寒假刷题记录

寒假刷题记录

1/16

[MRCTF2020]babyRSA

import sympy
import random
from gmpy2 import gcd, invert
from Crypto.Util.number import getPrime, isPrime, getRandomNBitInteger, bytes_to_long, long_to_bytes
from z3 import *
flag = b"MRCTF{xxxx}"
base = 65537


def GCD(A):
    B = 1
    for i in range(1, len(A)):
        B = gcd(A[i-1], A[i])
    return B


def gen_p():
    P = [0 for i in range(17)]
    P[0] = getPrime(128)
    for i in range(1, 17):
        P[i] = sympy.nextprime(P[i-1])
    print("P_p :", P[9])
    n = 1
    for i in range(17):
        n *= P[i]
    p = getPrime(1024)
    factor = pow(p, base, n)
    print("P_factor :", factor)
    return sympy.nextprime(p)


def gen_q():
    sub_Q = getPrime(1024)
    Q_1 = getPrime(1024)
    Q_2 = getPrime(1024)
    Q = sub_Q ** Q_2 % Q_1
    print("Q_1: ", Q_1)
    print("Q_2: ", Q_2)
    print("sub_Q: ", sub_Q)
    return sympy.nextprime(Q)


if __name__ == "__main__":
    _E = base
    _P = gen_p()
    _Q = gen_q()
    assert (gcd(_E, (_P - 1) * (_Q - 1)) == 1)
    _M = bytes_to_long(flag)
    _C = pow(_M, _E, _P * _Q)
    print("Ciphertext = ", _C)
'''
P_p : 206027926847308612719677572554991143421
P_factor : 213671742765908980787116579976289600595864704574134469173111790965233629909513884704158446946409910475727584342641848597858942209151114627306286393390259700239698869487469080881267182803062488043469138252786381822646126962323295676431679988602406971858136496624861228526070581338082202663895710929460596143281673761666804565161435963957655012011051936180536581488499059517946308650135300428672486819645279969693519039407892941672784362868653243632727928279698588177694171797254644864554162848696210763681197279758130811723700154618280764123396312330032986093579531909363210692564988076206283296967165522152288770019720928264542910922693728918198338839
Q_1:  103766439849465588084625049495793857634556517064563488433148224524638105971161051763127718438062862548184814747601299494052813662851459740127499557785398714481909461631996020048315790167967699932967974484481209879664173009585231469785141628982021847883945871201430155071257803163523612863113967495969578605521
Q_2:  151010734276916939790591461278981486442548035032350797306496105136358723586953123484087860176438629843688462671681777513652947555325607414858514566053513243083627810686084890261120641161987614435114887565491866120507844566210561620503961205851409386041194326728437073995372322433035153519757017396063066469743
sub_Q:  168992529793593315757895995101430241994953638330919314800130536809801824971112039572562389449584350643924391984800978193707795909956472992631004290479273525116959461856227262232600089176950810729475058260332177626961286009876630340945093629959302803189668904123890991069113826241497783666995751391361028949651
Ciphertext =  1709187240516367141460862187749451047644094885791761673574674330840842792189795049968394122216854491757922647656430908587059997070488674220330847871811836724541907666983042376216411561826640060734307013458794925025684062804589439843027290282034999617915124231838524593607080377300985152179828199569474241678651559771763395596697140206072537688129790126472053987391538280007082203006348029125729650207661362371936196789562658458778312533505938858959644541233578654340925901963957980047639114170033936570060250438906130591377904182111622236567507022711176457301476543461600524993045300728432815672077399879668276471832
'''

题目中的def GCD()似乎是P用没有的 亏我研究半天

第一步解出p,是一串连续的质数并给出了其中的第10个(一共17个)只要用sympy的prevprime和nextprime可以很轻松的得到这17个质数然后算n,φ,d,解出p再nextprime

第二步解出q,已经给出了q的运算方法但是按照Q = sub_Q ** Q_2 % Q_1的方式是无法在短时间解出来的所以使用pow方法结果是一样的

随后直接解出flag 这么简单的题目就不要看本fw的脚本了吧

[网鼎杯 2020 青龙组]you_raise_me_up

是一道考察离散对数的题目(没错就是我不会)

题目本身没有难点所以就简述一下知识点:

​ 离散对数问题:已知g的x次方模p等于h,g h p已知求x,可以使用x=sympy.discrete_log(p,h,g)

[UTCTF2020]basic-crypto

是道ex人的古典密码但我还是写了

第一步二进制转十进制然后ASCII码转字符

第二步base64(无换表)

第三步维吉尼亚在线破解https://www.guballa.de/vigenere-solver

第四步字符替换在线破解quipqiup - cryptoquip and cryptogram solver

下次一定直接跳(

[HDCTF2019]together

这是一道简单的共模攻击的题目但是本fw还是花了好长时间才完成

因为公钥文件私钥文件flagenc啥的实在是太为难我了(bushi

下面是一些openssl的东西

提取公钥文件信息:openssl rsa -pubin -text -modulus -in warmup -in pubkey.pem

生成私钥文件:python rsatool.py -o private.pem -e xxx-p xxx -q xxx

用private.pem文件 解密 flag.enc文件:openssl rsautl -decrypt -in flag.enc -inkey private.pem

但这不是这道题目搞我心态的地方(因为起码知道在哪找

搞我心态的是我竟然对一个base64加密之后的flag文件束手无策(正文开始

打开myflag1可以看到里面是明显的base64编码

bytes_to_long(base64.b64decode(s))得到10进制的或者base64.b64decode(s).hex()得到16进制的

我纯纯nt

1.17

[WUSTCTF2020]情书

过于简单,略

坏蛋是雷宾

rabin算法是rsa的一种衍生算法,其 p,q % 4 == 3, \(c = pow(m, 2, n)\)

解密过程如下,会得到四个明文,如果没有其他信息无法确定哪个是正确的

import gmpy2  

c = 162853095  # 密文 c  
p = 49123             # 分解后的素数 p  
q = 10663             # 分解后的素数 q  
n = p*q                                                 # 公钥 N  

# 根据中国剩余定理求解相应明文  
r = pow(c,(p+1)//4,p)  
s = pow(c,(q+1)//4,q)  
a = gmpy2.invert(p,q)  
b = gmpy2.invert(q,p)  
x =(a*p*s+b*q*r)%n  
y =(a*p*s-b*q*r)%n  

# 打印明文  
print(x%n)  
print((-x)%n)  
print(y%n)  
print((-y)%n)

在本题中找到二进制符合题目的解10010011100100100101010110001然后去掉最后6个校验位再转成十进制md5

[WUSTCTF2020]dp_leaking_1s_very_d@angerous

一道基础的dp泄露攻击 (终于可以把一篇远古时期写的不知道往哪里贴的放上来了)

\(dp=d mod (p-1)\)

\(dp*e=ed mod (p-1)\)

\(ed = k1(p-1) +dp *e\)

\(ed ≡1 mod (p-1)(q-1)\)

\(k1(p-1) + dp*e = 1 mod (p-1)(q-1)\)

\(k1(p-1) + dp*e = k2(p-1)(q-1) + 1\)

