ctfshow 1024杯

1024_trick

from Crypto.Util.number import getPrime, bytes_to_long
from gmpy2 import gcd, invert
from secret import flag

def gen(x, y):
    """Return a random 1024-bit prime k with k and k + 1024 both coprime to (x - 1)(y - 1).

    The caller uses k and k + 1024 as two private exponents, so both must be
    invertible modulo (x - 1) * (y - 1). Candidates are drawn with getPrime
    until one satisfies both gcd conditions.
    """
    # x*y - x - y + 1 factors as (x - 1) * (y - 1); it does not change per draw.
    totient = x * y - x - y + 1
    while True:
        k = getPrime(1024)
        if gcd(totient, k) != 1:
            continue
        if gcd(totient, k + 1024) != 1:
            continue
        return k

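# Two independent 1024-bit primes make up the RSA modulus.
p = getPrime(1024)
q = getPrime(1024)

# Private exponent d; gen() guarantees that d and d + 1024 are both invertible
# modulo (p - 1) * (q - 1).
d = gen(p, q)

# e1 and e2 are the public exponents matching the private exponents d and
# d + 1024 under the SAME modulus. Publishing both reveals an algebraic
# relation between them; key pairs that share a modulus must never be derived
# from related private exponents.
e1 = invert(d, (p - 1) * (q - 1))
e2 = invert(d + 1024, (p - 1) * (q - 1))

n = p * q
# NOTE(review): bytes_to_long is imported but flag is passed to pow() as-is,
# so flag is presumably already an integer in secret.py; confirm.
c = pow(flag, e1, n)

# The context manager closes (and flushes) the file even if a write fails;
# the original left the handle open until interpreter exit.
with open('output', 'w') as out:
    out.write(str(n)+'\n')
    out.write(str(e1)+'\n')
    out.write(str(e2)+'\n')
    out.write(str(c)+'\n')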

简单同余推导

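$e_1 d\equiv 1 \pmod{\varphi}$

$e_2(d+1024)\equiv 1 \pmod{\varphi}$

$\Rightarrow e_1(e_2^{-1}-1024)\equiv 1 \pmod{\varphi}$

$\Rightarrow e_1(1-1024e_2)\equiv e_2 \pmod{\varphi}$

$\Rightarrow (m^{e_1})^{1024e_2-1}\equiv m^{-e_2} \pmod{n}$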

∵gcd(e1,e2)=1 接下来转化为共模攻击即可

看wp发现一种更好的做法

代码如下:

from Crypto.Util.number import long_to_bytes
import sys
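# Kept so the script's module-level behaviour is unchanged. The iterative
# exgcd below does not rely on a raised recursion limit.
sys.setrecursionlimit(1000000)


def exgcd(a, b):
    """Return Bezout coefficients (x, y) such that a*x + b*y == gcd(a, b).

    Iterative extended Euclid. It produces exactly the same pair as the
    recursive definition ``exgcd(a, 0) == (1, 0)`` and
    ``exgcd(a, b) == (y, x - a // b * y)`` with ``(x, y) = exgcd(b, a % b)``,
    but needs no deep call stack. For 2048-bit operands the recursion runs
    thousands of frames deep, which is why the limit had to be raised, and
    very deep recursion can still exhaust the C stack.

    Args:
        a: first integer.
        b: second integer.

    Returns:
        Tuple (x, y) of integers. For non-negative inputs a*x + b*y equals
        gcd(a, b); in general it equals the last non-zero remainder of the
        Euclidean algorithm.
    """
    prev_r, cur_r = a, b
    prev_x, cur_x = 1, 0
    prev_y, cur_y = 0, 1
    while cur_r != 0:
        quotient = prev_r // cur_r
        # Invariant: prev_r == a*prev_x + b*prev_y and cur_r == a*cur_x + b*cur_y.
        prev_r, cur_r = cur_r, prev_r - quotient * cur_r
        prev_x, cur_x = cur_x, prev_x - quotient * cur_x
        prev_y, cur_y = cur_y, prev_y - quotient * cur_y
    return prev_x, prev_y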
n=28247956190796077548821036165832051095182478841343849341201099128819479182033196745888916043527789810068912335285845353736774484336851382817061906161464410813261565043154569983001168979661397673033159029064565590415202266364668996185387927547647414609049665701634943970073424680262167057713264162243044242199992525550717430218592937779319306804366853371496949090902097569447358748738601201092248706444400984549491240349808244847814292328867056531536176757195282237815281620345660712787511847864860157060561247341926472934445937054346872777130907776700747053879719058858665504682167737096909091658310703848714995507087
e1=14729696809459508716385569304221898763069627997586157384420106315856541102841676901689428248411442723122274238893709627729613555080244422116252212813081403190521848377387091820856797688344508117977167198575999802122072100976783815485227448685251402928453641606244138534312889639695831020684859444038879931443306689809413522781182634833029742866760422550903997471974167552388516014202843112478278655370138693696356621310668692751596233613748393311787483393850367208650431878268345462622307080790201460993914739555030933412223443727451306619192444521947087311524606746672804056939248534450817019868870802552074243882377
e2=10907651584541464409470494737289836122935666586931706055595902003883184928824627549246585826596861981965927482456455737073705999708471130440398909870554351524288791148142553288839156753336551721274021596567766812030470532876231205718107266170708315964229471470530690537533600851746463150957473253899821019421342552091338365357017748742821451767352420328276163005698272017204771807428933429417340619373269170581813206653190286582334483827342338454461627946086922006705360281421384249860374825149668002500611584152958000206147344275567898096476692898681393229095674001876869497249423498186867190630700665116613171171985
c1=14151986355027540236877811729876734276410473157789551074684191809631364271052357249861862424614207635605041553420473293592242919606316628442514124449901660763278200999279517540020047022360186952956318844301844675024175636253509419780669989143178706203706350138854046573467948881219084764605132312446701967740275650109903208220772228525117766500225573404421894020148747991820530966508849170593946661068452445685905577771836515980941955814291933511646362511812580324895180140431064196870852032763940873198931010750588123937360585160510295014722360134758829576304291022740315244570633962516612490451736612193602659033973
# From e1*(1 - 1024*e2) == e2 (mod phi) it follows that
# c1**(1024*e2 - 1) == m**(-e2) (mod n): a second value under the same modulus.
c2 = pow(c1, 1024 * e2 - 1, n)
# Bezout coefficients: e1*x1 + e2*x2 == gcd(e1, e2), which the write-up takes to be 1.
x1, x2 = exgcd(e1, e2)
# m**(e1*x1) * m**(e2*x2) == m**(e1*x1 + e2*x2) == m (mod n).
# One of the two exponents is negative; three-argument pow() then computes a
# modular inverse, which needs Python 3.8 or newer.
factor_e1 = pow(c1, x1, n)
factor_e2 = pow(c2, -x2, n)
m = factor_e1 * factor_e2 % n
print(long_to_bytes(m))

1024_密码系统

# -*- coding:utf-8 -*-
# Author:airrudder

from Crypto.Cipher import DES
from binascii import b2a_hex, a2b_hex
from secret import FLAG,KEY,HINT
from itertools import *
import random

def Encode_1024sys(data,key):
    """Encrypt data in 8-character blocks with DES-ECB and return the result as hex.

    Two ciphers are built, one keyed with ``key`` and one with ``key``
    reversed, and each block is encrypted under whichever of the two
    ``random.choice`` picks.

    Security notes for readers of this challenge source:
      * ECB is deterministic: the same plaintext block under the same key
        always yields the same ciphertext block, so equality of blocks leaks.
      * Choosing between only two keys per block does not remove that
        determinism; it only makes a match probabilistic.
      * DES and the non-cryptographic ``random`` module are not suitable for
        protecting real data.

    Args:
        data: text whose length is a multiple of 8 (each block is encoded
            with ``str.encode`` before encryption).
        key: DES key as text; it is encoded with ``str.encode``.

    Returns:
        Lower-case hex string of the concatenated ciphertext blocks.
    """
    chunks = [data[start:start + 8] for start in range(0, len(data), 8)]
    forward = DES.new(key.encode(), DES.MODE_ECB)
    backward = DES.new(key[::-1].encode(), DES.MODE_ECB)
    hex_parts = []
    for chunk in chunks:
        cipher = random.choice([forward, backward])
        encrypted = cipher.encrypt(chunk.encode())
        hex_parts.append(b2a_hex(encrypted).decode())
    return ''.join(hex_parts)

def Encode_1024(data,key):
    """Pad data, encrypt it with Encode_1024sys and return a masked hex string.

    Padding appends characters from the repeating sequence '1', '0', '2', '4'
    until the length is a multiple of 8. The hex ciphertext is read as an
    integer, raised to the 12th power, and a random integer between 10**1023
    and 10**1024 is added before converting back to hex (without the '0x').

    NOTE(review): the write-up that follows this listing observes that, for
    the ciphertext sizes produced here, the added random term is smaller than
    the gap between consecutive 12th powers, so it does not conceal the
    ciphertext. Arithmetic masking of this kind is not a security layer.

    Raises:
        ValueError: if data is empty, because int('', 16) is invalid.
    """
    filler = cycle('1024')
    while len(data) % 8:
        data += next(filler)
    hex_ciphertext = Encode_1024sys(data, key)
    mask = random.randint(10**1023, 10**1024)
    masked = int(hex_ciphertext, 16) ** 12 + mask
    return hex(masked)[2:]

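def main():
    """Run the interactive menu: encode a message, verify a FLAG guess, or exit.

    Option 1 encrypts ``msg + FLAG``, i.e. caller-chosen text placed directly
    in front of the secret, with the deterministic block cipher mode used by
    Encode_1024. That chosen-prefix-plus-ECB design is the weakness this
    challenge is built around. A real service should never encrypt
    caller-controlled data next to a secret under ECB; use an authenticated
    mode with a fresh nonce per message.

    Option 2 prints HINT when the input equals FLAG.
    NOTE(review): ``==`` on strings is not a constant-time comparison;
    ``hmac.compare_digest`` is the usual choice for secrets.

    Any exception raised while serving (for example EOFError when the peer
    disconnects) ends the loop after printing 'error', so no traceback is
    shown to the client.
    """
    menu = '''
1. Encode
2. Verify your FLAG
3. Exit
'''
    try:
        while True:
            print(menu)
            choice = input("> ")
            if choice == "1":
                msg = input("Please input your msg: ")
                data_out = Encode_1024(msg+FLAG,KEY)
                print("hex(Encode_1024(msg+flag)) is :",data_out)
            elif choice == "2":
                yourFLAG = input('Please input your FLAG: ')
                if yourFLAG == FLAG:
                    print(HINT)
                else:
                    print('1024, nonono..., come on!!!')
            elif choice == "3":
                print("Bye!")
                return
            else:
                # Falls through to the next loop iteration; the original
                # trailing `continue` was redundant.
                print("Invalid choice!")
    except Exception:
        # Narrowed from a bare `except:` so KeyboardInterrupt and SystemExit
        # are no longer swallowed; errors a client can trigger are still
        # caught here.
        print('error')


if __name__ == "__main__":
    main()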

ECB模式的经典攻击的一个魔改 https://www.jianshu.com/p/8aef410a2eae

注意到 $c^{12}+\mathrm{random}<(c+1)^{12}$

故直接对接收信息开12次方取整即为加密信息

后面就是按照这个攻击方式写代码了,要修改的一个地方是有两个key,随机选择一种加密,于是在爆破的时候要多循环几次确保不会出现由于key不同无法筛出明文的情况

开头先随便输入确定明文长度为38

代码如下:

from pwn import *
from string import printable
import gmpy2
# pwntools connection to the challenge service; every request goes through p.
p=remote('pwn.challenge.ctf.show',28165)
# Candidate alphabet tried for each position.
# NOTE(review): this name shadows the builtin `list` for the rest of the script.
list=printable
# Characters confirmed so far; the main loop prepends each newly confirmed one.
payload=''
# Count of confirmed characters; check() uses k // 8 to choose which block to compare.
k=0
# pad[length % 8] is the filler that brings a string of that length up to a
# multiple of 8, using the same '1', '0', '2', '4' sequence the server pads with.
pad=['','1024102','102410','10241','1024','102','10','1']

def check(m):
    """Return 1 if the first ciphertext block equals the probed tail block, else 0.

    ``m`` is the ciphertext as a hex string, so 16 hex characters are one
    8-byte block. The probed block is the one ``k // 8 + 1`` blocks from the
    end, where ``k`` is the module-level count of characters confirmed so far.
    """
    blocks_back = k // 8
    # A stop index of 0 would yield an empty slice, so the last block needs an
    # open-ended slice instead.
    stop = -blocks_back * 16 or None
    leading_block = m[:16]
    probed_block = m[-(blocks_back + 1) * 16:stop]
    return int(leading_block == probed_block)
def repeated():
    """Send one Encode request for the current guess and return check()'s verdict.

    Reads the module-level ``j`` (candidate character), ``payload`` (confirmed
    characters) and ``pad``. The reply is hex text; its integer 12th root,
    taken with gmpy2.iroot, is converted back to hex and passed to check().

    NOTE(review): hex() drops leading zeros, so if the ciphertext begins with
    a zero nibble the string is shorter and the "first 16 characters" no
    longer line up with the first block.
    """
    p.recvuntil('> ')
    p.sendline('1')
    guess = j + payload
    message = guess + pad[len(guess) % 8] + 'a' * (len(payload) + 1) + 'aa'
    p.recvuntil('msg: ')
    p.sendline(message)
    p.recvuntil('is : ')
    reply_hex = p.recvuntil('\n')[:-1]
    root = gmpy2.iroot(int(reply_hex, 16), 12)[0]
    return check(hex(int(root))[2:])

# Work through the 38 unknown characters (length determined beforehand, per
# the write-up), confirming one character per outer iteration.
for position in range(38):
    print(position)
    for j in list:
        # The server picks one of two keys at random for every block, so a
        # single mismatch proves nothing. The same request is sent seven
        # times and any match counts.
        hits = sum(repeated() for _ in range(7))
        print(hits)
        if hits > 0:
            # Characters are confirmed from the end of the secret backwards,
            # hence the prepend.
            payload = j + payload
            k += 1
            break
print(payload)
p.interactive()

提交后服务器反馈:wow! You get the FLAG, but flag is not this, please pay attention to the number 10248

还需对你所提交的信息进行云影解密

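# Decode the digit string: '0' separates groups, the digits of each group are
# summed, and the sum is the 1-based position of the letter in the alphabet
# (chr(sum + 64): 1 -> 'A', 2 -> 'B', ...).
# The original loop rebound the builtins `str` and `sum` and reused `i` for
# both loops; this version leaves the builtins intact.
a = "44414440122401244401404424404421440414"
a = a.split("0")
flag = ''.join(chr(sum(int(digit) for digit in group) + 64) for group in a)
print(flag)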

1024_麻辣兔头第七锅

<TH CTIW yhty,fEDLINhh ae  oEAODeufv sLuRNEnmoeahinA P ar nobdOEin cdueaFNn oo lrt D ennedtiEtvenq yoNhe eud,nCenpcae  E tetlcao>Csoe lnno,pdsad u l tr srietaetust ht hce teiteh bomoh  oe  neppfcdw  uroiitcrimstoasnesh uucso wsii lahetpnvnis leeoc oec thwfseth h  shetiHaserhcana ,ehpdrp   p oaLiiolnamnridwpegt sesait lsncoo .ia ftfzla hli sNeanbsamggout { nmut8iderocts e 5s a t6 wmahdphone4oind awcg sbeh oe3r tfpesh ad eNr8i aa4nPttf oui8swroeueenbcr'.7hssWd   e2foG bofohcr do7mt l3,hed6 en 7a tt2seih8 ate1trls4oteed h  5t,tt}h hrTeteuhmhmta e,hts  s hsa tae tolpdo lae s rcbesaeecen uetsrm ee rl meftos-hspeetevs cieltd i erktnieotgl ,hyt t htsteh,o a  otGep ofiavfnleeilrco ntnmm seet nnho tefasi r rmea a rSnceakr fieienantdtsy et rdiae tnqeuduqt iueHradael ps,ap  mittonhhneaagstt s  M.tte hhnPee,ry u ddaeerrneic veei,nn dgio nwtdehedee idbr,y   jwtuihsletli  rpd oiCwcreteraastt eof rrt ohwmai ttt hhG eoc vecerortnnasmieennn ttu sno afll oitnehgne a ebgsloteva ebRrlinigeshdht.eshd,a  tst hhwoahutel ndae mvnoeonrtg   abtnehy e csfheoa rnamgr eeod f L fiGoforev elringmhetn ta nbde ctormaenss ideenstt rcuacutsievse;  oafn dt haecsceo rednidnsg,l yi ta lils  etxhpee rRiiegnhcte  ohfa st hseh oPweno,p lteh atto  maalntkeirn do ra rteo  maobroel idsihs piots,e da ntdo  tsou fifnesrt,i twuhtiel en eewv iGlosv earrnem esnutf,f elraaybilneg,  itthsa n to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object, evinces a design to reduce them under absolute Despotism, it is their ri

提示了栅栏我们又发现密文里面含{ },于是在其附近按一定间隔的找齐flag即可

flag{8c56d4ab3ed84f8eb7d2bc73672814d5}
