 FF C0 inc rax
0x00000000000000ac: 33 D2 xor edx, edx
0x00000000000000ae: B9 02 00 00 00 mov ecx, 2
0x00000000000000b3: 48 F7 F1 div rcx
0x00000000000000b6: 48 8B C2 mov rax, rdx
0x00000000000000b9: 48 85 C0 test rax, rax
0x00000000000000bc: 75 2A jne 0xe8
0x00000000000000be: 48 8B 45 28 mov rax, qword ptr [rbp + 0x28]
0x00000000000000c2: 48 8B 8D 20 01 00 00 mov rcx, qword ptr [rbp + 0x120]
0x00000000000000c9: 48 03 C8 add rcx, rax
0x00000000000000cc: 48 8B C1 mov rax, rcx
0x00000000000000cf: 0F BE 00 movsx eax, byte ptr [rax]
0x00000000000000d2: 83 F0 58 xor eax, 0x58
0x00000000000000d5: 48 8B 4D 28 mov rcx, qword ptr [rbp + 0x28]
0x00000000000000d9: 48 8B 95 20 01 00 00 mov rdx, qword ptr [rbp + 0x120]
0x00000000000000e0: 48 03 D1 add rdx, rcx
0x00000000000000e3: 48 8B CA mov rcx, rdx
0x00000000000000e6: 88 01 mov byte ptr [rcx], al
大概就是处理逻辑是一个循环,对每个字节根据索引位置执行不同的 XOR 操作:
- 如果索引是奇数(通过
div 2和检查余数是否为 1 判断),则与0x31异或 - 如果索引是偶数,则与
0x58异或
写代码亦或
encrypted_part1 = [88, 47, 80, 54, 95, 57, 90, 54, 94, 47]
def decrypt_flag(encrypted_data):
decrypted = []
for i, byte in enumerate(encrypted_data):
# 汇编中使用inc rax,所以我们需要调整索引
adjusted_index = i + 1
if adjusted_index % 2 == 1: # 奇数索引
decrypted.append(byte ^ 0x31)
else: # 偶数索引
decrypted.append(byte ^ 0x58)
return bytes(decrypted).decode('ascii')
flag_part1 = decrypt_flag(encrypted_part1)
print(f"解密后的第一部分flag: {flag_part1}")
#解密后的第一部分flag: iwannaknow
part2
先用die查看发现是打包工具: PyInstaller[modified],所以解个包先
再反编译pyc,w000这个文件名就很可疑
# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information
# Version : Python 3.9
from secret import decrypt
key = bytes.fromhex('EC3700DFCD4F364EC54B19C5E7E26DEF6A25087C4FCDF4F8507A40A9019E3B48BD70129D0141A5B8F089F280F4BE6CCD')
ciphertext = b'\xd4z\'0L\x10\xca\x0b\x0b\xaa\x15\xbeK0"\xbf\xb2\xc6\x05'
cipher = decrypt(ciphertext, key)
a = bytes(input('flag呢'), 'utf-8', **('encoding',))
if a == cipher:
print('没错没错')
else:
print('不对不对')
所以再反编译一下secret.pyc:
# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information
# Version : Python 3.9
def key_schedule(key = None):
S = list(range(128))
v6 = 0
for j in range(128):
v6 = (S[j] + key[j % len(key)] + v6) % 128
v6 = (v6 ^ 55) % 128
S[j] = S[v6]
S[v6] = S[j]
return S
def next_byte(state = None):
S = state['S']
state['i'] = (state['i'] + 1) % 128
state['j'] = (state['j'] + S[state['i']]) % 128
S[state['i']] = S[state['j']]
S[state['j']] = S[state['i']]
v2 = S[(S[state['i']] + S[state['j']]) % 128]
return (16 * v2 | v2 >> 4) & 255
def decrypt(ciphertext = None, key = None):
state = {
'S': key_schedule(key),
'i': 0,
'j': 0 }
plaintext = bytearray()
for byte in ciphertext:
plaintext.append(byte ^ next_byte(state))
return bytes(plaintext)
是一个rc4加密,逆向算法,写代码:
def key_schedule(key=None):
S = list(range(128))
v6 = 0
for j in range(128):
v6 = (S[j] + key[j % len(key)] + v6) % 128
v6 = (v6 ^ 55) % 128
S[j], S[v6] = S[v6], S[j]
return S
def next_byte(state=None):
S = state['S']
state['i'] = (state['i'] + 1) % 128
state['j'] = (state['j'] + S[state['i']]) % 128
S[state['i']], S[state['j']] = S[state['j']], S[state['i']]
v2 = S[(S[state['i']] + S[state['j']]) % 128]
return (16 * v2 | v2 >> 4) & 255
def decrypt(ciphertext=None, key=None):
state = {
'S': key_schedule(key),
'i': 0,
'j': 0
}
plaintext = bytearray()
for byte in ciphertext:
plaintext.append(byte ^ next_byte(state))
return bytes(plaintext)
# 给定数据
key = bytes.fromhex('EC3700DFCD4F364EC54B19C5E7E26DEF6A25087C4FCDF4F8507A40A9019E3B48BD70129D0141A5B8F089F280F4BE6CCD')
ciphertext = b'\xd4z\'0L\x10\xca\x0b\x0b\xaa\x15\xbeK0"\xbf\xb2\xc6\x05'
# 解密
plaintext = decrypt(ciphertext, key)
print("解密后的内容是:", plaintext.decode('utf-8'))
#解密后的内容是: what_DO_you_mean#@!
由于:最终flag格式:flag{part1flag/part2flag}
故flag{iwannaknow/what_DO_you_mean#@!}
Victory Melody
主函数:
v4 = malloc(0x50C);
memset(v4, 0, 0x50C);
memcpy(v4 + 268, &unk_14001D000, 0x33); //
也就是说,这个解释器的指令数据是在内存地址 unk_14001D000,共 0x33 = 51 字节。
2. %7s 是传给 sub_14001109B 的参数(格式化字符串),而不是数据本身。
说明 sub_14001109B("%7s", a1 + 3) 是在向 a1+3 中写入用户输入,格式最多 7 个字节。
主要就是得到用户输入的%7s,现在找v4的逻辑
在unk_14001D000得到:
0x20,0x10,0x5B,0x20,0x11,0x58,0x20,0x12,0x56,0x20,0x13,0x6E,0x20,0x14,0x11,0x20,0x15,0x4E,0x20,0x16,0x0,0x40,0x11,0x21,0x10,0x0,0x30,0x10,0x1,0x30,0x10,0x2,0x30,0x10,0x3,0x30,0x10,0x4,0x30,0x10,0x5,0x30,0x10,0x6,0x30,0x10,0x7,0x30,0x50,0x10,0x7
0x20,0x10,0x5B, // [0] 写入 0x5B 到 offset=0x10 (a1+0x10) 处
0x20,0x11,0x58, // [3] 写入 0x58 到 offset=0x11
0x20,0x12,0x56, // [6] 写入 0x56 到 offset=0x12
0x20,0x13,0x6E, // [9] 写入 0x6E 到 offset=0x13
0x20,0x14,0x11, // ...