\(dp*e = k2[(q-1)-k1] * (p-1) + 1\)

\(x = k2[(q-1)-k1]\)

\(dp * e = x * (p-1) + 1\)

因为\(dp<(p-1)\), 所以\(x<e\)

遍历\(x\)\(1\)\(e\)

from Crypto.Util.number import*
e = 
n = 
dp = 
c = 
for i in range(1,65538):
    if (dp*e-1)%i == 0:
        if n%(((dp*e-1)//i)+1)==0:
            p=((dp*e-1)//i)+1
            q=n//(((dp*e-1)//i)+1)
            phi = (p-1)*(q-1)
            d=inverse(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))

ps:这个题目名字好像就是flag捏(

[BJDCTF2020]Polybius

好像是道古典密码捏

题目名字就是这个密码然后懒狗直接找了wp(

emmm没啥好说的不是很难就写个脚本列举出aeiou排列顺序和替换i/j然后找出有意义的序列

[NPUCTF2020]EzRSA

一道神奇的题目(

先看题目

from gmpy2 import lcm , powmod , invert , gcd , mpz
from Crypto.Util.number import getPrime
from sympy import nextprime
from random import randint
p = getPrime(1024)
q = getPrime(1024)
n = p * q
gift = lcm(p - 1 , q - 1)
e = 54722
flag = b'NPUCTF{******************}'
m = int.from_bytes(flag , 'big')
c = powmod(m , e , n)
print('n: ' , n)
print('gift: ' , gift)
print('c: ' , c)
#输出略(

\(gift\)\((p-1)\)\((q-1)\)的最小公倍数,其比特位为2045

而$ φ \(的比特位应为2048位,所以应有\)φ = gift * i\(其中\) i ∈ ( 4 , 8 ) $

爆破一下\(i\)就好了,但是开始算的时候发现\(e\)不是一个质数,\(e = 27361 * 2\)

那么就按\(e = 27361\)计算之后再对m开方

from Crypto.Util.number import*
import gmpy2
'''
n=
gift=
c=
'''
e=54722//2
for i in range(4,9):
	phi=gift*i
	d=inverse(e,phi)
	m=pow(c,d,n)
	m,_=gmpy2.iroot(m,2)
	m=long_to_bytes(m)
	print(m)

这时候奇妙的事情增加了,我发现这5次都输出了相同的值(也就是flag

于是我把\(i\)设定为\(1\)也就是直接把\(gift\)当成\(φ\)用居然也得到了相同的答案。最后我发现无论\(i\)为何数都可以得到相同的明文(\(d\)不相同)

由于对rsa的原理并没有理解的非常透彻,本fw决定放弃解释并向huangx求助

实际上\(lcm(p-1, q-1)\)\(φ\)的最简形式(但是我不知道怎么证明)

至于为什么i取任意值都可以达到呢

借这个机会先重新再整理一遍rsa解密推导过程

\[c^d\ ≡\ m(mod\ n)\ \ >>\ \ (m^e-kn)^d≡m(mod\ n)\ \ >>\ \ m^{ed}≡m(mod\ n) \]

\[>>\ \ m^{hφ(n)+1}≡m\ (mod\ n)\ \ >>\ \ m^{hφ(n)}≡1\ (mod\ n) \]

根据欧拉定理我们可以知道上式是成立的

那么对于i取任意值的情况,下式也成立

\[m^{kiφ(n)}≡1 \]

[AFCTF2018]BASE

一整个无语住

什么都好说,就是这个文件实在是太大了,基本思路先16进制转文本(可以用winhex)然后basecrack一条龙,但是问题就是这个文件实在是太大了

八说了,

[BJDCTF2020]编码与调制

根据图片的内容找到曼彻斯特编码,略

[NPUCTF2020]Classical Cipher

古典密码(逃

[ACTF新生赛2020]crypto-classic1

古典(逃

坑爹之处在于:BUU给的题目是错的捏并且解完还要你给他变成小写才能过捏

原题为SRLU{OWSI_S_RDPKHARSA_NXYTFTJT}

四面八方

古典(逃

1.18

[MRCTF2020]Easy_RSA

先看题目

import sympy
from gmpy2 import gcd, invert
from random import randint
from Crypto.Util.number import getPrime, isPrime, getRandomNBitInteger, bytes_to_long, long_to_bytes
import base64

from zlib import *
flag = b"MRCTF{XXXX}"
base = 65537

def gen_prime(N):
    A = 0
    while 1:
        A = getPrime(N)
        if A % 8 == 5:
            break
    return A

def gen_p():
    p = getPrime(1024)
    q = getPrime(1024)
    assert (p < q)
    n = p * q
    print("P_n = ", n)
    F_n = (p - 1) * (q - 1)
    print("P_F_n = ", F_n)
    factor2 = 2021 * p + 2020 * q
    if factor2 < 0:
        factor2 = (-1) * factor2
    return sympy.nextprime(factor2)


def gen_q():
    p = getPrime(1024)
    q = getPrime(1024)
    assert (p < q)
    n = p * q
    print("Q_n = ", n)
    e = getRandomNBitInteger(53)
    F_n = (p - 1) * (q - 1)
    while gcd(e, F_n) != 1:
        e = getRandomNBitInteger(53)
    d = invert(e, F_n)
    print("Q_E_D = ", e * d)
    factor2 = 2021 * p - 2020 * q
    if factor2 < 0:
        factor2 = (-1) * factor2
    return sympy.nextprime(factor2)


if __name__ == "__main__":
    _E = base
    _P = gen_p()
    _Q = gen_q()
    assert (gcd(_E, (_P - 1) * (_Q - 1)) == 1)
    _M = bytes_to_long(flag)
    _C = pow(_M, _E, _P * _Q)
    print("Ciphertext = ", _C)
'''
P_n =  略
P_F_n =  
Q_n =  
Q_E_D =  
Ciphertext =  
'''

\(p\),直接sage解方程

\(q\),先计算\(phi=(e*d-1)//(((e*d-1)//n)+1)\),随后和计算p一样,sage解出方程

随后正常rsa解出flag

EasyProgram

看到与flag有关的运算只有最后一句异或

先把伪代码转换成python(虽然没什么用只是看着舒服

key = "whoami"
flag = "flag{********************************}"
s = []
t = []
f = ""
j = 0
for i in range(256):
	s.append(i)
	t.append(key[i%len(key)])
for i in range(256):
	j = (j+s[i]+ord(t[i]))%256
	s[i],s[j]=s[j],s[i]
for m in range(38):
	i = (i+1)%256
	j = (j+s[i])%256
	s[i], s[j] = s[j], s[i]
	x = (s[i]+(s[j]%256))%256
	f += chr(ord(flag[m])^s[x])
print(f)

