WHUCTF2025暑假新生赛(四)

WHUCTF2025暑假新生赛

CRYPTO

ezAES

Symmetry is beautifu
附件源码如下:

点击查看代码 
from random import Random
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
#from secret import flag

key = Random(2025).randbytes(16)

print(AES.new(key, AES.MODE_CBC, iv=flag[9:25]).encrypt(pad(flag, 16)).hex())

# 11b647e76cf8a478fcf52ee715be37eb032abc11d8a760d3531d3832e0bc140bc66d8471903acfd9b8672a22aa88d5c3e03af366f2d7a5b52dd2ffa0d7a1db3a

是个比较简单的AES问题,可以先倒过来异或求出明文部分的P1,P2,P3,接下来求解P0,先将P0,P1,P2,P3拼接,之后计算前16字节,有P[i] = iv[i] ^ mid[0][i],而我们知道iv = flag[9:25],所以iv[i] = P[i+9],那么P[i] = P[i+9] ^ mid[0][i],从P[15]求起,到P[0]结束,得到flag,代码如下:

点击查看代码 
from random import Random
from Crypto.Cipher import AES
c_hex = '11b647e76cf8a478fcf52ee715be37eb032abc11d8a760d3531d3832e0bc140bc66d8471903acfd9b8672a22aa88d5c3e03af366f2d7a5b52dd2ffa0d7a1db3a'
c = bytes.fromhex(c_hex)
key = Random(2025).randbytes(16)
# 拆分密文为4个16字节块(C0, C1, C2, C3)
C = [c[i*16 : (i+1)*16] for i in range(4)]
# 用ECB模式解密每个密文块,得到mid[i] = D_k(C[i])
aes_ecb = AES.new(key, AES.MODE_ECB)
mid = [aes_ecb.decrypt(blk) for blk in C]
# 计算已知明文块P1、P2、P3
P1 = bytes([C[0][j] ^ mid[1][j] for j in range(16)])  # P1 = D(C1) ^ C0
P2 = bytes([C[1][j] ^ mid[2][j] for j in range(16)])  # P2 = D(C2) ^ C1
P3 = bytes([C[2][j] ^ mid[3][j] for j in range(16)])  # P3 = D(C3) ^ C2
P = [0] * 64
# 填充已知的P1、P2、P3
for i in range(16):
    P[16 + i] = P1[i]  # P1对应索引16-31
    P[32 + i] = P2[i]  # P2对应索引32-47
    P[48 + i] = P3[i]  # P3对应索引48-63
# 倒推求解P0(索引0-15):利用P[i] = mid[0][i] ^ P[9+i]
# 从i=15开始(因为9+15=24属于P1,已知),逐步推到i=0
for i in range(15, -1, -1):
    P[i] = mid[0][i] ^ P[9 + i]
flag = bytes(P)
print(flag)

#WHUCTF{b1a6labl4@#$%_Enjoy_th3_Fun_0f_y0ur_AESSSS_5ymm3try!}

MatrixRSA

这也能RSA吗?
附件源码如下:

点击查看代码 
# Sage 10.6
import os
from Crypto.Util.number import *
from secret import flag
ext_len = (4 - len(flag) % 4) % 4  
flag += os.urandom(ext_len)       

def my_rsa_encrypt():
    p = getPrime(512)
    q = getPrime(512)
    n = p * q
    data = []
    for i in range(0, len(flag), len(flag)//4):
        data.append(bytes_to_long(flag[i:i+len(flag) // 4]))
    print(data)
    M = Matrix(Zmod(n), [data[i:i+2] for i in range(0, len(data), 2)])
    print(M)
    e = 65537
    C = M ** e
    print("p =", p)
    print("n =", n)
    return C

C = my_rsa_encrypt()
print("C =", C)

# p = 10242329278883101442921883206413617798222688052883372747307362707210958717802464844435967143122230352270648783154008471366403133081371750250861826677988929
# n = 70572102042694992996602966855591701870029200893739849514358656269528448528219547969491401387414331690842214232921489889989513522931258875177548520258431874818503343121706315424501818177364762419097987677760678597341192255308301871336240808452078329791297332888707901425232293294989775593804120820884417793341
# C = [ 8224867617331644878574980950958179343398088965110714405604114255007220006856130063589542915387311076607251889643209731605096798039361111186535374830028337645260055352504733299900218812360406726003808405714711578792538876292963763588806301414056662574117364810584586040943233267945825275560835620769014703832 35799721262101418478395378597615216353540843805032221650686623485815778437138667050909569140120549974627197767785751478572411835015122182373996382724626662016597942794047695162007246092638230053881037769809454028074655281564313201909035220445568103392789826372356225284379676529336777203160698609284798004264]
#     [41034969529483419396616527866738566104198741588822395891129319064878102744607915694184396307130241672456749983484856909979310047924122876287330479809342826484524466658367848374267605528284643308595716798121374986843805749689761573050626781887118005969704206749236770114793684957300832510773052912549373360646  8333716949862828746943715656377684657825814488036190280626148922317824746791631775517567167543041828013826398968348234050133009383488891038509810592816918374744465834766877761507113891134472291826710596285353851031825507253543876954904627948167272582542934229112424434715738622481925605779358957813507049246]