0x20,0x15,0x4E,
0x20,0x16,0x00,
0x40, // [21] 调用 sub_14001109B("%7s", a1+3),读取用户输入到 a1+3
0x11,0x21, // [22] 寄存器 B = 0x21
0x10,0x00, // [24] 寄存器 A = 0
0x30, // [26] XOR (a1[0] = 0) ^= B (0x21)
0x10,0x01, // A = 1
0x30, // [29] XOR a1[0] ^= B
0x10,0x02,
0x30,
0x10,0x03,
0x30,
0x10,0x04,
0x30,
0x10,0x05,
0x30,
0x10,0x06,
0x30,
0x10,0x07,
0x30, // 上述共对 offset=0~7 的每个字节做异或
0x50,0x10,0x07 // [50] memcmp(a1+3, a1+0x10, 7)
内存布局如下:
a1 + 0x10 ← 这里先写入了 7 个字节(通过 0x20 指令)
a1 + 3 ← 用户输入的缓冲区,通过 scanf("%7s", ...)
-
a1 + 0x10 ~ 0x16写入:[0x10] = 0x5B [0x11] = 0x58 [0x12] = 0x56 [0x13] = 0x6E [0x14] = 0x11 [0x15] = 0x4E [0x16] = 0x00 -
用户输入写入
a1+3(最大 7 字节); -
把 B 寄存器设为
0x21; -
对输入缓冲区
a1+3 + offset从 offset = 0 到 7:buffer[offset] ^= 0x21 -
最终将 异或后的用户输入 与
[0x10 ~ 0x17]比较:memcmp(输入^0x21, 预设数据)
写解密部分:
data = [0x5B, 0x58, 0x56, 0x6E, 0x11, 0x4E, 0x00]
user_input = [b ^ 0x21 for b in data]
print(bytes(user_input))
#b'zywO0o!'
import hashlib
print("flag{" + hashlib.md5(b"zywO0o!").hexdigest() + "}")
#flag{ccd5cace2d47f2fc8b3a7c632f5f7b49}
Misc
small_challenge
看到图片像二维码。我binwalk一下,得到一个压缩包和另一张png。想到了iscc的双图亦或
是一个datamatrix码,扫码解的
<E:8E?W^Z<=tEZ)=lP6n>;.Tg>q@+!/6=B)/6_%hLg*.rH<gLN
base85:UV!W_X_YZ,U,Y∈[0,9], V,W,X,Z∈[A,z]
这个是爆破的掩码条件,我写了一个脚本生成字典:
import string
import itertools
def generate_dictionary(output_file):
# 定义字符集
digits = '0123456789' # U和Y的取值范围
chars = string.ascii_letters # V,W,X,Z的取值范围
# 打开文件准备写入
with open(output_file, 'w') as f:
# 生成所有可能的组合
for u in digits:
for v in chars:
for w in chars:
for x in chars:
for y in digits:
for z in chars:
# 构建符合格式的字符串
password = f"{u}{v}!{w}_{x}_{y}{z}"
# 写入文件
f.write(password + '\n')
print(f"字典文件已生成: {output_file}")
if __name__ == "__main__":
output_file = "dictionary.txt"
generate_dictionary(output_file)
有一说一,字典文件7.49G。。。
开始爆破
密码:9h!Y_a_8D,用时1分35秒
打开压缩包得到答案
flag{It3_s0_3@syIlIlIIlIllI}
数学天才
手搓得到295425423
又因为试炼二:为师不想要死,为师喜欢$。
把4换成$得到密码。
得到
DJ?ELtbo`0+o8F0Eb2G9dPN
rot47比较有嫌疑
得到flag{R3@1_M@th_g3niu5!},flag{R8@6_M@th_g8niu0!}
试了一下是flag{R3@1_M@th_g3niu5!}
Crypto
Lattice
丢给ai整理题目信息:
问题描述
我们有以下信息:
格密码参数和生成:
参数:q = 127, n = 3, N = int(1.1 * n * np.log(q))(大约为 15),sigma = 1.0。
gen(q, n, N, sigma) 函数生成一个矩阵 P 和秘密向量 s。
s 的形式是 [1, t1, t2, t3],其中 t 是随机整数。
P 是一个 N x (n+1) 的矩阵,形式为 [b | -A],其中 b = A * t + e(e 是小误差)。
enc(P, M, q) 函数使用 P 和消息 M 生成密文 C。
M 是二进制消息(prep(hint) 将字符串转换为二进制数组)。
C 的每一行是 P.T * r + floor(q/2) * Z * M 的结果,其中 r 是随机二进制向量,Z 是单位矩阵的第一列。
已知数据:
P 是一个 15x4 的矩阵。
C 是一个 200x4 的矩阵(可能是 hint 的二进制编码,长度为 200)。
leak 是一个浮点数。
key 是一个 16 字节的 AES 密钥。
encrypted 是 AES-CBC 加密的 flag。
目标:
解密密文 encrypted 得到 flag。
需要恢复 key 或直接解密。
解决思路
理解格密码的加密过程:
P 和 s 满足 P * s = e(因为 P = [b | -A],s = [1, t],b = A * t + e)。
enc 函数中,C[i] = P.T * r + floor(q/2) * Z * M[i]。
因为 Z 是单位矩阵的第一列,Z * M[i] 是 [M[i], 0, 0, 0]。
所以 C[i] 的形式是 P.T * r + [floor(q/2)*M[i], 0, 0, 0]。
解密时,可以计算 C[i] * s:
C[i] * s = r.T * P * s + floor(q/2) * M[i] * s[0] = r.T * e + floor(q/2) * M[i]。
因为 e 是小误差,r 是二进制向量,r.T * e 的值较小。
s[0] = 1,所以 C[i] * s ≈ floor(q/2) * M[i]。
可以通过 C[i] * s 的值判断 M[i]:
如果 C[i] * s 接近 0,M[i] = 0。
如果 C[i] * s 接近 floor(q/2),M[i] = 1。
恢复秘密向量 s:
已知 P * s = e,且 e 是小向量。
这是一个 LWE(Learning With Errors)问题,可以通过格基归约(如 LLL)求解。
构造格:
格基为 [P | I] 和 [q * I | 0] 的组合。
目标向量是 (e, s)。
使用 LLL 找到短向量,可能是 (e, s)。
解密 hint:
恢复 s 后,可以计算 C[i] * s 判断 M[i]。
将 M 从二进制转换为字符串,得到 hint。
利用 hint 恢复 key:
hint 可能与 key 相关,或者直接是 key 的某种编码。
leak 可能是 key 的某种信息(如浮点数表示)。
解密 encrypted:
使用 key 和 AES-CBC 解密 encrypted 得到 flag。
具体步骤
1. 恢复 s 从 P
P 是一个 15x4 的矩阵,形式为 [b | -A]。
s 是 [1, t1, t2, t3],满足 P * s = e。
构造格:
格基为 [P | I | 0; q * I | 0 | 0](大小为 (15+4) x (4+15))。
目标向量是 (s, e)。
使用 LLL 找到短向量,其中前 4 个分量可能是 s。
2. 解密 C 得到 hint
对于每个 C[i],计算 C[i] * s。
如果 C[i] * s % q 接近 0,M[i] = 0;如果接近 63(floor(127/2)),M[i] = 1。
将 M 转换为字节,然后转换为字符串。
3. 恢复 key
hint 可能是 key 的某种表示,或者 leak 与 key 相关。
例如,leak 可能是 key 的浮点数表示,或者 hint 包含 key 的信息。
4. 解密 encrypted
使用 key 和 AES-CBC 解密 encrypted。