那么直接逆运算回去,由于只有一个和flag有关的运算,所以代码改动不是很大

看一眼file文件是乱码用winhex读16进制刚好38位于是手敲进去(我是菜狗)

key = "whoami"
flag = [0x00,0xBA,0x8F,0x11,0x2B,0x22,0x9F,0x51,0xA1,0x2F,0xAB,0xB7,0x4B,0xD7,0x3F,0xEF,0xE1,0xB5,0x13,0xBE,0xC4,0xD4,0x5D,0x03,0xD9,0x00,0x7A,0xCA,0x1D,0x51,0xA4,0x73,0xB5,0xEF,0x3D,0x9B,0x31,0xB3]
s = []
t = []
f = ""
j = 0
for i in range(256):
	s.append(i)
	t.append(key[i%len(key)])
for i in range(256):
	j = (j+s[i]+ord(t[i]))%256
	s[i], s[j] = s[j], s[i]
i,j = 0,0
for m in range(38):
	i = (i+1)%256
	j = (j+s[i])%256
	s[i], s[j] = s[j], s[i]
	x = (s[i]+(s[j]%256))%256
	f += chr(flag[m] ^ s[x])
print(f)

[INSHack2017]rsa16m

一打开看着挺哈人的但是我们知道当n>>e的时候存在可能对c直接开e次方就能得到密文或者m^e = k*n+c中的k很小使得我们可以通过爆破得到

本题中直接开e次方就完事了(好烦这么大的txt虚拟机都打不开)

c = #略
e = 0x10001
import gmpy2
from Crypto.Util.number import*
m,_=gmpy2.iroot(c,e)
m=long_to_bytes(m)
print(m)

[AFCTF2018]你听过一次一密么?

一眼懵,先查一次一密,然后继续懵,然后看官方wp原来是Many-Time-Pad还是不会

继续查,翻到一篇写的比较好的wp于是懂了 (顺便嫖了代码) Many-Time-Pad 攻击

转述:

已知\(C_i⊕key=M_i\)

根据异或运算的性质,

\[C_1⊕C_2=(M_1⊕key)⊕(M_2⊕key)=M_1⊕M_2 \]

也就是说两个密文的异或就相当于对应明文的异或,此外我们还会发现 空格⊕大写字母=相应小写字母。所以如果x⊕y得到的是一个字母,那么x,y中就很可能有一个为空格。

将每条密文两两异或,得到相应列中,英文字母最多的,那么就假定该行明文的该列处为空格,如此可以恢复出该列的所有明文。

import Crypto.Util.strxor as xo
import libnum, codecs, numpy as np

def isChr(x):
    if ord('a') <= x and x <= ord('z'): return True
    if ord('A') <= x and x <= ord('Z'): return True
    return False

def infer(index, pos):
    if msg[index, pos] != 0:
        return
    msg[index, pos] = ord(' ')
    for x in range(len(c)):
        if x != index:
            msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(' ')

dat = []

def getSpace():
    for index, x in enumerate(c):
        res = [xo.strxor(x, y) for y in c if x!=y]
        f = lambda pos: len(list(filter(isChr, [s[pos] for s in res])))
        cnt = [f(pos) for pos in range(len(x))]
        for pos in range(len(x)):
            dat.append((f(pos), index, pos))

c = [codecs.decode(x.strip().encode(), 'hex') for x in open('Problem.txt', 'r').readlines()]

msg = np.zeros([len(c), len(c[0])], dtype=int)

getSpace()

dat = sorted(dat)[::-1]
for w, index, pos in dat:
    infer(index, pos)

print('\n'.join([''.join([chr(c) for c in x]) for x in msg]))

执行代码之后可以发现我们已经恢复出了大部分的明文(这里遇到一个小问题,直接执行这个代码是报错了,问题在于最后一行密文少了最后两位,补上两个0就可以了)

虽然还不是最终结果,但已经可以猜测出相应出错位置的字母了

def know(index, pos, ch):
    msg[index, pos] = ord(ch)
    for x in range(len(c)):
        if x != index:
            msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(ch)

know(10, 21, 'y')
know(8, 14, 'n')

print('\n'.join([''.join([chr(c) for c in x]) for x in msg]))

加上这一串代码就可以通过确定的字母恢复出相应出错列的明文

最后用\(C_1⊕M_1\)得到\(key\)

key = xo.strxor(c[0], ''.join([chr(c) for c in msg[0]]).encode())
print(key)

大佬写的代码太好了555

1.20

[De1CTF2019]babyrsa

题目
import binascii
from data import e1,e2,p,q1p,q1q,hint,flag

n =  [20129615352491765499340112943188317180548761597861300847305827141510465619670536844634558246439230371658836928103063432870245707180355907194284861510906071265352409579441048101084995923962148527097370705452070577098780246282820065573711015664291991372085157016901209114191068574208680397710042842835940428451949500607613634682684113208766694028789275748528254287705759528498986306494267817198340658241873024800336013946294891687591013414935237821291805123285905335762719823771647853378892868896078424572232934360940672962436849523915563328779942134504499568866135266628078485232098208237036724121481835035731201383423L, 31221650155627849964466413749414700613823841060149524451234901677160009099014018926581094879840097248543411980533066831976617023676225625067854003317018794041723612556008471579060428898117790587991055681380408263382761841625714415879087478072771968160384909919958010983669368360788505288855946124159513118847747998656422521414980295212646675850690937883764000571667574381419144372824211798018586804674824564606122592483286575800685232128273820087791811663878057827386379787882962763290066072231248814920468264741654086011072638211075445447843691049847262485759393290853117072868406861840793895816215956869523289231421L, 29944537515397953361520922774124192605524711306753835303703478890414163510777460559798334313021216389356251874917792007638299225821018849648520673813786772452822809546571129816310207232883239771324122884804993418958309460009406342872173189008449237959577469114158991202433476710581356243815713762802478454390273808377430685157110095496727966308001254107517967559384019734279861840997239176254236069001453544559786063915970071130087811123912044312219535513880663913831358790376650439083660611831156205113873793106880255882114422025746986403355066996567909581710647746463994280444700922867397754748628425967488232530303L, 25703437855600135215185778453583925446912731661604054184163883272265503323016295700357253105301146726667897497435532579974951478354570415554221401778536104737296154316056314039449116386494323668483749833147800557403368489542273169489080222009368903993658498263905567516798684211462607069796613434661148186901892016282065916190920443378756167250809872483501712225782004396969996983057423942607174314132598421269169722518224478248836881076484639837343079324636997145199835034833367743079935361276149990997875905313642775214486046381368619638551892292787783137622261433528915269333426768947358552919740901860982679180791L]
c =  [19131432661217908470262338421299691998526157790583544156741981238822158563988520225986915234570037383888112724408392918113942721994125505014727545946133307329781747600302829588248042922635714391033431930411180545085316438084317927348705241927570432757892985091396044950085462429575440060652967253845041398399648442340042970814415571904057667028157512971079384601724816308078631844480110201787343583073815186771790477712040051157180318804422120472007636722063989315320863580631330647116993819777750684150950416298085261478841177681677867236865666207391847046483954029213495373613490690687473081930148461830425717614569L, 15341898433226638235160072029875733826956799982958107910250055958334922460202554924743144122170018355117452459472017133614642242411479849369061482860570279863692425621526056862808425135267608544855833358314071200687340442512856575278712986641573012456729402660597339609443771145347181268285050728925993518704899005416187250003304581230701444705157412790787027926810710998646191467130550713600765898234392350153965811595060656753711278308005193370936296124790772689433773414703645703910742193898471800081321469055211709339846392500706523670145259024267858368216902176489814789679472227343363035428541915118378163012031L, 18715065071648040017967211297231106538139985087685358555650567057715550586464814763683688299037897182845007578571401359061213777645114414642903077003568155508465819628553747173244235936586812445440095450755154357646737087071605811984163416590278352605433362327949048243722556262979909488202442530307505819371594747936223835233586945423522256938701002370646382097846105014981763307729234675737702252155130837154876831885888669150418885088089324534892506199724486783446267336789872782137895552509353583305880144947714110009893134162185382309992604435664777436197587312317224862723813510974493087450281755452428746194446L, 2282284561224858293138480447463319262474918847630148770112472703128549032592187797289965592615199709857879008271766433462032328498580340968871260189669707518557157836592424973257334362931639831072584824103123486522582531666152363874396482744561758133655406410364442174983227005501860927820871260711861008830120617056883514525798709601744088135999465598338635794275123149165498933580159945032363880613524921913023341209439657145962332213468573402863796920571812418200814817086234262280338221161622789516829363805084715652121739036183264026120868756523770196284142271849879003202190966150390061195469351716819539183797L]
f=lambda m,e,n,c:pow(m,e,n)==c
assert(sum(map(f,[p]*4,[4]*4,n,c))==4)