MatrixRSA,找了篇文章,论文复现:A Matrix Extension of the RSA Cryptosystem,里面介绍的很不错。
对于phi的取值,可以仔细看看,exp:

点击查看代码 
#sage10.6
from sage.all import *
from Crypto.Util.number import *
p = 10242329278883101442921883206413617798222688052883372747307362707210958717802464844435967143122230352270648783154008471366403133081371750250861826677988929
n = 70572102042694992996602966855591701870029200893739849514358656269528448528219547969491401387414331690842214232921489889989513522931258875177548520258431874818503343121706315424501818177364762419097987677760678597341192255308301871336240808452078329791297332888707901425232293294989775593804120820884417793341
q = n//p
e = 65537
phi = (p*p-1)*(q*q-1)*(p*p-p)*(q*q-q)
#phi = (p*p-1)*(q*q-1)
d = inverse(e, phi)
C = [ [8224867617331644878574980950958179343398088965110714405604114255007220006856130063589542915387311076607251889643209731605096798039361111186535374830028337645260055352504733299900218812360406726003808405714711578792538876292963763588806301414056662574117364810584586040943233267945825275560835620769014703832,35799721262101418478395378597615216353540843805032221650686623485815778437138667050909569140120549974627197767785751478572411835015122182373996382724626662016597942794047695162007246092638230053881037769809454028074655281564313201909035220445568103392789826372356225284379676529336777203160698609284798004264]
     ,[41034969529483419396616527866738566104198741588822395891129319064878102744607915694184396307130241672456749983484856909979310047924122876287330479809342826484524466658367848374267605528284643308595716798121374986843805749689761573050626781887118005969704206749236770114793684957300832510773052912549373360646,8333716949862828746943715656377684657825814488036190280626148922317824746791631775517567167543041828013826398968348234050133009383488891038509810592816918374744465834766877761507113891134472291826710596285353851031825507253543876954904627948167272582542934229112424434715738622481925605779358957813507049246]]
C = Matrix(Zmod(n),C)
C = C**d
flag = b''.join(long_to_bytes(int(x)) for row in C for x in row)
print(flag.decode('utf-8'))

'''
# p = 10242329278883101442921883206413617798222688052883372747307362707210958717802464844435967143122230352270648783154008471366403133081371750250861826677988929
# n = 70572102042694992996602966855591701870029200893739849514358656269528448528219547969491401387414331690842214232921489889989513522931258875177548520258431874818503343121706315424501818177364762419097987677760678597341192255308301871336240808452078329791297332888707901425232293294989775593804120820884417793341
# C = [ 8224867617331644878574980950958179343398088965110714405604114255007220006856130063589542915387311076607251889643209731605096798039361111186535374830028337645260055352504733299900218812360406726003808405714711578792538876292963763588806301414056662574117364810584586040943233267945825275560835620769014703832 35799721262101418478395378597615216353540843805032221650686623485815778437138667050909569140120549974627197767785751478572411835015122182373996382724626662016597942794047695162007246092638230053881037769809454028074655281564313201909035220445568103392789826372356225284379676529336777203160698609284798004264]
#     [41034969529483419396616527866738566104198741588822395891129319064878102744607915694184396307130241672456749983484856909979310047924122876287330479809342826484524466658367848374267605528284643308595716798121374986843805749689761573050626781887118005969704206749236770114793684957300832510773052912549373360646  8333716949862828746943715656377684657825814488036190280626148922317824746791631775517567167543041828013826398968348234050133009383488891038509810592816918374744465834766877761507113891134472291826710596285353851031825507253543876954904627948167272582542934229112424434715738622481925605779358957813507049246]
'''

#WHUCTF{Good_y0U_Kn0w_M4tr1x_RSA_W311!!!}
posted @ 2025-08-28 10:41  球球夺笋!  阅读(4)  评论(0)    收藏  举报