我们可以将 P * s ≈ e 转化为一个约束问题,其中 e 是小误差,s 是未知向量。我们可以尝试让 P * s 的值尽可能小(因为 e 是小误差)。
from z3 import *
import numpy as np
def recover_s_with_z3(P, q):
N, n = len(P), len(P[0])
s = [Int(f's_{i}') for i in range(n)]
e = [Int(f'e_{i}') for i in range(N)]
solver = Solver()
# Add constraints: P * s = e mod q
for i in range(N):
lhs = sum(P[i][j] * s[j] for j in range(n))
solver.add(lhs % q == e[i] % q)
# Add smallness constraints on e (assuming e is small)
for i in range(N):
solver.add(e[i] >= -5, e[i] <= 5) # Adjust bounds based on sigma
# Also add constraints on s (e.g., s[0] = 1)
solver.add(s[0] == 1) # From the problem description, s[0] = 1
# Try to solve
if solver.check() == sat:
model = solver.model()
s_recovered = [model.eval(s[i]).as_long() for i in range(n)]
e_recovered = [model.eval(e[i]).as_long() for i in range(N)]
return s_recovered, e_recovered
else:
raise ValueError("Failed to recover s with z3")
# Given data
q = 127
P = [[87, -27, -52, -29], [57, -41, -24, -60], [76, -17, -55, -37], [75, -46, -33, -21], [121, -55, -33, -34], [47, -4, -34, -45], [112, -33, -44, -16], [74, -44, -5, -25], [20, -21, -16, -49], [89, -21, -54, -24], [18, -23, -53, -1], [35, -40, -4, -29], [105, -54, -2, -8], [44, -24, -43, -36], [111, -15, -15, -54]]
# Recover s
s_recovered, e_recovered = recover_s_with_z3(P, q)
print("Recovered s:", s_recovered)
print("Recovered e:", e_recovered)
得到
Recovered s: [1, 26, 24, 54]
Recovered e: [0, 1, -1, 1, 0, -1, 1, 0, 0, -1, -1, 0, -1, 0, 1]
然后解aes但是我hint没出不知道是不是非预期。
完整代码:
from z3 import *
import numpy as np
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
def recover_s_with_z3(P, q):
N, n = len(P), len(P[0])
s = [Int(f's_{i}') for i in range(n)]
e = [Int(f'e_{i}') for i in range(N)]
solver = Solver()
# Constraint 1: P * s = e mod q
for i in range(N):
lhs = sum(P[i][j] * s[j] for j in range(n))
solver.add(lhs % q == e[i] % q)
# Constraint 2: s[0] = 1 (from the problem description)
solver.add(s[0] == 1)
# Constraint 3: s[i] in [0, q-1] for all i
for i in range(n):
solver.add(s[i] >= 0, s[i] < q)
# Constraint 4: e[i] is small (e[i] in [-1, 0, 1])
for i in range(N):
solver.add(e[i] >= -1, e[i] <= 1)
# Try to solve
if solver.check() == sat:
model = solver.model()
s_recovered = [model.eval(s[i]).as_long() for i in range(n)]
e_recovered = [model.eval(e[i]).as_long() for i in range(N)]
return s_recovered, e_recovered
else:
raise ValueError("Failed to recover s with z3")
def decrypt(C, s, q):
M = []
threshold = q // 2
for c in C:
val = sum(c[i] * s[i] for i in range(len(s))) % q
M.append(1 if val >= threshold else 0)
return M
def binary_to_bytes(bits):
bytes_list = []
for i in range(0, len(bits), 8):
byte = bits[i:i+8]
if len(byte) < 8:
break
byte_str = ''.join(map(str, byte))
bytes_list.append(int(byte_str, 2))
return bytes(bytes_list)
# Given data
q = 127
P = [[87, -27, -52, -29], [57, -41, -24, -60], [76, -17, -55, -37], [75, -46, -33, -21], [121, -55, -33, -34], [47, -4, -34, -45], [112, -33, -44, -16], [74, -44, -5, -25], [20, -21, -16, -49], [89, -21, -54, -24], [18, -23, -53, -1], [35, -40, -4, -29], [105, -54, -2, -8], [44, -24, -43, -36], [111, -15, -15, -54]]
C=[[24, 75, 81, 85], [24, 14, 85, 102], [115, 1, 5, 21], [58, 118, 104, 77], [65, 42, 101, 103], [33, 38, 50, 67], [7, 81, 38, 58], [117, 101, 54, 11], [44, 29, 81, 8], [59, 114, 70, 121], [62, 13, 9, 105], [11, 43, 97, 23], [39, 82, 75, 97], [122, 113, 14, 30], [70, 102, 116, 5], [58, 44, 61, 20], [73, 119, 59, 28], [119, 68, 57, 122], [61, 91, 83, 44], [103, 29, 1, 73], [47, 60, 120, 125], [17, 126, 14, 21], [104, 8, 78, 123], [72, 121, 54, 74], [48, 104, 49, 66], [72, 56, 27, 69], [34, 110, 41, 54], [33, 54, 74, 44], [70, 65, 11, 113], [122, 3, 69, 35], [58, 7, 39, 64], [59, 106, 49, 66], [77, 92, 87, 92], [95, 21, 96, 83], [67, 55, 30, 73], [99, 54, 18, 90], [101, 102, 126, 107], [81, 46, 104, 83], [38, 24, 94, 