ee1 = 42
ee2 = 3
ce1 =  45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2 =  13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
tmp =  864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
n  =  15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039
assert(pow(e1,ee1,n)==ce1)
assert(pow(e2+tmp,ee2,n)==ce2)

e = 46531
n = 16278524034278364842964386062476113517067911891699789991355982121084973951738324063305190630865511554888330215827724887964565979607808294168282995825864982603759381323048907814961279012375346497781046417204954101076457350988751188332353062731641153547102721113593787978587135707313755661153376485647168543680503160420091693269984008764444291289486805840439906620313162344057956594836197521501755378387944609246120662335790110901623740990451586621846212047950084207251595169141015645449217847180683357626383565631317253913942886396494396189837432429078251573229378917400841832190737518763297323901586866664595327850603
c = 14992132140996160330967307558503117255626925777426611978518339050671013041490724616892634911030918360867974894371539160853827180596100892180735770688723270765387697604426715670445270819626709364566478781273676115921657967761494619448095207169386364541164659123273236874649888236433399127407801843412677293516986398190165291102109310458304626261648346825196743539220198199366711858135271877662410355585767124059539217274691606825103355310348607611233052725805236763220343249873849646219850954945346791015858261715967952461021650307307454434510851869862964236227932964442289459508441345652423088404453536608812799355469
hint=int(binascii.hexlify(hint),16)
assert(q1p*q1q==n)
assert(q1p<q1q)
assert(c==pow(hint,e,n))

flag=int(binascii.hexlify(flag),16)
q1=q1p
q2 =  114401188227479584680884046151299704656920536168767132916589182357583461053336386996123783294932566567773695426689447410311969456458574731187512974868297092638677515283584994416382872450167046416573472658841627690987228528798356894803559278308702635288537653192098514966089168123710854679638671424978221959513
c1 =  262739975753930281690942784321252339035906196846340713237510382364557685379543498765074448825799342194332681181129770046075018122033421983227887719610112028230603166527303021036386350781414447347150383783816869784006598225583375458609586450854602862569022571672049158809874763812834044257419199631217527367046624888837755311215081173386523806086783266198390289097231168172692326653657393522561741947951887577156666663584249108899327053951891486355179939770150550995812478327735917006194574412518819299303783243886962455399783601229227718787081785391010424030509937403600351414176138124705168002288620664809270046124
c2 =  7395591129228876649030819616685821899204832684995757724924450812977470787822266387122334722132760470911599176362617225218345404468270014548817267727669872896838106451520392806497466576907063295603746660003188440170919490157250829308173310715318925771643105064882620746171266499859049038016902162599261409050907140823352990750298239508355767238575709803167676810456559665476121149766947851911064706646506705397091626648713684511780456955453552020460909638016134124590438425738826828694773960514221910109473941451471431637903182205738738109429736425025621308300895473186381826756650667842656050416299166317372707709596
assert(c1==pow(flag,e1,p*q1))
assert(c2==pow(flag,e2,p*q2))

前三部分都比较简单,第四部分tnl(大概我是个fw吧)

第一部分纯纯的CRT定理,解出最小特解p,但是记得开4次方才是p的值(

第二部分e比较小尝试爆破,其中e2要的k比较大(吓得我差点以为爆破不了

第三部分一眼傻,放到factordb分解一下居然出来了,开始以为是谁解出来记录上去的结果最后发现是p,q很接近。解出hint:b'orz...you.found.me.but.sorry.no.hint...keep.on.and.enjoy.it!'emmm她暖暖的

第四部分看到两个方程我有点傻了,(这不是正常的rsa吗为什么要两个方程

然后就会发现\(gcd(e,p*(q1-1))=14\)\(gcd(e,p*(q2-1))=14\)

把公约数提出来\(c_i\equiv(m^{14})^{e_i/14}\ mod\ p*q_i\)

使\(n_1=p*q_1\qquad n_2=p*q_2\) 则 $m^{14}\equiv c_1^{d_1}\ mod\ n_1\qquad m^{14}\equiv c_2^{d_2}\ mod\ n_2\qquad $

这两条式子由于幂次太高不能直接解出

然后我就不会了,翻wp

将上面的方程细化一下:

先令\(a_i\ =\ c_i^{d_i}\) 则:

\[m\equiv a_1\ mod\ p\qquad m\equiv a_1\ mod\ q_1\qquad m\equiv a_2\ mod\ p\qquad m\equiv a_2\ mod\ q2\qquad \]

考虑将上面的方程进行合并,理论上讲有6种,但实际上我们发现\(gcd(14,(p-1))=7\)

因此我们选择将两条\(q_1,q_2\)的式子合并,通过中国剩余定理计算出一个新的式子,即:

\[(m^2)^7\equiv a_3\ mod\ q_1q_2 \]

将此式作为一个新的rsa方程,求出\(m^2\)再开方得到\(m\)

下面是我这烂的不敢见人的exp
n =  [20129615352491765499340112943188317180548761597861300847305827141510465619670536844634558246439230371658836928103063432870245707180355907194284861510906071265352409579441048101084995923962148527097370705452070577098780246282820065573711015664291991372085157016901209114191068574208680397710042842835940428451949500607613634682684113208766694028789275748528254287705759528498986306494267817198340658241873024800336013946294891687591013414935237821291805123285905335762719823771647853378892868896078424572232934360940672962436849523915563328779942134504499568866135266628078485232098208237036724121481835035731201383423, 31221650155627849964466413749414700613823841060149524451234901677160009099014018926581094879840097248543411980533066831976617023676225625067854003317018794041723612556008471579060428898117790587991055681380408263382761841625714415879087478072771968160384909919958010983669368360788505288855946124159513118847747998656422521414980295212646675850690937883764000571667574381419144372824211798018586804674824564606122592483286575800685232128273820087791811663878057827386379787882962763290066072231248814920468264741654086011072638211075445447843691049847262485759393290853117072868406861840793895816215956869523289231421, 29944537515397953361520922774124192605524711306753835303703478890414163510777460559798334313021216389356251874917792007638299225821018849648520673813786772452822809546571129816310207232883239771324122884804993418958309460009406342872173189008449237959577469114158991202433476710581356243815713762802478454390273808377430685157110095496727966308001254107517967559384019734279861840997239176254236069001453544559786063915970071130087811123912044312219535513880663913831358790376650439083660611831156205113873793106880255882114422025746986403355066996567909581710647746463994280444700922867397754748628425967488232530303, 25703437855600135215185778453583925446912731661604054184163883272265503323016295700357253105301146726667897497435532579974951478354570415554221401778536104737296154316056314039449116386494323668483749833147800557403368489542273169489080222009368903993658498263905567516798684211462607069796613434661148186901892016282065916190920443378756167250809872483501712225782004396969996983057423942607174314132598421269169722518224478248836881076484639837343079324636997145199835034833367743079935361276149990997875905313642775214486046381368619638551892292787783137622261433528915269333426768947358552919740901860982679180791]
c =  [19131432661217908470262338421299691998526157790583544156741981238822158563988520225986915234570037383888112724408392918113942721994125505014727545946133307329781747600302829588248042922635714391033431930411180545085316438084317927348705241927570432757892985091396044950085462429575440060652967253845041398399648442340042970814415571904057667028157512971079384601724816308078631844480110201787343583073815186771790477712040051157180318804422120472007636722063989315320863580631330647116993819777750684150950416298085261478841177681677867236865666207391847046483954029213495373613490690687473081930148461830425717614569, 15341898433226638235160072029875733826956799982958107910250055958334922460202554924743144122170018355117452459472017133614642242411479849369061482860570279863692425621526056862808425135267608544855833358314071200687340442512856575278712986641573012456729402660597339609443771145347181268285050728925993518704899005416187250003304581230701444705157412790787027926810710998646191467130550713600765898234392350153965811595060656753711278308005193370936296124790772689433773414703645703910742193898471800081321469055211709339846392500706523670145259024267858368216902176489814789679472227343363035428541915118378163012031, 18715065071648040017967211297231106538139985087685358555650567057715550586464814763683688299037897182845007578571401359061213777645114414642903077003568155508465819628553747173244235936586812445440095450755154357646737087071605811984163416590278352605433362327949048243722556262979909488202442530307505819371594747936223835233586945423522256938701002370646382097846105014981763307729234675737702252155130837154876831885888669150418885088089324534892506199724486783446267336789872782137895552509353583305880144947714110009893134162185382309992604435664777436197587312317224862723813510974493087450281755452428746194446, 2282284561224858293138480447463319262474918847630148770112472703128549032592187797289965592615199709857879008271766433462032328498580340968871260189669707518557157836592424973257334362931639831072584824103123486522582531666152363874396482744561758133655406410364442174983227005501860927820871260711861008830120617056883514525798709601744088135999465598338635794275123149165498933580159945032363880613524921913023341209439657145962332213468573402863796920571812418200814817086234262280338221161622789516829363805084715652121739036183264026120868756523770196284142271849879003202190966150390061195469351716819539183797]
import gmpy2

def crt(b,m):
	for i in range(len(m)):
		for j in range(i+1,len(m)):
			if gmpy2.gcd(m[i],m[j]) != 1:
				print("m中含有不是互余的数")
				return -1
	M = 1
	for i in range(len(m)):
		M *= m[i]
	Mm = []
	for i in range(len(m)):
		Mm.append(M // m[i])
	Mm_ = []
	for i in range(len(m)):
		_,a,_ = gmpy2.gcdext(Mm[i],m[i])
		Mm_.append(int(a % m[i]))
	y = 0
	for i in range(len(m)):
		#print(Mm[i] * Mm_[i] * b[i])
		y += (Mm[i] * Mm_[i] * b[i])
	y = y % M
	return y
p=crt(c,n)

p,_=gmpy2.iroot(p,4)
print('p =',p)
#-------------------------------------------------
ee1 = 42
ee2 = 3
ce1 =  45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2 =  13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
tmp =  864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
n  =  15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039

for k in range(100):
	e1=ce1+k*n
	e1,f=gmpy2.iroot(e1,ee1)
	if f:
		print('e1 ='e1)
		break
for k in range(100000):
	e2=ce2+k*n
	e2,f=gmpy2.iroot(e2,ee2)
	if f:
		e2-=tmp
		print('e2 =',e2)
		break
#----------------------------------------------------
from Crypto.Util.number import*
#factordb分解n
q1p=127587319253436643569312142058559706815497211661083866592534217079310497260365307426095661281103710042392775453866174657404985539066741684196020137840472950102380232067786400322600902938984916355631714439668326671310160916766472897536055371474076089779472372913037040153356437528808922911484049460342088834871
q1q=127587319253436643569312142058559706815497211661083866592534217079310497260365307426095661281103710042392775453866174657404985539066741684196020137840472950102380232067786400322600902938984916355631714439668326671310160916766472897536055371474076089779472372913037040153356437528808922911484049460342088835693
phi=(q1p-1)*(q1q-1)
e = 46531
d=inverse(e,phi)
n = 16278524034278364842964386062476113517067911891699789991355982121084973951738324063305190630865511554888330215827724887964565979607808294168282995825864982603759381323048907814961279012375346497781046417204954101076457350988751188332353062731641153547102721113593787978587135707313755661153376485647168543680503160420091693269984008764444291289486805840439906620313162344057956594836197521501755378387944609246120662335790110901623740990451586621846212047950084207251595169141015645449217847180683357626383565631317253913942886396494396189837432429078251573229378917400841832190737518763297323901586866664595327850603
c = 14992132140996160330967307558503117255626925777426611978518339050671013041490724616892634911030918360867974894371539160853827180596100892180735770688723270765387697604426715670445270819626709364566478781273676115921657967761494619448095207169386364541164659123273236874649888236433399127407801843412677293516986398190165291102109310458304626261648346825196743539220198199366711858135271877662410355585767124059539217274691606825103355310348607611233052725805236763220343249873849646219850954945346791015858261715967952461021650307307454434510851869862964236227932964442289459508441345652423088404453536608812799355469
hint=long_to_bytes(pow(c,d,n))
print(hint)
#--------------------------------------------------
q1=q1p
q2 =  114401188227479584680884046151299704656920536168767132916589182357583461053336386996123783294932566567773695426689447410311969456458574731187512974868297092638677515283584994416382872450167046416573472658841627690987228528798356894803559278308702635288537653192098514966089168123710854679638671424978221959513
c1 =  262739975753930281690942784321252339035906196846340713237510382364557685379543498765074448825799342194332681181129770046075018122033421983227887719610112028230603166527303021036386350781414447347150383783816869784006598225583375458609586450854602862569022571672049158809874763812834044257419199631217527367046624888837755311215081173386523806086783266198390289097231168172692326653657393522561741947951887577156666663584249108899327053951891486355179939770150550995812478327735917006194574412518819299303783243886962455399783601229227718787081785391010424030509937403600351414176138124705168002288620664809270046124
c2 =  7395591129228876649030819616685821899204832684995757724924450812977470787822266387122334722132760470911599176362617225218345404468270014548817267727669872896838106451520392806497466576907063295603746660003188440170919490157250829308173310715318925771643105064882620746171266499859049038016902162599261409050907140823352990750298239508355767238575709803167676810456559665476121149766947851911064706646506705397091626648713684511780456955453552020460909638016134124590438425738826828694773960514221910109473941451471431637903182205738738109429736425025621308300895473186381826756650667842656050416299166317372707709596

d1=inverse(e1//14,(q1-1)*(p-1))
d2=inverse(e2//14,(q2-1)*(p-1))
a1=pow(c1,d1,q1)
a2=pow(c2,d2,q2)

a3=crt([a1,a2],[q1,q2])
print(a3)

phi=(q1-1)*(q2-1)
d=inverse(7,phi)
m=pow(a3,d,q1*q2)
m,_=gmpy2.iroot(m,2)
m=long_to_bytes(m)
print(m)