60], [114, 105, 76, 97], [22, 115, 20, 67], [40, 72, 110, 65], [111, 92, 106, 117], [5, 123, 21, 96], [41, 14, 23, 114], [113, 75, 43, 65], [56, 3, 61, 48], [40, 101, 16, 114], [42, 84, 95, 13], [36, 110, 91, 107], [4, 13, 60, 74], [24, 80, 125, 76], [123, 26, 27, 119], [31, 87, 6, 123], [61, 106, 73, 120], [66, 10, 36, 65], [91, 38, 46, 9], [121, 20, 106, 48], [123, 21, 78, 27], [22, 74, 55, 110], [47, 49, 118, 76], [30, 10, 16, 118], [43, 19, 52, 61], [100, 9, 37, 35], [20, 102, 111, 94], [116, 63, 55, 43], [13, 110, 42, 14], [46, 65, 71, 28], [82, 5, 76, 74], [86, 34, 117, 84], [28, 44, 82, 50], [76, 79, 77, 11], [68, 39, 51, 89], [83, 93, 95, 2], [54, 108, 101, 82], [99, 90, 122, 37], [16, 92, 79, 12], [67, 86, 24, 36], [80, 94, 106, 59], [50, 56, 95, 98], [33, 68, 89, 40], [74, 124, 14, 82], [88, 93, 54, 93], [51, 17, 124, 31], [17, 17, 45, 35], [113, 71, 76, 44], [48, 6, 120, 4], [36, 91, 108, 11], [2, 41, 58, 72], [42, 59, 51, 81], [73, 22, 79, 27], [85, 35, 29, 98], [76, 76, 37, 22], [82, 29, 42, 27], [75, 114, 37, 106], [40, 69, 53, 73], [39, 44, 33, 121], [94, 85, 92, 54], [91, 77, 124, 46], [108, 31, 101, 84], [35, 33, 97, 45], [99, 32, 17, 14], [1, 66, 11, 35], [78, 100, 95, 81], [73, 49, 14, 37], [70, 9, 107, 2], [84, 98, 92, 62], [123, 87, 87, 110], [3, 81, 111, 28], [20, 2, 91, 37], [93, 101, 77, 93], [27, 16, 31, 105], [95, 81, 87, 17], [10, 103, 21, 102], [81, 57, 118, 82], [15, 92, 60, 71], [16, 84, 126, 49], [35, 26, 2, 120], [70, 86, 45, 9], [29, 8, 40, 66], [99, 77, 14, 9], [12, 70, 50, 52], [21, 21, 85, 54], [91, 94, 100, 85], [9, 42, 47, 14], [117, 55, 17, 99], [53, 45, 4, 72], [49, 10, 27, 121], [108, 61, 73, 42], [121, 42, 41, 71], [49, 63, 50, 117], [5, 78, 24, 101], [0, 117, 21, 46], [90, 43, 47, 32], [74, 85, 118, 84], [13, 73, 18, 66], [95, 24, 120, 18], [94, 21, 111, 34], [66, 68, 80, 21], [102, 49, 57, 55], [25, 85, 107, 98], [8, 18, 88, 12], [18, 6, 86, 82], [18, 91, 126, 115], [26, 11, 30, 35], [88, 78, 76, 74], [51, 75, 76, 15], [60, 24, 72, 27], [91, 72, 44, 104], [84, 113, 39, 116], [41, 83, 91, 74], [84, 17, 94, 119], [46, 95, 85, 5], [109, 58, 71, 42], [126, 29, 114, 73], [27, 70, 7, 125], [121, 66, 97, 111], [8, 21, 10, 57], [15, 62, 65, 8], [101, 79, 32, 74], [69, 42, 38, 58], [65, 81, 72, 16], [20, 81, 1, 126], [91, 111, 69, 33], [56, 84, 65, 66], [47, 78, 43, 100], [43, 90, 80, 25], [46, 55, 10, 60], [116, 110, 49, 116], [72, 115, 38, 104], [79, 43, 74, 106], [86, 113, 84, 76], [102, 2, 119, 3], [126, 25, 83, 44], [37, 83, 46, 40], [13, 75, 101, 101], [76, 93, 3, 63], [69, 9, 84, 37], [103, 47, 106, 80], [72, 104, 85, 19], [124, 118, 34, 81], [57, 25, 52, 119], [44, 56, 63, 90], [123, 46, 124, 31], [19, 116, 23, 77], [126, 78, 37, 93], [34, 95, 43, 98], [37, 90, 32, 97], [106, 8, 80, 8], [90, 5, 113, 68], [99, 40, 39, 18], [90, 37, 48, 45], [56, 13, 76, 6], [68, 33, 52, 102], [62, 45, 29, 123], [100, 21, 73, 92], [92, 18, 118, 23], [84, 86, 42, 83], [107, 8, 71, 52], [114, 106, 78, 85], [10, 120, 115, 119], [27, 49, 124, 16], [65, 40, 48, 37], [69, 42, 8, 29], [35, 39, 55, 102], [58, 19, 41, 75], [17, 2, 113, 12], [8, 34, 72, 75], [91, 32, 19, 52], [62, 50, 109, 78], [9, 115, 35, 50], [42, 83, 78, 41], [34, 94, 97, 58], [56, 73, 25, 115], [55, 12, 16, 86], [97, 95, 30, 92], [47, 105, 70, 68], [50, 18, 51, 23], [46, 57, 80, 29], [4, 66, 123, 24], [55, 53, 26, 36], [71, 59, 104, 91], [94, 3, 1, 34], [57, 8, 85, 102], [89, 73, 115, 25], [13, 38, 81, 76], [104, 30, 81, 104], [55, 101, 95, 101], [69, 65, 5, 11], [123, 105, 84, 125], [38, 110, 4, 28], [112, 115, 92, 71], [90, 120, 112, 39], [50, 18, 107, 71], [95, 63, 118, 93], [93, 111, 59, 55], [17, 15, 2, 88], [78, 126, 37, 12], [56, 112, 53, 12], [65, 34, 82, 100], [9, 94, 72, 99], [78, 76, 43, 91], [7, 88, 107, 31], [43, 91, 97, 4], [113, 112, 36, 15], [8, 97, 23, 84], [65, 92, 31, 63], [54, 38, 