还是要继续努力捏qwq

[ACTF新生赛2020]crypto-aes

第一道aes题目

key长度32bytes,iv长度16bytes,二者异或之后,前16位仍为key,后16位是异或结果

根据题目代码知道,key是两个字节重复16次,所以根据前16位就可以直接推出整个key,再用输出结果和key异或得到iv

最后aes.decrypt()

虽然这题不难,但促进了对aes的一些理解,总之还是比较有意义

1.22

[INSHack2019]Yet Another RSA Challenge - Part 1

从题目脚本中可以发现,本题是将16进制的p字符串中的9F改为了FC

由于不知道哪个FC是被换出来的,我们对p进行爆破,题目输出中一共有4个FC,所以爆破难度不大。

上脚本:

from Crypto.Util.number import*
e=65537
n=719579745653303119025873098043848913976880838286635817351790189702008424828505522253331968992725441130409959387942238566082746772468987336980704680915524591881919460709921709513741059003955050088052599067720107149755856317364317707629467090624585752920523062378696431510814381603360130752588995217840721808871896469275562085215852034302374902524921137398710508865248881286824902780186249148613287250056380811479959269915786545911048030947364841177976623684660771594747297272818410589981294227084173316280447729440036251406684111603371364957690353449585185893322538541593242187738587675489180722498945337715511212885934126635221601469699184812336984707723198731876940991485904637481371763302337637617744175461566445514603405016576604569057507997291470369704260553992902776099599438704680775883984720946337235834374667842758010444010254965664863296455406931885650448386682827401907759661117637294838753325610213809162253020362015045242003388829769019579522792182295457962911430276020610658073659629786668639126004851910536565721128484604554703970965744790413684836096724064390486888113608024265771815004188203124405817878645103282802994701531113849607969243815078720289912255827700390198089699808626116357304202660642601149742427766381

t=['9F','FC']
for a in t:
	for b in t:
		for c in t:
			for d in t:
				p1 = '0xDCC5A0BD3A1' +a+ '0BEB0DA1C2E8CF6B474481B7C12849B76E03C4C946724DB577D2825D6AA193DB559BC9DBABE1DDE8B5E7805E48749EF002F622F7CDBD7853B200E2A027E87E331A' +b+ 'FD066ED9900F1E5F5E5196A451A6F9E329EB889D773F08E5FBF45AACB818FD186DD74626180294DCC31805A88D1B71DE5BFEF3ED01F12678D906A833A78EDCE9BDAF22BBE45C0BFB7A82AFE42C1C3B8581C83BF43DFE31BFD81527E507686956458905CC9A660604552A060109DC81D01F229A264AB67C6D7168721AB36DE769CEAFB97F238050193EC942078DDF5329A387F46253A4411A9C8BB71F9AEB11AC9623E41C14' +c+ 'D2739D76E69283E57DDB11' +d+ '531B4611EE3'
				p = int(p1,16)
				if (n%p==0):
					q=n//p
					c=596380963583874022971492302071822444225514552231574984926542429117396590795270181084030717066220888052607057994262255729890598322976783889090993129161030148064314476199052180347747135088933481343974996843632511300255010825580875930722684714290535684951679115573751200980708359500292172387447570080875531002842462002727646367063816531958020271149645805755077133231395881833164790825731218786554806777097126212126561056170733032553159740167058242065879953688453169613384659653035659118823444582576657499974059388261153064772228570460351169216103620379299362366574826080703907036316546232196313193923841110510170689800892941998845140534954264505413254429240789223724066502818922164419890197058252325607667959185100118251170368909192832882776642565026481260424714348087206462283972676596101498123547647078981435969530082351104111747783346230914935599764345176602456069568419879060577771404946743580809330315332836749661503035076868102720709045692483171306425207758972682717326821412843569770615848397477633761506670219845039890098105484693890695897858251238713238301401843678654564558196040100908796513657968507381392735855990706254646471937809011610992016368630851454275478216664521360246605400986428230407975530880206404171034278692756
					phi=(p-1)*(q-1)
					d=inverse(65537,phi)
					m=pow(c,d,n)
					flag=long_to_bytes(m)
					print(flag)
					exit(0)

[UTCTF2020]hill

古典密码(逃

1.23

[NPUCTF2020]认清形势,建立信心

from Crypto.Util.number import *
from gmpy2 import *
from secret import flag

p = getPrime(25)
e = # Hidden
q = getPrime(25)
n = p * q
m = bytes_to_long(flag.strip(b"npuctf{").strip(b"}"))

c = pow(m, e, n)
print(c)
print(pow(2, e, n))
print(pow(4, e, n))
print(pow(8, e, n))

'''
169169912654178
128509160179202
518818742414340
358553002064450
'''

不妨设\(pow(2,e,n)=a\quad pow(4,e,n)=b\quad pow(8,e,n)=c\)

那么,\(gcd(a^2-b,a^3-c)\ mod\ n =0\)

计算\(gcd(a^2-b,a^3-c)\)后在factordb上分解,找到\(p\)\(q\),随后计算\(m\),得到\(flag\)

2.1

[QCTF2018]Xman-RSA

step1

quipquip恢复python脚本

step2

base64恢复\(n2,n3\)

step3

共模攻击恢复\(n1\)

step4

\(gcd(n1,n2)\)\(φ1,φ2\)

恢复flag

import base64
from Crypto.Util.number import*
import gmpy2

#解n2,n3
n2='PVNHb2BfGAnmxLrbKhgsYXRwWIL9eOj6K0s3I0slKHCTXTAUtZh3T0r+RoSlhpO3+77AY8P7WETYz2Jzuv5FV/mMODoFrM5fMyQsNt90VynR6J3Jv+fnPJPsm2hJ1Fqt7EKaVRwCbt6a4BdcRoHJsYN/+eh7k/X+FL5XM7viyvQxyFawQrhSV79FIoX6xfjtGW+uAeVF7DScRcl49dlwODhFD7SeLqzoYDJPIQS+VSb3YtvrDgdV+EhuS1bfWvkkXRijlJEpLrgWYmMdfsYX8u/+Ylf5xcBGn3hv1YhQrBCg77AHuUF2w/gJ/ADHFiMcH3ux3nqOsuwnbGSr7jA6Cw=='
n3='TmNVbWUhCXR1od3gBpM+HGMKK/4ErfIKITxomQ/QmNCZlzmmsNyPXQBiMEeUB8udO7lWjQTYGjD6k21xjThHTNDG4z6C2cNNPz73VIaNTGz0hrh6CmqDowFbyrk+rv53QSkVKPa8EZnFKwGz9B3zXimm1D+01cov7V/ZDfrHrEjsDkgK4ZlrQxPpZAPl+yqGlRK8soBKhY/PF3/GjbquRYeYKbagpUmWOhLnF4/+DP33ve/EpaSAPirZXzf8hyatL4/5tAZ0uNq9W6T4GoMG+N7aS2GeyUA2sLJMHymW4cFK5l5kUvjslRdXOHTmz5eHxqIV6TmSBQRgovUijlNamQ=='
n2=bytes_to_long(base64.b64decode(n2))
n3=bytes_to_long(base64.b64decode(n3))

#共模攻击解n1
c1=0x2639c28e3609a4a8c953cca9c326e8e062756305ae8aee6efcd346458aade3ee8c2106ab9dfe5f470804f366af738aa493fd2dc26cb249a922e121287f3eddec0ed8dea89747dc57aed7cd2089d75c23a69bf601f490a64f73f6a583081ae3a7ed52238c13a95d3322065adba9053ee5b12f1de1873dbad9fbf4a50a2f58088df0fddfe2ed8ca1118c81268c8c0fd5572494276f4e48b5eb424f116e6f5e9d66da1b6b3a8f102539b690c1636e82906a46f3c5434d5b04ed7938861f8d453908970eccef07bf13f723d6fdd26a61be8b9462d0ddfbedc91886df194ea022e56c1780aa6c76b9f1c7d5ea743dc75cec3c805324e90ea577fa396a1effdafa3090
c2=0x42ff1157363d9cd10da64eb4382b6457ebb740dbef40ade9b24a174d0145adaa0115d86aa2fc2a41257f2b62486eaebb655925dac78dd8d13ab405aef5b8b8f9830094c712193500db49fb801e1368c73f88f6d8533c99c8e7259f8b9d1c926c47215ed327114f235ba8c873af7a0052aa2d32c52880db55c5615e5a1793b690c37efdd5e503f717bb8de716303e4d6c4116f62d81be852c5d36ef282a958d8c82cf3b458dcc8191dcc7b490f227d1562b1d57fbcf7bf4b78a5d90cd385fd79c8ca4688e7d62b3204aeaf9692ba4d4e44875eaa63642775846434f9ce51d138ca702d907849823b1e86896e4ea6223f93fae68b026cfe5fa5a665569a9e3948a
e1 = 0x1001 
e2 = 0x101
_, r, s = gmpy2.gcdext(e1, e2)
n1 = pow(c1, r, n3) * pow(c2, s, n3) % n3

#公因数分解n1,n2
c1=0x1240198b148089290e375b999569f0d53c32d356b2e95f5acee070f016b3bef243d0b5e46d9ad7aa7dfe2f21bda920d0ac7ce7b1e48f22b2de410c6f391ce7c4347c65ffc9704ecb3068005e9f35cbbb7b27e0f7a18f4f42ae572d77aaa3ee189418d6a07bab7d93beaa365c98349d8599eb68d21313795f380f05f5b3dfdc6272635ede1f83d308c0fdb2baf444b9ee138132d0d532c3c7e60efb25b9bf9cb62dba9833aa3706344229bd6045f0877661a073b6deef2763452d0ad7ab3404ba494b93fd6dfdf4c28e4fe83a72884a99ddf15ca030ace978f2da87b79b4f504f1d15b5b96c654f6cd5179b72ed5f84d3a16a8f0d5bf6774e7fd98d27bf3c9839
c2=0x129d5d4ab3f9e8017d4e6761702467bbeb1b884b6c4f8ff397d078a8c41186a3d52977fa2307d5b6a0ad01fedfc3ba7b70f776ba3790a43444fb954e5afd64b1a3abeb6507cf70a5eb44678a886adf81cb4848a35afb4db7cd7818f566c7e6e2911f5ababdbdd2d4ff9825827e58d48d5466e021a64599b3e867840c07e29582961f81643df07f678a61a9f9027ebd34094e272dfbdc4619fa0ac60f0189af785df77e7ec784e086cf692a7bf7113a7fb8446a65efa8b431c6f72c14bcfa49c9b491fb1d87f2570059e0f13166a85bb555b40549f45f04bc5dbd09d8b858a5382be6497d88197ffb86381085756365bd757ec3cdfa8a77ba1728ec2de596c5ab
p1=gmpy2.gcd(n1,n2)
p2,p3=n1//p1,n2//p1
e=0x1001
phi1=(p1-1)*(p2-1)
phi2=(p1-1)*(p3-1)
d1,d2=inverse(e,phi1),inverse(e,phi2)
msg1,msg2=long_to_bytes(pow(c1,d1,n1)).decode(),long_to_bytes(pow(c2,d2,n2)).decode()
print(msg1,msg2)
flag=''
for i in range(len(msg2)):
	flag+=msg1[i]
	flag+=msg2[i]
flag+=msg1[-1]
print(flag)

2.3

[NPUCTF2020]共 模 攻 击

hint部分

一个共模攻击之后用sympynthroot_mod解出m

hint为m.bit_length() < 400

task部分

不懂,找wp:

​ 由于hint提示了m有长度限制,所以联想到Coppersmith定理。Coppersmith定理的内容为:在一个e阶的mod n多项式f(x)中,如果有一个根小于n^1/e,就可以运用一个O(log n)的算法求出这些根[3]。计算可得m是满足这个情况的。

从task.py中可以知道:

​ $c_1 \equiv mp\ (mod\ pq) $ \(c_2 \equiv mq\ (mod\ pq)\)

又因为\(p,q\)均为素数,可有费马定理得到:

\(mp\equiv m\ (mod\ p)\) \(mq\equiv m\ (mod\ q)\)

整理可得:

\(c_1=m+ip\) \(c_2=m+jq\)

\(c_1c_2=m^2+(ip+jq)m+ijn\)

\((c_1+c_2)m=2m^2+(ip+jq)m\)

所以:\(m^2-(c_1+c_2)m+c_1c_2\equiv ijn\equiv 0\ (mod\ n)\)

sage脚本如下:

n = 128205304743751985889679351195836799434324346996129753896234917982647254577214018524580290192396070591032007818847697193260130051396080104704981594190602854241936777324431673564677900773992273463534717009587530152480725448774018550562603894883079711995434332008363470321069097619786793617099517770260029108149
c1 = 96860654235275202217368130195089839608037558388884522737500611121271571335123981588807994043800468529002147570655597610639680977780779494880330669466389788497046710319213376228391138021976388925171307760030058456934898771589435836261317283743951614505136840364638706914424433566782044926111639955612412134198
c2 = 9566853166416448316408476072940703716510748416699965603380497338943730666656667456274146023583837768495637484138572090891246105018219222267465595710692705776272469703739932909158740030049375350999465338363044226512016686534246611049299981674236577960786526527933966681954486377462298197949323271904405241585

PR.<m> = PolynomialRing(Zmod(n))
f = m^2-(c1+c2)*m+c1*c2
x0 = f.small_roots(X=2^400)
print(x0)

得到x0 = 4242839043019782000788118887372132807371568279472499477998758466224002905442227156537788110520335652385855

再long_to_bytes()得到:b'verrrrrrry_345yyyyyyy_rsaaaaaaa_righttttttt?'