119, 103], [89, 50, 57, 50], [61, 37, 87, 0], [21, 35, 44, 22], [20, 32, 95, 116], [10, 94, 103, 84], [59, 29, 7, 50], [98, 33, 87, 33], [7, 96, 36, 67], [85, 10, 35, 98], [65, 49, 19, 62], [56, 67, 14, 91], [30, 49, 111, 77], [121, 49, 108, 119], [89, 67, 115, 69], [65, 8, 0, 82], [117, 57, 117, 23], [23, 38, 2, 98], [60, 28, 94, 93], [23, 65, 8, 114], [121, 105, 122, 40], [120, 12, 21, 112], [55, 51, 2, 77], [48, 41, 113, 62], [66, 82, 117, 119], [4, 15, 5, 21], [41, 14, 12, 80], [23, 61, 106, 16], [23, 53, 122, 68], [6, 54, 5, 101], [69, 49, 7, 79], [17, 70, 64, 88], [103, 30, 76, 31], [108, 82, 90, 109], [55, 56, 113, 37], [93, 99, 126, 44], [1, 46, 105, 124], [55, 54, 35, 115], [0, 89, 53, 97], [67, 111, 107, 80], [92, 122, 40, 64], [75, 2, 126, 118], [90, 84, 43, 74], [101, 69, 60, 17], [104, 10, 4, 122], [94, 4, 115, 91], [15, 11, 111, 105], [9, 7, 32, 101], [77, 18, 55, 56], [66, 7, 117, 108], [116, 121, 33, 66], [32, 41, 83, 125], [60, 52, 70, 58], [125, 54, 93, 15], [70, 19, 10, 58], [83, 94, 61, 126], [95, 85, 80, 44], [25, 89, 117, 74], [12, 17, 63, 87], [118, 80, 96, 26], [6, 97, 79, 38], [97, 3, 107, 95], [7, 82, 106, 92], [83, 100, 119, 95], [81, 26, 99, 56], [25, 60, 51, 122], [56, 18, 22, 84], [9, 72, 107, 114], [80, 97, 92, 52], [108, 47, 58, 46], [9, 47, 7, 47], [115, 68, 91, 7], [14, 120, 87, 122], [97, 15, 40, 79], [5, 92, 85, 93], [4, 97, 73, 63], [25, 22, 92, 108], [88, 4, 34, 86], [0, 43, 21, 57], [67, 90, 36, 50], [15, 126, 37, 12], [92, 73, 96, 71], [76, 107, 27, 115], [79, 8, 68, 55], [38, 12, 120, 126], [54, 46, 7, 69], [72, 114, 93, 60], [59, 98, 27, 102], [50, 76, 87, 19], [77, 107, 29, 40], [36, 73, 21, 123], [36, 89, 82, 74], [24, 73, 118, 86], [58, 89, 115, 106], [12, 27, 33, 72], [28, 94, 21, 26], [0, 79, 48, 110], [72, 62, 82, 57], [65, 84, 114, 97], [80, 68, 52, 52], [119, 35, 103, 101], [10, 67, 68, 69], [101, 17, 54, 40], [98, 46, 21, 42], [30, 39, 56, 118], [27, 33, 77, 114], [66, 74, 61, 63], [23, 13, 14, 47], [88, 30, 122, 119], [15, 58, 55, 52], [56, 27, 47, 45], [119, 95, 59, 14], [84, 69, 5, 83], [21, 35, 39, 36], [10, 92, 68, 17], [79, 67, 111, 38], [36, 1, 4, 117], [117, 30, 5, 7], [112, 15, 115, 123], [54, 47, 18, 93], [102, 111, 3, 68], [91, 91, 5, 44], [123, 118, 57, 32], [12, 121, 31, 103], [114, 52, 105, 12], [100, 28, 117, 102], [51, 42, 12, 124], [47, 1, 42, 47], [28, 3, 22, 100], [103, 105, 119, 24], [101, 59, 13, 78], [79, 36, 61, 54], [11, 46, 75, 116], [31, 73, 118, 0], [92, 32, 0, 124], [77, 85, 25, 90], [29, 21, 74, 7], [3, 66, 11, 8], [112, 91, 50, 53], [45, 113, 99, 123], [35, 65, 85, 22], [108, 99, 42, 1], [103, 113, 116, 72], [125, 74, 112, 24], [75, 79, 80, 12], [83, 44, 94, 86], [64, 20, 0, 8], [104, 126, 31, 120], [85, 75, 61, 74], [36, 93, 36, 102], [70, 54, 101, 83], [90, 46, 109, 83], [112, 126, 114, 23], [16, 123, 97, 62], [118, 86, 108, 53], [99, 18, 2, 18], [103, 3, 38, 8], [99, 49, 123, 81], [37, 75, 89, 53], [34, 77, 27, 122], [29, 8, 40, 66], [119, 13, 64, 83], [4, 108, 116, 121], [49, 87, 1, 92], [15, 63, 80, 62], [27, 81, 100, 83], [7, 90, 16, 0], [13, 50, 61, 65], [51, 64, 76, 5], [55, 100, 106, 66], [52, 102, 105, 2], [49, 34, 89, 116], [24, 55, 11, 27], [91, 48, 73, 38], [27, 5, 1, 126], [66, 55, 80, 19], [52, 118, 104, 43], [36, 1, 111, 60], [65, 4, 34, 17], [54, 22, 0, 39], [52, 30, 64, 62], [26, 40, 32, 86], [93, 71, 41, 47], [77, 23, 15, 9], [11, 20, 51, 31], [64, 50, 37, 50], [17, 49, 80, 37], [119, 115, 115, 50], [20, 86, 27, 5], [101, 65, 17, 78], [56, 25, 125, 56], [16, 118, 2, 96], [114, 108, 69, 121], [14, 37, 76, 101], [113, 124, 121, 82], [43, 120, 35, 94], [82, 67, 23, 43], [9, 79, 47, 122], [39, 28, 110, 31], [35, 48, 27, 16], [72, 8, 115, 66], [54, 46, 122, 19], [77, 77, 30, 74], [58, 63, 81, 96], [6, 122, 75, 63], [115, 31, 119, 110], [82, 86, 89, 1], [79, 100, 6, 110], [117, 67, 15, 13], [4, 15, 63, 0], [106, 108, 122, 107], [34, 72, 0, 114], [20, 0, 32, 56], [121, 104, 66, 3], [86, 28, 76, 84], [85, 9, 60, 45], [95, 80, 78, 65], [39, 85, 50, 49], [42, 103, 36, 90], [70, 99, 116, 117], [34, 15, 40, 52], [24, 49, 19, 31], [98, 90, 95, 89], [63, 45, 40, 77], [114, 14, 30, 106], [10, 35, 116, 9], [103, 111, 112, 16], [71, 112, 71, 32], [77, 31, 105, 64], [84, 87, 24, 67], [1, 27, 123, 57], [104, 29, 87, 123], [110, 39, 67, 7], [28, 70, 108, 113], [96, 9, 101, 36], [13, 28, 6, 13], [69, 81, 89, 26], [79, 113, 77, 91], [112, 62, 104, 117], [109, 95, 55, 83], [78, 68, 98, 14], [73, 79, 96, 12], [108, 39, 97, 49], [27, 111, 106, 100], [82, 70, 9, 36], [48, 31, 90, 70], [99, 92, 45, 35], [55, 100, 31, 37], [75, 17, 69, 35], [12, 38, 119, 112], [103, 34, 63, 76], [26, 19, 91, 111], [74, 122, 12, 78], [64, 117, 16, 60], [2, 97, 122, 106], [62, 79, 56, 30], [71, 47, 13, 22], [38, 78, 116, 16], [87, 28, 94, 76], [77, 126, 94, 116], [83, 46, 104, 90], [5, 95, 13, 26], [47, 10, 46, 115], [82, 19, 91, 70], [111, 72, 49, 65], [18, 103, 59, 72], [17, 37, 56, 24], [19, 120, 24, 64], [28, 40, 11, 20], [18, 19, 80, 62], [37, 11, 74, 14], [109, 97, 75, 72], [116, 65, 52, 121], [95, 63, 82, 122], [88, 93, 54, 93], [77, 30, 65, 121], [99, 121, 42, 87], [62, 52, 44, 6], [79, 60, 55, 4], [96, 64, 6, 20], [94, 114, 90, 8], [123, 98, 29, 27], [116, 84, 31, 80], [9, 77, 45, 45], [120, 33, 63, 15], [51, 44, 66, 25], [2, 46, 72, 94], [107, 113, 50, 46], [115, 64, 126, 85], [64, 10, 28, 78], [84, 112, 64, 103], [59, 114, 15, 82], [65, 122, 104, 89], [113, 122, 21, 11], [69, 106, 19, 78], [42, 93, 125, 0], [7, 123, 82, 70], [103, 114, 62, 92], [15, 30, 78, 114], [4, 78, 111, 60], [40, 80, 34, 55], [3, 87, 120, 27], [122, 64, 3, 122], [24, 49, 31, 81], [26, 43, 100, 19], [52, 78, 2, 97], [116, 45, 15, 33], [21, 119, 92, 86], [28, 118, 71, 24], [106, 15, 0, 79], [36, 4, 52, 73], [22, 43, 8, 60], [96, 22, 9, 100], [19, 64, 26, 96], [97, 61, 22, 39], [6, 112, 76, 38], [58, 6, 97, 94], [103, 87, 87, 101], [17, 49, 80, 37], [117, 33, 26, 8], [59, 108, 78, 91], [113, 28, 30, 44], [119, 78, 72, 20], [49, 101, 77, 2], [26, 18, 35, 7], [34, 38, 99, 37], [45, 52, 90, 27], [108, 31, 118, 67], [3, 37, 29, 88], [111, 96, 12, 111], [91, 111, 106, 100], [52, 78, 117, 80], [14, 51, 87, 0], [1, 52, 116, 1], [117, 2, 33, 48], [57, 0, 48, 34], [59, 14, 84, 63], [82, 83, 8, 82], [58, 100, 32, 33], [75, 29, 112, 103], [0, 49, 45, 54], [94, 9, 51, 110], [54, 61, 27, 47], [88, 89, 23, 37], [73, 43, 0, 32], [123, 6, 35, 78], [73, 72, 119, 64], [81, 46, 11, 102], [42, 124, 47, 8], [50, 66, 3, 40], [116, 7, 51, 20], [47, 112, 99, 7], [42, 37, 86, 89], [18, 74, 78, 101], [57, 85, 75, 7], [26, 90, 35, 10], [72, 126, 10, 77], [55, 12, 5, 78], [37, 87, 85, 96], [91, 9, 114, 68], [79, 76, 44, 20], [84, 52, 63, 56], [95, 9, 22, 117], [96, 38, 50, 67], [43, 114, 45, 56], [94, 21, 74, 107], [92, 82, 81, 71], [40, 10, 10, 90], [20, 18, 15, 56], [72, 2, 30, 22], [50, 31, 123, 20], [85, 40, 115, 115], [93, 1, 48, 47], [111, 118, 45, 34], [9, 122, 37, 121], [60, 27, 77, 41], [122, 38, 22, 39], [115, 66, 74, 126], [77, 67, 90, 78], [96, 3, 53, 52], [5, 26, 120, 101], [45, 100, 72, 6], [106, 56, 87, 77], [52, 68, 102, 95], [1, 13, 36, 33], [58, 27, 35, 8], [52, 5, 38, 35], [102, 82, 63, 47], [24, 71, 119, 43], [11, 36, 90, 13], [11, 93, 27, 23], [4, 107, 26, 125], [85, 9, 5, 13], [116, 25, 55, 119], [73, 82, 73, 2], [40, 123, 77, 41], [10, 98, 51, 111], [23, 79, 120, 54], [56, 18, 22, 84], [61, 115, 51, 109], [33, 5, 12, 121], [8, 81, 35, 70], [22, 39, 103, 2], [38, 74, 66, 126], [83, 20, 117, 85], [8, 32, 91, 98], [37, 31, 94, 119], [7, 30, 45, 43], [68, 16, 124, 97], [86, 124, 37, 21], [29, 101, 15, 30], [27, 31, 52, 45], [47, 37, 102, 3], [117, 49, 54, 89], [48, 94, 126, 66], [42, 115, 63, 104], [14, 74, 6, 112], [68, 125, 4, 