这题主要还是看wp,对Coppersmith不是很熟悉(只会看着wp用

2.9

[羊城杯 2020]RRRRRRRSA

翻了翻wp,原来也是要用到维纳攻击,类似今年NCTF那道,,,

\(N_1/N_2=(P_1/P_2)^2 * (Q_1/Q_2)\)

显然\(N_1/N_2>Q_1/Q_2>1\)

\(N_1/N_2\)进行连分数展开,其中某个分子就可能是\(Q_1\)

\(N_1\ mod\ Q_1=0\)进行验证找到\(Q_1\)后就可以求出其他所有的参数

import gmpy2
from Crypto.Util.number import*

N1=60143104944034567859993561862949071559877219267755259679749062284763163484947626697494729046430386559610613113754453726683312513915610558734802079868190554644983911078936369464590301246394586190666760362763580192139772729890492729488892169933099057105842090125200369295070365451134781912223048179092058016446222199742919885472867511334714233086339832790286482634562102936600597781342756061479024744312357407750731307860842457299116947352106025529309727703385914891200109853084742321655388368371397596144557614128458065859276522963419738435137978069417053712567764148183279165963454266011754149684758060746773409666706463583389316772088889398359242197165140562147489286818190852679930372669254697353483887004105934649944725189954685412228899457155711301864163839538810653626724347
c1=55094296873556883585060020895253176070835143350249581136609315815308788255684072804968957510292559743192424646169207794748893753882418256401223641287546922358162629295622258913168323493447075410872354874300793298956869374606043622559405978242734950156459436487837698668489891733875650048466360950142617732135781244969524095348835624828008115829566644654403962285001724209210887446203934276651265377137788183939798543755386888532680013170540716736656670269251318800501517579803401154996881233025210176293554542024052540093890387437964747460765498713092018160196637928204190194154199389276666685436565665236397481709703644555328705818892269499380797044554054118656321389474821224725533693520856047736578402581854165941599254178019515615183102894716647680969742744705218868455450832
E1=125932919717342481428108392434488550259190856475011752106073050593074410065655587870702051419898088541590032209854048032649625269856337901048406066968337289491951404384300466543616578679539808215698754491076340386697518948419895268049696498272031094236309803803729823608854215226233796069683774155739820423103
N2=60143104944034567859993561862949071559877219267755259679749062284763163484947626697494729046430386559610613113754453726683312513915610558734802079868195633647431732875392121458684331843306730889424418620069322578265236351407591029338519809538995249896905137642342435659572917714183543305243715664380787797562011006398730320980994747939791561885622949912698246701769321430325902912003041678774440704056597862093530981040696872522868921139041247362592257285423948870944137019745161211585845927019259709501237550818918272189606436413992759328318871765171844153527424347985462767028135376552302463861324408178183842139330244906606776359050482977256728910278687996106152971028878653123533559760167711270265171441623056873903669918694259043580017081671349232051870716493557434517579121
c2=39328446140156257571484184713861319722905864197556720730852773059147902283123252767651430278357950872626778348596897711320942449693270603776870301102881405303651558719085454281142395652056217241751656631812580544180434349840236919765433122389116860827593711593732385562328255759509355298662361508611531972386995239908513273236239858854586845849686865360780290350287139092143587037396801704351692736985955152935601987758859759421886670907735120137698039900161327397951758852875291442188850946273771733011504922325622240838288097946309825051094566685479503461938502373520983684296658971700922069426788236476575236189040102848418547634290214175167767431475003216056701094275899211419979340802711684989710130215926526387138538819531199810841475218142606691152928236362534181622201347
E2=125932919717342481428108392434488550259190856475011752106073050593074410065655587870702051419898088541590032209854048032649625269856337901048406066968337289491951404384300466543616578679539808215698754491076340386697518948419895268049696498272031094236309803803729823608854215226233796069683774155739820425393
def continuedFra(x, y): #不断生成连分数的项
    cF = []
    while y:
        cF += [x // y]
        x, y = y, x % y
    return cF
def Simplify(ctnf): #化简
    numerator = 0
    denominator = 1
    for x in ctnf[::-1]: #注意这里是倒叙遍历
        numerator, denominator = denominator, x * denominator + numerator
    return (numerator, denominator) #把连分数分成分子和算出来的分母
def getit(c):
    cf=[]
    for i in range(1,len(c)):
        cf.append(Simplify(c[:i])) #各个阶段的连分数的分子和分母
    return cf #得到一串连分数
def wienerAttack(e, n):
    cf=continuedFra(e,n)
    for (Q2,Q1) in getit(cf):#遍历得到的连分数,令分子分母分别是Q2,Q1
        if Q1 == 0:
            continue
        if N1%Q1==0 and Q1!=1:#满足这个条件就找到了
            return Q1
    print('not find!')
Q1=wienerAttack(N1,N2)

P1=gmpy2.iroot(N1//Q1,2)[0]
P2=gmpy2.next_prime(P1)
Q2=gmpy2.next_prime(Q1)
phi1=P1*(P1-1)*(Q1-1)
phi2=P2*(P2-1)*(Q2-1)
d1=inverse(E1,phi1)
d2=inverse(E2,phi2)
m1=long_to_bytes(pow(c1,d1,N1))
m2=long_to_bytes(pow(c2,d2,N2))
print((m1+m2))

[BJDCTF2020]伏羲六十四卦

鸟题,但是看着还挺nmd复杂的(逃

2.10

[XNUCA2018]Warmup

用wireshark打开流量包之后一个个看过来,可以找到一共六条加密信息

比对后可以发现其中有两份的加密模数相同,于是进行共模攻击

就可以得到flag了

[UTCTF2020]OTP

Encoded A: 213c234c2322282057730b32492e720b35732b2124553d354c22352224237f1826283d7b0651
Encoded B: 3b3b463829225b3632630b542623767f39674431343b353435412223243b7f162028397a103e

Original A: 5448452042455354204354462043415445474f52592049532043525950544f47524150485921
Original B: 4e4f205448452042455354204f4e452049532042494e415259204558504c4f49544154494f4e

A XOR A: 7574666c61677b7477305f74696d335f703464737d7574666c61677b7477305f74696d335f70
B XOR B: 7574666c61677b7477305f74696d335f703464737d7574666c61677b7477305f74696d335f70

白给的题目,拿encoded Aoriginal A异或一下就是明文了不是很懂

怀疑是不是信息给多了,,,

还有就是A XOR A为什么不是0

posted @ 2022-02-21 08:50  上辰  阅读(471)  评论(0编辑  收藏  举报