5], [66, 3, 78, 52], [108, 33, 6, 77], [77, 99, 16, 52], [61, 78, 73, 70], [108, 106, 124, 0], [23, 35, 119, 118], [125, 124, 37, 65], [69, 30, 61, 110], [77, 10, 120, 118], [53, 121, 24, 30], [87, 32, 29, 63], [54, 64, 1, 3], [16, 59, 104, 25], [30, 6, 59, 102], [43, 120, 35, 94], [89, 13, 69, 39], [87, 78, 100, 14], [83, 17, 14, 4], [24, 49, 31, 81], [73, 32, 72, 10], [0, 22, 61, 54], [81, 42, 70, 13], [108, 56, 52, 2], [25, 99, 116, 72], [66, 23, 18, 102], [121, 115, 47, 12], [96, 37, 123, 48], [64, 69, 4, 39], [78, 38, 124, 31], [27, 69, 10, 70], [5, 29, 2, 85], [30, 45, 56, 7], [31, 25, 120, 61], [36, 89, 89, 118], [98, 63, 18, 21], [121, 83, 36, 57], [60, 5, 86, 17], [121, 55, 117, 58], [12, 96, 4, 27], [119, 63, 124, 37], [96, 27, 45, 91], [42, 119, 8, 103], [104, 42, 68, 37], [104, 55, 41, 38], [120, 3, 50, 87], [120, 121, 20, 67], [58, 123, 50, 28], [103, 62, 58, 20], [97, 27, 89, 102], [7, 51, 56, 108], [73, 60, 10, 77], [56, 72, 103, 69], [101, 89, 18, 66], [115, 35, 80, 36], [98, 103, 39, 63], [29, 126, 67, 76], [27, 97, 15, 79], [36, 6, 17, 90], [126, 54, 101, 42], [115, 66, 74, 126], [78, 80, 62, 83], [60, 11, 31, 88], [16, 73, 108, 13]]
# Recover s
s_recovered, e_recovered = recover_s_with_z3(P, q)
print("Recovered s:", s_recovered)
print("Recovered e:", e_recovered)
# Decrypt C to get hint
M = decrypt(C, s_recovered, q)
hint_bytes = binary_to_bytes(M)
hint = hint_bytes.decode('latin-1') # or 'utf-8' if applicable
print("Hint:", hint)
# Decrypt the encrypted flag (assuming key is given)
key = b'\x8fj\x94\x98-\x1fd\xd5\x89\xbe\xa9*Tu\x90\xb7'
encrypted = b'\x9fT@\xbc\x82\x8esQ\x1e\xd8\x1d\xdb\x9b\xb4\xf8rU\xc8\xa0\xcb\xaf H\xa9.\x04\x1e\xd2\x92\x1f\x0fBja-\x965x\xa8@\xc9x\xf9\xaf\x87\xd1\xa5}\xfc\x1b\xe0#\xc3m\xc9\x8973\x1c\x1f\x13\x8f\xb2a\xae\xa9]\xb9\xc2\xe8\x83A\x80\x13g\xc9a\x1c<\x8a\x9c&\xd9\xbd\x06\xef\xba9\xb0\x03\x9f\x022\xc9\x13\x9a\xffXPG\xc6o\xc0\xeaV7)XG9L\x84N7U\xe3Wn0G\x8e\xd3\x04(\n\x08\xb9\x17\xe6\xf1\xaa\xb7\x8a@$\x16\x13\x06A\x00\xc9Z\xdf\x7fQ\xc9\x08\xb4\xf3P\xfcpe\xe2\xeb\x96\x0e(-\xde\x17\xd1\x01\x1c_\x82\x8b\x9fw\xc8\x86\xfbw\xb5\xf7\xd0\xc8\x1784\xe3?\x00\x0b.)\xb7\xbc\x8e{\xe0\xae\x8d$\x0f\x19\'\xb6\xee@d\x00\xd9\x84\x8c\x0e\xa3,\xc6a\xa3\xba*1\xfd<\xfd\x18\xd6\x9e\x8c4\x8e#\xfd\xbd&0R\xeddE,\xed\xb6\x1e\x00\x11\xa6K\xd3\x1dT\x8c5\x8e\x00\xea\x10\xe9\'u"B#\xa1#\xd8\xe3\xf5j\xbc\x94M\xda\xe3\xcb*\xf0W1\xa0\x80\x1d\xfc\xbfo\x01?(da\r\xb6\x86\xd0\x90\x88Z\xa1`B\x89\x89\x89\xb3v\xa5\xf0\xe0\x0c\x8e\xcc+P\xfc\xfd#\x83\xe9\x93\x96\n\xf2\xa5\xfb\xc3\xc5\xaa\x9e\x89\x93\xb6\xf5\xea\x8c%NY\xc3\x0eR\xfas\xa1\x13\xf2/*\xce\x8b_:_r\xeb\xbe\x0b\x8a\x8c\x97\x7f|m}\xae\xa9I\x95\xcc\xe7\x80\xa5yC4\x1f5\xa4P\xc5\xbf.\xf9V\xe8|\xbb\xc3\xcb\x98&\'JB\x99\x94\xc0\r$\x0b\xbe48u\xeb\xca\xa1\xfbb\xd8_R\x97\x8e\xaeI\xfc\xc2\xb2\xd2#@\xec\x16\xf1\xd7eCQ\x1cO\x13\xca\xb5\xd3\x1a\xb1\xf1_D\x80\x06\xa5\xbe\xbev\xbd\xd6\xbb\x9a\xc9x\x9cf:\xcb>\xa2\xe1\xcad\xde]aw\xa0\xdc\xb2\xb3{+\x85\x8d\x8b\xc5\rT\xcc\xd9X\xd5\x9b\r<\x99m\xb8b6s\xbfp\x0eo~\xe9&\xb2{\xbe\xee\x93\xd2N1\\\x94\x968IWO7\xcb\xb6e\x80\xf7\x9air\xb2~\x17\x1cF\x0f\x82T]RBX\xdex\x13\x85\xfa\xcd-\xce\xdc\xe4\xe5^\x99u\xb5\x01\xd0-\xc3C\xcd\xc4y6\xb7\x9d|L1\xe74\xf7\x8cH\xe9\xa9\xfav\n\xec;\xf2\xa2w\xfb\x13_b\r)z!\xa3\xc8\xa8\xc2\xd2\x10\x00\x11\x11\r\xb2&\xfb\x04&\x84">x6l[\x06n>\xa0\xbe\x9c`\xa7\x9e\xe0\xfb\x85\x91\xc4,\xcf\xac\xe11@a\xed3@\xfd}\x8e\xfaTp\xcb7\xe7\xbf\xd4\xe0~b\xd9\xe0<\xba\x81\xd4"e\xfc\x939|j#0H\x86\xf8\x0b\x03\xd2\xe8\xf5\xe55\xdc\xc8\x06\\\xb7)\xcc\x9b\'\xf12'
iv = encrypted[:16]
ciphertext = encrypted[16:]
cipher = AES.new(key=key, mode=AES.MODE_CBC, iv=iv)
decrypted = unpad(cipher.decrypt(ciphertext), 16)
print("Decrypted flag:", decrypted.decode())
得到的结果是
Recovered s: [1, 26, 24, 54]
Recovered e: [0, 1, -1, 1, 0, -1, 1, 0, 0, -1, -1, 0, -1, 0, 1]
Hint: ¬ö¬8xº^
HI+*þNÆêµ]@FÜx\«ðßͼ¹l@ÙÌ^g@c¬(ÿKâÜKêfÙÓÛÛ;Lò÷¢´ZùY"ôDÚßo
x
Decrypted flag: lag{6ef25d1e-bb76-8e53-dbc4-1e56585f9aa9}
将不可打印字符删掉得到:
得到:lag{6ef25d1e-bb76-8e53-dbc4-1e56585f9aa9}
补全:flag{6ef25d1e-bb76-8e53-dbc4-1e56585f9aa9}
更正:
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
key = b'\x8fj\x94\x98-\x1fd\xd5\x89\xbe\xa9*Tu\x90\xb7'
encrypted = b'\x9fT@\xbc\x82\x8esQ\x1e\xd8\x1d\xdb\x9b\xb4\xf8rU\xc8\xa0\xcb\xaf H\xa9.\x04\x1e\xd2\x92\x1f\x0fBja-\x965x\xa8@\xc9x\xf9\xaf\x87\xd1\xa5}\xfc\x1b\xe0#\xc3m\xc9\x8973\x1c\x1f\x13\x8f\xb2a\xae\xa9]\xb9\xc2\xe8\x83A\x80\x13g\xc9a\x1c<\x8a\x9c&\xd9\xbd\x06\xef\xba9\xb0\x03\x9f\x022\xc9\x13\x9a\xffXPG\xc6o\xc0\xeaV7)XG9L\x84N7U\xe3Wn0G\x8e\xd3\x04(\n\x08\xb9\x17\xe6\xf1\xaa\xb7\x8a@$\x16\x13\x06A\x00\xc9Z\xdf\x7fQ\xc9\x08\xb4\xf3P\xfcpe\xe2\xeb\x96\x0e(-\xde\x17\xd1\x01\x1c_\x82\x8b\x9fw\xc8\x86\xfbw\xb5\xf7\xd0\xc8\x1784\xe3?\x00\x0b.)\xb7\xbc\x8e{\xe0\xae\x8d$\x0f\x19\'\xb6\xee@d\x00\xd9\x84\x8c\x0e\xa3,\xc6a\xa3\xba*1\xfd<\xfd\x18\xd6\x9e\x8c4\x8e#\xfd\xbd&0R\xeddE,\xed\xb6\x1e\x00\x11\xa6K\xd3\x1dT\x8c5\x8e\x00\xea\x10\xe9\'u"B#\xa1#\xd8\xe3\xf5j\xbc\x94M\xda\xe3\xcb*\xf0W1\xa0\x80\x1d\xfc\xbfo\x01?(da\r\xb6\x86\xd0\x90\x88Z\xa1`B\x89\x89\x89\xb3v\xa5\xf0\xe0\x0c\x8e\xcc+P\xfc\xfd#\x83\xe9\x93\x96\n\xf2\xa5\xfb\xc3\xc5\xaa\x9e\x89\x93\xb6\xf5\xea\x8c%NY\xc3\x0eR\xfas\xa1\x13\xf2/*\xce\x8b_:_r\xeb\xbe\x0b\x8a\x8c\x97\x7f|m}\xae\xa9I\x95\xcc\xe7\x80\xa5yC4\x1f5\xa4P\xc5\xbf.\xf9V\xe8|\xbb\xc3\xcb\x98&\'JB\x99\x94\xc0\r$\x0b\xbe48u\xeb\xca\xa1\xfbb\xd8_R\x97\x8e\xaeI\xfc\xc2\xb2\xd2#@\xec\x16\xf1\xd7eCQ\x1cO\x13\xca\xb5\xd3\x1a\xb1\xf1_D\x80\x06\xa5\xbe\xbev\xbd\xd6\xbb\x9a\xc9x\x9cf:\xcb>\xa2\xe1\xcad\xde]aw\xa0\xdc\xb2\xb3{+\x85\x8d\x8b\xc5\rT\xcc\xd9X\xd5\x9b\r<\x99m\xb8b6s\xbfp\x0eo~\xe9&\xb2{\xbe\xee\x93\xd2N1\\\x94\x968IWO7\xcb\xb6e\x80\xf7\x9air\xb2~\x17\x1cF\x0f\x82T]RBX\xdex\x13\x85\xfa\xcd-\xce\xdc\xe4\xe5^\x99u\xb5\x01\xd0-\xc3C\xcd\xc4y6\xb7\x9d|L1\xe74\xf7\x8cH\xe9\xa9\xfav\n\xec;\xf2\xa2w\xfb\x13_b\r)z!\xa3\xc8\xa8\xc2\xd2\x10\x00\x11\x11\r\xb2&\xfb\x04&\x84">x6l[\x06n>\xa0\xbe\x9c`\xa7\x9e\xe0\xfb\x85\x91\xc4,\xcf\xac\xe11@a\xed3@\xfd}\x8e\xfaTp\xcb7\xe7\xbf\xd4\xe0~b\xd9\xe0<\xba\x81\xd4"e\xfc\x939|j#0H\x86\xf8\x0b\x03\xd2\xe8\xf5\xe55\xdc\xc8\x06\\\xb7)\xcc\x9b\'\xf12'
iv = encrypted[:16]
ciphertext = encrypted[16:]
cipher = AES.new(key=key, mode=AES.MODE_CBC, iv=iv)
decrypted = unpad(cipher.decrypt(ciphertext), 16)
print("Decrypted flag:", decrypted.decode())
非预期直接出
sandwitch
很像SHCTF的padding题,那道题是单padding,这道题是双padding,原理都是coppersmith出。
参考https://blog.csdn.net/qq_74350234/article/details/143270283,就是beta(β)的取值依据:936/1024≈0.9
from Crypto.Util.number import *
import libnum
n = 130210658110511504736422597261591182174531847806532340762131145212035478695205314931974421838392310731226415266775095601890938846830080329061111533796518633011922277343217149648494987341818402753017296362015915834670450122261511337212801488239810623226740266516836721952886027130703886460578247562781194524199
c = 58274335440051115211211273605191310114692293785750437685473044454042062899661976407492451518086227780147882738264722645944582899451063113444881286175099872016956825274378613983870549046907444680021237171113596116147511706486372974792692071549068969896395366667516390709069131700584308236332248449116109156503
e = 0x3
pad1 = b'easy_problem'
pad2 = b'How_to_solve_it'
flag_len = 39
a = bytes_to_long(pad1)
b = bytes_to_long(pad2)
PR.<x> = PolynomialRing(Zmod(n))
f = (a * 256^(flag_len + len(pad2)) + x * 256^len(pad2) + b)^e - c
f = f.monic()
roots = f.small_roots(X=2 ** (39 * 8), beta=0.915, epsilon=)
if roots:
flag = libnum.n2s(int(roots[0]))
print("Flag:", flag)
else:
print("No roots found")
最后epsilon参数调整到0.03才出。
Flag: b'flag{A_C0pper5mi1tH_4Ues7iOn_SplIt_Pad}'
PPc
001
我主要是看20250519152440.png这张照片:
133****0181出现的次数最多,就填上去了。
flag{133****0181}
问卷
flag{Sdpcsecnbnbnb}
浙公网安备 33010602011771号